LightweightPortableSecurity vs Puppy - Puppy wins

For discussions about security.
Message
Author
CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#41 Post by CLAM01 »

dru5k1,

I don't know if the server that auto-connected, or if where the pinging was directed from was .gov. I assumed the pinging was of WikiLeaks, since it was being attacked then. I assumed a government or enforcement entity directing, but would assume that whoever it was they were .com, since the most common is the best cover, and DoS attacking is not something I would do from home if I was a .gov. When paypal and others who irritated wikileaks supporters were attacked by radicals I booted the same system again and had no activity, except the "testing", which I assume to be notifying, or merely recording for statistics, if I had no flags, that my MAC was connected to the web.

The Lighthouse I used was not remastered. On this computer I run all sorts of puppies, whatever I download to try. I launch to net through open networks, some I know to be nosey, some of whose noses I sometimes deliberately tweak, to see who, or what, try what to roust data, operate something, run a program or proposition the computer. I do this for fun, to see how insecure the web can be for a normal user using puppy. I am not interested in stopping things, I am interested in what can get in, how and by what means. My interest is if there is any way for the common user to be secure and connected to the web. I give government and law enforcement a hard time when I see them part of the problem, because they are supposed to be protecting the innocent, not victimizing them, too.

In the DoS incident I did three evolutions to define generally where the exploiting was from. he first was when I noticed, with the existing pup-save. I then wiped the pup-save, which was then built new by the main sfs. Then I booted in ram with no pup-save. I then grabbed my bag of start disks and booted other puppies I had frugal-installed on the machine, to see if they did the same. I suspect a hole in Firefox, and I suspect a government connected entity because of the browser was writing out to a web location. Stock browsers that do this tend to write to "Colonel Hassan", or "Major Harris" or some or another such for "connection test", the site being one "every browser uses to test" because it is "left over from DARPA", has "a 99.999% up-time (and so is always there), or some such, I suspect to record there the MAC and time and place. A browser really needs test only to the computer's router, since it's the router, not the browser that connects beyond. As about any air-cracking addict can tell you, there ain't many routers that are any how secure.

Nooby and dru5k1,

Note that my recipe for "securing" root by moving it into spot is a puppy-virus recipe. It is fun in puppy because it does no serious harm (though you should do it on a frugal-installed puppy you don't have personal files in, just in case). It isn't a cure for anything, except maybe acute boredom. Computer programs find things they need by following paths to them. Putting root in spot removes root from the path programs follow to find it. Coming to a dead-end a program stalls. This effectively kills the running puppy. This does no harm with puppy because the running puppy is a copy. It is a clone of the puppy main sfs modified per white and black lists and additional instructions, and files, in the pup-save, and additional sfs's added on startup.

Basically all my "puppy-virus" does is illustrate and demonstrate the puppy structure that makes puppy root secure and provides puppy's first-line of security against infections. To bring in LPS into the discussion, for a nod to the thread, this first-line defense is the same that LPS uses (which LPS almost certainly has from puppy, which is famous for it, via GPL).

The means to "propagate" the "virus", moving root to spot to make root secure, is for fun. It is one of those "too good to be true" things, "so easy why didn't the experts ever think of it?" Because they are fun I like to think of these things.

Caveats: Because I have never full-install installed a puppy I don't know if the virus works the same, or messes things up in a full install. Also, I don't know if a puppy that saves to USB periodically will always fail to save the root-in-spot configuration to its pup-save. If your puppy does not restart normally, reboot in ram, mount the pup-save, move personal files out to /mnt/home, then mouse draw to compass all files in the pup-save, quiet-delete all, close the empty window, unmount the pup-save (by left-clicking on it), then reboot the computer, not saving your ram session. When the puppy main sfs re-populates the pup-save you can customize it again and move your personal files from /mnt/home back in.

