You can't get away from complexity. What you can do is organize the system around a simplified choke point with the complex parts (even hardware like NICs) mapped into unprivileged VMs. In this case, Qubes OS utilizes a type 1 hypervisor as if it were a microkernel... https:www.qubes-os.org
And yes, the proportion of eyes to LOC does seem to matter for Xen (it runs AWS and EC2) and this is why it was chosen for Qubes desktop.
Re:Yes, we should give up because it is hard..
on
Let's Not Go To Mars
·
· Score: 1
I do believe you got that backward. The challenges of existing on Mars mirror the ecological problems that are mounting here on Earth. Pouring R&D dollars (and political will) into achieving a balance here will no doubt pay off in giving us the ability to establish a balance on Mars. Plus we get the 'little' bonus of saving humanity and its home, instead of perishing here with the cold comfort that a Mars outpost watches us dive before they do the same.
Its a cosmic intelligence test: Can you spot the Red herring?
Yeah, my T430s has been great with Linux and Qubes OS. Its also really tough, IMO. Thinkpads (not the consumer Ideapads) have remained near the very top in the Linux compatibility column.
OTOH, if you want something that is built to be SO compatible with Linux that all the hardware will run using open-source drivers, take a look at the Purism Librem. They have sexy 13" and 15" models.
Last but not least, you should know about Hardware Compatibility Lists (HCLs): All of the Linux ones I know about have become shrunken and worthless *except* for Ubuntu's which can recommend a wide variety of certified-compatible models. If it works with Ubuntu, there is a very high probability it will work with other decent distros.
They use a vocabulary that's quite larger than yours, without the heaping doses of fallacy and hysteria -- and you are calling that Newspeak? I've got some news for you: The Bush II era is over.
But, thanks for "translating" and trying to weed out all the unnecessary words from/. and for being an example of the kind of anti-intellectual you pretend to rail against.
As for Israel not killing Muslims abroad, that's ludicrous. And at home there's evidence that the Israeli government has a tendency to "link" every attack of a Jew by a Muslim with organized terrorism. In the incident that lead up to their 2015 bombing campaign, Israel's claims about Hamas involvement were exposed as bunk. The fallacious nature of the claim didn't stop them from surging into the strip (an open-air prison packed with state-less people) which led to an escalation in hostilities.
I remember when Are Technica whined about their users' ad-blockers: My suggestion to them in the comment section was to use their fine technical chops to explore alternatives to the current model where the advertiser doesn't trust the content site. If they could resolve that trust issue, they could serve the ads from their own site and exercise some quality control while they're at it.
But maybe being embedded inside giant Conde Nast doesn't allow for that kind of experimentation.
And unfortunately, Michael completely decided not to help the Kernel devs debug this issue, because he was losing money on his benchmarks anyway. Let's disregard the fact he was a step beyond the packages on kernel.org
Interesting. I also have to wonder how close to either 'production' or 'personal use' Phoronix labs can get. These are people who pick and tear things apart and assemble in odd ways (nothing that a person wandering the computer aisle of Staples would recognize).
FWIW, I've been using a Qubes desktop on top of Btrfs for over 4 months now with very heavy usage. There have been no problems with the filesystem thus far (knock on keycaps...:). In terms of features, Btrfs is a flexibility dream. Using reflink copy I can clone VM images and other files instantly with hardly any overhead, and its great for small/informal snapshots of data.
It seems the highly 'exceptional' people in Jeff Bezos' circle have re-invented Taylorism, which is an abiding disregard for the well-being of workers. This indifference and disregard is called "scientific". Efficiency is something to be squeezed out of people second by second, the long-term effects be damned.
This feature only opens the TCP connection, it doesn't send the request until you click.
So What??? You can't imagine that phishers would generate links with a bunch of fake but unique subdomains or port numbers that would communicated to the main phisher domain while a user merely hovers over those links?
