New Sandbox Framework For Chromium Released

← Back to Stories (view on slashdot.org)

New Sandbox Framework For Chromium Released

Posted by Soulskill on Friday August 13, 2010 @08:04AM from the spicy-security dept.

Trailrunner7 writes "As applications have become more and more complex in recent years and Web browsers have evolved into operating systems unto themselves, the task of securing desktop environments has become increasingly difficult. And while there's been quite a bit of innovation on Windows security, advances in Unix security have been less common of late. But now, a group of researchers from Google and the University of Cambridge in England have developed a new sandboxing framework called Capsicum, designed specifically to provide better security capabilities on Unix and Unix-derived systems (PDF). Capsicum is the work of four researchers at Cambridge and the framework extends the POSIX API and introduces a number of new Unix primitives that are meant to isolate applications and users and handle rights delegation in a better way. The research, done by Robert N.M. Watson, Ben Laurie, Kris Kennaway and Jonathan Anderson, was supported by Google, and the researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."

109 comments

Min score:

Reason:

Sort:

Chromium Browser? by Flea+of+Pain · 2010-08-13 08:10 · Score: 1, Insightful

Is this supposed to be the Google Chrome browser? Or do they mean literally a browser in their upcoming OS Chromium?

--
Do not argue with an idiot. He will drag you down to his level and beat you with experience.
1. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 08:11 · Score: 3, Informative
  
  Chromium is the community project from which Google Chrome is derived.
2. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 08:13 · Score: 0
  
  No, it's about the vertical scrolling shoot-em-up game.
3. Re:Chromium Browser? by xMilkmanDanx · 2010-08-13 08:13 · Score: 2, Interesting
  
  The browser. TFA states somewhat incoherently that it isolates javascript execution and if google is using javascript in their OS, their not google.
  
  --
  I am not in anyway affiliated with Max Cannon
4. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 08:15 · Score: 3, Informative
  
  Is this supposed to be the Google Chrome browser? Or do they mean literally a browser in their upcoming OS Chromium?
  Last line of the summarized article:
  
  he researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."
  Third link from Google, third party description.
  
  Chromium Web Browser
  
  I'm relatively new here. Is this how most people are on this site?
5. Re:Chromium Browser? by Captain+Splendid · 2010-08-13 08:20 · Score: 4, Informative
  
  I'm relatively new here. Is this how most people are on this site?
  
  Yes, it's considered SOP not to read TFA around here. The real hardcore don't even bother reading TFS either.
  
  --
  Linux, you magnificent bastard, I read the fucking manual!
6. Re:Chromium Browser? by xMilkmanDanx · 2010-08-13 08:26 · Score: 3, Informative
  
  The REALLY really hardcore don't even bother reading the comment they're responding to
  
  --
  I am not in anyway affiliated with Max Cannon
7. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 08:28 · Score: 0
  
  I guess that means you're not REALLY really hardcore.
8. Re:Chromium Browser? by spoilsportmotors · 2010-08-13 08:30 · Score: 5, Funny
  
  I'm astounded that you - or anybody else would agree with RIAA's heavy handed tactics. For shame.
9. Re:Chromium Browser? by xMilkmanDanx · 2010-08-13 08:31 · Score: 1
  
  ah the dangers of cough syrup and slashdot... that should be they're, not their
  
  --
  I am not in anyway affiliated with Max Cannon
10. Re:Chromium Browser? by bhcompy · 2010-08-13 08:33 · Score: 1
  
  While I can't decipher what this article is referring to in particular, Chromium is the base for Chrome. Think of it as the development platform. Everyone should be using Chromium instead of Chrome because Chromium doesn't have the built in usage tracking that Chrome has
11. Re:Chromium Browser? by egcagrac0 · 2010-08-13 08:34 · Score: 1
  
  There, there - it's all right. I'm sure everyone knew what you meant.
12. Re:Chromium Browser? by SanityInAnarchy · 2010-08-13 08:36 · Score: 1
  
  You mean, the usage tracking which can be turned off with a single checkbox? And that's somehow harder than, say, installing ffmpeg and friends to get video working in Chromium?
  
  --
  Don't thank God, thank a doctor!
13. Re:Chromium Browser? by DIplomatic · 2010-08-13 08:39 · Score: 1
  
  I completely agree that POTUS is off his rocker with this latest linux distro and there is nothing wrong with the metric system! Now if you'll excuse me, I'm off to finish porting NES ROMS to a Timex watch running OpenBSD. Cue Apple fanboys in 3......2.......1......
14. Re:Chromium Browser? by Tumbleweed · 2010-08-13 08:50 · Score: 4, Informative
  
  The REALLY really hardcore don't even bother reading the comment they're responding to
  I like pie.
15. Re:Chromium Browser? by Raenex · 2010-08-13 08:55 · Score: 1
  
  The real problem is Chrome is not open source. It's a proprietary, binary blob that is based on open source. If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.
16. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 08:55 · Score: 0
  
  Chromium also doesn't auto-update, decode H264 (as you mentioned), update Flash, or include Google's PDF implementation. Not a deal-breaker, but without those features I would go back to Firefox.
17. Re:Chromium Browser? by Spewns · 2010-08-13 09:06 · Score: 1
  
  I guess that means you're not REALLY really hardcore.
  Neither are you.
18. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 09:26 · Score: 0
  
  Their, they're - it's all right. I'm sure everyone knew what you meant.
  ftfy
19. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 09:30 · Score: 0
  
  If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.
  This sentence is plain stupid. It's implying that people who use Windows' Chrome build don't use IE because it's closed source. They don't use IE because it sucks! IE's standards compliance has improved somewhat, but its UI is still utterly atrocious. Most people have no problem using Opera or Safari; I think they would love it if Microsoft released a Chromium-based browser... it would be a large improvement over Trident/IE.
20. Re:Chromium Browser? by bhcompy · 2010-08-13 09:31 · Score: 1
  
  Which is the crux of the problem. I don't want or need google's tracking built in(among whatever else they have in it) even if I have the option to turn it off. Chromium works fine, Chromium Updater exists for updating it, and it works very well.
21. Re:Chromium Browser? by Raenex · 2010-08-13 09:41 · Score: 1
  
  This sentence is plain stupid. It's implying that people who use Windows' Chrome build don't use IE because it's closed source.
  I wasn't implying that. I used Microsoft as an example of a company that wouldn't get a free pass for releasing an "open source" browser consisting of a proprietary binary based on an open source base.
22. Re:Chromium Browser? by bhcompy · 2010-08-13 09:43 · Score: 1
  
  Realistically, you should be using Firefox anyways since Chrome doesn't support the hooks that NoScript needs to work, and NoScript is required(imho) for any power user(which everyone on Slashdot should be, or used to be). As far as the rest, there are ways available to put native PDF/flash support in Chromium, support H264, and update. The benefits of open source
23. Re:Chromium Browser? by Lennie · 2010-08-13 10:15 · Score: 1
  
  Hint, you don't need to read any comments if you get first post. :-)
  
  --
  New things are always on the horizon
24. Re:Chromium Browser? by Lennie · 2010-08-13 10:17 · Score: 1
  
  The problem ofcourse is, while it wasn't intentional, it does contain the code. :-)
  http://www.osnews.com/story/23670/Chromium_Sends_Data_to_Google_Turns_Out_It_s_a_Regression
  
  --
  New things are always on the horizon
25. Re:Chromium Browser? by roman_mir · 2010-08-13 10:35 · Score: 0, Offtopic
  
  OMG PONIES!
  