User avatar
dru5k1
Posts: 72
Joined: Mon 12 Apr 2010, 01:15

#42 Post by dru5k1 »

oh ok

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#43 Post by Lobster »

i don't trust the web
:)
For the last week I have been using a version of Linux
called Gangroid or Googledroid (wait Android)
that is it . . . :wink:
Basically when you install an app (from the web)
you agree to:
  • 1. Allow total access to all your files
    2. Access to your grandmother for resale
    3. They can fry your brain at a time of their convenience
To put it more realistically
you invite them in, you allow them access
you sign over your rights to YOUR data
They then charge for ad-bombing you

I don't want a blackberry (I hear they are more secure)
I want to use Puppy on a phone - or at least a tablet
and I do not want pics of naked sardines
unless in the seclusion of my own aquarium.

So I won't be continuing the use of my Android phone?
Oh no - too much fun :oops:
and who can resist a hot kipper with melted butter . . . 8)

Trust Puppy
. . . to be cute . . .
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#44 Post by nooby »

I know too little but I have heard that Debian can do ARM. Maybe not every ARM that have been made but could be realistic to check up if them maybe can do exactly the small cheap pad that sell round the corner.

Hahah I could owned one some two weeks ago if I had known them had them on total sell out Sales. 50% on the or even a third on the first unrealistic price them had. So for less than some 500SEK maybe 77USD
which is a very low price. Not a good pad but the firm that imported them assured me that it could use both USB Mouse and USB keyboard but no Swedish keyboard. Only resistive screen and low resolution but no fan that whine in the background. So that is my kind of gear.

I wonder if LPS placed something on my HDD. A lot to read through before them allowed one to get LPS going.

Yes I know that Android is set up like that too :) I guess I should join the Church of Google so I get forgiveness for using Puppy.
I use Google Search on Puppy Forum
not an ideal solution though

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#45 Post by CLAM01 »

I've decided I'm not a fan of LPS. It is too opaque. Not easy enough to see inside and for the casual user to monitor. It doesn't appear to be significantly more secure than a puppy and is less serviceable. Puppies are, for the most part, not easily enough transparent (but nothing can be), are decently transparent, slicker, smoother, amazingly versatile and easy to keep up--to-date.

In addition, I don't think the LPS advertisement that using it one can get along with only one computer (and do everything on it in different operating systems) is reliable: Physical separation is the only reliable separation in the electronic data world.

User avatar
d4p
Posts: 439
Joined: Tue 13 Mar 2007, 02:30

#46 Post by d4p »

LPS v1.2.2 is released

"And the advice given in the FAQs and manual, telling the user how to maintain security, as, for example, for making secure banking transactions to start up, "

Ctbankix is designed specifically for secure online banking
Base on ubuntu
multi-session CD possible
read/write access to ufd only

Bitbox is designed for secure online also
base on ubuntu and run in virtual
need big ram memory

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#47 Post by CLAM01 »

The perennial problem with doing banking, or anything else you want sure security for, from anywhere out and about is router insecurity. Router insecurity can be "router security", and is in most provided wifi settings. This because "for security", meaning for defense against being caught in a legal tangle for "culpably allowing" one's facilities to be used for an illegal purpose, providers engage in "monitoring" traffic through their wifi routers, so they may claim to have "attempted to prevent", which establishes them a victim, not a participant.

In publicly available situations the monitoring is not done by security-cleared individuals. Essentially, the monitoring soft-ware is there. For this everyone with access to the router (onsite and off) has access to monitored data, and anyone of those with access to decoding and decrypting programming can mine, even back in time, since it is always safer to save, in case someone (or agency) should ask. This means, in hotels, restaurants, coffee-shops, kiosks, etc., any tech-savvy waiter, busboy, janitor, counterperson, temporary, contractor, etc., or "friend of" any one can real-time monitor, or mine back. The router-in-the-middle is is a weak link.

So, if you are public even with LPS you are depending mostly on anonymity for security, that is, on your transmissions being lost in the flow of traffic. The best alternative is to make a tunnel to a secure router first, then transmit data through to that and on from there. This is what the CAC-secured connect-to-your-government-system capability that LPS developers will set up for government clients does for them.

dawg
Posts: 116
Joined: Sun 09 Aug 2009, 14:36
Location: still here
Contact:

#48 Post by dawg »

LPS is bound to have a backdoor installed for the control-freak spooks somewhere.
I used to only like Puppy as a friend, but now I think our relationship is starting to develop into something more... :D

