Tinfoil Puppy

[Lobster]

Some people believe this is Puppys security policy:




others prefer this method


Are some people interested in a new approach? No doubt..


Grafpup implemented a 'sign in' option, that could be used?
Muppy I feel would need to be secure?
John Murga I believe may have some understanding of how this works?

Would Dingo be a good basis?
Ideas (in code) to the usual drop sites . . .

[MU]

I described somewhere else (in the thread about puppylinux.com compromized) already how a signing mechanism could work.
We plan to set up a repository especially for Muppy with tested and signed packages.
This will however just offer a very limited amount of software.
They will be offered on a dedicated rootserver we rent just for this purpose (which is pretty expensive compared to servage).
The main-reason for this server however are the traffic-problems with servage.
The signatures are just an addon to satisfy paranoid customers.

I also explained there, that in practice, there should be no fear regarding existing packages for several reasons.
Another reason not to get paranoid is:
Someone who is really paranoid concerning security, could boot a Puppy to Ram or using an encrypted savefile without additional software for online-banking or similar security-critical tasks.

I get the impression, that this topic gets somewhat overstressed, also because people often do not understand that in case of compromized websites not "Linux" is the problem, but Apache or better incompetent admins. Using cheap services you cannot expect well paid, competent professionals working there.
I once had a website with PHP on a shared hosting account, where I as simple customer could read the whole server log and configuration (of all users) using a short, selfwritten PHP-script (10 lines of code).
Such a badly set up system is like going to work without closing the door of your appartment.
In addition, PHP has no sandbox mechanisms.
Minisys (which offers a webserver in Muppy) uses an inbuilt sandbox to check the integrity of the applications running in it.
We see in the logs of productive sites, that minisys is attaced, too, but the malicious code simply cannot pass through

There just was an article in german, that reported that most compromized webservers use very weak passwords, or wrong Apache/PHP-configurations.
http://www.pro-linux.de/news/2008/12467.html

A webserver IS critical software, as it opens an active interface to the internet.
Puppy does NOT run a webserver by default!


Mark

[Lobster]

Puppy does NOT run a webserver by default!

Thanks Mark

Back to the important stuff now
like can a robot play a violin . . .
http://www.snotr.com/video/707

[MU]

I just telefoned with Stefan, the minisys leaddeveloper.
In may, minisys and documentation will be completely available in english.

We use it in companies already since quite a while now (though it still is a RC).
Just some small final fixes will be added, that we determine in the productive use. Minisys is "usable" already, we just tried out in practice further requirements, that need to be added for the final release.

With the final, international version everyone can take advantage of the advanced security mechanisms, that are currently used only by a small group of professionals in critical environments (e.g. to control robots in inventories via webbrowser).

This however requires a root-server or a custom server at home reachable via dyndns or similar services, if you want to use it to publish your websites using the integrated website-builder and forum-system (until we find first providers that will offer Minisys pre-installed for shared hosting).

Mark

[prehistoric]

MU, you just made an important point I have been trying to get across.

I get the impression, that this topic gets somewhat overstressed, also because people often do not understand that in case of compromized websites not "Linux" is the problem, but Apache or better incompetent admins.

The problem here is the perception of security vs. reality. Being totally secure inside your own system doesn't do a thing about the rest of the web, which really is being worked over these days.

However, saying that "Linux" is not the problem is a kind of strawman argument. I do not make such a claim. I would simply note that being "Linux" no longer makes you immune. Any system which handles protocols in general use is vulnerable to exploits based on those protocols. You might download the pdf reports on Finjan's malicious page of the month for January and February 2008. Malicious Page of the Month

Someone who is really paranoid concerning security, could boot a Puppy to Ram or using an encrypted savefile without additional software for online-banking or similar security-critical tasks.

The problem here is, once again, a false sense that one form of extreme security will carry over to other dimensions of security. If your browser is redirected to a site running a Trojan, and you don't notice, you can enter critical personal information directly into a program run by criminals. The networks for exploiting this information have become so efficient credit card data is often exploited within seconds.

Another link in the chain from Barry, or you, to the rest of the world is the server supplying the ISO image. Here is a relevant discovery. ftp password database
Puppy is not simply a program put together by a few people. It is also an on-line community. A weak link in that chain can be exploited.
Here is another kind of attack, currently targeted on Windows systems. Password Stealing
The stolen data is transmitted on line, so running in RAM makes no difference. Our main protection has been that Puppy was not a target.

