Comment Re:Who? (Score 1) 681

Seriously, it looks like some kind of joke about denial. You are invoking privilege escalation attacks, and a successful one against a guest kernel won't get the attacker much of anything *except* an opportunity to attack the hypervisor (or perhaps access to your other apps data, if you were stupid enough to group them into the same VM).

Relying on security that is melded into a highly complex monolithic kernel is always asking for trouble. A bare metal hypervisor is simpler by orders of magnitude and in practice appears to be proportionally more secure.

Comment Re:Who? (Score 2) 681

As I strongly implied, type 1 hypervisors are more secure, not less, than type 2. Try at least reading the parent post before lapsing into your "no, no, no..." mantra. Implying that type 2 is more secure is absurd.

If you haven't already stopped reading (again), you might want to read this: http://blog.invisiblethings.or...

In short, a jailed process on a host system still has a very complex, privileged kernel to try and exploit. But in a Xen guest VM, it's only the complexity of the hypervisor interfaces that matter since the kernel is unprivileged and must go through the same interfaces to attempt an attack on anything else in the system.

Here's another way to think about it: BSD security literature relies heavily on jails. But what proportion of BSD-based applications are running in BSDs that are merely virtualized guests?

Finally, how do jails deal with attacks on firmware or misbehaving hardware? That I'm aware of, using an IOMMU to assign a (real) NIC on a PCI bus to a jail is not possible, and would be pointless if it were. But with hypervisors like Xen on hardware that supports IOMMU, assigning hardware devices to guest VMs is a feasible way to increase security that is growing in popularity.
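The device-assignment point above has a practical caveat: a PCI device can only be handed to a guest on its own if no other device shares its IOMMU group. The script below is an added example, not from the original post; it reads the Linux kernel's sysfs view of IOMMU groups (the layout a KVM/VFIO host exposes; under Xen the hypervisor owns the IOMMU and the same constraint is checked with Xen's tools), and builds a constructed fake tree so it runs offline. The device addresses and group numbers are constructed; set SYSFS_ROOT=/sys to inspect a real host.

```shell
#!/bin/sh
# Linux exposes IOMMU topology as /sys/kernel/iommu_groups/<group>/devices/<BDF>.
# All devices in one group share an isolation domain, so assigning one of them to
# a guest means trusting (or assigning) every other device in that group too.

# Constructed topology: group 3 holds a lone NIC; group 7 holds a NIC that shares
# its group with another device (typical behind a PCIe switch without ACS).
build_fake_sysfs() {
    root="$1"
    mkdir -p "$root/kernel/iommu_groups/3/devices" "$root/kernel/iommu_groups/7/devices"
    : > "$root/kernel/iommu_groups/3/devices/0000:03:00.0"
    : > "$root/kernel/iommu_groups/7/devices/0000:05:00.0"
    : > "$root/kernel/iommu_groups/7/devices/0000:04:00.0"
}

# Print the IOMMU group number containing the given BDF; fail if it is unknown.
iommu_group_of() {
    for dev in "$SYSFS_ROOT"/kernel/iommu_groups/*/devices/"$1"; do
        [ -e "$dev" ] || continue
        g="${dev%/devices/*}"
        echo "${g##*/}"
        return 0
    done
    return 1
}

# Print how many devices share the group of the given BDF.
group_size_of() {
    g="$(iommu_group_of "$1")" || return 1
    n=0
    for d in "$SYSFS_ROOT/kernel/iommu_groups/$g/devices"/*; do
        if [ -e "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Succeed only if the device is alone in its group, i.e. assignable on its own.
can_isolate() {
    n="$(group_size_of "$1")" || return 1
    [ "$n" -eq 1 ]
}

if [ -z "$SYSFS_ROOT" ]; then
    SYSFS_ROOT="$(mktemp -d)"
    build_fake_sysfs "$SYSFS_ROOT"
fi

for bdf in 0000:03:00.0 0000:05:00.0; do
    if can_isolate "$bdf"; then
        echo "$bdf: alone in IOMMU group $(iommu_group_of "$bdf"), assignable on its own"
    else
        echo "$bdf: shares IOMMU group $(iommu_group_of "$bdf") with $(( $(group_size_of "$bdf") - 1 )) other device(s)"
    fi
done
```

A group with more than one member is the case to watch: passing only part of it to a guest leaves the remaining devices able to DMA within the same isolation domain.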

Comment Re:Who? (Score 1) 681

In KVM there were 4 in an entire year; in Xen there had only been 2 -- and those were only if you had really unusual hardware setups (like >5TiB of RAM).

This makes an important point: Xen is pretty special in a field that already enhances security. Xen is basically the 21st century version of a microkernel, one that works in the real world.

Comment Re:Who? (Score 2) 681

You are probably thinking of the convenient type 2 hypervisors like virtualbox (or just kvm) that need a whole host OS to operate.

A type 1 hypervisor like Xen decreases critical attack surface drastically, especially if services like graphics are not present or are properly virtualized as in Qubes OS. Amazon AWS and EC2 also rely on Xen for security.

As for guest complexity, a certain amount of that is a given and will create opportunities for attack. The question is whether VM breakout is possible -- can all the other domains be kept safe from an attack on domain X?

Kernel-based permission systems are complex and practically guaranteed to fail. That is, unless your user base is rather small.

Submission + - Thousands of Photos by Apollo Astronauts now on Flickr

schwit1 writes: A cache of more than 8,400 high-resolution photographs taken by Apollo astronauts during trips to the moon is now available for viewing and download. Kipp Teague, who created the massive image repository Project Apollo Archive in 1999, recently uploaded new, unprocessed versions of original NASA photo scans to the image sharing service Flickr.

Teague says every photo taken on the lunar surface by astronauts with their chest-mounted Hasselblad cameras is included in the collection, along with numerous other Hasselblad photos shot from Earth and lunar orbit, as well as during the journey between the two.

View the Flickr gallery here.

Submission + - Explosion of shortsightedness due to LCD

Taco Cowboy writes: An epidemic of myopia has exploded amongst the young people in many countries — 96% of Koreans age 19 suffer from nearsightedness, while 4 out of 5 Chinese students are also shortsighted.

The root cause? LCD screen on their smartphones!

Back in 2013, eye surgeons already warned about the link between staring at smartphones and the development of shortsightedness ( ), but unfortunately the warning went unheeded.

Comment Re:Clarification? (Score 1) 106

You can't get away from complexity. What you can do is organize the system around a simplified choke point with the complex parts (even hardware like NICs) mapped into unprivileged VMs. In this case, Qubes OS utilizes a type 1 hypervisor as if it were a microkernel...

And yes, the proportion of eyes to LOC does seem to matter for Xen (it runs AWS and EC2) and this is why it was chosen for Qubes desktop.

Comment Re:Yes, we should give up because it is hard.. (Score 1) 684

I do believe you got that backward. The challenges of existing on Mars mirror the ecological problems that are mounting here on Earth. Pouring R&D dollars (and political will) into achieving a balance here will no doubt pay off in giving us the ability to establish a balance on Mars. Plus we get the 'little' bonus of saving humanity and its home, instead of perishing here with the cold comfort that a Mars outpost watches us dive before they do the same.

It's a cosmic intelligence test: Can you spot the red herring?

Comment Thinkpads and more (Score 1) 237

Yeah, my T430s has been great with Linux and Qubes OS. It's also really tough, IMO. Thinkpads (not the consumer Ideapads) have remained near the very top in the Linux compatibility column.

OTOH, if you want something that is built to be SO compatible with Linux that all the hardware will run using open-source drivers, take a look at the Purism Librem. They have sexy 13" and 15" models.

Last but not least, you should know about Hardware Compatibility Lists (HCLs): All of the Linux ones I know about have become shrunken and worthless *except* for Ubuntu's which can recommend a wide variety of certified-compatible models. If it works with Ubuntu, there is a very high probability it will work with other decent distros.
