Turning your back on windows

Additional operating system/hardware discussion (Windows, Linux, *BSD and others)
Forum rules
Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.
User avatar
VenomousPinecone
Posts: 2141
Joined: Mon Jun 20, 2005 2:10 pm
Location: Groom Lake, NV

Re: Turning your back on windows

Unread postby VenomousPinecone » Tue Mar 21, 2017 4:15 pm

Image

User avatar
Raion-Fox
Donor
Donor
Posts: 1332
Joined: Thu Jan 30, 2014 5:01 pm
Location: near King George, Virginia
Contact:

Re: Turning your back on windows

Unread postby Raion-Fox » Tue Mar 21, 2017 4:39 pm

I recently installed 8.1 EI Pro without skipping a beat. Notably zippier, too!
:O3x02L: R16000 700MHz 8GB RAM kanna
:Octane: R12000 300MHz SI 896MB RAM yuuka
:Octane2: R12000A 400MHz V6 2.5GB RAM
:Indy: (Acclaim) R4600 133MHz XL Graphics 32MB RAM
:Indy: (Challenge S) R4600 133MHz (MIPS III Build Server)
Thinkpad W530 i7 3940XM 3GHz, 32GB, K1000M Windows 8.1 Embedded rin
Thinkpad R40 Pentium M 1.5GHz 2GB RAM kasha

User avatar
Dodoid
Posts: 603
Joined: Mon Jul 04, 2016 1:36 pm
Location: Ottawa, Canada
Contact:

Re: Turning your back on windows

Unread postby Dodoid » Thu Mar 23, 2017 9:49 am

VenomousPinecone wrote:image

:lol:

Yes, I know it retrieves searches from numerous search engines. It's not perfect, but at least as a metasearch any censorship of anti-systemd content would have to exist on a LOT of search engines, all in different countries with different policies regarding governments as opposed to getting all your results from one source (eg. Google). As you say, it's "certain" search engines, not all of them. Even if all of them were trying to censor content, the chances that there wouldn't be at least one censorship algorithm which missed any given page would be very slim, causing it to show up on ixquick.
:Onyx: :O2000: :Fuel: :Octane: :Octane: :Octane: :O2: :O2: :Indigo2: :Indigo2: :Indy: :Indy:
and a small army of Image

User avatar
VenomousPinecone
Posts: 2141
Joined: Mon Jun 20, 2005 2:10 pm
Location: Groom Lake, NV

Re: Turning your back on windows

Unread postby VenomousPinecone » Thu Mar 23, 2017 1:28 pm

Dodoid wrote: Even if all of them were trying to censor content, the chances that there wouldn't be at least one censorship algorithm which missed any given page would be very slim, causing it to show up on ixquick.


No, that isn't how ixquick works unfortunately.
https://en.wikipedia.org/wiki/Ixquick#S ... _interface

User avatar
Dodoid
Posts: 603
Joined: Mon Jul 04, 2016 1:36 pm
Location: Ottawa, Canada
Contact:

Re: Turning your back on windows

Unread postby Dodoid » Thu Mar 23, 2017 4:48 pm

VenomousPinecone wrote:
Dodoid wrote: Even if all of them were trying to censor content, the chances that there wouldn't be at least one censorship algorithm which missed any given page would be very slim, causing it to show up on ixquick.


No, that isn't how ixquick works unfortunately.
https://en.wikipedia.org/wiki/Ixquick#S ... _interface


OK, that's good to know, but it still will return results that only appear on one search engine. I could find practically nothing relating to systemd security risks, apart from cases where dbus was configured stupidly. Besides, do you seriously suspect that the government is paying search engine companies to cover up the fact that systemd has backdoors, and that nobody has ever found those backdoors? I can understand, even agree with arguments about UNIX philosophy, and I am happy to hear discussion regarding security, but government backdoors? Why would they pick systemd as opposed to something like the Linux Kernel, the Python interpreter, or X.Org? All of those are likely more widespread than systemd is. They could even have backdoored other init systems if they wanted to, though an init system seems a strange place for such a thing. All that said, I would love to see concrete examples of systemd containing backdoors or even having more major security flaws which go unpatched for extended periods of time than other code which are not the result of idiotic configuration on the part of the user/distro/whatever.
:Onyx: :O2000: :Fuel: :Octane: :Octane: :Octane: :O2: :O2: :Indigo2: :Indigo2: :Indy: :Indy:
and a small army of Image

