Thread replies: 202
Thread images: 22
Thread images: 22
Anonymous
grsecurity shuts down access for non-subscribers 2017-04-27 05:52:22 Post No. 60099503
[Report] Image search: [Google]
grsecurity shuts down access for non-subscribers 2017-04-27 05:52:22 Post No. 60099503
[Report] Image search: [Google]
File: debian cve by year.png (28KB, 1103x738px) Image search:
[Google]
28KB, 1103x738px
grsecurity shuts down access for non-subscribers
Anonymous
2017-04-27 05:52:22
Post No. 60099503
[Report]
https://www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/
For those who don't know, grsecurity is a patch set for the Linux kernel that implements a wide array of exploit mitigations. For years, it's been on the cutting edge of security research and has pioneered many techniques. There isn't anything else like this. https://grsecurity.net/compare.php
From now on, it'll only be available to paying customers. This is a severe blow to non-enterprise Linux users (especially Hardened Gentoo users, who used the test banch), because they've lost the best (by far) security features out there. Now there's nothing to protect you from more shitty network stack vulns in the future, among other things.
>>
If they were actual security fixes, why don't they just submit them to the linux kernel?
>>
>>60099503
"To date and going forward, Grsecurity's patches are and will be distributed under the GPLv2 free-software license, just like the Linux kernel. You could, therefore, pay for future code and release it for everyone, but that would be a surefire way to end your Grsecurity subscription for good."
Nice loophole, faggots.
>>
>>60099554
Would that even hold up in court?
>>
>>60099583
Would the GPU itself hold up without a giant beardo getting in the way and blocking the view?
>>
>>60099554
There's nothing in the GPL preventing you from selling copies of your source code, but also doesn't prevent your customers from sharing it for free.
When the GPL was written, it was unthinkable that you could enforce people spilling the source for free.
This is literally a GPL violation, you're not actually allowed to reveal the source without having future access to GPL code revoked.
>>
>>60099525
Because Linus thinks grsecurity is "insane and very annoying and invasive code." (Source: https://lwn.net/Articles/313765/)
He was interviewed in 2015 about his ideas of kernel security now that Linux has become widespread, and he said that he has other priorities like performance and flexibility: http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
Draw your own conclusions.
>>
>>60099650
Two stubborn open source belligerents unable to meet in the middle and find some common ground? Color me surprised.
>>
File: smug_puffy.png (203KB, 800x689px) Image search:
[Google]
203KB, 800x689px
>mfw Linux users have to pay for something we OpenBSD users get out of the box
>>
>>60099503
Hardened Gentoo doesn't need grsecurity.
>>
>>60099650
He's in the NSA's pocket.
>>
>>60099863
Thread's over, the shitposter's found it!
>>
>>60099878
Just filter all tripfags and everything will be alright, anon.
>>
File: Spectacle.nn5681.png (27KB, 642x305px) Image search:
[Google]
27KB, 642x305px
>>60099503
This comment (pic) is interesting.
https://lwn.net/Articles/689385/
https://lwn.net/Articles/689437/
>>
>>60099650
>Because Linus thinks grsecurity is "insane and very annoying and invasive code."
When not taken out of context, Linus is again very correct. Many of the grsec stuff has tradeoffs when it comes to compatibility or performance and cannot be suitable for the mainline kernel.
>>
>>60099885
Those don't qualify as GPL violations. Also, Alpine Linux and the BlackBerry Priv come with grsec.
>>
>>60099911
Fuck off NSA shill.
>>
File: fuckyourshit.png (101KB, 281x225px) Image search:
[Google]
101KB, 281x225px
>>60099911
Reminder that Windows has had mitigations since forever and the whole world hasn't fallen apart due to lack of compatibility or performance.
>>
>>60099954
Windows is pretty awfyl, so I don't know how this helps your argument.
>>
File: do tell.jpg (44KB, 300x300px) Image search:
[Google]
44KB, 300x300px
>>60099954
Reminder that Windows is consumer garbage-ware that cannot run on a mere 25% of the stuff Linux does plus doesn't have the same level of security of grsec because it's shit
>>
>>60099919
Shut up schill.
>>
>>60099988
>Windows is pretty awfyl
Exactly.
What does that tell you when your operating system is even worse than fucking Windows, lincuck?
Stay rectally shattered!
>>
>>60100020
>actually supporting windows
Let me guess: you're a gaymer. Gayboy.
>>
>>60099988
If it's so bad then why is the majority of Desktop users Windows?
>>
>>60100039
>supporting Windows
You're not good at text comprehension, are you? No wonder you use Loonix.
>>
>>60100052
Actually supporting windows and now avoiding the subject. How surprising.
>>
>>60100040
Because it comes preinstalled and majority of consumers don't even know what "OS" means.
>>
>>60100101
In other words, it's the operating system for the lowest common denominator - the normalfag with the reading comprehension of a 12 year old. No wonder they're all gaymers.
>>
>>60099954
>windows
>secure
lmao
>>
>>60100126
That's defining the Linux community in a nutshell.
>>
>>60099843
OpenBSD master race
>>
File: Pathetic.gif (3MB, 320x240px) Image search:
[Google]
3MB, 320x240px
>>60100175
>y-y-you too!
