Re: Linux Distribution Recommendation

From: Vincent (pros-n-cons_at_bak.rr.com)
Date: 03/13/04

    Date: Fri, 12 Mar 2004 18:44:01 -0800
    To: security-basics@securityfocus.com
    
    
    

    On Thu, 11 Mar 2004 10:47:41 +0100
    peter@devbox.adamantix.org (Peter Busser) wrote:

    > Hi!

    I probably shouldn't reply to this as it's trivial & getting off-topic but a few things stick out.

    > [About security features costing a significant amount of performance]
    >
    > > Fair enough, significant was the wrong word, I was trying to recall what I
    > > learned between you and Ingo from the debian-devel list a few months back.
    > > Now I see it was the VM issue and full compatibility that still had hurdles.
    >
    > Yeah, this stuff has more impact on the compatibility level than on the
    > performance level. But it is possible to make even the Sun Java environment
    > to work on a PaX kernel with a bit of tweaking, so it isn't all that bad.
    > Especially because most programs and libraries simply work without any extra
    > work.
    >
    > The debian-devel discussion was mostly about Russell Coker and Ingo's claims
    > that his patch does everything that PaX does, without breaking compatibility.
    > That is simply not true. It provides less protection and even then still
    > breaks compatibility. You cannot download the XFree86 source code, recompile
    > it with ELFLoader module support and run it as is on his kernel patch. I
    > respect the fact that people make trade-offs, OpenBSD made similar trade-offs.
    > Basically they trade in a bit of security for a bit of compatibility. That is
    > ok, if compatibility is more important than security.

    Are we talking about the same thread?
    http://lists.debian.org/debian-devel/2003/debian-devel-200311/msg00206.html
    In this one Ingo explicitly states a few times PaX is more secure than exec-shield.
    Like it doesn't support other archs and will never attempt to fix lib bss data.
    Also the XFree problem was a bug in XFree: it relied on execution on a non-exec area.
    With my admittedly limited knowledge of the subject I interpret this to be
    something like the old standards-compliant GCC issue where it broke apps, but
    only 'cause those apps were relying on a broken implementation. He said X was
    used properly on other archs but on i386 it did not. I guess 'cause read-only
    memory can be executed people used it, which sounds like a design flaw to me.
    http://lists.debian.org/debian-devel/2003/debian-devel-200311/msg00285.html

    I use Fedora and have heard people mention breakage of Wine with exec-shield
    enabled but haven't looked into why, so it obviously isn't 100%. This is the
    'middle ground' stuff you were talking about, not as good as others, but better
    than the default. Now I'm off to actually get informed on this whole subject =)

    > What troubles me is the lack of openness about it. I mean, some people try to
    > make it look as if there is no trade-off, i.e. that they provide full security
    > AND full compatibility. That is simply not true.
    >
    > > So the point that security almost always asks for something in return holds true
    > > to some degree.
    >
    > Right!
    >
    > Groetjes,
    > Peter Busser
     

    
    


