Archive for the ‘Haiku’ Category

With End of Sun Comes End of Schwartz’ Reign (Thank Goodness)

February 5, 2010

I’d written a few posts on my non-tech blog about Sun’s demise from a finance rather than tech standpoint. Without a doubt Sun had some of the sharpest minds in the industry as far as their technology was concerned; too bad the company lacked the same acumen and expertise when it came to the business side of the equation. Now Sun employees are Oracle employees, at least for a while. It’s only a matter of time before Ellison and company pare their hefty investment down to make it a profitable enterprise. I suspect that paring will be done with an axe rather than scalpel.

Jonathan Schwartz has been rumored to have no place at Oracle –and why should he have a place there after running Sun straight into the ground and overseeing stupid purchases (e. g., MySQL) that Sun was never able to monetize? Larry Ellison doesn’t run that kind of company. Schwartz posted of his departure on his Twitter account yesterday. It’s not too surprising he’d take the demise of the company as seriously as he took running it. He leaves with haiku.

It’s also not surprising that Schwartz views Sun’s demise as tied to the financial collapse, as if that’s the only thing that doomed Sun. In fact, though, Sun’s fortunes fell with the dot-com bubble a decade ago and with executives — like Schwartz — who were in way over their heads. I’ll go further and say that Sun’s management was utterly incompetent and too ideological and caught up with buzz words to ever come up with a coherent business model which could monetize Sun’s vast assets (technology, people, etc.). That’s what led Sun from being “the dot in dot com” and a share price over $200 a few years ago to crack-whoring itself over the last year in a desperate attempt to find a buyer. Maybe I should tone down that analogy since it might give crack whores a bad name.

I have my own tortured haiku to offer to give a clearer perspective of Sun’s demise.

Once the dot in dot   
Com, now put a fork in Sun.
Ponytail failure.

Goodbye, Jonathan. I hope for the sake of hard-working employees and shareholders everywhere that you never run another company as long as you live. I know I’ll never work for or invest another cent in anything you touch.

CanSecWest 2009 Pwn2Own and Misc Security Thoughts

March 20, 2009

This year’s pwn2own at CanSecWest hasn’t been targeted at operating systems but at browsers and mobile platforms. This has drawn some heat because it didn’t include Opera, which is increasingly popular on mobile devices. Rather, it was only IE, Firefox, and Safari on Windows and OSX as well as phones.

While I approve of targeting specific applications, especially given the role browsers now play in most users’ lives, there are significant enough differences between operating systems and how they’re used by most users that I wish contests like these would continue to include OS-specific targets.

Let me also say that to a certain degree, the change in this year’s format does better illustrate the bigger problem of software security which isn’t at the OS level but in the wider area of applications. As software is increasingly cross-platform, the problems are often not limited to one platform: a vulnerability in Firefox may or may not affect more than Windows, but it’s more likely than not going to affect Windows users for two reasons: Windows is the biggest target by nature of its widespread adoption and Windows has a more standardized set of libraries than other operating systems. Everyone wants to dish out on Microsoft (and I want to dish out on Apple, whose software I believe is tremendously less secure than Windows) but the magnitude of “problems” with it is due to the issue of critical mass — more people use Windows so it’s always going to be a bigger target for crackers.

Security  through obscurity isn’t security, it’s just obscurity. This is one reason why Linux wasn’t a target at pwn2own this year. It’s not that Linux is invulnerable to cracking or to malware like rootkits, it’s that hardly anyone in the aggregate uses it on desktops. Not security, obscurity.

If you want more security that way, use an even more obscure OS. Something nobody else is using, like BeOS or Haiku.

Change the topic from desktop to server and then look at the market share Linux has in that category and it’s a different story: where Windows desktop machines are great for botnets, they’re often herded from cracked Linux servers. Where Linux has less obscurity, it’s bigger target.

The number of compromised Linux servers — which  can only be estimated from the number of botnets shut down or observed to be operating (another part of security through obscurity that is dangerous is the feeling of invulnerability and the lack of tools to detect system compromise) — attests to the real problem with security: it’s not OS-specific, but rather a problem of buggy software and poor implementations and procedures. Just as it’s bad practice to use unpatched software on a Windows desktop, it’s bad practice to use unpatched software on a Linux server. And vice versa — buggy Linux desktops are just as bad as buggy Windows servers. Just as it’s poor procedure to run everything as administrator in Windows, it’s equally poor procedure to implement shoddy permissions in Linux (and some Linux CD-based distros run only as root). The problem really isn’t the OS, per se, but what’s being run on it and how it’s being run. The problem is really the user, the weakest link in the chain of security.

