Archive for the ‘BeOS’ Category

CanSecWest 2009 Pwn2Own and Misc Security Thoughts

March 20, 2009

This year’s pwn2own at CanSecWest hasn’t been targeted at operating systems but at browsers and mobile platforms. This has drawn some heat because it didn’t include Opera, which is increasingly popular on mobile devices. Rather, it was only IE, Firefox, and Safari on Windows and OSX as well as phones.

While I approve of targeting specific applications, especially given the role browsers now play in most users’ lives, there are significant enough differences between operating systems and how they’re used by most users that I wish contests like these would continue to include OS-specific targets.

Let me also say that to a certain degree, the change in this year’s format does better illustrate the bigger problem of software security which isn’t at the OS level but in the wider area of applications. As software is increasingly cross-platform, the problems are often not limited to one platform: a vulnerability in Firefox may or may not affect more than Windows, but it’s more likely than not going to affect Windows users for two reasons: Windows is the biggest target by nature of its widespread adoption and Windows has a more standardized set of libraries than other operating systems. Everyone wants to dish out on Microsoft (and I want to dish out on Apple, whose software I believe is tremendously less secure than Windows) but the magnitude of “problems” with it is due to the issue of critical mass — more people use Windows so it’s always going to be a bigger target for crackers.

Security through obscurity isn’t security, it’s just obscurity. This is one reason why Linux wasn’t a target at pwn2own this year. It’s not that Linux is invulnerable to cracking or to malware like rootkits, it’s that hardly anyone in the aggregate uses it on desktops. Not security, obscurity.

If you want more security that way, use an even more obscure OS. Something nobody else is using, like BeOS or Haiku.

Change the topic from desktop to server and then look at the market share Linux has in that category and it’s a different story: where Windows desktop machines are great for botnets, they’re often herded from cracked Linux servers. Where Linux has less obscurity, it’s a bigger target.

The number of compromised Linux servers — which can only be estimated from the number of botnets shut down or observed to be operating (another part of security through obscurity that is dangerous is the feeling of invulnerability and the lack of tools to detect system compromise) — attests to the real problem with security: it’s not OS-specific, but rather a problem of buggy software and poor implementations and procedures. Just as it’s bad practice to use unpatched software on a Windows desktop, it’s bad practice to use unpatched software on a Linux server. And vice versa — buggy Linux desktops are just as bad as buggy Windows servers. Just as it’s poor procedure to run everything as administrator in Windows, it’s equally poor procedure to implement shoddy permissions in Linux (and some Linux CD-based distros run only as root). The problem really isn’t the OS, per se, but what’s being run on it and how it’s being run. The problem is really the user, the weakest link in the chain of security.

Desktop Linux users also tend to fit a less than lucrative target profile. While many people do choose Linux and BSDs for more than the free-as-in-beer reason, Linux users tend to fall in a very small demographic and it’s not a financially lucrative one. Whom would you target if you wanted money, someone who can afford to purchase a license or someone who brags about how Linux can run on cheaper, older hardware and doesn’t cost more than the cost of the installation media? People who try to rob cheapskates usually starve. In comparison, Bernie Madoff’s client list wasn’t filled with kids living in Mom’s basement but with celebrities and high society types and groups with considerable assets. Willie Sutton famously said he robbed banks because that’s where the money is; cybercrime targets Windows users because that’s where the money is — both in the aggregate (over 90% of desktops) and in the user demographics (above median income).

One more thing about this as it relates specifically to Linux. Tipping Point gives away computers and a few thousand dollars. These exploits have significant market value, more than a few thousand and an inexpensive laptop. There may be some prestige among colleagues in the security field for being able to crack something. But it pales to what others are willing to pay for exploits on the open market, whether from government agencies or from criminals. It’s folly — a non sequitur — to suggest that the lack of Linux-specific or even Linux-targeted exploits at events like this indicates there are none or even few.

Back to pwn2own news… 

Day One was exciting with four zero day exploits against the targets. The first victim, and as usual the easiest and fastest one, was OSX via Safari. Charlie Miller won the MacBook for the second consecutive year. Then IE8 fell to “Nils,” whose three exploits netted him a Vaio (for being first to crack IE8 this year) and $15k (at a rate of $5k per demonstrated zero day exploit).

Day Two, with relaxed rules, proved less eventful. At last report, there were no more zero days demonstrated and few, if any, attempts to pwn phones.