Bruce B

#49 Post by Bruce B »

some observations

» one thing that makes it safer is lack of tools to mess with the hard disks as well as no ability to mount the partitions

» it is easy to install on the hdd

» one could easily modify init (the file with the programs) to personalize it

~

User avatar
cowboy
Posts: 250
Joined: Thu 03 Feb 2011, 22:04
Location: North America; the Western Hemisphere; Yonder

surely

#50 Post by cowboy »

dawg wrote:LPS is bound to have a backdoor installed for the control-freak spooks somewhere.
in general, one might say the same thing about "The Internet".
[i]"you fix what you can fix and you let the rest go.."[/i] - Cormac McCarthy - No Country For Old Men.

User avatar
cowboy
Posts: 250
Joined: Thu 03 Feb 2011, 22:04
Location: North America; the Western Hemisphere; Yonder

lps more

#51 Post by cowboy »

Bruce B wrote:some observations

» one thing that makes it safer is lack of tools to mess with the hard disks as well as no ability to mount the partitions

~
Good thought. Recently worried about some thread on BarryK's blog where a few folks mentioned adding in auto-mounting as a feature. LPS security, like that of Puppy, seems to involve a couple of simple ideas - no automounting of drives, and non-persistence of the operating system. LPS forces non-persistence.
[i]"you fix what you can fix and you let the rest go.."[/i] - Cormac McCarthy - No Country For Old Men.

Bruce B

#52 Post by Bruce B »

The initrd is a squashfs version 3

I can't mount it in Lupu 5.20 because it is an earlier version 3 than the one Lupu supports. Which brings me to this question. Which Puppies used the earlier squashfs version 3?

My idea is to modify, personalize, initrd.

~

muggins
Posts: 6724
Joined: Fri 20 Jan 2006, 10:44
Location: hobart

#53 Post by muggins »

I think earlier than p431.

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#54 Post by CLAM01 »

Bruce B,

Under "Utilities" in the puppy menu there is an "SFSConverter" utility. It should be able to make 4-series sfs files 3-series. If not you unsquash a 4-series and resquash it a 3.

You would also have to install puppy's sfs mounting at startup system, in the boot-manager section of the set-up system, or the add sfs-files on the fly pet.

I don't think LPS allows user modification, though. It is part of the system's attacks-prevention hardening. See the documentation html file with the download, which lets you open pdfs of LPS documents, also provided with the download. These are also available in LPS when it is installed.

The hardening, preventing ANY modification is good for in-organization general use and users, who can trust the system as provided by fellow members of their organization. The problem for non-members (like us of the general public, around the world) is that we are not U.S. DoD, and need to be able to assure ourselves there is no DoD monitoring of our non-DoD systems. Once it would have been normal to assume the U.S. Dod would simply make a secure system and provide it for anyone to use. But nowadays spying and intruding have become so ubiquitous even those who one would normally trust one needs to confirm one can trust.

Puppies you can get into and look around in and remove what you don't trust from. That, with a vigilant community, active at programming levels, is about the best anyone can hope today for base system security.

gcmartin

Drones and Spy-planes you requested

#55 Post by gcmartin »

Security....why concern yourself? Someone, earlier commented, that they used LPS and "no drones ...." Well, here are the drones and the spy planes you asked for.

Firstly, Try to be a little conscious of finding some tool which is useful and offers resonable protection for what you envision your need(s) to be. There is no "perfect" solution. But, there are many useful ones.

Secondly, I've got to get me one of those "flying machines". Maybe I can convert its use to be a router or something....maybe.

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#56 Post by Lobster »

I enjoyed the wasp link 8)
Puppies you can get into and look around in and remove what you don't trust from. That, with a vigilant community, active at programming levels, is about the best anyone can hope today for base system security.
On the whole I think in terms of using what is insecure, securely.
As always the biggest liability is me.
I am using Android on my phone and realising that most apps request permission to spy on me, tweet on my behalf and empty my bank account at their discretion . . . it is a security nightmare

I would be quite happy using LPS, apart from transferring my billions of Ugandan dollars (have not heard from them for a while) from my favourite phishing expedition . . .
I would be happy using any wooflet and a few puplets that I keep an eye on . . .
Many people manage real money with their phones or with MS Windows (strange but true)

I tend to trust individual penguins and secure quantum tunneling (not yet available) but how about using an updated Onebone?
http://puppylinux.org/wikka/OneBone

A command line Puppy might be secure enough? :)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#57 Post by CLAM01 »

And for a next generation of drone-craft... A combination of the hacking and cracking capabilities of the WASP project with the Flying Ball the Japanese Defense Tech people have developed, demonstrated in a youtube video at: http://www.youtube.com/watch?v=7mUNIvlgYKk&feature .

