There are many ways to judge if an operating system has made it to the big leagues, and one of the more unpleasant ones is the availability of malware. Haiku, the increasingly capable and daily-driveable successor to BeOS, is now officially a mainstream operating system, as it just had its first piece of malware.
HaikuRansomware is an experimental ransomware project designed for educational and investigative purposes. Inspired by the art of poetry and the challenge of cryptography, this malware encrypts files with a custom extension and provides a ransom note with a poetic touch. This is a proof of concept aimed to push the boundaries of how creative ransomware can be designed.
↫ HaikuRansomware’s GitHub page
Now this is obviously a bit of a tongue-in-cheek, experimental kind of thing, but it’s still something quite unique to happen to Haiku. I’m not entirely sure how the ransomware is supposed to spread, but my guess would be through social engineering. With Haiku being a relatively small project, and one wherein every user runs as root – baron, in BeOS parlance – I’m sure anything run through social engineering can do some serious damage without many guardrails in place. Don’t quote me on that, though, as Haiku may have more advanced guardrails and mitigations in place than classic BeOS did.
This proof-of-concept has no ill intent, and is more intended as an art project to highlight what you can do with encryption and ransomware on Haiku today, and I definitely like the art-focused approach of the author.
“This proof-of-concept has no ill intent, and is more intended as an art project to highlight what you can do with encryption and ransomware on Haiku today,”
WAT
Based on how many I get, I would think that most social engineering starts out as untargeted cold calls telling people to go to the computer and download remote access tools. I suspect the “hit” rate is quite low, but evidently some people do fall for them. The scammers seem to stay in business.
I’ve noticed that many have adopted IVR technology to automate a few prompts to screen victims before involving a human operator. That undoubtedly helps cast a much wider fishing net, but the “quality” is bad and most people will be alerted to the fact of the scam. I think AI is going to be the future of scam calls: very human-like interactions using native accents will help hook more victims. People should always be wary of giving away bank details to someone who called them, but people are just too trusting.
If I received a cold call asking me to log in to my Haiku desktop – I’d want to speak to the person on the other end out of curiosity about what the heck was going on, haha.
The only one I’ve seen work in the last 10 years with 40 people I work with was a fake Teams site that asked the user to log in… it looked like someone else at the company had sent them a file.
Definitely agree on the AI point… anything you can do to make your scam appear or sound more legit increases your chances I am sure.
And more often than not, looking at the email domain would be a dead giveaway. Or their email was compromised. Or their domain didn’t have proper security enabled and allowed for spoofing.
Big phishing vector I see is “voicemails” or “remittances” constantly in the server quarantine.
I am under the impression that a majority of hacking is state sponsored. Sounds to me like life could be simpler for everyone if we simply choose to live in peace.
Sysau,
I don’t know if there’s any way to confirm it, but that’s probably true. Most governments are guilty: US, UK, China, Israel, Russia, North Korea, etc…
Sometimes we know the actors behind them, other times we can only guess if they were used maliciously. All major platforms can be targeted.
https://en.wikipedia.org/wiki/EternalBlue
https://en.wikipedia.org/wiki/Shellshock_(software_bug)
https://www.csoonline.com/article/562859/the-heartbleed-bug-how-a-flaw-in-openssl-caused-a-security-crisis.html
en.wikipedia.org/wiki/XZ_Utils_backdoor
arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/
…
It’s never ending.
On the positive side, these actors will want to use their exploits at least somewhat conservatively since mass surveillance would “out” themselves rather quickly. Besides, corporations can accomplish much of the mass surveillance without any hacks at all, they just take the data out the front door.
“Why can’t everyone just get along” isn’t a bad philosophy in principle, but unfortunately in the real world it’s advantageous to gain the tactical advantage via hacking. And there’s no incentive to stop. Laws and even constitutions are just documents that governments secretly (or openly) ignore without consequence. Nobody ever gets prosecuted for those crimes, in fact it’s the whistleblowers who risk prison.
Not about Haiku, but really recent news on browser vulnerabilities, Mozilla just patched some critical FF vulnerabilities that were apparently being used in the wild.
https://www.mozilla.org/en-US/security/advisories/mfsa2024-55/
It’s a “use after free” memory bug. Everybody should update.
This follows different vulnerabilities found in Chrome.
https://www.securityweek.com/google-patches-critical-chrome-vulnerability-reported-by-apple/
https://thehackernews.com/2024/10/lazarus-group-exploits-google-chrome.html
We really need to start demanding memory safe software from all critical vendors. Too often vendors fix an instance of a bug and move on without addressing the root causes. There’s tons of resistance to replacing C, many don’t want to throw out C code that works, but the reality is these C vulnerabilities have been going on for decades. We must recognize that this will keep on happening regardless of vendors promising to do better. Even experienced devs suffer from information overload in large projects. We should not be using programming languages that require manual validation of pointers and scopes… it’s time we switch to languages that stop code with invalid memory access semantics from getting compiled in the first place.
Ironic considering Mozilla created Rust. You would think they would have converted more of FF to Rust rather than just kinda sit on it.
cb88,
Yea. I don’t follow Mozilla development closely. Some parts are implemented in Rust, but most of the browser hasn’t made the transition yet.
https://4e6.github.io/firefox-lang-stats/
Even for Mozilla, converting may just take a long time. They also rely on 3rd party software, which I assume is all C/C++.