  --
  You can't handle the truth.
26. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 10:39 · Score: 0
  
  Except that Chromium isn't just a part of a browser, it's the full-fledged browser codebase. Chrome's additions are licensed material they have no right to release (PDF) or additions that hit their webservers hard (binary updates). I don't know why Chromium is missing the Google syncing/assistance services -- probably to encourage third-party developer adoption, similarly to how the Android OS codebase does not depend on Google; if it did, companies would not use it.
27. Re:Chromium Browser? by gmiernicki · 2010-08-13 10:52 · Score: 1
  
  So, I was playing my penis and decided... HEY! I'll just go onto /. and post about it in a comment box!
28. Re:Chromium Browser? by Raenex · 2010-08-13 11:01 · Score: 1
  
  And I am not implying that Chromium isn't a full browser. My only point is that Chrome is a proprietary, binary blob, and as such not open source. Whatever excuses Google might have for that is no better than any excuses Microsoft might put forth if they had released a similar browser. If you care about open source, then you should know that Chrome is not open source.
29. Re:Chromium Browser? by quickOnTheUptake · 2010-08-13 11:33 · Score: 0, Offtopic
  
  how did this not get modded up?
  
  --
  Mod points: Guaranteed to remove your sense of humor.
  Side effects may include gullibility and temporary retardation
30. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 11:50 · Score: 0
  
  Chromium is not quite the same as Chrome:
  http://en.wikipedia.org/wiki/Chromium_(web_browser)
31. Re:Chromium Browser? by SanityInAnarchy · 2010-08-13 12:02 · Score: 1
  
  If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.
  Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight. And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?
  Now, consider the unfortunate alternative -- if Chromium was the only version, there'd be a scary process -- no matter how streamlined, it'd still have to present the user with scary legal warnings -- to get h.264 working, which, unfortunately, is needed for good HTML5 video support.
  
  --
  Don't thank God, thank a doctor!
32. Re:Chromium Browser? by SanityInAnarchy · 2010-08-13 12:05 · Score: 1
  
  Whatever excuses Google might have for that
  You mean, actual legal reasons?
  
  no better than any excuses Microsoft might put forth
  "Excuses" Microsoft has used in the past include "Open source is less secure because people can see the source."
  
  If you care about open source, then you should know that Chrome is not open source.
  Caring about open source doesn't mean I demand it for absolutely everything. The fact that Chrome is almost entirely based on Chromium tells me two things: First, that Chromium is there waiting for me if Chrome ever becomes a problem, and second, Chrome isn't likely to have anything particularly evil attached to it.
  
  --
  Don't thank God, thank a doctor!
33. Re:Chromium Browser? by SanityInAnarchy · 2010-08-13 12:09 · Score: 1
  
  Why does it bother you that it's there, although you can turn it off? That's a bit like complaining that it has a back button, even if you never use back buttons -- do you actually need it to not be compiled in?
  I mean, if you do, that's one of the perks of a source distro like Gentoo, but it seems like a waste to me.
  
  --
  Don't thank God, thank a doctor!
34. Re:Chromium Browser? by SanityInAnarchy · 2010-08-13 12:15 · Score: 1
  
  Chrome doesn't support the hooks that NoScript needs to work,
  Which hooks would those be? In particular, if Adblock Plus can work, why can't NoScript?
  
  NoScript is required(imho) for any power user(which everyone on Slashdot should be, or used to be).
  No thanks, I'd much rather have a blacklist than a whitelist, for several reasons. One is that I like to be aware of the kind of crap each website is offering to the layman -- for example, I try to avoid websites that use Kontera and the like, rather than trying to make them tolerable.
  Another is that when scripting is enabled, a site can progressively enhance itself to actually improve the experience. As I understand it, the NoScript theory is that I can selectively enable scripting on sites that need it to work -- but how would I know a site would work better with scripting enabled, if I don't first view it with scripting enabled? If the scripts are a problem, that's what Adblock is for.
  As for my power user credentials, when I first set up Gentoo, it took at least a week, likely longer, until I had a working GUI. During this time, I used GPM and Lynx. I'm still generally not happy if a website doesn't work with Lynx, and I have used Lynx occasionally since.
  But that doesn't mean I'm going to, say, surf with images off until I think I need them. I'd much rather give the website the benefit of the doubt.
  
  --
  Don't thank God, thank a doctor!
35. Re:Chromium Browser? by Danieljury3 · 2010-08-13 12:17 · Score: 1
  
  I love that game http://chromium-bsu.sourceforge.net/
36. Re:Chromium Browser? by foniksonik · 2010-08-13 13:02 · Score: 1
  
  Hmm sorry, don't need noscript. I have a good hosts file. Pretty sure that trumps your power user argument and let's me use any browser I want.
  
  --
  A fool throws a stone into a well and a thousand sages can not remove it.
37. Re:Chromium Browser? by Raenex · 2010-08-13 13:35 · Score: 1
  
  Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight.
  Actions speak louder than words. Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering. Trusting Google because of their motto is ridiculous.
  
  And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?
  What are you proposing? To do a binary diff between the compiled open source version and Google version? Followed by disassembling and analyzing the diff, probably without debugging symbols? That would be a major pain in the ass, even if the two binaries were the largely the same, which I doubt would be the case anyways.
  
  Now, consider the unfortunate alternative -- if Chromium was the only version, there'd be a scary process -- no matter how streamlined, it'd still have to present the user with scary legal warnings -- to get h.264 working, which, unfortunately, is needed for good HTML5 video support.
  Firefox seems to manage. Besides, I'd prefer people actually be informed of the patent bullshit they're paying for, in one way or another. Perhaps Google could help by using non-patented formats on YouTube. Also, H.264 legal issues don't explain why Google tracking is part of the proprietary binary version.
38. Re:Chromium Browser? by Anonymous Coward · 2010-08-13 16:01 · Score: 0
  
  Over time, my husband will desire me less sexually, but he will always enjoy my pies.
39. Re:Chromium Browser? by SanityInAnarchy · 2010-08-13 17:26 · Score: 2, Interesting
  Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering.
  Microsoft's evil also involves outright lies, and the concept of "FUD" was pretty much invented, I suspect, to describe Microsoft.
  Google, by contrast... "Big Brother"? Have you read 1984? Google likes to gather information, yes -- and like Facebook and everyone else, they only gather information from people who willingly donate said information, or from information already in public spaces.
  Unlike Facebook and everyone else, they have a track record of, in the very worst example I'm aware of (wireless snooping), gathering more information than people think they should -- by accident. By contrast, Facebook employees have been known to casually browse people's private information, and otherwise abuse user data.
  
  What are you proposing? To do a binary diff between the compiled open source version and Google version? Followed by disassembling and analyzing the diff, probably without debugging symbols?
  Actually, I was proposing to wait and see, or to observe the behavior of the browser itself, and then disassemble and otherwise reverse engineer the parts that look suspicious.
  
  Firefox seems to manage.
  By having, say, youtube.com/html5 not work at all. Yeah -- they "manage" by not supporting, either directly or through any sort of extension framework, the most popular video site on the planet. Surprisingly, Safari seems to be the only browser taking a sane approach -- they delegate to QuickTime, which is essentially the OS X media framework, and support any codecs they find, so there's nothing stopping users from installing theora codecs if they like.
  Of course, one of the results of this is that YouTube has further incentive to continue to use Flash, because Flash works in Firefox, but HTML5 with h.264 doesn't. Which do you think is the lesser of two evils?
  