CanSecWest closes today.

April Fools

April 1, 2008

I haven’t had much time to check out different sites’ April Fools gags yet, but the two I’ve found have been kind of amusing.

The first I encountered was gmail’s new “custom time” feature; unfortunately, this one was broken in a text browser (lynx) when I first looked (tip of the day if you think gmail loads too slowly in your browser: enable imap and use your email client or use a text browser like elinks or lynx). This feature means never having to offer belated wishes for a happy birthday, anniversary, or anything else. Could come in really handy on deadline projects, too.

I found the second before I had fired up Firefox, so I’m going to have to go watch Shawn Powers’ announcement that Linux Journal is going to include a lot more BeOS coverage and the Pentium Pro technology that makes BeOS shine.

I just looked at the LJ site in Firefox and the graphics are worth the visit today.

The “apple sucks” category is because Apple chose NeXT over BeOS for what became OSX. I’m not saying BeOS was inherently better, but rather Apple has given Unix a bad name.

Haiku Propaganda and… haiku

April 24, 2007

I may as well go scorched-earth since nobody has appreciated my positive comments about HaikuOS. Here are some ideas for peddling your little piece of BeOS.

  • Haiku – Insecure by Default!
  • Haiku – Almost as Safe and Stable as Win95!
  • Haiku – Sure, It Reboots Often — But It Reboots Quickly!
  • Haiku – So Easy to Crash a Kid from a Baltic State Can Do It!
  • Haiku – All Your Machines Are Belong to Latvia!
  • Haiku – Affronting Simplistic Poetry through Instability and Insecurity!
  • Haiku – The Last Two Syllables of A Seventeen Syllable Curse!
  • Haiku – Because Linux Already Works!
  • Haiku – Putting the BE Back in Weekend at BErnie’s!
  • Haiku – BeOS’ Ninth Life!

And I’d be remiss if I didn’t offer a little five-seven-five in the spirit of it all:

Haiku has a hole
That some teen from Latvia
Owns computers with.

Is computer on?
All your computers are BE-
long To Latvia.

Be-O-S, Zeta,
Haiku — same shit with same fate.
Nobody wants Be.

Be-O-S, Zeta,
Haiku — all the more reason
To use BSD.

Haiku is the best
Attempt yet to recreate
Windows 95.

Haiku has the same
Security features as
Windows 95.

I used Be-O-S
In the 1990s ‘fore
Haiku was around.

The true BE-lievers
Said Be-O-S’d save the world.
Haiku won’t take off.

How many users
Does Haiku really have, dude?
Fewer than Be had.

The world will adopt
Haiku when pigs grow six wings
And they f***ing fly.

Haiku only has
One vulnerability:
Nobody wants it.

Why build new Haiku
When you could have Amiga
Instead? Dumb. Dumb. Dumb.

Ease, Stability, Etc.

April 19, 2007

One of the Haiku fanboys at OSNews gave me a challenge:

Talk to me about the ‘ease’ of configuring certain parts of any GNU/Linux distribution you care to mention. Talk to me about stability, reliability issues, re-installing Windows, failed Linux installs etc.

About a month ago, I had two Linux distros (MepisLite and DamnSmallLinux) and NetBSD installed on the computer I’m using right now. This machine is the same one on which I used to run BeOS exclusively — 400 MHz Celeron, 128 MB RAM, not very flashy at all.

A month ago, I repartitioned my drive so I could enlarge my swap partition because I’m developing something that requires a lot more memory than I’m ever going to put in this little old computer (I need to update that page for a progress report). I reinstalled DSL 2.1b with a normal Debian-type install without apt-get support. This computer has had ZERO downtime since the reinstall.

got yer stability right here, dude

So there’s your stability. No crashes and nearly a full month of uptime. Try that with Haiku.

How long did it take me to back up data, repartition my drive, clear out the MBR, reinstall DSL, and get everything set up the way I want? Maybe half an hour tops, but I know what I’m doing. DSL is only 50 MB so installation goes quickly. It uses hardware detection scripts from Knoppix. It was a freakin’ breeze (as usual) — install, go. I also don’t have any goofy hardware because my rule of thumb is to buy hardware that doesn’t require any proprietary driver or that will give me headaches working in the operating systems I use (primarily Linux, BSD, and — very rarely — Windows XP). So there’s your ease of configuration.