Uber was supposed to be a way to do IGT (intelligent grouping transportation) where the trips of different customers are automatically combined to save money/resources.
Instead, it turned into another war over cheap labor and skirting regulation with no actual ride sharing. Uber are liars and cheats who conduct 99% of their business on public streets.
Back in the 90s, he could easily have been ignorant about GMOs as a special class of intellectual property.
Schmeizer found a trait that was useful and did not cultivate his crops for seed production. Without the GMO aspect, that could fall under the traditional exemption in patent law for seed savers.
No spin: Before GMOs farmers could select for interesting traits without restriction.
Now they must assume that new traits they come across are someone else's "property" until proven otherwise. To say this is burdensome would be an understatement.
Well, that and the fact that it's 100% obvious to any judge that Schmeiser intentionally killed off his non Roundup-Ready crops to select for the trait. His fields were 95% Roundup Ready. That's not "Ow! Monsanto is pollinating my crops with its big, bad pollen!" That's, "Yay, I'm going to get this stuff without paying for it!"
So farmers cannot select for beneficial traits anymore. What are they to do -- keep databases of traits so they can determine which ones might be "property" of a genetic engineering firms?
And please don't try to tell me this ban on millennia-old behavior will stop at 'Roundup-readiness'.
Qubes OS uses a Type 1 hypervisor to simplify and harden system security against such vulnerabilities. The privileged parts of the system are kept relatively small and aren't used for any user applications. All apps and even some drivers (like NICs) are assigned to VMs, which the user can give different trust/risk designations and color codes.
Because isolating hardware is considered part of the solution, Qubes systems need IOMMU hardware to operate securely. But this high degree of isolation is what eliminates holes.
Formal proofs of the system would be nice, but they are hard to do and pointless without hardware isolation. So one could view Qubes as a way to take the smallest functional hypervisor with hardware isolation capabilities (Xen) and use it like a microkernel. One difference with a traditional microkernel is you have the rich feature sets of Linux and Windows kernels/drivers at your disposal within the unprivileged domains.
Like Windows, Linux is a complex rambling Swiss cheese and privilege escalations are pretty common.
Lean security protocols need to come first, which is why Qubes OS is based on a Type 1 hypervisor (Xen). An attacker can try to use an exploit (like in OP) all they want in an untrusted domain, but they aren't going to get access to the hardware (or the other VMs, unless the user has done something to specifically expose those VMs to the attack).
Yes, but Qubes isn't just about isolation. It reduces the attack surface of the isolation mechanism down to the functional minimum. Currently, that means using a Type 1 hypervisor like Xen, though in the future Qubes could be ported to a microkernel. Complex code (even device drivers) is relegated to unprivileged domains.
The term "sandbox" IMO has a connotation that it is something implemented directly by a complex OS with a monolithic kernel; That model isn't very secure.
Perhaps the debate is which desktop environment to recommend to first-time users of X11/Linux so that they don't get a bad impression and misblame it on Linux.
Why would first-time users blame a bad DE on a kernel? Because you introduced the whole shebang to them as "Linux"?
elementaryOS repudiates the 'Linux distro' concept for this very reason. They see promise in the Linux kernel and other components as good raw material, but also that giving average users or beginners an OS that looks/feels like Batman on one machine and The Joker on the next (and using the same term for them all to signify something buried deep within) is a recipe for consumer exasperation and rejection. App developers won't see a Linux distro as steady ground (i.e. a 'platform') on which to attract and support users, and those users won't be able to recognize "Linux" anyway.
Slashdot Mirror
On Linux there is also tcplay (in Debian and others) and Linux cryptsetup also understands truecrypt formats.
An open source example would be Anti Evil Maid which is a part of Qubes OS.
You can't get away from complexity. What you can do is organize the system around a simplified choke point with the complex parts (even hardware like NICs) mapped into unprivileged VMs. In this case, Qubes OS utilizes a type 1 hypervisor as if it were a microkernel... https:www.qubes-os.org
And yes, the proportion of eyes to LOC does seem to matter for Xen (it runs AWS and EC2) and this is why it was chosen for Qubes desktop.
I run Qubes OS, you insensitive clod.
I do believe you got that backward. The challenges of existing on Mars mirror the ecological problems that are mounting here on Earth. Pouring R&D dollars (and political will) into achieving a balance here will no doubt pay off in giving us the ability to establish a balance on Mars. Plus we get the 'little' bonus of saving humanity and its home, instead of perishing here with the cold comfort that a Mars outpost watches us dive before they do the same.
Its a cosmic intelligence test: Can you spot the Red herring?
Yeah, my T430s has been great with Linux and Qubes OS. Its also really tough, IMO. Thinkpads (not the consumer Ideapads) have remained near the very top in the Linux compatibility column.
OTOH, if you want something that is built to be SO compatible with Linux that all the hardware will run using open-source drivers, take a look at the Purism Librem. They have sexy 13" and 15" models.
Last but not least, you should know about Hardware Compatibility Lists (HCLs): All of the Linux ones I know about have become shrunken and worthless *except* for Ubuntu's which can recommend a wide variety of certified-compatible models. If it works with Ubuntu, there is a very high probability it will work with other decent distros.
The Bundy Ranch now controls a piece of Nevada about the size of Connecticut, after having trained their guns on federal agents and turned them away.
They use a vocabulary that's quite larger than yours, without the heaping doses of fallacy and hysteria -- and you are calling that Newspeak? I've got some news for you: The Bush II era is over.
But, thanks for "translating" and trying to weed out all the unnecessary words from /. and for being an example of the kind of anti-intellectual you pretend to rail against.
That's a sensationalist mis-translation that the western TV decided to run with.
As for Israel not killing Muslims abroad, that's ludicrous. And at home there's evidence that the Israeli government has a tendency to "link" every attack of a Jew by a Muslim with organized terrorism. In the incident that lead up to their 2015 bombing campaign, Israel's claims about Hamas involvement were exposed as bunk. The fallacious nature of the claim didn't stop them from surging into the strip (an open-air prison packed with state-less people) which led to an escalation in hostilities.
I remember when Are Technica whined about their users' ad-blockers: My suggestion to them in the comment section was to use their fine technical chops to explore alternatives to the current model where the advertiser doesn't trust the content site. If they could resolve that trust issue, they could serve the ads from their own site and exercise some quality control while they're at it.
But maybe being embedded inside giant Conde Nast doesn't allow for that kind of experimentation.
The Drone Wars Have (original subject)
And unfortunately, Michael completely decided not to help the Kernel devs debug this issue, because he was losing money on his benchmarks anyway. Let's disregard the fact he was a step beyond the packages on kernel.org
Interesting. I also have to wonder how close to either 'production' or 'personal use' Phoronix labs can get. These are people who pick and tear things apart and assemble in odd ways (nothing that a person wandering the computer aisle of Staples would recognize).
FWIW, I've been using a Qubes desktop on top of Btrfs for over 4 months now with very heavy usage. There have been no problems with the filesystem thus far (knock on keycaps... :). In terms of features, Btrfs is a flexibility dream. Using reflink copy I can clone VM images and other files instantly with hardly any overhead, and its great for small/informal snapshots of data.
The warehouse work is like slavery, just short of a whip - except they now use virtual whips to get their slaves straightened out.
Sure, there's a little perk called a slaves wage, after-all, they need them to be fed in order to do the miles of walking per day.
A written expose here.
It seems the highly 'exceptional' people in Jeff Bezos' circle have re-invented Taylorism, which is an abiding disregard for the well-being of workers. This indifference and disregard is called "scientific". Efficiency is something to be squeezed out of people second by second, the long-term effects be damned.
This feature only opens the TCP connection, it doesn't send the request until you click.
So What??? You can't imagine that phishers would generate links with a bunch of fake but unique subdomains or port numbers that would communicated to the main phisher domain while a user merely hovers over those links?
Cleaned-up Firefox builds: Iceweasel and Palemoon
Uber was supposed to be a way to do IGT (intelligent grouping transportation) where the trips of different customers are automatically combined to save money/resources.
Instead, it turned into another war over cheap labor and skirting regulation with no actual ride sharing. Uber are liars and cheats who conduct 99% of their business on public streets.
Back in the 90s, he could easily have been ignorant about GMOs as a special class of intellectual property.
Schmeizer found a trait that was useful and did not cultivate his crops for seed production. Without the GMO aspect, that could fall under the traditional exemption in patent law for seed savers.
There is an exemption in patent law for farmers saving seed (and selling the produce for consumption).
No spin: Before GMOs farmers could select for interesting traits without restriction.
Now they must assume that new traits they come across are someone else's "property" until proven otherwise. To say this is burdensome would be an understatement.
Well, that and the fact that it's 100% obvious to any judge that Schmeiser intentionally killed off his non Roundup-Ready crops to select for the trait. His fields were 95% Roundup Ready. That's not "Ow! Monsanto is pollinating my crops with its big, bad pollen!" That's, "Yay, I'm going to get this stuff without paying for it!"
So farmers cannot select for beneficial traits anymore. What are they to do -- keep databases of traits so they can determine which ones might be "property" of a genetic engineering firms?
And please don't try to tell me this ban on millennia-old behavior will stop at 'Roundup-readiness'.
Qubes OS uses a Type 1 hypervisor to simplify and harden system security against such vulnerabilities. The privileged parts of the system are kept relatively small and aren't used for any user applications. All apps and even some drivers (like NICs) are assigned to VMs, which the user can give different trust/risk designations and color codes.
Because isolating hardware is considered part of the solution, Qubes systems need IOMMU hardware to operate securely. But this high degree of isolation is what eliminates holes.
Formal proofs of the system would be nice, but they are hard to do and pointless without hardware isolation. So one could view Qubes as a way to take the smallest functional hypervisor with hardware isolation capabilities (Xen) and use it like a microkernel. One difference with a traditional microkernel is you have the rich feature sets of Linux and Windows kernels/drivers at your disposal within the unprivileged domains.
Like Windows, Linux is a complex rambling Swiss cheese and privilege escalations are pretty common.
Lean security protocols need to come first, which is why Qubes OS is based on a Type 1 hypervisor (Xen). An attacker can try to use an exploit (like in OP) all they want in an untrusted domain, but they aren't going to get access to the hardware (or the other VMs, unless the user has done something to specifically expose those VMs to the attack).
Yes, but Qubes isn't just about isolation. It reduces the attack surface of the isolation mechanism down to the functional minimum. Currently, that means using a Type 1 hypervisor like Xen, though in the future Qubes could be ported to a microkernel. Complex code (even device drivers) is relegated to unprivileged domains.
The term "sandbox" IMO has a connotation that it is something implemented directly by a complex OS with a monolithic kernel; That model isn't very secure.
You're right. More interesting would be a comparison of Intel's benchmark cheats over the years...
http://yro.slashdot.org/commen...
http://tech.slashdot.org/story...
Perhaps the debate is which desktop environment to recommend to first-time users of X11/Linux so that they don't get a bad impression and misblame it on Linux.
Why would first-time users blame a bad DE on a kernel? Because you introduced the whole shebang to them as "Linux"?
elementaryOS repudiates the 'Linux distro' concept for this very reason. They see promise in the Linux kernel and other components as good raw material, but also that giving average users or beginners an OS that looks/feels like Batman on one machine and The Joker on the next (and using the same term for them all to signify something buried deep within) is a recipe for consumer exasperation and rejection. App developers won't see a Linux distro as steady ground (i.e. a 'platform') on which to attract and support users, and those users won't be able to recognize "Linux" anyway.