Subject: Re: Preventative security features?
To: Dmitri Nikulin <setagllib@optusnet.com.au>
From: Jaromir Dolecek <jdolecek@NetBSD.org>
List: tech-security
Date: 11/13/2004 09:54:49
Dmitri Nikulin wrote:
> Randomizing PIDs doesn't seem that useful (unless somebody can argue 
> this), but TCP sequence numbers (Free and OpenBSD get a maximally hard 
> score, NetBSD doesn't) and all that /could/ be useful. Of course this 
> has to be done without any ghastly overhead that would add a lot of 
> latency to packet generation.

IIRC we do randomize TCP sequence numbers.
 
> Anonymizing is useful though. If there is some exploit released that 
> affects only some systems and NetBSD is one of the few, then the time 
> between the exploit being known and being patched is when any system 
> advertising itself as NetBSD is more likely to be targeted by some 
> lamer. Of course on the other hand they could just waste time hammering 
> every system out there and hoping something worked.

Arguably, it's about as hard to try the exploit as to run nmap
against the machine.
 
> One thing that is definitely a very good privacy/security feature is 
> what FreeBSD implemented that can prevent users seeing the PIDs (or 
> indeed any info) of processes they don't own, via ps or top or whatever 
> else. Nobody can argue that this is a Good Thing on a shared shell 
> server. Whether or not this is easy to implement cleanly is another matter.

This might indeed be useful. I had a look into this, and it seems
this could easily be implemented with one condition in
init_sysctl.c:sysctl_doeproc(), plus some sysctl machinery
to export the setting to userland.

> stalk or manipulate users. I find this really handy to give interactive 
> tutorials into Unix usage to newbies without having to re-ask at every 
> moment "well what's happening?" and without having to tell them to run 
> screen. Of course the security of watching for attempts at local 
> exploits is a huge benefit too.

This also seems useful. I think it wouldn't be too hard to implement
using some 'intercept' hook in the tty layer.

Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org>            http://www.NetBSD.cz/
-=- We should be mindful of the potential goal, but as the Buddhist -=-
-=- masters say, ``You may notice during meditation that you        -=-
-=- sometimes levitate or glow.   Do not let this distract you.''   -=-
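
Added example, not part of the original message and not NetBSD source: a userland C model of the per-user process visibility check discussed above, where a single condition decides whether a caller may see a process entry. The struct, the `hide_other_uids` knob, the function names, the sample table and the exemption for uid 0 are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for a process-table entry; not a NetBSD structure. */
struct proc_entry { pid_t pid; uid_t uid; const char *comm; };

/* Hypothetical knob, standing in for a setting exported through sysctl:
 * 0 = every user sees every process, 1 = users see only their own. */
static int hide_other_uids = 1;

/* The single visibility condition. Exempting uid 0 is an assumption. */
static int proc_visible(uid_t caller, const struct proc_entry *p)
{
    return !hide_other_uids || caller == 0 || p->uid == caller;
}

/* Copy entries visible to `caller` into out[0..outcap) and return how many
 * are visible in total, so a caller can size its buffer and retry. Hidden
 * entries are skipped silently, so the count reveals nothing about them. */
static size_t list_procs(uid_t caller, const struct proc_entry *tab, size_t n,
                         struct proc_entry *out, size_t outcap)
{
    size_t visible = 0;
    for (size_t i = 0; i < n; i++) {
        if (!proc_visible(caller, &tab[i]))
            continue;
        if (visible < outcap)
            out[visible] = tab[i];
        visible++;
    }
    return visible;
}

/* Constructed sample table. */
static const struct proc_entry sample[] = {
    { 1, 0, "init" }, { 210, 0, "sshd" }, { 4021, 1000, "sh" },
    { 4077, 1001, "vi" }, { 4102, 1000, "top" },
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    struct proc_entry out[NSAMPLE];
    size_t n = list_procs(1000, sample, NSAMPLE, out, NSAMPLE);
    for (size_t i = 0; i < n; i++)
        printf("%ld %s\n", (long)out[i].pid, out[i].comm);
    return 0;
}
```

The filter has to sit where the listing is produced rather than in `ps` or `top`, since any program can query the process table directly.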