On 08/11/2007, Don Jackson <[EMAIL PROTECTED]> wrote:
>
> As a minor note, I also found this article to be an interesting
> introduction to Xen:
>
> http://www.acmqueue.org/modules.php?name=Content&pa=printer_friendly&pid=443&page=1
The article is interesting, however it also claims:
"virtualizat
On 08/11/2007, Martin Schröder <[EMAIL PROTECTED]> wrote:
> 2007/11/8, Don Jackson <[EMAIL PROTECTED]>:
> > It is not at all clear to me that the existence of a Xen port of
> > OpenBSD would detract from the security or performance of the non-Xen
> > ports of OpenBSD.
>
> Since you believe to know
2007/11/8, Don Jackson <[EMAIL PROTECTED]>:
> It is not at all clear to me that the existence of a Xen port of
> OpenBSD would detract from the security or performance of the non-Xen
> ports of OpenBSD.
Since you believe to know more about security than Theo, why don't you
fork your own XenBSD? Sh
Just a bit more follow up on this topic:
Kirk Ismay wrote:
> I don't think it would be appropriate to have Xen included with the stock
> OpenBSD
> kernel/distribution, due to both the security issues, and license issues (Xen
> is GPL).
> It may be better for the project to have Xen available as
On 10/29/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> As for LPARs, I don't really need them. Unless, I suppose if they
> really do provide rock-solid virtualization so I can run an OpenBSD
> firewall in one LPAR and another instance of OpenBSD (or Debian,
> whatever) in another LPAR for doi
On Mon, Oct 29, 2007 at 09:11:01AM -0400, bofh wrote:
> On 10/29/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> > So if nobody makes really good hardware then there's nobody to reward
> > for it, so you end up buying bad hardware and rewarding the maker for
> > it.
>
> If given a choice, I thin
On 10/29/07, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> So if nobody makes really good hardware then there's nobody to reward
> for it, so you end up buying bad hardware and rewarding the maker for
> it.
If given a choice, I think I like Sun's sparc hardware most of all.
Though IBM's boxes do a
On Sun, Oct 28, 2007 at 10:31:31PM -0400, Nick Holland wrote:
> It's a pretty simple concept, really.
> A few years ago, I was giving a talk at a local high school. One of
> the students asked me why his computer crashed a lot, "why can't they
> build an operating system that doesn't crash?". I
Douglas A. Tutty wrote:
> On Sun, Oct 28, 2007 at 05:34:17PM -0400, bofh wrote:
>
>> Why would you do that? Go read The Software Conspiracy. The author,
>> Minasi, got, on the record, interviews from VPs of development at
>> Microsoft, Netscape, Sun, Oracle, etc basically saying that they don't
On Sun, Oct 28, 2007 at 05:34:17PM -0400, bofh wrote:
> Why would you do that? Go read The Software Conspiracy. The author,
> Minasi, got, on the record, interviews from VPs of development at
> Microsoft, Netscape, Sun, Oracle, etc basically saying that they don't
> give a shit about lousy soft
On 10/28/07, Shawn K. Quinn <[EMAIL PROTECTED]> wrote:
> On Wed, 2007-10-24 at 20:27 -0500, L. V. Lammert wrote:
> > The fact that Microshaft crap has hundreds or thousands of
> > vulnerabilities
> > is the other extreme of the list.
>
> I have gone as far as to say Windows is "insecure by default"
On Wed, 2007-10-24 at 20:27 -0500, L. V. Lammert wrote:
> The fact that Microshaft crap has hundreds or thousands of
> vulnerabilities
> is the other extreme of the list.
