> [...] you meant (on _RHEL_ xyz is the case) [...] > Totally on me. We fight against it, but it's hard not to have the implicit context of RHEL/Fed be omnipresent on the Red Hat bugzilla. In fact, when I wrote the…
Sorry for not seeing your comment until now. Amazingly great vuln BTW. It's early in 2017, but this is probably going to be one of this year's best. It's very important for everyone to understand my advice is…
As I've discused before, seccomp can block ptrace and thus this VDSO-based attack (and currently does by default in some distros). Shameless self-link to that post:…
It's all the brainchild of hatter Colin Walters (originally as part of the Gnome project). RH's just very devoted to upstreaming/dogfooding.
I hate that the isolation of containers gets oversold as a security feature because there is real value in what you might call "configuration isolation". Often, I am reluctant to run something not because of a trust…
That's interesting. The UK also has more protections for small contractors (e.g. electricians, welders, etc.). I wonder if that's the common thread (meaning it's basically impossible to replicate in the US) or if…
Having moved to Australia in recent years, I was very happy to see that JayCar, their equivalent to Radio Shack, seemed to be doing quite well. This is judging by what I've seen of the stores in what is considered a…
cool story bro
"My point is that there is no difference between software and hardware." Okay, now I see where you're coming from. Theoretically I agree. However, practically there are a number of things that make hardware different: *…
"There's a lot of us contributing here, and much of the work isn't under the docker banner." Of course! If my comment could be taken as part of the mass of prose that can be read to imply otherwise, I apologize. I don't…
You don't need super-human chip designers because, as you say, "the difficulty of containment is proportional to the interface that is available". Hardware doesn't just seem better because "the syscall interfaces of…
This phrasing unfairly conflates VM/hypervisor technology and containers. Containers being a pure software technology do require near superhuman ability to secure but VM/hypervisors can lean on chip-level separation.…
This vulnerability is a good example of how a security bug is still a bug. That is: even if all the bad guys went away there would still be problems. This issue was fixed (as far as I can tell) pre-1.0 for non-security…
> [...] you meant (on _RHEL_ xyz is the case) [...] > Totally on me. We fight against it, but it's hard not to have the implicit context of RHEL/Fed be omnipresent on the Red Hat bugzilla. In fact, when I wrote the…
Sorry for not seeing your comment until now. Amazingly great vuln BTW. It's early in 2017, but this is probably going to be one of this year's best. It's very important for everyone to understand my advice is…
As I've discused before, seccomp can block ptrace and thus this VDSO-based attack (and currently does by default in some distros). Shameless self-link to that post:…
It's all the brainchild of hatter Colin Walters (originally as part of the Gnome project). RH's just very devoted to upstreaming/dogfooding.
I hate that the isolation of containers gets oversold as a security feature because there is real value in what you might call "configuration isolation". Often, I am reluctant to run something not because of a trust…
That's interesting. The UK also has more protections for small contractors (e.g. electricians, welders, etc.). I wonder if that's the common thread (meaning it's basically impossible to replicate in the US) or if…
Having moved to Australia in recent years, I was very happy to see that JayCar, their equivalent to Radio Shack, seemed to be doing quite well. This is judging by what I've seen of the stores in what is considered a…
cool story bro
"My point is that there is no difference between software and hardware." Okay, now I see where you're coming from. Theoretically I agree. However, practically there are a number of things that make hardware different: *…
"There's a lot of us contributing here, and much of the work isn't under the docker banner." Of course! If my comment could be taken as part of the mass of prose that can be read to imply otherwise, I apologize. I don't…
You don't need super-human chip designers because, as you say, "the difficulty of containment is proportional to the interface that is available". Hardware doesn't just seem better because "the syscall interfaces of…
This phrasing unfairly conflates VM/hypervisor technology and containers. Containers being a pure software technology do require near superhuman ability to secure but VM/hypervisors can lean on chip-level separation.…
This vulnerability is a good example of how a security bug is still a bug. That is: even if all the bad guys went away there would still be problems. This issue was fixed (as far as I can tell) pre-1.0 for non-security…