>>
>>60100040
True but consider the following:
- Microsoft has deals with hardware companies, so most laptop and desktop computers comes bundled with their products.
- Most people uses whatever comes bundled with the hardware and i can bet a lot of them doesn't even know what is an operative system and that you can choose it. If the brand "Windows" were related to quality then WP would be the most used mobile operative system because the demand would be high.
- Microsoft has deals with schools, so people is trained from a young age to use microsoft products. For a lot of them it's a question of being a comfort zone, not even about the difficulty. I can say this because in my own experience most windows users never solve their own problems, they ask other people to solve their problems.
- Microsoft has a huge lock-in with their formats and APIs. Independently on if we can consider they products are good or bad, the fact is that they use anti-competitive measures to lock their users and developers. For example their document formats doesn't honors the "ISO standard" they supposedly issued. If they care about interoperability with competing solutions they would use the well documented version of their format. But no, they uses their dominant position to push a version of the format only they know exactly how it works (interestingly and despite this, i have gotten problems even with different versions of MSO). Most of the documents in this format are created with MSO and most people doesn't even knows about the strict version of the format, this makes their format a moving target for competitors at best. Their development tools is another good example if a lock-in, they only care about compatibility on markets where they're losing like server or mobile.
>>
>>60100161
>Linux open sourced and free.
>Has to begin paying for Security updates
Lol
>>
>>60100208
Yeah, but at least it doesn't have a webserver right in the kernel, nor is the GUI rendered there.
>>
File: namecalling.png (66KB, 702x534px) Image search:
[Google]
66KB, 702x534px
>>60100175
This defines the Windows community in a nutshell.
>>
>>60099954
Windows doesn't run on phones and Pis and random SoC shit to does it?
>>
>>60100208
Ahm, pretty sure as long the user controls the hardware they receive all the security updates unless there's an exception i don't know about. Grsecurity is not mainlined in the kernel so it's an optional different product.
>>
>>60099863
>>60099863
The entire point of hardened Gentoo was grsecurity in hardened-sources, you already have PIE+SSP base+userland with new compilers by default.
>>
>>60100302
soon
https://www.qualcomm.com/news/snapdragon/2016/12/07/windows-10-powered-snapdragon
>>
>>60100319
You are free to hold that opinion but it just isn't true. You don't need to enable any grsecurity features using hardened Gentoo.
>>
>>60100332
It will fail because of slow x86 emulation that eats all your battery and unusable "native" apps from windows store.
I mean, Office is pretty demanding as it is, emulating it on an underpowered ARM chip will bring it to a grinding halt.
>>
>>60099503
https://www.archlinux.org/packages/community/x86_64/linux-grsec/
oh noes wot do now?
>>
>>60100273
Ummm... it does though.
>>
>>60100011
Explain how they violated the GPL then instead of calling me names, you fucking troll. Refusing support to someone who distributed your code never did and never will.
>>
>>60100398
Then you don't know what Gentoo hardened is.
Main thing is grsecurity/PaX + hardened toolchain ( which now everyone has ) & SELinux & RBAC that's what Gentoo Hardened has.
https://wiki.gentoo.org/wiki/Project:Hardened
>>
>>60100256
This isn't Windows vs. Linux, you dumbasses.
It's OpenBSD vs. Linux. We're OpenBSD users.
The fact that OpenBSD is so superior to your shit penguin hobby OS that you have to keep comparing it to Windows to save face is laughable.
As I said, even the shitfest that is Windows has mitigations, yet Linux hasn't. That's really embarrassing for you!
>>
>>60099843
bullshit.
openbsd faggots always had to pay for binary updates.
>>
>>60100478
>hobby OS
You do realize Linux is mainly developed by professional coders working for corporations like Red Hat, IBM, etc. ? Those corporations are also responsible for most of the funding.
By contrast, who is the main development force behind OpenBSD? Right, a bunch of hobbyists.
So how about you go suck Theo's cock before you embarrass yourself any further (if at all possible)?
>>
>>60100450
Not him and not sure if it can be considered a loophole or not but the licence supposedly guarantees the right for any user to redistribute the source, while you can argue that they technically cannot sue you for making public their GPL work, by threatening to not give you access to future releases the intention is clearly to deter (by threatening) their users from redistributing the code, so i consider it easily can be a violation of that term but only a court can decide that at the end.
>>
File: laughinlinus.jpg (12KB, 221x336px) Image search:
[Google]
12KB, 221x336px
So is the hardened gentoo/Arch/Alpine developers just going to bite the bullet and pay for a subscription that will then be distributed among their users?
I would actually be okay with donating to the Hardened Gentoo project if they did that.
>>
>>60100462
You should probably read about those tools before you start shitposting that hardened Gentoo is grsec, you obviously have never used it.
>>
>>60100478
>BSD user calling "hobby OS" to linux.
Do you grasp the same name calling can apply to BSD right? Yet i'm pretty sure you know a lot of developers that contribute to linux and BSD are paid professionals and both are used widely in the industry. You're just full of salt.
>>
>>60100545
>not even trying to make your lies believable
This is a new low even for lincucks.
