
Comment Re:Sounds like a psycopath. (Score 1) 481

Fear not, the Clintons have made 'getting in on the act' their career. Bill Clinton picked up the neocon script back in 1998, stating that Iraq had WMD and Saddam had to be deposed:

Some reading about Hillary's favorite neocons (having become one herself):

Comment Re:To Slashdot Resident Statists... (Score 4, Insightful) 93

At the altar of sacrosanct police and military spending you'll find the most anti-welfare-state, anti-public-infrastructure activists imaginable. And notice that it's *private* services that always seem to be on the cutting edge of expanding surveillance in this country.

Police states form when the political class feels that police and military are the first and last resort to peace and prosperity. And they may resort to impoverishing the public to keep those police and soldiers well staffed and well fed.

Comment Re:Agree (Score 4, Insightful) 267

FF still ignores OS themes, making their special "complete themes" necessary for many people. And I do mean "necessary"...

I like to read at night without having to turn display brightness to nearly zero (which is still too bright and makes everything look like dishwater). Even if I use an extension like BYM to darken web pages, I still have the FF GUI blaring at my eyes. The solution is to use an addon like DeepDark to tame the UI.

Now I'll have a browser that neither honors my Gnome dark theme setting, nor honors its own custom dark theme. THAT is a clusterf*ck.

Comment Re:Security as a trade-off (Score 1) 291

See my other response here.

TL;DR... Sorry, Xen has far, far fewer major vulns than Linux and I was being generous in the linked comparison. Type-1 hypervisors are firmly entrenched in security culture. They are one of the few things that actually work.

As for OpenBSD, too many of its vulns are marked as partially fixed. No thanks. The user base is still minuscule and coasting on a kind of security by obscurity. Plus, there are now L4 distros that are about as functional.

The 'point' about x86 is disingenuous. I don't see you suggesting different hardware......

Comment Re:Security as a trade-off (Score 1) 291

I'd disagree on most points. Although 3D is a challenge for the Qubes project, it is possible to securely use it... if you dedicate a second video card to a VM. Fully integrated (properly virtualized) 3D is in development. Anyway, who uses OpenBSD for 3D apps??

Qubes does not use temporary home dirs by default (unless you're using a disposable VM).

Readonly-ness of apps/configs is a feature of Qubes' template-based VMs. If you don't want that, then create standalone VMs. It's your choice.

Comment Re:Why safety "alone" is productive: (Score 1) 291

LOL... Those are bad examples. The first is VirtualBox, a type-2 hypervisor. The second one might be exploitable once in a blue moon (generally, the attacker will gain a little info outside any VMs). The third one was from a floppy driver that one gets when installing the full-fat QEMU inside dom0 (which seems pointless) -- it also didn't affect Qubes or AWS.

CVE-2015-7835, which just occurred, is a good example of a Xen vulnerability. Still, quantity and severity matter. Linux has racked up 3X the number of CVEs over 5.0 so far this year, compared to Xen. And of those, Xen had zero with a score of 8.0 or higher -- while Linux had a staggering six. Xen has had only two of these (both 8.3) ever, so looking back to Jan. 2015 is being very, very kind to Linux.

I think what the CVE charts are showing is an inherent mitigation effect due to structural features of type-1 hypervisors.

Comment Re:Security isn't a product (Score 1) 291

I sleep much better knowing Xen is 1/10th the size of OpenBSD's kernel (which is still monolithic like Linux). The bolt-on-security-afterward mindset has led to one very positive trend: Running Linux instances under type-1 hypervisors.

Think about how much of the Web (indeed, the world) runs under Amazon AWS/EC2. That is Xen.

Linux mostly provides features, and while Torvalds has not fully woken up to this fact, the software ecosystem has, and it is providing a better form of security-correctness than the BSDs can.

Comment Re:Security as a trade-off (Score 1) 291

Congratulations: You have a 21st century terminal.

It's not worth the tradeoff anymore, and here's why: Malware has expanded into attacks on hardware and firmware, two layers of our systems that have plenty of exploitable quirks of their own.

I've been using Xen Qubes for about 3 years: Using the IOMMU it automatically 'jails' NICs within a virtual machine at the hardware level. The result is that my Wifi/NIC can be attacked, and if they succeed they will only gain a foothold that confers the advantages of taking over one of my routers. My other VMs are insulated, and the non-networked ones completely isolated from mischief.

Other hardware can be selected for isolation in the Qubes GUI, and the Split-GPG and Anti-evil-maid protections are also quite compelling.

OTOH, OpenBSD's kernel is about 10X the size of Xen (where the BSD mantra of 'correctness' has a much tighter focus). As isolation mechanisms go, I trust Xen before any monolithic kernel. The upshot is that Xen also gives me the rich features (incl. drivers) of Linux and Windows.
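The NIC "jailing" described in the comment above depends on the IOMMU grouping the platform actually exposes: a device can only be isolated from the rest of the host if everything in its IOMMU group moves into the same VM with it. The following is an added example, not code from the original post or from the Qubes/Xen projects. It reads the Linux sysfs layout `/sys/kernel/iommu_groups/<group>/devices/<bdf>` (a real layout) and reports whether a given NIC sits alone in its group or drags companion devices along. The sample tree and the device addresses in it are constructed for the example; on a real host you would call `read_iommu_groups()` with its default path instead.

```python
import os
import tempfile

# Constructed sample mimicking /sys/kernel/iommu_groups/<group>/devices/<bdf>.
# Group "7" deliberately places the Wi-Fi adapter next to a sibling function
# so the shared-group caveat is visible. All BDFs here are made up.
SAMPLE_GROUPS = {
    "3": ["0000:00:19.0"],                  # onboard Ethernet, alone in its group
    "7": ["0000:03:00.0", "0000:03:00.1"],  # Wi-Fi adapter sharing a group
    "9": ["0000:00:1f.2"],                  # SATA controller, unrelated
}


def build_sample_sysfs(groups):
    """Create a throw-away directory tree shaped like /sys/kernel/iommu_groups.

    Real sysfs uses symlinks under devices/; plain directories are enough to
    exercise the parsing logic offline.
    """
    root = tempfile.mkdtemp(prefix="iommu_groups_")
    for gid, bdfs in groups.items():
        for bdf in bdfs:
            os.makedirs(os.path.join(root, gid, "devices", bdf))
    return root


def read_iommu_groups(root="/sys/kernel/iommu_groups"):
    """Map every PCI BDF to its IOMMU group id.

    An empty mapping means the kernel exposes no groups at all, i.e. the IOMMU
    is absent, disabled in firmware, or not enabled on the kernel/Xen command line.
    """
    mapping = {}
    if not os.path.isdir(root):
        return mapping
    for gid in os.listdir(root):
        devdir = os.path.join(root, gid, "devices")
        if not os.path.isdir(devdir):
            continue
        for bdf in os.listdir(devdir):
            mapping[bdf] = gid
    return mapping


def passthrough_unit(mapping, bdf):
    """Return every BDF that must be assigned to the same VM as `bdf`."""
    gid = mapping.get(bdf)
    if gid is None:
        raise KeyError(f"{bdf} is in no IOMMU group (IOMMU off, or wrong address)")
    return sorted(dev for dev, group in mapping.items() if group == gid)


def isolation_report(mapping, bdf):
    """Summarise whether `bdf` can be isolated on its own.

    `companions` lists devices that share the group; if it is non-empty, the
    NIC cannot be confined to a network VM without those devices coming along.
    """
    unit = passthrough_unit(mapping, bdf)
    companions = [dev for dev in unit if dev != bdf]
    return {
        "device": bdf,
        "group": mapping[bdf],
        "companions": companions,
        "isolated": not companions,
    }


if __name__ == "__main__":
    root = build_sample_sysfs(SAMPLE_GROUPS)
    groups = read_iommu_groups(root)
    for nic in ("0000:00:19.0", "0000:03:00.0"):
        print(isolation_report(groups, nic))
```

Running the block prints one report per sample NIC: the Ethernet controller is isolatable on its own, while the Wi-Fi adapter's report lists `0000:03:00.1` as a companion that has to be passed through together with it.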

Comment Re:Security as a trade-off (Score 1) 291

I, for one, think OpenBSD's approach is dead wrong. It's not just the low functionality... it's the philosophy of "security through correctness" /while/ turning a blind eye to formal verification. That makes OpenBSD the worst of all worlds, IMO: Neither small-and-tight nor large enough to be functional, with a concept of correctness that boils down to a slogan.

I'll pit a Xen-based Linux system like Qubes against OpenBSD any day, and I won't even take points off for not being able to run apps. Even Windows 7 running on Xen Qubes is ultimately more secure.

This is also what Torvalds is missing in this debate: He's kind of in denial that much of the Web runs on Linux installs that are encapsulated within type-1 hypervisors like Xen. Linux and *BSD have already been demoted WRT security.

Comment Why safety "alone" is productive: (Score 1) 291

There are different ways to implement security, and I think this discussion of Torvalds' and ours is a sign that security ingrained within large monolithic kernels is a demoted (if not dead) model.

Hypervisors like Xen are at the forefront of security. They embody a sandboxing-done-right philosophy where the baremetal system runs only a small, dedicated hypervisor and all of the rich functionality is contained within VMs. In a system like Qubes, which adds an integration layer on top of Xen that is very small and tight and seals-off known avenues for VM breakouts, you get (mostly) the best of both worlds. Even hardware devices are virtualized in Qubes, and it works.

In this model, the hypervisor acts as a microkernel and the Linux/Windows kernels act as drivers and services. IMO, this is 'microkernels done right'.

Of course, any security model worth its salt won't engender a black-and-white view as Linus complains. One accepts that individual VMs that are exposed to risk (browsing remote web pages, for instance) may be compromised. But a compromised browser shouldn't mean a high risk of privilege escalation (the monolithic kernel disease) and having sensitive data stolen, or the system itself turned into a surveillance or attack platform -- any successful attack on an application should be contained by default.

Comment Re:Interesting philosophical dilemma (Score 1) 418

Large tech companies -- including Google -- have exited countries before over repressive laws; the "someone will build it" argument therefore rings hollow.

You think Samsung, LG, HTC, etc. would refuse to sell devices in the UK if Google didn't provide what was required? I think you're forgetting that Android is open source.

The search engine, maps and other services are not, however.

Comment Re:Interesting philosophical dilemma (Score 1) 418

Large tech companies -- including Google -- have exited countries before over repressive laws; the "someone will build it" argument therefore rings hollow. And this may not sound comforting to you, but Apple users in particular may find their devices irreplaceable.

Sure, but you still have the problem that hardly anyone would do it.

I think plenty would. We're not talking about PGP Mail here, and there are examples of millions of people installing alternate apps and utilities for communication. The act of adding a stronger cipher to a device should be painless and having chat/telephony apps that inform the user of the cipher strength could reinforce the opt-in dynamics.
