[openbeos] Re: BeOS/Zeta is (not) immune to attacks

  • From: "Ryan Leavengood" <leavengood@xxxxxxxxx>
  • To: openbeos@xxxxxxxxxxxxx
  • Date: Fri, 5 Jan 2007 16:20:09 -0500

On 1/5/07, Niklas Nisbeth <noisetonepause@xxxxxxxxx> wrote:
> This was widely reported on BeOS news sites, but I wanted to just
> throw it out here. While security is obviously not going to be a big
> issue in the real world any time soon, I think these issues need to be
> looked at and addressed BEFORE we achieve world-domination, so we can
> send the black hats & script kiddies to /dev/null from day 1. Some of
> the points Maurice makes are good...
>
> http://maurice.kaldience.com/?p=21

As I posted on his site in a comment to this article, Maurice's
examples are pretty bad (in my opinion.)

Both problems assume that the malicious code already has full access
to the given machine, meaning it is already running on it. That
requires user action and given those requirements I imagine every
operating system in existence could have similar "security holes."

Heck, a simple shell script containing "rm -rf ~/" could cause havoc on
plenty of systems if clicked in an email client.

> And while we're at the security discussion, can I just reiterate a
> point I make whenever I get the opportunity: People talk about
> multi-user as though it's the holy grail of computer security, and
> that you must have it for your systems to be secure. I'm not
> convinced: all the stuff that's actually important to me is in my home
> folder; that's the stuff I do backups of, and that's what I'd miss if
> it was erased. Multi-user doesn't change that, programmes I run can
> still erase my home folder, there's no check there. Rendering my
> system unbootable by wiping /boot/beos is a nuisance at best if I have
> an installation CD. I don't think rm -r /boot/beos/* is something we
> need to be concerned with, but rm -r /boot/home/* is a *very* big
> issue.

After reading about Mac OS X Leopard's Time Machine software, I've
thought about making a very simple and easy to use BeOS/Haiku backup
system which might alleviate some of your concerns.

Because given the kind of access Maurice describes, the only solution
is constant and annoying dialog boxes from the operating system saying
things like "Application X is trying to delete some files in your home
directory. Should this be allowed?"

After a while of those coming up, most users start to ignore them and
automatically click "Yes." Or they turn them off (which should always
be an option.)

Still we should certainly think about security issues and try to come
up with REAL security flaws based on the internal knowledge many of us
have of the system.

Regards,
Ryan
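As an added example (not code from this thread, from BeOS or from Haiku), the kind of Time Machine-style snapshot backup Ryan mentions, written for a POSIX shell: each run creates a new snapshot directory in which files unchanged since the previous snapshot are hardlinked rather than copied, so a wipe of the live home folder leaves every earlier snapshot intact. The function name, argument layout and snapshot naming are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardlinked snapshot backups of a home folder.
# Assumes a POSIX shell with cp, cmp, find, ln, ls, mkdir and sort.

# latest_snapshot ROOT
# Prints the name of the most recent snapshot under ROOT (names must
# sort chronologically, e.g. a timestamp), or nothing if there is none.
latest_snapshot() {
    ls -1 "$1" 2>/dev/null | sort | tail -n 1
}

# snapshot SRC ROOT NAME
# Creates ROOT/NAME mirroring SRC. A file whose content is identical to
# the copy in the previous snapshot is hardlinked to it (no extra disk
# space); new or changed files are copied with their timestamps.
# Returns 0 on success, non-zero if the snapshot directory cannot be made.
snapshot() {
    src=$1; root=$2; name=$3
    dest="$root/$name"
    prev=$(latest_snapshot "$root")      # determined before creating dest
    mkdir -p "$dest" || return 1

    # Recreate the directory tree first (find prints "." as well).
    ( cd "$src" && find . -type d ) | while IFS= read -r d; do
        mkdir -p "$dest/$d"
    done

    # Link unchanged files to the previous snapshot, copy the rest.
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do
        if [ -n "$prev" ] && [ -f "$root/$prev/$f" ] \
           && cmp -s "$src/$f" "$root/$prev/$f"; then
            ln "$root/$prev/$f" "$dest/$f"
        else
            cp -p "$src/$f" "$dest/$f"
        fi
    done
}

# Usage: snapshot /boot/home /Backups/home "$(date +%Y%m%d-%H%M%S)"
```

Snapshots only help against the scenario in the thread if they live somewhere the program doing the deleting cannot reach, such as a separate volume or a directory the user's processes cannot write to; a snapshot tree inside the home folder itself goes down with it.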