>>60100553
>I trust corporations more than I trust enthusiasts
The end results are out there for everyone to see: my OS has mitigations; yours hasn't. My X has been running unprivileged for 10 years now, yours still runs without privilege separation to this day. My virtual memory has been encrypted since forever, yours is still plainly stored. Etc., etc, etc....
Talk about embarrassment.
>>
>>60100553
>LMAO
Exactly made by corporations.
They don't care about security, you can turn off SMEP/SMAP, bypass all other stuff.
Not to mention all the silent vuln fixes that can be used against LTS kernels.
It's just one giant circle jerk.
>>60100614
You are a moron, hardened-sources has grsecurity which is one of the things Gentoo hardened is, together with SELinux and hardened toolchain.
Infact i'm running it now.
>>
>>60100631
The difference is Linux was made by a student as an educational project, while BSD was developed by a renowned university funded by DARPA. Stay anally overwrought.
>>
>>60100680
forgot to mention that it had grsecurity testing patches in it.
>>
>>60100599
You're not entitled to support from them, they can offer it to you on whichever terms they want.
>>
>>60100680
So you know that you are just shitposting then.
>>
>>60100682
Every DARPA funded project that went public and civ ended up being filled with flawed design or exploits (TOR, etc).
>>
>>60100704
>being this dumb
>>
>>60100642
>>I trust corporations more than I trust enthusiasts
Nice try moving the goalposts.
I never said I trust corporations (I don't), I was merely responding to your claims about Linux being a hobby OS (which it's not).
>>
File: loonix_dieded.png (347KB, 479x341px) Image search:
[Google]
347KB, 479x341px
>>60100726
Okay, enjoy your systemd OS.
>>
>>60100716
You can stand by your assertation that hardened gentoo requires grsec and look like a dipshit if you want to, freedom of ideas and all.
>>
>>60100613
I had assumed they were already doing that because hardened gentoo runs old as fuck kernels.
>>
>>60100752
Explain to me what Gentoo hardened is then?
It doesn't require grsec, but it's all kinds of things like grsec and SELinux and toolchain.
You can enable what you want, you don't have to use grsec, but honestly then it's not that hardened :)
>>
>>60100776
I don't need to explain it to you, because you already know I'm right.
>>
>>60100478
Such a low effort goalpost.
>>
>>60100776
Not him, but Hardened Gentoo is Gentoo Linux with a series of additions for security, one of which is GRSecurity patches in the kernel.
You have to manually enable any of the GRSec features, but the patches are there so you can.
I think you're right.
>>
>>60100798
I know it's a bad troll.
>>
test
>>
>>60100682
What? no counterarguments and only comparing how they started as argument? i'm waiting but not forever salty boy.
>>
File: snapshot_21.11_[2016.07.28_03.59.09].png (3MB, 1920x1080px) Image search:
[Google]
![snapshot_21.11_[2016.07.28_03.59.09].png](https://i.imgur.com/jt1R841.jpg "snapshot 21.11 [2016.07.28 03.59.09]")
3MB, 1920x1080px
>>60099503
hahahahaah linax aaahahahahah
>>
>>60100822
>counterarguments
That term assumes there are arguments to counter, lad.
>>
>>60100701
>You're not entitled to support from them.
I know, please point to me where i stated otherwise.
>they can offer it to you on whichever terms they want.
This is where i think you're wrong. Their work is a derivative of the kernel developers work which is being released under a license that enforces for derivatives to be licensed under the same license and one of the aspects of this license is to guarantee the right to distribute the source code. This license is viral but it's made that way to discourage freeloaders which curiously is what i think they're now trying to pull now. If they was going to disagree with the license they should have based their work on a project like BSD which allows to create proprietary forks always or create their own kernel from scratch with a license they choose or by adding a CLA which would allow them to have much more right than their contributors.
This guys constantly thrash talks the linux kernel and their developers which i think is not the most sensible thing to do if you depend on their work. Is like if my product depends on windows and i constantly thrash talk the windows developers calling them incompetents but getting angry when they don't provide free L3 support or they simply don't want to support me in any way with the argument that without my project windows is a shit. Seriously, the biggest problem of this guys is their attitude because otherwise i would definitely feel their work would be sponsored by red hat or the linux foundation easily but they're constantly burning their bridges. At this point this guy's argument is "i already wasted 15 years of my life working on your kernel now you guys owe me to do what i want under the terms i want".
>>
Macbook Pro doesn't have this problem.
>>
>>60101002
>That term assumes there are arguments to counter, lad.
ok so:
>BSD user calls Linux hobby OS.
>Counterargument with the fact that both projects are developed by paid professionals and used widely in the industry.
>Then he doesn't address the counterargument but also uses as argument that "the way BSD started is more cool" which is unrelated.
>point's that hes claim is unrelated.
>LOL there's no argument in the first place.
Ok, last chance: "Both projects are developed significantly by paid professionals and/or they're used widely in the industry".
Any objections?
>>
File: 1325487626733.jpg (37KB, 324x375px) Image search:
[Google]
37KB, 324x375px
>>60099503
Good
Now we get SElinux and PAX to do them same.
Freetards ruin everything.
>>
>>60099503
Everything started because a giant (intel, maybe) used their brand without consent. In the end they realized how to make money with GPL software.