I have gone as far as to say Windows is "insecure by default" which is
still much more true than it should be. Of course I'm st
On 10/26/07, Matt Rowley <[EMAIL PROTECTED]> wrote:
>
> > Some but not all. If you buy a Dell 2950 quad and load it up with 8
> > Gig. You can spend $500 on an ESX 3i license and run 10 - 15 512 MB
> > OpenBSD single processor VMs. The difference here is that you can
> > max out the duty cycle on
> Some but not all. If you buy a Dell 2950 quad and load it up with 8
> Gig. You can spend $500 on an ESX 3i license and run 10 - 15 512 MB
> OpenBSD single processor VMs. The difference here is that you can
> max out the duty cycle on the box where as a single OS running on the
> same Iron won't
Well, this post seems to get a lot of attention throughout the Internet. I
normally do not participate on argumentations about opinions. However, I
feel like I should get involved, as this is the field I am currently
commencing my PhD research in.
First, I think Theo is right when he states, that
On 10/25/07, Tom Van Looy <[EMAIL PROTECTED]> wrote:
>
> I think you forgot to count power savings here?
>
> Theo de Raadt wrote:
> > And when physical servers cost less than some vmware licenses
> > Then it is even more dumb to defend such stupid practices.
>
>
Some but not all. If you buy
Don Jackson wrote:
I wanted to add my 2 cents to this thread.
Ignoring the debate/flamage on this thread regarding the security
merits/risks of virtualization, I believe there are a number of us who
would like the option to run OpenBSD as a guest under various virtual
machine frameworks. Even i
On Thu, Oct 25, 2007 at 03:27:07PM -0700, Adam Getchell wrote:
> On 10/25/07, Jason Dixon <[EMAIL PROTECTED]> wrote:
> > On Thu, Oct 25, 2007 at 01:45:23PM -0500, L. V. Lammert wrote:
> > > At 02:28 PM 10/25/2007 -0400, Jason Dixon wrote:
> > > >Sure you do. You claim that the following statement
2007/10/26, Adam Getchell <[EMAIL PROTECTED]>:
> On 10/25/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
>
> > You're also a sysadm who refuses to read a paper written by a google
> > researcher, whose team found massive bugs in every VM.
>
> That's not quite correct. Restating (yet) again:
>
> 1. Or
2007/10/25, L. V. Lammert <[EMAIL PROTECTED]>:
> At 05:08 PM 10/25/2007 -0400, Stuart VanZee wrote:
> >I finally get it...
> >
> >LEE! YOU ARE A FUCKING GENIUS!
> you mean security from those bad
> guys, apparently you are talking about security from the
> damn sheep who couldn't break th
On 10/25/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> You're also a sysadm who refuses to read a paper written by a google
> researcher, whose team found massive bugs in every VM.
That's not quite correct. Restating (yet) again:
1. Ormandy [1] states that Xen's design is congruent with good se
On 10/25/07, Jason Dixon <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 25, 2007 at 01:45:23PM -0500, L. V. Lammert wrote:
> > At 02:28 PM 10/25/2007 -0400, Jason Dixon wrote:
> > >Sure you do. You claim that the following statement is wrong, but you
> > >don't offer any explanation. That's crap.
> > >
On 10/25/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> So, if I take your point or 'applications domain' and translate this
> in more practical term and stop using words out of the far fetch paper
> and use more pragmatic day to day example. You argue that in this case,
> if a setup is using
L. V. Lammert wrote:
Certainly! That is not the point, however. The point is that users of
OTHER 'application domains' have better security with a VM (or one of
the other approaches discussed) because THEIR environment has no ability
to interact with the OTHER environments. The digression into
* Don Jackson <[EMAIL PROTECTED]> [2007-10-25 13:33:29]:
> I wanted to add my 2 cents to this thread.
>
> Ignoring the debate/flamage on this thread regarding the security
> merits/risks of virtualization, I believe there are a number of us who
> would like the option to run OpenBSD as a guest un
At 05:08 PM 10/25/2007 -0400, Stuart VanZee wrote:
I finally get it...
LEE! YOU ARE A FUCKING GENIUS!
Beautiful!
[Taking Bow]
I finally get it...
LEE! YOU ARE A FUCKING GENIUS!
Hey everyone...
In Mr. Lammert's world, as long as NOBODY is trying to
break the system, VMs give a HUGE security plus!
