Hacking data

For discussions about security.
Edwardo
Posts: 42
Joined: Wed 26 Jun 2013, 07:17

#41 Post by Edwardo »

Firefox Jasper. This page is fine. The previous page of this thread goes way out east to who knows where. Saludos Señor.

Edwardo
Posts: 42
Joined: Wed 26 Jun 2013, 07:17

#42 Post by Edwardo »

greengeek wrote:I think it is also worth remembering that the internet (and router protocols) were developed to serve the purposes of the American military. Any data you send, encrypted or not, can be saved and decoded by many, many people in a variety of different organisations, everywhere throughout the data chain.

And any operating system can be hacked to include trojans, data echoing software and keyloggers that could trap your info before it even gets encrypted.

If you are wanting to hide data from your neighbour, encryption may be useful, but anything you transfer via the internet is an open book to governments, police and military establishments. If they want your data they will get it.

I agree greengeek. When I got the Puppy ISO a few weeks ago the most important problem was instantly solved from the very first boot. Since that time I've had fun poking around security sites finding out stuff I never knew existed. The savefile is encrypted despite containing nothing except system settings. The memory stick itself never resides in its slot except at boot up.

greengeek I am not concerned with governments etc. More with malicious snoopers, sniffers, hackers and crackers.

This for example: http://blogs.computerworld.com/19551/wi ... re_goodies

It may be that WPS is not disabled on some newer routers after going through the disabling motions. I get the impression even when WPA2-AES is enabled with a strong password on those routers a simple WPS PIN crack is doable. One of my routers has the WPS button on the back. Before reading about this I didn't give it a thought.

Anybody try this out?
https://www.cloudcracker.com/

PS greengeek after some thought are you suggesting these government data chain bodies have found some way to magically shorten crack times from a million years? If so the router may be the culprit. Did they crack bcrypt yet? They appear to have problems with Truecrypt. Maybe this is just publicity, I do not know. Please correct me if wrong. They will of course get the passphrase if they want it badly enough by brute force but not the same kind of brute force we talk about here.

I think I would like a job of some sort in the Wi-Fi Alliance association. The possibilities are endless with their certification of poor design.

A question greengeek. If the ISO download from the repository is good how can the trojans etc be planted on a finalized CD? Do you trust the ISO?

My greatest love is reading history back to the mythology, and there we see the trust factors operating among the great players.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#43 Post by greengeek »

Hi Edwardo, thanks for the link. Very interesting reading.

Edwardo wrote: government data chain bodies have found some way to magically shorten crack times from a million years? If so the router may be the culprit.

I don't have the information to know the answer, but I have read that password cracking software (and the hardware to crunch the numbers) is currently available, especially at a mil level. If a router opens a doorway for the data to be snooped then I feel confident that storage of the data and cracking of the encryption is a real possibility.

Edwardo wrote: If the ISO download from the repository is good how can the trojans etc be planted on a finalized CD? Do you trust the ISO?

Firstly - just because the md5 matches does not mean the iso is "good". It means that the iso matches what the developer intended. So the question becomes - do you trust the developer? Some isos contain fragments of the developer's personal data - usually this is a result of inexperience on the part of the person doing the remaster / reconfigure / recompile or whatever. However it is possible that a developer could deliberately include portions of code that could have an undesirable effect. Who would know?

For example: what if a dev accidentally left part of a browsing history file in the .mozilla/profile file? Or something that tracked a previous session? (I've accidentally made that mistake myself - and recorded my Puppy forum activities into a history file that was available to future users...). There could easily be something in a history file that could bring the end user to the attention of authorities. Some would say this is only a remote possibility but anything seems possible when you consider how many agencies are trying to investigate our data streams.

Secondly - after Puppy is loaded from the iso into the memory it runs in RAM and can (theoretically) be infected in RAM. Those infections could theoretically load themselves to any thumbdrives you happened to have plugged at any time during that session. The Wikipedia entry concerning the Stuxnet virus gives a good insight into how removable drives can be a vector for ongoing damage.

I'm not saying Puppy is capable of being infected - I'm just saying I don't know of ways to PREVENT it being infected. I'm certain there are brainboxes out there who would easily have enough skill to create havoc on any operating system - especially where the users are trusting.

The good thing about puppy is that it strives to be small and to include efficient code that doesn't carry any excess fat. That in itself has to contribute somewhat to code safety.

In my opinion it is likely that the smallest iso is likely to carry the least risk - purely because it becomes more difficult to include code that is intentionally dangerous, or code/programs that are unintentionally poor quality and therefore likely to provide "backdoors and sidedoors". (But still - small size is no GUARANTEE of safety)

I avoid puppies that require java for exactly this reason. They seem bloated for no good reason. (some would say that my concern about java is unfounded - but even if my fear is irrational it is one I cannot shake off. No java for me...)
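
Added example, not part of any post in this thread: a check a remaster author could run over an extracted root filesystem before building the ISO, to catch the leftover history files described in post #43. The list of file names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# File names that commonly hold per-user state. This list is an assumption
# chosen for illustration; extend it for the applications in your remaster.
RESIDUE_NAMES = {
    "places.sqlite": "Firefox history/bookmarks",
    "cookies.sqlite": "Firefox cookies",
    "formhistory.sqlite": "Firefox form history",
    "logins.json": "Firefox saved logins",
    "sessionstore.js": "Firefox session restore",
    ".bash_history": "shell history",
    "known_hosts": "SSH host history",
}

def find_residue(root):
    """Return sorted (relative_path, reason, size) for non-empty residue files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = RESIDUE_NAMES.get(name)
            if reason is None:
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            size = os.path.getsize(full)
            if size > 0:  # empty placeholder files carry no user data
                hits.append((os.path.relpath(full, root), reason, size))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: a tiny fake root filesystem with one leaked history file."""
    profile = os.path.join(root, "root", ".mozilla", "firefox", "abc.default")
    os.makedirs(profile)
    with open(os.path.join(profile, "places.sqlite"), "wb") as f:
        f.write(b"SQLite format 3\x00constructed")
    open(os.path.join(root, "root", ".bash_history"), "w").close()  # empty: ignored
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "hostname"), "w") as f:
        f.write("puppypc\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason, size in find_residue(tmp):
            print(f"{path}: {reason} ({size} bytes)")
```
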

Edwardo
Posts: 42
Joined: Wed 26 Jun 2013, 07:17

#44 Post by Edwardo »

Good points.

Here http://www.belkin.com/us/support-article?rnId=75 take a look at the language used by Belkin wrt WPS.

At the bottom of the page they state:

"You should have successfully disabled the Wi-Fi Protected Setup™ (WPS) feature of your router now".

I may be getting a bit picky here but language is language. Using the subjunctive tense (Condition: future or contrary to fact (§§ 516. b, c, 517)) is not exactly inspiring when describing methods to prevent the lock picker picking your locks. I don't think so Mr. Belkin.

I wonder if there's a market for OS Certificates along the lines of factory router Certificates. Say the system authors sign off the distro with a Certificate and distribute it on sealed disks. The authors would be sole distributors. An inexpensive insurance policy backs up the validity of claims made by the Certificate with appropriate terms. If it were proven later to contain harmful code the courts would award punitive damages, costs etc.

A wireless card here: "The card has a small operating system, a CPU, memory, and an SD slot. When inserted into a laptop, it hijacks the TCP/IP stack, so the card can enforce policies" http://www.infoworld.com/d/security-cen ... y-card-546

Could the attacker hijack the hijacked stack I wonder?
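
Added example, not part of any post in this thread: one way to check whether your own router still advertises WPS after "going through the disabling motions" is to look for the WPS information element in its beacon. The parser below assumes you already have the beacon's tagged-parameter bytes from a capture of your own access point; the sample bytes are constructed, not captured.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")   # vendor OUI 00:50:F2, type 4 = WPS
ATTR_WPS_STATE = 0x1044                     # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057               # 1 = AP setup locked

def iter_ies(blob):
    """Yield (element_id, data) from a beacon's tagged-parameter bytes."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated element header")
        eid, length = blob[pos], blob[pos + 1]
        data = blob[pos + 2:pos + 2 + length]
        if len(data) < length:
            raise ValueError("truncated element body")  # do not guess
        yield eid, data
        pos += 2 + length

def parse_wps_attrs(body):
    """Decode the 2-byte type / 2-byte length / value attributes in a WPS element."""
    attrs, pos = {}, 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, pos)
        value = body[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        pos += 4 + alen
    return attrs

def wps_status(blob):
    """Return None if no WPS element is advertised, else a small status dict."""
    for eid, data in iter_ies(blob):
        if eid == 221 and data[:4] == WPS_OUI_TYPE:   # 221 = vendor specific
            attrs = parse_wps_attrs(data[4:])
            state = (attrs.get(ATTR_WPS_STATE) or b"\x00")[0]
            locked = (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0]
            return {"state": state, "locked": bool(locked)}
    return None

# Constructed sample elements (not captured from any real router).
SSID_IE = bytes([0, 4]) + b"home"
RSN_IE = bytes([48, 2]) + b"\x01\x00"       # shortened RSN element, version only
WPS_IE = bytes([221, 14]) + WPS_OUI_TYPE + bytes.fromhex("104a000110" "1044000102")
BEACON_WPS_ON = SSID_IE + RSN_IE + WPS_IE
BEACON_WPS_OFF = SSID_IE + RSN_IE

if __name__ == "__main__":
    print("before:", wps_status(BEACON_WPS_ON))
    print("after: ", wps_status(BEACON_WPS_OFF))
```

A `None` result means the beacon no longer advertises WPS; any dict returned after disabling means the router is still announcing the feature.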
