Linked by Thom Holwerda on Tue 30th Aug 2011 17:29 UTC, submitted by Dale Smoker
OSNews, Generic OSes "What would an operating system look like it if were redesigned with security in mind? Joanna Rutkowska thinks she has the answer with the development of Qubes OS. We sit down for an interview with Joanna to discuss the way Qubes OS augments security."
Order by: Score:
OSNews?
by gedmurphy on Tue 30th Aug 2011 19:14 UTC
gedmurphy
Member since:
2005-12-23

What's going on?

We get actual operating system news and it gets 3 lines on the second page.
We get patent news and it gets force fed to everyone.

Maybe it's time for a name change to PatentNews.com
:)

Reply Score: 3

RE: OSNews?
by Bill Shooter of Bul on Tue 30th Aug 2011 19:46 UTC in reply to "OSNews?"
Bill Shooter of Bul Member since:
2006-07-14

Well your content-less comment certainly helped prove just how much regular readers are engaged by Serious OS news.

I, for one, would be interested to play with Qubes. From the article, it would seem to mean that Qubes would really perform poorly when compared to other operating systems. Instead of just one operating system, you'd be running 3-6. Most of that would be duplicate processing and duplicate memory usage. Also while you data may be secure due to the isolation of the virtual machines, a bot net would be more than happy to just inhabit one of them and continue attacking other systems, sending spam, and/or burrowing further into your network. Maybe it raises the bar a bit, but is the marginal security improvement worth the complexity? The more separated the virtual machines are, the more difficult it would be to interact with them. The less separated, the less secure. I think SeLinux is just now starting to be worth it for me.

Reply Score: 6

RE[2]: OSNews?
by joshv on Tue 30th Aug 2011 23:59 UTC in reply to "RE: OSNews?"
joshv Member since:
2006-03-18

Meh, 4 GB is min now, 8GB will be standard soon.

Sure your browsing instance could get infected and become a bot, but at least it's not going to spread to the base OS or the other VMs. And it's also very very easy to re-image a suspect VM with a known safe image.

Reply Score: 1

RE[3]: OSNews?
by Bill Shooter of Bul on Wed 31st Aug 2011 16:44 UTC in reply to "RE[2]: OSNews?"
Bill Shooter of Bul Member since:
2006-07-14

Meh, 4 GB is min now, 8GB will be standard soon.


Yeah, there are always tradeoffs to be made. In this case you'd be trading memory ( and maybe speed) for security. As I said before, maybe its worth it for some people. I just get sick of marketing material that promises a great improvement in X, while completely ignoring the accompanying regression in Y. Its always best to present all the info up front so people can evaluate technologies quickly and easily as possible.

Sure your browsing instance could get infected and become a bot


I think that's the primary goal of bot writers. So maybe the best approach for system admins is to regularly reimage the browsing vm to disrupt botnets and malware.

Reply Score: 2

Joanna Rutkowska
by fran on Tue 30th Aug 2011 23:00 UTC
fran
Member since:
2010-08-06

She's hot too. She can totally secure my PC.

Reply Score: 2

RE: Joanna Rutkowska
by Gullible Jones on Tue 30th Aug 2011 23:13 UTC in reply to "Joanna Rutkowska"
Gullible Jones Member since:
2006-05-23

I was going to post something insulting here, but eventually I realized a polite refutation would probably be more useful. So...

Rutkowska is a world-renowned security expert. I'm not sure what your credentials are - for all I know they might be quite impressive - but you've basically gone and indicated that her skills take a back seat to her looks. Which is pretty insulting.

Think about it. If you were a legit genius, and people said stuff like that about you, I'm betting you'd get pretty tired of it pretty fast.