  Perhaps Google could help by using non-patented formats on YouTube.
  There are several problems with this.
  First, most video is, unfortunately, shot in h.264. Since I don't particularly care about obeying software patents covering codecs and file formats, I prefer to keep media in as close to the target format as I can, and only re-encode when I have to. You can do that with YouTube -- you can upload the video that your camera encoded to h.264 (in hardware!) and it's quite possible YouTube won't re-encode it for the high quality version.
  So, this not only applies to their entire library that they'd have to re-encode, it also applies to pretty much all new video.
  Second, only Theora might be open. Google does have WebM, and they have (hopefully) released it, but it's too close to h.264, and still manages to be inferior in many ways. You just get worse quality for the same amount of bandwidth, and that likely means millions of dollars of bandwidth for YouTube to maintain the same quality.
  I'm not saying I have a solution to this, and I certainly don't like it. But refusing to play is not a solution.
  
  Besides, I'd prefer people actually be informed of the patent bullshit they're paying for, in one way or another.
  I'd prefer people be informed, but "This doesn't work, let's go back to IE and Flash" isn't the way to inform people. Realistically, it seems like this goes only a few ways:
  
  HTML5 Video never takes off, partly because of Firefox.
  HTML5 Video is a hit, but Firefox users can't view it. Users switch to other browsers.
  HTML5 Video is a hit, and someone forks Firefox.
  Sadly, Safari has had the way out the entire time -- delegate this stuff to the OS. Windows has DirectShow, OS X has QuickTime, Linux has GStreamer. Use those, and you get both licensing and hardware acceleration for free.
  In fact, I've
  --
  Don't thank God, thank a doctor!
40. Re:Chromium Browser? by Raenex · 2010-08-14 00:30 · Score: 1
  
  Google, by contrast... "Big Brother"? Have you read 1984?
  Yes I have. Obviously the current situation isn't like the brutal dictatorship in the book, but the information gathering is getting there. Not a camera in your home, but spying on all the sites you visit.
  
  they only gather information from people who willingly donate said information, or from information already in public spaces.
  "willingly" would be opt-in, instead of having to opt-out. How many web sites use Google Analytics? Google also owns DoubleClick.
  
  by accident
  There's nothing accidental about collecting all this information (ignoring the wireless case), which once collected, can be abused. If they get a National Security Letter they will have to comply with it. If a rogue employee decides to misuse the data, it's done. If Google decides to misuse the data, it's done. All this is possible because they collect the data.
  
  By having, say, youtube.com/html5 not work at all.
  It's completely Google's fault for requiring H.264. They could always fall back to another format. HTML5 does not require H.264. If you want to talk about FUD, then H.264 is where it's at, straight from Google: "If [youtube] were to switch to theora and maintain even a semblance of the current youtube quality it would take up most available bandwidth across the Internet." http://people.xiph.org/~greg/video/ytcompare/comparison.html
  
  YouTube won't re-encode it for the high quality version.
  Nothing is stopping them. At the worst, they can offer a lower-quality version, they way they do now with Flash Video. Requiring a patent-laden format to view video content on the web is evil. It's GIF all over again.
  
  Second, only Theora might be open.
  More FUD. It's been around for years, and there's no evidence that it isn't. There's no need to use scare words.
41. Re:Chromium Browser? by SanityInAnarchy · 2010-08-14 05:55 · Score: 1
  
  "willingly" would be opt-in, instead of having to opt-out.
  Which is precisely how this functions.
  
  How many web sites use Google Analytics?
  How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them? If you don't trust a website to not use Google, why would you trust that website with the same information?
  
  If they get a National Security Letter they will have to comply with it.
  They have publicly fought government requests for information.
  
  If a rogue employee decides to misuse the data, it's done.
  And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.
  
  It's completely Google's fault for requiring H.264. They could always fall back to another format.
  At what cost? Either massive amounts of CPU to transcode on the fly, or massive amounts more storage to store yet another encoding.
  That said, they do have a few videos in WebM format.
  
  If you want to talk about FUD, then H.264 is where it's at, straight from Google...
  I'm not an encoding expert, but the comparison you link to actually favors H.264:
  
  In the case of the 499kbit/sec H.264 I believe that under careful comparison many people would prefer the H.264 video.
  And that's a single clip. Google has the resources to actually test this on a large scale. They also have a huge library of h.264 videos which would suffer a drop in quality at re-encoding, and, again, cameras encode h.264 in hardware, so they'd have brand-new h.264 videos for which the quality would instantly drop.
  I also wouldn't be terribly surprised if H.264 deals with re-encoding H.264 videos better than Theora does.
  
  At the worst, they can offer a lower-quality version, they way they do now with Flash Video.
  Is that really what you're suggesting -- that we should use Theora and HTML5 only for lower-quality versions? I'm not sure I understand what you're saying here.
  
  It's GIF all over again
  Regarding that article, why compare Vorbis to MP3? There's AAC -- compare those. There's also the mention of On2, which has now become WebM, which was my point in saying that only Theora might be open -- WebM is patented, and may be infringing patents.
  A few things to remember about GIF:
  First, PNG still hasn't replaced it. You still can't do animated PNG -- there are two competing proposals for how to do it, neither of which have universal browser support. Hell, it's only recently that transparent PNG was properly supported in IE.
  Second, there hasn't really been anything that's replaced gif, png, or jpeg in each of their respective areas. The relevant GIF patents have expired, and if jpeg hasn't, it will soon. The problem is that video is a lot more bandwidth, and is still an area of active research. Any codec we choose today is likely to be obsolete eventually, so we should be looking at what the next codecs are. If they don't become obsolete, the patents will expire, and when that happens, I'd be much happier with higher quality from h.264.
  Finally, aside from animations, PNG actually did beat GIF. It was better at absolutely everything else than GIF was. The same is true of gzip vs compress, and seems to be true today with lzma (or 7zip) vs rar, at least for files which need to be compressed at all. Theora is worse than H.264 -- the anti-FUD article you linked to says so. I'm not sure how vorbis compares to AAC, but AAC isn't even the latest and greatest -- I just use FLAC.
  I don't have a solution. What I would like to see is a genuinely better codec emerge, which is actually free -- and I suspect Google would support such a format. But Theora isn't it.
  
  --
  Don't thank God, thank a doctor!
42. Re:Chromium Browser? by Raenex · 2010-08-14 10:01 · Score: 1
  
  How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them?
  And who actually consented to a massive, collusive information gathering program? People are just browsing normally for other reasons, not to be spied on. They have to go out of their way to avoid this spying. That's why it's opt-out, and not opt-in.
  
  They have publicly fought government requests for information.
  Very well, but they could always lose in such a suit.
  
  And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.
  Whatever procedures they have in place, the possibility is there. And how do you know it doesn't actually happen at Google? How many years was Facebook around before you heard about data breaches? And what about China's successful hacks into Google? The data is there, it's a risk because they collect it. You're asking for trust against governments, employees, hackers, and future business decisions.
  
  I'm not an encoding expert, but the comparison you link to actually favors H.264
  Why don't you quote the rest of the paragraph?
  "However, the difference is not especially great. I expect that most casual users would be unlikely to express a preference or complain about quality if one was substituted for another and I've had several people perform a casual comparison of the files and express indifference. Since Theora+Vorbis is providing such comparable results, I think I can confidently state that reports of the internet's impending demise are greatly exaggerated. "
  Did you look at the comparisons yourself? Do you think the quality difference is that big of a deal? YouTube had shit quality videos for years. Theora isn't shit quality. It's comparable to H.264.
  
  Is that really what you're suggesting -- that we should use Theora and HTML5 only for lower-quality versions? I'm not sure I understand what you're saying here.
  I'm saying they should offer a low-quality version if they don't want to re-encode something that's in H.264. Of course, I'd rather they support Theora at high resolutions too. The point is it should never be a requirement that you have H.264.
43. Re:Chromium Browser? by Anonymous Coward · 2010-08-14 11:51 · Score: 0
  
  The REALLY really hardcore don't even bother reading the comment they're moderating
  FTFY
44. Re:Chromium Browser? by SanityInAnarchy · 2010-08-14 17:50 · Score: 1
  
  And who actually consented to a massive, collusive information gathering program?
  You did, with every website you visited -- though I have to wonder where you get "collusive" from.
  
