[00:00:59] comotion_: what did you mean about the vm thing? if one vm instance is compromised, only that one is compromised.
[00:02:48] *** Joins: Kebap (Max@RBOSE-dp051m.adsl.hansenet.de)
[00:03:06] if the host system is not compromised, that is, or the kernel, or some other stuff that every system runs.
[00:04:40] -nobody- Kebap23 has joined on FREENODE
[00:04:41] -nobody- mode change by ChanServ on FREENODE: +v Kebap23
[00:08:11] *** Joins: Hakufu (jonte@RBOSE-aa2ikg.bredband.comhem.se)
[00:08:24] scrdcow: if one virtual machine is compromised, there are ways to compromise other vms or the host
[00:08:51] comotion_: in what ways, and there are no solutions for that?
[00:08:59] the area of vm security is rather underdeveloped and not well understood
[00:09:55] up until now I have mostly seen it as making it harder for people, since there's more to it. but it's also about convenience and cleaner setup imo.
[00:09:56] by far the coolest sploit is when you use the hypervisor idea to create a runaway vm that isn't visible to the host
[00:10:47] since there is more to it == more complexity == enemy of security
[00:11:14] cleaner intuitively is uglier low-level
[00:11:31] you think so even if you're not first owned on one of the vms?
[00:12:07] well no, at that point (runaway vm) you've owned the hypervisor
[00:12:48] which might be a stretch as typically it's a tiny OS that just multiplexes machines
[00:12:51] ah ok.
[00:12:56] yes
[00:12:59] but keep in mind that in linux the kernel is the hypervisor
[00:13:23] depending on setup?
[00:13:35] in kvm
[00:13:37] yes
[00:13:45] I can't run kvm though (on my planned server)
[00:13:51] xen then
[00:13:53] have to go with xen or other..
[00:13:56] yes
[00:14:41] but what I mean was more that, if they own one vm, they can maybe (I haven't researched it, but you tell me so) more easily own the others, but at least they have to put more effort into it.
[00:14:59] problem of vm security paradigm is that instead of ONE kernel to secure with ONE security paradigm mapping to one set of hardware you have many kernels running different paradigms running on virtualized hardware interfacing with hypervisor interfacing with real hardware
[00:15:05] one extra layer. any faults in that thinking?
[00:15:37] the fault is in thinking these are layers of security, when I would call them "attack surfaces"
[00:15:48] I will be semi-lazy, security.debian.org will do ;-
[00:15:49] ;-)
[00:15:50] scrdcow: Error: "-)" is not a valid command.
[00:16:02] Key is a weirdo
[00:16:02] comotion_: Error: "is" is not a valid command.
[00:16:22] chatty bot, that Key
[00:16:44] comotion_: yes, it's both imo. I meant like different layers on the same plane, but if you own one, and on that machine then trying to own another == another layer.
[00:16:59] comotion_: at least that's how I'm thinking.
[00:17:56] ok, so you should look at timing attacks, vm escapes and bluepill
[00:18:15] also, if your VMs all share the same subnet, owning one is all you need
[00:18:35] yeah (first)
[00:18:40] why? (second)
[00:18:55] take a look at arp spoofing
[00:19:16] the above stated reasons, amongst others, are why Theo de Raadt has said they will *never* allow virtualization into FreeBSD
[00:19:49] you mean openbsd? (or he actually said that about freebsd?)
[00:19:57] I mean openbsd I guess
[00:20:00] hehe
[00:20:36] just making sure :-)
[00:21:05] can't find the direct link but here is a quote: http://www.c0t0d0s0.org/archives/3651-Theo-de-Raadt-about-virtualisation.html
[00:21:07] Title:  Theo de Raadt about virtualisation - c0t0d0s0.org (at www.c0t0d0s0.org)
[00:21:11] but in what way would you compromise with arp spoofing? how do you get access to the machine..
[00:21:50] you can play around with data that gets sent over the net.. but.. hmm..
[00:21:52] do you need to, when you can kill it and fake the machine to any other?
[00:22:19] you mean if you own the hypervisor yes.
[00:22:29] no, I mean as a subverted VM
[00:23:03] look, your threat model says "one compromised machine can't compromise the others"
[00:23:22] ok. maybe I'm too tired. but I don't really see how arp spoofing could help you into owning further vms.
