(old)Puppy Linux Discussion Forum

LPS v1.2.2 is released

"And the advice given in the FAQs and manual, telling the user how to maintain security, as, for example, for making secure banking transactions to start up, "

Ctbankix is designed specifically for secure online banking
Base on ubuntu
multi-session CD possible
read/write access to ufd only

Bitbox is designed for secure online also
base on ubuntu and run in virtual
need big ram memory

The perennial problem with doing banking, or anything else you want sure security for, from anywhere out and about is router insecurity. Router insecurity can be "router security", and is in most provided wifi settings. This because "for security", meaning for defense against being caught in a legal tangle for "culpably allowing" one's facilities to be used for an illegal purpose, providers engage in "monitoring" traffic through their wifi routers, so they may claim to have "attempted to prevent", which establishes them a victim, not a participant.

In publicly available situations the monitoring is not done by security-cleared individuals. Essentially, the monitoring soft-ware is there. For this everyone with access to the router (onsite and off) has access to monitored data, and anyone of those with access to decoding and decrypting programming can mine, even back in time, since it is always safer to save, in case someone (or agency) should ask. This means, in hotels, restaurants, coffee-shops, kiosks, etc., any tech-savvy waiter, busboy, janitor, counterperson, temporary, contractor, etc., or "friend of" any one can real-time monitor, or mine back. The router-in-the-middle is is a weak link.

So, if you are public even with LPS you are depending mostly on anonymity for security, that is, on your transmissions being lost in the flow of traffic. The best alternative is to make a tunnel to a secure router first, then transmit data through to that and on from there. This is what the CAC-secured connect-to-your-government-system capability that LPS developers will set up for government clients does for them.

LPS is bound to have a backdoor installed for the control-freak spooks somewhere.

some observations

» one thing that makes it safer is lack of tools to mess with the hard disks as well as no ability to mount the partitions

» it is easy to install on the hdd

» one could easily modify init (the file with the programs) to personalize it

~

dawg wrote:LPS is bound to have a backdoor installed for the control-freak spooks somewhere.

in general, one might say the same thing about "The Internet".

Bruce B wrote:some observations

» one thing that makes it safer is lack of tools to mess with the hard disks as well as no ability to mount the partitions

~

Good thought. Recently worried about some thread on BarryK's blog where a few folks mentioned adding in auto-mounting as a feature. LPS security, like that of Puppy, seems to involve a couple of simple ideas - no automounting of drives, and non-persistence of the operating system. LPS forces non-persistence.

The initrd is a squashfs version 3

I can't mount it in Lupu 5.20 because it is an earlier version 3 than the one Lupu supports. Which brings me to this question. Which Puppies used the earlier squashfs version 3?

My idea is to modify, personalize, initrd.

~

I think earlier than p431.

Bruce B,

Under "Utilities" in the puppy menu there is an "SFSConverter" utility. It should be able to make 4-series sfs files 3-series. If not you unsquash a 4-series and resquash it a 3.

You would also have to install puppy's sfs mounting at startup system, in the boot-manager section of the set-up system, or the add sfs-files on the fly pet.

I don't think LPS allows user modification, though. It is part of the system's attacks-prevention hardening. See the documentation html file with the download, which lets you open pdfs of LPS documents, also provided with the download. These are also available in LPS when it is installed.

The hardening, preventing ANY modification is good for in-organization general use and users, who can trust the system as provided by fellow members of their organization. The problem for non-members (like us of the general public, around the world) is that we are not U.S. DoD, and need to be able to assure ourselves there is no DoD monitoring of our non-DoD systems. Once it would have been normal to assume the U.S. Dod would simply make a secure system and provide it for anyone to use. But nowadays spying and intruding have become so ubiquitous even those who one would normally trust one needs to confirm one can trust.

Puppies you can get into and look around in and remove what you don't trust from. That, with a vigilant community, active at programming levels, is about the best anyone can hope today for base system security.

Security....why concern yourself? Someone, earlier commented, that they used LPS and "no drones ...." Well, here are the drones and the spy planes you asked for.

Firstly, Try to be a little conscious of finding some tool which is useful and offers resonable protection for what you envision your need(s) to be. There is no "perfect" solution. But, there are many useful ones.

Secondly, I've got to get me one of those "flying machines". Maybe I can convert its use to be a router or something....maybe.

I enjoyed the wasp link

Puppies you can get into and look around in and remove what you don't trust from. That, with a vigilant community, active at programming levels, is about the best anyone can hope today for base system security.

On the whole I think in terms of using what is insecure, securely.
As always the biggest liability is me.
I am using Android on my phone and realising that most apps request permission to spy on me, tweet on my behalf and empty my bank account at their discretion . . . it is a security nightmare

I would be quite happy using LPS, apart from transferring my billions of Ugandan dollars (have not heard from them for a while) from my favourite phishing expedition . . .
I would be happy using any wooflet and a few puplets that I keep an eye on . . .
Many people manage real money with their phones or with MS Windows (strange but true)

I tend to trust individual penguins and secure quantum tunneling (not yet available) but how about using an updated Onebone?
http://puppylinux.org/wikka/OneBone

A command line Puppy might be secure enough?

And for a next generation of drone-craft... A combination of the hacking and cracking capabilities of the WASP project with the Flying Ball the Japanese Defense Tech people have developed, demonstrated in a youtube video at: http://www.youtube.com/watch?v=7mUNIvlgYKk&feature .

