Docker's LinuxKit Launches Kernel Security Efforts, Including Next-Generation VPN

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.
  • by Anonymous Coward on Saturday June 10, 2017 @02:59PM (#54592919)

    As usual, Windows is more secure than Linux and doesn't need these upgrades. Everything is half-assed and amateurish with Linux

    • by Anonymous Coward

      Totally agree.

      I remember a company trying to foist a complex and complicated virtualized "system" in 2011 on the company that I used to work for a few years ago.

      I had more fun poking holes in all of the security flaws in that "system".

      And the vendor's response to all of the security flaws? Yeah, we'll fix them... if you pay us a whole lot more money.

      BTW... the company, and a well-known one at that, that tried to sell that pile of $#!@ is still in business and still making loads of money.

  • by Anonymous Coward

    Slashdot: ""Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley,

    eweek: ""Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like WhatsApp," McCauley said.

    Bite me, slashdot. Don't just take mainstream-marketing-bullshit and replace WhatsApp with Signal, 'cause it's more nerdy. It's still weapons-grade bullshit, next you're gonna tell us it's mil

    • Exactly. Signal is as secure as WhatsApp, meaning "who knows"? Signals servers are run by a single corporation. They go on about how "federated messaging" is stuck in the 90s, but that is complete bullshit.
      • by Kjella ( 173770 ) on Saturday June 10, 2017 @06:03PM (#54593479) Homepage

        Exactly. Signal is as secure as WhatsApp, meaning "who knows"? Signals servers are run by a single corporation. They go on about how "federated messaging" is stuck in the 90s, but that is complete bullshit.

        Bullshit. Message transport has nothing to do with security, doesn't matter if you send a PGP message over SMTP (decentralized) or Facebook (centralized) as long as the cryptography is sound. And the clients are open source, the cryptography is vetted and all that. And if you don't want their servers recording any metadata the server code is open source too, with minor modifications you have your own Signal protocol network. Federation is mainly just a messy hybrid of client to server and server to server communication, either go full P2P and deal with all those routing/discovery/web-of-trust/revocation/denial-of-service/spam complications or just run one central server.

        The main reason to use it over PGP is that Signal gives you backwards secrecy: the algorithm is constantly upgrading the keys, meaning even if you record messages and compromise a device later you can't decrypt anything other than the most recent ones. If you manage to get a private PGP key, you can decrypt every message sent to that key from the dawn of time. It doesn't do 90% of what PGP tries to do, but it does the last 10% much, much better. And most of all, simpler. Most people don't check Signal's MITM protection and don't care when they're notified of key changes, but the same people are not likely to use PGP at all. But since a few will check, doing bulk surveillance would be discovered, while everyone intentionally or unintentionally in the middle can wiretap plaintext email all day long.
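The key-ratcheting property the post describes (old keys are erased as the chain advances, so seizing a device later only exposes messages from that point on) can be shown with a toy symmetric hash ratchet. This is an added illustration, not code from the post, from Signal, or from WireGuard: it assumes HMAC-SHA256 as the chain KDF, an in-order single sending chain (not the full Double Ratchet), and a SHA-256 keystream XOR standing in for a real AEAD. The simulated "compromise" is a defender's model of what a recorded transcript plus a later device seizure yields, contrasted with a single long-lived key.

```python
import hashlib
import hmac
from typing import List, Tuple

# Toy hash ratchet (added example, constructed for illustration).
# Assumptions: HMAC-SHA256 as KDF, in-order delivery, XOR keystream in
# place of a real AEAD. Not the Signal Double Ratchet and not WireGuard.


def kdf_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Derive (next_chain_key, message_key) from the current chain key.
    HMAC is one-way, so the next chain key does not reveal the current one."""
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return next_chain, msg_key


def keystream(msg_key: bytes, length: int) -> bytes:
    """Expand a message key into `length` bytes (stand-in for an AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(msg_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RatchetSender:
    def __init__(self, root_key: bytes):
        self.chain_key = root_key  # only the *current* chain key is retained
        self.index = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        # Advance the chain; the previous chain key and msg_key are dropped.
        self.chain_key, msg_key = kdf_step(self.chain_key)
        self.index += 1
        return self.index, xor(plaintext, keystream(msg_key, len(plaintext)))


class RatchetReceiver:
    def __init__(self, chain_key: bytes, index: int = 0):
        self.chain_key = chain_key
        self.index = index

    def decrypt(self, index: int, ciphertext: bytes) -> bytes:
        if index <= self.index:
            # The chain keys that produced earlier messages were erased and
            # HMAC cannot be run backwards, so there is nothing to derive from.
            raise ValueError("no key material for an earlier message")
        msg_key = b""
        while self.index < index:
            self.chain_key, msg_key = kdf_step(self.chain_key)
            self.index += 1
        return xor(ciphertext, keystream(msg_key, len(ciphertext)))


def simulate_compromise(root_key: bytes, messages: List[bytes],
                        steal_after: int) -> Tuple[List[int], List[int]]:
    """Model: an observer recorded every ciphertext, then obtained the sender's
    ratchet state as it stood after message number `steal_after`.
    Returns (message numbers recoverable, message numbers not recoverable)."""
    sender = RatchetSender(root_key)
    transcript, stolen = [], None
    for m in messages:
        transcript.append(sender.encrypt(m))
        if sender.index == steal_after:
            stolen = (sender.chain_key, sender.index)
    assert stolen is not None, "steal_after must be within the transcript"
    observer = RatchetReceiver(*stolen)
    recovered, protected = [], []
    for idx, ct in transcript:
        try:
            observer.decrypt(idx, ct)
            recovered.append(idx)
        except ValueError:
            protected.append(idx)
    return recovered, protected


def static_key_compromise(root_key: bytes, messages: List[bytes]) -> List[int]:
    """Contrast case: one long-lived key encrypts everything (the PGP-style
    situation in the post), so a later key compromise exposes every message."""
    transcript = [(i + 1, xor(m, keystream(root_key + bytes([i]), len(m))))
                  for i, m in enumerate(messages)]
    return [i for i, ct in transcript
            if xor(ct, keystream(root_key + bytes([i - 1]), len(ct))) == messages[i - 1]]


if __name__ == "__main__":
    demo = [b"first", b"second", b"third", b"fourth"]  # constructed sample
    print("ratchet:", simulate_compromise(bytes(32), demo, steal_after=2))
    print("static key:", static_key_compromise(bytes(32), demo))
```

With the state stolen after message 2, the ratchet model recovers only messages 3 and 4; the static-key model recovers all four. The security of the ratchet rests entirely on the old chain keys actually being erased and on the KDF being one-way, which is why implementations zero key material promptly rather than leaving it in memory or backups.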

        • by Anonymous Coward

          It's called forward secrecy, dumbass.

  • by Anonymous Coward

    They're well-known for their cookie-cutter, "docker", which probably fits their business model to a tee but fails to provide all sorts of things you might want from a fully-fledged containering thing. Oh and then there's the compatibility-with-itself issues, administrative access to hosts from within containers called "not a bug, but a feature" apparently with complete disregard or misunderstanding of security principles, and so on. And so now they're taking their secret sauce to VPNs and other security too

  • by Anonymous Coward

    I've used OpenVPN without any problems (well, other than the fact the configuration is a bit of a pain) since 2002.

    • maybe you know, maybe you don't, maybe other people will find this interesting - openvpn 2.4 can now be configured to be (so far) completely indistinguishable from regular https traffic when used with --tls-crypt option and run on the appropriate port.

  • by AaronW ( 33736 ) on Saturday June 10, 2017 @04:41PM (#54593251) Homepage

    Something needs to happen.

    Last night I tried to get pptp to work with our corporate VPN and it failed miserably. I ran Wireshark to figure out what the problem is and the Linux PPP stack just can't handle the options that it was being sent (bug opened on pppd). Next I tried to connect to my home firewall VPN which used to work and again this failed miserably because the Linux PPP stack refused to turn off the async char map negotiation (which isn't used for PPTP).

    I've also struggled to get ipsec in any form to work (no success), nor have I been able to get openvpn to work, requiring all the generation of certs and whatnot. PPTP, despite being quite insecure, at least used to work before the modern PPP brokenness.

    The problem with VPNs is that the solutions are overly complicated with a bazillion different options.

    IPSec + L2TP!?!?! This is insane. PPTP is just plain broken as well.

    I want something as simple as how PPTP used to work but without all the broken security (i.e. MD5 password hashes) and get rid of PPP.

    • OpenVPN isn't bad (Score:4, Informative)

      by Sycraft-fu ( 314770 ) on Saturday June 10, 2017 @04:54PM (#54593287)

      It is fairly easy to set up and supports new protocols. Linux seems to support it reasonably well and its Windows implementation isn't totally retarded.

      However really, it is worth your while to invest time and effort in learning IPSec. I know it is a pain in the ass, I've done a ton with it. However it is powerful. The reason it is complex is that it can be used for basically everything. It is a general purpose encryption and authentication method for IP. It is also a mandatory part of the IPv6 spec so going forward it is just going to be a thing that all systems will have.

      It also has the benefit of being widely supported. While not a lot talks OpenVPN, nearly everything already talked IPSec.

    • by decep ( 137319 )

      Linux VPN support is actually very good. You just should not be using PPTP. OpenVPN or some of the other user space type VPNs are great for connecting remote users.

      I agree that L2TP is insane for individual user VPNs, but for site-to-site VPNs, IPSec is the only option you should trust. The problem with a lot of user space VPN solutions, like OpenVPN, is once you have authenticated, it just kind of acts like a router for packets. You have to use secondary controls like a firewall to control access. T

    • by bsDaemon ( 87307 )

      IKEv2 IPsec via StrongSwan or LibreSwan really isn't that difficult on Linux. Problem is a lot of these corp vpn products that don't have a Common Criteria or FIPS mode don't support it, and many of these other technologies have to do lame hacks to get things like NAT traversal to work.

    • by tlhIngan ( 30335 )

      Actually, what's worse is SSL-VPNs, because there are no standards for them. They are insanely simple and very popular because they can be used from behind practically any firewall that allows SSL through. (This is vitally essential since many corporate firewalls block everything except 80, 443 and 21, and if you consult and need to VPN to home base, you need a VPN that can go through the firewall)

      The problem is all the SSL-VPN vendors are basically incompatible with each other - between Dell/SonicWall, Ope

      • by AaronW ( 33736 )

        We have Sonicwall at work. Unfortunately it requires running Java in the browser to connect to it through Linux.

    • Once you figure out how to connect... run it in a docker container.
      I set up an ubuntu container with openconnect and freerdp, and a couple of simple scripts. I can connect to my corporate VPN and RDP into my Win10 laptop from my Linux box in about 10 seconds. I could do it faster but I have it prompt me for the password. We use Azure for multi-factor authentication.

      If you do it this way then your container connects to the vpn keeping all of your other traffic off the corporate network.

  • by Anonymous Coward

    Docker is not responsible for WireGuard at all. A Gentoo developer (Jason A Donenfeld, AKA 'zx2c4') is responsible for WireGuard. As far as I know, he does not work for Docker.

    The wording in the summary is poor and doesn't reflect that. TFA (correctly) mentions WireGuard as an external project.