Problem is, there are a lot of very bad motherfuckers out
there who ARE trying to break the system. So, when someone
st
On Thu, Oct 25, 2007 at 01:45:23PM -0500, L. V. Lammert wrote:
> At 02:28 PM 10/25/2007 -0400, Jason Dixon wrote:
> >Sure you do. You claim that the following statement is wrong, but you
> >don't offer any explanation. That's crap.
> >
> >"There is *nothing* in any virtualization software that m
I wanted to add my 2 cents to this thread.
Ignoring the debate/flamage on this thread regarding the security
merits/risks of virtualization, I believe there are a number of us who
would like the option to run OpenBSD as a guest under various virtual
machine frameworks. Even if it is less secure t
> At 01:58 PM 10/25/2007 -0600, Theo de Raadt wrote:
> > > Certainly! That is not the point, however. The point is that users of OTHER
> > > 'application domains' have better security with a VM (or one of the other
> > > approaches discussed) because THEIR environment has no ability to interac
At 01:58 PM 10/25/2007 -0600, Theo de Raadt wrote:
> Certainly! That is not the point, however. The point is that users of OTHER
> 'application domains' have better security with a VM (or one of the other
> approaches discussed) because THEIR environment has no ability to interact
> Certainly! That is not the point, however. The point is that users of OTHER
> 'application domains' have better security with a VM (or one of the other
> approaches discussed) because THEIR environment has no ability to interact
^
At 03:09 PM 10/25/2007 -0400, Stuart VanZee wrote:
Quite frankly, I tire of your dumb-ass attitude. This was VERY ON TOPIC.
Indeed it is! I also tire of the dumb replies that don't have any
relationship to the original subject.
Security for the "application domain" is a function of the le
L. V. Lammert:
>At 12:08 PM 10/25/2007 -0400, Stuart VanZee wrote:
>
>>The reason that people are going to #2 is that, if you are concerned about
>>security, that is the optimal way of setting things up. One box, one
>>task. That is true "separation". In this light, the question of if #3 is
>>mo
At 02:28 PM 10/25/2007 -0400, Jason Dixon wrote:
Sure you do. You claim that the following statement is wrong, but you
don't offer any explanation. That's crap.
"There is *nothing* in any virtualization software that makes having it
*more secure* than not having it at all."
Quit dodging li
Quoting "Douglas A. Tutty" <[EMAIL PROTECTED]>:
> Problem: in your analogy, there is some limit to the number of bad guys
> before they become obvious to local law-enforcement. In the computer
> case, best to consider the number of bad guys unlimited; you can only
> limit the _rate_ at which they
On Thu, 25 Oct 2007 11:26:53 -0500, "L. V. Lammert" <[EMAIL PROTECTED]> wrote:
> At 12:23 PM 10/25/2007 -0400, you wrote:
>>On Oct 25, 2007, at 10:06 AM, "L. V. Lammert" <[EMAIL PROTECTED]> wrote:
>>
>>>On Wed, 24 Oct 2007, Jason Dixon wrote:
There is *nothing* in any virtualization s
At 12:23 PM 10/25/2007 -0400, Jason Dixon wrote:
On Oct 25, 2007, at 10:06 AM, "L. V. Lammert" <[EMAIL PROTECTED]> wrote:
On Wed, 24 Oct 2007, Jason Dixon wrote:
There is *nothing* in any virtualization software that makes having
it *more secure* than not having it at all.
Is that direct en
At 12:08 PM 10/25/2007 -0400, Stuart VanZee wrote:
The reason that people are going to #2 is that, if you are concerned about
security, that is the optimal way of setting things up. One box, one
task. That is true "separation". In this light, the question of if #3 is
more secure than #1 is tr
On Oct 25, 2007, at 10:06 AM, "L. V. Lammert" <[EMAIL PROTECTED]> wrote:
On Wed, 24 Oct 2007, Jason Dixon wrote:
There is *nothing* in any virtualization software that makes having
it *more secure* than not having it at all.
Is that direct enough for you?
No, because it's wrong.
You're f
I think you forgot to count power savings here?
Theo de Raadt wrote:
And when physical servers cost less than some vmware licenses
Then it is even more dumb to defend such stupid practices.