  People are just browsing normally for other reasons, not to be spied on.
  And people are just typing into Facebook for other reasons, not to be spied on. It's still entirely your choice to play or not to play.
  
  They have to go out of their way to avoid this spying.
  Connecting to any given website is already your action -- you're already going "out of your way".
  
  Very well, but they could always lose in such a suit.
  Yes, they could, but I think it kills your "They are evil" argument. It certainly kills any comparison with Big Brother, when they actively fight the government.
  
  Whatever procedures they have in place, the possibility is there.
  In the same way that, say, the possibility is there for employees of a major CA to forge the certificates they'd need for massive MITM attacks. It might be worth investigating what's been put into place to ensure this doesn't happen.
  
  How many years was Facebook around before you heard about data breaches?
  Facebook was just some random website, without a particularly good "privacy policy", or particularly good security. I wouldn't need to hear about a data breach to know not to trust them with anything I care about.
  
  You're asking for trust against governments, employees, hackers, and future business decisions.
  And again... Trust with what?
  For one thing, does Google know more about you than your ISP? Who do you trust more with that data? I've never seen my ISP fight a court battle on my behalf -- indeed, their policies say specifically that they will do nothing to protect me, that they will cooperate with law enforcement, etc.
  
  Why don't you quote the rest of the paragraph?
  Let's see...
  
  However, the difference is not especially great.
  So what? YouTube should deliberately drop quality? Or they should pay, again, large amounts more money on bandwidth, storage, transcoding, and CDN storage/bandwidth?
  
  I expect that most casual users would be unlikely to express a preference or complain about quality if one was substituted for another...
  And this was taken from an uncompressed, rendered source. As I said:
  
  They also have a huge library of h.264 videos which would suffer a drop in quality at re-encoding, and, again, cameras encode h.264 in hardware, so they'd have brand-new h.264 videos for which the quality would instantly drop.
  Do you have a comparison of H.264 videos re-encoded in Theora?
  And that's assuming that they were actually equal, actually comparable. This is probably the most favorable comparison I've seen of Theora to H.264, and H.264 still comes out ahead.
  
  I'm saying...
  I asked a yes or no question. Whatever you're saying, it isn't yes or no, and I can't derive a yes or no from it. The critical point:
  Are you suggesting that Theora and HTML5 should be the only option at whatever "lower quality" level they're used?
  If so, that's a lot of browsers (new and old) which can't play them, and you can't wrap them in Flash to help those browsers out.
  If not, you're suggesting that there be two completely separate encodings at a given resolution/quality, just so one of them can be Theora. That's a lot of money.
  
  --
  Don't thank God, thank a doctor!
45. Re:Chromium Browser? by Raenex · 2010-08-15 02:31 · Score: 1
  
  You did, with every website you visited -- though I have to wonder where you get "collusive" from.
  A huge number of 3rd party sites agree to give Google data on your browsing habits. People are just trying to live their lives normally -- the web is just part of the basic infrastructure. Web sites don't prominently display their data collection activities. Most people are not technical and don't understand stuff like Google Analytics. This is a massive, data sharing program without informed consent, and Google is the ring-leader.
  
  Yes, they could, but I think it kills your "They are evil" argument. It certainly kills any comparison with Big Brother, when they actively fight the government.
  They're evil for collecting all this information where it can be misused. The Big Brother comparison is in regards to the scope of information collecting. By the way, I'm pretty sure when Google is presented with a warrant they serve it. I have to wonder what they do or have done when presented with a National Security Letter, as you're not even allowed to talk about them.
  
  For one thing, does Google know more about you than your ISP?
  It depends on what kind of logs they maintain. You're certainly right the ISP is an even bigger threat than Google, but that doesn't mean Google should collect all this information. They also pose some unique threats -- see YouTube vs Viacom, for instance, where Viacom was seeking the logs to look for evidence of copyright infringement.
  
  So what? YouTube should deliberately drop quality? Or they should pay, again, large amounts more money on bandwidth, storage, transcoding, and CDN storage/bandwidth?
  If the quality drop is insignificant, and it means an open format for the web, something which Google likes to say they support, then yes. As for the transcoding, they already do it now to serve lower quality videos.
  
  Do you have a comparison of H.264 videos re-encoded in Theora?
  Nope, but this was independent research to counter unsubstantiated and ludicrous claims by a Google employee on a standards working group. Do you have a comparison?
  
  Are you suggesting that Theora and HTML5 should be the only option at whatever "lower quality" level they're used?
  Yes, at the lower levels if Google won't re-encode H.264 at high-definition.
  
  If so, that's a lot of browsers (new and old) which can't play them, and you can't wrap them in Flash to help those browsers out.
  HTML5 and the video tag is new. There's no reason that new browsers which support it shouldn't be able to display Theora.
46. Re:Chromium Browser? by SanityInAnarchy · 2010-08-15 05:36 · Score: 1
  
  Web sites don't prominently display their data collection activities.
  Many have "privacy policies" -- how prominent would be prominent enough?
  
  Most people are not technical
  Yes, and whose fault is that? The information they would need is readily available. Alternatives exist.
  Maybe I'm being insensitive here, but I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer -- that they need to be protected from themselves. The entire antivirus market currently thrives on this assumption, when the single best way to avoid a virus is to avoid downloading random crap.
  Most people are not technical, but most people are not automotive engineers, yet most people manage to avoid driving their cars into trees.
  Clearly, the implication here is that most people don't care about security or privacy, at least not enough to educate themselves about the basics -- because, frankly, most people are entirely capable of being at least technical enough to be secure and private.
  Personally, I don't care much about privacy -- the few things I am private about, I do take measures to keep private, but it would also not be terribly devastating if the whole world knew. I do care that it should be possible to be private, because I do feel that's a fundamental right -- but it is possible.
  
  The Big Brother comparison is in regards to the scope of information collecting.
  Even here, it fails -- I don't have to sneak off into the woods to avoid surveillance, nor is there a hidden camera in a bed and breakfast, recording my illicit affair.
  
  As for the transcoding, they already do it now to serve lower quality videos.
  Yes, but only a single version at each quality level, to reach customers they might otherwise not be able to (slower connections).
  
  HTML5 and the video tag is new. There's no reason that new browsers which support it shouldn't be able to display Theora.
  I doubt IE will. I know Safari won't -- FUD or not, Apple refuses to touch anything their lawyers haven't told them is OK, patent-wise.
  And with that, YouTube loses most of the Internet-browsing population, unless they can convince everyone to install a plugin -- which isn't viable on, say, the iPad, where even if Apple were to allow such a plugin, it wouldn't have a hardware decoder to use.
  This would be especially ironic, considering Apple is one of the main reasons people are actually implementing HTML5 video -- to reach iPhone and iPad, where they can't run Flash.
  
  --
  Don't thank God, thank a doctor!
47. Re:Chromium Browser? by Raenex · 2010-08-15 06:17 · Score: 1
  
  Many have "privacy policies" -- how prominent would be prominent enough?
  You have to visit the site before you can even read the privacy policy. And who wants to read a bunch of legalize just to browse the web?
  
  Maybe I'm being insensitive here
  Yes, you are. You think people should have to walk around wearing disguises instead of having a reasonable expectation of privacy. It's as if every business you visited in public decided to identify you and report your whereabouts to a central party. That's fucked up.
  
  I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer
  I care about privacy, I'm technically literate, I avoid cookies, and browse with NoScript. However, even I wasn't aware until a year or two ago about Flash cookies. Expecting the average citizen to keep up in a technological arms race to avoid being spied on is unreasonable and makes excuses for those doing the massive information gathering.
  
