How secure is Puppy?

[someSven]

Here some lists of vulnerabilities your system has, if you don't update your Software:

Browser & Mails
https://www.mozilla.org/security/known- ... onkey.html
https://www.mozilla.org/security/known- ... refox.html
https://www.mozilla.org/security/known- ... rbird.html

Ubuntu (Puppy's base)
http://www.linuxsecurity.com/content/bl ... y/172/168/

Every vulnerability has been successfully proofed, by some attacking software or procedure.
(exploit: https://en.wikipedia.org/wiki/Exploit_% ... ecurity%29)
This is why there are fixes for these vulnerabilities. Better download them, if you can... Oh, you have to check it all few days on your own, cause your OS won't tell you they exist.
Incantation may be a alternative: Just say "I'm not using Microsoft software, and I hate them, so I am secure!" or "Everything is insecure, but I trust in Puppy!" 10 times a day, and never anything happens to you! Even if you are a political activist in a repressive country, or if you open all the links in your mails or in FB, or if you surf on porn sites, illegal streaming or hacking sites! The incantation will protect you almost perfectly!

[mikeb]

The mechanism may have been prooved... bit like feeding rats petrol and recording the effects. Not disputing the existance of hypothetical exploits. Note its software developers investigating these directly or other devs at their request NOT those who which to exploit who would see such exploits as too complicated and already patched.

But there seems to be a total lack of any recorded actual cases of (puppy) systems being exploited... the missing link...if I google for instances of Windows being exploited the hits are way beyond one persons ability to read them all in a lifetime...its just taken as 'normal' that computers get infected in some way. I see it as something totally unacceptable and a major hindrance for the vast majority of computer users....Microsoft...well they ARE guilty of creating this situation thorugh reckless design decisions and only started to clear up their mess years later...that's criminal negligence in my book.

Its not about blind faith but ways of effectively safeguarding oneself on the internet... sorry of our approach appears too easy but sometimes the answers to a problem are. I did my research... took action and enjoy the results.

mike

[mikeb]

By the way still waiting for some test links.... no good saying something is insecure....need some hard evidence if you want the jury to listen.

mike

[mikeb]

Just to get a bit technical you will find many of the 'exploits' to be of the form of
'causes a buffer overrun which could potentially allow a malicious attacker to run some arbitrary code'

Ok to expand on that... they have not created a virus in a lab ready to do harm. In a language such as C and C++ variable handling is extremely primitive... the coder has to literally account for every byte and clock them in and out of the stack. if they do not do their house keeping well, then bytes can end up outside of the known variable area and indeed can overrun into another variable (string/number)

Thats it. Now that overrun data usually causes a segmentation fault...the system/kernel says all is corrupted and getting out of hand stop now and that's it.
In order to do anything other than that, someone would have to arrange for the overflowed bytes to be in the form of executable code to do harm and to have it overflow in a place that would cause it to actually do something rather than crash the program. That's not exactly easy to put it mildly and the only person usually capable of that would be the person who wrote the original program and knew it intimately and i believe they would not want to be slotting in a virus into their pride and joy.
If some genius (who could not get a decent coding job??!!) managed this then perhaps there is a potential problem.... that is unless the recipient is running as a user and is not using that specific build of a particular program which probably gets updated all the time anyway..and of course all done remotely so the attacker has little idea whats at the other end...a minority hit to say the least.

When I say this is the hard route for an attacker I am not kidding... Microsoft made it a no brainer by adding bad software in a really insecure way..a far cry from this overrun stuff... an attacker does not even have to know how to code to spread exploits. Indeed sadly I do notice peeps suffering virii that was floating around years ago.

Ok I am off to faith heal my left toe...

mike

[stray_dog]

Thank you guys, for your bringing the knowledge.

ie secure until you decide to do otherwise.