Edited 2011-08-30 23:13 UTC

Reply Score: 1

RE[2]: Joanna Rutkowska
by RshPL on Tue 30th Aug 2011 23:31 UTC in reply to "RE: Joanna Rutkowska"
RshPL Member since:
2009-03-13

Oh, come on. To say that a woman is pretty, it is quite a compliment. To ignore her qualities as a woman, that would be insulting IMHO. ;) Smart, pretty, and world-known expert - guys must have quite a hard nut to crack, or she may already have a happy personal life, so good for her! Loosen up. ;)

Reply Score: 4

v RE[3]: Joanna Rutkowska
by mdupont on Wed 31st Aug 2011 08:50 UTC in reply to "RE[2]: Joanna Rutkowska"
RE[4]: Joanna Rutkowska
by Thom_Holwerda on Wed 31st Aug 2011 10:51 UTC in reply to "RE[3]: Joanna Rutkowska"
Thom_Holwerda Member since:
2005-06-29

No. This sexist kind of behavior makes me think of http://xkcd.com/322/


Really. The only sexist behaviour in this thread are the men assuming this lady needs protecting. Saying a girl is pretty is not sexist - it's a compliment, and I can assure you, most girls perceive it that way.

I happen to be one of those guys who has always preferred hanging out with women, and I can assure you: women are no different. They talk about us guys in the exact same way, and they sure as hell don't need men "sticking up for them" whenever a guy calls them pretty.

So, I'll just be upfront about it: she indeed looks quite attractive, and there's nothing wrong with stating as such.

Edited 2011-08-31 10:52 UTC

Reply Score: 2

RE[2]: Joanna Rutkowska
by Soulbender on Wed 31st Aug 2011 14:32 UTC in reply to "RE: Joanna Rutkowska"
Soulbender Member since:
2005-08-18

Maybe an actual woman could chime in on this rather than men thinking they defend women.
If I say I don't think she's hot is that an insult or a compliment?

Reply Score: 4

RE: Joanna Rutkowska
by Radio on Tue 30th Aug 2011 23:13 UTC in reply to "Joanna Rutkowska"
Radio Member since:
2009-06-20

Too bad she'll never read your ILOVEYOU email.

Reply Score: 4

RE: Joanna Rutkowska
by bugmenot on Wed 31st Aug 2011 08:28 UTC in reply to "Joanna Rutkowska"
bugmenot Member since:
2006-02-26

There is some people saying that she used to be a .. he.
(source: http://www.rutkowska.yoyo.pl )

:P

Reply Score: 3

RE[2]: Joanna Rutkowska
by Morgan on Wed 31st Aug 2011 10:49 UTC in reply to "RE: Joanna Rutkowska"
Morgan Member since:
2005-06-29

And...what's your point? Have we not, as rational thinkers, far exceeded the point where the person's sexual orientation takes a back seat to their accomplishments?

Guy, girl, transgender, natural sex, it doesn't matter! Whether you agree with someone's research or not, personal attacks -- especially of a sexual nature -- are not only childish but really have no place here. I'd expect this kind of pedantry on Slashdot but I thought the OSNews readership had grown up some.

And I do realize you weren't making an accusation yourself, rather just bringing up the topic. But my point is, who the hell cares? I certainly don't, and my opinion of the person's research is not affected in the least by the question of her sexuality.

Reply Score: 3

RE[3]: Joanna Rutkowska
by bugmenot on Wed 31st Aug 2011 11:29 UTC in reply to "RE[2]: Joanna Rutkowska"
bugmenot Member since:
2006-02-26

I was just pointing that information to people saying that "she is hot" because maybe they don't know about this.

My opinion of her research is not affected in anyway.

Reply Score: 2

RE[2]: Joanna Rutkowska
by bannor99 on Thu 1st Sep 2011 19:34 UTC in reply to "RE: Joanna Rutkowska"
bannor99 Member since:
2005-09-15

<span>There is some people saying that she used to be a .. he.
(source: http://www.rutkowska.yoyo.pl" http://www.rutkowska.yoyo.pl</... )

:P</span>


I was going to dismiss this out of hand but after taking a closer look, it's slightly plausible.
First off, she's only "hot" if you haven't seen an attractive woman in a while. I'm not saying ugly but definitely not hot.
Regarding her gender, she does have man-hands and is very slim-hipped but there doesn't seem to be any trace of an Adam's apple. She also has good-sized breasts, although hormones or implants can easily provide those.
So I think she's just a woman with a few manly characterstics.

Reply Score: 2

Comment by orestes
by orestes on Tue 30th Aug 2011 23:04 UTC
orestes
Member since:
2005-07-06

Interesting concept, but one does wonder how difficult it will end up being to set up and maintain properly in real environments? It's not enough to be secure, it has to be usable from an administrative standpoint too.

