
Reasonably Secure Computing in the Decentralized World - DyslexicAtheist
https://www.qubes-os.org/news/2017/09/13/joanna-rutkowska-secure-computing-decentralized-world/
======
xj9
I'm developing an OS with an architecture similar to Qubes, in part because I
disagree with the idea of using hardware virt as an isolation mechanism. I
think this can be done with OS virtualization much more cheaply without being
much more difficult to secure. Still quite early in the project, but I think
we're touching on some interesting stuff.

[https://www.heropunch.io/tomo/os/grid/](https://www.heropunch.io/tomo/os/grid/)

[https://www.joyent.com/tech-videos/going-container-native](https://www.joyent.com/tech-videos/going-container-native)

[https://genode.org/about/index](https://genode.org/about/index)

~~~
walterbell
Are you planning to use L4?

~~~
xj9
Yes, I'm partial to seL4 in particular. I'm using Flatpak as the application
image format. These require sessions, but I see that as a plus. The goal isn't
compatibility, rather to build an OS platform specifically for running p2p
applications. Linux is a convenient ABI and makes Windows compat easy.

I am using Linux and Genode to compose a more modern version of the Plan 9
system. Other core tech includes IPFS, I2P, Secure Scuttlebutt, and MQTT.

------
Immortalin
This is very interesting! At Praecantatio, we are actually working on
something similar, though instead of using blockchains, we run ours like an ad
network. If anyone is interested in working on distributed computing, drop me
an email. Email's in profile!

[http://praecantatio.ai](http://praecantatio.ai)

------
zellyn
Can anyone who knows these things comment on the essential differences between
Qubes and Sandstorm? Thanks in advance…

~~~
kentonv
Product-wise, Qubes is for local desktop apps whereas Sandstorm is for web app
servers.

Technology-wise, Qubes uses virtual machines whereas Sandstorm uses Linux
namespaces and seccomp (aka containers, but Sandstorm's sandbox prioritizes
security over compatibility, unlike most other container engines).

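As an added example of the OS-level mechanism kentonv names (this is not Sandstorm's or Qubes' code, and not from this thread), here is a default-deny seccomp-bpf allowlist in C: a child process is forked, a filter is installed that kills the process on any syscall not explicitly listed, and the parent reports whether the child finished or died with SIGSYS. The "security over compatibility" trade-off is visible in the policy itself: an allowlist this short breaks most real programs, which is exactly the choice a general-purpose container engine cannot make. Assumptions: Linux on x86-64 or aarch64, an unprivileged user, and a syscall list invented for illustration (`allowed_syscalls`), not Sandstorm's actual policy.

```c
/*
 * Added example, not Sandstorm's or Qubes' code: a minimal default-deny
 * seccomp-bpf sandbox. Linux only, x86-64 or aarch64, no privileges needed.
 * The allowlist below is made up for illustration.
 */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* Linux >= 4.14; raw value as fallback */
#endif

enum sandbox_result {
    SANDBOX_OK = 0,            /* child ran to completion and exited 0 */
    SANDBOX_EXIT_NONZERO = 1,  /* child exited with a non-zero code */
    SANDBOX_KILLED_SIGSYS = 2, /* child made a syscall outside the allowlist */
    SANDBOX_SETUP_FAILED = 3,  /* fork() or prctl() failed; nothing was sandboxed */
    SANDBOX_OTHER = 4          /* killed by some other signal */
};

/* Hypothetical allowlist: everything else terminates the process. A real policy
 * is the product of auditing what the workload actually needs. */
static const int allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_getpid, SYS_exit, SYS_exit_group, SYS_rt_sigreturn,
};

/* Build and install the filter in the calling process. Returns 0 on success. */
static int install_allowlist(void)
{
    size_t n = sizeof allowed_syscalls / sizeof allowed_syscalls[0];
    struct sock_filter prog[3 + 1 + 2 * 16 + 1]; /* header + load + 2 per entry + default */
    size_t i = 0, k;

    if (n > 16) return -1;
    /* Reject syscalls arriving via a foreign ABI (e.g. 32-bit compat): same numbers, different meaning. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* Load the syscall number and compare against each allowed entry. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (k = 0; k < n; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed_syscalls[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS); /* default deny */

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    /* Required for an unprivileged process to install a filter; also forbids setuid gains. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Run `work` in a forked child under the allowlist and classify how it ended. */
static enum sandbox_result run_sandboxed(int (*work)(void))
{
    pid_t pid = fork();
    if (pid < 0) return SANDBOX_SETUP_FAILED;
    if (pid == 0) {
        if (install_allowlist() != 0) _exit(111);
        _exit(work() == 0 ? 0 : 1); /* _exit -> exit_group, which is allowed */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return SANDBOX_OTHER;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? SANDBOX_KILLED_SIGSYS : SANDBOX_OTHER;
    if (WIFEXITED(status)) {
        if (WEXITSTATUS(status) == 111) return SANDBOX_SETUP_FAILED;
        return WEXITSTATUS(status) == 0 ? SANDBOX_OK : SANDBOX_EXIT_NONZERO;
    }
    return SANDBOX_OTHER;
}

/* Sample workload that stays inside the allowlist. */
static int benign_work(void) { return getpid() > 0 ? 0 : 1; }

/* Sample workload that opens a network socket, which the policy never mentions. */
static int network_work(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0); /* killed here with SIGSYS */
    if (fd >= 0) close(fd);
    return 0;
}

int main(void)
{
    printf("benign work:  %d (expect %d)\n", run_sandboxed(benign_work), SANDBOX_OK);
    printf("network work: %d (expect %d)\n", run_sandboxed(network_work), SANDBOX_KILLED_SIGSYS);
    return 0;
}
```

The arch check at the top of the filter is the part people most often omit: without it a process can issue the same numeric syscall through a different ABI and get a different syscall than the one the policy thought it allowed. Sandstorm's real sandbox layers namespaces (mount, PID, network, user) on top of a filter like this; the filter alone restricts what the kernel will do for the process, the namespaces restrict what it can see.
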
~~~
zellyn
Thanks, Kenton!

------
jstewartmobile
Classic Theo:

"_x86 virtualization is about basically placing another nearly full kernel,
full of new bugs, on top of a nasty x86 architecture which barely has correct
page protection. Then running your operating system on the other side of this
brand new pile of shit._

_You are absolutely deluded, if not stupid, if you think that a worldwide
collection of software engineers who can't write operating systems or
applications without security holes, can then turn around and suddenly write
virtualization layers without security holes._"

[https://marc.info/?l=openbsd-misc&m=119318909016582](https://marc.info/?l=openbsd-misc&m=119318909016582)

~~~
tptacek
You want the rest of the list of architectural security features Theo also
doesn't believe in? It's pretty long.

For a very long time, Theo subscribed to the philosophy that the way to get a
secure OS was to keep it as simple as POSIX and historical BSD would allow him
to (and no simpler) while eradicating all the bugs. Eradicating bugs is
obviously a good thing, but the track record of that strategy in the real
world has not been great.

That's obviously changed over the last 5 years or so, but you should be
careful reflecting de Raadt cynicism from a decade ago into modern discussions.

Qubes is surely a better bet than vanilla OpenBSD.

~~~
jstewartmobile
We've had all the king's horses and all the king's men, working around the
clock, decade after decade, applying layer upon layer of tweaks and
countermeasures, and all we have to show for it is a sort of papier-mâché wad
that no one fully trusts or understands. Fix one flaw, introduce two.

At the same time we treat the underlying hardware as inviolable because of
"costs", which are probably just a drop in the bucket compared to the damage
wrought by still using hardware that takes a life's work for a Linus Torvalds
or a Matt Dillon to program, and even then there's still doubt about what they
missed.

I just get the creeping feeling that we've got the economics backward, and
that maybe it's time to do "code review" on the underlying architecture
instead of investing in more bandages.

~~~
tptacek
Something something definition of insanity is something something.

~~~
jstewartmobile
Serves me right for expecting anything more from HN's prince of bandages.

~~~
tptacek
I shouldn't snark, but I'm making a serious point, which is that we've already
tried retrenching in code quality improvement (and nothing else), and have
already empirically seen that approach fail.

There are architectural components to our security problems (we still run
systems with 1980s security models) and that needs to change.

By the way, I have no idea what "prince of bandages" means.

~~~
jstewartmobile
Layers.

I'm an embedded guy, so I'm looking from the outside in. Whenever I have to
trunk something to the server room, they're usually trying to do _just one
thing_, like e-mail (just as an example).

Of course there's an OS firewall, but you can't trust that, so you have to
have another firewall, and that doesn't help so much with DDoS, so there's
also Cloudflare, and the firewall doesn't understand e-mail, so there has to
be an e-mail pre-filter, and you can't really trust the OS to isolate things,
even though that's kind of in its job description, so you have to have a
hypervisor, and since some things are too important to trust to the
hypervisor, you have an extra box or two, and now that you have a half-dozen
different systems in play, there has to be some form of monitoring service. I
have seen almost every layer of this melt down in one way or another and take
the rest of the chain down with it, and _that isn't even my job_.

I just think if we had saner hardware, where we could write performant-enough
code without having to dirty our hands with pointer arithmetic, memory
boundaries, manual boxing and tagging, manual memory management / software-
based garbage collection, etc., we'd at least be in there with a shot at
writing an e-mail server that could be put straight behind Cloudflare that
would also let the IT guys drop their Prilosec prescriptions and get eight
hours of sleep every night.

edit: my main point is that PC architecture is garbage. When I wrote "code
review", I meant over the silicon. Both de Raadt and Rutkowska are putting
their fingers in the dam. It's heroic, but it's also a waste of two very
bright people.

------
vectorEQ
Love how this OS is progressing, bit heavy still on the resources, but that's
fair for a hypervisor; those tend not to run on potatoes. :D So much fun to
fiddle with!

------
shmerl
The event was hosted by the Golem project:
[https://golem.network](https://golem.network)

