On 03/18/2013 05:38 PM, Kevin Chadwick wrote:
>>>
>>> It's one of Blueness's projects based on Hardened Gentoo. It loads
>>> into RAM at boot (you need something like 4 gig of RAM), which
>>> takes ages from DVD but could be from an SSD/HDD (defeating half
>>> the point without a read-only switch, though). It can update from the net
>>> once booted too.
>>>
>>> Once done, everything's in RAM, so Firefox can literally pop up like
>>> a web advert upon execution.
>>>
>>
>> In other words, it's a distribution designed to not allow
>> persistent storage that might possibly be poisoned,
>
> Not really, that is one benefit, but don't forget that BIOS, HDD or
> video card firmware could have been altered.

Sure.

>
> The main goals are reliability and leaving no trace elements, but it
> does have some added tamper assurance, yes.
>
> I didn't spell it out because you should check the site to see all
> the details, and I would be bound to get it a little wrong without
> checking myself.
>
>> and instead get much of its security-conscious code updated over
>> the network.
>>
>
> Security-conscious code??? What do you mean? That says to me things
> like PaX brute force protection??

I mean everything that gets updated more frequently owing to its being a
high-profile target in security contexts. Web browsers. Mail clients.
Listening daemons.

Having a static image that you need to update every time you boot is a
bit like plugging in an unpatched Windows machine that you need to run
updates on...every time you boot. It's a tad silly in that respect.

>
> Even though it is from a DVD, it can be updated just like standard
> Linux. The problem is, if you run out of RAM then things get killed.
>
>
>> (Frankly, this sounds quite nice for kiosk environments.)
>
> Could be, if you have a good enough network connection for Linux
> kernel updates, or cut it right down ;-)

Local gigabit is cheap, and a gigabit connection would transfer the
image in under a minute. A bit more, of course, if you've got an
overloaded server being slammed by ten or twenty machines.

(I wonder if one can anycast TFTP on a local segment. Hm. I think you
could just barely pull it off, since you'd have resolved the layer 2
address for your SYN packet, and that should stick with the connection.)