AV is decent, and is useful is you have a large network to maintain, or users who don't know what they are doing.
If you know what you are doing, keep your OS patched and locked down, use a secure browser, keep up maintenance like looking out for odd files/processes etc, then AV is not going to add any additional protection. IN fact, the presence of AV, since it generally has to run as Administrator, adds an unnecessary attack vector. There are very few, if any scenarios where the security of a machine will be increased by the presence of an AV if the machine is well maintained and locked down and the user knows what they are doing. There are plenty of situations where having an AV could lead to a DoS, shell or false sense of security.
There is nothing wrong with a security researcher not using AV and using a more secure approach,especially given the nature of her work and the sensitive information she deals with.
If you can limit everything that people can do after exploiting a vulnerability and being on the system, and reducing root to nothing, how does this vulnerability/exploit differ?
I understand why the Police are doing this, and I think it is a good move. Yes, I am an Australian, and a QLD'er.
This will let people know who truly do not, and can prevent crimes such as identity theft, downloading illegal stuff etc.
For the record, operating an insecure wifi AP is not illegal, this is just a helpful initiative.
The thing is, it is 2009. For the last 5 years at least, most AP's have security enabled by default, or at least as a mandatory step of the setup.
At the very least, there will be a warning that will be hard to miss.
For the last 5 years or so, information on this has been forthcoming to people who are not overly technical via:
* TV shows, non technical like 60 minutes or a talk show
* Magazines, including many of which are non tech magazines
* Various websites, including many non tech websites, such as MSN
* Your operating system, such as Windows, OS X or Ubuntu giving you warnings
* User guides or manuals in very, very, simple to understand language
* Warning stickers on the box or device
* Probably quite a few other avenues as well
There is very little reason to not be aware of the risks of running an insecure network. All too often it is a case of stupidity, as people do this for the sake of convenience. Nothing is going to change these peoples minds.
The whole point of SELinux and RSBAC is that they provide additional security. Not least, true enforceable separation of duty and principles of least privilege.
I am aware there are more granular levels, but they are all largely ineffective, and may stop some attacks. SELinux does not give cryptic error messages, any more than OpenBSD does. It gives a very clear error message, detailing the access request being denied, and why.
Now, let's look at your list.
Even if the chroot is secure, it will not prevent accessing data within the chroot, accessing other machines on the network, defacing a website or something...
The OpenBSD privilege separation is not complete, and not system wide. There is certainly no separation of duty, with root still being god...
sysctls are a nice touch, but again, necessarily limited are are not going to help that much
Stack Protection is a preventive measure, and no, it is not half the reason you would use SELinux. Assume something gets past stack protection, SELinux prevents the attacker from being able to do anything, as were on OpenBSD they can still do a hell of a lot.
Encrypted Swap...OK....again, not relevant, and available on Linux....not sure what your point is here...
Randomized malloc()....again, it won't help in the face of a successful attack, which was the point of my post. Also available on Linux.
Have a look at some of the models and example policies used by SELinux to get a better idea.
If SELinux is sufficient for the NSA to use..., I trust SELinux and RSBAC because they have companies working on them auditing their code and have an excellent track record, with considerably less vulnerabilities than OpenBSD.
The overall security track record is irrelevant, as distros tend not to enable SELinux. If they did, most security problems not a result of user stupidity would likely disappear overnight.
A focus on quality is part of a fous on security, and is a necessary step. By itself, a quality system is not necessarily secure. As I stated, there is much more to being a secure system than just not having vulnerabilities.
I am aware of the reasoning behind secure by default. My point above only meant to demonstrate that such a configuration is not synonymous with not having any vulnerability in a real world scenario, which many OpenBSD fans try to equate it as being.
So the ports tree has been removed? I was not aware of this. So OpenBSD now no longer audits 3rd party software, and the entire system security can be reduced by running a server not in the official OpenBSD release? You see, a secure system would have methods to help protect against this, in the case of an attack.
