Slashdot Mirror


User: Burz

Burz's activity in the archive.


Comments · 3,080

  1. Re:Security as a trade-off on Linus's Thoughts on Linux Security (washingtonpost.com) · · Score: 1

    Congratulations: You have a 21st century terminal.

    It's not worth the tradeoff anymore and here's why: Malware has expanded into attacks on hardware and firmware, two layers of our systems that have plenty of exploitable quirks of their own.

    I've been using Xen Qubes for about 3 years: Using the IOMMU it automatically 'jails' NICs within a virtual machine at the hardware level. The result is that my Wifi/NIC can be attacked, and if they succeed they will only gain a foothold that confers the advantages of taking over one of my routers. My other VMs are insulated, and the non-networked ones completely isolated from mischief.

    Other hardware can be selected for isolation in the Qubes GUI, and the Split-GPG and Anti-evil-maid protections are also quite compelling.

    OTOH, OpenBSD's kernel is about 10X the size of Xen (where the BSD mantra of 'correctness' has a much tighter focus). As isolation mechanisms go, I trust Xen before any monolithic kernel. The upshot is that Xen also gives me the rich features (incl. drivers) of Linux and Windows.

  2. Re:Security as a trade-off on Linus's Thoughts on Linux Security (washingtonpost.com) · · Score: 1

    I, for one, think OpenBSD's approach is dead wrong. It's not just the low functionality... it's the philosophy of "security through correctness" /while/ turning a blind eye to formal verification. That makes OpenBSD the worst of all worlds, IMO: Neither small-and-tight nor large enough to be functional, with a concept of correctness that boils down to a slogan.

    I'll pit a Xen-based Linux system like Qubes against OpenBSD any day, and I won't even take points off for not being able to run apps. Even Windows 7 running on Xen Qubes is ultimately more secure.

    This is also what Torvalds is missing in this debate: He's kind of in denial that much of the Web runs on Linux installs that are encapsulated within type-1 hypervisors like Xen. Linux and *BSD have already been demoted WRT security.

  3. Why safety "alone" is productive: on Linus's Thoughts on Linux Security (washingtonpost.com) · · Score: 1

    There are different ways to implement security, and I think this discussion of Torvalds' and ours is a sign that security ingrained within large monolithic kernels is a demoted (if not dead) model.

    Hypervisors like Xen are at the forefront of security. They embody a sandboxing-done-right philosophy where the baremetal system runs only a small, dedicated hypervisor and all of the rich functionality is contained within VMs. In a system like Qubes, which adds an integration layer on top of Xen that is very small and tight and seals-off known avenues for VM breakouts, you get (mostly) the best of both worlds. Even hardware devices are virtualized in Qubes, and it works.

    In this model, the hypervisor acts as a microkernel and the Linux/Windows kernels act as drivers and services. IMO, this is 'microkernels done right'.

    Of course, any security model worth its salt won't engender a black-and-white view as Linus complains. One accepts that individual VMs that are exposed to risk (browsing remote web pages, for instance) may be compromised. But a compromised browser shouldn't mean a high risk of privilege escalation (the monolithic kernel disease) and having sensitive data stolen, or the system itself turned into a surveillance or attack platform -- any successful attack on an application should be contained by default.

  4. Re:Interesting philosophical dilemma on Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk) · · Score: 1

    Large tech companies -- including Google -- have exited countries before over repressive laws; The "someone will build it" argument therefore rings hollow.

    You think Samsung, LG, HTC, etc. would refuse to sell devices in the UK if Google didn't provide what was required? I think you're forgetting that Android is open source.

    The search engine, maps and other services are not, however.

  5. Re:Interesting philosophical dilemma on Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk) · · Score: 1

    Large tech companies -- including Google -- have exited countries before over repressive laws; The "someone will build it" argument therefore rings hollow. And this may not sound comforting to you, but Apple users in particular may find their devices irreplaceable.

    Sure, but you still have the problem that hardly anyone would do it.

    I think plenty would. We're not talking about PGP Mail here, and there are examples of millions of people installing alternate apps and utilities for communication. The act of adding a stronger cipher to a device should be painless and having chat/telephony apps that inform the user of the cipher strength could reinforce the opt-in dynamics.

  6. Re:Interesting philosophical dilemma on Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk) · · Score: 1

    Besides the option to withdraw from the UK market in protest (coordinating this with Apple would be highly effective, I think) you could also make your security protocols modular, so users can freely download stronger FOSS versions.

  7. This is an interesting idea! Then the government would be in the position of trying to approve every little bit of software a user downloads in order to make their panopticon work.