[00:24:19] that is the preferred. but I see it more like this "one compromised machine is one machine compromised, now you have to go on to the next one"
[00:25:10] but maybe that is faulty thinking or it's so damn easy and hard to fix that it doesn't really matter in the end.
[00:25:11] axx to a vm == you are running code. on the hardware. do you really think there is no way of subverting the security mechanisms that you so cherish for isolation?
[00:25:40] but what I was talking about is when the vms all share a subnet, then you don't need to even try that (admittedly more difficult) route
[00:26:28] by instead of attacking the other machines, attack the connecting clients
[00:26:28] comotion_: I dunno. I haven't looked into how different virtualisation software try to fix that issue and make it harder etc.
[00:26:54] comotion_: I just guess there must be some thought into it.
[00:27:00] that's the thing, no such overview exists for this terribly complex and underdeveloped field of security
[00:27:09] ok :-)
[00:28:02] ok, sure. you can attack the clients. or try to grab the precious data-gold on the net, if it's not encrypted.
[00:28:30] it usually isn't, or it's susceptible to MITM
[00:29:47] have to think that part through. haven't got a clear design yet though. not even sure what I shall run. mainly it was for convenience, but also thought it could add some extra security.
[00:30:14] convenience and learning that is.
[00:30:51] cool :-) tell me the reason you can't run kvm?
[00:31:17] comotion_: old comp
[00:31:26] no paravirt extensions eh?
[00:31:33] comotion_: only have older virt.
[00:31:44] comotion_: no.. it's a p4 from the dump hehe
[00:31:54] if you want to learn a lot, try running FreeBSD with jails
[00:32:07] if you want linux, I recommend looking at lxc
[00:32:21] I feel like sticking with debian actually.
[00:32:29] at least as host and main vms.
[00:32:31] lxc is very new but very promising way of running many linux systems with the same kernel... on debian
[00:32:47] could try out other stuff as well on some vms.
[00:32:50] ah ok.
[00:33:27] with no performance impact, where virtualisation without hardware extensions sucks biiiiig balefully blue ballz
[00:33:50] what do you have to say about openvz or xen?
[00:34:02] oh :-/
[00:34:14] thought it would be pretty decent since it's no emulation.
[00:34:28] trust me, I share debian boxen running on older hardware with a friend, he wanted to run xen/kvm and we could hardly run one egggztremely slow vm on the box
[00:34:39] *** Joins: shaolin (shaolin@RBOSE-pjrgdm.bredband.comhem.se)
[00:34:41] it does have old xv vx, or whatever the name is. older intel virt tech.
[00:34:47] but maybe that doesn't help a lot.
[00:35:11] openvz was cool, the approach is similar to LXC, advantage of it is it's better documented, while advantage of LXC is that it's going to be _the_ way on linux
[00:35:54] alright.
[00:35:57] maybe it helps a bit? our systems had none, and it was pieces of shit all over
[00:36:05] hehe, what hardware?
[00:37:22] dl650
[00:38:25] dunno what it is.
[00:38:31] what processor etc?
[00:38:38] google didn't say much
[00:38:56] just want to get a feeling of how fast it is so that I can compare it to my p4 half-garbage ;-)
[00:39:01] p4
[00:39:05] ok
[00:39:17] total garbage
[00:39:30] *** Quits: kalken (default@RBOSE-pjrgdm.bredband.comhem.se) (Ping timeout: 241 seconds)
[00:39:35] as in, they were throwing two away and we grabbed them both
[00:39:38] brb, have to get some food.
[00:39:42] ah.
[00:39:49] no prob, I'm gonna sign off
[00:39:51] my friend has this contact at the dump
[00:39:56] cool
[00:40:00] so he can place orders for stuff ;-)
[00:40:14] I work in a firm that throws away a lot of servers once they phase them out
[00:40:15] so he had tons of p4 boxen but later threw them away, but I grabbed some.
[00:40:31] they are all right, don't really need much
[00:40:39] to serve awesomeness
[00:40:40] comotion_: you're not allowed to take any?
[00:40:42] but not vir
[00:40:45] mm
[00:40:51] sure I'm allowed to take as many as I can carry
[00:41:02] nice
[00:41:04] I have more RAM than I can carry
[00:41:25] too bad there are so few mobos out there with shittons of RAM slots
[00:41:35] mm
[00:41:47] but I don't need much either, but I bet virt will eat a lot...