No point of my post was contradictory. I can run a Linux server, full of vulnerable software, and with a correct SELinux or RSBAC policy, it will be more secure than OpenBSD, by far.
A secure system is more than just not having vulnerabilities.
Secure systems, for a start, should have the ability to control and restricts information to a fine grained level. Unfortunately, Theo is stubborn that things like MAC and RBAC should not be included, as they are not necessary. Which is remarkably short-sighted. DAC has many problems, any any truly secure system should have an alternative. As much as I like OpenBSD for what it is, and as much as I respect the development team, a focus on quality is not the same as a focus on security. Secure by default is a good approach, but is somewhat meaningless, as you are limited in what you can do with it. A true metric would be to look at the vulnerabilities of software in the ports tree, of which there is still a lot.
At the moment, SELinux or RSBAC are far more secure systems, despite those platforms having more vulnerabilities. If you gain a root shell through Apache for example, you will not be able to do a damn thing. On OpenBSD, as there is no defence in depth, the system is yours. Even NetBSD and FreeBSD seem to have more of a focus on actual security, with efforts like SEBSD, executable signatures, PAX/NX support etc.
OpenBSD is quality, top not software. It is not however, a secure system.
You can probably guess where I come down on the issue. I do believe in God. I can't prove it, but I accept it as a tautology. I also believe in evolution as a natural process. I believe that the creation of the universe was a more subtle process than most Biblical literalists do. God set up the rules and conditions so that what he wanted to happen would happen. Sort of a 15+ billion year bank shot. To me, that is _much_ more impressive than "Wham, here's everything".
Believing in God guide natural processes is absolutely fine. Unless your god is Abrahamic, in which case you are not just wrong, but a hypocrite.
Many games have great humour. The key is to do it in dialogue that you overhear, cutscenes, scripted responses to actions etc. Most games don't deal with this because the best selling games are semi realistic shooters or etc, but there are a great many examples of humour in games. NOLF, Serious Sam, Duke Nukem, any simpsons game, the fallout games, etc and etc and etc
So. The US is happy to go after nay country that has a different version of copyright law to that of the US, such as Canada, even putting them on a watchlist. They want everybody to respect US law, without being willing to do the same for other countries? Honestly, as stupid as the law is, it should be respected until it is lobbied to be changed. Besides, wiki is an international foundation, sureley something can be done to the local UK branch? I actually hope the UK would grow some balls, and extradite the user to the UK for trial....
Actually, you're just plain wrong about that. July 4th is a very important day for North Koreans. It is when Americans celebrate their independence, and their capitalist freedoms. The propaganda in North Korea starts from a very young age. July 4th is a bad day for North Koreans and they are taught that THAT day is when their mortal enemy celebrates and plots their demise.
Oh, please.
What are you basing that on other than pure speculation? Have you been to NK? Do you have any idea what you are tlaking about? Most NKeans simply won'T care about July 4th, despite being aware of what it means to Americans.
Well, if you think a slash id indicates any kind of experience, you are sorely mistaken. Hopefully mine is low enough that you will listen, since that is apparently a metric you like to you.
To put it simply, you are wrong.
Windows was never as terrible as you make it sound, and you have some bent desire to vilify them more than is necessary. If you were doing something to make Windows crash that much, then I have to question your experience and knowledge, pr perhaps just your capability. Besides, for the last 10 years, Windows has been every bit as stable, if not more so then Linux. People need to get over their outdated preconceptions and start to judge things objectivley. I really think it is you who should learn the truth, instead of spreading FUD.
Is the lack of RBAC and MAC, or any decent non discretionary access controls.
Solaris has RBAC, Linux has RSBAC and SELinux. OpenBSD staunchly refuses to add anything similar, and no, a system call interceptor does not count.
It's all well and good to have quality code and aim to get rid of vulnerabilities at the core, but a really secure system would be able to protect from attack, in the event it did happen.
