Lighthouse 64 5.14.2 Beta 4

gcmartin

#211 Post by gcmartin »

Q5sys wrote:...
gcmartin wrote: There is NO SUCH THING AS WHEN YOU NEED IT. WE Need it.
I really hope you're exaggerating when you say that. If you aren't... well I'm not even going to comment.
I agree with that last sentence. Let's move on to helping as best we can.

OK.

Here to help

meeki
Posts: 122
Joined: Mon 23 Jul 2012, 04:48
Location: Portland OR

#212 Post by meeki »

Hey lhpup team.

Awesome ideas about automation and java.

Sorry, I was sick all last week. And today is my last day of midterms for my jr fall term.

I took a look at the java music server and it's kinda cool. It's not really secure but imo that comes down to your router settings and if it can handle up to layer 5 inspection.

As for needing it now, I've been trying to finish up lhpup record so I and others can make some more how-to stuff. I think that there are enough of us packagers around to handle compiling pets for the needs of lhpupers.

You may have to wait a few weeks but for something that is free and works well that's not much to ask.

I like the fact that puppy is small and lhpup is small. We have fewer goals but they tend to be community driven. We have a fast os that is understandable and tweakable.

meeki
Posts: 122
Joined: Mon 23 Jul 2012, 04:48
Location: Portland OR

LHPUP Record

#213 Post by meeki »

LHPUP Record is ready for beta!

Hey everyone, I got it done.

LHPUP Record is a Video Screen Recorder (Record desktop)

I made a video of it in use here.
http://youtu.be/4WFUcZiRKFA

LHPUP Record pet

http://dl.dropbox.com/u/12968946/lighth ... d-0.09.pet


md5 check
http://dl.dropbox.com/u/12968946/lighth ... 09.pet.md5

Thanks for the support and help to everyone below.

**********************
tazoc
**********************
http://www.lhpup.org/
http://www.murga-linux.com/puppy/viewto ... &start=195

Basic LHPUP (puppy) help. Support of his OS let me write and compile all code in his OS with ease.
He has been there for me and the rest of his users supporting the os we love.


**********************
smokey01
**********************
http://www.smokey01.com/
http://www.murga-linux.com/puppy/
http://www.smokey01.com/software/Fatdog ... 64-1.0.pet

For support of his code found in his pet recorder-fd64-1.0.pet and giving me a good look at what works to solve sync issues of video and sound.

**********************
Lobster
**********************
http://www.youtube.com/watch?v=gUwMCMjVXL8
http://www.murga-linux.com/puppy/viewto ... 519#613319

For inspiring me to start the project in the first place. I happened upon his program first... then ran with it. The recording gui for the stop and start stuff came from borrowing ideas from his code.

**********************
zigbert
**********************
http://www.murga-linux.com/puppy/viewtopic.php?t=38608

For his GtkDialog tips (more like a manual) I was able to learn how to make a gui for LHPUPRecord


**********************
others
**********************
everyone in the LHPUP thread that PM'ed me or wrote support in the thread kept me going. Even when the code got messed up and I thought I'd never get it done your support kept me going.
Last edited by meeki on Sat 27 Oct 2012, 19:43, edited 1 time in total.

meeki
Posts: 122
Joined: Mon 23 Jul 2012, 04:48
Location: Portland OR

free time

#214 Post by meeki »

Hey LHPUP fans

My teacher canceled class today so I now have 8am to 1pm of unexpected free time.

I'll check back here every 30 min.

What this means for you ?

If you need a pet or have a fix you want looked into now is the time to ask. I'm donating my time for any issues you have for the next 5hrs solving them.

Meeki

Puppyt
Posts: 907
Joined: Fri 09 May 2008, 23:37
Location: Moorooka, Queensland
Contact:

#215 Post by Puppyt »

Hi meeki,
actually PMing you at the moment on other matters, but just spotted your notice here. With regard to gcmartin's and Q5sys' recent postings on java in this thread re security policies, I noticed that I couldn't find a sfs, only a pet, for java in LH64. Do you think it would be feasible to fill that gap (if I have completely overlooked a compatible SFS somewheres)?
Cheers
PS Sorry haven't tested LHPUP Record yet - good work :)
Search engines for Puppy
[url]http://puppylinux.us/psearch.html[/url]; [url=https://cse.google.com/cse?cx=015995643981050743583%3Aabvzbibgzxo&q=#gsc.tab=0]Google Custom Search[/url]; [url]http://wellminded.net63.net/[/url] others TBA...