Their unstable releases has lower performance too, and now nobody will test their software. A good way to be irrelevant even if they have many more advance ideas than MS or BSD towards hardening software.
>>
>>60101142
>forfeit claims of superiority
>best you can do at this point is "b-both are just as good, o-okay?!"
MAXIMUM DAMAGE CONTROL
>>
>>60101289
>forfeit claims of superiority
Where?
>"best you can do at this point is "b-both are just as good, o-okay?!"
So no objections to what i said?
>MAXIMUM DAMAGE CONTROL
Well there goes your last chance, bye.
>>
so skids won't be able to access the patchset now?
sounds like an improvement
>>
>>60099843
>Grsecurity
A bunch of patches for Linux to be applied by the user; it still doesn't seem to be incorporated into any mainline Linux distros.
>OpenBSD
Features like stack smash protection and W^X are in the base system, on all possible platforms ,always on, and there's no easy "off-switch", so crapplications HAVE to be improved in order to work. I can't prove this (and I doubt anyone could), but I suspect that OpenBSD has resulted in more improvements to programs commonly used on Linux than GRSecurity has.
>>
>>60100642
>This is a new low even for lincucks.
just checked, openbsd now has free binary updates for base since 6.1 which was released 2 weeks ago.
>New syspatch(8) utility for security and reliability binary updates to the base system.
https://www.openbsd.org/61.html
sry for not keeping up with your OS.
>>
>>60099843
https://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
>>
>>60100126
>i believe the OS i choose to use makes me an intelligent individual
wanna know how I know you have autism and are fat?
>>
>>60102306
oh look, is that blog with FUD about OpenBSD that gets posted as a last resourced by Lunix fanboys when they are out of arguments
NEXT
>>
>>60102335
You're wrong on both. I am over 12 though which most windows users aren't (mentally).
>>
>>60102376
>don't counter any the points made on said blog
>simply attack the blog as fud
NEXT
>>
>>60099503
Sysadmins at my school were fans and contributors to that shit 10 years ago.
Hosted projects on their servers couldn't do shit before being killed for "security" reasons.
Half of them ended working as advisors for government agencies.
Everywhere they go, you can kiss your production goodbye...
>>
Hard working professionals want to get paid for their contributions and FOSS nerds are up in arms.
So much for "you can make money with free software"
>>
>>60099843
Feels good man. I have been a desktop user since I saw the pledge talk
>>
>>60099503
Is there anything stopping a paying customer from providing them to the rest?
Sure they could end your subscription but only if they can link it back to you. There are plenty of anon hosting sites you could drop it on and announce in some way that can't link back to you.
>>
>>60102504
Just read the comments on the blog you imbecile.
There is nothing else to say about a 2010 post with a bunch of lies that will always get posted by faggots like you.
>>
>>60102689
They will ban random people or even fine their entire suscriptor base, they're that retarded
Out distribute fingerprinted versions to their customers like Hollywood does with screeners
>>
>>60102707
>still doesn't counter any points
NEXT
>>
>>60101059
Agreed: I believe this is a violation of s2(b) and s4 of GPLv2.
>>
grsec is one big shill
>>
>>60102613
>hard working professionals
He should do it because he's passionate, not because he's greedy.
The Canadian government funded me to work on Linux and FreeBSD for 18 months on NSERC
>>
>>60101645
OpenBSD doesn't have forward edge CFI'd kernel which eliminates ROP entirely.
No mprotect, no UDEREF no KERNEXEC no STACKLEAK, no size overflow plugins and tons of other things.
You can't turn those off on a running kernel either.
Linux has had SSP for awhile too.
It misses a lot that grsecurity/PaX has.
>>
>>60099583
Yes. GPL says you have to release the source code to the people you release your program to, which is only paying customers in this case.
>>
>>60103937
It also says you have to respect their four essential freedoms, those being the right to distribute copies, modified or unmodified, and the right to view and modify the source code.
>>
>>60104074
Ok, so if someone wants to buy it and give away the source code, they're allowed to. But nobody's done that yet
>>
>>60104094
>your subscription will be terminated and you will be permanently banned
lol ok
>>
>>60104298
The GPL doesn't have any restrictions on who he distributes it to. If he chooses not to distribute it to you, for any reason, he's allowed to.
>>
>>60104333
This is a violation of freedoms 1 and 3
>>
>>60104379
No, he has the right to not distribute to you; he doesn't have the right to force others to not distribute to you.
Sure, threats of banning are a form of coercion, but it's his right to not distribute.
>>
>>60104415
Explain to me how the coercion is not a clear violation of freedoms 1 and 3.
>>
>>60104430
Another anon, but only freedom 3 is breached, because grsec blackmailed everybody who release their patch outside their subscribers. Their price is enough high to make it hard decision to release at least a binary so it's not a free software anymore. Not elegant, but they want money.
>>
>>60104430
Probably getting into mental gymnastics territory here, but basically the only action he's taking to punish your exercise in freedoms 1&3 is to stop associating with you, which is his constitutional right.
If he were taking actual legal action, that would be a clear violation, or if he were otherwise violating your rights.
To be clear I don't support this; I use GRSecurity and this is very bad for me; I'm just trying to find a rationale because I'm very pissed off.