User avatar
Raion-Fox
Donor
Donor
Posts: 1332
Joined: Thu Jan 30, 2014 5:01 pm
Location: near King George, Virginia
Contact:

Re: Turning your back on windows

Unread postby Raion-Fox » Thu Mar 23, 2017 5:22 pm

Dodoid, let me explain the systemd architecture so you can understand why it's vulnerable:

Systemd's PID 1 consists of two pieces, essentially - systemd-init and systemd-supervisor. systemd-init is essentially the role of sys v or bsd init, where as systemd-supervisor acts as an interface to cgroups, dbus and other external components. It manages service startup and shutdown etc.

The problem, unlike say a system like runit or OpenRC is that systemd leaves PID 1 open to race conditions in the supervisor essentially taking over the root process of the computer. There's no escape at that point for the userland as you have full control at that point outside of any kernel mechanisms.

Systemd advocates claim that namespaces, selinux etc. negate any possible race conditions, but I object to the philosophy of burying problems rather than fixing them. Kind of like how UAC accomplishes nothing on Windows by itself since it doesn't fix the fundamental problems with the way early NT and 9.x windows versions lacked any privilege separation - but fixing those problems would break compatibility.

You can also crash systemd 209-231 with this command as any user.

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

Not to mention the retardedness that comes with binary logging - there's no transactional integrity with how systemd does it.
:O3x02L: R16000 700MHz 8GB RAM kanna
:Octane: R12000 300MHz SI 896MB RAM yuuka
:Octane2: R12000A 400MHz V6 2.5GB RAM
:Indy: (Acclaim) R4600 133MHz XL Graphics 32MB RAM
:Indy: (Challenge S) R4600 133MHz (MIPS III Build Server)
Thinkpad W530 i7 3940XM 3GHz, 32GB, K1000M Windows 8.1 Embedded rin
Thinkpad R40 Pentium M 1.5GHz 2GB RAM kasha

User avatar
Dodoid
Posts: 603
Joined: Mon Jul 04, 2016 1:36 pm
Location: Ottawa, Canada
Contact:

Re: Turning your back on windows

Unread postby Dodoid » Thu Mar 23, 2017 6:14 pm

So if I understand correctly the issue with systemd's security is that if the supervisor were compromised, the entire system would be. Can you elaborate on what race conditions the supervisor could run into which may create a vulnerability?
:Onyx: :O2000: :Fuel: :Octane: :Octane: :Octane: :O2: :O2: :Indigo2: :Indigo2: :Indy: :Indy:
and a small army of Image

User avatar
Raion-Fox
Donor
Donor
Posts: 1332
Joined: Thu Jan 30, 2014 5:01 pm
Location: near King George, Virginia
Contact:

Re: Turning your back on windows

Unread postby Raion-Fox » Thu Mar 23, 2017 6:26 pm

So, in a normal init process for BSD init you have ~2000 lines of code. In the systemd core code, main.c alone has 2300 lines. That doesn't include the full PID 1. So we already know from the headers, functions and everything imported that you're dealing with code a magnitude bigger and with a magnitude of functions that the old inits don't have.

Following me? Now, in UNIX-style process management, all root processes are forked from init. In a system like OpenRC, init spins up the rc service manager. In runit, init spins up sv. In systemd, init and the service manager are combined. But not only that, it depends on udev and dbus to even begin the boot process after the kernel fires it up. So already you're introducting lots of processes into the mix.