On 10/25/07, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> The 'obvious' security benefits were in two or three other posts, but, to
> summarize:
>
> > Separate UID/PWs for each domain/VM
Uh, how else would it work? How is this specific to virtualization?
> > Separate admin configurations & tool
At 12:23 PM 10/25/2007 -0400, you wrote:
On Oct 25, 2007, at 10:06 AM, "L. V. Lammert" <[EMAIL PROTECTED]> wrote:
On Wed, 24 Oct 2007, Jason Dixon wrote:
There is *nothing* in any virtualization software that makes having
it *more secure* than not having it at all.
Is that direct enough for
At 12:01 PM 10/25/2007 +1000, Damien Miller wrote:
On Wed, 24 Oct 2007, L. V. Lammert wrote:
> I still stand by my original statement. Running application 'domains' in
> VMs instead of on a single server increases security.
It is no worse security-wise to run applications on VMs rather than on the
>>What you're saying, appears to be:
>>
>>1) 3 applications in one OS - less secure.
>>2) 3 applications in 3 physical servers - more secure
>>3) 3 applications in 3 virtual servers each running one OS - in
>>between #1 and #2 for security
>
>Yes, indeed!
>
>>What the others are telling you is t
At 08:06 PM 10/24/2007 -0400, Brian wrote:
Hi!
I think you are missing the point about x86 hardware being a mess.
No, I'm not. The discussion has nothing to do with hardware, but thanks for
the info.
Lee
At 09:57 PM 10/24/2007 -0400, you wrote:
You apparently missed my post. Allow me to re-summarize the situation.
There is *nothing* in any virtualization software that makes having
it *more secure* than not having it at all.
Is that direct enough for you?
Perfectly clear, and I agree totally
At 09:15 PM 10/24/2007 -0700, you wrote:
On 10/24/07, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> I have no clue what you're trying to say??? The original comment was that
> the number of vulnerabilities is an inverse measure of the security risk
> associated with a given OS.
Please stop feeding th
At 09:53 PM 10/24/2007 -0400, you wrote:
L. V. Lammert wrote:
The more discrete the security model (i.e. File/Print users are not valid
on the httpd server) the better.
There's something I think you don't see here. Let's assume, for a moment,
that you have a VM host running two guests, one O
At 09:46 PM 10/24/2007 -0400, you wrote:
On 10/24/07, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> Sorry, it's YOU that missed the point! I never said or made any comparison
> to physical machines - the entirety of that I said is:
>
> "Running services/application domains in VMs increases security.
On 10/24/07, Damien Miller <[EMAIL PROTECTED]> wrote:
> You obviously didn't read Tavis' virtualisation security paper. VM escape
> vulnerabilities are not theoretical. Tavis found vulnerabilities in every
> VM he tested using only a couple of fuzzers.
Restating my earlier post again, in regards t
At 05:56 PM 10/24/2007 -0700, you wrote:
L. V. Lammert <[EMAIL PROTECTED]> wrote:
>>security issues and protections do not add up like numbers.
>
> Sure they do. If I'm running Windoze as a guest OS, there are hundreds or
> thousands of possible vulnerabilities. If I'm running OBSD as a guest OS,
>
On Wed, 24 Oct 2007, Jason Dixon wrote:
> You apparently missed my post. Allow me to re-summarize the situation.
>
No, I didn't.
> There is *nothing* in any virtualization software that makes having
> it *more secure* than not having it at all.
>
> Is that direct enough for you?
>
No, because it
On Thu, Oct 25, 2007 at 08:37:02PM +1300, Richard Toohey wrote:
> On 25/10/2007, at 8:28 PM, Richard Toohey wrote:
>
> >You are in charge of getting four ambassadors to a meeting. As
> >well as making sure they are happy and fed, you are in charge of
> >their security.
> >
> >All four are hat
On Wed, Oct 24, 2007 at 10:07:59PM -0500, Tony Abernethy wrote:
> > only an idiot would think that separate
> > physical machines would NOT increase security
>
> Many IBM PCs vs IBM mainframe
Apples and oranges. When people compare one box to many, they're
talking about the same arch of box.