>>
File: nico nico okeeeeei.png (141KB, 502x502px) Image search:
[Google]
141KB, 502x502px
This just goes to show that free software doesn't pay the bills, you dumb commies.
If you don't want to fucking starve, you're going to sell out.
>>
>>60104554
Go back to /a/, you fucking NEET. Free Software can pay the bills just fine; Spengler is just being a greedy nigger.
>>
>>60099650
linus is probably right
>>
>>60099623
so should we report this to stallman?
>>
are there any vulnerabilities this patches that aren't meme vulnerabilities?
shit that you need physical access to make happen?
>>
>>60099919
>no serious distro
>b-but alpine lonix does!
not serious then, dummy
>>
>>60104554
Freetards on suicide watch
>>
>>60106922
That fat commie fuck can't even steal McD WiFi.
>>
>>60106945
>that aren't meme vulnerabilities?
RCEs are memes now?
>>
So gentoo hardened is on borrowed time now basically until there is a vuln in 4.9.* a patch for which doesn't play nicely with the grsec patch?
>>
>>60109436
>Can't even steal McD wifi
What is the joke here? The fact that many locations have complimentary wifi for their customers? The fact being that "stealing" the wifi proper is non-possible due to it typically being for the patrons of the store?
>>
So is that a GPL V2 violation yes or no?
You're not forbidden from distributing the code, but they won't do business with you any longer.
Technically you got a piece of software along with all the basic freedoms.
Is having access to any future versions of the software from the vendor written anywhere in the license?
>>
>>60100870
>.png (3.17 MB
Aw shit nigga.
>>
>>60109638
>Is having access to any future versions of the software from the vendor written anywhere in the license?
No.
And since "people exercising their freedoms according to GPLv2" isn't a protected class they can legally discriminate against by refusing as clients, there is really no recourse.
Maybe Stallman should've registered GPL as a religion
>>
>>60100419
Office is arm native tho
>>
>>60100795
Filtered
>>
>>60100008
>Reminder that Windows is consumer garbage-ware that cannot run on a mere 25% of the stuff Linux does
Irrelevant
>plus doesn't have the same level of security of grsec because it's shit
Ever heard of EMET? Not to mention that grsec isn't even in the kernel.
>>
>>60099650
Linus is a fucking faggot. He'd rather have a 1% performance gain than employ security features into the mainline kernel. His point of view on kernel security is asinine, and I hope it blows up in his fucking face someday. Somebody link that post from grsec's dev about how shitty kernel sec is right now.
>>
>>60099503
> stemmed from alleged misuse of Grsecurity's trademark by an undisclosed company that appears to have been Intel's Wind River.
https://forums.grsecurity.net/viewtopic.php?f=3&t=3713
> Can anyone help with delivering exact fix in above commit so that we can porting it into our kernel and try EFI booting again? Or, should we try any other approach to fix EFI booting failure?
I don't get it. So companies use your product for free without support, big deal. It's their problem now, and if they don't upstream THEIR fixes, they can be sued for GPL violation.
>>
>>60109974
>Ever heard of EMET?
It's on EOL support now though. And I actually don't quite understand what's the supposed replacement is. According to that https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/ it's "to migrate to Windows 10"? What the fuck is that supposed to accomplish, how do I enforce ROP mitigations for programs or use other EMET features in Windows 10 anyways?
>>
>>60100256
>Yeah, but at least it doesn't have a webserver right in the kernel
Which can be and is normally disabled on desktop systems.
>nor is the GUI rendered there
Isn't that what Wayland is doing? And why do you act like Xorg isn't a huge pile of insecure shit?
>>
>>60099503
Shitnux, not even once.
>>
>>60109992
> He'd rather have a 1% performance gain than employ security features into the mainline kernel.
Not to mention that the entire shit is fully configurable, i.e. there is zero overhead if you don't enable protections in the kernel config.
>>
>>60110015
Supposedly they're baking in those features into the OS making EMET not necessary, though I saw a study that tested the current mitigations and it seems like the implementation is not complete. We'll have to wait and see when the EOL comes along if they've completed it.
>>
>>60099503
This is fucked.
>>
>>60109992
>tfw there are morons that still chino that the "masturbating monkeys" it's funny
Well, the line it's funny, bit that also shows how irresponsable he is.
>>
>https://www.reddit.com/r/Gentoo/comments/67qecx/future_of_gentoo_hardened/dgszq0r/
So according to this guy hardened-sources is going to be maintained for now, for 4.9 kernel branch, although I wonder who's going to undertake this task since there is a huge difference b/w writing an ebuild that pulls in kernel sources and a ready to apply kernel patch and actually making sure that 4.9 updates are backported and work correctly with the patch for the older kernel version. Not to mention that grsecurity patch itself may have bugs, fixes to which by upstream are now unattainable. This shit really sucks.
>while working to merge as much of PaX/GrSecurity into the upstream kernel as possible.
lol good luck with that
>>
>>60109992
And how exactly would it blow up in his face?
He maintains the kernel to be flexible and fast. focusing on security adhoc interferes with that.
His main argument is that vendors love to sell you the illusion of security because thats the core of their business. Anyone telling you that their kernel or OS is more secure than another (open or closed) is full of shit.