Yea, that right there, that's like my experience. Like, early on, one day I rode around the internet with a mounted hard drive, because I thought an "X" on the icon must mean it was *un*mounted. Sigh. Then I freaked out. Omg omg! Yea no it was fine. Then later, I freak out about omg xyz! Yeah no, that's fine. Then later I freak out about omg abcdefg! Yeah no, it's fine. I *was* very worried about my security. Having gone through that cycle, I don't have to freak out so much, I can relax and learn some.

autoscan...thats real good fun with a crammed full 1TB drive

uuuggggghhhhhhhhh

I would have a bash at it, but I wouldn't know how to hack in, would need a howto

That's okay, man, I am right there with you! that's alright! I am wayyy too ignorant to be able to do that stuff. I had to spend an hour looking up what those programs even were. Using them? Not a clue. I love the idea, in my imagination, but it would take me foreverrrrr to get up to speed. So I had to go back to basics, refocus on my own goals, and start to try to follow the best practices guidelines and start learning there. And hey, for me, some of it *is* boring. Sometimes I feel like I'm waiting for the other shoe to drop, waiting for the next big one. And when it doesn't happen, I'm like ohhh kay, I'm bored now. Then I can get on with whatever the point of me even doing a computer thing even was in the first place.

point was that with Puppy as the system, one wouldn't have to do a lot of that

Yea, I have very limited experience, but I agree 100%. For me, it's safer in ways that I didn't know, & haven't understood yet. Like, when I thought oh man, I'm surely screwed now, no it's alright. I actually had to put effort in to messing up my pup. And yea, fast! I like fast.

I'll try to digest the stuff you guys are talking about - thank you. I really need to get some sleep though now, I am wiped. And oh wait! This -

By the way still waiting for some test links

Ya know, this afternoon I had this thought. What if we had a thread on the forum where people who were really into hacking, penetration testing & auditing could say hey, I'm into that. And then people who were worried about their security could say hey, let's get together. Now sure, if we're worried about a particular xyz we can ask on the forum about it, sure. But what if we had a thread where folks could just arrange to meet to have their mutual interests benefit each other by getting to test their fears of security and someone else also getting to have fun if they like to have fun trying intrusion? And then letting us all know how it worked out? In a consensual way? Like a dating service, except for folks who're really concerned about security, and folks who love pentesting. Maybe I'm too tired / can't think & there's too much out of my understanding of this context. But if anybody would like that, well, there's the idea anyway, for what it's worth.

[stray_dog]

Oh wait - mikeb - good luck with that big toe. Uh, I mean left toe.

[darry1966]

Ubuntu (Puppy's base)
http://www.linuxsecurity.com/content/bl ... y/172/168/


Puppy is neither Ubuntu nor slackware nor Redhat or Arch or T2 based. Puppies based on Puppy is Puppy based using either Unleashed build system for older Versions or Woof/Woof CE building system for newer.

Puppy uses packages from those Distro's. It would be correct to say Puppy was built using those packages but is not based on them. It is an independent breed. It has it's own kernels.

[stray_dog]

Oh no, I swear this has *got* to be the last thought of my night. I have to get off the internet toute suite and sleep sooo bad. But. i was just thinking. Like, outside of Puppy in general, just thinking structurally. If someone hacks my live cd session, my whole os is in ram, is it possible to hack the ram to then hack the cpu or the bios? Is it possible to use ram to hack something that will persist and try to intrude upon ram at next boot, even without a harddrive? I have no idea. I was just thinking, man, if someone hacked my cpu or bios in a persistent manner that did that, I would be totally suckered by it. Is it possible to do such a thing? I have no idea. The bios on this laptop is locked by the former corporate owners who dumped it on the used market, so I have no idea even what the hell is in there. Anyway. The other thought was ... how secure are we, when we have packages that have dependencies upon dependencies upon dependencies? Just thinking of links in a chain, that would be a possible concern or area of risk. Not a puppy thing, but a linux thing. I could see how that could be an angle of attack, to compromise a dependency that led to access to lots of machines. I don't know anything about how that registers with anybody in a *practical* manner, but it was just popping up in my mind in the overall scheme of how this seems to work. Ok eyes barely open anymore, I have to sign off. Goodnight all.

