All times are UTC - 4
How to make Puppy Linux security distribution?
Dennis Mitnick

Joined: 26 Aug 2019
Posts: 2

Posted: Mon 26 Aug 2019, 21:04    Post subject: How to make Puppy Linux security distribution?
Subject description: Security, Privacy, Anonymity
 

Hello!

How to make Puppy Linux security distribution?

Thank you in advance !
musher0

Joined: 04 Jan 2009
Posts: 14307
Location: Gatineau (Qc), Canada

Posted: Mon 26 Aug 2019, 21:36

Hi Dennis.

You mean something like the TAILS distro? I think some PuppyLinux member has come
up with a simili-clone of TAILS, but I can't remember who exactly, ATM. Sorry.

But for general daily use, any Puppy is already quite secure as is. To ascertain that, you
may wish to install and use Lobster's GROWL utilities.

Still not convinced? Install the lsof utility and run it as lsof -i. This will list all the insects on
your line!!! (Prepare for a surprise: on a Puppy, you won't find any!) Wink

Finally, the subject of security on Puppy Linux has numerous threads, so many in fact
that in the end you'll understand what the expression "ad nauseam" really means...

So I won't go into it further here. But feel free to do a bit of a search on this board on the
subject if you need more info.

IHTH.

_________________
musher0
~~~~~~~~~~
Je suis né pour aimer et non pas pour haïr. (Sophocle) /
I was born to love and not to hate. (Sophocles)
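
The `lsof -i` check suggested in the post above can be made repeatable by filtering the listing down to sockets that accept traffic from the network. This is an added example, not part of the thread; it assumes numeric `lsof -i -P -n` output, and the sample listing and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag network-reachable sockets in `lsof -i -P -n` output.

# Constructed sample listing (not captured from a real Puppy system).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     612 root    7u  IPv4  14012      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd      801 root    3u  IPv4  15220      0t0  TCP *:22 (LISTEN)
sshd      801 root    4u  IPv6  15222      0t0  TCP *:22 (LISTEN)
dhcpcd    455 root    6u  IPv4  12001      0t0  UDP *:68
firefox  1420 root   55u  IPv4  20111      0t0  TCP 192.0.2.20:51514->198.51.100.7:443 (ESTABLISHED)
EOF
}

# Reads lsof output on stdin; prints "COMMAND PID TYPE PROTO ADDRESS" for every
# TCP listener or unconnected UDP socket that is not bound to loopback.
exposed_listeners() {
    awk 'NR > 1 {
        proto = $8; addr = $9; state = $10
        if (proto != "TCP" && proto != "UDP") next
        if (proto == "TCP" && state != "(LISTEN)") next   # outbound/established
        if (proto == "UDP" && addr ~ /->/) next            # connected UDP client
        if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next     # loopback only
        print $1, $2, $5, proto, addr
    }'
}

# Demo on the constructed sample; on a live system run:
#   lsof -i -P -n | exposed_listeners
sample_lsof | exposed_listeners
```

An empty result means nothing on the machine is waiting for inbound connections; each line that does appear is a service to justify or remove.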
s243a

Joined: 02 Sep 2014
Posts: 2073

Posted: Mon 26 Aug 2019, 23:41    Post subject: Re: Security Puppy Linux
Subject description: Security, Privacy, Anonymity, Distribution
 

Dennis Mitnick wrote:
Hello!

How to make Puppy Linux security distribution?

Thank you in advance !


Hello Dennis,

I recommend the version of puppylinux known as Puli. There are two variants:
(although I haven't personally tried puli)
- Puli 6.0.5 - based on tahrpup (pearltrees)
- Puli 3.8.3 bark 6, released Nov 2014 - based on precise (pearltrees)

Tails was mentioned above. You can do something like that with iptables to set up tor's transparent proxy.

https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

Regarding tor, some members have some security concerns related to using tor with puppy. For instance the user known as nosystemd/learn2code/figosdev claims puppy uses the ping utility in a way that may not be good for a tor user. I haven't looked into this yet but if ping was used in this way it should be easy enough to disable this behaviour with iptables.

Another security measure you can look into is the use of containers. EasyOS has something called easy containers and the user rufwoof has implemented similar containers on fatdog64 and dpup stretch.

As a final note, if you are looking to run puppy as a non-root user, you might want to give tazpup a try.

_________________
Find me on minds and on pearltrees.
Sylvander

Joined: 15 Dec 2008
Posts: 4420
Location: West Lothian, Scotland, UK

Posted: Wed 28 Aug 2019, 04:47

Also take a look at Banksy 3.
[Loads from a CD, user is then prompted to remove the CD]
Storage locations are normally not available, but can be, IF the user knows how.
I've been told how [in PM] by greengeek.

I use the "b3impgeneric_RC5.iso" linked HERE. Don't think I've tried RC8, also linked there.
Made for me, so as to be able to personalize the OS [install extras? I installed WINE and Xfe.]

I tried Puli.
It was good, but rather too complicated for me.
Settled on Banksy 3.
8Geee


Joined: 12 May 2008
Posts: 2044
Location: N.E. USA

Posted: Wed 28 Aug 2019, 21:31

I will add that most any pup or dog can be run from a CD or DVD. When done shutdown NO SAVE. The only other problem with security is the browser... unfortunately the default settings (thousand or more) are not secure enough. Personally, I have gone through two browsers FF27 and FF6605. Each needed over 400 changes to the default settings. Shocked That required quite a bit of time, and is probably not for everyone (but doing the FF6605 was 'easier' due to previous experience with FF27). The reward is that FF6605 has the latest certs using TLS 1.2 and 1.3... the old FF27 still has two good certs out of 20 or so original.

Regards
8Geee

_________________
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
purple379

Joined: 04 Oct 2014
Posts: 128

Posted: Mon 09 Sep 2019, 10:10    Post subject: Security version of Puppy
Subject description: Easy OS
 

Barry's project of "Easy OS," Then perhaps run for multi-session optical disk. Thank you Barry Kauler.

Perhaps better needed is a book of how to do things in a private, secure way. Check lists of what not to do, how to proceed. I might call it a recipe book.

At least a list of when to re boot after we do which.

Keep in mind that encryption is usually broken not in the theory of the encryption but in practice. People make mistakes in using encryption that usually gives away the value of encryption.

I see, on the internet, several distros talking about security. I also notice that some seem to have only three (or less) developers, who I assume work part time. Hmm.

At least Puppy Linux is not Windows, part of whose goal now is to broadcast what we do on the internet.
nosystemdthanks


Joined: 03 May 2018
Posts: 686

Posted: Mon 09 Sep 2019, 20:19    Post subject: Re: Security version of Puppy
Subject description: Easy OS
 

purple379 wrote:
People make mistakes in using encryption that usually gives away the value of encryption.


indeed, puppy makes a few of those that reduce its worth in terms of security or privacy.

the problem with secure puppy isnt that its called puppy, its that most users dont want to take security seriously. if its not important to you enough to change your habits or alter designs, then all you can do is come up with some bandages and slap the word "secure" onto the thing.

lets try this:

what are the three biggest security problems for regular puppy? answer that, and start by fixing at least one of those. but that wont make it secure, it will make it less insecure. security is about tradeoffs, and puppy makes a few in the other direction.

minimalism is good though.

one gradual route to security is to figure out what you dont need, then remove it so that it isnt a vector. easier to secure a simple distro than a complicated one, though adding security will complicate certain things.

Quote:
At least Puppy Linux is not Windows, part of whose goal now is to broadcast what we do on the internet.


that is a plus.

_________________
"microsoft is unique among proprietary software companies: they are the only ones who have actively tried to kill [floss]. it’s not often someone wants to be your friend after trying to kill you for ten years" -- bradley m. kuhn
purple379

Joined: 04 Oct 2014
Posts: 128

Posted: Tue 10 Sep 2019, 08:29    Post subject: A lot of malware gets up to no good with browsers.
Subject description: Browsers let it in.
 

That is, browsers let stuff in that causes problems.

There are all the options of security for Firefox, meaning we should download and install those. I am not knowledgeable about Seamonkey, or some other browsers. Tor anyone? Brave?

Don't let things which snuck in the door of the browser stay.

Frankly, browsers have gotten a lot better in stopping things.

Clear the browser cache, and reboot. Puppy can do that.

Start with a clean version of the OS (reboot) before and after doing something important.

Whether the version of Puppy you use does a lot of root becomes irrelevant, if one reboots, and places a fresh copy of the OS in use.

I liked an app that works in Apple Mac OS, "Little Snitch," which allows one to approve/disallow individual outgoing connections. It can be annoying and a huge use of time.

Use a search engine like "duckduckgo." Part of protecting browser.


Get better definitions on goals; The general public keeps getting confused on the use of the term "computer security" that means different things.

Whether we are stopping malware (malevolent stealing, Messing up our computers)

Seeking Privacy (keeping others- individuals or corporations out of your, my business.)

versus Security.

Security being where people could be hurt, lives could be lost.

Those definitions being for individuals, corporations being somewhat different.

Added later: A new version of Barry Kauler's Easy OS is out in early 9-2019.
Any of you ever tried: Yubico Key
https://www.yubico.com/

I am always suspicious of Google being a partner.
rufwoof


Joined: 24 Feb 2014
Posts: 3440

Posted: Wed 11 Sep 2019, 21:00    Post subject: Re: A lot of malware gets up to no good with browsers.
Subject description: Browsers let it in.
 

purple379 wrote:

Clear the browser cache, and reboot. Puppy can do that.

Start with a clean version of the OS (reboot) before and after doing something important.

Whether the version of Puppy you use does a lot of root becomes irrelevant, if one reboots, and places a fresh copy of the OS in use.

... providing the likes of your MBR/bootloader/kernel are physically isolated. In other words boot from usb, where the usb is removed once booted. With the OS running fully in ram then only that session can be cracked. Any data is also at risk so good disconnected backup practice is required.

For online security just use a clean boot to do secure stuff (banking) and close/reboot again afterwards. For the rest you just have to accept the risks (such as your Puppy Forum userid/password). They might equally be cracked via penetration of the web site itself.

For obscuring local state/government monitoring you can route everything through ssh to a remote server, or use something like Tor. But that can introduce other risks (circle of trust).

I boot the same known clean system every time, store data separately outside of the OS space. Booting from usb loading everything into ram and then the usb is disconnected once booted. If I do want to make a change then I just boot, make the change, save, unplug usb. Recently I've been using wiaks scripts to build the system/setup completely afresh quite regularly - following voidlinux --current. 20 minute or so task that I just kick off and leave running in the background whilst I do other things.

For larger tasks, video editing etc. that can blow ram limit, I have an encrypted swap file that I can activate. Encrypted using a random session key so if my laptop were stolen/confiscated then pretty much impossible to get to the clear text (decrypted) content that might have been stored in ram ... and nobody, not even I, know the 'passwords' (keys) that were used for the encryption.

_________________
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb

echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh
nosystemdthanks


Joined: 03 May 2018
Posts: 686

Posted: Thu 12 Sep 2019, 12:59    Post subject: Re: A lot of malware gets up to no good with browsers.
Subject description: Browsers let it in.
 

purple379 wrote:
A new version of Barry Kauler's Easy OS is out in early 9-2019.
Any of you ever tried: Yubico Key
https://www.yubico.com/

I am always suspicious of Google being a partner.


imo talking about security while using an os hosted on microsoft github... well, you know what im going to say and i know what people are going to respond, but im going to say it because lots of people do, and their concerns are being ignored or (after deliberation that some would deem fair or sufficient) put aside and unmitigated.

belham2

Joined: 15 Aug 2016
Posts: 1671

Posted: Thu 12 Sep 2019, 15:24    Post subject: Re: A lot of malware gets up to no good with browsers.
Subject description: Browsers let it in.
 

purple379 wrote:


Added later: A new version of Barry Kauler's Easy OS is out in early 9-2019.
Any of you ever tried: Yubico Key
https://www.yubico.com/

I am always suspicious of Google being a partner.



Hey Purple,

Been using Yubikeys for over 3 years now. And using them with Google's Advanced Protection Program (means if I lose the Yubi keys, I am screwed as neither google nor myself will be able to recover those gmail accounts). Yes, I do realize it is Mother Spy Google, but in this regard, yubico-locked email has brought me great peace of mind over the years. For anything sensitive done on one's life, well I think you know what I mean. I've discussed Yubikeys for nearly three years in this "Security" forum, in many different threads.

And regarding Barry's Easy, been using it since he first started it (and was using almost everything else before that he was creating and fooling around with). I like the direction Barry has taken with Easy. He's actively trying to address security-concerns, among several other things. Easy may be nowhere near rufwoof's level of lockdown, but Barry is doing things that I agree wholeheartedly with. Things that are promising, imho.
rufwoof


Joined: 24 Feb 2014
Posts: 3440

Posted: Fri 13 Sep 2019, 08:55

Re:yubico

Suppose I'm a cracker and seeing someone visit or linking to my web site I note that they're running an OS/browser combination with a known flaw that can be exploited to provide remote command execution and I (system) deploys that attack. Perhaps dropping straight into root cli (or if not, using other known methods to elevate to root).

With root access, my next port of call: noting that the target system is using a frugal boot, I update the MBR to first load my own installed bootloader that sets up my own unseen micro OS running beneath the main OS. Looks to the target like a perfectly normal boot session, but where they don't see that they're actually running a chroot instead of switch_root. Neither do they see any of the processes that the micro OS is running, to the casual eye nothing is wrong.

With that I can monitor sites visited and mostly just remain hidden, but upon seeing the target requesting to go to a bank's web site it redirects instead to my own pre-prepared web site address that replicates the bank's web site. When they enter their username, password and YubiKey I use that to actually connect to their bank and empty the bank account, whilst returning a 'sorry the site is down at present and our engineers are working as quickly as possible to resolve the issue' type message. With the account cleared I reset the MBR back to as before and leave it for the target to argue with their bank that it wasn't them that actually made the money transfer to buy bitcoins or whatever. By then of course the money has been transferred multiple times to the extent of being untraceable and the fake bank web site is a dead link.

A simplistic example of what could occur i.e. viable man-in-middle attack despite using Yubikey. The saving grace however is that that's a relatively low reward attack for crackers, as in practice most banks will do other checks when more than $5000 or so is being transferred. But if simple enough and given potentially high volumes of multiple $4000 hits/day across a wide range of targets then the appeal to crackers rises.

Simple mitigation is to use a usb boot that is removed immediately after booting, so it's physically isolated and remains clean. When a clean boot of that is used to go directly to a bank's web site, nowhere else before, then there's a very high probability that that session will be clean.

8Geee


Joined: 12 May 2008
Posts: 2044
Location: N.E. USA

Posted: Fri 13 Sep 2019, 15:11

Have to say that example of MITM has had a recent, nasty showing with Bluetooth. And, the concept directly applies to your example.

nosystemd relates a great idea... if you don't use it, lose it. One less vector of attack. That's how AtomicPup-XIX was spun... toss out ALL the servers and shares. Even FreeOffice had a server binary to "Check for updates". Trash-binned.

YMMV/YRMV
8Geee

rufwoof


Joined: 24 Feb 2014
Posts: 3440

Posted: Fri 13 Sep 2019, 16:14

8Geee wrote:
nosystemd relates a great idea... if you don't use it, lose it. One less vector of attack.

systemD has over a million lines of code. Voidlinux's runit has around 1000 lines of code. If so inclined, I've a far better prospect of being able to look over runit code and understand what it is doing compared to systemD's code.

nosystemdthanks


Joined: 03 May 2018
Posts: 686

Posted: Fri 13 Sep 2019, 23:13

rufwoof wrote:
8Geee wrote:
nosystemd relates a great idea... if you don't use it, lose it. One less vector of attack.

systemD has over a million lines of code. Voidlinux's runit has around 1000 lines of code.


so void vs devuan is an interesting comparison. ive got void running right now-- they do a FAR better job of cleaning out systemd than devuan does.

(devuans job is harder, as theyre starting with debian and it has more of a mess to clean up. and its a moving target.)

ive been very critical of devuan since ascii, but beowulf is at least a step forward again. they did the best with jessie:

(8) jessie (9) ascii (10) beowulf

but theyre making progress again.

worth mentioning is that although void is much cleaner of systemd, systemd is developed on microsoft code servers-- and so is all of void as well. so thats a point for devuan, they dont use github.

its sad that so many things (5 years in!) are still catching up.

i got someone from the board of the fsf to talk about this today, i feel we are getting closer (a bit) to some progress there. too soon to be sure, of course. we need a name for these setbacks, collectively.

oh and 8geee: thanks!
