Linked by Thom Holwerda on Fri 5th Jan 2007 20:11 UTC, submitted by sogabe
Zeta MauriceK writes about security in the ZETA operating system. Apparently magnussoft, sole distributor of ZETA, makes security claims [on the German version] that with ZETA "it is not possible to examine a system from the outside without notifying the user due to the architecture of this software." MauriceK seems to think differently, and even gives examples on how code can be executed without the user's knowledge in ZETA. In related news, BeUnited is no more. Instant update: the discussion concerning security just made its appearance on the Haiku m-l.
Not secure
by Eugenia on Fri 5th Jan 2007 21:20 UTC
Eugenia Member since:
2005-06-28

Zeta and BeOS were never that secure. It was not developed as a secure OS and the engineers never paid any attention to security in any major way. In fact, I still remember how the BeOSTipsServer site, which ran on a BeOS web server, was hacked within 20 minutes after a bet. Magnussoft doesn't know what they are talking about.

Reply Score: 1

RE: Not secure
by nelvana2005 on Fri 5th Jan 2007 22:42 in reply to "Not secure"
nelvana2005 Member since:
2005-07-29

I think that you are right.
But Zeta (as well as BeOS) is an OS where all ports are closed after the installation. If I do not start any server (e.g. an ssh or a telnet server) and if I do not install any piece of software from "alien" software repositories, why should this Zeta be "unsecure"?
O.k., there are other factors like an outdated Firefox browser or a few old graphics libraries (libtiff, libpng).
But how realistic are Maurice K's scenarios? How could a cracker break into Zeta without the user's interaction or "help"?

Reply Parent Score: 1

RE[2]: Not secure
by molnarcs on Sat 6th Jan 2007 14:36 in reply to "RE: Not secure"
molnarcs Member since:
2005-09-10

"But Zeta (as well as BeOS) is an OS where all ports are closed after the installation."

That doesn't make it secure. In fact, much depends on what you mean by "closed". Closed ports simply mean that there are no applications listening on a port, though they could open at any time. Open means that an application is listening on a port for connections or packets. Any OS that ships without active services listening for incoming connections has all ports closed by default. That does not mean they are secure. Of course, using a firewall helps inasmuch as it slows down port scans (your ports are not simply "closed," but filtered, which means that port scanners cannot determine their state), but port scans are looking for vulnerable applications running on open ports.

"If I do not start any server (e.g. an ssh or a telnet server) and if I do not install any piece of software from "alien" software repositories, why should this Zeta be "unsecure"?
O.k., there are other factors like an outdated Firefox browser or a few old graphics libraries (libtiff, libpng).
But how realistic are Maurice K's scenarios? How could a cracker break into Zeta without the user's interaction or "help"?"


They are very realistic. User's help or interaction: the difference might be huge, depending on what you mean by these terms. Firefox is more secure than IE 6.x b/c it warns if something nasty tries to find its way to your computer. Disregarding these warnings is actively helping the cracker. However, we constantly interact with our computer, and what Maurice proves is that by mere interaction (not actively disregarding warnings) a cracker can break _easily_ into Zeta. What I gather from this post is that Zeta's security is on par with Win98.

Edited 2007-01-06 14:39

Reply Parent Score: 2
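The open / closed / filtered distinction drawn in the comment above, shown on the loopback interface of your own machine. This is an added example, not part of the original thread; the function names `probe` and `demo` are hypothetical, and the "filtered" branch assumes a firewall that silently drops packets so the connect attempt times out.

```python
import errno
import socket


def probe(host, port, timeout=0.5):
    """Classify one TCP port as open, closed or filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))
    except socket.timeout:
        return "filtered"      # no answer at all within the timeout
    finally:
        s.close()
    if rc == 0:
        return "open"          # an application is listening and accepted
    if rc == errno.ECONNREFUSED:
        return "closed"        # the host answered with a reset: nothing listens
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return "filtered"      # packets dropped, state cannot be determined
    return "error: " + errno.errorcode.get(rc, str(rc))


def demo():
    """Show that the same port flips from open to closed with its listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()                  # the "server" is stopped
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
```

A port is "closed" only for as long as no program binds it, which is why a default install with no listeners says nothing about what happens once any program on the machine opens one.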

RE: Not secure
by rayiner on Fri 5th Jan 2007 23:00 in reply to "Not secure"
rayiner Member since:
2005-07-06

BeOS security was a step ahead of the other desktop competition when Microsoft was shipping a Win9x kernel and Apple was shipping System 8, but that was a decade ago. The only major thing that BeOS R5 had over those OSs was protected memory. Otherwise, it was a single-user system with no permissions checking to speak of. Quite a far cry from either the NT, BSD, or Linux kernels...

Edited 2007-01-05 23:01

Reply Parent Score: 2

RE[2]: Not secure
by helf on Sat 6th Jan 2007 14:25 in reply to "RE: Not secure"
helf Member since:
2005-07-06

dude, Windows 95 has/had protected Memory. and I dare say it did a better job of it than BeOS ever did. And this is coming from a (ex)BeOS lover.

Reply Parent Score: 2

RE: Not secure
by Valhalla on Fri 5th Jan 2007 23:16 in reply to "Not secure"
Valhalla Member since:
2006-01-24

Eugenia wrote:
-"Zeta and BeOS were never that secure. It was not developed as a secure OS and the engineers never paid any attention to security in any major way."

of course not, security was not exactly a major focus in desktop os'es back then. nor was the internet as hostile.

Zeta builds on the Dano code iirc, so unless they've made a lot of security oriented changes it is likely just as (un)safe as BeOS was.

that said, the statement was -"it is not possible to examine a system from the outside without notifying the user due to the architecture of this software." all the examples from MauriceK were of abuses from the inside, in other words, it requires user action, like executing a malicious program. if he had shown examples that remotely connected and executed code on a zeta machine then it would have made some sense in this context.

Reply Parent Score: 4

RE[2]: Not secure
by molnarcs on Sat 6th Jan 2007 14:56 in reply to "RE: Not secure"
molnarcs Member since:
2005-09-10

"the statement was -"it is not possible to examine a system from the outside without notifying the user due to the architecture of this software." all the examples from MauriceK were of abuses from the inside, in other words, it requires user action, like executing a malicious program. if he had shown examples that remotely connected and executed code on a zeta machine then it would have made some sense in this context."

The vast majority of security issues with WinXP is due to attacks from the inside, malicious code that found its way to your hard-drive. The statement Maurice set out to debunk is completely bogus. You can make the same claim of any OS, including win98 ;) ... until you run an application that has a remote code execution vulnerability. Or what about portscans - you can use nmap to scan a Zeta machine, which surely qualifies as an examination from the outside ;) But jokes aside, what Maurice shows is that due to the "architecture of this software," it is very very easy to hide malicious software on the system without the user having any chance to notice them. Of course this depends on user-interaction, and once the code is on your puter, it qualifies as an "inside" attack vector, but still, the original statement is false (as in meaningless), and its only purpose is to lull users into a false sense of security.

Reply Parent Score: 2