[Freedombox-discuss] Policy questions
dr at jones.dk
Sun May 8 09:00:35 UTC 2011
On 11-05-08 at 10:10am, Rob van der Hoeven wrote:
> On Sun, 2011-05-08 at 06:52 +0800, Sandy Harris wrote:
> > Rob van der Hoeven <robvanderhoeven at ziggo.nl> wrote:
> > >> A standard tactic for security is isolation of services.
> > >> ...
> > >>
> > >> Clearly we cannot expect to use a separate machine
> > >> for each FB service, but we need some strategy that
> > >> limits the damage if any one service turns out to have
> > >> a security flaw. Some list posts suggest using virtual
> > >> machines, and that is one plausible solution, though
> > >> costly.
> > >
> > > Hi Sandy,
> > >
> > > I am the one that suggested virtual machines, and i am using them at
> > > this moment. ...
> > >
> > > In my opinion building a FreedomBox without using VM technology is very
> > > dangerous.
> > To me, the question seems more complex and still open. It is
> > clear that we need strong security, and therefore a carefully
> > designed strategy for isolation. It is not clear to me that VM
> > techniques are the way to go.
> > There are plenty of other candidates. The OS provides
> > mechanisms intended to do what we need, process
> > isolation, chroot, file permissions and so on. There are
> > extensions like SE-LInux and GRsecurity that give
> > more.
> You are right. A competent sysadmin can build a secure system without
> using virtualization. I don't think that an average FreedomBox user can
> manage the more advanced security features that you mention. So, must
> they become dependent on FreedomBox security experts every time they
> want to install a new service that connects to the internet? That's no
> freedom to me. In my design i use VM's as sandboxes. Users are free to
> install whatever they want inside a VM.
Sure, users are free to whatever with their FreedomBoxes - it is Free
But the FreedomBox is a *subset* of Debian with additional constraints
especially on user-friendliness. I do not consider "aptitude install
whatever your heart desire" as especially user-friendly.
I envision that we decide on some pieces in Debian, work with the
maintainers of those pieces to make them possible to not only be
installed in the "aptitude install, tinker with configfiles until happy"
fashion that we are used to, but also supports hooking up with a
dead-simple design which we invent - or (hopefully) discover that others
have invented and convince someome to package and maintain in Debian.
So I expect the "dead-simple" interface of FreedomBox to only be able to
add/remove - or enable/disable if there are so few that it makes sense
to inlude them all as part of the "core" - those services which are sane
for the device - which means both user-friendly and considered secure.
> > There may also be problems with the VM method.
> > Random numbers are one. More-or-less all crypto
> > depends on those. random(4) depends on the
> > driver having access to things like mouse clicks
> > and disk interrupts. I doubt that it will work well
> > on a headless server with solid state disk, let
> > alone in a VM.
> > This is just one problem that seems obvious.
> > Has anyone done a security audit on one of
> > the VM methods? Without that, should it be
> > trusted?
> Maybe the cloud companies have done some research on that? You have a
> valid question here. I'm very interested how secure the virtualization
> i use (LXC) is.
You expect cloud companies to have done research in running
virtualization on crippled hardware without dedicated RNG or even CPU
> > > Not all the software running on the FreedomBox will be mature
> > > and i expect a lot of serurity/stability issues.
> > I tend to think only mature software should be used.
> > There are other places for development and experiments.
> > The box needs to be very solid.
> One of the goals of the FreedomBox is to decentralize popular social
> networking services. The software to do so is still in development or
> does not exists. In order to develop the software FreedomBoxes are
> needed. Are you going to wait until Diaspora is mature in order to let
> it run on the FreedomBox?
I am going to bet on alternatives to Diaspora not building everything
from scratch, e.g. Buddycloud - approached as an XMPP extension with
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 836 bytes
Desc: Digital signature
More information about the Freedombox-discuss