Besides, how many modern platforms let you control the entire software stack anyway when imbedded software like trustzone, IME, etc exist?
>>
>>60110208
>And how exactly would it blow up in his face?
A vulnerability, or string of vulnerabilities that are so serious, (and perhaps encompasses an architectural flaw that is not easily fixed), that it causes massive damage to large part of worlds Linux infrastructure, causing millions of dollars in economical damages.
As much as I love linux, I hope it happens. Linus' ego is a danger to the security of the project. He needs real consequences to rock his shit so bad A-la-Microsoft-Windows-XP-era to make him change his perspective.
>He maintains the kernel to be flexible and fast. focusing on security adhoc interferes with that.
Why do you act like grsec is such a performance and flexibility problem? The real issue is Linus and Linux maintainers are willing to merge shitty insecure code into the kernel. Grsec protections make that code break. Who's fault is then? That compounded with the amount of kernels, and speed at which they commit to it make security in the kernel impossible.
>His main argument is that vendors love to sell you the illusion of security because thats the core of their business. Anyone telling you that their kernel or OS is more secure than another (open or closed) is full of shit.
And he's fucking wrong. Where is the illusion?
https://grsecurity.net/compare.php
Look at the list, if you don't understand how each of these protections mitigate exploitation then shut the fuck up and get the fuck out.
>Besides, how many modern platforms let you control the entire software stack anyway when imbedded software like trustzone, IME, etc exist?
Irrelevant, perhaps if the Linux kernel had exploit mitigations we wouldn't be having all these embedded devices on the internet get fucking popped all the time.
>>
anyone know what grsecurity are charging for a non-enterprise linux subscription? would any of you fags consider it because honestly nothing compares when it comes to kernel hardening
>>
>>60099503
Time to go OpenBSD.
There's no hope for Linux.
>>
>>60099650
(((Open source))) is (((communism))), it's inherently anti white.
>>
>>60099843
WHOSE HAND IS THAT
>>
>>60099843
Enjoy your FBI backdoor cuck.
>>
>>60099650
wtf i hate linus now!
>>
>>60102376
>>60102707
OpenMEMEsd doesn't even have MACs, how can you call it secure?
>>
>>60111257
>le epic FBI backdoor maymay
There's more proof of Trump Russia ties than a FBI backdoor in OpenBSD.
And the evidence of the former is ridiculous flimsy at best.
>>
>>60111297
>Has no argument
>It was never found so it doesn't exist :^)
Funny how openbsd wasn't in vault 7 leaks but freebsd was.
>>
>>60111272
MAC's are a poor form of security, and easily bypassed. Even if you fully understand SELinux/Apparmor (which very few do) it still isn't sufficient to secure a system. You need kernel level protection (GRSec, Seccomp).
For gov tier system hardening, use this guide and if you implement each aspect you will have a vastly more secure system than if you spent an equal amount of time "trying" to learn how to implement SELinux;
https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/
>>
File: 1463098591892.png (10KB, 694x53px) Image search:
[Google]
10KB, 694x53px
>>60100426
SHIEEET
WAT DO
>>
>>60099650
>https://lwn.net/Articles/313765/
>None of the basic issues [in PaX] have been solved.
>Date: Sat, 3 Jan 2009
Oh look, only just a bit over 4 and a half measly years until linux kernel will start getting a castrated version of ASLR implemented.
>https://lwn.net/Articles/569635/
>October 9, 2013
>Cook's kernel ASLR (KASLR) currently only randomizes where the kernel code (i.e. text) is placed at boot time.
>and thus any sane maintainer (me) should refuse to take them
Linus' stance on security is just utterly retarded. Same goes for "I treat security bugs just like regular bugs 'cause regular bug fixes should be celebrated too!" idiocy, because it's totally the same thing if there is a bug that causes my wm panel to crash or if there is one where somebody takes over my system, installs a rootkit and steals my bank passwords and keeps using my box as part of a botnet even after system reinstall, ofc both of these should get the same amount of attention…
>>
Reminder no amount of software security will help you as long as you have Intel management engine in your processor.
>>
>code that is not available for public audit
>secure
sounds like snake oil
>>
why are you people even using grsec kernel?
>>
>>60111467
Oh so it it's in my chipset I'm fine?
More seriously - why do you single out Intel, did AMD open-source their PSP already?
Also that "logic" is shit, because I don't know 100% that IME is compromised, if it is compromised maybe it's compromised by only one three-letter agency while others have to rely on software exploits, plus there are other countries that can't force Intel to install their backdoors so they have to largely rely on software exploits too, plus there are your run-of-the-mill individual hackers that software exploit mitigations protect from
>>60111507
kys retard, it's GPLv2 they just coerce their customers into not sharing it with anybody
>>60111516
autism
>>
>>60111550
Not him, but keyword is public. Kys retard.
>>
>>60099503
Just Fork It.™
>>
>>60111578
The fucking level of retardation...
It's GPLv2, if you get the patch you can share it for public audit all you want, but not one of grsec's customers is actually going to bother with it because "public audit" by a bunch of mongoloids like you and that other retard is worth shit compared to getting actual security updates from grsec.
