On Oct 24, 2007, at 10:59 AM, Theo de Raadt wrote: > You don't > build better security by building another gigantic layer. That > is obvious to anyone who actually works in the field.
Having worked in REAL VM :-) (IBM VM/ESA now z/VM) it isn't per se about security like we mean security ... preventing cracking attempts ... it is about isolation of processes. Isolation of processes does contribute to security but it's not the only point of flexion. In practice, mainframe VM varies greatly in security from installation to installation ... the protection of processes from one another in the VM operating system is as hardware/software perfect as the wit and skill of humankind can provide ... but I've found VM installations with accounts like USER passwd USER :-( All things being equal, the safest base installations in the universe would be those whose user instances were encased in some kind of solid VM and whose base instance administrators were provided with and followed best practices. In re that "solid" VM ... As Theo pointed out the other day, the Intel hardware support for virtualization is less than complete, i.e., less mature than the 35-year-old support for virtualization in the IBM 370/390 architecture. So we still gots a ways to go. -- Jack J. Woehr Director of Development Absolute Performance, Inc. [EMAIL PROTECTED] 303-443-7000 ext. 527