As it stands, a system with SELinux or RSBAC is far, far more secure than OpenBSD, because of this fact.
hi. i was born a male. but now i want to be a female.
i currently lust after bitches in tight spandex, but now i have a different urge, i want to BE one of those bitches in tight spandex, i want to be some hunks sex slave, i want to suck cock all day and all night long, who will pay for my sex change op? i can pay you with free sex for a decade! i just want to be a little obediant bimbo, please help make my wish cum true!
please, pay for my sex change, and impale untill it hurts!
after all what guy (guys have big penis's, yummy) would not want an attractiv model to spread her legs? which is what i will do if you help me.
hi. i was born a male. but now i want to be a female.
i currently lust after bitches in tight spandex, but now i have a different urge, i want to BE one of those bitches in tight spandex, i want to be some hunks sex slave, i want to suck cock all day and all night long, who will pay for my sex change op? i can pay you with free sex for a decade! i just want to be a little obediant bimbo, please help make my wish cum true!
please, pay for my sex change, and impale untill it hurts!
after all what guy (guys have big penis's, yummy) would not want an attractiv model to spread her legs? which is what i will do if you help me.
hi. i was born a male. but now i want to be a female.
i currently lust after bitches in tight spandex, but now i have a different urge, i want to BE one of those bitches in tight spandex, i want to be some hunks sex slave, i want to suck cock all day and all night long, who will pay for my sex change op? i can pay you with free sex for a decade! i just want to be a little obediant bimbo, please help make my wish cum true!
please, pay for my sex change, and impale untill it hurts!
idiots...openbsd team are excellent coders, they know nothing about security though...look at this, if a hole is found the whole system is vulnerable....not secure at all....
i. am. posting. this. to. see. if. or. how. it. makes. the. page. wider. i. don't. know. if. it. will. work.
now i also want to post something related to the topic but while i am writing this i forgot what it is.
now i will write about how i want sarah michelle gellar to strip of and let me stick my 9" into here, while she screams in pane, i then want to get natalie portman in here and let me fuckher from behind while sarah licks my arsehole and JLO gives me the bloejob that she has been perfecting.
Slashdot Mirror
Using the 9 ball exploits? Didn't even make the list?
Honestly.
AV is decent, and is useful is you have a large network to maintain, or users who don't know what they are doing.
If you know what you are doing, keep your OS patched and locked down, use a secure browser, keep up maintenance like looking out for odd files/processes etc, then AV is not going to add any additional protection. IN fact, the presence of AV, since it generally has to run as Administrator, adds an unnecessary attack vector. There are very few, if any scenarios where the security of a machine will be increased by the presence of an AV if the machine is well maintained and locked down and the user knows what they are doing. There are plenty of situations where having an AV could lead to a DoS, shell or false sense of security.
There is nothing wrong with a security researcher not using AV and using a more secure approach,especially given the nature of her work and the sensitive information she deals with.
How does this get past SELinux?
If you can limit everything that people can do after exploiting a vulnerability and being on the system, and reducing root to nothing, how does this vulnerability/exploit differ?
I understand why the Police are doing this, and I think it is a good move. Yes, I am an Australian, and a QLD'er.
This will let people know who truly do not, and can prevent crimes such as identity theft, downloading illegal stuff etc.
For the record, operating an insecure wifi AP is not illegal, this is just a helpful initiative.
The thing is, it is 2009. For the last 5 years at least, most AP's have security enabled by default, or at least as a mandatory step of the setup.
At the very least, there will be a warning that will be hard to miss.
For the last 5 years or so, information on this has been forthcoming to people who are not overly technical via:
* TV shows, non technical like 60 minutes or a talk show
* Magazines, including many of which are non tech magazines
* Various websites, including many non tech websites, such as MSN
* Your operating system, such as Windows, OS X or Ubuntu giving you warnings
* User guides or manuals in very, very, simple to understand language
* Warning stickers on the box or device
* Probably quite a few other avenues as well
There is very little reason to not be aware of the risks of running an insecure network. All too often it is a case of stupidity, as people do this for the sake of convenience. Nothing is going to change these peoples minds.
I am sorry, but you are incorrect.
The whole point of SELinux and RSBAC is that they provide additional security. Not least, true enforceable separation of duty and principles of least privilege.
