
We shouldn't ever trade security for performance. Doing that is how Microsoft ended up putting shit like font rendering into the kernel. Made Windows very fast, but made it so much worse when a bug was found.



That's pretty broad. I have a gaming machine with practically no personal data on it, I just want it to be fast. But the tradeoffs for my work machine are way different. Security is ALWAYS a tradeoff. If we wanted perfect airline security we'd fly naked.

Also, it's not like limiting vulnerabilities to user space is always a big improvement. If someone hacks my user account on a single-user computer, they have access to all the data I care about anyway. They could ransomware my stuff even without kernel access.


The trade off is not installing Little Snitch.


A gaming machine with no personal data on it. We call that a console, and they are indeed built for speed above all else.


Consoles are really built for a price point above all else. Hence why they're always lacking in performance compared to contemporary gaming PCs.


They also take security very very seriously.


Consoles take DRM safety seriously, the fact that that aligns with user security is purely coincidental.


Except companies are really quite adept at identifying the person connected to all the "no personal data".


Correct, it's an inversely proportional relationship, security vs. convenience and/or performance. I could care less if my gaming box gets owned but many others are much more serious about their gaming and would hence have other workarounds.


This is impossible... perfect security would require not having ANY performance. All security is about tradeoffs, and the answer can't be "trade everything for security".


Sometimes it does make sense to trade security for performance.


I completely disagree. Can you give me an example? Perhaps you can change my mind.


We ran a 100-petabyte cluster with all Meltdown/Spectre mitigation turned off because there was no foreign code running on it that didn't have access to the data itself.

It's all about the threat model. Engineers at the company were considered trusted actors and they were the only ones permitted to connect. If that layer failed, there is no way cache invalidation errors would be the fastest way in.
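The comment above describes deliberately running with Meltdown/Spectre mitigations off on a trusted-only cluster. Whatever the decision, a team wants to verify which hosts are actually in that state rather than assume it. The following is an added example, not code from the commenter, that parses the per-issue status files Linux exposes under /sys/devices/system/cpu/vulnerabilities/ (each file holds a short string such as "Not affected", "Vulnerable" or "Mitigation: PTI") and lists the issues whose mitigation is off. When the directory is absent, for instance on a non-Linux machine, it falls back to a constructed sample in the same format.

```python
"""Audit Linux CPU vulnerability mitigation status (added example).

Reads /sys/devices/system/cpu/vulnerabilities/<issue> files, or a constructed
sample when that directory is unavailable, and reports which issues are
currently unmitigated so that intentionally weakened hosts can be confirmed
and unintentionally weakened ones can be caught.
"""
from pathlib import Path
from typing import Dict, List

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample (not captured from a real host), in the same
# "<issue>: <status>" shape the sysfs files use.
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
    "l1tf": "Not affected",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
}


def classify(status: str) -> str:
    """Map a sysfs status string to mitigated / vulnerable / not_affected / unknown.

    The kernel prefixes every status with one of these keywords, so a
    prefix match is sufficient; anything else is reported as unknown
    rather than silently treated as safe.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: Path = SYSFS_DIR) -> Dict[str, str]:
    """Read every file in the vulnerabilities directory into {issue: status}."""
    result: Dict[str, str] = {}
    if not directory.is_dir():
        return result
    for entry in sorted(directory.iterdir()):
        try:
            result[entry.name] = entry.read_text().strip()
        except OSError:
            # Unreadable entries are skipped rather than aborting the audit.
            continue
    return result


def audit(statuses: Dict[str, str]) -> Dict[str, str]:
    """Classify every issue in the given status map."""
    return {name: classify(status) for name, status in statuses.items()}


def unmitigated(statuses: Dict[str, str]) -> List[str]:
    """Sorted names of issues whose mitigation is off on this host."""
    return sorted(name for name, cls in audit(statuses).items() if cls == "vulnerable")


if __name__ == "__main__":
    live = read_sysfs()
    source, statuses = ("sysfs", live) if live else ("constructed sample", SAMPLE_STATUS)
    print(f"Mitigation status ({source}):")
    for name, cls in audit(statuses).items():
        print(f"  {name:<12} {cls:<13} {statuses[name]}")
    off = unmitigated(statuses)
    print("Unmitigated:", ", ".join(off) if off else "none")
```

Run it as a cron job or a config-management check and alert when the set of unmitigated issues differs from the per-host policy; on the constructed sample it reports meltdown and spectre_v2 as unmitigated.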


A machine which is turned off is much slower and more secure than a machine which is turned on, but for some reason people insist on turning their computers on.

Security mechanisms which prevent you from doing the thing you're setting out to do are worthless. Making a computer too slow to be useful is one of the ways to do that. In this specific case, if moving Little Snitch's functionality to userland means that the performance hit of running it was large enough that I have to turn it off when doing network performance sensitive things (say, video conferences) then it'd be a net loss in security compared to the status quo of it running in kernel mode.


/dev/random vs /dev/urandom: you could argue that a new seed via /dev/random is somewhat better, but you wouldn't block everything constantly to get new entropy.


/dev/urandom is better than /dev/random in almost every case, so much so that on macOS they are identical.


I can't give you an example but it's perfectly plausible that many users don't store volatile data on their computer and/or are not careless with downloading and running programs. These users might prefer the extra speed up.


Frequently security = correctness.


Agreed. Remember ancarda, it's always about the threat modeling. Every scenario has different business/user needs, and therefore, different tradeoffs that can/will be made. Sometimes, it does make sense to trade performance for security. (N.B. not always, or actually, probably not most of the time.)


I trust that you're typing your comment from OpenBSD? After all, it's the only modern OS that doesn't compromise against security.


Not yet, though I am working on replacing proprietary software I use with free software that's Linux/BSD compatible.

It's a long journey - I started using Windows. macOS is a nice stopgap, but the long-term destination is probably something like OpenBSD or Qubes OS.

Perhaps eventually replacing much of the old software on my machine with stuff written in memory safe languages like Rust. There's some far-off efforts like Redox OS that may well end up being an option for me.

I keep my eye on security developments and I try to improve my situation as and when I have the time/energy to.

EDIT: To say, I have also switched from iOS to Android - after many years of waiting till Android itself became more secure. I've also dumped a lot of non-free software like Google Authenticator for free alternatives like andOTP. I'd like to eventually run something like Replicant or whatever is current/actively developed in the future.


I did the opposite, went from Android to iOS because of security. I'd rather live in this "walled garden" instead of the vulnerabilities that pop up in Android now and then, the malware that's always popping up in their app store, and finally the fact that Google is always looking over your shoulder at everything you do; even despite how much you "turn off" things in the OS, it still phones home. Microsoft is the same. I'm tired of it. Not to mention that Android manufacturers' idea of an "update" to the OS means you basically have to buy a newer model, as they often lag months behind on software/security updates from Google, while Apple supports their phones and tablets with updates years after. For instance, Google only provides updates to their Pixel phones for 3 years. Meanwhile, my wife's iPhone 6s is still chugging along with the latest OS after 5 years.

But this is just me. Everyone should use what they are comfortable with.


And here it is, just a few hours after I wrote this, yet another story about malware on the Google app store:

https://arstechnica.com/information-technology/2020/03/found...


Install an antivirus for your phone. Problem solved?


This isn't even remotely true, OpenBSD needs to be a usable system too.


Trading security for performance is never a good idea. In this case the downside might be that traffic is able to pass through undetected as a result of moving to user space. If your goal is security through monitoring, can you really trust monitoring software that can't see everything?



