LightweightPortableSecurity vs Puppy - Puppy wins

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#31 Post by CLAM01 »

Lobster,

Carried away in my paranoid hallucinations, I forgot to address the serious issue you raised, about diving behind the sofa. I have found that this works very well, provided you have a nice tin-foil sham on the back of the sofa. In my experience, drawn from experimentation, I have found that the dust-critters, the dust-bunnies, dust-kittens, dust-puppies, etc., under my sofa, suitably shammed, are saner than I am.

I am thinking to move forward from tin-foil to mylar now, though, since NASA uses mylar extensively and seems to be doing very well with it: They are sane enough they are suggesting starting a new web, one to be secure and for secure communicating entirely. At least abandoning the present web entirely to the animals, bugs and vermin, letting it be a jungle-playland for everyone mad enough to brave its perils, seems a sane idea to me.

It's what I do with puppies, running them with no securities but what is native through public wifis of all the least secure sorts, the kinds whose operators deliberately run them as man-in-the-middle, to see who is able to poke into what, and outload how and where. This is how most users use their computers. Those with ability and expertise to monitor and shield themselves are about one in a hundred-thousand, so the security of no security is where security has to begin. :)

dru5k1
Posts: 72
Joined: Mon 12 Apr 2010, 01:15

#33 Post by dru5k1 »

CLAM01 wrote: For an example, Lighthouse pup includes a compromised Firefox browser, which writes home on start up and permits botting (it appears to be some U.S. gov agency's compromise, from the way the botting is used).
can I ask you to elaborate on what you said here please?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#34 Post by nooby »

dru5k1 wrote:
CLAM01 wrote: For an example, Lighthouse pup includes a compromised Firefox browser, which writes home on start up and permits botting (it appears to be some U.S. gov agency's compromise, from the way the botting is used).
can I ask you to elaborate on what you said here please?
Yes look for IP address of that one so we can check it up.

More likely it is the test with the server in MountainView google employee consult something. The guy everybody use because his server has a good uptime 99.999 or something. Him watching over it like a Hawk.
I use Google Search on Puppy Forum
not an ideal solution though

tazoc
Posts: 1157
Joined: Mon 11 Dec 2006, 08:07
Location: Lower Columbia Basin WA US

How is Lighthouse Pup compromised?

#35 Post by tazoc »

CLAM01 wrote: For this, puppy users' real dangers come from inclusions in things that are user-saved and let accumulate and things a builder may wittingly or unwittingly include in a build, or that may be in a program he's used in a build.

For an example, Lighthouse pup includes a compromised Firefox browser, which writes home on start up and permits botting (it appears to be some U.S. gov agency's compromise, from the way the botting is used). Open source, of course, means one may freely add spyware, too, if one wants to.
I have no idea what compromise you've found, and I did not include any spyware or web bots in LHP. The only 'writing home' it does is to check for available updates to Lighthouse shortly after login by downloading this small package list and comparing it with the previous one. Only does this once per day. Displays a brief pop-up with gtkdialog-splash if there are any new updates available. The actual updates, e.g., bug fixes or browser updates, are only transferred if user selects them in Lighthouse Update. This behavior can be disabled by deleting or moving /root/Startup/lhp-update-notifier into DisabledItems. This is described in the Lighthouse Update | Help dialog. The notifier script is at /usr/sbin/lhp-update-notifier.

It may have seemed to be Firefox because the notifier sleeps for 20 seconds and waits until an Internet connection is active before continuing. The connection is tested by pinging google or icanhazip.com with /usr/sbin/ifactive. The notifier tries the connection occasionally for 90 seconds and then exits. This is because WiFi connections can take a while to connect. LHP 5.03's browsers run as root, however Lighthouse 64 (in development) follows the prudent Fatdog 64 approach and runs the browsers as the unprivileged user spot by default.

Please PM the appropriate developer directly if you observe unusual behavior in any Pup. I think they will all be happy to clarify and/or improve security where necessary.
-TazOC
lhpup.org http://www.lhpup.org/ | Lighthouse 64 6.02 http://www.lhpup.org/release-lhp.htm#602
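
The open question in this exchange is which process actually opened the connection, the browser or a start-up script. One way to settle that on Linux is to map each TCP socket to its owning process, shown here as an added example that is not part of tazoc's post or of Lighthouse's code. The sample table, the addresses and the two process names are constructed; the decoder assumes IPv4 on a little-endian (x86) host.

```python
"""Map TCP connections in /proc/net/tcp to the processes that own them."""
import ipaddress
import os
import re
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed sample in /proc/net/tcp layout (documentation addresses only).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 0A00A8C0:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 20 4 30 10 -1
   2: 0A00A8C0:C351 2A0200C0:01BB 01 00000000:00000000 00:00000000 00000000     0        0 11003 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> (pid, command) map; both process names are hypothetical.
SAMPLE_OWNERS = {11002: (2211, "wget"), 11003: (2304, "firefox")}


def _endpoint(field):
    """Decode 'AABBCCDD:PPPP' (IPv4 as a little-endian hex word, as on x86)."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line; the header line is skipped."""
    conns = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue  # truncated or blank line
        conns.append({
            "local": _endpoint(cols[1]),
            "remote": _endpoint(cols[2]),
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return conns


def socket_owners(proc_root="/proc"):
    """Walk <proc_root>/<pid>/fd and map socket inodes to (pid, command)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            fd_dir = os.path.join(proc_root, pid, "fd")
            for fd in os.listdir(fd_dir):
                match = SOCKET_LINK.fullmatch(os.readlink(os.path.join(fd_dir, fd)))
                if match:
                    owners[int(match.group(1))] = (int(pid), comm)
        except OSError:
            continue  # process exited mid-walk, or its fds are not readable
    return owners


def attribute_outbound(text, owners):
    """List (command, pid, 'ip:port') for active non-loopback connections."""
    rows = []
    for conn in parse_proc_net_tcp(text):
        addr, port = conn["remote"]
        if conn["state"] not in ("ESTABLISHED", "SYN_SENT") or addr.is_loopback:
            continue
        pid, comm = owners.get(conn["inode"], (None, "unknown"))
        rows.append((comm, pid, f"{addr}:{port}"))
    return rows


if __name__ == "__main__":
    # On a live system, read the kernel's table instead of the sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            table, owners = fh.read(), socket_owners()
    else:
        table, owners = SAMPLE_PROC_NET_TCP, SAMPLE_OWNERS
    for comm, pid, remote in attribute_outbound(table, owners):
        print(f"{comm:<20} pid={pid} -> {remote}")
```

Run as root so that the descriptor tables of every process are readable; a connection whose owner shows as "unknown" belongs to a process the walk could not inspect or that had already exited.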

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#36 Post by Lobster »

Its purpose is probably the installation of a keylogger in your Windows partition.
I think this is a legitimate concern and may well have occurred to me. :oops:
If visiting dubious sites (for example downloading from prawn sites) you are giving the site permission to upload to your site.
So a keylogger or other malware to compromise Windows (chances are it will target Windows) in the same place is a tempting possibility for the malwarians.
I have vids of naked prawns and Windows on the same drive. Recently I booted into Windows and it was sluggish. Not sure If I have any protection on that Windows. So it could be very badly compromised.
So I should delete Windows (always a good plan). :)
I must admit I hardly ever boot into the Windows drive. Booting from it has to be enabled from the BIOS.
So it is possible to inadvertently download nastiness with LPS or Puppy for other OS.

Another possibility is an installed add on app for Firefox or Seamonkey.
Such an app may be clean (I am not sure how well they are checked but let us assume they are) but may have an auto-update facility that runs a new version of the program for some unlucky recipients.
Such an app would have access to XUL (the Firefox and Seamonkey language) and javascript and therefore could work across different operating systems.

:roll:
I must admit this scenario fills me with no sense of fear or foreboding.
I just don't have the right head for tin foil millinery.

PS
the prawn stays. :wink:
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#37 Post by CLAM01 »

Oooh, looks like I hit a three for one sale on posts on Sunday. Unless the post bounced off the walls and hit the board in three ricochets. Three for the price of one is too good a deal to pass up, even when the one is free...

About the Firefox browser problem I met in Lighthouse: First, I should have used past tense. Using present I suggested it ongoing. I don't use Lighthouse on the net, for other reasons, so as far as I know it isn't (if it was I'm sure others would be noticing). The Firefox involved was a 3-series, the "test" opportunity came from the DoS attack against WikiLeaks. I re-started three times, clean (once ram) and the browser returned to full-time pinging each time. The server address written to googled to be in Dallas Texas. I did not document, I went on to try Opera and Seamonkey and then the three in other puppies. None did anything odd, so I deducted the problem was that Firefox in Lighthouse. I assume it was compromised, or compromisable and had its signature targeted.

The backside of the GPL's allowance for free modification is that it isn't only good-guys allowed to modify, which is another reason for checking and re-checking, even what comes from reliable sources, in case they have been slipped into.

As I said, the problem seemed to be in Firefox, which has updated extensively since then. I like Lighthouse and use it regularly when I want a full-feature puppy. I don't use it on the web, not because I don't trust lighthouse, but because I don't trust the web. I use simpler puppies on the web. Ones with fewer convenience features and systems. Those are great in a secure environment, but are more to have to keep track of and to have to look in, around and behind, and to have to search in and sweep around when looking for flies and fleas and other vermin that have, or might have, got in.

Auto-updating I prefer to not have. I don't even like auto-connect to the web. Even puppy's pet-fetch features make me nervous and paranoid. I go to ibiblio to manually download my pet package and even cross my fingers installing them just by clicking. It makes me feel manly when I'm told dependencies are needed, so I can say, "yes dear." and go find and fetch them. But if I find anything weird about a package I've installed I can go to where I have it stored and look in.

Nowadays I rarely do. I am avoiding CLI almost entirely. Almost no one in the computer-using world knows CLI, so if anything is to be secure for all users, instead of a unique few, it has to be idiot-proof secure or user-securable through GUI.

For this I can't even spread my favorite puppy-virus using a script. I have to spread by suggesting others try it for fun. Here is the recipe:

Our object is to make our puppy (any breed or cross) more secure. As we all know, our puppies are not secure because we run as root. To be secure we want to run as spot. The easy way to do this is to move our root to spot. To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot. Then drag root from the / window and drop it in the spot one. That's all there is to it. Our root is now safe in spot. We are all done. Literally. Everything we do from this point on that triggers a call to a file in root will stop for being unable to find root. Nothing can get instruction from root, now tucked safely away in spot, secure even from us and our own computer. What is really cool and real virus like is the way all our open programs continue to work until we try to do something with one, whereupon it immediately freezes up. It's proper virus-infection behavior.

To recover demonstrates the first-most security feature of puppy. We have to hard-reboot, since root being lost makes everything stop (including, fortunately, writing the move of root to the pup-save file). When our puppy reboots it reboots through a normal restart to a normal puppy rebuilt from the main sfs, pup-save and additional sfs files. A healthy puppy, all recovered, no longer sick. Puppy is, indeed, virus-proof, and idiot-proof! Note, however, that pup-saves can collect malware and should be cleaned every now and again. For convenience, if you customize settings, and add programs, set your puppy up as you want and build a custom that incorporates what you want as you want it, so all is in your main sfs, then save everything important to one or two files in your pup-save that you can move out to a partition before you clean your pup-save (mouse a frame around all contents and quiet-delete).

dru5k1
Posts: 72
Joined: Mon 12 Apr 2010, 01:15

#38 Post by dru5k1 »

So you say your firefox 3 series was pinging a .gov (us government) address repeatedly from a clean .iso -interesting- but you also say that you like to remaster too, this means your clean .iso may not have actually been a clean one I guess.. It's great to hear from Tazoc that a separate connect-script may have made it 'seem' like it was firefox doing this

Was it actually a .gov address?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#39 Post by nooby »

Clam01

I wish I was more computer savvy, I am an absolute computer challenged guy but what you say in my quote below is interesting.

I wish somebody geeky could test it and explain how to use it for us Noobs.
Clam01 wrote
Our object is to make our puppy (any breed or cross) more secure. As we all know, our puppies are not secure because we run as root. To be secure we want to run as spot. The easy way to do this is to move our root to spot. To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot. Then drag root from the / window and drop it in the spot one. That's all there is to it. Our root is now safe in spot. We are all done. Literally. Everything we do from this point on that triggers a call to a file in root will stop for being unable to find root. Nothing can get instruction from root, now tucked safely away in spot, secure even from us and our own computer. What is really cool and real virus like is the way all our open programs continue to work until we try to do something with one, whereupon it immediately freezes up. It's proper virus-infection behavior.

To recover demonstrates the first-most security feature of puppy. We have to hard-reboot, since root being lost makes everything stop (including, fortunately, writing the move of root to the pup-save file). When our puppy reboots it reboots through a normal restart to a normal puppy rebuilt from the main sfs, pup-save and additional sfs files. A healthy puppy, all recovered, no longer sick. Puppy is, indeed, virus-proof, and idiot-proof! Note, however, that pup-saves can collect malware and should be cleaned every now and again. For convenience, if you customize settings, and add programs, set your puppy up as you want and build a custom that incorporates what you want as you want it, so all is in your main sfs, then save everything important to one or two files in your pup-save that you can move out to a partition before you clean your pup-save (mouse a frame around all contents and quiet-delete).
This being the LPS vs Puppy thread maybe one have to start a new thread. I think I do that in Security.

dru5k1
Posts: 72
Joined: Mon 12 Apr 2010, 01:15

#40 Post by dru5k1 »

I agree with nooby

It looks so simple, so almost too good to be true

Please explain as you've obviously done it.. and what (if any) are the 'consequences'?

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#41 Post by CLAM01 »

dru5k1,

I don't know if the server that auto-connected, or if where the pinging was directed from was .gov. I assumed the pinging was of WikiLeaks, since it was being attacked then. I assumed a government or enforcement entity directing, but would assume that whoever it was they were .com, since the most common is the best cover, and DoS attacking is not something I would do from home if I was a .gov. When paypal and others who irritated wikileaks supporters were attacked by radicals I booted the same system again and had no activity, except the "testing", which I assume to be notifying, or merely recording for statistics, if I had no flags, that my MAC was connected to the web.

The Lighthouse I used was not remastered. On this computer I run all sorts of puppies, whatever I download to try. I launch to net through open networks, some I know to be nosey, some of whose noses I sometimes deliberately tweak, to see who, or what, try what to roust data, operate something, run a program or proposition the computer. I do this for fun, to see how insecure the web can be for a normal user using puppy. I am not interested in stopping things, I am interested in what can get in, how and by what means. My interest is if there is any way for the common user to be secure and connected to the web. I give government and law enforcement a hard time when I see them part of the problem, because they are supposed to be protecting the innocent, not victimizing them, too.

In the DoS incident I did three evolutions to define generally where the exploiting was from. The first was when I noticed, with the existing pup-save. I then wiped the pup-save, which was then built new by the main sfs. Then I booted in ram with no pup-save. I then grabbed my bag of start disks and booted other puppies I had frugal-installed on the machine, to see if they did the same. I suspect a hole in Firefox, and I suspect a government connected entity because the browser was writing out to a web location. Stock browsers that do this tend to write to "Colonel Hassan", or "Major Harris" or some or another such for "connection test", the site being one "every browser uses to test" because it is "left over from DARPA", has "a 99.999% up-time" (and so is always there), or some such, I suspect to record there the MAC and time and place. A browser really needs test only to the computer's router, since it's the router, not the browser that connects beyond. As about any air-cracking addict can tell you, there ain't many routers that are any how secure.

Nooby and dru5k1,

Note that my recipe for "securing" root by moving it into spot is a puppy-virus recipe. It is fun in puppy because it does no serious harm (though you should do it on a frugal-installed puppy you don't have personal files in, just in case). It isn't a cure for anything, except maybe acute boredom. Computer programs find things they need by following paths to them. Putting root in spot removes root from the path programs follow to find it. Coming to a dead-end a program stalls. This effectively kills the running puppy. This does no harm with puppy because the running puppy is a copy. It is a clone of the puppy main sfs modified per white and black lists and additional instructions, and files, in the pup-save, and additional sfs's added on startup.

Basically all my "puppy-virus" does is illustrate and demonstrate the puppy structure that makes puppy root secure and provides puppy's first-line of security against infections. To bring in LPS into the discussion, for a nod to the thread, this first-line defense is the same that LPS uses (which LPS almost certainly has from puppy, which is famous for it, via GPL).

The means to "propagate" the "virus", moving root to spot to make root secure, is for fun. It is one of those "too good to be true" things, "so easy why didn't the experts ever think of it?" Because they are fun I like to think of these things.

Caveats: Because I have never full-install installed a puppy I don't know if the virus works the same, or messes things up in a full install. Also, I don't know if a puppy that saves to USB periodically will always fail to save the root-in-spot configuration to its pup-save. If your puppy does not restart normally, reboot in ram, mount the pup-save, move personal files out to /mnt/home, then mouse draw to compass all files in the pup-save, quiet-delete all, close the empty window, unmount the pup-save (by left-clicking on it), then reboot the computer, not saving your ram session. When the puppy main sfs re-populates the pup-save you can customize it again and move your personal files from /mnt/home back in.

dru5k1
Posts: 72
Joined: Mon 12 Apr 2010, 01:15

#42 Post by dru5k1 »

oh ok

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#43 Post by Lobster »

i don't trust the web
:)
For the last week I have been using a version of Linux
called Gangroid or Googledroid (wait Android)
that is it . . . :wink:
Basically when you install an app (from the web)
you agree to:
  1. Allow total access to all your files
  2. Access to your grandmother for resale
  3. They can fry your brain at a time of their convenience
To put it more realistically
you invite them in, you allow them access
you sign over your rights to YOUR data
They then charge for ad-bombing you

I don't want a blackberry (I hear they are more secure)
I want to use Puppy on a phone - or at least a tablet
and I do not want pics of naked sardines
unless in the seclusion of my own aquarium.

So I won't be continuing the use of my Android phone?
Oh no - too much fun :oops:
and who can resist a hot kipper with melted butter . . . 8)

Trust Puppy
. . . to be cute . . .

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#44 Post by nooby »

I know too little but I have heard that Debian can do ARM. Maybe not every ARM that have been made but could be realistic to check up if them maybe can do exactly the small cheap pad that sell round the corner.

Hahah I could owned one some two weeks ago if I had known them had them on total sell out Sales. 50% on the or even a third on the first unrealistic price them had. So for less than some 500SEK maybe 77USD
which is a very low price. Not a good pad but the firm that imported them assured me that it could use both USB Mouse and USB keyboard but no Swedish keyboard. Only resistive screen and low resolution but no fan that whine in the background. So that is my kind of gear.

I wonder if LPS placed something on my HDD. A lot to read through before them allowed one to get LPS going.

Yes I know that Android is set up like that too :) I guess I should join the Church of Google so I get forgiveness for using Puppy.

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#45 Post by CLAM01 »

I've decided I'm not a fan of LPS. It is too opaque. Not easy enough to see inside and for the casual user to monitor. It doesn't appear to be significantly more secure than a puppy and is less serviceable. Puppies are, for the most part, not easily enough transparent (but nothing can be), are decently transparent, slicker, smoother, amazingly versatile and easy to keep up-to-date.

In addition, I don't think the LPS advertisement that using it one can get along with only one computer (and do everything on it in different operating systems) is reliable: Physical separation is the only reliable separation in the electronic data world.

d4p
Posts: 439
Joined: Tue 13 Mar 2007, 02:30

#46 Post by d4p »

LPS v1.2.2 is released

"And the advice given in the FAQs and manual, telling the user how to maintain security, as, for example, for making secure banking transactions to start up, "

Ctbankix is designed specifically for secure online banking
Based on ubuntu
multi-session CD possible
read/write access to ufd only

Bitbox is designed for secure online also
based on ubuntu and runs in virtual
need big ram memory

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#47 Post by CLAM01 »

The perennial problem with doing banking, or anything else you want sure security for, from anywhere out and about is router insecurity. Router insecurity can be "router security", and is in most provided wifi settings. This because "for security", meaning for defense against being caught in a legal tangle for "culpably allowing" one's facilities to be used for an illegal purpose, providers engage in "monitoring" traffic through their wifi routers, so they may claim to have "attempted to prevent", which establishes them a victim, not a participant.

In publicly available situations the monitoring is not done by security-cleared individuals. Essentially, the monitoring soft-ware is there. For this everyone with access to the router (onsite and off) has access to monitored data, and anyone of those with access to decoding and decrypting programming can mine, even back in time, since it is always safer to save, in case someone (or agency) should ask. This means, in hotels, restaurants, coffee-shops, kiosks, etc., any tech-savvy waiter, busboy, janitor, counterperson, temporary, contractor, etc., or "friend of" any one can real-time monitor, or mine back. The router-in-the-middle is a weak link.

So, if you are public even with LPS you are depending mostly on anonymity for security, that is, on your transmissions being lost in the flow of traffic. The best alternative is to make a tunnel to a secure router first, then transmit data through to that and on from there. This is what the CAC-secured connect-to-your-government-system capability that LPS developers will set up for government clients does for them.

dawg
Posts: 116
Joined: Sun 09 Aug 2009, 14:36
Location: still here

#48 Post by dawg »

LPS is bound to have a backdoor installed for the control-freak spooks somewhere.
I used to only like Puppy as a friend, but now I think our relationship is starting to develop into something more... :D

Bruce B

#49 Post by Bruce B »

some observations

» one thing that makes it safer is lack of tools to mess with the hard disks as well as no ability to mount the partitions

» it is easy to install on the hdd

» one could easily modify init (the file with the programs) to personalize it

~

cowboy
Posts: 250
Joined: Thu 03 Feb 2011, 22:04
Location: North America; the Western Hemisphere; Yonder

surely

#50 Post by cowboy »

dawg wrote: LPS is bound to have a backdoor installed for the control-freak spooks somewhere.
in general, one might say the same thing about "The Internet".
"you fix what you can fix and you let the rest go.." - Cormac McCarthy - No Country For Old Men.