  I doubt IE will. I know Safari won't -- FUD or not, Apple refuses to touch anything their lawyers haven't told them is OK, patent-wise.
  Then fuck 'em. Visitors using those browsers can get the old Flash version. YouTube is big enough that they can dictate the terms here. When people start switching browsers watch how fast IE and Safari turn around.
48. Re:Chromium Browser? by SanityInAnarchy · 2010-08-15 07:13 · Score: 1
  
  You think people should have to walk around wearing disguises instead of having a reasonable expectation of privacy.
  And where did I say that?
  
  It's as if every business you visited in public decided to identify you and report your whereabouts to a central party.
  Do you use a credit card? They do.
  
  Expecting the average citizen to keep up in a technological arms race...
  Not particularly -- pick a few reputable sources and follow them.
  Regarding Flash cookies, well, the simple/paranoid approach is to not install Flash, or any third-party proprietary plugin, without good reason.
  
  Then fuck 'em. Visitors using those browsers can get the old Flash version.
  That's not "fuck 'em", that's "oh shit, now we really do need to keep two versions around."
  
  YouTube is big enough that they can dictate the terms here.
  And yet, even you don't seem to be suggesting they can -- you're suggesting YouTube spend huge amounts on disk space, bandwidth, CDNs, etc, to keep both the old Flash version and the new HTML5 version, when they could just keep the old Flash version.
  Not that this would necessarily stop them -- they do host a few WebM videos, as I said -- but you seem to be saying that they have no good reason not to do this.
  But let's consider what would happen if they actually did try to dictate terms. Seems to me, they'd instantly lose the people who are "not technical" enough to install a new browser, and these are likely the same people who never try to use a higher-quality version, or can't (not enough bandwidth) yet don't realize they need more bandwidth.
  In other words, the same people the low quality version is meant for would be the people least likely to have anything capable of HTML5 at all, let alone something which will play Theora in HTML5.
  
  --
  Don't thank God, thank a doctor!
49. Re:Chromium Browser? by lennier · 2010-08-15 10:03 · Score: 1
  
  Since I don't particularly care about obeying software patents covering codecs and file formats,
  Because I live in New Zealand, I'm legally allowed to do this - but if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?
  Mass civil disobedience might indeed be the appropriate response to broken software patent law, but if you're going to do that, shouldn't you also be willing to undergo mass arrests and trials?
  Or you could just avoid using the broken patented technology. Seems easier to me.
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
50. Re:Chromium Browser? by SanityInAnarchy · 2010-08-16 15:07 · Score: 1
  
  if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?
  It is -- so I call it civil disobedience.
  Except it doesn't require lawbreaking. I have a copy of Windows 7, which includes an h.264 decoder. I have an nVidia video card, which includes a hardware h.264 decoder, and a Linux driver for it. Both of these are bought and paid for, including all licensing fees.
  So, if Firefox just used what my OS already had available -- if it just hooked into GStreamer, DirectShow, CoreVideo, etc -- it would Just Work, and it would be entirely legal. They refuse to do this.
  
  if you're going to do that, shouldn't you also be willing to undergo mass arrests and trials?
  Not without a fight -- indeed, jailbreaking is now legal, and no one had to go to trial over it.
  
  Or you could just avoid using the broken patented technology.
  What's broken about it? It's technically superior -- it's the legal situation that's broken.
  
  --
  Don't thank God, thank a doctor!
51. Re:Chromium Browser? by CTachyon · 2010-08-16 17:16 · Score: 1
  
  if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?
  It is -- so I call it civil disobedience.
  Notwithstanding your comment about how you already have a patent license through other means, "civil disobedience" isn't the same as "doing it and not getting caught". In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law. DeCSS in your .signature is civil disobedience, downloading a gray-market codec from a non-US APT repository is merely getting away with it.
  
  --
  Range Voting: preference intensity matters
52. Re:Chromium Browser? by SanityInAnarchy · 2010-08-16 17:29 · Score: 1
  
  "civil disobedience" isn't the same as "doing it and not getting caught".
  Oh, I agree...
  
  In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law.
  I suspect the public is too lazy for that to really work, but I'm also too lazy to make a huge public show of it. However, I make no secret about the fact that, for instance, I crack DVD copy protection, because my only other options are to boot Windows just to watch a DVD, or revert to an absurdly old version of Ubuntu that I got from Dell which (I think) came with legal copies of the relevant codecs and an approved player.
  In other words, I'm not marching the capital steps with a movie playing on my laptop, but if anyone asks if I'm doing this, I'll say yes, and I'll give them an earful about how stupid it is that it's illegal to do so.
  
  DeCSS in your .signature is civil disobedience,
  That's actually a tempting thought. I don't use signatures at the moment, but maybe I'll do that. I might also wear it on a shirt...
  But if I actually want to compare what I'm doing to civil disobedience, I'd identify a lot more with Rosa Parks than with Martin Luther King. I'm not making impassioned speeches on the streets of Washington, at least, not yet. But I'm also not giving up my seat on the bus.
  
  --
  Don't thank God, thank a doctor!
Similarities with FreeBSD's jail... by toejam13 · 2010-08-13 08:10 · Score: 1

They say that they have working code for FreeBSD release-8. It makes me wonder if there is some relationship between Capsicum and FBSD's jails, or if FBSD is just being used because it is an environment of interest with the security/sandboxing community right now.
1. Re:Similarities with FreeBSD's jail... by Anonymous Coward · 2010-08-13 08:24 · Score: 1, Informative
  
  At least two of the researchers are active in the FreeBSD project (Kris + Robert). Also Robert Watson's pet project has been TrustedBSD MAC extensions to FreeBSD since 5.something.
2. Re:Similarities with FreeBSD's jail... by Anonymous Coward · 2010-08-13 11:11 · Score: 0
  
  They say that they have working code for FreeBSD release-8. It makes me wonder if there is some relationship between Capsicum and FBSD's jails, or if FBSD is just being used because it is an environment of interest with the security/sandboxing community right now.
  Nope. Jails are generally used to separate (say) applications: SMTP in one jail, IMAP in a second.
  What this does is allow the IMAP software to fork into different processes, and then one process has to talk with the network so it restricts itself so it can't access the file system at all. The other process limits itself to only access the file system, and can even restrict itself to certain parts (e.g., only /var/mail/), and also makes it so it can't talk to the network. Both could also further restrict themselves such that they can't do any more fork()ing or exec()ing (to prevent exploit code from running if there is a vulnerability.
  Basically the programmer determines which CAPABILITIES the program needs, and after basic initialization, tells the OS to restrict it to only those that it needs to functions. Then further on, if there's a risky bit of code, a fork() can be done, and the dangerous part can be further restricted.
  It's similar to what (say) Apache does: it needs to be "root" to bind() to port 80, but once that's done it starts dropping privileges.
Kinda of misleading. by stanlyb · 2010-08-13 08:12 · Score: 1, Interesting

It looks like user-space extension which you have to use, if you wanna your application to be sandboxed. But what about the malicious applications which don't wanna to be sandboxed???
1. Re:Kinda of misleading. by xMilkmanDanx · 2010-08-13 08:16 · Score: 2, Insightful
  
  The point being sandboxed applications which deal with unknown, insecure content (i.e. the web) can keep said content from affecting anything outside the sandbox.
  
  --
  I am not in anyway affiliated with Max Cannon
2. Re:Kinda of misleading. by Ungrounded+Lightning · 2010-08-13 09:03 · Score: 1
  
  ... what about the malicious applications which don't wanna to be sandboxed???
  Build a launcher that sandboxes itself and then execs (or whatever) them.
  