On 24/10/2007, Lars Noodén <[EMAIL PROTECTED]> wrote:
>
> Seriously, what (affordable) non-x86 hardware options are available,
> especially those without AMT or AMT-like backdoors?
>
> http://softwarecommunity.intel.com/articles/eng/1148.htm
> http://www.intel.com/pressroom/archive/
On 2007/10/25 08:50, Rodrigo V. Raimundo wrote:
> could the virtualization environment be secure if all guest OSes run in
> userland? (User-Mode Linux, QEMU without acceleration, ...)
Some qemu bugs were specifically mentioned in the paper.
With all this discussion some questions went to me:
what's the hardware needed to do full and secure (para)?virtualization ?
is there some arch with this support ever created?
could the virtualization environment be secure if all guest OSes run in
userland? (User-Mode Linux, QEMU without accelerat
On 25/10/2007, at 9:00 PM, Lars Noodén wrote:
Richard Toohey wrote:
My analogies usually go to custard, but I'll try this one.
..
1. One car per ambassador. ...
With all four cars loaded onto a single car-carrier truck.
-Lars
Exactly!
Have you made each of the ambassadors "more secure" by
Richard Toohey wrote:
> My analogies usually go to custard, but I'll try this one.
>..
> 1. One car per ambassador. ...
With all four cars loaded onto a single car-carrier truck.
-Lars
On 25/10/2007, at 8:28 PM, Richard Toohey wrote:
My analogies usually go to custard, but I'll try this one.
You are in charge of getting four ambassadors to a meeting. As
well as making sure they are happy and fed, you are in charge of
their security.
All four are hated in their home cou
My analogies usually go to custard, but I'll try this one.
You are in charge of getting four ambassadors to a meeting. As well
as making sure they are happy and fed, you are in charge of their
security.
All four are hated in their home countries and you know there are
people wanting to kill the
Kevin Stam wrote:
> ... failed to satisfactorily explain why running a specific application
> in a VM is more secure than running it in a standard OS. It's nonsense that
> you think it's more secure that way. It saves a lot of money, yes -- you
> don't necessarily want a separate box just to run an
On 10/24/07, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> Virtualization provides near absolute security - DOM0 is not visible to
> the user at all, only passing network traffic and handling kernel calls.
> The security comes about in that each DOMU is totally isolated from
> the others, while th
On 10/24/07, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> I have no clue what you're trying to say??? The original comment was that
> the number of vulnerabilities is an inverse measure of the security risk
> associated with a given OS.
Please stop feeding this trolling. LV you should know better --
i
> only an idiot would think that separate
> physical machines would NOT increase security
Many IBM PCs vs IBM mainframe
Many mailboxes vs Fort Knox.
Many avenues of attack vs few.
People learn to count in kindergarten.
On Wed, 24 Oct 2007, Brian wrote:
> All of the theoretical attack vectors are exactly that: theoretical.
> But adding complex layers does not guarantee any increase in security.
They aren't theoretical, they have been demonstrated. Read the paper:
http://taviso.decsystem.org/virtsec.pdf
On Wed, Oct 24, 2007 at 08:20:59PM -0500, L. V. Lammert wrote:
> On Wed, 24 Oct 2007, Darrin Chandler wrote:
> > On Wed, Oct 24, 2007 at 05:44:37PM -0500, L. V. Lammert wrote:
> > > At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote:
> > >> L. V. Lammert wrote:
> > >>
> > >
> > > Wow, such intelli
On Wed, 24 Oct 2007, L. V. Lammert wrote:
> I still stand by my original statement. Running application 'domains' in
> VMs instead of on a single server increases security.
It is no worse security-wise to run applications on VMs rather than on the
one OS, but that isn't the only choice - is it?
You
> The entire point is this: You cannot increase security by putting more
> things on one physical server. You can run your different 'Application
> Domains' on different physical servers. That is much closer to security
> than through obscurity.
