On 10/24/07, L. V. Lammert <[EMAIL PROTECTED]> wrote: > Sorry, it's YOU that missed the point! I never said or made any comparison > to physical machines - the entirety of that I said is: > > "Running services/application domains in VMs increases security." As I > said in a previous email, only an idiot would think that separatey > physical machines would NOT increase security, and I give this crowd much > more credit than that so I did not bother to include such information. > > I still stand by my original statement. Running application 'domains' in > VMs instead of on a single server increases security.
What you're saying, appears to be: 1) 3 applications in one OS - less secure. 2) 3 applications in 3 physical servers - more secure 3) 3 applications in 3 virtual servers each running one OS - in between #1 and #2 for security What the others are telling you is that you are wrong. While there is a continuum, is it closer to #1 or #2? I believe it is closer to #1. This is because, nobody has done an independent security audit of the VMWare ESX platform. When we say something is more secure, we can show it in 2 ways - a track history, like openbsd, or some 3rd party verification, fips, orange book, certification, whatever. ESX's recent history is extremely damaging. Again, go look up all the advisories. Taking over a guest allows taking over a host?!?!?! Where is your "separation" again?! And yes, you did not specify VMWare in your statement. But the vulnerabilities being exploited in VMWare shows that the same kind of attacks can be made against other VMs. And you do understand the history of how the x86 platform came to be, right? IBM wanted to dip their toe in that "microcomputer" thing that had the world so excited. Gave the head guy 9 months, or kill the project. So, the revisionists now adays say "we use off the shelf products to be compatible" is bullshit, they had a strict time limit, and could design and fab their own cpu and other things. Looked around, checked out the motorola and intel CPUs. Hey, lookie here, the intel cpu's spec book comes with an appendix full of interesting shit. Look, they even have a simple design for a microcomputer you can build with their cpu. So, IBM basically took that design, and built a PC, and sold it. Why do you think while IRQ 5 has higher priority than 6 (lower IRQ has higher priorty), but IRQ 10 has higher priority than IRQ 5?!?! Because the original design had *8* slots, and *8* IRQs, but a bunch was taken up by the system, and so you couldn't actually use all 8 slots. So, in PC/XT, they kludged something in. And then the 8088 -> 8086 or thereabouts happened, what did Intel do? Gee, we have this 32 bits of memory space, should we let them use it all? Nah, just use 20 bits and mask the rest of that shit out. So, the PC we have today is full of legacy shit, each piece lovingly crafted on top of another, built like a freaking tower. So, when Theo says the hardware itself is shit, and impossible to virtualize, I believe him. And when he says x86 virtualization is shits because of the hardware, I believe him. And when Secunia comes out with all its advisories against ESX, wow, I guess Theo did know what he was talking about. -- "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
