Hi, I did not know about grsecurity. Thanks for the hint. After some quick browsing it seemed it works like the Windows code execution protection. I will try to compile the kernel with this patch like you did.
Linux is the most secure OS IMHO - distributing this patch in Debian would be great I think (as soon as all apps are compatible).

Best regards,
Kevin Olbrich.

(sent from my iPhone)

> On 20.01.2014 at 00:49, Marko Randjelovic <[email protected]> wrote:
>
> On Sat, 18 Jan 2014 15:04:48 -0500
> Noah Meyerhans <[email protected]> wrote:
>
>>> On Sat, Jan 18, 2014 at 08:30:49PM +0100, Marco Saller wrote:
>>> I am not sure if this question has been asked or answered yet, please do
>>> not mind if I would ask it again.
>>> Is it possible that the NSA or other services included investigative
>>> software in some Debian packages?
>
> They don't need to do it. Software is full of security bugs. Most
> suitable are web browsers. NSA controls Internet backbone routers. Just
> check CVE records for Internet Explorer, Firefox or Chrome. Firefox ESR
> is meant for security, but 17 ESR had 11 updates, which means before
> bugs were corrected you were vulnerable. And probably there are still,
> but 17 ESR is not anymore supported and you have to go to 24 ESR which
> certainly brings new bugs and so on.
>
>>
>> It is absolutely possible. It's even possible that you yourself have
>> added such software to Debian! Can you prove that you haven't?
>>
>> That line of thinking leads to madness. The only rational conclusion,
>> once you start down that path, is to turn off your computers and move to
>> a remote cabin in the wilderness.
>
> What would make you highly suspicious.
>
>> It will never be possible to prove
>> that there is no malicious software in Debian or in any other OS.
>> Beyond that, it will never be possible to prove that there is no malicious
>> *hardware* running executing your OS.
>>
>> We can and do take care to ensure that all changes to Debian are made by
>> people authorized to make those changes. (Package uploads must be signed
>> by a Debian developer.) We can and do take care to ensure that the
>> packages you download have not been modified in transmission (signing of
>> Release files, checksums on Packages files and on packages themselves.)
>> Etc. If deficiencies are found in our mechanisms or policies, then we
>> take steps to improve them. If violations are found, then we take steps
>> to audit for impact and resolve any potentially malicious actions that
>> we identify. We take great care to minimize the likelihood of any sort
>> of backdoor or malicious code in Debian, but none of this can provide
>> 100% proof that such a thing doesn't exist.
>
> But Debian doesn't support grsecurity and similar security enhancements
> for Linux kernel[1], though PaX[2] is a serious protection from
> exploiting security bugs in software. I needed a lot of time in order
> to successfully patch Debian kernel with grsecurity, though I
> immediately removed all features/* patches. It's because patch B can
> assume patch A is applied and when patch A is not applied, then patch B
> fails. But it is possible patch B is still needed. For that reason, and
> the reason of availability of newer kernel in backports repo, my
> opinion is features patches are unneeded and make more problems than
> benefit.
>
>> Anybody that claims that
>> they can prove otherwise, for Debian or any other OS, is either lying or
>> ignorant.
>>
>> noah
>
> [1] https://lists.debian.org/debian-devel/2003/09/msg01133.html
> [2] https://en.wikipedia.org/wiki/PaX
>
> --
> Education is a process of making people see what is advanced and not
> obvious, but also not seeing what is basic and obvious.
>
> http://markorandjelovic.hopto.org