  --
  Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
3. Re:Kinda of misleading. by mewsenews · 2010-08-13 09:11 · Score: 2, Funny
  
  The point being sandboxed applications which deal with unknown, insecure content (i.e. the web) can keep said content from affecting anything outside the sandbox.
  Until someone comes up with a specially crafted PDF... ;)
4. Re:Kinda of misleading. by Anonymous Coward · 2010-08-13 10:08 · Score: 0
  
  This is wrong, current sandboxing techniques protect against plugin escape by wrapping their execution in a rights-restricted process. Capsicum should work the same way because of how shared libraries work (I guess, I haven't read most of the details). The main problem is that many proprietary plugins require more privileges than they should need, resulting in extremely weak sandboxing protection to keep them working.
Yesterday by Anonymous Coward · 2010-08-13 08:12 · Score: 0

Was running this Sandbox yesterday.
More crap that won't work by pseudorand · 2010-08-13 08:17 · Score: 1

Sounds like the permissions you specify for Android apps. That's all fine and dandy for a new platform and we all wish someone had bothered to require least privileges back in the day for our favorite OS, but they didn't. And if they had, it would have been too much work to program for anyway, so something else would have become our favorite OS. So now we have to port all our code to use a new scheme and that's far more work than anyone is willing to do. So we'll remain insecure. Case in point: selinux. Sounds good in principle, but those of us who need to get stuff done don't have time for it.
for fuck's sake by Anonymous Coward · 2010-08-13 08:20 · Score: 1, Informative

"Web browsers have evolved into operating systems"
No, they haven't, calm down.
1. Re:for fuck's sake by bonch · 2010-08-13 08:54 · Score: 0
  
  Indeed. "For fuck's sake" really is the best response to that.
2. Re:for fuck's sake by Ungrounded+Lightning · 2010-08-13 09:10 · Score: 2, Interesting
  
  "Web browsers have evolved into operating systems"
  No, they haven't, calm down.
  I think he means that they have become application environments, giving access to all the fundamental services of the underlying operating systems, through their own API and security models, with their own set of bugs.
  
  --
  Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
3. Re:for fuck's sake by diegocg · 2010-08-13 10:29 · Score: 1
  
  In other words, they have become a toolkit.
4. Re:for fuck's sake by Anonymous Coward · 2010-08-13 11:04 · Score: 0
  
  Well, they've turned into an application layer that performs all the tasks of a typical desktop based operating system.
  The only difference is that, for now, they sit upon an OS layer.
  The idea is that said layer will slowly dissolve into worthlessness, as system use will infrequently require anything outside of the 'browser' (using browser very loosely here).
Academic Foolishness by Roguelazer · 2010-08-13 08:29 · Score: 3, Informative

These are major and invasive changes to POSIX. No reasonable person would expect to be able to do things like change PID semantics or shared memory. Yes, it might solve the problem that they sought to solve. But I would be very surprised to see this meet with any large-scale deployment. It's better to work with the system than to just arbitrarily decide Unix is wrong and rewrite it.

--
My Systems
1. Re:Academic Foolishness by Anonymous Coward · 2010-08-13 08:41 · Score: 5, Insightful
  
  I presume that you didn't actually read the API man pages. The interface follows squarely in the footsteps of the Unix design philosophy. No PID semantics are being changed, either. They've introduced process descriptors which, among other things, allow you to poll for process exit. They allow you to attach restrictions to descriptors, presumably so that a broker could open resources (files, sockets), restrict the allowable operations, and then pass them to sandboxed applications over a domain socket. It's all quite simple and powerful and exactly what I would love to see incorporated into POSIX.
2. Re:Academic Foolishness by IamTheRealMike · 2010-08-13 08:41 · Score: 5, Insightful
  
  Both Android and ChromeOS are based on UNIX but neither expose POSIX as an API, so researching ways to change for the better seems like a good use of time.
3. Re:Academic Foolishness by mcrbids · 2010-08-13 08:43 · Score: 1
  
  hese are major and invasive changes to POSIX. No reasonable person would expect to be able to do things like change PID semantics or shared memory.
  I don't think that they are expecting people to wholeheartedly change the 30+ year old POSIX API and adopt their new developments. This is research, remember? These are students who are exploring new ways to improve security and address problems with the POSIX API. It's there, we can adopt what we want, and in the meantime, students learn examples of how to write secure application development environments.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
4. Re:Academic Foolishness by Anonymous Coward · 2010-08-13 11:43 · Score: 1, Interesting
  
  These are major and invasive changes to POSIX
  No, they're not. They are additions to the current security model.
  An OS that has this functionality looks and acts exactly like a POSIX OS. It's up to the application program to call the appropriate APIs as necessary to properly sandbox things (and some parts of each app will potentially be sandboxed differently than other parts).
  One of the researchers involved is Robert Watson who has heavily been involved in FreeBSD for many, many years. Knowing that he's doing this reassures me that this is well thought out and designed.
  
  It's better to work with the system than to just arbitrarily decide Unix is wrong and rewrite it.
  You're right, which is why this project didn't rewrite Unix--they added some APIs and libraries to the ones already there.
  Adding ten lines of code to tcpdump, and having it not be exploitable anymore? Adding only 100 codes to a web browser, and not having to worry about zero-days from now on? Hardly foolishness.
5. Re:Academic Foolishness by Anonymous Coward · 2010-08-13 15:22 · Score: 0
  
  Both Android and ChromeOS are based on UNIX but neither expose POSIX as an API, so researching ways to change for the better seems like a good use of time.
  But Android and ChromeOS are implemented using POSIX, so they will be able to use Capsicum in their implementation -- and Google can provide new Android APIs based on Capsicum.
Browsers Interact Directly with Hardware? by iamhigh · 2010-08-13 08:42 · Score: 1, Insightful

Web browsers have evolved into operating systems unto themselves
Really? I am unaware of a (common) browser that is able to do much more than work with data...

Let's try to leave the the analogies used to educated luddites out of summaries intended for people that *KNOW* the difference between an OS and an application.

--
No comprende? Let me type that a little slower for you...
1. Re:Browsers Interact Directly with Hardware? by blueg3 · 2010-08-13 08:58 · Score: 1
  
  Ever since that pesky von Neumann fellow, all any computer has done is work with data.
2. Re:Browsers Interact Directly with Hardware? by fluffy99 · 2010-08-13 09:25 · Score: 2, Interesting
  
  Web browsers have evolved into operating systems unto themselves
  Really? I am unaware of a (common) browser that is able to do much more than work with data...
  Let's try to leave the the analogies used to educated luddites out of summaries intended for people that *KNOW* the difference between an OS and an application.
  There are certainly many companies out there that want your OS to be nothing more than a web browser. That way they can sell software as a service. For things like Google Gmail, Google Calendar , Google Docs, etc. Microsoft is slowly moving in that direction as well. Its much more profitable to sell based on usage or per month, rather than selling you a perpetual license. Many businesses are moving towards the desktop being little more than a terminal with the applications actually running on a centrally manager Terminal/Application/Web server.
3. Re:Browsers Interact Directly with Hardware? by xMilkmanDanx · 2010-08-13 09:28 · Score: 1
  
  Given virtualization as a concept no longer ties an OS to hardware interaction, browsers that can provide an increasingly powerful application framework are not that much removed from being an operating system. Firefox is capable of everything the old 8bit OS's were capable of and more. That is, other than provide direct hardware access.
  
  --
  I am not in anyway affiliated with Max Cannon
Erm, what? by SanityInAnarchy · 2010-08-13 08:44 · Score: 4, Informative

Chromium is the open source version that Chrome, the proprietary browser, is built on. (Basically, they take Chromium, add codecs they can't legally include in Chromium, maybe a little branding, and release it as Chrome.)
The same is true of the OS -- the only reason it's "Chromium OS" is that the actual "Chrome OS" hasn't been released yet, because the community version isn't done yet.

