Re: [Nolug] Fwd: Re[6]: [Hou-freebsd] Semi-relevant VMWare question

From: Christopher Jones <techmaster_at_gmail.com>
Date: Wed, 11 Apr 2007 16:29:58 -0500
Message-ID: <945e1c690704111429y7a2acc6ue80b5df82b1a9597@mail.gmail.com>

I've always been a strong supporter of the principle that a system's
security level is only as secure as its administrator is knowledgeable. I
can make a Windows host more secure than the average person can make a Linux
host. To me, the only exception to the rule would be an OS like Debian,
Gentoo, or BSD, where upon installation all you have is a kernel running.
You then create any services you want running, on your own. That can be
better than a lot of firewalls, considering that oftentimes a firewall is
only as secure as the host it is running on. What good is it to block
certain packets, if they will crash the network stack before the firewall
can even examine them? If security is my top concern, I will hands down
choose a BSD OS. Development moves slower on BSD than Linux, but that is
because they spend more time in testing phases. Linux tends to be a lot
more bleeding edge, and its developers tend to risk some stability and
security for the sake of performance. Windows security has improved by
leaps and bounds; it's a shame that Microsoft had to implement the "Are you
sure?" protection to make it happen. Most end users that don't know better
will just click "YES" to get the annoying pop-up off their screen. Over the
years, Windows users have learned that "YES" equates to "Go away!" Also, I
personally run absolutely no antivirus at home on my Windows PCs, because
it slows a PC down considerably. And in the past 10 or so years, have I
picked up any viruses? Well, I guarantee you I probably have at least 10 on
my hard drives. But they're not "installed". ;) People that simply don't
know better are much more likely to run something without question. The
days of easily hacking into a machine through its programming flaws are
close to being over, and social engineering is most definitely the future of
hacking. As computers get better and better, people will always be idiots.

On 4/11/07, Dustin Puryear <dustin@puryear-it.com> wrote:
>
> I thought this was an interesting thread..
>
> This is a forwarded message
> From: Dustin Puryear <dustin@puryear-it.com>
> To: "Chris Lalos" <chris.lalos@gmail.com>
> Date: Tuesday, April 10, 2007, 11:07:00 AM
> Subject: [Hou-freebsd] Semi-relevant VMWare question
>
> ===8<==============Original message text===============
>
>
> That's a good idea. Now, whether FreeBSD drivers are any "safer" is a
> good question, but at least we know there are fewer people attacking
> it.
>
>
>
> I like the whole idea of Parallels and the seamless window experience
> (ala Citrix). That's going to make running a non-Windows system while
> maintaining your Windows applications real easy. (I touched on this at
> http://www.techevangelism.com/2007/04/09/a-linux-consultants-not-so-linux-desktop/.)
>
>
>
> ---
>
> Puryear Information Technology, LLC
>
> Baton Rouge, LA * 225-706-8414
>
> http://www.puryear-it.com
>
>
>
> Author:
>
> "Best Practices for Managing Linux and UNIX Servers"
>
> "Spam Fighting and Email Security in the 21st Century"
>
>
>
> Download your free copies:
>
> http://www.puryear-it.com/publications.htm
>
>
>
>
>
> Tuesday, April 10, 2007, 8:48:49 PM, you wrote:
>
> I wonder if this is an argument for going in the other direction: having a
> FreeBSD Host CPU where you run Windows as a guest OS. So you can use Windows
> for all your desktop faves but all the 'real stuff' would be FreeBSD, and
> thus less likely to be effectively attacked (presumably).
>
> - C
>
>
>
>
>
> On 4/10/07, Dustin Puryear <dustin@puryear-it.com> wrote:
>
> No, a jail would not help.
>
> As far as how to protect against this (assuming the device driver
> itself is vulnerable), it depends on where the device driver runs and
> whether the kernel is sufficiently paranoid. I just googled and found
> an interesting mention of this issue:
>
> http://www.schneier.com/blog/archives/2006/07/wifi_driver_att.html
>
> I'm no expert in this area, so I'd love to hear more from others that
> may know more.
>
>
>
>
> Tuesday, April 10, 2007, 6:47:38 PM, you wrote:
>
>
>
> > Dustin,
> >
> > Would a jail be any help at all in that situation?
> >
> > =====
> > Craig Wiseman
> >
> > At 05:25 AM 4/10/07 -0500, Dustin Puryear wrote:
> >>I would agree that running BSD under VMWare is going to give you some
> >>added protection against spyware and such while surfing. However, as
> >>far as normal "network-layer" attacks, VMWare doesn't always help.
> >>I've read of some attacks that specifically target your wireless
> >>card's device driver, so the attack could potentially compromise your
> >>actual computer before traffic is even pushed up the network stack.
> >>
> >>Scary, eh?
> >>
>
>
> >>Saturday, April 7, 2007, 3:53:20 PM, you wrote:
> >>
> >>> On 4/7/07, Chris Lalos <chris.lalos@gmail.com> wrote:
> >>>> I'm sitting in a cafe right now (Brasil on Dunlavy and Westheimer).
> >>>> Non-threatening yuppie hipsters, non-threatening jazz, the whole
> >>>> experience.
> >>>>
> >>>> Someone at the next table asked me if they have Wifi here. I do not
> >>>> know. My laptop reports an unsecured wireless network named 'dlink'.
> >>>> This would appear to be run by either 1) someone profoundly
> >>>> unknowledgeable, or 2) a crook.
> >>>>
> >>>> Which brings me to my question . . .
> >>>>
> >>>> It occurs to me, that I ought to be able to run FreeBSD in a VMWare
> >>>> session, fire up KDE or Gnome or whatever, and do my surfing from
> >>>> there. I could connect to whatever naive looking hotspot I choose.
> >>>> The idea is, if this hotspot was run by a bad guy bent on attacking
> >>>> people who hop on the network, then he'd really only be attacking my
> >>>> VMWare session, not my 'real' laptop beneath.
> >>>>
> >>>> My question is, what kind of protection does this really provide.
> >>>> Would he really have no access to the underlying filesystems, etc?
> >>>> Or would it not really be any protection at all.
> >>
> >>> Hello Chris,
> >>
> >>> The VMWare session certainly provides an extra layer of protection.
> >>> Although that layer is logical and the protection is not absolute. In
> >>> other words, data always flows from the host to the guest machine.
> >>> Should an attacker find a flaw in the host's stack, the system in its
> >>> entirety (including the guest machines) is toast.
> >>
> >>> More often, the rogue access point is there to collect your network
> >>> traffic. It's theoretically so much easier.
> >>
> >>> Youssef
> >>> _______________________________________________
> >>> Hou-freebsd mailing list
> >>> Hou-freebsd@houfug.org
> >>> http://www.houfug.org/mailman/listinfo/hou-freebsd
>
> >>
>
>
>
>
> ===8<===========End of original message text===========
>

___________________
Nolug mailing list
nolug@nolug.org
Received on 04/11/07