Ok waking up with my coffee, I really don't write well when tired. Thought instead of asking, I should do some searching myself & see there's plenty to read about hacking cpu and bios. Now it seems just from skimming articles, the exploits tend to be highly specific & difficult. More to learn, I guess. Thank you guys for having the conversation about these specific things. Like you guys talking about updates, then the exploits, buffer overflows, that work like x but not like y. Or an insecure windows system being that way because of specific things abcd, then specifically turning them off, preventing these certain kinds of threats hijklmnop. For me anyway, it takes the mystery out of it & makes things realistic & practical. Very nice, so thank you.

[darry1966]

Here some lists of vulnerabilities your system has, if you don't update your Software:

Browser & Mails
https://www.mozilla.org/security/known- ... onkey.html
https://www.mozilla.org/security/known- ... refox.html
https://www.mozilla.org/security/known- ... rbird.html

Ubuntu (Puppy's base)
http://www.linuxsecurity.com/content/bl ... y/172/168/

Every vulnerability has been successfully proofed, by some attacking software or procedure.
(exploit: https://en.wikipedia.org/wiki/Exploit_% ... ecurity%29)
This is why there are fixes for these vulnerabilities. Better download them, if you can... Oh, you have to check it all few days on your own, cause your OS won't tell you they exist.
Incantation may be a alternative: Just say "I'm not using Microsoft software, and I hate them, so I am secure!" or "Everything is insecure, but I trust in Puppy!" 10 times a day, and never anything happens to you! Even if you are a political activist in a repressive country, or if you open all the links in your mails or in FB, or if you surf on porn sites, illegal streaming or hacking sites! The incantation will protect you almost perfectly!

With Windows have all the latest patches - you can have the latest and greatest browser and yet still be infected courtesy of those "free" Toolbars.

Oh the joy of a hard drive full of "little" security patches each one numbered - true bliss,

[anikin]

stray_dog,

Just type my ip in trusty Google search, you'll see your IP on the top of the page. Plus thousands upon thousands other options will become available to you.

This one is my favorite, it will display your IP and also check if you're ipv6 ready. It has lots of mirrors inside - chose the one to your liking.
http://test-ipv6.com
or this
http://www.whatsmyip.org
this one is good for ... sensitive types .
http://www.ipchicken.com

If your browser gets washed away during that rainstorm, while you're hopping between the free hotspots, you can check your IP using the terminal.

Code: Select all

wget -U curl -qO- ifconfig.me

or

Code: Select all

curl ifconfig.me

or

Code: Select all

curl -s checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'

or ... our old buddy and Puppy partner ... why not, he knows us already, we know him ... and it's just a one time act

Code: Select all

wget -O - -q icanhazip.com

or

Code: Select all

curl -q icanhazip.com

or

Code: Select all

curl ipecho.net/plain

However, the average user will hardly ever need to know his IP for any practical purposes. A normal user will not need it even during a rainstorm. The same stands true for his girlfriend and her relatives, their friends, colleagues and enemies. Your Puppy doesn't need to go to icanhazip every time you boot up your computer - but it goes there even if it's not raining! You call it a service? Hogwash, I say. It's a disservice, or call it a tracking service, which it really is.

[darry1966]

I'm with Anikin on this one. Wasn't in the old Pups which worked fine without this "feature".

[Les Kerf]

...
Not sure it's called geolocation, but yes, you're right, micko did really put a switch in. But let's not take it as an act of generosity - it is not. As a matter of fact, it makes things much, much worse. What was previously hidden as a crappy, little secret (and for a good reason), now has become an embarrassment for Puppy Linux and the community. An ugly genital wart exposed for everyone to see. It doesn't change the fact, that an innocent novice user is being ambushed, trapped, hoodwinked into an web connection of which he has no knowledge. It might take him years before he becomes aware of it and learns how to use the switch...

Would someone please elaborate on this? I am one of those novice users and have no clue as to what this "switch" is all about.
Thanks,
Les

[rcrsn51]

Code: Select all

wget -O - -q icanhazip.com

Here is a little side-effect of this feature. Suppose that you go to a restricted public WiFi site that only gives you access to their content. If you then run Network Status Information, it will permanently hang up because you can never reach icanhazip.com.

[RSH]

Hi.

How secure is Puppy?

