| 1 |
On 03/18/2013 05:38 PM, Kevin Chadwick wrote: |
| 2 |
>>> |
| 3 |
>>> It's one of Blueness projects based on Hardened Gentoo. It loads |
| 4 |
>>> into ram at boot (you need something like 4 gig of ram) which |
| 5 |
>>> takes ages from dvd but could be from an ssd/hdd (defeating half |
| 6 |
>>> the point without a ro switch though). It can update from the net |
| 7 |
>>> once booted too. |
| 8 |
>>> |
| 9 |
>>> Once done everythings in ram so firefox can literally pop up like |
| 10 |
>>> a web advert upon execution. |
| 11 |
>>> |
| 12 |
>> |
| 13 |
>> In other words, it's a distribution designed to not allow |
| 14 |
>> persistent storage that might possibly be poisoned, |
| 15 |
> |
| 16 |
> Not really, that is one benefit, but don't forget that BIOS, HDD or |
| 17 |
> Video card firmware could have been altered. |
| 18 |
|
| 19 |
Sure. |
| 20 |
|
| 21 |
> |
| 22 |
> The main goals are reliability and leave no trace elements but it |
| 23 |
> does have some added tamper ensurance yes. |
| 24 |
> |
| 25 |
> I didn't spell it out because you should check the site to see all |
| 26 |
> the details and would be bound to get it a little wrong without |
| 27 |
> checking myself. |
| 28 |
> |
| 29 |
>> and instead get much of its security-conscious code updated over |
| 30 |
>> the network. |
| 31 |
>> |
| 32 |
> |
| 33 |
> Security conscious code??? What do you mean? That says to me things |
| 34 |
> like PAX brute force protection?? |
| 35 |
|
| 36 |
I mean everything that gets updated more frequently owing to its being a |
| 37 |
high-profile target in security contexts. Web browsers. Mail clients. |
| 38 |
Listening daemons. |
| 39 |
|
| 40 |
Having a static image that you need to update every time you boot is a |
| 41 |
bit like plugging in an unpatched Windows machine that you need to run |
| 42 |
updates on...every time you boot. It's a tad silly in that respect. |
| 43 |
|
| 44 |
> |
| 45 |
> Even though it is from a DVD it can be updated just like standard |
| 46 |
> linux. The problem is, if you run out of ram then things get killed. |
| 47 |
> |
| 48 |
> |
| 49 |
>> (Frankly, this sounds quite nice for kiosk environments.) |
| 50 |
> |
| 51 |
> Could be if you have a good enough network connection for Linux |
| 52 |
> kernel updates or cut it right down ;-) |
| 53 |
|
| 54 |
Local gigabit is cheap, and a gigabit connection would transfer the |
| 55 |
image in under a minute. A bit more, of course, if you've got an |
| 56 |
overloaded server being slammed by ten or twenty machines. |
| 57 |
|
| 58 |
(I wonder if one can anycast TFTP on a local segment. Hm. I think you |
| 59 |
could just barely pull it off, since you'd have resolved the layer 2 |
| 60 |
address for your syn packet, and that should stick with the connection.) |
Archives