Edited 2011-08-30 23:05 UTC

Reply Score: 2

Secure OS?
by Nicram on Wed 31st Aug 2011 08:31 UTC
Nicram
Member since:
2006-01-31

"What would an operating system look like it if were redesigned with security in mind?"

It would be OpenBSD then, that i use:)
KISS, great code quality and best manuals ever. Linux based distro is just... another Linux based distro, nothing more ;)

Reply Score: 3

RE: Secure OS?
by renox on Wed 31st Aug 2011 09:01 UTC in reply to "Secure OS?"
renox Member since:
2005-07-06

"What would an operating system look like it if were redesigned with security in mind?"

It would be OpenBSD then, that i use:)


Not really: OpenBSD doesn't have capabilities, doesn't use "safe" languages such as Ada, etc.

Reply Score: 4

RE[2]: Secure OS?
by moondevil on Wed 31st Aug 2011 10:35 UTC in reply to "RE: Secure OS?"
moondevil Member since:
2005-07-08

An operating system coded in a mix of C and Assembly, without capabilities and which relies on pure code review as security measures is by definition not secure.

I am a firm believer in the use of safe languages for system programming. A few examples do exist, but they take years before the status quo of current systems do change.

In a way we have to thank all the kids exploiting bad coded applications out there. They have raised the awareness that sometimes safety is better than raw speed and made easier to get research grants for OS development with safe system programming languages.

Reply Score: 2

RE[3]: Secure OS?
by joshv on Wed 31st Aug 2011 11:41 UTC in reply to "RE[2]: Secure OS?"
joshv Member since:
2006-03-18

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn't on your safe list, but how do other languages do it differently enough that they aren't vulnerable to similar exploits?

Reply Score: 2

RE[4]: Secure OS?
by renox on Wed 31st Aug 2011 11:53 UTC in reply to "RE[3]: Secure OS?"
renox Member since:
2005-07-06

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits.

Note that the JVM isn't coded in Java..
So JVM exploits doesn't count as Java's vulnerabilities.

Anyway, I agree with you that "safe" languages don't really exist, but "safer" languages (i.e safer than C) do exist.

Reply Score: 2

RE[4]: Secure OS?
by moondevil on Wed 31st Aug 2011 12:22 UTC in reply to "RE[3]: Secure OS?"
moondevil Member since:
2005-07-08

Safe languages are languages that do the following:

- Bound check validation of arrays;
- Use proper string data types;
- No direct port IO;
- No pointer arithmetic;
- GC enabled if possible;
- Force initialization of variables before use;
- No direct conversion between data types

Ada, Oberon, Modula-3, D, Spec# are a few examples of safe system programming languages with real OS written in them (except D).

Usually you can always do the same dirty tricks as C and C++ allow, but only via unsafe mechanisms. Which you do have to call explicitly and is is very easy to constrain its usage to specific modules. Whereas in unsafe languages they can happen anywhere on your code.

Plus, in very performance critical code it is possible to disable some of the security checks if you so wish, but then you are at your own risk.

Reply Score: 3

RE[4]: Secure OS?
by moondevil on Wed 31st Aug 2011 12:43 UTC in reply to "RE[3]: Secure OS?"
moondevil Member since:
2005-07-08

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn't on your safe list, but how do other languages do it differently enough that they aren't vulnerable to similar exploits?


Those exploits take advantage that most JVMs are written in a mixture of C, C++ and assembly. So they exploit buffer overruns in the JVM, by providing invalid .class files or the native methods that do image manipulation for example.

That is why there are a few research JVMs written in Java itself with minimal amount of C and assembly, like the Squawk and JikesRVM ones.

Reply Score: 3

RE[5]: Secure OS?
by joshv on Wed 31st Aug 2011 13:11 UTC in reply to "RE[4]: Secure OS?"
joshv Member since:
2006-03-18

Ah interesting, so a self-hosting VM based "safe" language could be considered to be safer than those that are hosted in a VM written in an unsafe language. Makes sense. Though I imagine there have to be some performance issues.