Re: [gNewSense-users] Grsecurity on gNewSense, but for real?

[tryngf1]

On 08/31/2013 at 8:25 PM, "Sam Geeraerts" <address@hidden> wrote:
>
>Op Sat, 31 Aug 2013 09:20:38 +0000
>schreef address@hidden:
>
>> That is an old out-of-reality misery apparently purposefully left
>> there for users' confusion.
>
>I agree that it's a strange package. But don't assume malice when 
>lack
>of resources and expertise [1] is a more logical explanation. This 
>also
>goes for gNewSense: because we deblobbed Debian's kernel source 
>chances
>of getting this to work are even smaller, but we don't have time 
>and
>people to fix this.
>

It was, and still is, hard for me to figure out why the best security structure,
 IMO, the Grsecurity/Pax, has been completely left out as option, and
what is its arch-rival, the NSA's SELinux, has been granted, in part, in default
kernel, and in full, when hardening of Debian is recommended, deployment.

Only disreputable sneerers and liers, such as those I have
these days been a victim of:

http://forums.gentoo.org/viewtopic-t-967806.html

can declare that rival structure clean and the program an honest offer, esp. in 
this
post-Snowden era, I really can not understand those who now don't want
to understand that reality.
But in view of the liers and sneerers I'll refer to this world's top spying
agency, by a nickname Madam Impeccable that I am giving it now, since it only 
hacks on
criminals, oh how impeccable!, God!
On criminals such as the UN, and goverments friendly to the USA, right?
(go read Der Spiegel or view Russia Today, or search the blogosphere on that)
Let alone NGOs and investigative journalists...
Only on criminals the No Such Agency spies on...
Let alone the carpet wiretap on basically any, any, do you read me, any
communication which that internet invention first deployer and exporter nation's
and most of the world's internet traffic hoster nation's agancy can get
hold of. That's almost any user anywhere in the world!

Anyway, I was saying, it is hard for me to figure why the best security
 option, by the greatest minds, who are also honest and not vainly 
knowledgeable,
in the world of Debian GNU/Linux, is left completely out, not even thought about
for, in the Debian packaging system, and instead, its arch-rival the SELinux, 
which
absolutely has lots of doubts left over it with regard to its inception...
(That was to be someone else's but not Madam Impeccable's product, it was to be
Red Hat's, but the story couldn't be sold successfully, so the Madam had
to own up to it. Poor Madam!)
...and which by those true security minds was reveal to be, back when the LSM
(Linux Security Model) was created by the GNU Linux kernel team (the Linus's
team) to accomodate for
its inclusion, was revealed to be, that LSM, full of hooks for rootkit.

http://www.crmbuyer.com/story/39565.html

So it is hard for me to uphold complete honesty in the whole of Debian team
of developers, when Grsecuriy/Pax is left completely out, not even thought
about for, in the
Debian packaging system, and instead, its arch-rival the SELinux, is
sitting pretty for all the newbies (there is a little of SELinux, not full
deployment, in default Debian packaged kernel, and they have to learn to compile
the kernel and surpass more obstacles specific to Debian, like I did.
That can be found about on forums.grsecurity.net (I am there user 'timgo'), how 
it's
not trivial for non-experts, because I have spent really long days to learn and
figure out and solve the problems that
arose, which I did with some occasional help, but mostly with my own time and 
effort...

So why these programs of the best security minds of today, and who have not sold
to any governments, nor to big business as they could have (wouldn't say 
Microsoft
have paid dearly to Spender if he was a money-lover, and sought profit,
wouldn't they rather paid him and get the patent than, what they did, stole his
code to deploy it in  Skype?

http://expertmiami.blogspot.com/2012/05/skype-does-away-with-random-supernodes.html
http://arstechnica.com/business/news/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft.ars
 )

Actually I'm somewhat fearful of their (both Spender's and the Hungarian's that 
is only
known by the pseudonym Pax Team) persecution, but hopefully not yet, rather 
later
in the future (I hope we all have some more time for things good that we do),

So why these programs of the best minds in security of today, the 
Grsecurity/Pax,
have been completely left out, and Madam Impeccable's
rootkit-hooks-having-been-deployed-for (and probably still being), programs are
granted full deployment in Debian?

SELinux is not easy, it's very complex and it is also very hard to learn for
a beginner, people say. In comparison, Grsecuriy/Pax is a breeze, I mean in
comparison, because no true deployment of security is easy...

If it's not something other and not just lack of development resources and
expertise, why were, comparably so much of those resources spent on SELinux,
when less resources, but used to deploy Grsecuriy/Pax, would secure Debian users
sooo much better? Why?