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#216 Post by Q5sys »

Puppyt wrote:Hi meeki,
actually PMing you at the moment on other matters, but just spotted your notice here. With regard to gcmartin's and Q5sys' recent postings on java in this thread re security policies, I noticed that I couldn't find a sfs, only a pet, for java in LH64. Do you think it would be feasible to fill that gap (if I have completely overlooked a compatible SFS somewheres)?
Cheers
PS Sorry haven't tested LHPUP Record yet - good work :)
http://lhpup.org/sfs/514-x86_64/JavaRE-7u7-x86_64.sfs

Puppyt
Posts: 907
Joined: Fri 09 May 2008, 23:37
Location: Moorooka, Queensland
Contact:

#217 Post by Puppyt »

Many Thanks indeed, Q5sys -
I didn't see it in the LH64 PPM - but a closer look shows only fd64 there - will uninstall the java pet and download the sfs forthwith,
:oops:

[EDIT: what about an sfs of the other "evil twin", Flash-XX.X.etc? https://www.owasp.org/index.php/Categor ... ty_Project I haven't got the tinfoil hat out yet, but I would like to sleep a little easier, knowing that Puppy is safer by design, than that of the MS and OSX models...]

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#218 Post by Q5sys »

Puppyt wrote:Many Thanks indeed, Q5sys -
I didn't see it in the LH64 PPM - but a closer look shows only fd64 there - will uninstall the java pet and download the sfs forthwith,
:oops:

[EDIT: what about an sfs of the other "evil twin", Flash-XX.X.etc? https://www.owasp.org/index.php/Categor ... ty_Project I haven't got the tinfoil hat out yet, but I would like to sleep a little easier, knowing that Puppy is safer by design, than that of the MS and OSX models...]
http://puppy-linux.org/lhp514/Flash-11. ... x86_64.sfs

Puppyt
Posts: 907
Joined: Fri 09 May 2008, 23:37
Location: Moorooka, Queensland
Contact:

#219 Post by Puppyt »

:oops: :oops: Thanks! for the Flash link - I'm buttoned up now...

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#220 Post by Q5sys »

Puppyt wrote::oops: :oops: Thanks! for the Flash link - I'm buttoned up now...
No need to be embarrassed. The Flash SFS is something I made for my system; it wasn't on any of the LHP sites until I uploaded it to my backup site. :)
Enjoy.

meeki
Posts: 122
Joined: Mon 23 Jul 2012, 04:48
Location: Portland OR

LHPUPRECORD & Subsonic

#221 Post by meeki »

Thanks to smokey01 beta testing I worked out a few bugs in LHPUP Record

new build notes:

# Fixes
- Smokey01 noted return to menu no explanation if dir is false. Changed initial start dir to "/" to not risk this.
- Smokey01 noted lack of audio. Turns out that some audio cards lack channel selection in ffmpeg with alsa. now hw:0,0 also gives option for only card as hw:0

# Improvements
- added check for dir selected. if not found tells user to pick a proper dir. then sends them back to main selection

_________________________________________________________________

****** to solve your audio prob select alsa hw:0 and not the default of hw:0,0
_____________________________________________________________________

LHPUPRecord-0.09

PET
http://dl.dropbox.com/u/12968946/lighth ... d-0.09.pet
MD5
http://dl.dropbox.com/u/12968946/lighth ... 09.pet.md5


:)

meeki
Posts: 122
Joined: Mon 23 Jul 2012, 04:48
Location: Portland OR

#222 Post by meeki »

puppyt says:
Here's perhaps a project for you meeki - a java-based media server http://www.subsonic.org/pages/index.jsp. Would it be feasible to compile this in a 64-bit environment, or would a suite of lighter applications for media serving in Puppy do, instead? More nooby-friendly GUI's for Monkey- and Samba- servers perhaps, already in LH64?
Subsonic
Well, got it done. Took some figuring on killing the PID process.
Used the code found for Samba-Server and tweaked it for my uses. No author at the top of file in the bin folder so I don't know who to credit?
Added java version checks to it so if user does not have java he's not left hanging wondering why it does not work.

Subsonic

(req java 6.x.x or higher)

PET
http://dl.dropbox.com/u/12968946/lighth ... ic-4.7.pet

MD5
http://dl.dropbox.com/u/12968946/lighth ... .7.pet.md5


I think I'm going to become the maintainer of java pets in LHPUP; this now makes #3

meeki
Posts: 122
Joined: Mon 23 Jul 2012, 04:48
Location: Portland OR

#223 Post by meeki »

LHPUPJAVA

All the java sfs's / pet's for LHPUP can now be found at:
http://lhpupjava.puppytune.org/

I will keep it up to date and place any new pet's / sfs's here from now on.

this way people don't have to scroll through the threads any more looking for them.

gcmartin

FLASH and JAVA in LH64

#224 Post by gcmartin »

A CLARIFICATION!!! I WRITE THIS AS IT SHOULD BE PUT INTO FOCUS!