Desktop Linux users also tend to fit a less than lucrative target profile. While many people do choose Linux and BSDs for more than the free-as-in-beer reason, Linux users tend to fall in a very small demographic and it’s not a financially lucrative one. Whom would you target if you wanted money, someone who can afford to purchase a license or someone who brags about how Linux can run on cheaper, older hardware and doesn’t cost more than the cost of the installation media? People who try to rob cheapskates usually starve. In comparison, Bernie Madoff’s client list wasn’t filled with kids living in Mom’s basement but with celebrities and high society types and groups with considerable assets. Willie Sutton famously said he robbed banks because that’s where the money is; cybercrime targets Windows users because that’s where the money is — both in the aggregate (over 90% of desktops) and in the user demographics (above median income).

One more thing about this at it relates specifically to Linux. Tipping Point gives away computers and a few thousand dollars. These exploits have significant market value, more than a few thousand and an inexpensive laptop. There may be some prestige among colleagues in the security field for being able to crack something. But it pales to what others are willing to pay for exploits on the open market, whether from government agencies or from criminals. It’s folly — a non sequitur — to suggest that the lack of Linux-specific or even -targeted exploits at events like this indicate there are none or even few.

Back to pwn2own news… 

Day One was exciting with four zero day exploits against the targets. The first victim, and as usual the easiest and fastest one, was OSX via Safari. Charlie Miller won the MacBook for the second consecutive year. Then IE8 fell to “Nils,” whose three exploits netted him a Vaio (for being first to crack IE8 this year) and $15k (at a rate of $5k per demonstrated zero day exploit).

Day Two, with relaxed rules, proved less eventful. At last report, there were no more zero days demonstrated and few, if any, attempts to pwn phones.

CanSecWest closes today.

Why is There No Cult of Microsoft?

May 13, 2007

Michael Singer asks why Microsoft doesn’t have cult appeal like that shared by Apple, Linux, BSD, Oracle, Java, and other platforms (I would add Haiku to his list — a very sinister little cult that is!). He asks,

What about this: Is Microsoft in such control over its own products that nobody really cares to innovate around Microsoft software? Do they just go through the motions because that’s what they use at work?

I think most people aren’t excited about Microsoft because their product line is so pervasive and “traditional” — much like the lack of excitement of going to church or evangelism for most Roman Catholics and other denominations. I think people don’t get very excited about Windows or Office because it’s the standard. They can get excited by something novel — Linux, Haiku — or by a culture (cult) that fosters a certain status or elitism the way Apple has over the years. Microsoft really hasn’t done anything for brand-loyalty the way Apple has, which has led to Apple’s comfortable switch to the same Intel-based architecture that was so long Microsoft’s turf.

Interview With CanSecWest Mac Hacker

April 27, 2007

John Gruber has posted an e-mail interview of Dino Dai Zovi, the hacker who cracked a Mac at CanSecWest. He exploited a Java-based vulnerability in QuickTime, which he says is accessible via Firefox (including the Windows version) and Safari.

From the interview:

Gruber: I suspect some people might read this and think it’s good news that your exploit “only” gains user-level privileges. But an exploit like this is potentially catastrophic in the hands of an attacker. With user-level privileges, an exploit can read, delete, or corrupt anything in the user’s home directory – more or less all of the user’s own data. Technically, root exploits are harder and more powerful, but practically speaking, user-level privileges are all that an attacker needs. Correct?

Dai Zovi: A remote root exploit is typically much harder to come by than a remote user privilege exploit. However, in general, local user to root exploits are simpler to find than remote user-privilege exploits. So, in general, it is reasonable to assume that once an attacker has local user access to a system, root is not difficult to obtain. One should also point out, that if the user privileges are an admin user, it is possible to write to /Applications/ and /Library/, and this access is quite damaging. On a (primarily) single-user machine like a laptop or desktop, even non-admin user-level privileges are enough for most attacks (reading data, corrupting running applications, etc).

Nobody should run an operating system as a single-user-only, nor should any OS be used that doesn’t have at least two levels of permissions (root/admin and user) to minimize harm to the entire system. This is one of the real shortcomings of Haiku (as it now exists) and one of the reasons I compared it to Windows95 earlier this week — it’s not a trivial matter if anyone can make system-wide changes by obtaining access locally or remotely.

Haiku Propaganda and… haiku

April 24, 2007

I may as well go scorched-earth since nobody has appreciated my positive comments about HaikuOS. Here are some ideas for peddling your little piece of BeOS.