I noted two things in my reply at OSNews. First, that I’ve never had a “failed install” of Linux. That includes Slackware, Debian, Red Hat, Mandrake (never tried it since it changed its name to Mandriva), or any derivatives of those (DSL, Mepis, Kubuntu, Knoppix, etc.). Second, there are plenty of distros that are easy enough to set up that even a BeOS user can set them up: Ubuntu and its offspring, PCLinuxOS, and Mepis have excellent hardware detection and will set up very quickly and easily for most Linux novices. There may be some quirky hardware that will give anyone fits, but that’s the kind of dross that shouldn’t be bought in the first place because it was only intended to work (locked in) with Windows or Mac.

Beating a Dead OS Again

April 6, 2007

The true believers at OSNews won’t give it up, so neither will I. How many BeOS servers are there on the Internet? Were there ever many?

I just did a quick run-through at netcraft to see if any Be-related sites actually run off Be-servers. No surprises. After all, Be is dead (RIP) and Haiku’s (a) not ready for prime time and (b) completely desktop-oriented. So much for it displacing Windows and Linux in the next two to five years, which was one of the more absurd responses I got at OSNews.

Haiku’s website is hosted on a Linux server. BeOS Radio’s site is hosted on a FreeBSD server. BeBits is hosted on a Linux server. Begroovy.com is hosted on a Linux server. BeOSonline.com is hosted on a Linux server. BeUnited.org’s site is hosted on Linux. When Netcraft last checked, the BeOS Max site was hosted on Linux. BeTips.net is hosted on Linux.

BeTips.com is interesting. They’re currently hosted on FreeBSD, but have also been hosted on Windows servers.

Finally, I didn’t even know it was running, but the Be, Incorporated, website is up and hosted on Linux. The site only has shareholder information on it — hope y’all didn’t spend your 58-cents per share in one place.

There ya go, true Believers. That’s how relevant you are in the real world.

More on BeOS/Cast Out the Heretic!

April 5, 2007

I know loyalties can run pretty deep but I never imagined I would wear out my welcome at OSNews so quickly. It’s a little disheartening considering I attempted an approach that sought to avoid a “my OS is better than your OS” skirmish by pointing out my respect for BeOS’ technical merits and my admiration for those working on Haiku. It’s not surprising, though, that someone would respond like this as if I’m trying to rob him of his joy or that this is an all-or-nothing battle for the “souls” of computers:

What are you afraid of, that Linux will lose the battle? You like Linux so much, then stick with it and let the rest of us enjoy BeOS/Haiku.
–tonestone57

Well, I do use Linux for the most part. I also use OpenBSD and Windows XP (very rarely for work), and I have an old computer with NT Workstation that never gets used anymore. For a long time, I ran BeOS PE on this very computer and even added a BeOS partition to the NT computer. I’m not tied to any single operating system. I’m no fanboy, I’m no zealot. I have no fear of Linux “losing” anything, nor do I fear Haiku or any other OS ascending in usage. I just doubt that’s going to happen. (See below: I’ve heard this tired refrain for years. How long will you sing it while the rest of the world passes you by?)

I suppose shit is always going to hit the fan when pointing a true believer to facts and a reality he or she just won’t face. BeOS is dead. Blue-Eyed OS is dead. Cosmoe is dead. PhOS was never supposed to be released, but is dead. Zeta may or may not have been legally developed, but it’s dead. All of it’s dead because there wasn’t enough interest for any of it to be feasible from a business standpoint or even from a hobbyist’s/free developer’s standpoint. You can whine all you want about “what might have been” — the problem is things didn’t go that way. It’s called reality. Are you in touch with it?

BeOS was abandoned (dead!) in 2001; had it continued to today, then it would have been a different story.
— tonestone57

I don’t care for such circular reasoning or impractical hypotheticals. It’s not a different story because it didn’t happen the way you wish it had. Things turned out very badly for Be, for BeOS, and for BeOS fans.

So that leaves the world with Haiku. I wrote that I admire Haiku. I also know its current limitations, which I believe will have a bearing on future limitations (as it relates to adoption). Guess some people don’t care to hear or accept them. Fine, keep your blinders on and remain so blind to reality that you see only the “potential” without getting bogged down in details like these:

  • It lacks a fully functional network stack.
  • It can’t run on its own yet.
  • It’s not scalable.
  • It’s destined for the desktop with no roadmap to mobility.
  • There’s no groundswell of interest in it outside those who’ve used BeOS.

