Strict Standards: Redefining already defined constructor for class wpdb in /www/htdocs/w006f36b/wp-includes/wp-db.php on line 49

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w006f36b/wp-includes/cache.php on line 35

Strict Standards: Redefining already defined constructor for class WP_Object_Cache in /www/htdocs/w006f36b/wp-includes/cache.php on line 400

Strict Standards: Declaration of Walker_Page::start_lvl() should be compatible with Walker::start_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_Page::end_lvl() should be compatible with Walker::end_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_Page::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_Page::end_el() should be compatible with Walker::end_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 534

Strict Standards: Declaration of Walker_PageDropdown::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 553

Strict Standards: Declaration of Walker_Category::start_lvl() should be compatible with Walker::start_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_Category::end_lvl() should be compatible with Walker::end_lvl($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_Category::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_Category::end_el() should be compatible with Walker::end_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 649

Strict Standards: Declaration of Walker_CategoryDropdown::start_el() should be compatible with Walker::start_el($output) in /www/htdocs/w006f36b/wp-includes/classes.php on line 674

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w006f36b/wp-includes/query.php on line 15

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w006f36b/wp-includes/theme.php on line 505
MauriceK, caught between dev and drums » 2007 »

January 11, 2007

Fratting with your second mind…

Category: General, Spare Time — kaldor @ 9:16 pm

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 76

Since some days a good friend of mine started to work for an interesting project. It is called zweitgeist and its webpage can be reached at www.zweitgeist.com.
The concept is as easy as it is fascinating. Just read the following quote:
In the real world we see people where ever we go: at the bus stop, at school, in the work place, int the shopping mall, at the gym. If we want, can contact them. When we are surfing the Web, there are many other people on the same website at the same time as us. Unfortunately they have been invisible until now. Zweitgeist give us the opportunity to make ourselves and others visible even beyond single web sites.
And here you go. You install the application (firefox users have to install a separate plugin also), go through the typical IM configurations and start browsing to some pages. The most convenient way to get in contact with some people is browsing to google or some other well known pages.
Just try it out, in my opinion it is definetly worth it. Maybe we will meet us at one page somewhen, I am looking forward to it…

January 9, 2007

The urge to clarify…

Category: General, Development — kaldor @ 10:00 pm

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 76

Wow. During the last days this page really went popular. Much more than it ever was my intention. First it all started of at beuser, followed up by a discussion on the zeta-os.com forum itself, a post on isComputerOn and somehow it even made it up to osnews.com. Today, also Bernd Korz found some time to spend on this topic. The last post really showed me, that the BeOS community is not as dead as it seems to be most of the time. And because of this, I think I have to clarify some points of my last post.

First, it is true, that keyboard handling is not managed by the input_server when you are in KDL. This was a misinformation from my side and I would like to thank marcone to correct this. Marcus Overhagen was the first person who told it me, but I was too lazy to update. You can easily capture this in the frequency of me posting something here :)

All in all it seems like the main point of this post has been misunderstood by some people. It never was my target to show any weaknesses of hacking a ZETA machine from the outside. Basically this entry was intended to target two points mentioned in the magnussoft news:
- “The architecture does not allow to analyse the system from the outside, without notifying the user about it”.(”Die Architektur der Software vereitelt das ein System von außen durchsucht wird, ohne dass der Betreiber davon Kenntnis erlangt.”). Here I wanted to concentrate on the notifying the user aspect. Both examples, sending a mail as well as integrating an unknown plugin, can actually be done without notifying the user. This has already been mentioned also in my previous post.
- “[…], but also dialer, trojans […] are without any chance”.(”[…], sondern auch Dialer, Trojaner oder anderweitige Hackerangriffe sind […] chancenlos”). I wanted to focus on what usually a trojan does. For reference, take a look at the wikipedia entry. The email sending example was just one way of doing this.

In addition to this I want to say something about the people who stated, that for the example, user action is needed. This is true, and I never said anything else. Actually I even wrote it myself on the last post, that you have to open your mail attachment. But the point is, when an application tries to spread itself by some network stuff, on every other system the user gets notified about this. This is not the case for ZETA.