  • Haiku – Insecure by Default!
  • Haiku – Almost as Safe and Stable as Win95!
  • Haiku – Sure, It Reboots Often — But It Reboots Quickly!
  • Haiku – So Easy to Crash a Kid from a Baltic State Can Do It!
  • Haiku – All Your Machines Are Belong to Latvia!
  • Haiku – Affronting Simplistic Poetry through Instability and Insecurity!
  • Haiku – The Last Two Syllables of A Seventeen Syllable Curse!
  • Haiku – Because Linux Already Works!
  • Haiku – Putting the BE Back in Weekend at BErnie’s!
  • Haiku – BeOS’ Ninth Life!

And I’d be remiss if I didn’t offer a little five-seven-five in the spirit of it all:

Haiku has a hole
That some teen from Latvia
Owns computers with.

Is computer on?
All your computers are BE-
long To Latvia.

Be-O-S, Zeta,
Haiku — same shit with same fate.
Nobody wants Be.

Be-O-S, Zeta,
Haiku — all the more reason
To use BSD.

Haiku is the best
Attempt yet to recreate
Windows 95.

Haiku has the same
Security features as
Windows 95.

I used Be-O-S
In the 1990s ‘fore
Haiku was around.

The true BE-lievers
Said Be-O-S’d save the world.
Haiku won’t take off.

How many users
Does Haiku really have, dude?
Fewer than Be had.

The world will adopt
Haiku when pigs grow six wings
And they f***ing fly.

Haiku only has
One vulnerability:
Nobody wants it.

Why build new Haiku
When you could have Amiga
Instead? Dumb. Dumb. Dumb.

Haiku Insecurity

April 24, 2007

I shouldn’t have wasted my time responding to one of the true believers at OSNews. My previous remarks about BeOS, Zeta, and Haiku aren’t personal — they’re specifically aimed at a handful of issues I think are relevant to the present and future of computing:

  • user adoption
  • application availability
  • technological relevance

Novelty may appeal to a certain breed of user, but it won’t work for the masses. No mass appeal, no application development; no applications, no mass appeal. Vicious circle. But the true believers just can’t see that so they blissfully work on their own little word processor wasting GSoC resources (waste = really bad priorities: your OS doesn’t have a functional network stack yet!).

I’ve also touched on a few issues with respect to technological relevance. One of them is scalability: Haiku OS is 16MB uncompressed. Cool. Linux is 6MB compressed. Linux is scalable, Haiku (thus far) isn’t. The future isn’t the desktop, the future is mobile. Linux is mobile, Haiku isn’t. Etc. Thus, Linux is relevant, Haiku isn’t.

Another issue of technological relevance is security. Sadly, Team Haiku’s goal for R1 doesn’t include much in the way of security. It will be single user — just like BeOS, just like Win95. It will have nil security from levels of permissions to affect system-wide changes, just like Win95 (but something MS dealt with in NT server and workstation editions and carried over to ME, XP, and Vista). So Haiku’s early adopters will be computing in circa 1995 environment where a local or remote exploit can result in full control of the computer on which it’s running. That isn’t going to increase the rate of immigration from other OSes — that’s a barrier to adoption. Why on earth would anyone go from one vulnerable OS (e.g., any flavor of Windows from ME on) that has regular security maintenance to one that has none? Or worse, why would they change to an OS that has a security level about 12 years behind what’s needed now?

Worse, I found this on

One I can definitely state as a major security risk is that you can call delete_area() with the ID of *any* area, even of the kernel, and delete it from any process.
When you do that with a kernel area, chances are you’ll quickly find out how quickly your system reboots.

Fortunately, Haiku boots in just a few seconds. That may not be of much use, though, when a Baltic nation grade-schooler has control of your Haiku computer.

Ease, Stability, Etc.

April 19, 2007

One of the Haiku fanboys at OSNews gave me a challenge:

Talk to me about the ‘ease’ of configuring certain parts of any GNU/Linux distribution you care to mention. Talk to me about stability, reliability issues, re-installing Windows, failed Linux installs etc.

About a month ago, I had two Linux distros (MepisLite and DamnSmallLinux) and NetBSD installed on the computer I’m using right now. This machine is the same one on which I used to run BeOS exclusively — 400 mhz Celeron, 128 MB RAM, not very flashy at all.

A month ago, I repartitioned my drive so I could enlarge my swap partition because I’m developing something that requires a lot more memory than I’m ever going to put in this little old computer (I need to update that page for a progress report). I reinstalled DSL 2.1b with a normal Debian-type install without apt-get support. This computer has ZERO downtime since the reinstall.

got yer stability right here, dude

So there’s your stability. No crashes and nearly a full month of uptime. Try that with Haiku.