Even with a perfectly good CD and no stored data at start up, it is possible to install plugins and codecs while running in RAM. Again, the list of fake codecs currently targets Windows systems. Danchev portfolio We are constantly hearing complaints about some kind of format which works on Windows systems, but not under Puppy. As we get better at using plugins and codecs originally designed for other systems we increase our vulnerability.

There is a general perception that the Puppy community is not a worthwhile target for serious exploitation. Somebody disagrees; they could be simply mistaken, or they could know some vulnerability we have not considered. Either way, simply saying there isn't enough interest by black hats is no longer enough. The time to prepare is now, not after we end up in the news for the wrong reasons.

Regards,

prehistoric

p.s. As far as I'm concerned the case for direct human involvement in Barry's problems is overwhelming. If you want to blame Servage, you certainly can. Who do you blame for this exploit? Trend Micro Hacked

There are power tools for hacking sites in the wild. Someone with access to these has caused us problems.

[Lobster]

We need to keep our eyes open


Excellent post prehistoric and thank you for you PM's which prompted this thread . . .

I turn on the Firewall with the wizard. That's it.

I am using the latest Firefox and it has a security feature that warns of potential fake and phishing websites.

What is a potential course of action for those concerned with max security?

I would suggest Opera or FIrefox are more secure browsers and javascript should be turned off and no Java?

The cache should be flushed on each shutdown?
A thread (this or another) should be started if people wish for explanations of processes running (which they can check with 'kp running processes')

Perhaps a guideline for safe browsing / safe practice on the wiki?
http://puppylinux.org/wikka/Security

[MU]

Someone who is really paranoid concerning security, could boot a Puppy to Ram or using an encrypted savefile without additional software for online-banking or similar security-critical tasks.

You relly just should do this:

online-banking or similar security-critical tasks

There is of course no sense to boot to Ram, then visit some pornsites and "how to crack computers" sites, then do banking afterwards.

Boot to Ram, do your banking. Nothing else.
Then reboot, and visit whatever you like.

This IS safe.

Mark

[prehistoric]

@Lobster,

I'm not ready to produce a wiki page. Still dealing with current threat and response and short on solid information.

The recommendation I would give you is to use the noscript plugin with Firefox, it should work with beta versions of 3. Noscript allows you more control over the execution of scripts. With javascript off you lose an awful lot of the web. Having degrees of scripting allowed for different sites makes things usable.

When I'm wearing my tinfoil hat, I use a special machine with a lot of RAM and no hard drive on a dynamic IP address. I always install a different browser from the one originally distributed.

@MU,

Not visiting porn sites or hacker havens before banking is good advice. The catch comes when you may not recognise a malicious site. I believe one reason our sites were hacked was to abuse our good name. A link there turned up by a search engine would not be blacklisted. If you look at the list of sites hacked in the current wave of attacks you will see many highly respectable sites. And, some Trojans are convincing replicas of the site you expected. (Another problem comes from what are known as "fast flux networks". If you block all IPs they might use your Internet is full of holes.)

One scam directly involving on-line banking involves a warning about the dangerous nature of today's Internet and a link to get a new certificate for secure connections. You can guess what the "certificate" does.

My aim here is not to induce paranoia, just to point out that the Internet's threat landscape is changing, particularly at this moment. There was a time when mention of computer crime from Nigeria was about the silliest thing you could think of - not any more. Nigerians might be behind on many fronts, but when it comes to scheming and exploitation they have have had a great deal of painful experience. The same thing is true for many people around the world.

Basing probabilities on past experience always leaves you susceptible to this changing landscape and intelligent opponents exploit such misjudgements.

BTW: I like the idea of building a special, secure network on top of the Internet. This would be very good for people administering sites. It would require more than the rather loose disclosure requirements we have for ordinary users, but a legitimate administrator should have no problem about disclosing the necessary information to well-known and highly-trusted people already running sites.

[alienjeff]

Another seemingly archaic though secure method is to forego the dubious convenience of on-line banking and only do so in person at a physical banking facility.

The same goes for shopping.

Freaking hominids ...

[prehistoric]

Ah, yes, AJ. The quaint, old bricks-and-mortar kind of bank where you deal with real flesh and blood people, who then enter the transaction in a computer.