Furthermore I would like to write some notes about the fact, that all ports are closed on a default installation. This is absolutely true. But you could easily expand the add_on by some pieces of code, which are sending your IP to somewhere else and is waiting for a connection on one or multiple ports. The user does not know, which ports are opened, as he never gets asked, wether a port should be opened, or an application is allowed to open a port. It all just happens automatically. And as we all know, the user is the biggest security issue for an operating system. For more information about networking, take a look on the API at magnussoft documentation. It is not as up-to-date as when you are scanning the headers, they have much more informations, especially for UDP and TCP transfers.
Finally do not forget, that all these problems we are talking about, are applying to BeOS and Haiku also. There was a short discussion on the Haiku mailinglist, where axeld could easily name more problems, which are much deeper in the system design. So I only scratched the surface a little bit…

January 4, 2007

secure due to ignorance?

Category: Development — kaldor @ 1:16 am

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /www/htdocs/w006f36b/wp-includes/formatting.php on line 76

It’s been a long time since I wrote an article about the Magnussoft ZETA operating system (http://www.zeta-os.com ), but today I really feel like it. After several weeks I took a look at the newspage on www.zeta-os.com and read an entry about security on Magnussoft ZETA. For non german native speakers it is about that the german home secretary Schäuble suggests that intelligence agencies should be allowed to have access to your private data on your computer at home.

Magnussoft claims that this is not doable with Magnussoft ZETA as “it is not possible to examine a system from the outside without notifying the user due to the architecture of this software” (”Die Architektur der Software vereitelt das ein System von außen durchsucht wird, ohne dass der Betreiber davon Kenntnis erlangt”).

This is really interesting news and I guess many people even believe in this. I was pretty surprised as the news article went even better and better. Magnussoft states, that it is not possible to attack a Magnussoft ZETA machine from the internet. Dialer, trojans, hack-attacks are without any chance.

So, this said, it is time to analyze these statements and you will be surprised how easy it is to show that Magnussoft ZETA has many security holes and conceptional issues.

Before you continue reading, I just want to make sure that this article is not ment to motivate anyone to develop harmful pieces of software, neither to damage magnussoft’s reputation. In addition all the informations you will get are already available on the developer documentation webpage of magnussoft itself, this is just a collection of hints, where security issues are to be solved. No deep knowledge of the operating system is needed for this. I hope that some people responsible for the development of this operating system feel like taking some work on it to assure the amount of security their marketing is already praying.

Working in the background
If you want to run some pieces of code without getting attention by the user easily, there is one point, where you can perfectly start your project. The add-on structure of Magnussoft ZETA loads all add-ons during startup of the different servers. So you have multiple chances to plug in to the system. Media Kit, Mail Kit, Translation, etc. But the most convenient way is the input server (http://www.zeta-os.com/cms/custom/API/TheInputServer.html ). This one gets started very early during the boot process and is needed in any case. Remember if you get into KDL you are still able to type. As already mentioned the input_server launches ALL add-ons, there is no check, wether the user wants specific add-ons to be loaded or not. Additionally there is no way to see, which add-ons are loaded even when the user wants to examine the system. You might want to start your own thread during construction of your add-on object or wait for some specific event.
Just for the fun, we let our system do something when the user presses ALT+c for copying an element he has selected. For people not used to this system, BeOS related operating systems use ALT as the default modifier. Before the window gets the message, the key event goes through our filter by calling the function
virtual filter_result Filter( BMessage* message, BList* outList) [virtual]
Following you can see some code, which simply repeats what has been written above:

#include
#include
#include

class NoNotifyFilter : public BInputServerFilter
{
public:
NoNotifyFilter() { }
~NoNotifyFilter() { }

status_t InitCheck() { return B_OK; }
filter_result Filter(BMessage*, BList*);
};

filter_result
NoNotifyFilter::Filter(BMessage* msg, BList*)
{
if(B_KEY_DOWN == msg->what) {
int32 mod = 0;
msg->FindInt32(”modifiers” , &mod);
if(mod & B_COMMAND_KEY) {
int32 keyValue = 0;
msg->FindInt32(”key” , &keyValue);
if (keyValue == 78) {
(new BAlert(”Hey”, “There was something going on in the background.\nHave you been notified?\n”, “Oh bummer”))->Go(NULL);
}
}
}
return B_DISPATCH_MESSAGE;
}

extern “C” { BInputServerFilter* instantiate_input_filter(); }
BInputServerFilter*
instantiate_input_filter()
{
return new NoNotifyFilter();
}