How long did it take me to back up data, repartition my drive, clear out MBR, reinstall DSL, and get everything set up the way I want? Maybe half an hour tops, but I know what I’m doing. DSL is only 50 MB so installation goes quickly. It uses hardware detection scripts from Knoppix. It was a freakin’ breeze (as usual) — install, go. I also don’t have any goofy hardware because my rule of thumb is to buy hardware that doesn’t require any proprietary driver or that will give me headaches working in the operating systems I use (primarily Linux, BSD, and — very rarely — Windows XP). So there’s your ease of configuration.

I noted two things in my reply at OS News. First, that I’ve never had a “failed install” of Linux. That includes Slackware, Debian, Red Hat, Mandrake  (never tried it since it changed its name to Mandriva), or any derivatives of those (DSL, Mepis, Kubuntu, Knoppix, etc.). Second, there are plenty of distros that are easy enough to set up that even a BeOS user can set them up: Ubuntu and its offspring, PCLinuxOS, and Mepis have excellent hardware detection and will set up very quickly and easily for most Linux novices. There may be some quirky hardware that will give anyone fits, but that’s the kind of dross that shouldn’t be bought in the first place because it was only intended to work (locked in) with Windows or Mac.

Beating a Dead OS Again

April 6, 2007

The true believers at OSNews won’t give it up, so neither will I. How many BeOS servers are there on the Internet? Were there ever many?

I just did a quick run-through at netcraft to see if any Be-related sites actually run off Be-servers. No surprises. After all, Be is dead (RIP) and Haiku’s (a) not ready for prime time and (b) completely desktop-oriented. So much for it displacing Windows and Linux in the next two to five years, which was one of the more absurd responses I got at OSNews.

Haiku’s website is hosted on a Linux server. BeOS Radio’s site is hosted on a FreeBSD server. BeBits is hosted on a Linux server. is hosted on a Linux server. is hosted on a Linux server.’s site is hosted on Linux. When Netcraft last checked, the BeOS Max site was hosted on Linux. is hosted on Linux. is interesting. They’re currently hosted on FreeBSD, but have also been hosted on Windows servers.

Finally, I didn’t even know it was running, but the Be, Incorporated, website is up and hosted on Linux. The site only has shareholder information on it — hope y’all didn’t spend your 58-cents per share in one place.

There ya go, true Believers. That’s how relevant you are in the real world.

More on BeOS/Cast Out the Heretic!

April 5, 2007

I know loyalties can run pretty deep but I never imagined I would wear out my welcome at OSNews so quickly. It’s a little disheartening considering I attempted an approach that sought to avoid a “my OS is better than your OS” skirmish by pointing out my respect for BeOS’ technical merits and my admiration for those working on Haiku. It’s not surprising, though, that someone would respond like this as if I’m trying to rob him of his joy or that this is an all-or-nothing battle for the “souls” of computers:

What are you afraid of, that Linux will lose the battle? You like Linux so much, then stick with it and let the rest of us enjoy BeOS/Haiku.

Well, I do use Linux for the most part. I also use OpenBSD and Windows XP (very rarely for work), and I have an old computer with NT Workstation that never gets used anymore. For a long time, I ran BeOS PE on this very computer and even added a BeOS partition to the NT computer. I’m not tied to any single operating system. I’m no fanboy, I’m no zealot. I have no fear of Linux “losing” anything, nor do I fear Haiku or any other OS ascending in usage. I just doubt that’s going to happen. (See below: I’ve heard this tired refrain for years. How long will you sing it while the rest of the world passes you by?)

I suppose shit is always going to hit the fan when pointing a true believer to facts and a reality he or she just won’t face. BeOS is dead. Blue-Eyed OS is dead. Cosmoe is dead. PhOS was never supposed to be released, but is dead. Zeta may or may not have been legally developed, but it’s dead. All of it’s dead because there wasn’t enough interest for any of it to be feasible from a business stand point or even from a hobbyist’s/ free developer’s standpoint. You can whine all you want about “what might have been” — the problem is things didn’t go that way. It’s called reality. Are you in touch with it?

BeOS was abandoned (dead!) in 2001; had it continued to today, then it would have been a different story.
— tonestone57

I don’t care for such circular reasoning or impractical hypotheticals. It’s not a different story because it didn’t happen the way you wish it had. Things turned out very badly for Be, for BeOS, and for BeOS fans.

