Hyperbole sales pitch or technical interview? You be the judge.
What does this even mean? The star? Is that a department of n.runs or an employee or...what?
If you're good enough to build this HSS system why would you buy load balancers for 40k? It's not like these guys have the traffic volume of youtube for their site.
Suuuuuuure, and the pope is protestant.
"If you're good enough to build this HSS system why would you buy load balancers for 40k?"
It doesn't surprise me. Unless you've got a decent clued up sysadmin, buying an appliance seems like a good deal.
For everyone playing along at home, HAProxy can do software load balancing at 10GbE line speed on a fairly cheap low-end box, and it can do it for a hell of a lot less than €40,000.
Yeah, this guy sounds like some 1337 kid that wants to sell his snake oil.
Creepy stuff ... if the HSS patches for the kernel are so great that a proprietary front end can generate millions in revenue, then maybe someone should take a look at the source (or tell Harald Welte if the source isn't published).
Man, I have never seen somebody who has eaten wisdom with spoons like you. Really. I am so impressed by all the technical knowledge you have given your best here in this whole discussion. You did not have one real technical interest; instead you were blowing farts into this blog. I am sure that I was already developing when you were still running around the Christmas tree with a drum around your neck.
The culture I come from works differently from yours. I have learned during my 52 stays in the US to keep my tongue under control, not to speak as freely as it has grown, and to behave differently toward Americans, you know, there are these dos and don'ts, but "hey", with a buddy like you, I feel like at home, and probably tomorrow all the things we wrote about will affect me like a pee in the Mississippi.
God bless you, Soul(bit)bender
Actually, I feel for your frustration. It's extremely difficult to have a positive conversation about what you are doing when there are so many cynics waiting to knock you down. Now, instead of understanding the product better, everyone will get caught up in an unproductive flame war about tangential details. Sometimes people resort to obnoxious reasoning in order to control the discussion - it is all hugely distracting.
Yes, I know, this post is ironically guilty too.
This attitude appears to be the norm everywhere as far as I know; is German culture any different?
I am interested in what you've done to make Linux more secure (not as a customer, since I'm poor, but as a computer scientist).
Edited 2011-07-01 00:35 UTC
Normally, I'd agree with you. But that positive conversation can't take place here. If there are kernel security experts here, they don't have access to their product and can't evaluate their claims. If there are not kernel security experts here, their product hasn't earned the respect of the experts elsewhere. It's not really worth discussing the potential security benefits of an untrusted, untestable system. So, people end up focusing on the crazy claims of espionage and international three-letter-acronym intrigue that make this seem as shady as a back-alley kidney transplant.
I've read white papers of products I already use and pay for that I know are full of sh*t and don't do half the things as well as they claim. The real important information about a product comes from independent third parties that test and use the systems.
Bill Shooter of Bul,
"If there are kernel security experts here, they don't have access to their product and can't evaluate their claims. If there are not kernel security experts here, their product hasn't earned the respect of the experts elsewhere."
Sure, those are valid concerns for people interested in buying the product.
"Its not really worth discussing the potential security benefits of an untrusted, untestable system."
I disagree. Alex may very well have some valuable insight to contribute to a discussion on Linux security. I am interested in the mechanisms used to control access in the kernel, and it is worth discussing regardless of whether the product is proprietary or not, IMHO.
"So, people end up focusing on the crazy claims of espionage and international three letter acronym intrigue that make this seem as shady as a back alley kidney transplant."
Yes, I don't think Alex was expecting this. He got off on the wrong foot.
Technical questions for Alex:
1. What kind of context does HSS consider when deciding whether to permit or deny a request?
2. When a process executes "su", does the kernel invoke a userspace permission check through IPC? Is this somehow cached in the kernel, or repeated for every security check?
3. You indicated fewer scripts were required to use HSS, are events scriptable under HSS or do they have to follow a strict pattern engine?
4. How does HSS deal with concurrency? In particular, can the userspace portion handle parallel IPC requests (assuming there is a userspace portion) or are they serialized?
5. What is the impact to performance when the permission checks are enabled?
6. Does HSS do anything special to help debug app problems caused by restrictive permissions? How do I determine why my app is failing?
7. Does HSS work with a customized kernel?
8. Are the configuration files human read/writable or are they binary?
And I might as well ask, are you hiring English-speaking devs?
Well, it was a sales pitch with minimal technical info. If they wanted to discuss the technology behind it, that's great; they should have tried that instead of the sales pitch.
But for what it's worth, Google Translate does a fair job on their whitepaper. It doesn't make me feel any more comfortable about the product, but you might find some good discussion points.
http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http~*~...