>>
>>60103650
>The Canadian government funded me to work on Linux and FreeBSD for 18 months on NSERC
Tonight, on Shit That Never Happened...
>>
>>60103007
How? He's not restricting redistribution of the software, he's just conditioning his support on the non-redistributing of it. The GPL doesn't say anything about support, it doesn't force you to support the users you distribute your software to.
>>
>>60111272
You can implement MAC with pledge + chroot if you're not a mouthbreathing brainlet.
>>
>>60111729
All memes that don't actually work, freebsd jails are far more secure.
>>
>>60111775
>I'm a mouthbreathing brainlet
Don't worry, you can always do manual labour.
>>
>>60111807
Whoumst'd've are you quoting?
>>
>>60099503
>From now on, it'll only be available to paying customers.
Well, people will just download it from bittorrrent, then.
>>
>>60111312
nobody uses OpenBSD so the CIA didn't bother writing any malware for it
>>
>>60112061
The usual CIA "hack" is starts with stealing or burglary. A good encryption is a great step against them.
>>
>>60099554
>You could, therefore, pay for future code and release it for everyone, but that would be a surefire way to end your Grsecurity subscription for good.
There's only one way they could possibly know which customer's subscription to cancel: and that's if they released uniquely obfuscated source-code to each different customer.
If they didn't do that, then it's just a stupid, transparent bluff.
>>
>>60109424
So Azure too. Next time double check your master's stance on "open sores".
>>
File: acceptinded.png (328KB, 600x490px) Image search:
[Google]
328KB, 600x490px
>>60112250
They are enough greedy to do that, so only fork can save their patches from to be irrelevant slides on ftp about patches that used by few datacenters.
They just fucked this up.
>>
>>60109617
I believe the gnu site had an ad up a while back for a programmer to write software that is also javascript-free to utilize the wifi at McD. Anon is assuming that use case implies rms.
>>
>>60111682
you don't have to believe it but they did. I'm a grad student at a very well-regarded university and I wanted to implement a few things into the networking stacks as a research project. Government funded it, no problem.
>>
>>60104554
if the grsecurity devs were sane and reasonable and not autistic screeching monkeys unwilling to work with anybody because it would mean losing their pitiful 200$/month in the short term, he'd have worked with Linus to integrate the patchset into mainline and receive funding through the Linux Foundation.
But he's too much of an idiot.
>>
>>60109528
you shouldn't rely on only one form of protection. I'm on hardened without grsecurity personally.
>>
>>60112719
Are you implying that Linus is a reasonable individual regarding kernel security? Hell, are you implying that Linus is reasonable at all?
>>
File: 2017-04-28-103832_550x493_scrot.png (44KB, 550x493px) Image search:
[Google]
44KB, 550x493px
>>60110340
because, as linus said and as I've experienced, it is "annoying and invasive". grsecurity doesn't actually fix many of these "vulnerabilities" by patching them so that they're no longer vulnerable. They just tear functionality out of the kernel. It's so frustrating. I used grsecurity for 4 years and I've had to maintain my own patchset to re-patch their patchset with because of how horrible some of their "protections" are.
pic related is an example. In what way is it reasonable to completely forbid all user namespacing without even giving config option. It's just "if you have any grsecurity feature on, say goodbye to namespaces" What the fuck is that? You can't even run unprivileged lxc (which is MUCH more secure than root lxc) on grsec for "security reasons" like this. Their patchset is FUD and bullshit with very little actual good stuff (like disabling USB that's not present at boot. Things like that should be mainline for sure.).
>>
>>60112767
Linus is personally interested in fixing bugs, improving performance, and adding functionality.
He isn't focused on security, but he isn't against it either. Many grsec patches made it into mainline because they were demonstrably good and didn't completely shit all over everyone else's hard work without fixing anything like >>60112812 .
He will gladly accept pull requests if they fix more than they break.
>>
grsec is a meme
They use shills to make it seem like they're relevant.
>>
>>60112812
>I used grsecurity for 4 years and I've had to maintain my own patchset to re-patch their patchset with because of how horrible some of their "protections" are.
If you're going to repatch grsec and weaken the protections that you clearly don't understand then you're better off not using it at all.
> In what way is it reasonable to completely forbid all user namespacing without even giving config option. It's just "if you have any grsecurity feature on, say goodbye to namespaces"
I don't see a problem with this. Do you have a valid reason to give those permissions to a non root user?
>You can't even run unprivileged lxc
If I recall correctly, this works now
>>
>>60112734
>you shouldn't rely on only one form of protection
So you prefer to rely on 0 forms of protection instead (ca. the kernel)? There are plenty of nice things in gentoo-hardened other than grsec patchset indeed, like the default hardened specs of GCC but the biggest reason I use it is PaX/grsec
>>60112812
I read the discussion in the links and I kinda agree with the comment "Increases kernel attack surface in areas developers previously cared little about..." and that the review this code received is dubios.
Although grsec ofc could've separated this into an option to avoid "all or no protection" dilemma.
>grsecurity doesn't actually fix many of these "vulnerabilities"
No shit. It's an exploit mitigation project, not a kernel bug fixing project.
>>
>>60099650
Wrong. They were told to break up the patches and resubmit.
