How secure is Puppy?
anikin wrote:
Les Kerf,
Sorry, I overlooked your question.
Right click on the network icon, select network status information. See the arrow in the attached image - it points to what Smithy calls a "switch". That is, "icanhazip", the unwanted connection is on by default, but you can "switch" it off. The screenshot was made in Slacko-5.7. Have a look at this thread for more details ==> http://murga-linux.com/puppy/viewtopic.php?t=90151

Thanks for the link, it took me quite a while to read all the way through that thread. Now I am better informed and can make my decisions accordingly.
Les
Thanks for the input, folks. I appreciate it. Will definitely look up more on these things from your input, all.
Yea I must say, my first criteria too wasn't security, but just ... does it work? My girl got her LPS to work on her machine at first boot from live cd, & let me try it on my older model, and it wouldn't work. It tried, though. And I wondered, now why on earth does it work on hers but not mine? I didn't even know what pae was. I think that was one of the first steps of us getting more acquainted with what our machines actually *were*. What it meant. Fast forward through figuring that out, through making some live cds of current knoppix and puppy, and putting them in & finding out what happened. Ohhhh, so *this* is what a website looks like when flash is disabled and noscript is on. Oh my. Where do I log in?!? Oh wait, it must be over here. Learning a little more. It works, and I can get on the internet and do banking, but I can't watch a youtube clip of The Avengers. Okay. Right. Then if I get the most current version of Flash, I can barely watch it not because it isn't fast - because it is - it's just that now I have an army of those darned annotations and boxes popping up all over the clip I wished I could just watch. Just Tony Stark saying "don't take my stuff". And I realize, I'm already down the rabbit hole. What do I want to use, what is that affected by and why, etc. Yea, it becomes an intimate affair, totally! I remember at a certain point along that road, I saw an article - I think it was on wired - about Snowden using Tails, and I had to look it up. Like, here's this guy, and if there's anybody that needs to have his stuff locked down, it's that guy, right? So we learn more.
For me, what that meant was, looking at who am I, and what do I need or want to do? And what do I need to do/install/use that lets me do that in an alright way? Like for me, I'm not an activist, I just want to do my own thing and have that be safe as I can, while not falling victim to being a zombie in some botnet that ends up hacking the store I bought these cheap-ass shoes from. So it really turned me on to looking at identity, context, purpose, tasks, all of that. I don't have any advice, I guess all I'm saying is that by understanding the different kinds of security & choices other people have made and why, I could at least *start* to understand where I fit in that now, and go from there. Like Les said, we get informed better, and then can make better decisions.
Although, mikeb I have to say, I chuckled at your post about family & kids, because when my bff at work had her laptop not working at home, I gave her my puppy cd to try out, and then a couple weeks later she was like we can't get on! And I was like what do you mean? And it turned out her pre-teen son had somehow managed to create a password protected save file and had then naturally forgotten what the password was! And man, did I have a *big* chuckle over that situation! Hats off to finding out what happens in real world contexts and then fixing it, big time.
Alright, guys - thank you. I have to sign off now, gotta get ready for the pesticide people tomorrow. This might sound ridiculous to you all wherever you are, but my concern right now is how to keep bedbugs from laying eggs in my laptop. Alright. Good wishes to you all.
Actually the more I think about it is YES, please! Our universities and city have been hit really hard by bedbugs in the last couple years. And some students have taken them from building to building because they hid inside pc cases, then students take them from dormitory to dormitory. If you want to stop that you can put the pc case in a sealed bag with a strip of dvvp insecticide & leave it for a while. Heat works faster, but that's not so good for a computer tower.
I really liked what the guy said earlier about using Puppy inside a virtual machine. I am at work a lot and really like the idea of keeping Puppy running in that way so I can keep my email open all day in it & talk to my gf more securely, and still do my work in a windows environment. Thank you. I will try it.
mikeb wrote:
"I'm no security expert"
so why are you making sweeping statements about security then?
curious
mike

Sweeping? Just 'cause I'm green doesn't mean I don't know enough after investigating, let alone forensics experts I have talked to that have confirmed this.
There is no such thing as 100% security, even on air-gapped rigs, that's all I can tell you.
Poodle muzzled
Hi,
Just muzzled the Poodle vulnerability for Puli:
http://www.murga-linux.com/puppy/viewtopic.php?t=88691
Concerning security, see how Puli fights against hackers:
* Runs in memory while the boot device (USB pendrive) is unplugged
* Skype, (sandboxed) Chrome, etc., opens by spot user
* Detects typical intrusion patterns then acts based on user profile
* Prevents hacker attacks thru known browser exploitation frameworks (e.g., BeEF)
* Applies other "unorthodox" tricks.
Have fun!
gjuhasz
- Iguleder
- Posts: 2026
- Joined: Tue 11 Aug 2009, 09:36
- Location: Israel, somewhere in the beautiful desert
Re: Poodle muzzled
gjuhasz wrote: * Runs in memory while the boot device (USB pendrive) is unplugged
How does this improve security? The root file system is still there and fully writable.

gjuhasz wrote: * Skype, (sandboxed) Chrome, etc., opens by spot user
How do you deal with privilege escalation from spot to root? I'm pretty sure there are some setuid binaries in /usr/bin - it shouldn't be too hard for an attacker to run one of them with LD_PRELOAD to gain root privileges.

gjuhasz wrote: * Detects typical intrusion patterns then acts based on user profile
How does this work?

gjuhasz wrote: * Prevents hacker attacks thru known browser exploitation frameworks (e.g., BeEF)
How do you deal with other attack vectors (non-browser ones, e.g buffer overflows in servers)?
[url=http://dimakrasner.com/]My homepage[/url]
[url=https://github.com/dimkr]My GitHub profile[/url]
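An added example, not part of the thread or of Puli: one way to inventory the setuid/setgid files raised in the post above and see which ones an unprivileged account such as spot could run. The function names and the sample directory tree are constructed here, and Python is assumed to be available on the system being audited.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Walk `root` and describe every setuid/setgid regular file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            findings.append({
                "path": path,
                "mode": format(stat.S_IMODE(st.st_mode), "04o"),
                "owner_uid": st.st_uid,
                # Any account, including an unprivileged one, may execute it.
                "runnable_by_anyone": bool(st.st_mode & stat.S_IXOTH),
                # Group/other write access lets a non-owner replace the program.
                "writable_by_non_owner": bool(
                    st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Audit a constructed directory tree (sample data, not a real system)."""
    samples = [("plain-tool", 0o755), ("helper-all", 0o4755),
               ("helper-group", 0o4750), ("helper-sloppy", 0o4777)]
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)  # set the mode after the file is written
        return [(os.path.basename(f["path"]), f["mode"],
                 f["runnable_by_anyone"], f["writable_by_non_owner"])
                for f in find_setid_files(root)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real system, point `find_setid_files` at `/usr/bin` and review every entry whose `owner_uid` is 0 and that is runnable by anyone.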
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
POODLE is not nearly the problem that shellshock was. For one thing users can simply install an app in a browser like Firefox which disables ssl3.0. When Firefox 34 comes out, this will no longer be necessary for those who upgrade.
You can test vulnerability using this page from the University of Michigan. You will also find a list of sites on that page which do not support the later Transport Layer Security, (which remains secure.) Some of these will surprise you. We'll see how fast various banks, etc. are at closing this vulnerability.
Exploiting this requires a man-in-the-middle attack which most kids on keyboards will not be able to pull off. You need to control a server on an intermediate site to begin. You might have as good a shot at cracking those servers on the end of the pipeline that have not kept up with changing security technology over the past 18 years.
If the site at the end of the pipe is compromised nothing you do before your data gets to them is going to matter.
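An added example, not from the thread: one way to tell from captured handshake bytes whether a peer still negotiates SSL 3.0, the protocol version POODLE depends on. The sample records are constructed, and `parse_hello` and `build_hello` are names chosen for this sketch.

```python
import struct

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}


def parse_hello(record):
    """Return (message, version_name, is_ssl3) for a record holding a hello.

    In a ClientHello the version is the highest one the client offers; in a
    ServerHello it is the version the server selected for the connection.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 6:
        raise ValueError("truncated handshake message")
    msg_type = body[0]
    if msg_type not in HELLO_TYPES:
        raise ValueError("not a ClientHello/ServerHello")
    # body[1:4] is the 3-byte handshake length; the version field follows it.
    version = (body[4], body[5])
    name = VERSION_NAMES.get(version, "unknown %d.%d" % version)
    return HELLO_TYPES[msg_type], name, version == (3, 0)


def build_hello(msg_type, version):
    """Constructed sample: a minimal hello with zero random, empty session id."""
    major, minor = version
    fields = bytes([major, minor]) + bytes(32) + b"\x00"
    if msg_type == 2:
        fields += b"\x00\x2f" + b"\x00"          # chosen cipher, compression
    else:
        fields += b"\x00\x02\x00\x2f" + b"\x01\x00"  # cipher list, compression list
    handshake = bytes([msg_type]) + len(fields).to_bytes(3, "big") + fields
    header = b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big")
    return header + handshake


if __name__ == "__main__":
    for sample in (build_hello(2, (3, 0)), build_hello(2, (3, 3))):
        print(parse_hello(sample))
```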
Re: Poodle muzzled
Dear Iguleder,
Thanks for your questions. Let me answer point by point.
Iguleder wrote: How does this improve security? The root file system is still there and fully writable.
On the one hand, the hacker cannot access the files on the unplugged pendrive. On the other hand, vulnerabilities like http://murga-linux.com/puppy/viewtopic. ... 875#803875 are eliminated.

Iguleder wrote: How do you deal with privilege escalation from spot to root? I'm pretty sure there are some setuid binaries in /usr/bin - it shouldn't be too hard for an attacker to run one of them with LD_PRELOAD to gain root privileges.
Concerning the attacker's chances for privilege escalation, please see the attached picture. I'm not cheating. This is a real screenshot captured a few minutes ago. I admit that this is not the public version of Puli, however.

Iguleder wrote: How does this work?
There are some simple intrusion patterns introduced in the defaultbrowser script of the "rigorous" profile, together with specific responses of Puli (as described in the profile name). Again, those user profiles are only examples - and false positive alarms might happen. More sophisticated IDS patterns could also be implemented. Blacklists and whitelists can be populated both manually and automatically in Puli. Of course, I don't think that Puli would ever grow to an IDS system such as Snort.

Iguleder wrote: How do you deal with other attack vectors (non-browser ones, e.g buffer overflows in servers)?
As I highlighted above, Puli, as a client, includes lots of ideas with examples that can be extended by enthusiasts (see the Crazy profile for details - the trick there can be easily applied outside of Chrome, too).
But, be sure, Puli is not intended to fight against NSA or other Big Brothers. It assumes that a typical hacker gives up if his/her attempts (through an exploitation framework) repetitively fail.
Don't hesitate to install Puli. Note that the next version is on horizon, maybe in a couple of weeks it will bark.
Have fun!
Regards,
gjuhasz
Edit on Oct 17: The originally attached picture has been replaced with a cropped version (maybe by forum staff due to its large dimensions). So, I re-upload it now in reduced size.
Attachment: Capture21242-1.jpg - In this screenshot, the spot user runs Chrome; the root user runs urxvt.
Barkin wrote: A 2011 journal article reflects this point of view and described the vaccine-autism connection as "the most damaging medical hoax of the last 100 years".
I didn't respond to this originally because it would have been easy to drift off topic but now the thread is well cold I think it needs to be pointed out that the vaccine-autism connection is NOT a hoax.
Sadly many of the "experts" that we trust are not actually worthy of that trust. That goes for some computer security experts as well as some medical professionals:
https://sharylattkisson.com/cdc-scienti ... -documents
Yes, I know it is off topic but it still highlights that we alone are responsible for protecting ourselves. We should never expect that our safety is best left to others. That goes for computer security and our own health.
<end of rant>
I run pfix=ram (pupmode 5). Since the evolution of save folders that's been made even easier assuming you run frugal puppy. Download a pup, boot, configure and rearrange things as you like, create the save folder and reboot pfix=ram again. Then rename puppy sfs to zdrv sfs (you may have to rename the existing zdrv sfs to adrv sfs if that puppy already uses a zdrv), mksquashfs the save folder to puppy sfs and reboot again. i.e. puppy in zdrv, savefolder in puppy sfs, ram booted and not saving has you reboot the exact same image of puppy each and every time, running all in ram (no HDD's mounted). Catch a virus and a reboot eliminates it. Just keep data etc outside of puppy space (as otherwise it won't be saved across reboots).
A factory fresh booted puppy booted each and every time is pretty secure. So much so I even have mine left open - available to be vnc/rdp into from anywhere (remote desktop). To protect data/docs I store those behind a second firewall.
I'm on Virgin Media broadband and their SuperHub router/modem has a firewall. I use that weakly (minor deterrent). One of the lan ports from that is connected to a puppy pc (that I can vnc into from anywhere). Another of the lan ports is connected to the wan port of the netgear router I used before having the superhub upgrade, and all other PCs are wired/connected to that netgear (which also has a firewall).
A problem with servers is that for them to be secure you have to lock them down/away. Open up holes (ports) so that they can be accessed from a distance and the vault is no longer secure. At one end you can assume a secure server/system is safe, mix that with other private/confidential systems and risk penetration; At the other end you can leave the system totally open/insecure and treat that with the respect it deserves.
Puppy is great as you can in effect do a factory fresh 'install' (boot) in seconds. Which opens up the potential to do so at each and every reboot. A factory fresh booted system with no persistence (read only) is secure across reboots, just vulnerable for single sessions (virus persists in memory until a reboot occurs).
If you do confidential/secure stuff using a puppy in the secure lan segment (behind the second (netgear in my case) router/firewall) and more general stuff from a puppy in the insecure lan segment (behind the SuperHub/cable modem router) then provided the traffic from the secure lan segment is encrypted then that's no different to the security of encrypted data being transmitted across the internet.
Currently my 'open' puppy is more for home control type functions in mind. Calling home remotely, a few web cams and maybe some power outlet control (on/off switching) etc. That's presently booting via read only CD, but I'm considering using PXE booting it via a port opened into the secure lan segment (tftp is pretty much a one way street). That reduces the kit down to being just a combination of a VGA port to the TV (monitor) and a network card for net booting/internet access (keyboard and mouse type control performed via remote login (smart phone, wireless keyboard, another PC etc)).
Puppy can be as secure if not more secure than the alternatives. It can be as insecure as you like. More often it's not system security that matters, but more human (in)security issues. As secure or insecure as how those systems are used. If you use a PC that has been used to browse here-there-everywhere, and perhaps downloads/uninstalled loads of stuff over time without being reset back to factory fresh (newly reinstalled), then there's the potential that at one instant briefly in time something undesirable might have made itself resident in that system, compromising any subsequent secure transactions/actions. Puppy used sensibly circumvents that risk.
rufwoof wrote: If you use a PC that has been used to ....... without being reset back to factory fresh (newly reinstalled), then there's the potential that at one instant briefly in time something undesirable might have made itself resident in that system.
I think that is an important point. There really is no guarantee that any system (even puppy) can remain online forever without some form of compromise - so regular reinstalling to a known safe state should be part of our routine. As you point out Puppy allows us to lock up our personalisations in an sfs or a remaster so that we no longer have to capture every transaction and system change that occurs in our daily sessions. A puppy set up like that means a reboot is as good as a reinstall (and much quicker and simpler).
It is really not safe to have a Puppy running forever without reboots (I know some people do it but I don't think it is safe when used online).