Nice job insulting my technical knowledge (of which you know nothing). Nowhere in my post did I insult the technical skills of you or your team. Maybe you have a great product, maybe not. There's no way for me to tell, because you provided so very little technical information and there are no sources of information.
There was little technical info provided. You mostly provided hyperbole and a sensationalist conspiracy theory as to why someone broke into your office. As I said, an interview with technical details provided by the designer would have resulted in a more technical and interesting discussion.
You don't even know what my culture is. Hint: not american.
I wouldn't bet on it.
You started insulting; I don't care for your culture. And I will not answer any replies to you anymore, nor will I send you a copy of the product.
I think I will give Dave Adams a copy, he can eval the tool then with his people of trust and write about it.
Cheerio and bye forever.
Well, while I can agree that Soulbender took a very negative tone (TypeOnegative, I lol'ed!), I'd say that generally people here on OSNews have very little patience with what they perceive as marketing fluff, so you shouldn't take it as something personal.
As for the whole culture thing, I've never really bought into that. AFAIK Soulbender is (like me) from Sweden, and I certainly don't feel any 'cultural bond' with him or his views, and I certainly doubt that he does towards me. Let's leave generalizations concerning nationality out of this discussion, please.
Hyperbole?
Take a look at the claims for their file transfer protocol.
http://ipisec.de/index.php?option=com_content&task=view&id=17&Itemi...
This is interesting, but it also feels like Tsolkas is pushing his product. Not that he doesn't have a right to do that; but the whole thing looks just a little odd to me. And HSS doesn't seem to have much of a following; Googling it turns up this article and little else.
Also, I don't know Systrace from Adam, but considering the OpenBSD people consider it okay, I'm a bit confused by Tsolkas' dismissal of it as providing "bad security."
I'll admit I'm no security guru. But doesn't this smack a bit of scare marketing and FUD?
Edit: "Director Sales & Marketing..." Oh yeah. Duh.
Edited 2011-06-30 16:14 UTC
Didn't you hear the man? They're keeping a low profile because everyone wants to steal the code for their open source product. Uhm..no wait...wtf.
It's not, as long as you use it right. It certainly has some flaws but as long as you're aware of them and use the tool as intended it can be useful. Used wrong anything can be made to be "bad security".
Scare mongering = sales.
Hi Soulbender, it is me, Alex.
So let me give you some answers. n.runs AG is one of the best pentesting companies here in Germany and tested it. Call them; one of the two directors is American. http://www.nruns.com/_en/impressum.php. It is Donald Lee.
You forgot the 4 Laptops in addition to the 2 LBs.
It first has been published in IDG Computerwoche in the online blog "Security Expert Council - called Security Expertenrat", but IDG closed that blog in 2010. Look it up in Google Cache please.
We are not afraid that somebody steals the code for the Unix OS, but for the control panel software (licenseware) which controls the security functions we have implemented. We have no intention of making people scared; we are just selling a secure OS.
Why do you argue so aggressively? Be happy. Somebody invented something for good. By the way, Chief Developer was Marc Delling. Laugh; we are going to make our money with it anyhow, we already do. But just in case somebody spends 10 man-days in front of an SE-Linux to get it secure, we have a quicker, and well, of course a more expensive solution.
We will send David a copy of the license soon, so maybe you get a chance to look at it too.
Bye for now, Alex
I figured that much but the sentence in the article is confusing.
Uh, ok? Is that fact supposed to impress me?
And why would the 3-letter agencies have been interested in the control panel? It's just a front-end to the actual functions. I'm sure any shadow agency worth its salt could put together a front-end of their own, if they even need one.
The answers in the interview have a pretty scare-mongering tone, especially with the "the shadow agencies of the world are out to get our stuff" spiel.
Good for you. Maybe you have a good product, maybe not, but either way you're not doing it any favors with the hyperbole and scare-mongering tone in the interview.
I hope you will apply more quality to the english version of the whitepaper (really, not uninteresting!) than to the german version witch iss ful of speling erors annd, a typogreffical kattastrofe. :-)
Really, I find your project interesting, and it deserves higher-quality representation text material. You really should invest in a person who knows German sufficiently well (and also can use proper professional typesetting tools for optimal presentation) and can also provide a well-written English version. Low-quality documentation should not be the reason why a good project is being laughed at.
Pages 5 and 7 are "good" examples full of spelling errors and typographical no-gos. To a professional reader, the missing quality might very well be a reason to stop reading after page 2, which would be sad as the document is quite informative, but very hard to read.
You should also pay more attention to using correct terminology; e. g. page 5 footnote 1 mentions the IMMUTABLE flag, which definitely is not limited to Linux operating systems (only).