So that leaves the world with Haiku. I wrote that I admire Haiku. I also know its current limitations, which I believe will have a bearing on future limitations (as it relates to adoption). Guess some people don’t care to hear or accept them. Fine, keep your blinders on and remain so blind to reality that you see only the “potential” without getting bogged down in details like these:

  • It lacks a fully functional network stack.
  • It can’t run on its own yet.
  • It’s not scalable.
  • It’s destined for the desktop with no roadmap to mobility.
  • There’s no groundswell of interest in it outside those who’ve used BeOS.

It’s also way behind Windows, Linux, and Mac in every single one of  those measures — not to mention the measure of user adoption.

I think Haiku will make it, but won’t happen in 2 years, but take something like 5 years to start being noticed *and* Linux / Windows will lose users to Haiku. 
— tonestone57

This is like a broken record I’ve heard before. It first came from Be and from the Be Users Group — I was a member in the ’90s, but I wasn’t a true believer. I heard it all. Seems like yesterday. I kept waiting for it to happen — the impending wildfire when everyone suddenly would wake up and realize BeOS was technically better than Windows, remarkably easier to configure than Linux, and cheaper than a Macintosh. It never came.

It didn’t seem to matter to the true believers that BeOS never really had “mature” applications, that it wouldn’t work with stuff like that old handheld scanner, that it lacked support for even much of the new hardware it was designed to work with, and that no matter how clever and cute it was Be, in the end, couldn’t even give it away for free.

What relevance can something designed for the desktop have in the wireless age, where mobility counts? What will Haiku offer that isn’t already accomplished with other mainstream operating systems, including Linux?

The answer is the same to both those questions. Nothing. None. Nada.

The people I met at my BUG have moved on, grown up. Most of the people I still keep in touch with and see regularly went back to Macs (all the true believers are now back in the Mac cult). Some are using Linux. A few use Windows. Nobody uses Be, at least they’re not openly admitting it. Nobody’s clamoring for Haiku beyond those who stubborn few who’ve clung to the hope that BeOS would be resurrected and made relevant again.

Only one problem. It never really was relevant.

BeOS Spin-off Bites the Dust

April 4, 2007

This is a longer rant than I intended to make. I was going to write about this last week when the news was breaking that Zeta, which purported to be the legal offspring of BeOS, had (again) bitten the dust. I decided, though, it was too trivial to mess with. BeOS hasn’t been important for years. It won’t ever be.

As much as I liked BeOS — its speed and responsiveness, its fresh approach, its novelty, and being ahead of its time with its journaled file system, being oriented for multimedia, etc. — I understood the reality that it was built on a poor business model that really put all its eggs in one basket (trying to sell or license to Apple for the Mac). I haven’t been surprised that Palm or anyone else didn’t try to resurrect it because the demand just wasn’t there for it. The nails were in the coffin the day Steve Jobs returned to Apple and OS X’s development was tied to Mach/NeXT.

I replied to some questions while ago at OS News about why Access, the company claiming it owns the old Be intellectual properties, didn’t go after the small-time players involved in Zeta or other projects. In a nutshell, because there really was no financial interest to protect and no financial incentive to go after those involved in Zeta’s development or distribution.

From a business point of view, it’s no surprise Be withered and died and that Palm never even tried to improve it. It would have cost them more and it wouldn’t have ever paid for itself. From a business point of view, it’s no surprise others have failed — and at least as miserably — when trying to resurrect Be. Zeta went through two different distributors in recent months. The business reality finally hit the fan and it appears to be dead. (For now anyway. I have no doubt someone else will either try again or attempt to license or buy the Be IP from Access. They’ll fail, too.)

Looking at it from a technical point of view doesn’t address the business issues in the whole saga. It never caught on with enough people for anyone to make money with it. Changing personnel or distribution channels won’t change the economics. For all its appeal, it was a niche OS.

I’ll admit my admiration for those who’ve tried to recreate an open source BeOS-like environment. Some of the projects, though, only replicated the interface of BeOS — using a Linux kernel with Be-like icons doesn’t translate into the Be API, Tracker, etc. It was still Linux.

Haiku is getting closer to being a legitimate operating system. I haven’t tried it because I haven’t cared to mess with it until it’s mature enough that it can load into its own partition and be booted on its own. I follow its development, but I’m happy using Linux.

I wish Haiku lots of success. I know there’s a loyal group of ex-Be (and many still using it) users who’ll love it. I’m not convinced, though, that it’s the better mousetrap to which everyone will be drawn. The future isn’t on the desktop, it’s in wireless devices.

And I think that’s one of the great ironies: Be paid no homage to the past with support for legacy hardware — BeOS was intended only for current hardware. In recreating an open source BeOS, will Haiku be relevant to our increasingly smaller wireless future or will it be relegated to our increasingly archaic desktops?