[GTALUG] MP BIOS Toshiba - semi revival

Russell Reiter rreiter91 at gmail.com
Tue Mar 17 15:37:02 UTC 2015


I think what is important to remember is that most recently discovered
exploits were in fact known at one point or another, at least to the
original authors of the code, if not necessarily documented and shared. How
much information is shared between allies and foes is usually a matter of
operational security.

I believe that Debian has moved towards implementing Dependency Based Booting
with an eye to, at some time in the future, compiling the OS each time at
runtime.

In this case brevity would be a factor in the time it takes to initialize
key security layers and foiling "injected" exploits as opposed to
"discovered" ones. However, too much simplicity can lead to security holes
and other hidden features.

I tend to disagree that reliability and security are distinctly separate
and measurable. Each may be quantified as a measure of trust in
relationship to the other and acted upon accordingly in relation to any
OPSEC priorities.


On Tue, Mar 17, 2015 at 11:05 AM, Christopher Browne <cbbrowne at gmail.com>
wrote:

> On 17 March 2015 at 10:16, Russell Reiter <rreiter91 at gmail.com> wrote:
> > I'm not sure that performance and security aren't interchangeable
> > concepts.
> > While the implementation of dash did improve performance it did also
> > mitigate the effects of the Shellshock vulnerability discovered last year.
>
> Well, if you examine the package information about Dash, the description
> is reasonably specific...
> https://packages.debian.org/sid/shells/dash
>
> "The Debian Almquist Shell (dash) is a POSIX-compliant shell derived from
> ash.
>
> Since it executes scripts faster than bash, and has fewer library
> dependencies (making it more robust against software or hardware
> failures), it is used as the default system shell on Debian systems."
>
> I agree that performance is somewhat related to security; a denial of
> service can result from poor performance.  But the above seems to be
> descriptive of why Dash was chosen as the default shell in Debian
> post-Squeeze.
>
> Fewer library dependencies is an interesting additional property.
> That is presumably "more secure" as well, but I think they were after
> "more reliable" which, while not unrelated, is a distinctly separate
> measure.
> --
> When confronted by a difficult problem, solve it by reducing it to the
> question, "How would the Lone Ranger handle this?"
> ---
> Talk Mailing List
> talk at gtalug.org
> http://gtalug.org/mailman/listinfo/talk
>