I'm afraid the handwriting (also archaic) is on the wall for them. As Servage has discovered, even if 'bots have a few shortcomings, their price/performance ratio is unmatched.

[koolie]

I see the issue of net banking in a similar way to AJ, and it's not a matter of the transaction ending up being done on a computer.

It is about getting off the fckn computer, going outside into the world, getting exercise, seeing things, doing things, going places, interacting with people, breathing fresh air, and experiencing life.
The benefits are enormous, the risks are small.
Doing financial transactions electronically, the benefits are small, the risks enormous.

People see the old-fashioned way of carrying and using cash as risky, afraid of being robbed of a few hundred dollars, but happily expose themselves electronically to potentially losing everything they own.
Illogical.

[prehistoric]

@koolie,

No argument about getting off the computer.

Have you ever estimated the ratio of physical money to money which only exists in computers or as numbers printed on paper? (ordinary paper)

How could businesses and governments function if money was physical?

You must be another antediluvian, like myself.

--------------

Now, after I've retired, Bruce Schneier tells me I have the twisted mind of a good security professional. All those years wasted in the wrong field.

[koolie]

@prehistoric

I know where you are coming from regarding the money supply,
but it's quite remote from an individual's financial prudence
(or lack thereof).

You must be another antediluvian, like myself.

LOL
wash your mouth out.

I'm not anti-alluvium.
Sluicing alluvium is a healthy outdoor activity.

[Lobster]

Firefox security solutions that I will not be installing until my tin hat is back from the dry cleaners:
http://www.tssci-security.com/archives/ ... -browsing/

[John Doe]

On the Effectiveness of Aluminium Foil Helmets:An Empirical Study

http://people.csail.mit.edu/rahimi/helmet/

[oblivious]

Ah, yes, AJ. The quaint, old bricks-and-mortar kind of bank where you deal with real flesh and blood people, who then enter the transaction in a computer.

I prefer to keep payment details off the internet. I once telephoned to buy something, saying I didn't want to use the internet. So, I hear tappity-tap noises and asks what's happening. The guy tell me that HE's entering my details on HIS computer to be sent via the internet to their supplier.

Keep cash in your mattress, and buy nothing, and you might be ok, if burglars don't break in, or rats don't eat it.

[cthisbear]

"On the Effectiveness of Aluminium Foil Helmets:An Empirical Study "

I've worked with people like that.
Chris.

[prehistoric]

I've worked with people like that.
Chris.

Working with one is bad; living with one is impossible.

I still get mail and telephone calls from people looking for that one, years afterward, because having an address or telephone number tied to a real, physical location and identity is a vulnerability. BTW: the one under discussion never lived at this address or shared the number.

(Anyone know where to forward these? I'd have to disguise them as junk mail addressed to "resident" because registered letters are always returned undelivered, even if this gets an impounded car, and all contents, cubed.)

[puppyluvr]

@John Doe
Is this guy the next Dr. Who????
.......... .......... .......... .......... ..........

[dinky]

Hey folks, anyone else aware of the recent internet security meeting held on the gold coast here in Australia? Sorry I'm short of details, but I just heard about it in passing. In any event, from what I recall it was a massive meeting, with representatives from every major bank, the US defence force, Australian defence force, etc. What they focused on was the fundamental lack of security over the internet... basically, no matter how secure a system can be, if it relies on individual people making their own computers and web browsers secure, it's going to fail. THink about this. Most people use Microsoft XP... or soon Vista... how many people run their systems as administrator? Most... how many people actively follow every suggestion about security their browser pops up... or even make their system more secure? Likely not that many... There appears a general thought that a firewall and virus software will make you safe. It won't.

Anyway, the point I recall hearing that most interested me was that at this meeting it was decided that the internet is NOT safe, and cannot be patched to be made so. Banks currently make alot of money (or save it, depending how you look at it) on online banking. They are not about to change that. It seems to be bank policy when if there is a security breach, to reimburse you the money. I can think of a couple instances recently with people I know of where this has happened.... neither of them were being at all careful.

So if you are worried about identity theft, I would agree with alienjeff. If you are worried about losing money, I would suggest looking into it a bit deeper. It's my view that we don't hear very often about security breaches in banks... for a reason. Who would want the general public to know? And yes, I use online banking. I'm not going to change that anytime soon... not until the banks change their security policy. Cheers.