Subject: Re: Preventative security features?
To: Dmitri Nikulin <setagllib@optusnet.com.au>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 11/14/2004 14:29:51
[ On Saturday, November 13, 2004 at 16:45:38 (+1100), Dmitri Nikulin wrote: ]
> Subject: Re: Preventative security features?
>
> Anonymizing is useful though.

Anonymity from a network point of view may fool you into thinking it's a
useful attribute for a system to have, but it is not and you will be
caught with your pants down anyway.

Any decent exploit, especially one for a published vulnerability in any
popular system, will flood itself out and try to target _all_ systems
regardless of what they may appear to be on the surface from the
outside.  I.e. the exploit will be tried anyway no matter what your
system looks like and if your system is vulnerable then it will be
exploited regardless of what you make it look like to an attacker.

> One thing that is definitely a very good privacy/security feature is 
> what FreeBSD implemented that can prevent users seeing the PIDs (or 
> indeed any info) of processes they don't own, via ps or top or whatever 
> else. Nobody can argue that this is a Good Thing on a shared shell 
> server. Whether or not this is easy to implement cleanly is another matter.

Though I suspect you meant to say "that this is _not_ a Good Thing",
your grammatical slip was right on the money since indeed many of us can
in fact argue quite well that _not_ hiding system info from normal users
is indeed a Good Thing.  :-)

No unix-like system can ever get even close to implementing true
multi-level security with full mandatory access controls (which are the
kinds of things such features might pretend to begin to offer).  Anyone
who thinks otherwise is simply fooling themselves.  And it's not just
issues of covert channels and such.  A full MLS implementation would
necessarily make the system very un-unix-like and would require a far
deeper ground-up re-design than simply hiding system level information
from unprivileged users.

Pretending to hide who's running what and who's accessing what from
other users of the same system is a pointless waste of time that simply
gets in the way of good, safe, systems management and debugging.

If you want privacy from your fellow users then get your own system!

You simply cannot ever achieve MLS in these kinds of systems without
physically partitioning them (well maybe virtual partitioning with the
likes of Xen (or zOS VM or whatever it's called these days :-) would be
sufficient for some uses, such as shared shell servers....).

Go get yourself a Multics system if you want really strong inter-user
security.  :-)


> My real point is, NetBSD has portability and now even awesome 
> performance (and passive security of course), why not branch out into 
> proactive security too? It could be the "something for everyone" system 
> that is actually good and clean, not like some others.

The things you have described are _not_ "proactive security", nor are
they really "preventative security" either.  They are for the most part
simply unnecessary and unproductive hindrances.  (randomizing some
information that's sent out on the network is sometimes a good thing)

NetBSD is already a very decent platform on which a trusted computing
base can be built so long as the desired level of that TCB is well
within the parameters that any general-purpose unix-like,
posix-compatible, system is capable of achieving.

I don't think NetBSD needs any more useless features just for the sake
of having more useless features to compare with other similar systems.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>