I am aware there are more granular levels, but they are all largely ineffective, and may stop some attacks. SELinux does not give cryptic error messages, any more than OpenBSD does. It gives a very clear error message, detailing the access request being denied, and why.
Now, let's look at your list.
Even if the chroot is secure, it will not prevent accessing data within the chroot, accessing other machines on the network, defacing a website or something...
The OpenBSD privilege separation is not complete, and not system wide. There is certainly no separation of duty, with root still being god...
sysctls are a nice touch, but again, necessarily limited are are not going to help that much
Stack Protection is a preventive measure, and no, it is not half the reason you would use SELinux. Assume something gets past stack protection, SELinux prevents the attacker from being able to do anything, as were on OpenBSD they can still do a hell of a lot.
Encrypted Swap...OK....again, not relevant, and available on Linux....not sure what your point is here...
Randomized malloc()....again, it won't help in the face of a successful attack, which was the point of my post. Also available on Linux.
Have a look at some of the models and example policies used by SELinux to get a better idea.
If SELinux is sufficient for the NSA to use..., I trust SELinux and RSBAC because they have companies working on them auditing their code and have an excellent track record, with considerably less vulnerabilities than OpenBSD.
The overall security track record is irrelevant, as distros tend not to enable SELinux. If they did, most security problems not a result of user stupidity would likely disappear overnight.
Some points, in response to your post.
A focus on quality is part of a fous on security, and is a necessary step. By itself, a quality system is not necessarily secure. As I stated, there is much more to being a secure system than just not having vulnerabilities.
I am aware of the reasoning behind secure by default. My point above only meant to demonstrate that such a configuration is not synonymous with not having any vulnerability in a real world scenario, which many OpenBSD fans try to equate it as being.
So the ports tree has been removed? I was not aware of this. So OpenBSD now no longer audits 3rd party software, and the entire system security can be reduced by running a server not in the official OpenBSD release? You see, a secure system would have methods to help protect against this, in the case of an attack.
No point of my post was contradictory. I can run a Linux server, full of vulnerable software, and with a correct SELinux or RSBAC policy, it will be more secure than OpenBSD, by far.
A secure system is more than just not having vulnerabilities.
Secure systems, for a start, should have the ability to control and restricts information to a fine grained level. Unfortunately, Theo is stubborn that things like MAC and RBAC should not be included, as they are not necessary. Which is remarkably short-sighted. DAC has many problems, any any truly secure system should have an alternative. As much as I like OpenBSD for what it is, and as much as I respect the development team, a focus on quality is not the same as a focus on security. Secure by default is a good approach, but is somewhat meaningless, as you are limited in what you can do with it. A true metric would be to look at the vulnerabilities of software in the ports tree, of which there is still a lot.
At the moment, SELinux or RSBAC are far more secure systems, despite those platforms having more vulnerabilities. If you gain a root shell through Apache for example, you will not be able to do a damn thing. On OpenBSD, as there is no defence in depth, the system is yours. Even NetBSD and FreeBSD seem to have more of a focus on actual security, with efforts like SEBSD, executable signatures, PAX/NX support etc.
OpenBSD is quality, top not software. It is not however, a secure system.
Believing in God guide natural processes is absolutely fine. Unless your god is Abrahamic, in which case you are not just wrong, but a hypocrite.
Many games have great humour. The key is to do it in dialogue that you overhear, cutscenes, scripted responses to actions etc. Most games don't deal with this because the best selling games are semi realistic shooters or etc, but there are a great many examples of humour in games. NOLF, Serious Sam, Duke Nukem, any simpsons game, the fallout games, etc and etc and etc
So. The US is happy to go after nay country that has a different version of copyright law to that of the US, such as Canada, even putting them on a watchlist. They want everybody to respect US law, without being willing to do the same for other countries? Honestly, as stupid as the law is, it should be respected until it is lobbied to be changed. Besides, wiki is an international foundation, sureley something can be done to the local UK branch? I actually hope the UK would grow some balls, and extradite the user to the UK for trial....