It’s also way behind Windows, Linux, and Mac in every single one of those measures — not to mention the measure of user adoption.

I think Haiku will make it, but won’t happen in 2 years, but take something like 5 years to start being noticed *and* Linux / Windows will lose users to Haiku.
— tonestone57

This is like a broken record I’ve heard before. It first came from Be and from the Be Users Group — I was a member in the ’90s, but I wasn’t a true believer. I heard it all. Seems like yesterday. I kept waiting for it to happen — the impending wildfire when everyone suddenly would wake up and realize BeOS was technically better than Windows, remarkably easier to configure than Linux, and cheaper than a Macintosh. It never came.

It didn’t seem to matter to the true believers that BeOS never really had “mature” applications, that it wouldn’t work with stuff like that old handheld scanner, that it lacked support for even much of the new hardware it was designed to work with, and that no matter how clever and cute it was Be, in the end, couldn’t even give it away for free.

What relevance can something designed for the desktop have in the wireless age, where mobility counts? What will Haiku offer that isn’t already accomplished with other mainstream operating systems, including Linux?

The answer is the same to both those questions. Nothing. None. Nada.

The people I met at my BUG have moved on, grown up. Most of the people I still keep in touch with and see regularly went back to Macs (all the true believers are now back in the Mac cult). Some are using Linux. A few use Windows. Nobody uses Be, at least they’re not openly admitting it. Nobody’s clamoring for Haiku beyond the stubborn few who’ve clung to the hope that BeOS would be resurrected and made relevant again.

Only one problem. It never really was relevant.

BeOS Spin-off Bites the Dust

April 4, 2007

This is a longer rant than I intended to make. I was going to write about this last week when the news was breaking that Zeta, which purported to be the legal offspring of BeOS, had (again) bitten the dust. I decided, though, it was too trivial to mess with. BeOS hasn’t been important for years. It won’t ever be.

As much as I liked BeOS — its speed and responsiveness, its fresh approach, its novelty, and being ahead of its time with its journaled file system, being oriented for multimedia, etc. — I understood the reality that it was built on a poor business model that really put all its eggs in one basket (trying to sell or license to Apple for the Mac). I haven’t been surprised that Palm or anyone else didn’t try to resurrect it because the demand just wasn’t there for it. The nails were in the coffin the day Steve Jobs returned to Apple and OS X’s development was tied to Mach/NeXT.

I replied to some questions a while ago at OSNews about why Access, the company claiming it owns the old Be intellectual properties, didn’t go after the small-time players involved in Zeta or other projects. In a nutshell, because there really was no financial interest to protect and no financial incentive to go after those involved in Zeta’s development or distribution.

From a business point of view, it’s no surprise Be withered and died and that Palm never even tried to improve it. It would have cost them more and it wouldn’t have ever paid for itself. From a business point of view, it’s no surprise others have failed — and at least as miserably — when trying to resurrect Be. Zeta went through two different distributors in recent months. The business reality finally hit the fan and it appears to be dead. (For now anyway. I have no doubt someone else will either try again or attempt to license or buy the Be IP from Access. They’ll fail, too.)

Looking at it from a technical point of view doesn’t address the business issues in the whole saga. It never caught on with enough people for anyone to make money with it. Changing personnel or distribution channels won’t change the economics. For all its appeal, it was a niche OS.

I’ll admit my admiration for those who’ve tried to recreate an open source BeOS-like environment. Some of the projects, though, only replicated the interface of BeOS — using a Linux kernel with Be-like icons doesn’t translate into the Be API, Tracker, etc. It was still Linux.

Haiku is getting closer to being a legitimate operating system. I haven’t tried it because I haven’t cared to mess with it until it’s mature enough that it can load into its own partition and be booted on its own. I follow its development, but I’m happy using Linux.

I wish Haiku lots of success. I know there’s a loyal group of ex-Be (and many still using it) users who’ll love it. I’m not convinced, though, that it’s the better mousetrap to which everyone will be drawn. The future isn’t on the desktop, it’s in wireless devices.

And I think that’s one of the great ironies: Be paid no homage to the past with support for legacy hardware — BeOS was intended only for current hardware. In recreating an open source BeOS, will Haiku be relevant to our increasingly smaller wireless future or will it be relegated to our increasingly archaic desktops?