Summary:
- no startup control
- no validation for add-on rights
- no information about loaded/running add-ons

Round and round it goes
Now let’s take a deeper look at the point, that trojans are not implementable on Magnussoft ZETA. I just want to go into the section of spreading the project to other people. Once again the modular design of this operating system is your best friend. One part of the system is called the Mail Kit (http://www.zeta-os.com/cms/custom/API/TheMailKit.html ). Especially we make usage of the BMailMessage (http://www.zeta-os.com/cms/custom/API/BMailMessage.html ) class. It is said, that one big advantage of Magnussoft ZETA is that you can use the Mail Kit for configuring your accounts and then use whatever mail application you want. Even multiple ones at the same time is possible, as they all use the bindings to the system. This is really convenient for the user, if he wants to try out a new mail client as you do not have to configure your mail settings again and again. But you get into problems at that point that the Mail Kit does not check wether an application is allowed to use the Mail Kit. Once again: The user does not get notified about this. So we create a BMailMessage object, and just use it’s member function
status_t Send(bool send_now = false, bool remove_when_sent = false)
This one uses your default mail account you set up. The second argument is even more important. If you set it to true, you cannot even recognize, that you send out this mail, as it gets deleted from your out folder on your boot partition. Following you can view some code snippet to send a message to someone with fullfilling the above criterias.
Now you might think, that you can easily prevent your system from sending these mails with a software firewall. But it is not the application itself, which sends the message. Each mail client just sends an email to the mail_server, which is then responsible for sending the message per SMTP. This means, that you would have to deny all mail transfer, or check each mail for admission. And I guess you are really not interested in this, as this is even more annoying that sudo’ing on a unix system.
Additionally I forget to mention one little thing. Who should you send an email? Try every address thinkable like it happens sometimes? Well, that’s not needed. Magnussoft ZETA has a central point for contact managment. It is the people folder in your home directory. There all contact informations are stored without any encryption. Names, Phone numbers, adresses, birthdates, etc. are available from there and so are email adresses. So why not just send this mail to all your friends on your contact list?
Once again some code:

#include
#include
#include

int main(int argc, char* argv[])
{
if(2>argc) {
fprintf(stderr, “You need to specify some content for the email being send.\n”);
return -1;
}
BString mailText;
for(int i=1; i
mailText += argv[i];
mailText += ” “;
}

BMailMessage *mail = new BMailMessage();
mail->AddHeaderField(B_MAIL_TO, “accountAt@domain_that_should_not_exist.com”);
mail->AddHeaderField(B_MAIL_SUBJECT, “special present”);
mail->AddContent(mailText.String() , strlen(mailText.String()));
mail->Send(true, true);

return 0;
}

Leak Summary:
- everyone can send mails
- no application signature check
- no encryption for contact data.

To summarize this little excursion to Magnussoft ZETA, it is easily possible to run code without notifying the user and really harm your system. In addition you can use a client system without any problem to spread your piece of code to other people. Once again without notifying the system’s owner. You might argue that sending out a mail will not spread your application as everyone is aware of harmful code being attached to a mail. Well first point, you might get mail from your friend, so you trust him. Second magnussoft states, that this is not possible with Magnussoft ZETA, so why not just click on this neat attachment. Third, this is the same way lots and lots of Microsoft Windows machines get affected each day, each hour, each minute on this planet.

I cannot repeat it often enough: Please do not use this as a tutorial to write harmful code. This is nothing else than a proof-of-concept, that magnussoft has a long way to go to provide their users with that security level they want to. In my oppinion this article hopefully opens some eyes to spend some more attention on these and more issues. Still it can be a great operating system, as well as the other BeOS related operating systems will be.

Update