And when physical servers cost less than some vmw
On Oct 24, 2007, at 9:20 PM, L. V. Lammert wrote:
On Wed, 24 Oct 2007, Darrin Chandler wrote:
Looking at what you've written, you seem to consider OpenBSD to be
pretty secure. By extension, let's assume the developers, and Theo in
particular, have some darned good knowledge about security and
L. V. Lammert wrote:
The more discrete the security model (i.e. File/Print users are not
valid on the httpd server) the better.
There's something I think you don't see here. Let's assume, for a
moment, that you have a VM host running two guests, one OpenBSD, one
Windows.
Now, the OpenBSD b
L. V. Lammert wrote:
> On Wed, 24 Oct 2007, Brian wrote:
>
>> Hi!
>>
>> I think you are missing the point about x86 hardware being a mess. Theo
>> made an excellent point about the architecture itself having so many
>> filthy quirks. If a VM is compromised through any means, that attacker
>> can
On 10/24/07, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> Sorry, it's YOU that missed the point! I never said or made any comparison
> to physical machines - the entirety of that I said is:
>
> "Running services/application domains in VMs increases security." As I
> said in a previous email, only an
On 10/24/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Darren Spruell <[EMAIL PROTECTED]> [2007-10-24 21:48]:
> > Remember back 10-ish years ago when VLANs were being touted as the
> > ultimate network segmentation technology by marketers of managed
> > switches? And now everyone hopefully real
On Wed, 24 Oct 2007, Jeremy Huiskamp wrote:
> On 24-Oct-07, at 5:59 PM, L. V. Lammert wrote:
> > At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote:
> >> You must be more qualified with regards to the actual code than I am
> >> because I flat out don't believe this at all.
> >
> > Believe what? OBS
On Wed, 24 Oct 2007, Darrin Chandler wrote:
> On Wed, Oct 24, 2007 at 05:44:37PM -0500, L. V. Lammert wrote:
> > At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote:
> >> L. V. Lammert wrote:
> >>
> >
> > Wow, such intelligence Now we get crap instead of ostrich logic.
> > Sheesh.
>
> Actually
On Wed, 24 Oct 2007, Brian wrote:
> Hi!
>
> I think you are missing the point about x86 hardware being a mess. Theo
> made an excellent point about the architecture itself having so many
> filthy quirks. If a VM is compromised through any means, that attacker
> can now leverage the dirty archite
L. V. Lammert <[EMAIL PROTECTED]> wrote:
>> > If not, then security issues compound due to multiple guest OSs and each set
>> > of inherent vulnerabilities.
>>
>>security issues and protections do not add up like numbers.
>
> Sure they do. If I'm running Windoze as a guest OS, there are hundre
On Wed, Oct 24, 2007 at 05:44:37PM -0500, L. V. Lammert wrote:
> At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote:
>> L. V. Lammert wrote:
>>
>
> Wow, such intelligence Now we get crap instead of ostrich logic.
> Sheesh.
Actually, that's a fair assessment at this point.
Looking at what yo
Hi!
I think you are missing the point about x86 hardware being a mess. Theo
made an excellent point about the architecture itself having so many
filthy quirks. If a VM is compromised through any means, that attacker
can now leverage the dirty architecture to bypass the hypervisors
(supposed) iso
On 24-Oct-07, at 5:59 PM, L. V. Lammert wrote:
At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote:
You must be more qualified with regards to the actual code than I am
because I flat out don't believe this at all.
Believe what? OBSD is secure? I thought you were proud of the
project? Sheesh!
On Oct 24, 2007, at 3:41 PM, Theo de Raadt wrote:
> We know what a VM operating system has to do to deal with the PC
> architecture. It is too complex to get perfectly right.
I concur with this assessment and the discussion of actual x86 PC
implementation vs. 390 architecture which led up to it.
At 05:27 PM 10/24/2007 -0500, Tony Abernethy wrote:
L. V. Lammert wrote:
Wow, such intelligence Now we get crap instead of ostrich logic. Sheesh.
