MauriceK, caught between dev and drums » The urge to clarify…

January 9, 2007

The urge to clarify…

Category: General, Development — kaldor @ 10:00 pm


Wow. Over the last few days this page really became popular, much more than I ever intended. It all started at beuser, followed by a discussion on the zeta-os.com forum itself, a post on isComputerOn, and somehow it even made it onto osnews.com. Today Bernd Korz also found some time to spend on this topic. That last post really showed me that the BeOS community is not as dead as it seems most of the time. Because of this, I think I have to clarify some points of my last post.

First, it is true that keyboard handling is not managed by the input_server when you are in KDL. This was misinformation on my side, and I would like to thank marcone for correcting it. Marcus Overhagen was the first person who told me, but I was too lazy to update the post. You can easily see that in how rarely I post something here :)

All in all it seems that the main point of that post was misunderstood by some people. It was never my goal to show any weaknesses for hacking a ZETA machine from the outside. Basically the entry was intended to address two points from the magnussoft news:
- “The architecture does not allow the system to be analysed from the outside without notifying the user about it” (“Die Architektur der Software vereitelt das ein System von außen durchsucht wird, ohne dass der Betreiber davon Kenntnis erlangt.”). Here I wanted to concentrate on the notifying-the-user aspect. Both examples, sending a mail as well as integrating an unknown plugin, can actually be done without notifying the user. This was already mentioned in my previous post.
- “[…], but also dialers, trojans […] are without any chance” (“[…], sondern auch Dialer, Trojaner oder anderweitige Hackerangriffe sind […] chancenlos”). I wanted to focus on what a trojan usually does; for reference, take a look at the Wikipedia entry. The email-sending example was just one way of doing this.

In addition I want to say something to the people who stated that, for the example, user action is needed. This is true, and I never said otherwise; I even wrote in the last post that you have to open the mail attachment. But the point is: when an application tries to spread itself over the network, on every other system the user gets notified about this. This is not the case for ZETA.

Furthermore I would like to write some notes about the fact that all ports are closed on a default installation. This is absolutely true. But you could easily extend the add-on with some code that sends your IP somewhere else and waits for a connection on one or more ports. The user does not know which ports are open, as he never gets asked whether a port should be opened or whether an application is allowed to open a port. It all just happens automatically. And as we all know, the user is the biggest security issue for an operating system. For more information about networking, take a look at the API in the magnussoft documentation. It is not as up to date as scanning the headers, which contain much more information, especially for UDP and TCP transfers.

Finally, do not forget that all the problems we are talking about apply to BeOS and Haiku as well. There was a short discussion on the Haiku mailing list where axeld could easily name more problems that lie much deeper in the system design. So I only scratched the surface a little bit…
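
Since the user is never asked and never told which ports an add-on has opened, the one check he can still run himself is to ask the machine. The following is an added example, not code from the original post or from ZETA/magnussoft: a loopback self-audit that connects to 127.0.0.1 on each port in a range and reports which ones accept a TCP connection. It uses only BSD sockets, which BONE/ZETA, Haiku and any POSIX system provide; the `open_loopback_listener` fixture is a constructed stand-in for the socket an add-on could open silently, and the assumption that IPv4 loopback is available is mine.

```c
/* Added example (not from the original post): loopback self-audit of
 * listening TCP ports.  Assumes IPv4 loopback (127.0.0.1) is available
 * and that the target is any system with BSD sockets (ZETA/BONE, Haiku,
 * Linux, BSD, ...). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Returns 1 if something on this machine accepts a TCP connection on
 * 127.0.0.1:port, 0 if the connection is refused or fails otherwise.
 * This sees sockets bound to loopback or to INADDR_ANY; a socket bound
 * only to the external interface address will not answer here. */
int port_is_open(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return 0;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int ok = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(fd);
    return ok;
}

/* Scans ports from..to (inclusive), stores the open ones in out (at most
 * max entries) and returns how many were found. */
int scan_local_ports(int from, int to, int *out, int max)
{
    int n = 0;
    for (int p = from; p <= to && n < max; p++)
        if (port_is_open(p))
            out[n++] = p;
    return n;
}

/* Constructed fixture: binds and listens on an OS-chosen loopback port,
 * exactly what an add-on could do without any prompt.  Returns the port
 * number (or -1) and hands the listening descriptor back via *fd_out. */
int open_loopback_listener(int *fd_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                         /* let the OS pick a port */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *fd_out = fd;
    return ntohs(sa.sin_port);
}

int main(void)
{
    int fd = -1;
    int port = open_loopback_listener(&fd);
    if (port < 0) {
        perror("listener");
        return 1;
    }
    printf("listener opened silently on 127.0.0.1:%d\n", port);

    /* The audit: nothing told us about that port, but the scan finds it. */
    int found[16];
    int n = scan_local_ports(port - 2, port + 2, found, 16);
    for (int i = 0; i < n; i++)
        printf("open: %d\n", found[i]);

    close(fd);
    printf("after closing the listener, port %d open? %d\n", port, port_is_open(port));
    return 0;
}
```

To audit a whole machine, call `scan_local_ports(1, 65535, ...)`; each closed port costs one refused handshake on loopback, so a full sweep takes a few seconds. The scan tells you that a port is open, not which add-on or application opened it, which is precisely the gap the paragraph above describes.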

2 Comments »


  1. […] Update « Hesitating posts…   The urge to clarify… » […]

    Pingback by MauriceK, caught between dev and drums » secure due to ignorance? — January 9, 2007 @ 10:02 pm


  2. Yes, very right.

    The emphasis on user activity being needed to get hacked is an important hint anyway. In most cases on Windoze you don't even need this (user) intervention ;-) thanks to ActiveX/RPC, non-declared .Net features or whatever.

    The biggest advantage, in my opinion, is the fact that Zeta has the opportunity to improve security via its BMessaging model.

    On Unix/clones (FreeBSD, Linux, OS X etc.) or Windows you get security at FS level (user rights & profiles) and process level (security profiles for processes).

    With Zeta’s (and Haiku’s) unique BMessaging feature, any task/process/inode/stream is mangled with BMessaging for processing purposes to obtain kernel processing time from the I/O scheduler of the kernel.

    If you now screw the Zeta kernel up further, in parallel with vital components of the system, to secure Zeta even more through BMessaging proofing (_native_ threads/_system_threads/_user-caught_threads/_automated(cron)_threads, etc.), we can get far higher security than now.

    But this is quite theoretical and needs very experienced BeOS developers to put their brains together with well-experienced (system & network) security geeks.

    But the result would be a _very_ secure OS in the end, without tricky virtualization of the OS in kernel land (read: Windows Vista).

    Kind Regards,
    pasha

    Comment by pasha — January 10, 2007 @ 12:38 pm