    It's simple, elegant and uses a feature of personal computing to defeat a clueless bureaucracy.

  8. Re:Interesting philosophical dilemma on Internet Firms To Be Banned From Offering Unbreakable Encryption Under New UK Laws (telegraph.co.uk) · · Score: 1

    AC makes a good point. Google and Apple should tell their UK customers the law leaves them open to hacking and mass surveillance and they will withdraw from that market instead of weakening their products.

    Think about it: Person with a Google product enters the UK and has to expect their device suddenly becomes weak? That's untenable. The user must assume the device can be spoofed into weak mode wherever they are.

  9. Re:Qubes on Ask Slashdot: Innovative Operating Systems/Distros In 2015? · · Score: 1

    Qubes does integrate security context display into the window manager. That is, at least, some UI innovation the OP may be interested in. It also solves security problems with cut-and-paste between domains.

  10. Re:Is there no actual answer? on Ask Slashdot: Innovative Operating Systems/Distros In 2015? · · Score: 1

    Qubes is a very interesting Linux distro.
    However, its USP is security, instead of the 3D Web 4.0 synergistic paradigms the submitter is asking.

    I'll second that. Qubes is very innovative in the area of security.

  11. Re:Symantec is a sales organization on Google Threatens Action Against Symantec After Botched Investigation (itworld.com) · · Score: 1

    They sell "legal intercept" services to governments. *Ahem*

  12. That is fine on a disembodied, anonymous forum like this. In more critical situations (like school and employment) your argument goes out the window entirely.

    A lot of people don't know when respectful disagreement turns into discrimination and harassment. But any interpretation of the First Amendment that nullifies the legal standing of the latter two is harboring an environment of intimidation.

  13. You see? Lovely AC getting all brave with the free abuse, cowardly spouting about brave (non-anonymous) people dying.

    I'll agree at least that I don't give a fuck what you say (and in case you didn't notice, it's so not just about "me" and what I think). For all I know, all the bigoted AC trolling on /. could be four pimply losers obsessively posting from their parents' basements.

    Your stupid cultural majority is gone. It's subject to the same advocacy-for-banning-whatever that has long existed in this country under the First Amendment. If you're not engaged with making exceptions to free speech fair ones, then you're supporting the fantasy that the exercise of rights has no limits. It's really NOT hard to figure out: Where does one person's rights begin to impose on another's rights?

  14. If you dehumanize me and deny me my individuality, why should I respect your right to free speech? If I have a right to be an individual, then I have a right to be considered such in the eyes of the law *and* other public institutions and probably on the public airwaves and cable rights-of-way as well. Free speech is subject to the same mitigating rules about encroachment against other rights that, well, other rights are subject to.

    And for those who still don't get it: This notion about mutual respect (and civility, and individuality) centers around the aspects of identity that people don't choose. It doesn't place proselytized religion on a pedestal, for example, exempting it from criticism. It should be obvious why it's a very different matter to paint Muslims as misguided or evil with a broad brush.

    People who tolerate venom and bigotry in schools and places of work especially are just enabling the scumbags. Someone who needlessly creates a hostile work environment should face consequences; Don't expect the targets of bigoted bullshit to just think "Oh, free speech!" If you do, you're twisting something good into something evil by grossly oversimplifying it.

  15. No, you reduce "freedom" to a cynical buzzword if your "free speech" makes a case to exclude or discount people based on their background, sex or skin color. That's why "freedumb" is such a resonant pejorative today, because libertarians are actually talking out both sides of their mouths as they create a hostile environment for anyone who doesn't line up with "the language" and "the culture".

    Seriously, if mutual respect doesn't come into it, then you better get used to being verbally attacked in kind.

  16. This is the same fake outrage we saw when anti-vaxers became a news item. Most of those awful "Liberals" turned out to be libertarians asserting their "sovereign individual" fantasy.

    OTOH, if you want an environment of "intellectual freedom" where people are routinely attacked because of their backgrounds instead of the content of their character, then I can't think of a more deserving group to tar-and-feather than the Politically Incorrect crowd. They are defining a false kind of freedom without respect or responsibility.

  17. Re:Watch out for falling prices! on Walmart Applies To Test Drone Use For Delivery and Inventory Checking (faa.gov) · · Score: 1

    Max Headroom was not an exaggeration after all (the episode with junk falling from the sky).

  18. Re:impressed again. on Bernie Sanders Comes Out Against CISA · · Score: 1

    Wow, that's just plain ignorant. You have confused socialism with totalitarianism which is another common mistake people make and socialism isn't a dirty word. We already accept public police, schools, roads, all sorts of things.

