On 03/18/2013 05:38 PM, Kevin Chadwick wrote: >>> >>> It's one of Blueness projects based on Hardened Gentoo. It loads >>> into ram at boot (you need something like 4 gig of ram) which >>> takes ages from dvd but could be from an ssd/hdd (defeating half >>> the point without a ro switch though). It can update from the net >>> once booted too. >>> >>> Once done everythings in ram so firefox can literally pop up like >>> a web advert upon execution. >>> >> >> In other words, it's a distribution designed to not allow >> persistent storage that might possibly be poisoned, > > Not really, that is one benefit, but don't forget that BIOS, HDD or > Video card firmware could have been altered.
Sure. > > The main goals are reliability and leave no trace elements but it > does have some added tamper ensurance yes. > > I didn't spell it out because you should check the site to see all > the details and would be bound to get it a little wrong without > checking myself. > >> and instead get much of its security-conscious code updated over >> the network. >> > > Security conscious code??? What do you mean? That says to me things > like PAX brute force protection?? I mean everything that gets updated more frequently owing to its being a high-profile target in security contexts. Web browsers. Mail clients. Listening daemons. Having a static image that you need to update every time you boot is a bit like plugging in an unpatched Windows machine that you need to run updates on...every time you boot. It's a tad silly in that respect. > > Even though it is from a DVD it can be updated just like standard > linux. The problem is, if you run out of ram then things get killed. > > >> (Frankly, this sounds quite nice for kiosk environments.) > > Could be if you have a good enough network connection for Linux > kernel updates or cut it right down ;-) Local gigabit is cheap, and a gigabit connection would transfer the image in under a minute. A bit more, of course, if you've got an overloaded server being slammed by ten or twenty machines. (I wonder if one can anycast TFTP on a local segment. Hm. I think you could just barely pull it off, since you'd have resolved the layer 2 address for your syn packet, and that should stick with the connection.)
signature.asc
Description: OpenPGP digital signature
