Discussion in 'all things UNIX' started by BoerenkoolMetWorst, Aug 27, 2015.
Almost NOTHING makes me mad, but this made me furious, especially considering US's legal system. If there was an actual violation then the US government could help grsecurity with the money to fight this "multi-billionaire" company, because they will surely WIN and that means money for everybody, and more importantly = justice towards grsecurity. But since the US government is run by corporations, I'm sure this company would buy the government so that they didn't help grsecurity.
I swear, if I was a billionaire I'd help grsec.
I guess this change won't affect most people.
Arch's default linux-grsec kernel is, well, the latest (even more up-to-date than Arch's regular Kernel).
Debian is always pulling things from Sid to Testing, and before freezing Testing will have at least a 10-day-old GRSec Kernel, which isn't too bad. Debian also has the backport system and I think it's very possible to backport the latest grsec-testing to Debian Stable, or at least the patches themselves.
Does Debian use GrSec by default?
You would think they could get funding from the DOD or NSA.
No, but there are such kernels available.
Jacob Appelbaum says the unnamed companies are Intel and Verifone:
I don't know. Could they?
FWIW, there is currently a discussion among kernel developers about Kernel Hardening with the aim to add protections from grsecurity to the official kernel. Several prominent developers like Kees Cook, Thomas Gleixner, Andy Lutomirski etc. are participating. Let's hope that this discussion will lead to a favorable conclusion.
I'll keep my fingers crossed for that. Torvalds has for years now repeatedly blocked any efforts to move grsec/pax to the official kernel. Torvalds said they wanted to add a "giant blob of code" to the kernel.
Well both the NSA and DoD need to be as secure as is possible from attacks and funding grsec/pax would be a drop in the bucket for them. Everything I have read points to systems using grsec as being the safest Linux systems.
It would be a great loss for these not to be continued and eventually brought into the kernel.
I don't think that is going to happen. Here's why:
The LTS branch of Grsecurity won't be available to the general public;
Anyone could sponsor Grsecurity and get the LTS branch available;
Helping GRSecurity with this lawsuit would benefit mostly the users, not to mention it would be so much more expensive than just being a sponsor.
So if the NSA/DoD are really interested in the LTS branch of GRSec they could just pay low amounts of money and become a sponsor instead of spending millions helping GRSecurity fight Intel and that other company.
One of the posts in the kernel hardening thread has a link to 'Google Project Zero' blog and I was surprised to read that Android apparently runs SELinux.
I don't know, but probably not. There's a thread here somewhere showing a twitter that says "Intel and" a company that I don't remember.
Yes Android runs SELinux since Android 5.x if I remember correctly.
These days it's possible to have it either enabled, disabled or in some kind of hybrid mode.
Wind River Linux which is owned by Intel apparently. A commercial product. Their marketing blurbs mention using grsec to harden their kernel. The other offender appears to be Verifone.
Here they try to get support in the grsec forum
Brad's answer to Verifone seeking support is pretty funny.
Sorry, we don't provide free support to a multi-billion dollar company that sells devices using grsecurity while violating the license of its GPL license and that of all other GPL code on the devices. Your MX900 and Petro series of products don't ship with the associated source code, nor is any written offer provided for the source code. Purchasers of these products have no idea at all that they use GPL-licensed software or that they have a right to its modified source code. It's fitting that a company profiting off the exploitation of open-source developers that license under the GPL (and not BSD) for a reason would come here for free support. Fitting, but incredibly rude.
Google uses grsec in ChromeOS. They could buy the product and hire the developers. With Google as the mothership it's less likely there would be people ripping it off. This would be something that would be admired by the community.
I had somehow missed your post, sorry.
Found a good paper on SELinux in Android here:
Good paper on the state of kernel security
That is an awesome presentation. Thanks!
@amarildojr one more reason for me why anti malware products are needed on linux
No we don't! There is absolutely no need for such product! We've been over this already!
I get it, you're somehow afraid and think that we need such products on Linux, but we don't. If you want to install Sophos or whatever "antimalware" on Linux then that is up to you. If you don't know jack about Linux security (like you said it yourself) then don't even bother trying to explain to more experienced users why you think "a fish needs a bicycle" or whatever illogical thoughts you have, and don't pretend that we have not given you enough explanation on why bringing the Windows mindset to Linux is a waste of time.
Saying again that we need "anti-this and anti-that" on Linux is an insult considering we gave you reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason on why that is not needed!
You know what I learned after that thread of yours? That you don't care about reason or logic. All you do is make ridiculous claims which you can never back up (I never saw you proving any one of them); and no matter how much other people say you're wrong, you will still hold tight to something you should know isn't true.
So go ahead, install Sophos on Arch and have peace of mind, for god's sake. At least this way you won't bother people with this kind of stuff anymore (I hope).
Antimalware is not the be-all and end-all of software security, and IMO it's really a shame that the software industry has duped intelligent people into thinking that.
Antimalware itself is, more or less, a band-aid. It's a very specific defense against a very specific set of problems. For good and actually comprehensive security, you at least need
- A trustworthy and robust kernel
- With a credible implementation of mandatory access control
- Running on top of trustworthy hardware
Windows on x86 might provide one of those (access control). Linux provides zero (because access control is not doable on X11 workstations).
The only systems I know of that can provide all of those, BTW, are industrial mainframes or supercomputers.
Not in the traditional form of an anti-virus/anti-malware program though.
Proactive anti-exploit in the form of kernel hardening, iptables, and installing only signed programs.
Read my thread again, read the .pdf I quoted again and you get reasons and reasons and reasons why anti-malware is needed. Because linux is exploitable, just as windows, just as easy as windows and trojans, password stealers, bot nets,... All exist for linux too.
@AutoCascade I agree, especially with the kernel hardening. But as seen above, the kernel isn't hardened enough and exploitable. And there will always be 0 day exploits. Anti malware won't fix the exploit (maybe anti-exploit products will but that is more the kind of kernel hardening) but it might block and delete the malware files that come through the exploit.
True that. I never said anti-malware is the "all we need". But it's another line of defense. And since many/most if not all other lines of defense are broken (or can be broken) another defense (especially when it is some very different one with the same goal, defending the system from getting infected) would make sense.