>If you want to see this fixed, please work with the Debian 
>maintainer
>(or the person who reported that bug) on a solution. When that 
>happens
>we can see about solving it for gNewSense too.
>

I have lost half of my summer this year trying to fix my systems and my SOHO
that, in my conviction, was attacked from the internet, over Debian, and into
Gentoo systems. The full story, actually not full, because I can not reach
the true technical conclusion about what exactly happened, since I am not
a developer, just somewhat advanced user; I only fix problems that I
encounter through huge investment of time and study, and obstinacy when 
working...
The problem is I am a late adopter and am slow at learning and doing things.
I am currently already months late with other things in my life.

But if any Debian developer is interested, however, and if I can trust his
credentials, like I would trust you, Sam Geeraerts, because I trust what
you are doing, then, I still have all the dd'ed images of both the Debian and
the Gentoo box that failed, and if I also get, or once I possibly get --I
stumbled into problems, about which I am planning a new topic on this list--
my gNewSense, working (or get
my systems in other ways secure enough for the internet, which is not
currently the case), well, then, if any Debian developer is interested, let
us see the end of that issue that is not completely solved yet.

May you, the Debian developer who I don't yet know (I'm addressing not you Sam
here, but possibly other Debian developers), and who are reading this message,
also look into:

https://forums.grsecurity.net/viewtopic.php?f=3&t=3709
("grsec: halting the system due to suspicious kernel crash")
and related and linked things.

Because this is, preconditions applied, my invitation to see if, firstly,
we can see a conclusive end
to the story there with the use-after-free bug, esp. in the sense of the
vulnerability that to my understanding was exploited there by some subject,
and, secondly, if the installation of Grsecurity/Pax on Debian can be done
in such a way that such abuses would be prevented.

>> I have no experience yet with gNewSense, I am in the process of
>> installing it
>
>Welcome.

Thanks, Sam!

>
>[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678942
>

I had a brief exchange of emails with Yves-Alexis Perez, and there goes
my slow understanding, it took me a while to get the difference btwn the
use of either Debian kernel and the pristine, or "pristine", kernel, which of
these was to be used with Grsecurity in which circumstances, and I hope I didn't
annoy him too much.
Now I know and it's easy for me to simply compile the pristine kernel in
Debian, patch it with Grsecurity/Pax and install it, if the Debian testing
 builds are not broken (which they were these days).

But I see where the problem lies.

In case there was a solution to let users have Grsecurity, and no SELinux
at all, in the Debian kernel (ok?), like I just wouldn't go for any gift,
given to me by Madam Impeccable, no thanks, then the first thing to be
applied to the pristine kernel would have to be the Grsecurity/Pax patch,
and the other Debian patches would probably need to be modified to include
the option for users like me, and only applied after the Grsecurity/Pax
patch has already been applied... well, then, there would have to be more
kernels for users to chose from, because Madam Impeccable's aficionados
(trawling behind them huge number of non-informed users, and 

###############################################################
### that is the crux of the matter in this whole story:
### most users, if they knew what SELinux was, wouldn't want to
### "harden" their GNU/Linuces with it
###############################################################

and that is the issue that needs to be let known to beginners, dear deveopers!,
but I was saying, well, then, there would have to be more
kernels for users to chose from, because Madam Impeccable's aficionados,
sparsed throughout the planet, would want the kernel with, and not without
SELinux...

Would Debian developers want to tread that path?

Also, for my purposes, it suffices if I can compile and install and later
manage, the pristine, Grsecurity/Pax kernel.

But I could test the Grsecurity/Pax Debian kernel if that starts to be
developed some day, if I am still free in my country that is regressing
from democracy by the traitors in power, and am not in jail or worse...
The developers only need to bear in mind my slowness in replying, which
I can not improve, reasons given above.

Miroslav Rovis
Zagreb, Croatia

There is another reply that I hope to be, God willing, sending to the
other message that I see on this list by Sam, and also afterwards,
there is yet another topic
that I believe I will open here, about gNewSense that I installed but have
issues pulling packages with apt-get/aptitude from my local SOHO mirror.
In that order, by the grace of God.
But if on gNewSense the pristine kernel can not be accomodated as in
Debian, pls. let me know, because then I am treading the path that does
not really have protection for my system, because I don't believe there
is any true protection in GNU/Linux with anything else that is not
Grsecurity/Pax, and without true security there is no true freedom, what
do you make of puritanist-free from all-and-any proprietories packages OS if
you don't have privacy to use that machine you installed it on,
as soon as you're on the internet?... The letter is fundamental to freedom,
and the purely free packages the icing on top of it.
And for the day that Grsecuriy/Pax will be deployed on deblobbed kernels,
for that day I live to see!