Able to fly in closed spaces, to hover, to dodge around obstacles and into close spaces, to bounce off walls, to send back navigation and data video both, while it is cracking your encryption (or just reading your passwords from your fingers as you enter them, looking over your shoulder), it will be able to follow us over field and through forest, around rock and under tree, through thickets and culverts, right into our shelters! Perhaps even bouncing its signals off of our tin-foil hats, turning what has been our ultimate protection into its auxiliary aerial to use it against us!

Of course, the military's needs for security are the same as ours and everyone's (Who was first to recognize the wisdom of wearing tin-hats, after all?), they will have to watch out for the same things we do.

This means they have to watch out for alterations being made to their secure Light Personal Security operating system out in the field. Enemies or spies making altered forms and substituting them, swapping USB sticks on agents or service-members in the field, so their reports back would go the wrong way, or two ways instead of one. For this we can be pretty sure the LPS system does, or soon will, have a write-home as soon as a net connection is established, to send at least a hash to security check the field install, to make sure it hasn't been altered. The check will be a needed security for those of the DoD system, but it will be an insecurity for the rest of us, since the nature of spying is to use available resources.

For this nature, once it is known in bureaucratic circles that there is a civilian following using LPS for its security, and that there is a doorway, some agency will inevitably arrange to use that doorway "for security". Especially since, with the system closed, no one will ever know...

It's another reason the keys to personal security are simpicity and transparency, so wee can see where leaks might occur and how they might occur. Then we can patch as we go along, swapping info abut what leaks and what seems to work to patch in each case.

I really like LPS, but couldn't get my onboard via82xx ac97 sound to work.

Out of my 4 wireless cards only 1 didn't work.

Everything works fine in puppy though.

I liked it and the oo version would be a quick easy way to have oo when I need it. For online, I can just dis-able the hdd and run Puppy.
Cheers

I think Puppy is basically better for normal user security (like online banking) than LPS.

For one thing, LPS does not (in the version I tried) have an ability to update the boot disc with browser patches. (Puppy supports DVD updates as new "sessions" on a multi-session boot DVD.) Not allowing updates is a problem because we know from Microsoft Windows that attackers do in fact reverse-engineer patches in hours or days, to find and exploit those faults. So this is a security hole waiting to be used, even in Linux.

Another LPS security issue is Java. Currently, almost all malware will not run under Linux (except for systems with Wine), because Linux is not Microsoft Windows. But Java holds the possibility of a single platform covering both Windows and non-Windows systems, which may be fairly attractive to some attackers.

The advantage of an optical disc is that it is "difficult or impossible" to infect (especially in Puppy, where the boot DVD can be removed). To some extent, Puppy discards the DVD advantage by checking for and using existing Puppy files as it comes up. Thus, it may be possible for Puppy malware to write such a file to a hard drive, thus infecting even a DVD boot (not the DVD, but all subsequent sessions) on that system. This would imply that any Puppy system with a hard drive (or flash drive) has a security hole, even with a DVD boot.

Some (probably futile) malware advice for the government:

http://www.ciphersbyritter.com/COMPSEC/ADVISING.HTM

Hi
I didn't want to start a new topic for this LPS related question but where is the firewall in LPS??, I tried to write iptables -L and ipchains -L but the result was nothing or not found, I'm new to Linux written commands but looking at that result makes me think that there's no firewall at all in LPS and I suppose that is a backdoor no mater how many times you reboot your OS, isn't it?, with all ports open, it's not important how secure are your browser settings as anyone can spy what you are doing typing or whatever, is that correct??, I read somewhere that Linux has the firewall built in its kernel, is this correct for the LPS distro too??, if so, is there a way to install iptables or any other GUI for adding or changing firewall settings??.
One last question, I was trying both LPS 1.3.6 and 1.3.5 and found that strangely the 1.3.5 you can still download at the LPS site has a different md5 than the md5 value I found in another site which kept the 1.3.5 hashes data (LPS site doesn't keep an archive of md5 sums), can anybody confirm the correct md5 for LPS 1.3.5 Public iso??
Thanks in advance for any answer and sorry for my poor English.

Open a terminal and type That may tell you if the firewall is already running.

[Edit] I looked in LPS and it does not appear to have the kernel modules for the firewall, which sounds counter-intuitive for a security Linux.

But if LPS is not running any services and has no open ports, then maybe it's smart enough to know that it doesn't need a firewall.

this being for the Military personal of US Army or Navy or any Military
would it not be logical to expect them monitor each usage for to find out
if anything bad is going on among themselves?

So sure the OS is very safe but maybe also very nosy to find out
whom are doing what?

Just me wild guessing.

Thanks rcrsn51 for your fast reply, then I suppose it's impossible or very difficult to install those missing kernel modules for the firewall?
LPS has Java, Flash and others and those are "running services" so a firewall is mandatory, correct?, how do I know if LPS has all ports closed except the one/ones needed for Internet?, is it possible to create a distro with all ports closed without the need for a firewall?, I thought the task for opening or closing ports was done by the firewall.
Is there any online test for checking ports like the acid tests for the browser?
Thanks

nooby:
LPS Public it's just that, a public version just made by the U. S. Air Force, anyways, there's nothing suspicious in its licence agreement, in fact, it's a short and clear licence agreement, but if LPS has no firewall means that anyone can see what you are doing, correct?.

mollo wrote:Is there any online test for checking ports like the acid tests for the browser?

I booted LPS on Machine A and Puppy on Machine B. From B, I ran PeasyPort and scanned all 65535 ports of A. There were no open ports.