>>
>>60109638
>So is that a GPL V2 violation yes or no?
it's very likely against contract law in most regions if you get GPvL2 code but allegedly void your contract if you actually exercise your GPLv2 rights.
>>
>>60112324
>>60112250
So we buy two versions of it and compare the difference.
>>
>>60113404
If he terminates the contract, sure. But what about refuses to renew? Assuming he doesn't have a ton of clients that paid for years upfront, that's what he could safely do I think.
>>
>>60113321
>I don't see a problem with this. Do you have a valid reason to give those permissions to a non root user?
Yes. It's not like any user can create them. Only users that root assigns subuids and subgids to can do it. It's like sudo and sudoers.
It's not like a random apache exploit can allow the web server user to create rooted containers.
It allows exploits in the containers to be managed though. If an exploit causes a container to be rooted, and they somehow break out of the container, they are limited to a user that can do nothing but spawn new useless containers. On the other hand, old root namespaces allow any exploit in the container to directly affect the host.
It's one of the most important security features in linux containerization and virtualization and the retaded grsec devs turned it off just because they don't personally see the need or understand how useful it is.
>>
>>60099954
windows doesn't run on anything except x86, loonix runs on gorillion platforms like sparc and the fucking xbox. big difference.
>>
This is only relevant for servers
Which are mostly enterprise Linux users
WOW ITS FUCKING NOTHING
>>
>>60113457
>It's one of the most important security features in linux containerization and virtualization
It's literally the opposite. You go from no_new_privs usage to any user possibly abusing namespace creation to gain privileges. That's why the comment talks about 'proper review', the patch discussion displays how it's not well thought out.
>>
>>60113496
>You go from no_new_privs usage to any user possibly abusing namespace creation to gain privileges.
They aren't gaining anything. They now have a container, so what? That container is still limited to the permissions that the user originally had.
>>
>>60113588
Have you read the patch discussion?
> I'm talking about:
>clone with CLONE_NEWUSER
> - child does unshare(CLONE_NEWPID)
> - parent does setfd(child's pid namespace)
> Now the parent is running in the init userns with a different pid ns. Setuid binaries will work but will see the unexpected pid ns. With mount namespaces, this would be Really Bad (tm). With pid or ipc or net, it's less obviously dangerous, but I'm not convinced it's safe.
> I sort of think that setns on a *non*-userns should require CAP_SYS_ADMIN in the current userns, at least if no_new_privs isn't set.
> Yes. CAP_SYS_ADMIN in your current user namespace should make setns as safe as it currently is before my patches.
> That is just a matter of adding a couple nsown_capable(CAP_SYS_ADMIN)
permission checks.
> Right now I test for nsown_capable(CAP_SYS_CHROOT) for the mount namespace, which is probably sufficient to prevent those kinds of shenanigans but I am going to add a nsown_capable(CAP_SYS_ADMIN) for good measure.
The amount of "sort of" "I think" "this should be sufficient" is too great for my taste in a discussion of a potential priv. escalation.
>>
HAHAHA linuxtoddlers btfoooo
>>
>>60099843
>implying
>>
>>60099843
Why aren't we taking OpenBSD's code exactly?
BSD license wouldn't stop us
>>
File: thisKJFJA.png (39KB, 392x200px) Image search:
[Google]
39KB, 392x200px
>>60113438
>>
>>60099503
...AND...nothing of value was lost.
GRsec developer is an entitled whiny little bitch, I hope he goes out of business and finally fuck off from the Linux community.
>>
Reminder https://twitter.com/marcan42/status/724745886794833920
After this tweet the grsec developer blocked the guy and everyone who tweeted about the issue on twitter and banned him from the website. Soon after he made grsecurity twitter account private too.
>>
File: 1456473894044.png (83KB, 200x200px) Image search:
[Google]
83KB, 200x200px
Just fork the damn thing
>>
>>60114060
I think the issue with it is that only the patch's source is available not the code that generates it, and there is a lot of automation involved so it has to be "reverse-engineered" first so that you don't miss new/changed functions if you update the patch to the new version by hand. I think that's the issue anyway, maybe I'm wrong.
>>
File: 1473638775947.png (34KB, 640x480px) Image search:
[Google]
34KB, 640x480px
This is why GPLv3 must be mandatory for any big project
>>
>>60114035
Wow. More immaturity from PaXTeam in these HN comments:
https://news.ycombinator.com/item?id=14202421
>>
>>60114132
How would GPLv3 prevent them from discontinuing* the support provided to clients in the form of updated patches?
* by discontinuing I mean not terminating the already acting contract (since that would be a wrongful termination) but not allowing renewal of the subscription either
>>
>>60103860
>OpenBSD doesn't have forward edge CFI'd kernel which eliminates ROP entirely. No mprotect, no UDEREF no KERNEXEC no STACKLEAK, no size overflow plugins and tons of other things.
I don't know if you're still here, but a short write-up about each of these would be really nice. If you submit it to the "tech" mailing list, there might even be some traction on getting them added. If you would like to see those features in OpenBSD (and I would) then that'd be a good first step. I doubt they're reading grsec threads on 4chan.
Thread posts: 202
Thread images: 22
Thread images: 22