Lee
Paul de Weerd wrote:
> Why compare this to all departments on one machine, all on the same
> OS ? That's not a fair comparison.
"Why"? Because that's what happens *anyway*.
--
Matthew Weigel
hacker
[EMAIL PROTECTED]
L. V. Lammert wrote:
* L. V. Lammert <[EMAIL PROTECTED]> [2007-10-25 00:11]:
> At 11:26 PM 10/24/2007 +0200, Henning Brauer wrote:
>> * L. V. Lammert <[EMAIL PROTECTED]> [2007-10-24 23:22]:
>> > Running
>> > different application domains on separate VMs provides isolation BETWEEN
>> > those application domains.
>>
>> n
At 11:26 PM 10/24/2007 +0200, Henning Brauer wrote:
* L. V. Lammert <[EMAIL PROTECTED]> [2007-10-24 23:22]:
> Running
> different application domains on separate VMs provides isolation BETWEEN
> those application domains.
no, it does not.
Is that your ostrich response?
Lee
At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote:
> Certainly there is a small, compound risk increase due to multiple OS
> images involved, but the OS images must be analyzed independently FIRST,
> and THOSE risks addressed.
Certainly you pulled that assessment out of your ass.
I thought it w
> You have failed to satisfactorily explain why running a specific application
> in a VM is more secure than running it in a standard OS. It's nonsense that
> you think it's more secure that way. It saves a lot of money, yes -- you
> don't necessarily want a separate box just to run an application
> Certainly there is a small, compound risk increase due to multiple OS
> images involved, but the OS images must be analyzed independently FIRST,
> and THOSE risks addressed.
Certainly you pulled that assessment out of your ass.
> **IF** OBSD were available as a host OS, that would be good securi
* L. V. Lammert <[EMAIL PROTECTED]> [2007-10-24 23:22]:
> Running
> different application domains on separate VMs provides isolation BETWEEN
> those application domains.
no, it does not.
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Se
Theo de Raadt wrote:
The security benefits are at the "ability to buy a steak for dinner"
level.
I vote to add it to theo.c.
Thanks
Daniel
Index: src/usr.bin/mg/theo.c
===
RCS file: /cvs/src/usr.bin/mg/theo.c,v
retrieving revisi
On Wed, 24 Oct 2007, Theo de Raadt wrote:
> > At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
> >
> > > > Anything we can do to increase security, *including* setting up VMs (of any
> > > > flavor) is an improvement [that also increased hardware utilization].
> > >
> > >This last sentence
You have failed to satisfactorily explain why running a specific application
in a VM is more secure than running it in a standard OS. It's nonsense that
you think it's more secure that way. It saves a lot of money, yes -- you
don't necessarily want a separate box just to run an application - but
th
On Oct 24, 2007, at 4:16 PM, Henning Brauer <[EMAIL PROTECTED]>
wrote:
* Darren Spruell <[EMAIL PROTECTED]> [2007-10-24 21:48]:
Remember back 10-ish years ago when VLANs were being touted as the
ultimate network segmentation technology by marketers of managed
switches? And now everyone hopefu
On 10/24/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> without bad config errors (that are getting harder to make, except on
> cisco, they got the semantics completely wrong and stupid defaults) and
> used correctly, yes, VLANs perfectly isolate network segments.
I'm curious about this. Do you h
On Wed, 24 Oct 2007, Theo de Raadt wrote:
> > The security benefits are at the application level, *NOT* at the OS level.
>
> What hogwash.
>
> The security benefits are at the "ability to buy a steak for dinner"
> level.
>
Nah, I like steak, I hate enterprise computing.
> You've already made the
It's a very simple concept.
There is *nothing* in any virtualization software that makes having it
*more secure* than not having it at all.
Period.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
* Darren Spruell <[EMAIL PROTECTED]> [2007-10-24 21:48]:
> Remember back 10-ish years ago when VLANs were being touted as the
> ultimate network segmentation technology by marketers of managed
> switches? And now everyone hopefully realizes that while VLANs
> technically do offer network segmentati
1 - 100 of 159 matches