--
Don't thank God, thank a doctor!
1. Re:Erm, what? by Flea+of+Pain · 2010-08-13 09:15 · Score: 1
  
  I see. Thank you very much. I was unaware of this distinction and have learned something new today! Please mod parent informative.
  
  --
  Do not argue with an idiot. He will drag you down to his level and beat you with experience.
2. Re:Erm, what? by Anonymous Coward · 2010-08-16 07:22 · Score: 0
  
  (Basically, they take Chromium, add codecs they can't legally include in Chromium, maybe a little branding, and release it as Chrome.)
  >
  
  That's how the story goes, but Chrome is closed source - we don't know if it doesn't include more stuff, like things that would be bad for privacy (but good for Google).
3. Re:Erm, what? by SanityInAnarchy · 2010-08-16 15:12 · Score: 1
  
  we don't know if it doesn't include more stuff, like things that would be bad for privacy (but good for Google).
  However, the fact that most of the code is open means we have a lot more insight into how it works, meaning if anyone wanted to reverse engineer it, it'd likely be a lot easier than, say, IE.
  Also, if you look at the other things Google has released, very rarely do you find them using this pattern. It seems far more common that they either don't let you download anything, or they offer full source under a reasonable license. The "official story", boring as it is, makes sense.
  
  --
  Don't thank God, thank a doctor!
So... by lbalbalba · 2010-08-13 08:54 · Score: 1

... When will we see implantations of this in Linux, *BSD, and, even, commercial Unix flavors ?
1. Re:So... by micheas · 2010-08-13 22:33 · Score: 1
  
  ... When will we see implantations of this in Linux, *BSD, and, even, commercial Unix flavors ?
  I believe you can patch FreeBSD 9 (current) to use this. Check the FreeBSD security mailing list for a link to the patches.
  
  --
  Work bio at MMWD
Because their middle name is security by wowbagger · 2010-08-13 08:57 · Score: 2, Insightful

Y'know, I'm really glad Google wants to provide a new API for managing security. We need somebody to do this for us - somebody who really knows security, somebody who may as well have security as their middle name, to come out with an API framework for Mandatory Access Controls, preferably built right into th operating system kernel of a major distribution.
Yes, I'm really glad Google took the initiative on this.

--
www.eFax.com are spammers
1. Re:Because their middle name is security by Anonymous Coward · 2010-08-13 10:20 · Score: 0
  
  SELinux is too complex. Nobody understands it. This is also the opinion of many high profile Linux kernel hackers.
2. Re:Because their middle name is security by Anonymous Coward · 2010-08-13 10:20 · Score: 3, Informative
  
  I know it's /. and all, but a little effort to read the paper would be nice. Or even, a stop at pretending SELinux is the solution to everything, because that was never its aim (or achievement).
  
  5 Comparison of sandboxing technologies
  
  We now compare Capsicum to existing sandbox mechanisms. Chromium provides an ideal context for this comparison, as it employs six sandboxing technologies (see Figure 12). Of these, the two are DAC-based, two MAC-based and two capability-based. ...
  
  5.4 SELinux
  
  Chromium’s MAC approach on Linux uses an SELinux Type Enforcement policy [12]. SELinux can be used for very fine-grained rights assignment, but in practice, broad rights are conferred because fine-grained Type Enforcement policies are difficult to write and maintain.The requirement that an administrator be involved indefining new policy and applying new types to the filesystem is a significant inflexibility: application policies cannot adapt dynamically, as system privilege is required to reformulate policy and relabel objects.
  
  The Fedora reference policy for Chromium creates a single SELinux dynamic domain, chrome sandbox t, which is shared by all sandboxes, risking potential interference between sandboxes. This domain is assigned broad rights, such as the ability to read all files in /etc and access to the terminal device. These broad policies are easier to craft than fine-grained ones, reducing the impact of the dual-coding problem, but are much less effective, allowing leakage between sandboxes and broad access to resources outside of the sandbox.
  
  In contrast, Capsicum eliminates dual-coding by combining security policy with code in the application. This approach has benefits and drawbacks: while bugs can’t arise due to potential inconsistency between policy and code, there is no longer an easily accessible specification of policy to which static analysis can be applied. This reinforces our belief that systems such as Type Enforcement and Capsicum are potentially complementary, serving differing niches in system security.
3. Re:Because their middle name is security by wowbagger · 2010-08-13 10:57 · Score: 3, Informative
  
  Normally I don't even bother to read ACs, let alone respond to them, but in your case I'll make an exception since you are actually trying to make a cogent point.
  Security IS complex - that is why it is better to get it right in ONE place than getting it WRONG many places. Had the researchers put the effort into defining a meaningful set of security contexts within SELinux - contexts that could be used for the WHOLE SYSTEM - they could have not only secured the browser, but everything else. Instead, they took a Barbie-Doll "Security is HARD" approach, and only secured ONE application.
  The faults raised in the paper were not with SELinux itself, but rather with a specific implementation of a security policy, created by one vendor, which USES the SELinux framework.
  Personally, I'd rather see a set of security contexts and attributes:
  internet_tainted_file: this object (file) was created by a program which has accessed the Internet (more precisely, any network address not marked as trusted).
  sensitive-file: an object (file) that may NEVER be accessed by an internet-tainted-program (see below)
  non-internet-program - a program has no need to open ports outside the local network or access internet_tainted files.
  internet-program: a program which MAY access the internet, but has not yet done so.
  sensitive-tainted-program: a program which has accessed a sensitive-file, and thus may NEVER access the Internet. An internet-program may transition to the sensitive-tainted-program state by accessing a sensitive-file object.
  internet-tainted-program: a program which has accessed the Internet, or accessed an internet_tainted_file.
  That way, programs that have no need of frobbing the Internet (e.g. gedit) CANNOT access it. Programs that have touched sensitive files (e.g. /etc/shadow) likewise can NEVER touch the 'Net. Programs that have touched the 'Net can NEVER access sensitive files.
  That's just the tip of the iceberg - but getting a proper set of security contexts can not only protect the browser, but EVERY program on the system.
  And that is why I raised this point: all Google is securing is their own stuff (and only to the extent a malicious exploit cannot work around their solution, which is code in the application), rather than contributing to the greater security of the whole system.
  
  --
  www.eFax.com are spammers
4. Re:Because their middle name is security by Anonymous Coward · 2010-08-13 11:26 · Score: 0
  
  Yes, I'm really glad Google took the initiative on this.
  Robert Watson, one of the research involved, already knows about MAC—he wrote an implementation from scratch for FreeBSD. It's not enough, and very intrusive to the user. MAC is also a sys admin-level configuration item, and overkill for many people (e.g., my sister's laptop) and hard to manage.
  This system is a something that is orthogonal to MAC (and DAC): it can be used either on it's own, or in addition to MAC/DAC. Check out page 23 of the USENIX slides to see what each of these systems is capable of (and how many lines of code are needed to take advantage of each of them in Chromium):
  http://www.cl.cam.ac.uk/research/security/capsicum/slides/20100811-usenix-capsicum.pdf
  BTW, Ross Anderson (the author of "Security Engineering") is part of the same research group. Personally, I think Google teamed up with the right folks.
5. Re:Because their middle name is security by Anonymous Coward · 2010-08-13 11:33 · Score: 0
  
  Lets see how much SELinux helps you with that next kernel exploit that Tavis finds.
  Wunderbar emporium ring a bell?
  http://www.youtube.com/watch?v=arAfIp7YzZ4
6. Re:Because their middle name is security by Anonymous Coward · 2010-08-13 14:21 · Score: 0
  