Able to fly in closed spaces, to hover, to dodge around obstacles and into close spaces, to bounce off walls, to send back navigation and data video both, while it is cracking your encryption (or just reading your passwords from your fingers as you enter them, looking over your shoulder), it will be able to follow us over field and through forest, around rock and under tree, through thickets and culverts, right into our shelters! Perhaps even bouncing its signals off of our tin-foil hats, turning what has been our ultimate protection into its auxiliary aerial to use it against us!

Of course, the military's needs for security are the same as ours and everyone's (Who was first to recognize the wisdom of wearing tin-hats, after all?), they will have to watch out for the same things we do.

This means they have to watch out for alterations being made to their secure Light Personal Security operating system out in the field. Enemies or spies making altered forms and substituting them, swapping USB sticks on agents or service-members in the field, so their reports back would go the wrong way, or two ways instead of one. For this we can be pretty sure the LPS system does, or soon will, have a write-home as soon as a net connection is established, to send at least a hash to security check the field install, to make sure it hasn't been altered. The check will be a needed security for those of the DoD system, but it will be an insecurity for the rest of us, since the nature of spying is to use available resources.

For this nature, once it is known in bureaucratic circles that there is a civilian following using LPS for its security, and that there is a doorway, some agency will inevitably arrange to use that doorway "for security". Especially since, with the system closed, no one will ever know...

It's another reason the keys to personal security are simpicity and transparency, so wee can see where leaks might occur and how they might occur. Then we can patch as we go along, swapping info abut what leaks and what seems to work to patch in each case.

User avatar
AF Branden
Posts: 165
Joined: Tue 15 Sep 2009, 10:17
Location: United States, WA

#58 Post by AF Branden »

I really like LPS, but couldn't get my onboard via82xx ac97 sound to work.

Out of my 4 wireless cards only 1 didn't work.

Everything works fine in puppy though.
[img]http://i56.tinypic.com/nwymax.png[/img]

Bligh
Posts: 480
Joined: Sun 08 Jan 2006, 11:05
Location: California

#59 Post by Bligh »

I liked it and the oo version would be a quick easy way to have oo when I need it. For online, I can just dis-able the hdd and run Puppy.
Cheers

RandSec
Posts: 82
Joined: Mon 10 Aug 2009, 18:33
Location: Austin, Texas
Contact:

LPS v Puppy

#60 Post by RandSec »

I think Puppy is basically better for normal user security (like online banking) than LPS.

For one thing, LPS does not (in the version I tried) have an ability to update the boot disc with browser patches. (Puppy supports DVD updates as new "sessions" on a multi-session boot DVD.) Not allowing updates is a problem because we know from Microsoft Windows that attackers do in fact reverse-engineer patches in hours or days, to find and exploit those faults. So this is a security hole waiting to be used, even in Linux.

Another LPS security issue is Java. Currently, almost all malware will not run under Linux (except for systems with Wine), because Linux is not Microsoft Windows. But Java holds the possibility of a single platform covering both Windows and non-Windows systems, which may be fairly attractive to some attackers.

The advantage of an optical disc is that it is "difficult or impossible" to infect (especially in Puppy, where the boot DVD can be removed). To some extent, Puppy discards the DVD advantage by checking for and using existing Puppy files as it comes up. Thus, it may be possible for Puppy malware to write such a file to a hard drive, thus infecting even a DVD boot (not the DVD, but all subsequent sessions) on that system. This would imply that any Puppy system with a hard drive (or flash drive) has a security hole, even with a DVD boot.

Some (probably futile) malware advice for the government:

http://www.ciphersbyritter.com/COMPSEC/ADVISING.HTM

Post Reply