[00:41:55] anyways, like Viper was saying, trust nothing and you'll be home free
[00:42:01] virt eats as much mem as you give it
[00:42:13] I mean, what I really need.
[00:42:18] and all CPU if you don't have Virt exTensions
[00:42:36] that is a good default. but you do have to trust to be able to actually do stuff.
[00:42:45] compromise :D
[00:43:08] :-)
[00:43:11] amd/intel can update disable your cpu without asking you LOL
[00:43:37] Viper: amd/intel runs selinux - nsa owns amd/intel - turns off all cpus
[00:43:39] ;-)
[00:43:39] scrdcow: Error: "-)" is not a valid command.
[00:45:03] Key: do you think you are error
[00:45:04] scrdcow: Error: "tycker" is not a valid command.
[00:46:06] comotion_: thanx for info. ttyl
[00:49:14] `test
[00:49:15] this is a test
[00:54:43] *** Quits: kman (kman@RBOSE-hhm.9h0.94.93.IP) (Ping timeout: 241 seconds)
[00:56:17] *** Quits: nobody (UFO@Unidentified.Flying.Object) (Connection closed)
[00:56:22] *** Quits: Key (supybot@root.password) (Connection closed)
[01:02:41] *** Joins: nobody (UFO@RBOSE-gkfu2h)
[01:02:47] *** RBOSE sets mode: +o nobody
[01:03:16] *** Joins: SoNeta (piespy@RBOSE-gkfu2h)
[01:03:16] *** RBOSE sets mode: +v SoNeta
[01:03:32] -nobody- nobody has joined on FREENODE
[01:03:36] -nobody- mode change by ChanServ on FREENODE: +o nobody
[01:17:06] http://www.youtube.com/watch?v=9ckpQW9sdUg
[01:17:08] Title:  MIT Physics Demo -- Dissectible Capacitor - YouTube (at www.youtube.com)
[02:12:17] -nobody- Calyp has quit FREENODE (Quit: Leaving)
[02:28:00] *** Quits: shaolin (shaolin@RBOSE-pjrgdm.bredband.comhem.se) (Connection closed)
[02:31:24] http://www.youtube.com/watch?v=Y4m82cvThd8
[02:31:26] Title:  Eric Dollard Peter Lindemann Teslas Longitudinal Electricity - YouTube (at www.youtube.com)
[02:57:38] -nobody- Kebap21 has joined on FREENODE
[03:04:22] -nobody- Kebap23 has quit FREENODE (Ping timeout: 240 seconds)
[03:13:38] !night all
[03:13:39] ACTION wishes everybody in #RBOSE a Good Night! (Even if missboty will not go to sleep, but DNS requested that)
[03:13:47] *** Quits: DNS (DNS777@RBOSE-b1mtfs.superkabel.de) (Quit: mo0h)
[03:16:02] http://www.youtube.com/watch?v=A6KRxWEYCxo
[03:16:06] Title:  Alternative Energy from Sound Waves can be achieved! - YouTube (at www.youtube.com)
[03:16:10] loool
[03:26:00] *** Quits: lukas (lukas@RBOSE-gkfu2h) (Quit: WeeChat 0.3.7-dev)
[08:19:13] *** Quits: Slush-_ (Slush-@RBOSE-kh9mjp.cust.bredbandsbolaget.se) (Quit: leaving)
[08:50:41] *** Joins: kalken (default@RBOSE-pjrgdm.bredband.comhem.se)
[09:35:55] good morning peeps
[10:26:19] morning scrdcow
[10:33:13] *** Joins: DNS (DNS777@RBOSE-g81rur.superkabel.de)
[10:34:05] !morning all
[10:34:06] ACTION wishes everybody in #RBOSE a wonderful morning and a great start in the day!
[10:39:07] morning DNS :)
[10:58:28] http://www.theregister.co.uk/2011/12/15/wd_warranty_period_cuts/
[10:58:31] Title:  WD slashes warranty periods on Blue and Green drives • The Register (at www.theregister.co.uk)
[10:58:33] http://www.theregister.co.uk/2011/12/16/seagate_cutting_warranties/
[10:58:36] Title:  Seagate matches and raises WD disk warranty cuts • The Register (at www.theregister.co.uk)
[11:08:29] *** Joins: Caly (Caly@RBOSE-r8cclu.cust.telenor.se)
[11:12:11] hi all
[12:27:34] *** Joins: lukas (lukas@RBOSE-gkfu2h)
[12:51:59] hi
[13:13:10] Yo!
