On Wed, Jan 13, 2010 at 2:08 AM, Eric Furman <ericfur...@fastmail.net> wrote:
> On Wed, 13 Jan 2010 08:31 +0200, "Ciprian Dorin, Craciun"
> <ciprian.crac...@gmail.com> wrote:
>> Sorry, but you guys from OpenBSD have proved that you <<can trust
>> the skills of **some** developers to write a __supposed__ perfectly
>> secure operating system>>, so why not trust other developers to write
>> a __supposed__ secure software emulation with the help of hardware.
>> (Let me say it more simply: we have trust in you, but why don't you
>> have the disposition to trust in others?)

How did "you guys... have proved that you can trust the skills" turn into
"we can trust virtualization developers". Since when have the
virtualization developers demonstrated that trust?

>> > 2.) If systems and application software runs fine on real hardware, but
>> > fails to run on emulated/virtualized hardware, then the problem is in
>> > the virtualization software. --In other words, take questions and
>> > complaints to the vendor of your virtualization software.
>>
>> Agree. This is the same as with software: if software runs
>> perfectly on one version of OpenBSD, but not on another it does not
>> mean that it's the fault of the new version. (But Xen is not all about
>> emulation, it cooperates with the guest kernel, so in this case the
>> blame could be on both sides.)
>
> Wrong. If it works on real hardware and fails in virtualization
> the virtualization software is *always* to blame.

I think he's thinking of paravirtualization, which OpenBSD doesn't do, iirc.

>> > 3.) Many of the benefits you gain by running a stable and secure
>> > operating system like OpenBSD are lost when you run it as a "guest" on
>> > top of some other insecure "host" operating system.
>>
>> This is only true if either:
>> * there is a security bug in the virtualization software (highly
>> improbable, and maybe easily fixed);
>
> BWAAAAHAHHAHAHAHAHH. Have you ever actually worked with any
> virtualization software?
> There have been many documented security bugs in every virtualization
> software.
> Try Securityfocus or your favorite search engine.

I just finished the SANS 560 pen testing class. We had some discussions about day 0 exploits of guest->host bugs. "Highly improbable" should be changed to "it's out there".

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford
learn french: http://www.youtube.com/watch?v=30v_g83VHK4