Oh that's right, they can't :|
Oh, please.
What are you basing that on other than pure speculation? Have you been to NK? Do you have any idea what you are tlaking about? Most NKeans simply won'T care about July 4th, despite being aware of what it means to Americans.
Well, if you think a slash id indicates any kind of experience, you are sorely mistaken. Hopefully mine is low enough that you will listen, since that is apparently a metric you like to you.
To put it simply, you are wrong.
Windows was never as terrible as you make it sound, and you have some bent desire to vilify them more than is necessary. If you were doing something to make Windows crash that much, then I have to question your experience and knowledge, pr perhaps just your capability. Besides, for the last 10 years, Windows has been every bit as stable, if not more so then Linux. People need to get over their outdated preconceptions and start to judge things objectivley. I really think it is you who should learn the truth, instead of spreading FUD.
Is the lack of RBAC and MAC, or any decent non discretionary access controls.
Solaris has RBAC, Linux has RSBAC and SELinux. OpenBSD staunchly refuses to add anything similar, and no, a system call interceptor does not count.
It's all well and good to have quality code and aim to get rid of vulnerabilities at the core, but a really secure system would be able to protect from attack, in the event it did happen.
As it stands, a system with SELinux or RSBAC is far, far more secure than OpenBSD, because of this fact.
That is an excellent point, this kind of competition is only good for the security scene as a whole.
I don't understand why it is not explorer further on slashdot, not just rsbac, but apparmor, grsecurity etc..,
But yes, RSBAC is an excellent and alternative approach, and should be checked out.
hi. i was born a male. but now i want to be a female.
i currently lust after bitches in tight spandex, but now i have a different urge, i want to BE one of those bitches in tight spandex, i want to be some hunks sex slave, i want to suck cock all day and all night long, who will pay for my sex change op? i can pay you with free sex for a decade! i just want to be a little obediant bimbo, please help make my wish cum true!
please, pay for my sex change, and impale untill it hurts!
after all what guy (guys have big penis's, yummy) would not want an attractiv model to spread her legs? which is what i will do if you help me.
hi. i was born a male. but now i want to be a female.
i currently lust after bitches in tight spandex, but now i have a different urge, i want to BE one of those bitches in tight spandex, i want to be some hunks sex slave, i want to suck cock all day and all night long, who will pay for my sex change op? i can pay you with free sex for a decade! i just want to be a little obediant bimbo, please help make my wish cum true!
please, pay for my sex change, and impale untill it hurts!
after all what guy (guys have big penis's, yummy) would not want an attractiv model to spread her legs? which is what i will do if you help me.
it might help if you had knowledge on what you were talking about.
and it suceeds, unlike freebsd linux has not been delayed another year.
hi. i was born a male. but now i want to be a female.
i currently lust after bitches in tight spandex, but now i have a different urge, i want to BE one of those bitches in tight spandex, i want to be some hunks sex slave, i want to suck cock all day and all night long, who will pay for my sex change op? i can pay you with free sex for a decade! i just want to be a little obediant bimbo, please help make my wish cum true!
please, pay for my sex change, and impale untill it hurts!
openbsd is not secure, i could be wrong, but all i see is good coding, no security measures implemented.
i only planned on saying yay here but it is making me wait 20 seconds the cunt thing.
lets see....freebsd better than openbsd....linux better than freebsd?
idiots...openbsd team are excellent coders, they know nothing about security though...look at this, if a hole is found the whole system is vulnerable....not secure at all....
I prefer a secure operating system.
i. am. posting. this. to. see. if. or. how. it. makes. the. page. wider. i. don't. know. if. it. will. work.
now i also want to post something related to the topic but while i am writing this i forgot what it is.
now i will write about how i want sarah michelle gellar to strip of and let me stick my 9" into here, while she screams in pane, i then want to get natalie portman in here and let me fuckher from behind while sarah licks my arsehole and JLO gives me the bloejob that she has been perfecting.
i wonder how many replies i will get?