The problem fundamentally is in systemd, your fork() for service daemons, root processes, and so-on are all carried out by a massive binary that we cannot verify due to its size if it is bug free. Under the systemd model, you have to implicitly trust all of your services aren't going to exploit the manager.

If you look through the bugs for systemd you'll see PID 1 has a habit of segfaulting. Often, when other processes, including those such as journald and logind which directly talk to udev and the PID 1, misbehave.

In a traditional system, your init process is small enough to reasonably assume its bug free under most conditions.

Another way to look at it is, if the BSDs are staying the hell away from the manner in which Linux or Apple is doing something, there's probably good reason for it.
:O3x02L: R16000 700MHz 8GB RAM kanna
:Octane: R12000 300MHz SI 896MB RAM yuuka
:Octane2: R12000A 400MHz V6 2.5GB RAM
:Indy: (Acclaim) R4600 133MHz XL Graphics 32MB RAM
:Indy: (Challenge S) R4600 133MHz (MIPS III Build Server)
Thinkpad W530 i7 3940XM 3GHz, 32GB, K1000M Windows 8.1 Embedded rin
Thinkpad R40 Pentium M 1.5GHz 2GB RAM kasha

User avatar
Dodoid
Posts: 603
Joined: Mon Jul 04, 2016 1:36 pm
Location: Ottawa, Canada
Contact:

Re: Turning your back on windows

Unread postby Dodoid » Thu Mar 23, 2017 6:33 pm

Certainly sounds problematic, but do you believe it is enough of an issue that Qubes use of systemd makes it less secure (even with virtualization and all the security stuff) than something like Devuan? Of course, no code is perfect, but I would think Qubes still has the advantage, even with systemd?
:Onyx: :O2000: :Fuel: :Octane: :Octane: :Octane: :O2: :O2: :Indigo2: :Indigo2: :Indy: :Indy:
and a small army of Image

User avatar
Raion-Fox
Donor
Donor
Posts: 1332
Joined: Thu Jan 30, 2014 5:01 pm
Location: near King George, Virginia
Contact:

Re: Turning your back on windows

Unread postby Raion-Fox » Thu Mar 23, 2017 7:35 pm

Dodoid wrote:Certainly sounds problematic, but do you believe it is enough of an issue that Qubes use of systemd makes it less secure (even with virtualization and all the security stuff) than something like Devuan? Of course, no code is perfect, but I would think Qubes still has the advantage, even with systemd?


I wouldn't say anything that uses such an insecure architecture like systemd would be more fundamentally secure because of it. I think you're comparing apples and oranges. Gentoo-Hardened vs, say Qubes I'd say that Gentoo-hardened is a great deal more secure. But don't take it from me, we do have a Gentoo developer who lurks. Paging Kumba.
:O3x02L: R16000 700MHz 8GB RAM kanna
:Octane: R12000 300MHz SI 896MB RAM yuuka
:Octane2: R12000A 400MHz V6 2.5GB RAM
:Indy: (Acclaim) R4600 133MHz XL Graphics 32MB RAM
:Indy: (Challenge S) R4600 133MHz (MIPS III Build Server)
Thinkpad W530 i7 3940XM 3GHz, 32GB, K1000M Windows 8.1 Embedded rin
Thinkpad R40 Pentium M 1.5GHz 2GB RAM kasha

User avatar
guardian452
Donor
Donor
Posts: 3429
Joined: Tue Aug 21, 2007 10:12 pm
Location: United States
Contact:

Re: Turning your back on windows

Unread postby guardian452 » Thu Mar 23, 2017 7:43 pm

http://web.archive.org/web/201108120955 ... /24/352059

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.


Still true today. Thank you internet archive.

User avatar
Dodoid
Posts: 603
Joined: Mon Jul 04, 2016 1:36 pm
Location: Ottawa, Canada
Contact:

Re: Turning your back on windows

Unread postby Dodoid » Thu Mar 23, 2017 8:14 pm

Of course virtualization can have security holes. Holes have been found (and patched) in Xen multiple times. As the Qubes homepage says, it's "a reasonably secure operating system", not a perfect one. Still, compartmentalization is certainly an improvement, if not a panacea, especially considering that most malware is intended to attack a single system. Even if a Xen bug exists (and I'm sure plenty do), garden variety malware is unlikely to take advantage of it.