  RIght. They're securing one program, rather than trying to secure everyone else, which in practice would result in zero programs being secured. There have been other people trying to get changes happen. People just don't care. Who knows, maybe this will actually get some people to realize it's possible to do that and get it more widely adopted.
7. Re:Because their middle name is security by Anonymous Coward · 2010-08-14 04:50 · Score: 1, Informative
  
  At the USENIX talk, the authors explained that one of the flaws in SELinux, not just Chromium's use of it, was the need to enumerate all sandbox domains statically in a policy file. The approach used in Chromium, and that you describe, allows different web sites to attack each other when rendered in the same browser, since they're not protected from each other. Capsicum allows applications such as Chromium to create as many sandboxes as they need dynamically. They also repeatedly said during the talk that capabilities complement, rather than replace, SELinux.
8. Re:Because their middle name is security by Anonymous Coward · 2010-08-15 20:53 · Score: 0
  
  The argument around SELinux is not that it's No Good, or than specific implementations of policy are incorrect, but that Mandatory Access Control is not the right primitive for every security task. It's excellent for some applications, when there's only one instance running and the set of things that the program can do are static and well-defined. For something as dynamic and generally powerful as a web browser, however, it's not so great because of the dual coding problem. Many policies for such applications grant too many rights, not because the people who wrote them are morons, but because it's a fundamental mismatch of technology to problem.
  For instance, the labels that you mention sound very reasonable, but how do you distinguish one internet-program from another? Two Konqueror instances may run with the same credentials and MAC labels, but if one is banking stuff and one is YouTube running on Flash, I'd still like to keep them separate.
  The Chromium case is interesting because very smart people have already tried to do sandboxing in five different ways, using three kinds of technology on three different platforms. Each technique provides some mitigation, but none seems a natural fit to the problem (for reasons described in more detail in the paper).
  Also, for the record: Capsicum is all about, as you said, "get it right in ONE place than getting it WRONG many places" - lots of existing applications try to sandbox themselves today, but existing OSes don't give them the right primitives to do it effectively, so they do it in application-specific ways. Capsicum is a kernel API that applications can use to say "I wish to be sandboxed" and the kernel is responsible for enforcement.
  Finally, if you can make a flexible sandboxing system out of MAC components like SELinux or AppArmor and demonstrate it, that would be a very useful contribution to the state of the art. Options are good, competition is good, and ultimately, different security technologies often complement each other (for example: user-credential-based DAC mitigates different threats from system-policy-based MAC, so you wouldn't throw away user accounts just because you also use SELinux).
Security innovation by Anonymous Coward · 2010-08-13 09:12 · Score: 1, Insightful

... there's been quite a bit of innovation on Windows security ...
What? There has? Do you mean the way it now asks me 'Are you sure you want to give this application a chance to destroy your computer? Y/N' and if I say 'No' I can't use the application?
I mean, if I really want to run that application I have no choice but to click 'Yes' and then if it was a virus after all I'm screwed.
What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash or maybe just set advanced settings for that specific application to disallow it from writing to specific registry/files/network/other process' memory.
1. Re:Security innovation by Thundersnatch · 2010-08-13 09:55 · Score: 2, Insightful
  
  What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash or maybe just set advanced settings for that specific application to disallow it from writing to specific registry/files/network/other process' memory.
  Which is... umm... pretty much exactly what Windows Vista, Windows 7, and Windows Server 2008 can do.
2. Re:Security innovation by Anonymous Coward · 2010-08-13 09:59 · Score: 1, Interesting
  
  Which is... umm... pretty much exactly what Windows Vista, Windows 7, and Windows Server 2008 can do.
  How? I've never got anything else except the choice to run an application or not run an application. Which is a choice I've usually already made before I run it.
3. Re:Security innovation by Anonymous Coward · 2010-08-13 11:19 · Score: 3, Informative
  
  He's referring to low integrity processes. It's only really exposed in the Windows API. But you can start a low-integrity process two ways AFAIK:
  
  1. Modify the image header. icacls notepad.exe /setintegritylevel low It will always start with the new privileges set from now on.
  
  2. Do runas /trustlevel:0x10000 notepad.exe to start it at whim with low privileges.
  
  Here's a screen capture of what happens to the latter when you try to access the user's desktop: http://i38.tinypic.com/wbs1vo.png.
Dang. I just commented and can't mod you up now. by Ungrounded+Lightning · 2010-08-13 09:24 · Score: 0, Offtopic

Which is just as well, since I was torn between Informative and Funny. B-)

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
How timely by Daniel+Phillips · 2010-08-13 10:41 · Score: 1

This may serve well to provide sandboxing for Android in place of Java

--
Have you got your LWN subscription yet?
1. Re:How timely by Anonymous Coward · 2010-08-13 12:15 · Score: 0
  
  And it would require massive rewriting of Android components and almost all apps, ruining the current install base Android has built up. SMRT.
2. Re:How timely by Daniel+Phillips · 2010-08-13 12:39 · Score: 1
  
  And it would require massive rewriting of Android components and almost all apps, ruining the current install base Android has built up.
  Nonsense. Current apps would continue to work just fine and anybody who wants to take the risk can just stick with Java.
  
  --
  Have you got your LWN subscription yet?
Can't we just get this over with? by jthill · 2010-08-13 12:13 · Score: 1

It's too much to ask of IE, though if they did a good job it would reset the bar for awesome, but won't the other major browsers just break down and host an embedded emacs?

--
As always, all IMO. Insert "I think" everywhere grammatically possible.
1. Re:Can't we just get this over with? by cbhacking · 2010-08-13 12:26 · Score: 1
  
  Dammit, now I'm feeling bizarrely tempted to write a IE plugin that contains emacs. I have no idea why I'd want to do this; I don't even really like emacs. The idea is truly bizarrely compelling, though.
  
  --
  There's no place I could be, since I've found Serenity...
Link to non-slashdotted pdf (until now anyway) by Anonymous Coward · 2010-08-13 12:23 · Score: 0

http://www.trustedbsd.org/2010usenix-security-capsicum-website.pdf
Should be in the OS not the browser by goombah99 · 2010-08-13 12:46 · Score: 1

It makes very little sense to sandbox the application. sandboxing should be delegated from the application to the OS. I note that mac OSX have this built into the OS, but only a few applications like xgrid actually use it. The good news is that apps don't need to be sandbox aware to be sandboxed after the fact. I saw on mac osxhints were someone wrote a sandbox config file for firefox that forces firefox to run with reduced privledges and disk access.

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:Should be in the OS not the browser by SanityInAnarchy · 2010-08-13 14:05 · Score: 1
  
  sandboxing should be delegated from the application to the OS.
  Ideally, yes, but modern OSes (excluding Chromium OS, maybe) don't always provide sufficient sandboxing, and they do it in different ways. This would be both additional security where it's needed (as well as ways for communicating in and out of the sandbox), and, hopefully, support for whatever native sandboxing options are available (it kind of needs those anyway -- Chrome already uses a chroot jail, I think).
  But what does any of that have to do with what I wrote?
  
  --
  Don't thank God, thank a doctor!
Their past work by Anonymous Coward · 2010-08-13 14:49 · Score: 0

That's Robert Watson of the FreeBSD project who designed the DARPA-sponsored TrustedBSD security framework used in the iPhone, Ben Laurie who wrote OpenSSL and parts of Apache, and Kris Kennaway who worked on FreeBSD 7 SMP performance. Secure, powerful, and fast?
A bit more like Windows used to be.... by robsku · 2010-08-22 07:10 · Score: 1

...before it came an OS, that is Win3.x series (Win95 can be called OS, although DOS based but Win 3.x was not OS but one would not call it just a toolkit either).

--
In capitalist USA corporations control the government.