Re: Proposing amd64-hardened architecture for Debian
On Fri, 18 Apr 2014 14:57:41 +0200
Aaron Zauner wrote:
> > Usually the Linux kernel itself provides more than enough entropy. This
> > can (and probably should) be enhanced but should not be done in a
> > specific distribution.
I know there has been a little work on the kernel in this area, mainly
when you have a modern cpu you will be fine but are the days of waiting
on gpg and being asked to move the mouse on the latest Linux Kernel and
whichever kernel lands in debian 8 over? You should be able to write
gigabytes of random data to disk without any worry.
> > Building exploit mitigations isn’t easy. It’s difficult because the
> > attackers are relentlessly clever. And it’s aggravating because there’s
> > so much shitty software that doesn’t run properly even when it’s not
> > under attack, meaning that many mitigations cannot be fully enabled.
> > But it’s absolutely infuriating when developers of security sensitive
> > software are actively thwarting those efforts by using the world’s most
> > exploitable allocation policy and then not even testing that one can
> > disable it.
> Nothing to add here, very well said!
I realised just after sending that I had removed one too many seperating
lines (before the link).
So I wasn't as clear as I meant to be in that the bit above was taken
from an OpenBSD devs (Teds) page about Heartbleed.
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
Reply to: