iOS 4 [8], the latest version of iOS, includes ASLR, DEP, a sandbox, and code signing

Having never used IOS long enough to compare with other systems, it might impress on the phone front, but I am unconvinced its really competing against the Desktop. In fact, its an apples and oranges comparison anyway.

Firstly, having read the article - its incredibly lacking in exposure to many operating systems. After this, the technologies quoted are all available in most modern distros of Linux, plus more including resource limitations to prevent abusing memory or CPU and mandatory access control mechanisms.

From a security perspective seeing as with a smart phone you are carrying your online persona outside with you its at much greater risk of data theft than with a fixed desktop.

Because someone is in a position of trust, with privileges raised to do their job, doesnt mean you cannot do anything if the trust is breached.

You need to account for the commands and time spent on a box that an admin might do, so that if there ever was a breach of trust there is sufficiently strong logs to detect how and when and what happened. If people know that their work is (if needed) being recorded theres less incentive to do damage that might be criminally motivated.

You also need to detect and be reported of activity that would not typically fall within the boundaries of an admins daily routine (such as deleting large quantities of files perhaps, or execution of of programs (like shred) that you wouldn't typically use.

You have not mentioned the platforms you are working with, or if your talking about a platform - or just some CMS but Linux for example has audit, you can set this up to monitor virtually anything you might want to watch for. It takes a little more creativity to audit from a thresholds perspective (where work is permitted but too many events at once is a threat) but it can be done. Audit can be locked once you've finished setting up the ruleset meaning the box needs to be rebooted for you to change the ruleset at all.

There are also pam modules for linux (like pam_tty) that can log literally every character a user pressed into their terminal (including non-space characters like escape and backspace) which can be useful to help determine the impact of incidents that you might be after avoiding.

SELinux on Linux on newer distros (typically thinking enterprise linux 6) has flexible support for role based access controls, which can further restrict an admins abilities exactly down to least privilege needed to do their job. Learning SELinux to the extent you can really do this efficiently might be a commitment though you might not have the time for - although I certainly recommend learning about Mandatory Access Control policies, especially for situations like this.

Transport these logs to a remote machine, if necessary one nobody has access to without some form of local authorization (like using pam_usb). Theres no point doing logging just on the audited box that a potential admin has access to.

Detection can be more difficult. Prelude is a open source security application that offers some stuff you might find of benefit here, other than that rolling your own scripts might help too - depending on your skills and experience in such things.

Finally, and more importantly - people who are given positions of trust like this should be trustworthy. This is purely a management problem, but screen your guys effectively. Dont hand the keys to the city to some bloke you pulled in off the street without doing at least some background checking.

Whilst this solution does not particularly offer any more device consistency with what is already in Fedora, the idea here I believe is to make the ethernet configuration stateless in addition to consistent.

This is not the case at the moment, as the network scripts add udev rules binding ethX named devices against the MAC address of the underlying device itself (so Mac AA:BB:CC:DD:EE:FF is always ethX). This additionally offers no indication of which PCI device this is referring to, and on ethernet cards with multiple ports, which port the ethernet device is associated against.

I think this is over-engineering a solution if your only after seeking for device naming consistency across reboots, but it makes more sense when you understand that what Fedora want to do is be able to make their logical naming schemes for network devices map to the physical devices, in addition to providing device naming consistency.

KSM is a great idea, much of its abilities are available in Fedora 12. I tried it and I had higher expectations to be honest.

That is not to say that it is no good - its great but there is a bit of a cost analsysis that should be done before implementing it. You dont get something for nothing - and in this case ultimately your offloading the higher memory usage onto the CPU. Depending on your hypervisor setup this might not be such a bad thing of course.

In my somewhat narrow testing of it I found that:-

a) Even with the same O/S images running multiple times the memory I saved was about 5-10%.

b) It effectively used about 50% of one CPU running the feature.

I think that to really see a benefit to this you have to be running a huge hypervisor with a ton of memory and cpus and a lot of guests as there is a plateau which beforehand makes it quite inefficient to use the features seeing as (at least with my results) the payback is less than 10% anyway.

But the IPv4 version appears to be a hell of a lot slower than its v6 counterpart.

In fact i've found v6 runs much faster generally (probably cause so few people are using it at the moment). I use it quite often to download new Fedora distros at max speed.

I personally use qemu-kvm and im quite happy with it. Thats running on a dual core machine with 2G of ram (probably not enough ram though!).

For the KVM stuff you need have chips which support Intels VT or AMDS AMD-V so your processor is the most important aspect. A quad core would probably be suitable too if you can buy that.

For just experimentation usage its a fantastic alternative to VMWare (I personally got sick of having to recompile the module every time my Kernel got updated).

On my box myself i've had about 6 CentOS VMs running at once but frankly there were not doing much most of the time. Ultimately its going to boil down to how much load you inflict on VMS underneath, my experience with it has not been very load heavy so I could probably stretch to 9vms on my hardware which is probably on the lower end of the consumer range these days.

The most important bits are your CPU and RAM. If your after something low spec you can do dual core 2g ram but you could easily beef that up to quad core 8G RAM to give you something you can throw more at.

Oh and Qemu without KVM is painstakingly slow - I wouldn't suggest it at all.

I hope to god nobodies got a ** typo in an old script because that could be troublesome.

Even worse it could be simple enough to ** in error on the prompt.

But some PHP tinkering and you could probably do something to pass comments through spamassassin using a socket or something.

Spamassassin would need updating though to work with content-only data.

Wonder if anyones ever thought of this before?

Cmon Slashdot, your taking the piss now..