Sorry if I wasn't totally clear Raion-Fox, what I was saying is that while systemd may well be insecure, compartmentalization likely makes for better (though absolutely not perfect) security in spite of as opposed to because of systemd. I don't think anyone here is arguing that systemd makes you more secure. Remember that even if systemd, Firefox, and everything in between are completely broken and you can take over a system and run code as root just by loading a webpage, anything I care about is running in a VM (again, Xen isn't perfect but it's certainly "reasonably good") which has never and will never access any website I don't completely trust and in many cases isn't on the internet (again, Qubes could have a vulnerability that allows a netvm to be set on an "offline" VM but none is known) at all.

I haven't heard of Gentoo-hardened. Presumably no systemd. What security measures does it have? Is there any method of sandboxing apps should they be malicious or become compromised? Is removal of systemd really as much of a security improvement as compartmentalization?
:Onyx: :O2000: :Fuel: :Octane: :Octane: :Octane: :O2: :O2: :Indigo2: :Indigo2: :Indy: :Indy:
and a small army of Image

User avatar
Raion-Fox
Donor
Donor
Posts: 1332
Joined: Thu Jan 30, 2014 5:01 pm
Location: near King George, Virginia
Contact:

Re: Turning your back on windows

Unread postby Raion-Fox » Thu Mar 23, 2017 8:50 pm

https://wiki.gentoo.org/wiki/Hardened_Gentoo

I don't want to have to regurgitate Gentoo Hardened specs, so sorry for the link drop.

I got your point, Dodoid. I was just saying, systemd isn't offering any Linux distro running it any pluses for security.
:O3x02L: R16000 700MHz 8GB RAM kanna
:Octane: R12000 300MHz SI 896MB RAM yuuka
:Octane2: R12000A 400MHz V6 2.5GB RAM
:Indy: (Acclaim) R4600 133MHz XL Graphics 32MB RAM
:Indy: (Challenge S) R4600 133MHz (MIPS III Build Server)
Thinkpad W530 i7 3940XM 3GHz, 32GB, K1000M Windows 8.1 Embedded rin
Thinkpad R40 Pentium M 1.5GHz 2GB RAM kasha

User avatar
vishnu
Donor
Donor
Posts: 3174
Joined: Sun Mar 18, 2007 3:25 pm
Location: Minneapolis, Minnesota USA

Re: Turning your back on windows

Unread postby vishnu » Thu Mar 23, 2017 10:12 pm

Well, and as I'm fond of pointing out, I use the so-far systemd-less Slackware, both on my main workstation and on my firewall, which both run kernels I configured and compiled myself, and my firewall runs iptables with a configuration script that I wrote myself. Obviously there's no way to really know but I'm pretty sure the bad guys have yet to crack into my lan, knock on wood... :P
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:

User avatar
guardian452
Donor
Donor
Posts: 3429
Joined: Tue Aug 21, 2007 10:12 pm
Location: United States
Contact:

Re: Turning your back on windows

Unread postby guardian452 » Thu Mar 23, 2017 10:16 pm

I also like slackware. I use it with suckless dwm/dmenu... But its more of a hobby for me to boot into on the weekends, and I don't do that too often, anymore. I need windows and mac for day job.

For me it will forever be the canonical lnux. Every other distro manages to screw up something.

I bet it's fairly secure on account of the stock config not having much enabled, and the distro not messing with other people's shit. But that is fairly security-thru-obscurity I think.

It's the only linux where I can reliably take some random old app, build it, and have it work without hours of frustration dealing with config files etc.


Return to “Miscellaneous Operating Systems/Hardware”

Who is online

Users browsing this forum: No registered users and 2 guests