Steps for enhancing security I can take in Puppy 5.2?

For discussions about security.
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

#16 Post by Leaena »

DPUP5520 wrote:There is a way to easily encrypt and hide torrent transmissions, unfortunately you cannot do it with Transmission as far as I know however I intentionally left the bit-torrent client in PuppyCrypt unsecured in order to divert illegal intentions.
What do you mean by "unsecured"? I'm getting ready to test Crypt in a VM, so I'm sure I'll find out - but I assume you mean the transmission isn't encrypted? And I assume securing it wouldn't be all that difficult (although I understand why you wouldn't do so by default)? I don't have any illegal intentions, but I *do* prefer to have as much encryption as is reasonable. If 2048-bit was reasonable for everything, you can bet I'd be using it.
nooby wrote:I trust that Puppy lovers are so used to being root that then have no inner motivation to give this too much effort. So maybe you
are that person then?
Heh. I might be - I'll see how securing my own distro goes, and if all is well, I wouldn't have any qualms about contributing back to the community in one way or another. Computer Security (I'm a full-blown geek in every possible way, and I've been lucky enough to be paid to break into a system or two legally) also happens to be a passion of mine, so the possibility is definitely there.
nooby wrote:Back to your topic. Them the Devs of Puppy made an attempt to give somewhat to the worried Linux users that are used to
be in a multi user environ where one only are root when one
need to do serious admin things.
That seems to be the more traditional way of doing things. Did they ever succeed? I have no problem running as root, myself, but there are just some things I'd rather do in a virtual sandbox. Running as Spot seems a decent enough solution for most things, though (so long as I'm not missing a leak of some sort).
Lobster wrote:Fatdog had a great policy of only downloading to 'Downloads', that might have helped . . . ?
I wonder how that'd be accomplished in Puppy 5.2. Unless I'm mistaken, running an application as Spot limits its activity to that user's folder only, correct? Should achieve relatively the same end, but still - I'm interested in how I could incorporate something like that on my box.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#17 Post by rcrsn51 »

Leaena wrote:
Lobster wrote:Fatdog had a great policy of only downloading to 'Downloads', that might have helped . . . ?
I wonder how that'd be accomplished in Puppy 5.2. Unless I'm mistaken, running an application as Spot limits its activity to that user's folder only, correct? Should achieve relatively the same end, but still - I'm interested in how I could incorporate something like that on my box.

su -c "path to firefox" spot

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#18 Post by Lobster »

Just enough time to build a hardened Linux supercluster to use it on (and then try and break into it, dodging lasers and retina scanners galore).
Keep us informed with pics (sent by carrier pigeon if need be) . . .
If you have any old obsolete computers, maybe an Archimedes, Amiga or Atari, maybe you could include them in the random rotating loop, just for the chaos option. :wink:
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#19 Post by nooby »

oops I trust I really stressed them trusted more in Fido than in Spot.

So now you guys seems to have get stuck in Spot while Fido is
the official solution :)

Which one is best then? What features is unique for each of them?
I know nothing. But it is obvious that the inner motivation to get
either of them popular simply is lacking. No activity in the Fido
thread and none in the spot thread either.
I use Google Search on Puppy Forum
not an ideal solution though

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#20 Post by CLAM01 »

All This Talk About Running Puppy As root... *growl*

In puppy linux your user account is called root, but is not root. In puppy root is user.

Root in puppy root is the underlying ramdisk. The main "PUPversion.sfs" is, or contains (actually, installs again each startup), the root file system. When you start your puppy the real root filesystem gets copied to ram, or swap. You use the copies of the root files in ram or swap. When you shut down your ram/swap copy of your main sfs root is deleted. Next time you start the main sfs installs another copy of itself to ram/swap. Real roots don't get any more secure than that, especially if the real root is on non-writable CD.

Running puppy frugal from a CD there is no way your main sfs root files can be altered. Running frugal with the main sfs copied to HD, the main sfs is copied from HD to ram/swap, then is not touched again. It can be altered by someone mounting it and opening it with another puppy, since HDs allow writing and erasing. But if anyone roots you during a session they root your user-root account for the session only. If they install a rootkit it installs to your pup-save and can install from there again next session. You can prevent that by erasing the contents of your pup-save, so your ramdisk root writes fresh files to it when you start your next session. You need to move files you want to save out to a back-up save file before you wipe your pup-save contents (don't wipe the whole pup-save, only all files in it).

To modify your real root system in puppy you have to run the "remaster puppy live-CD" program from the setup menu. That's how you "su" in puppy. You have to make your modifications in your user-root puppy first, adding and subtracting what you want. You make your new root account when you do the remaster of what you have set up.

I check the integrity of my main sfs files when I copy them to HD for frugal installs (I don't full install, so I don't know if files are secure in those) by making hashes of my main SFS files when I first copy, then re-hashing them and checking against the first hash from time to time. So far I have not found a main puppy sfs file to change.

Renaming puppy root isn't a good option because lots of files look for "/root" and don't find it if it's named something else. Those who have set up multi-user puppies have found that finding and changing every pathname instance is tedious and frustrating.

Puppy Linux is single-user per session and pup-save. It's the way it works. Each user launches his own ramdisk-root from the same main sfs root and modifies his or her own session from his or her pup-save store of preferences. For personal files each using the same computer has to make his or her own password protected encrypted save-file, or have his or her own flash-drive.
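
The hash-then-recheck routine described in post #20, written out as an added example (it is not code from any poster in this thread). It assumes `sha256sum` is installed; the function names, and the directory and manifest paths you pass in, are hypothetical.

```shell
#!/bin/sh
# Added example: baseline-and-recheck of Puppy SFS files with SHA-256.
# Function names and paths are hypothetical; sha256sum is assumed present.
# Keep the manifest somewhere the running system cannot write (CD, another
# machine): on a writable HD, whoever can alter the SFS can alter the list.

# record_baseline DIR MANIFEST
# Run once, right after copying the SFS files for a frugal install.
record_baseline() {
    dir=$1; manifest=$2
    set -- "$dir"/*.sfs
    [ -e "$1" ] || { echo "no .sfs files in $dir" >&2; return 1; }
    # cd first so the manifest stores bare file names, not absolute paths
    ( cd "$dir" && sha256sum -- *.sfs ) > "$manifest"
}

# verify_baseline DIR MANIFEST
# Returns 0 = all match, 1 = changed or missing file, 2 = .sfs file that is
# not in the baseline, 3 = baseline unreadable.
verify_baseline() {
    dir=$1; manifest=$2
    [ -r "$manifest" ] || { echo "no baseline: $manifest" >&2; return 3; }
    # Make the manifest path absolute so it is still found after cd
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac

    if out=$(cd "$dir" && sha256sum -c "$manifest" 2>&1); then
        changed=0
    else
        changed=1
    fi
    # Show only the lines that are not "name: OK"
    printf '%s\n' "$out" | grep -v ': OK$' >&2 || true
    [ "$changed" -eq 0 ] || return 1

    # An SFS that appeared after the baseline was taken has never been hashed
    for f in "$dir"/*.sfs; do
        [ -e "$f" ] || continue
        name=${f##*/}
        # manifest line = 64 hex digits + 2 separator chars + file name
        awk -v n="$name" 'substr($0, 67) == n { found = 1 } END { exit !found }' \
            "$manifest" || { echo "unlisted: $name" >&2; return 2; }
    done
    return 0
}

# Direct use: sh sfs-check.sh record|verify DIR MANIFEST
case ${1:-} in
    record) record_baseline "$2" "$3" ;;
    verify) verify_baseline "$2" "$3" ;;
esac
```

A non-zero return from `verify_baseline` is the signal to stop using that copy and restore the SFS files from the original media.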

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#21 Post by nooby »

CLAM01 thanks that was very interesting to read.
Sadly I am not really on that level but as far as I get it
that seems to be the way it does work.

That could also explain why some have decided to never have
a pupsave file. Them either remaster until them get a puppy that
works as them wanted and then never have to use a pupsave file again.

Them use sfs files to have flexibility of choices without needing
to load all of these at once. So them can load them on fly when needed.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#22 Post by Lobster »

CLAM01 thanks that was very interesting to read.
Have added it here to replace Nathan's comments which were getting a little long in the tooth [so to speak] 8)
http://puppylinux.org/wikka/security

. . . there are new ways to strengthen security . . .
Yes you can compile a firewall for obsolete hardware
but even better for barely released hardware
Will your cluster of rotating firewalls have the power of Pi?
http://puppylinux.org/wikka/PARM

Expect some ultra security devices to emerge for RPi.
I may have to build a fire wail . . . :roll:
Basically this is a call out device for anyone trying to quantum hack
from another dimension . . . allowing them access
http://tmxxine.tumblr.com/post/11569525 ... algorithms
[My imaginary psychiatric team have been notified - virtual medication expected shortly . . .] :shock:
Last edited by Lobster on Thu 17 Nov 2011, 03:22, edited 1 time in total.

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#23 Post by CLAM01 »

Lobster,

Oh, No! I was just spraying thoughts around when I wrote the above explanation of puppy-root. Had I imagined it might become engraved in electronic stone I would have tried to organize myself, be coherent, write real sentences, try to maybe make better sense...

I will try to do that, as soon as I can get to it. When I manage to I will post you the organized version to put wherever it may be helpful.

russoodle
Posts: 707
Joined: Fri 12 Sep 2008, 17:36
Location: Down-Under in South Oz

#24 Post by russoodle »

I wouldn't worry, Clam01.....seems perfectly articulate to me and an excellent, helpful explanation, thank you :)
The mud-elephant, wading thru the sea, leaves no tracks..

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#25 Post by nooby »

CLAM01 I agree with Russ that it is rather easy to follow your thoughts.

But being as deep into Nooby Land as I am I still wonder about this:

When I am booting in frugal on NTFS hdd then that HDD also has a lot of
Win7 Registry and such. Okay them gave it another name. Anyway.

Most likely the intruder don't expect to find Puppy but either WinXP or WinVista or Win7 or soon Win8. or maybe Ubuntu or Linux Mint.

So what is most likely them do? Download a thing that key log what I write so them can get my login to the bank? Log in to email and forums and
that way them get to know as many password patterns as possible
that I make use of. Then them set up some kind of hidden things.

But as you point out. As soon as I shut down or reboot all that is lost
unless I do something that makes it go into pupsave?

But while I am active them have plenty of time to record every password that I use?


So if Puppy was not root then them had to use Sudo or Su or
some other trick to get into the computer?

How much more effective are that protection?

Now to something related. dpup5520 wants to build a puppy rescue
CD that is as hardened as possible so that could be worth looking into.

Do a search for him and his puprescue

postfs1

#26 Post by postfs1 »

To reedit up to date.
Last edited by postfs1 on Mon 28 Mar 2016, 01:45, edited 1 time in total.

str4y
Posts: 42
Joined: Mon 01 Aug 2011, 22:59
Location: No. California

No hiding BT, sorry. But Transmission has encryption...

#27 Post by str4y »

DPUP5520 wrote:There is a way to easily encrypt and hide torrent transmissions, unfortunately you cannot do it with Transmission as far as I know however I intentionally left the bit-torrent client in PuppyCrypt unsecured in order to divert illegal intentions.
Um, not to discourage folks from coming up with Puppy versions, but I don't think I'll be adding yours to the longish list of ones I try out-- based on this logic you put forth re "order to divert illegal intentions".. I moreso concur with the sentiment of another post, whereby my default is to use encryption wherever possible. It's just a matter of principle-- entities just don't need to be sniffing my crap, though yes, it's all legal. (I really like the HTTPS-Everywhere campaign https://www.eff.org/https-everywhere , and am glad to see it catching on (Goog being the tipping point I suppose, but why do I want to connect securely to Goog when I don't trust them? I remember yelling at my Big Name stockbroker years ago, 'WTF is with the "Some Elements Unencrypted" on pageload??') It's especially key for me as I only have net access over public wifi's!
I haven't time to find/give all the links to discussions about how bittorrent is practically impossible to do anonymously (torproject.org somewhere, certainly), as I just happened upon this thread while searching for a newish release of Transmission.. but gave up after being long out of Spare Time whilst reading threads like this one. So here's a snap from my version 2.30b for which I had a .pet laying around. The encryption referred to is of the data between peers.. I don't think communication with the tracker is generally encrypted (depends on the tracker.. run Azureus for a dizzying array of config options) but absolutely, your IP is never hideable, and the MPAA or whoever can and does send well-paid posers out to build up their databases with whomever connects with them as peer. But please, elaborate on this "easily encrypt and hide".. especially the latter.

http://imageshack.us/photo/my-images/510/trans23.png

In this process, I'm reminded of never having succeeded in searching for a good blocklist source. Any ideas?

EDIT: image doesn't seem to work, trying it as a URL for you to click..

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#28 Post by DPUP5520 »

str4y It matters not to me whether people test anything I put out or not, I do it for myself and share with others if they want to try it. Encryption doesn't really do anything for you at all anymore when it comes to most service providers due to methods that have come out to detect bit-torrent traffic even while encrypted plus it doesn't hide your IP address from the swarm.
PupRescue 2.5: http://www.murga-linux.com/puppy/viewtopic.php?t=69651
Puppy Crypt 528: http://www.murga-linux.com/puppy/viewtopic.php?t=72178

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#29 Post by CLAM01 »

nooby,
In puppy, since your puppy-root account is your user account what you have exposed to the internet is your user account only. Your pup-save file is your puppy-user "home" space. Anything that downloads and installs to your pup-save installs to your /home/user account. If something installs to your /mnt/home it installs outside of puppy. /mnt/home is the disk partition you run your puppy system in. If you run your puppy system in /sda1 (or sda2 if you have a manufacturer's partition first) where your MicroSoft system resides your MicroSoft system files are around your puppy folder (if you isolate your puppy system in its own folder) or around your puppy files (pup-save, puppy-sfs and z-sfs, or woof-build-number folder).

Normally nothing should download to, or install, to your /mnt/home, outside of your puppy ram/swap-system and your pup-save file. On regular HD frugal install puppy systems files land in, install in and add changes in your pup-save as you browse or work, so when your system saves at the end it only checks for loose ends, erases /tmp files and so forth. With SDHDs and flash-drive puppies the files hold in ram and modify your pup-save only periodically (like early linux systems normally did). Thus, it should be impossible for any more on your computer than your pup-save files to be messed with or messed up.

But do not count on this. Assume it should be so, but expect that someone may find a way to get around it. The "development" of intrusion techniques today is like the rabbit in the famous race story, with the tortoise being Moore's Law's development of chip power and speed. And we seem to be in a period right now when the intruder-rabbit is up and running.

The nearest there is to a 'su' or 'sudo', to get to a puppy's root is the update white and black (and sometimes pink and maybe other color) listing system. This system adds information to your pup-save. The information is mostly switch info. It is read at start-up, use A. before B, ignore C etc.

Until you remaster your puppy the not used and ignored remains in your pup-main-sfs. If you change your mind you can bring ones back, and, if you clear out your pup-save the original pup-main content files will be written into it. You will get rid of what you don't want, but you will have to re-customize, add again pets you had added, etc. You can get around doing all of this by setting your puppy up to suit yourself, saving it and before exposing it, copy all the files to a back-up file in your /mnt/home, or another partition. Then when you wipe your pup-save file's contents, if you think something might have been added, or become corrupted, you can copy your back-up files and start again mostly where you were.

You also want to put all your personal files in one or two over-all files in your pup-save root (puppy-root) file, so you can move those out to park in your /mnt/home (or another partition) before you wipe out your pup-save.

Theoretically your intrusion dangers should be less than with other systems. To lessen them more I recommend, rather than downloading to /root/spot or anywhere else, to set your browsers to download to /tmp, or a /tmp/downloads file you make in /tmp. You have to remember to move files you want from /tmp to other folders before you shut down. Otherwise what you have downloaded will go with your shutting down.

Your most likely sources of infections in puppies are the builds, themselves. Things that may be included by a puppy or puplet builder, or may be in or get into files built in or built with. These include things you may have in your system when you remaster your puppy. Back-doors and remotely controllable programs are among things that can be installed as parts of systems. Monitoring systems, for instance, are everywhere. A common one is a test-ping for net connection, which pings computers a domain connected to the USA's CIA. All the system does, as far as I know, is ping, but every network card having a unique mac address, the system is available for tracking, if such should be needed. Included in common net-connection programs, the system is incorporated in puppies.

Your next most likely source of infections is what is downloaded with what you download. Intruders seem to be making great progress in this area right now, working out new and better ways to get things into computers and working for them. Putting their own systems on your system appears to be easier than taking over your system, and, if they are in your system, it gives them access to all the files on your system. You don't need to crack passwords and install a rootkit if you can, instead, simply install your own little system and with it open the root files of the host computer's main system. I am chasing what appears to be a new one of these, that puppy seems to be susceptible to, right now.

As they say, you can't ever be too careful, and even being too careful doesn't always work.

Ray MK
Posts: 774
Joined: Tue 05 Feb 2008, 09:10
Location: UK

#30 Post by Ray MK »

Hi

"You don't need to crack passwords and install a rootkit if you can, instead, simply install your own little system and with it open the root files of the host computer's main system. I am chasing what appears to be a new one of these, that puppy seems to be susceptible to, right now"

That sounds a little worrying - should we be concerned?

Do we know how to protect against such a method?

Surely Puppy's smallish size, must make it difficult to conceal something
undesirable in the download.

Would we have similar concerns when using Puppy on an Arm Processor?

My questions probably show my ignorance regarding these matters,
however it does beg the question - Are we safe?

Best regards - Ray
Asus 701SD. 2gig ram. 8gb SSD. IBM A21m laptop. 192mb ram. PIII Coppermine proc. X60 T2400 1.8Ghz proc. 2gig ram. 80gb hdd. T41 Pentium M 1400Mhz. 512mb ram.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#31 Post by Lobster »

should we be concerned
We should be interested.
Where I live there are crazy people, people with guns, gangs and a police station big enough to house the KGB.

Not everyone is out to get me.

Same with security. Just because Flash is a universal browser programming language or javascript or HTML5 does not mean having to use a Tor browser and wear garlic around my neck for vampires.

Vampires may exist but chances are not worth the cost in silver bullets.

I value the input of black, gray and white hat security experts and even the hat less.
I will also run as root. I will use a major browser and I will be safe.

Thanks guys
Be safe. Feel secure
Use Puppy

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#32 Post by nooby »

Clam thanks for all the know how in that post.
Sadly I am not on the level needed to implement
that know how. I wild guess that I get most of
what you say but not being savvy enough to set it up
in practice. One need to have a talent for to be organized.

str4y
Posts: 42
Joined: Mon 01 Aug 2011, 22:59
Location: No. California

#33 Post by str4y »

DPUP5520 wrote:str4y It matters not to me whether people test anything I put out or not, I do it for myself and share with others if they want to try it. Encryption doesn't really do anything for you at all anymore when it comes to most service providers due to methods that have come out to detect bit-torrent traffic even while encrypted plus it doesn't hide your IP address from the swarm.
I don't care what you don't care about-- I was simply trying to warn innocent people off your contributions because you aren't making any sense. What you just responded with doesn't fit with what I was responding to initially:

"There is a way to easily encrypt and hide torrent transmissions"

MAYBE YOU LEFT OUT A "no" IN THERE? Makes for a super confusing forum experience. Did you read my post fully? I mean, ok, I type 70wpm so I type more than most folks, but I'm just putting out thoughts completely for a more comprehensible reading experience. Sorrrrrryy!

Pay attention-- you just responded with a defensive tone that ~"gosh, it's impossible to be sneaky with bittorrent" when I just said the same freaking thing in the post you were responding to. And I still don't understand your original statement that set me off-- that disabling encryption on your distro is to "divert illegal intention"?? Quite nonsensical. We should all be pushing for strong encryption for all our communications, even when all the contents are legal (as in my case). Why would you argue against this?