From my experience of the appr. last three years, Puppy Linux is secure, if one does follow some rules:

- don't use a save file
- don't download/open files/mails etc. that you don't trust
- don't store personal data to the cloud
- don't save any personal data on the computer

If you don't follow those rules, you will enter a never ending security battle/discussion - which is (imho) a waste of time and effort!

Btw: only an autonomous PC is a secure PC.

RSH

[Burn_IT]

One's computer is VERY secure if you don't use it.

In a personal environment and if you don't leave it on 24/7 you are not very likely to be attacked from outside unless you visit dodgy sites.

I've been to companies that make their computers SO secure and restricted it is a waste of time trying to use them.

[technosaurus]

Ok to expand on that... they have not created a virus in a lab ready to do harm. In a language such as C and C++ variable handling is extremely primitive... the coder has to literally account for every byte and clock them in and out of the stack. if they do not do their house keeping well, then bytes can end up outside of the known variable area and indeed can overrun into another variable (string/number)

You don't have to worry about the stack as much as you do memory allocated via malloc (and other *alloc functions) becuase you have to free them yourself. With proper planning you can use the stack to initialize variables inside a function and it will go away when the function returns. You can even do linked lists this way if you use a recursive function (so long as you don't exceed the default 8mb stack limit). I wrote an xml parser that worked this way and it was extremely fast.

[stray_dog]

Thanks for the code lines, folks - I like that stuff. It's like magic words to me, like saying abracadabra and then stuff happens. We'll have fun playing with that later. Yea anikin I'll just say we'll have to agree to disagree on that ip stuff and that's alright. But! I will say this - there's something I've been wanting to ask you and the other guys here too for a while. And that is - when you think about the Puppy versions you like because of their security - what versions are they, and how did you come to like them? Why do you like the versions you like?

[anikin]

That's an interesting question, I've never selected a Puppy from that perspective. PAE vs non-PAE kernel, what's packed in - that's my criteria. They are all supposed to be as secure as Linux is. Linux is more secure than Windows, that's common knowledge. If being tracked and logged by icanhazip doesn't concern you, that's fine, you are safe. Others comfort zone and expectations might be different. Of all the currently available pups/projects, the safest one is DebianDog, just by virtue of Debian's adherence to standards. Besides, it won't connect you to any unwanted sites (except older versions, that had unmodified ipinfo). Although, not without a little wrinkle (http://murga-linux.com/puppy/viewtopic. ... 425#790425), but that's purely a visual thing and an unfortunate reminder, that the "feature" has contaminated the whole scene. To sum it up, you gotta try them all yourself. Don't rely too much on recommendations, choosing the right one is an intimate affair.

edit

Les Kerf,

Sorry, I overlooked your question.
Right click on the network icon, select network status information. See the arrow in the attached image - it points to what Smithy calls a "switch". That is, "icanhazip", the unwanted connection is on by default, but you can "switch" it off. The screenshot was made in Slacko-5.7. Have a look at this thread for more details ==>http://murga-linux.com/puppy/viewtopic.php?t=90151

[mikeb]

Well must make a post or 2 this session.........

- don't use a save file
- don't download/open files/mails etc. that you don't trust
- don't store personal data to the cloud
- don't save any personal data on the computer

hmm use a save sfs or save folder...effectively the same.
always download all emails to see whats in there...used to click on dodgy ecard links to see what happens.
cloud... they might float away
where would I save data to...seems a shame not to used these chunky hard drives.

This is on windows and linux... older browser cos me machines are older etc etc.
Internet bank every day for years on either.
Always as administrator and root... yes I am a bad boy.

No problems...I see an inordinate amount of precautions taken on here for any action related to the internet and it all seems unnecessary. I am not one for taking risks and make sure stuff is as it needs to be whatever the occasion... riding a bike, sailing, surfing the net. I have mentioned many times the preparation for windows use and that on linux its already in a suitably safe condition. In a 'proof of the pudding way' 10 years of relaxed usage by myself, mad woman and 2 offspring must count for something.

I am open to change and if anyone happens to respond to my requests for examples of actual threats that need guarding against I will check them out.

mike

[jamesbond]

... myself, mad woman ...

You're sure she's not reading the forum?
Remember the worst kind of attack (security or otherwise) comes from insiders ... Her wrath can easily undo all your security measures