    A concise example of Democratic Socialism is the UK Labour Party. It means that state ownership is "on the table", as in their NHS healthcare system (which has recently been partially privatized), and the democracy is a core value including democracy in the workplace - unions. Democratic Socialism is widely considered center-left.

  19. Re:WTF? on Debian Dropping Linux Standard Base (lwn.net) · · Score: 1

    IRL Debian package maintainers spend a lot of time and effort building dependency lists into their packages so you DON'T have to have all those libraries on your system if you are not going to use them.

    This is a question of reasonable default configurations.

    What if someone wants to write a program for their own use or for distribution among a small group of friends/coworkers/associates? The person could target the LSB so they can have a reasonably complete set of libraries and tools to work with and not have to chase down dependencies on each and every 'unique' Linux system where the program is going to run.

    A specification like LSB is part of the solution to Dependency Hell. People who aren't familiar enough with the packaging system to whip up dependency lists (especially properly spec'd ones that don't cause update/install problems) for each and every program and script they write... We need something like LSB. For other people who don't want 'extras' that come with LSB, they can remove it easily enough.

    Clearly, Linux Foundation is not putting effort into marketing LSB as a target platform, so people just take its effects for granted. Given their stature, they should have marketing that looks more like Mozilla's and the way they court application developers. They should also have a program that partners with OEMs to create reference hardware platforms (yes, reference PCs and servers that you can buy).

  20. Re:Who? on Matthew Garrett Forks the Linux Kernel · · Score: 1

    Seriously, it looks like some kind of joke about denial. You are invoking privilege escalation attacks, and a successful one against a guest kernel won't get the attacker much of anything *except* an opportunity to attack the hypervisor (or perhaps access to your other apps data, if you were stupid enough to group them into the same VM).

    Relying on security that is melded into a highly complex monolithic kernel is always asking for trouble. A bare metal hypervisor is simpler by orders of magnitude and in practice appears to be proportionally more secure.

  21. Re:Who? on Matthew Garrett Forks the Linux Kernel · · Score: 2

    As I strongly implied, type 1 hypervisors are more secure, not less, than type 2. Try at least reading the parent post before lapsing into your "no, no, no..." mantra. Implying that type 2 is more secure is absurd.

    If you haven't already stopped reading (again), you might want to read this: http://blog.invisiblethings.or...

    In short, a jailed process on a host system still has a very complex, privileged kernel to try and exploit. But in a Xen guest VM, it's only the complexity of the hypervisor interfaces that matter since the kernel is unprivileged and must go through the same interfaces to attempt an attack on anything else in the system.

    Here's another way to think about it: BSD security literature relies heavily on jails. But what proportion of BSD-based applications are running in BSDs that are merely virtualized guests?

    Finally, how do jails deal with attacks on firmware or misbehaving hardware? That I'm aware of, using an IOMMU to assign a (real) NIC on a PCI bus to a jail is not possible, and would be pointless if it were. But with hypervisors like Xen on hardware that supports IOMMU, assigning hardware devices to guest VMs is a feasible way to increase security that is growing in popularity.

  22. Re:Who? on Matthew Garrett Forks the Linux Kernel · · Score: 1

    In KVM there were 4 in an entire year; in Xen there had only been 2 -- and those were only if you had really unusual hardware setups (like >5TiB of RAM).

    This makes an important point: Xen is pretty special in a field that already enhances security. Xen is basically the 21st century version of a microkernel, one that works in the real world.

  23. Re:Who? on Matthew Garrett Forks the Linux Kernel · · Score: 2

    You are probably thinking of the convenient type 2 hypervisors like virtualbox (or just kvm) that need a whole host OS to operate.

    A type 1 hypervisor like Xen decreases critical attack surface drastically, especially if services like graphics are not present or are properly virtualized as in Qubes OS. Amazon AWS and EC2 also rely on Xen for security.

    As for guest complexity, a certain amount of that is a given and will create opportunities for attack. The question is whether VM breakout is possible -- can all the other domains be kept safe from an attack on domain X?

    Kernel-based permission systems are complex and practically guaranteed to fail. That is, unless, your user base is rather small.

  24. Re:Who? on Matthew Garrett Forks the Linux Kernel · · Score: 2

    Especially since most distros look to hypervisors to implement strong security. They leave less attack surface exposed than sandboxing/jailing.

  25. Re:Thaty's the wat to do it ... on Scientists Discover How To Get Kids To Eat Their Vegetables · · Score: 1

    By implication, you make an excellent point -- American meat portions are too large.