:: [DNG] GNU/Linux security and grsecu…
Góra strony
Delete this message
Reply to this message
Autor: Miroslav Rovis
Data:  
Dla: Arnt Gulbrandsen, Edward Bartolo, Taiidan, Rick Moen
CC: dng
Stare tematy: Re: [DNG] upgrade from Debian stretch to Devuan ascii?
Nowe tematy: Re: [DNG] security
Temat: [DNG] GNU/Linux security and grsecurity, WAS: upgrade from Debian stretch to Devuan ascii?
( citation manually inserted not to make two email replies; however, I'll skip
Rick Moen's reply in the thread that arrived in the meantime, since it's off
topic )
On 170919-07:43+0200, Edward Bartolo wrote:
> With a compromised CPU that has questionable smaller cores running a
> HIDDEN OS, I cannot see what advantages anyone gets by installing
> grsecurity. This is worse than having a compromised machine that is
> always connected to your computer.

I see your point. If https://forums.grsecurity.net weren't locked since they
were chased out by ingratitude and ripoff of their code, I'd ask there about
it. Curious about this aspect really... Well, I should first try and search
more on it (but how?), and then ask about it, where?... maybe at
https://www.superuser.com or elsewhere?
Maybe at:
https://lists.immunityinc.com/mailman/listinfo/dailydave ? If only the exploit
writers there were inclined to tell us their secrets (which is not so likely; but
they're certainly not hostile to whitehats... spender did participate
occasionally and briefly in that mailing list)...

Not much more dare I venture on this issue because it is not directly related
to Devuan
(
other than me offering documentation to newbies about grsecurity as I
wrote in my email to which Edward replied, and in which I gave the links to my
dev1galaxy grsecurity topic and github repo script; only, at this time, for
compiling grsecurity hardened kernel; later I would also like to provide kernel
deb packages --as I used to provide for Debian-- or, in case corsac
(
http://perso.corsac.net/~corsac
)
returns and picks up instead from unavailable original grsecurity, from
*minipli's* unofficial-grsecurity and starts packaging them for Debian, then
would like to try to test them for Devuan
)
I'm trying not to go off topic here... But just a few more words...

> ...
> There is yet the other uncertainty of what ISPs do with data
> travelling through their systems. Even if users set up completely
> secure systems, their data still has to travel through an ISPs
> infrastructure.

No, that ISP part can be fixed, if it isn't brute force censorship. It is/would
be very hard to control that part, but possible! (would be way offtopic trying
to go into details of my understanding on it, though)

> I am starting to believe computer security is an unattainable Utopia

No, Edward. If computer security weren't attainable we wouldn't have Wikileaks,
and neither would we have Edward Snowden.

No, it's not unattainable. If I ever become part of a team, we'll be using what
FSF recommends (and it's what *taiidan* wrote extensively about recently on
this mailing list: IBM Talos II Power9 processor-based server; BTW, in that
discussion the winning argument is, as often, Rick Moen's :-) on the sanity of
what FSF recommends:
https://lists.dyne.org/lurker/message/20170912.000313.f8275717.en.html
with the link to:
https://www.fsf.org/blogs/licensing/support-the-talos-ii-a-candidate-for-respects-your-freedom-certification-by-pre-ordering-by-september-15
).

And then you fix Linux with grsecurity, and you would have a secure GNU/Linux
server...


On 170919-10:24+0100, Arnt Gulbrandsen wrote:
> For example, some attack kits must be hoarded. They're very powerful, but
> every time they're used they risk disclosure,

Disclosure is what I'm fighting tooth and nails to get... My:
http://github.com/miroR/uncenz is all about that...

And disclosure is what can be seen in the first installment of the same type as
this second installment in Devuan forums:
Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598
where the first installement was four months ago, with what happened in my
Gentoo system:
Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/index.php
But it's a very partial disclosure... because I'm not an expert...

> if the victim notices and
> sends the computer off to someone like Citizenlab. The attacker has great
> power and is almost unable to use it.

I looked up
https://citizenlab.ca/
but didn't find a way to ask there about help on my issue above repeated...

I hope I haven't gone too much off topic. I presented my problem's basic
aspects, and it's grsecurity that helped uncover it... unofficial-grsecurity
that I try to offer tips about to newbies in Devuan
( for clarity: Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596 )

Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr