<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>In an earlier e-mail I wrote: "Complexity isn't seen to be a
liability, it is seen as an asset." But there are exceptions.<br>
</p>
<p>This morning I was reading about Qubes (a Linux distribution that
makes it easy, at the GUI level, to isolate different activities
in different Xen VMs, including protecting the OS itself).</p>
<p>In their FAQ they brag:</p>
<blockquote type="cite">Our GUI
infrastructure introduces only about 2,500 lines of C code (LOC)
into the privileged domain (Dom0), which is very little, and
thus leaves little space for bugs and potential attacks.</blockquote>
<p>Bragging about how few lines-of-code?!</p>
<p>Yes! Simplicity as a feature. <br>
</p>
<p>Reading about why Qubes isn't multiuser, they seem to have
suffered greatly over establishing system boundaries; there wasn't
a way both for non-privileged users to control Xen and to protect
those non-privileged users from each other.</p>
<p>-kb, the Kent who can't help but think their job in building this
larger secure system would be so much easier if the subsystems they
are wrangling were designed to have clean (and defined!) system
boundaries.</p>
</body>
</html>