[13:13:16] `f
[13:13:16] Viper: Q: What is printed on the bottom of beer bottles in Minnesota? A: Open other end.
[13:35:26] *** Joins: antilect (antilect@RBOSE-pjrgdm.bredband.comhem.se)
[13:43:50] www.youtube.com/watch?v=Soj7O_OXOas
[14:21:54] *** Joins: APE (sixth_ape@RBOSE-pffksj.mweb.co.za)
[14:45:45] *** Joins: Hakufus (Hokafu@RBOSE-32j.kem.88.62.IP)
[14:54:16] *** Joins: kman (kman@RBOSE-hhm.9h0.94.93.IP)
[15:43:56] *** Quits: Hakufus (Hokafu@RBOSE-32j.kem.88.62.IP) (Ping timeout: 241 seconds)
[15:46:38] o//
[16:50:25] *** Joins: iamme110 (iamme@RBOSE-444.1i5.31.41.IP)
[17:32:16] *** Quits: DNS (DNS777@RBOSE-g81rur.superkabel.de) (Quit: y0y0y0 bbl)
[17:37:07] https://www.youtube.com/watch?v=IkY9K3emAa8
[17:37:11] Title:  Chinese Authorities Lose Control as Village Revolts - YouTube (at www.youtube.com)
[17:38:12] http://planet.gnu.org/gnutelephony/?p=22
[17:38:15] Title:  GNU Telephony » Blog Archive » GNU Telephony plans for 2012 (at planet.gnu.org)
[17:46:05] *** Quits: ZyaX (9jti8d8@RBOSE-5lntnm.bredband.comhem.se) (Quit: In Soviet Russia peer's connection is reset by you.)
[17:48:56] *** Joins: ZyaX (9jti8d8@RBOSE-5lntnm.bredband.comhem.se)
[17:53:34] !morning all
[17:53:34] ACTION wishes everybody in #RBOSE a wonderful morning and a great start in the day!
[17:54:16] hi Kebap :)
[17:57:48] I found this python magazine from the argentinian python user group, it is very funny and insightful: http://revista.python.org.ar/1/html-en/
[17:57:59] Title:  PET: English Translation (at revista.python.org.ar)
[18:02:51] http://www.jeremyblum.com/2011/12/15/open-source-society-tedx/,
[18:03:31] -nobody- Calyp has joined on FREENODE
[18:03:32] -nobody- mode change by ChanServ on FREENODE: +v Calyp
[18:16:50] *** Quits: iamme110 (iamme@RBOSE-444.1i5.31.41.IP) (Ping timeout: 241 seconds)
[18:48:51] *** Quits: APE (sixth_ape@RBOSE-pffksj.mweb.co.za) (Quit: Nettalk6 - www.ntalk.de)
[19:05:41] *** Quits: ZyaX (9jti8d8@RBOSE-5lntnm.bredband.comhem.se) (Ping timeout: 241 seconds)
[19:05:45] *** Joins: ZyaX (9jti8d8@RBOSE-5lntnm.bredband.comhem.se)
[19:34:00] *** Joins: DNS (DNS777@RBOSE-5v60vs.superkabel.de)
[21:14:29] *** Quits: kman (kman@RBOSE-hhm.9h0.94.93.IP) (Connection closed)
[21:25:45] *** Quits: Caly (Caly@RBOSE.org) (Quit: Leaving)
[21:25:46] -nobody- Calyp has quit FREENODE (Quit: Leaving)
[22:07:58] *** Quits: kalken (default@RBOSE-pjrgdm.bredband.comhem.se) (Ping timeout: 241 seconds)
[22:10:01] *** Quits: antilect (antilect@RBOSE-pjrgdm.bredband.comhem.se) (Connection closed)
[22:11:15] *** Joins: antilect (antilect@RBOSE-pjrgdm.bredband.comhem.se)
[23:00:15] *** Quits: lukas (lukas@RBOSE-gkfu2h) (Quit: WeeChat 0.3.7-dev)