Puppy Linux Discussion Forum
LightweightPortableSecurity vs Puppy - Puppy wins
Page 3 of 5 [69 Posts]
CLAM01

Joined: 22 May 2010
Posts: 79

Posted: Sun 10 Jul 2011, 20:35    Post subject:

Lobster,

Carried away in my paranoid hallucinations, I forgot to address the serious issue you raised, about diving behind the sofa. I have found that this works very well, provided you have a nice tin-foil sham on the back of the sofa. In my experience, drawn from experimentation, I have found that the dust-critters, the dust-bunnies, dust-kittens, dust-puppies, etc., under my sofa, suitably shammed, are saner than I am.

I am thinking to move forward from tin-foil to mylar now, though, since NASA uses mylar extensively and seems to be doing very well with it: They are sane enough they are suggesting starting a new web, one to be secure and for secure communicating entirely. At least abandoning the present web entirely to the animals, bugs and vermin, letting it be a jungle-playland for everyone mad enough to brave its perils, seems a sane idea to me.

It's what I do with puppies, running them with no securities but what is native through public wifis of all the least secure sorts, the kinds whose operators deliberately run them as man-in-the-middle, to see who is able to poke into what, and outload how and where. This is how most users use their computers. Those with ability and expertise to monitor and shield themselves are about one in a hundred-thousand, so the security of no security is where security has to begin. :)

dru5k1

Joined: 11 Apr 2010
Posts: 72

Posted: Mon 11 Jul 2011, 09:01    Post subject:

CLAM01 wrote:

For an example, Lighthouse pup includes a compromised Firefox browser, which writes home on start up and permits botting (it appears to be some U.S. gov agency's compromise, from the way the botting is used).


can I ask you to elaborate on what you said here please?

nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

Posted: Mon 11 Jul 2011, 10:17    Post subject:

dru5k1 wrote:
CLAM01 wrote:

For an example, Lighthouse pup includes a compromised Firefox browser, which writes home on start up and permits botting (it appears to be some U.S. gov agency's compromise, from the way the botting is used).


can I ask you to elaborate on what you said here please?


Yes look for IP address of that one so we can check it up.

More likely it is the test with the server in Mountain View, Google employee consult something. The guy everybody uses because his server has a good uptime 99.999 or something. Him watching over it like a hawk.

_________________
I use Google Search on Puppy Forum
not an ideal solution though

tazoc

Joined: 11 Dec 2006
Posts: 1157
Location: Lower Columbia Basin WA US

Posted: Mon 11 Jul 2011, 23:17    Post subject: How is Lighthouse Pup compromised?
Subject description: The update notifier can be disabled.

CLAM01 wrote:
For this, puppy users' real dangers come from inclusions in things that are user-saved and let accumulate and things a builder may wittingly or unwittingly include in a build, or that may be in a program he's used in a build.

For an example, Lighthouse pup includes a compromised Firefox browser, which writes home on start up and permits botting (it appears to be some U.S. gov agency's compromise, from the way the botting is used). Open source, of course, means one may freely add spyware, too, if one wants to.

I have no idea what compromise you've found, and I did not include any spyware or web bots in LHP. The only 'writing home' it does is to check for available updates to Lighthouse shortly after login by downloading this small package list and comparing it with the previous one. Only does this once per day. Displays a brief pop-up with gtkdialog-splash if there are any new updates available. The actual updates, e.g., bug fixes or browser updates, are only transferred if user selects them in Lighthouse Update. This behavior can be disabled by deleting or moving /root/Startup/lhp-update-notifier into DisabledItems. This is described in the Lighthouse Update | Help dialog. The notifier script is at /usr/sbin/lhp-update-notifier.

It may have seemed to be Firefox because the notifier sleeps for 20 seconds and waits until an Internet connection is active before continuing. The connection is tested by pinging google or icanhazip.com with /usr/sbin/ifactive. The notifier tries the connection occasionally for 90 seconds and then exits. This is because WiFi connections can take a while to connect. LHP 5.03's browsers run as root, however Lighthouse 64 (in development) follows the prudent Fatdog 64 approach and runs the browsers as the unprivileged user spot by default.

Please PM the appropriate developer directly if you observe unusual behavior in any Pup. I think they will all be happy to clarify and/or improve security where necessary.
-TazOC

_________________
lhpup.org Lighthouse 64 6.02
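
The disagreement above comes down to which process actually opened the connection. As an added example (not part of the thread and not Lighthouse's own code), this Python script joins `/proc/net/tcp` socket inodes to the owning process and its parents, so a fetch made by a child of a startup script can be told apart from one made by the browser. The sample socket table, the TEST-NET addresses, the PIDs and the `downloader` child process are constructed, and the address decoding assumes a little-endian host.

```python
"""Which process owns each outbound TCP connection? (added example)

Parses Linux /proc/net/tcp text and joins every socket inode to the owning
process and its parents. All sample data below is constructed.
"""
import os
import socket

STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (remote addresses from TEST-NET-1).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0A00A8C0:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000     0        0 4242 1 0000000000000000 20 4 30 10 -1
   2: 0A00A8C0:C351 070200C0:01BB 02 00000000:00000000 00:00000000 00000000     0        0 4300 1 0000000000000000 20 4 30 10 -1
"""

# Constructed process table: pid -> (ppid, command line, socket inodes held).
SAMPLE_PROCS = {
    1: (0, "init", set()),
    812: (1, "/bin/sh /usr/sbin/lhp-update-notifier", set()),
    845: (812, "downloader", {4242}),  # hypothetical child doing the fetch
    950: (1, "firefox", {4300}),
}


def decode_endpoint(field):
    """'0A0200C0:0050' -> ('192.0.2.10', 80); assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1]), int(port_hex, 16)


def parse_tcp(text):
    """Yield (remote_ip, remote_port, state, inode) for non-listening sockets."""
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] == "0A":
            continue
        ip, port = decode_endpoint(cols[2])
        yield ip, port, STATES.get(cols[3], cols[3]), int(cols[9])


def scan_processes(proc_root="/proc"):
    """Build a table shaped like SAMPLE_PROCS from a live system (run as root)."""
    procs = {}
    for name in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "stat")) as fh:
                # "pid (comm) state ppid ..."; comm may itself contain ')'.
                ppid = int(fh.read().rsplit(")", 1)[1].split()[1])
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            inodes = set()
            for fd in os.listdir(os.path.join(base, "fd")):
                target = os.readlink(os.path.join(base, "fd", fd))
                if target.startswith("socket:["):
                    inodes.add(int(target[8:-1]))
        except OSError:
            continue  # process exited or access was denied
        procs[int(name)] = (ppid, cmd, inodes)
    return procs


def attribute(tcp_text, procs):
    """Return one record per connection with the owner's parent chain."""
    owner = {ino: pid for pid, (_, _, inodes) in procs.items() for ino in inodes}
    records = []
    for ip, port, state, inode in parse_tcp(tcp_text):
        chain, pid = [], owner.get(inode)
        while pid in procs and len(chain) < 32:  # walk up towards init
            chain.append(procs[pid][1])
            pid = procs[pid][0]
        records.append({"remote": f"{ip}:{port}", "state": state, "chain": chain})
    return records


if __name__ == "__main__":
    for rec in attribute(SAMPLE_TCP, SAMPLE_PROCS):
        print(rec["remote"], rec["state"], " <- ".join(rec["chain"]) or "unknown owner")
```

On a live system, pass the contents of `/proc/net/tcp` and the result of `scan_processes()` to `attribute()` shortly after login, while the connection is still open.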

Lobster
Official Crustacean

Joined: 04 May 2005
Posts: 15117
Location: Paradox Realm

Posted: Tue 12 Jul 2011, 00:55    Post subject:

Quote:
Its purpose is probably the installation of a keylogger in your Windows partition.


I think this is a legitimate concern and may well have occurred to me. :oops:
If visiting dubious sites (for example downloading from prawn sites) you are giving the site permission to upload to your site.
So a keylogger or other malware to compromise Windows (chances are it will target Windows) in the same place is a tempting possibility for the malwarians.
I have vids of naked prawns and Windows on the same drive. Recently I booted into Windows and it was sluggish. Not sure if I have any protection on that Windows. So it could be very badly compromised.
So I should delete Windows (always a good plan). :)
I must admit I hardly ever boot into the Windows drive. Booting from it has to be enabled from the BIOS.
So it is possible to inadvertently download nastiness with LPS or Puppy for other OS.

Another possibility is an installed add on app for Firefox or Seamonkey.
Such an app may be clean (I am not sure how well they are checked but let us assume they are) but may have an auto-update facility that runs a new version of the program for some unlucky recipients.
Such an app would have access to XUL (the Firefox and Seamonkey language) and javascript and therefore could work across different operating systems.

:roll:
I must admit this scenario fills me with no sense of fear or foreboding.
I just don't have the right head for tin foil millinery.

PS
the prawn stays. ;)

_________________
Puppy WIKI

CLAM01

Joined: 22 May 2010
Posts: 79

Posted: Tue 12 Jul 2011, 20:38    Post subject:

Oooh, looks like I hit a three for one sale on posts on Sunday. Unless the post bounced off the walls and hit the board in three ricochets. Three for the price of one is too good a deal to pass up, even when the one is free...

About the Firefox browser problem I met in Lighthouse: First, I should have used past tense. Using present I suggested it ongoing. I don't use Lighthouse on the net, for other reasons, so as far as I know it isn't (if it was I'm sure others would be noticing). The Firefox involved was a 3-series, the "test" opportunity came from the DoS attack against WikiLeaks. I re-started three times, clean (once ram) and the browser returned to full-time pinging each time. The server address written to googled to be in Dallas, Texas. I did not document, I went on to try Opera and Seamonkey and then the three in other puppies. None did anything odd, so I deduced the problem was that Firefox in Lighthouse. I assume it was compromised, or compromisable and had its signature targeted.

The backside of the GPL's allowance for free modification is that it isn't only good-guys allowed to modify, which is another reason for checking and re-checking, even what comes from reliable sources, in case they have been slipped into.

As I said, the problem seemed to be in Firefox, which has updated extensively since then. I like Lighthouse and use it regularly when I want a full-feature puppy. I don't use it on the web, not because I don't trust Lighthouse, but because I don't trust the web. I use simpler puppies on the web. Ones with fewer convenience features and systems. Those are great in a secure environment, but are more to have to keep track of and to have to look in, around and behind, and to have to search in and sweep around when looking for flies and fleas and other vermin that have, or might have, got in.

Auto-updating I prefer to not have. I don't even like auto-connect to the web. Even puppy's pet-fetch features make me nervous and paranoid. I go to ibiblio to manually download my pet package and even cross my fingers installing them just by clicking. It makes me feel manly when I'm told dependencies are needed, so I can say, "yes dear." and go find and fetch them. But if I find anything weird about a package I've installed I can go to where I have it stored and look in.

Nowadays I rarely do. I am avoiding CLI almost entirely. Almost no one in the computer-using world knows CLI, so if anything is to be secure for all users, instead of a unique few, it has to be idiot-proof secure or user-securable through GUI.

For this I can't even spread my favorite puppy-virus using a script. I have to spread by suggesting others try it for fun. Here is the recipe:

Our object is to make our puppy (any breed or cross) more secure. As we all know, our puppies are not secure because we run as root. To be secure we want to run as spot. The easy way to do this is to move our root to spot. To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot. Then drag root from the / window and drop it in the spot one. That's all there is to it. Our root is now safe in spot. We are all done. Literally. Everything we do from this point on that triggers a call to a file in root will stop for being unable to find root. Nothing can get instruction from root, now tucked safely away in spot, secure even from us and our own computer. What is really cool and real virus like is the way all our open programs continue to work until we try to do something with one, whereupon it immediately freezes up. It's proper virus-infection behavior.

To recover demonstrates the first-most security feature of puppy. We have to hard-reboot, since root being lost makes everything stop (including, fortunately, writing the move of root to the pup-save file). When our puppy reboots it reboots through a normal restart to a normal puppy rebuilt from the main sfs, pup-save and additional sfs files. A healthy puppy, all recovered, no longer sick. Puppy is, indeed, virus-proof, and idiot-proof! Note, however, that pup-saves can collect malware and should be cleaned every now and again. For convenience, if you customize settings, and add programs, set your puppy up as you want and build a custom that incorporates what you want as you want it, so all is in your main sfs, then save everything important to one or two files in your pup-save that you can move out to a partition before you clean your pup-save (mouse a frame around all contents and quiet-delete).

dru5k1

Joined: 11 Apr 2010
Posts: 72

Posted: Wed 13 Jul 2011, 03:12    Post subject:

So you say your Firefox 3 series was pinging a .gov (us government) address repeatedly from a clean .iso -interesting- but you also say that you like to remaster too, this means your clean .iso may not have actually been a clean one I guess.. It's great to hear from Tazoc that a separate connect-script may have made it 'seem' like it was Firefox doing this

Was it actually a .gov address?

nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

Posted: Wed 13 Jul 2011, 07:13    Post subject:

Clam01

I wish I was more computer savvy, I am an absolute computer challenged guy but what you say in my quote below is interesting.

I wish somebody geeky could test it and explain how to use it for us Noobs.

Quote:
Clam01 wrote
Our object is to make our puppy (any breed or cross) more secure. As we all know, our puppies are not secure because we run as root. To be secure we want to run as spot. The easy way to do this is to move our root to spot. To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot. Then drag root from the / window and drop it in the spot one. That's all there is to it. Our root is now safe in spot. We are all done. Literally. Everything we do from this point on that triggers a call to a file in root will stop for being unable to find root. Nothing can get instruction from root, now tucked safely away in spot, secure even from us and our own computer. What is really cool and real virus like is the way all our open programs continue to work until we try to do something with one, whereupon it immediately freezes up. It's proper virus-infection behavior.

To recover demonstrates the first-most security feature of puppy. We have to hard-reboot, since root being lost makes everything stop (including, fortunately, writing the move of root to the pup-save file). When our puppy reboots it reboots through a normal restart to a normal puppy rebuilt from the main sfs, pup-save and additional sfs files. A healthy puppy, all recovered, no longer sick. Puppy is, indeed, virus-proof, and idiot-proof! Note, however, that pup-saves can collect malware and should be cleaned every now and again. For convenience, if you customize settings, and add programs, set your puppy up as you want and build a custom that incorporates what you want as you want it, so all is in your main sfs, then save everything important to one or two files in your pup-save that you can move out to a partition before you clean your pup-save (mouse a frame around all contents and quiet-delete).


This being the LPS vs Puppy thread maybe one has to start a new thread. I think I do that in Security.

_________________
I use Google Search on Puppy Forum
not an ideal solution though

dru5k1

Joined: 11 Apr 2010
Posts: 72

Posted: Wed 13 Jul 2011, 17:55    Post subject:

I agree with nooby

It looks so simple, so almost too good to be true

Please explain as you've obviously done it.. and what (if any) are the 'consequences'?

CLAM01

Joined: 22 May 2010
Posts: 79

Posted: Wed 13 Jul 2011, 20:09    Post subject:

dru5k1,

I don't know if the server that auto-connected, or if where the pinging was directed from was .gov. I assumed the pinging was of WikiLeaks, since it was being attacked then. I assumed a government or enforcement entity directing, but would assume that whoever it was they were .com, since the most common is the best cover, and DoS attacking is not something I would do from home if I was a .gov. When paypal and others who irritated wikileaks supporters were attacked by radicals I booted the same system again and had no activity, except the "testing", which I assume to be notifying, or merely recording for statistics, if I had no flags, that my MAC was connected to the web.

The Lighthouse I used was not remastered. On this computer I run all sorts of puppies, whatever I download to try. I launch to net through open networks, some I know to be nosey, some of whose noses I sometimes deliberately tweak, to see who, or what, try what to roust data, operate something, run a program or proposition the computer. I do this for fun, to see how insecure the web can be for a normal user using puppy. I am not interested in stopping things, I am interested in what can get in, how and by what means. My interest is if there is any way for the common user to be secure and connected to the web. I give government and law enforcement a hard time when I see them part of the problem, because they are supposed to be protecting the innocent, not victimizing them, too.

In the DoS incident I did three evolutions to define generally where the exploiting was from. The first was when I noticed, with the existing pup-save. I then wiped the pup-save, which was then built new by the main sfs. Then I booted in ram with no pup-save. I then grabbed my bag of start disks and booted other puppies I had frugal-installed on the machine, to see if they did the same. I suspect a hole in Firefox, and I suspect a government connected entity because the browser was writing out to a web location. Stock browsers that do this tend to write to "Colonel Hassan", or "Major Harris" or some or another such for "connection test", the site being one "every browser uses to test" because it is "left over from DARPA", has "a 99.999% up-time" (and so is always there), or some such, I suspect to record there the MAC and time and place. A browser really needs test only to the computer's router, since it's the router, not the browser that connects beyond. As about any air-cracking addict can tell you, there ain't many routers that are any how secure.

Nooby and dru5k1,

Note that my recipe for "securing" root by moving it into spot is a puppy-virus recipe. It is fun in puppy because it does no serious harm (though you should do it on a frugal-installed puppy you don't have personal files in, just in case). It isn't a cure for anything, except maybe acute boredom. Computer programs find things they need by following paths to them. Putting root in spot removes root from the path programs follow to find it. Coming to a dead-end a program stalls. This effectively kills the running puppy. This does no harm with puppy because the running puppy is a copy. It is a clone of the puppy main sfs modified per white and black lists and additional instructions, and files, in the pup-save, and additional sfs's added on startup.

Basically all my "puppy-virus" does is illustrate and demonstrate the puppy structure that makes puppy root secure and provides puppy's first-line of security against infections. To bring in LPS into the discussion, for a nod to the thread, this first-line defense is the same that LPS uses (which LPS almost certainly has from puppy, which is famous for it, via GPL).

The means to "propagate" the "virus", moving root to spot to make root secure, is for fun. It is one of those "too good to be true" things, "so easy why didn't the experts ever think of it?" Because they are fun I like to think of these things.

Caveats: Because I have never full-install installed a puppy I don't know if the virus works the same, or messes things up in a full install. Also, I don't know if a puppy that saves to USB periodically will always fail to save the root-in-spot configuration to its pup-save. If your puppy does not restart normally, reboot in ram, mount the pup-save, move personal files out to /mnt/home, then mouse draw to compass all files in the pup-save, quiet-delete all, close the empty window, unmount the pup-save (by left-clicking on it), then reboot the computer, not saving your ram session. When the puppy main sfs re-populates the pup-save you can customize it again and move your personal files from /mnt/home back in.

dru5k1

Joined: 11 Apr 2010
Posts: 72

Posted: Sun 17 Jul 2011, 22:50    Post subject:

oh ok

Lobster
Official Crustacean

Joined: 04 May 2005
Posts: 15117
Location: Paradox Realm

Posted: Mon 18 Jul 2011, 03:37    Post subject:

Quote:
i don't trust the web


:)
For the last week I have been using a version of Linux
called Gangroid or Googledroid (wait Android)
that is it . . . ;)
Basically when you install an app (from the web)
you agree to:
    1. Allow total access to all your files
    2. Access to your grandmother for resale
    3. They can fry your brain at a time of their convenience

To put it more realistically
you invite them in, you allow them access
you sign over your rights to YOUR data
They then charge for ad-bombing you

I don't want a blackberry (I hear they are more secure)
I want to use Puppy on a phone - or at least a tablet
and I do not want pics of naked sardines
unless in the seclusion of my own aquarium.

So I won't be continuing the use of my Android phone?
Oh no - too much fun :oops:
and who can resist a hot kipper with melted butter . . . 8)

Trust Puppy
. . . to be cute . . .

_________________
Puppy WIKI

nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

Posted: Mon 18 Jul 2011, 06:30    Post subject:

I know too little but I have heard that Debian can do ARM. Maybe not every ARM that have been made but could be realistic to check up if them maybe can do exactly the small cheap pad that sell round the corner.

Hahah I could owned one some two weeks ago if I had known them had them on total sell out Sales. 50% on the or even a third on the first unrealistic price them had. So for less than some 500SEK maybe 77USD
which is a very low price. Not a good pad but the firm that imported them assured me that it could use both USB Mouse and USB keyboard but no Swedish keyboard. Only resistive screen and low resolution but no fan that whine in the background. So that is my kind of gear.

I wonder if LPS placed something on my HDD. A lot to read through before them allowed one to get LPS going.

Yes I know that Android is set up like that too :) I guess I should join the Church of Google so I get forgiveness for using Puppy.

_________________
I use Google Search on Puppy Forum
not an ideal solution though

CLAM01

Joined: 22 May 2010
Posts: 79

Posted: Thu 21 Jul 2011, 22:27    Post subject:

I've decided I'm not a fan of LPS. It is too opaque. Not easy enough to see inside and for the casual user to monitor. It doesn't appear to be significantly more secure than a puppy and is less serviceable. Puppies are, for the most part, not easily enough transparent (but nothing can be), are decently transparent, slicker, smoother, amazingly versatile and easy to keep up-to-date.

In addition, I don't think the LPS advertisement that using it one can get along with only one computer (and do everything on it in different operating systems) is reliable: Physical separation is the only reliable separation in the electronic data world.