As security experts, being precise and correct is mandatory. You see, I'm not insulting you; please see my comment as friendly advice without any belittling of you as a person or HSS as a project - see it as constructive criticism including stated reasons.
I have not found typos on pages 5 to 7, but some format problems indeed. Thanks, yes, will consider it. We are just in the start-up phase for marketing now, and I like constructive criticism. I will go through it again when writing the English version.
Bye and a good weekend
Alex
Example on page 5: 1.1 item 2 missing comma after "werden"; item 4 "d.h." missing non-breaking space; item 5 superfluous comma before "etc"; item 12 "dass" (conjunction daß) instead of "das" (article) required; footnote 1 exact opposite error.
Same page, 1.2 "sogenannten" is an unword according to the new spelling rules; it has to be "so genannten" now.
Superfluous and missing commas, also missing hyphens in compound nouns. Also the typesetting is very bad on this page.
Those are of course not all errors on this page, there are more. I just picked those as an example to illustrate that they are definitely there. Proper proofreading will bring up many others.
Examples on page 7 contain typesetting again, there are massive "holes" in the text because of missing hyphenation. Also watch the commas.
Good idea, and honestly good luck, as properly reviewing and correcting the errors in content and form (which have to match each other if one wants a document to be taken seriously) are very important. And the project is worth it.
Yes, unfortunately it does create some sales, but it also scares away more informed customers. The article has me curious, but highly suspicious and dubious due to the scaremongering tone. There have been a lot of snake oil security companies. Without wider distribution and use, it won't get the Linux security community excited. If they get excited, then I'm excited and might consider it.
Although it was obviously a sales pitch, I think he's right that Linux security is in a bit of disarray. Like he said, AppArmor will do the job, but it has a lot of room for improvement.
"We wrote in 2008 in IDG Computerwoche (Computerweek) about it and three days later somebody broke into our Hamburg offices and tried to steal the source code. Fact is, we never had the source in our offices...So we think, that one of the existing three-letter-code agencies on earth tried their luck. Since that time, we’ve been keeping a low profile."
I don't understand this at all, isn't the code running in the kernel open source? Is it just the control panel which is closed source? If so, then why would any agencies really care about it?
I certainly hope he's not implying that keeping the source code secret is crucial to the security of the system. A source code leak shouldn't compromise security in the first place.
Edit: I'm probably reading into it to much, but I just don't understand why he'd bother to bring it up.
Edited 2011-06-30 16:55 UTC
Hi Alfman,
thank you for this objective comment. AppArmor was good, but...it is exactly how you write.
Agencies care about it, because we already sell it world wide, and there is no backdoor, there is no weak point in the server, except the one sitting in front of it.
No, I will ask where the source resides and let you all know. We do not bother to bring it up. We sold it silently the whole time. But we said, we can have more success if we make some "Rambazamba" as we say here in Germanistan.
Best Regards
Alexander
why would agencies be interested in the configuration front-end, when it's the GPL'ed code running in the kernel that's interesting security-wise?
See, this is an issue for me. This site is populated with engineers and developers that understand technology to absurd levels. Your chief developer should be the one who wrote the article for this site. You sent the wrong message to the wrong audience.
And...? If you're selling a product based on GPL code, then you should re-distribute the same code under the same license. If you're selling it _without_ the source code, then you're violating the GPL.
It takes less than 5 minutes to submit a request to http://gpl-violations.org/, and afaik Germany is already a proven country for the validity of the GPL.
Where can we find the source code?
Cheers
To be fair, only those who have been given the binary are entitled to ask for the source. Any recipient of the source is welcome to release it for wider distribution for whatever cost they would like. It's not required to be provided to the general public, unless you are also distributing the binary to them.
But trying to keep GPL'd code secret is crazy. It is not a good sign that it is not generally available.
Actually, no you are not. You don't have to provide the source code unless someone specifically asks you for it. Then you are required to provide it. And of course, nothing is stopping you from taking the source once they give it to you and publishing it for all the rest of the world to see. That would be perfectly legal.
"A Highly proprietary ... secure kernel."
So it's proprietary and nobody has the source to review it to confirm its "security".
Mmmmm.....OK.
As a rule, anything that is a binary I don't trust.
Source code I do trust as it can be peer reviewed.
That is the best security you can get, next to running a NULL kernel. (Which is what every machine runs when it is powered off.)
-Hack
Would be interesting to see if someone who makes the request receives the source code for the secured kernel. Please let us know.
Honestly I barely understood the "interview", it is bad enough that English is not my primary language. But if you write in broken English that makes it harder to understand.
The CIA/ KGB conspiracy theory was funny though. Don't know if that was the intention.