There are NO experienced or reported exposures in LH64 in its presentation of JAVA or FLASH....NONE!

I am not suggesting that anyone who "perceives" a threat should not take steps to protect themselves.

But, it is TOTALLY ERRONEOUS to suggest that because Microsoft/Apple may have exposures, that it THEREFORE CARRIES OVER TO Puppyland.

This is inaccurate.

Again, I, as well as many others applaud the presentation of LH64 and what it has done in the 64bit community of Puppyland. It produces a simple and easy to use distro that is secure, flexible, and tremendously functional for any/all new users and experienced users as well. The experienced ones in the community know how to manipulate and change whatever they feel necessary. Newbies and lesser experienced users can use this distro OOTB without the need to install ANYTHING to do everything they can do from the top 10 Linuxes as well as Microsoft and Apple. This is an incredibly safe, stable, and effective distro for anyone who is in this community. LH64 is one of the, if not the, easiest as a full featured PUP as is offered in the Puppyland. Well positioned, and well thought-thru.

NOT ONE OF US CAN PRODUCE ANY...I REPEAT..."ANY" EXPOSURE THAT HAS CAUSE FOR SECURITY LOSS.

And, until someone shows an exposure, to "ALLUDE" that LH64 is somehow compromising our use is inaccurate and wrongly positioned in this thread!!!!!

Again, said differently, NEITHER, JAVA NOR FLASH COMPROMISES LH64,OOTB! Not in the past, not now!

Here to help

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#225 Post by Q5sys »

gcmartin wrote:A CLARIFICATION!!! I WRITE THIS AS IT SHOULD BE PUT INTO FOCUS!

There are NO experienced or reported exposures in LH64 in its presentation of JAVA or FLASH....NONE!

I am not suggesting that anyone who "perceives" a threat should not take steps to protect themselves.

But, it is TOTALLY ERRONEOUS to suggest that because Microsoft/Apple may have exposures, that it THEREFORE CARRIES OVER TO Puppyland.

This is inaccurate.

Again, I, as well as many others applaud the presentation of LH64 and what it has done in the 64bit community of Puppyland. It produces a simple and easy to use distro that is secure, flexible, and tremendously functional for any/all new users and experienced users as well. The experienced ones in the community know how to manipulate and change whatever they feel necessary. Newbies and lesser experienced users can use this distro OOTB without the need to install ANYTHING to do everything they can do from the top 10 Linuxes as well as Microsoft and Apple. This is an incredibly safe, stable, and effective distro for anyone who is in this community. LH64 is one of the, if not the, easiest as a full featured PUP as is offered in the Puppyland. Well positioned, and well thought-thru.

NOT ONE OF US CAN PRODUCE ANY...I REPEAT..."ANY" EXPOSURE THAT HAS CAUSE FOR SECURITY LOSS.

And, until someone shows an exposure, to "ALLUDE" that LH64 is somehow compromising our use is inaccurate and wrongly positioned in this thread!!!!!

Again, said differently, NEITHER, JAVA NOR FLASH COMPROMISES LH64,OOTB! Not in the past, not now!

Here to help
gcmartin,
I'm approaching this comment as someone who works in the computer security field to someone who is not as knowledgeable in the IT security field. So please don't take this as a personal attack against you because IT'S NOT!!!! However, I'm going to take a guess that computer security isn't what you do for a living. The reason I say that is because your statement is factually false.

An exploit in a software program, such as flash, is independent of OS. The exploit within the program itself is the vulnerability. If your argument was valid then there would be no reason to ever update Firefox or Opera or any other program just because an exploit has been found in a windows version of whatever program.
Computer exploits do NOT always boil down to what OS you are using. Example: Cross Site scripting attacks have nothing to do with what OS you are using. They will work on any incorrectly coded browser. Whether that browser is on Windows, Mac, or Linux. This is the very reason that when an exploit is released Firefox (for example), updates ALL of their versions across every OS platform.

An exploit in Firefox (for example) is just that. AN EXPLOIT IN FIREFOX. It doesn't matter what OS it's running on, the browser has the exploit. The same holds true for Flash and Java. An exploit in Java can be completely OS independent.

Example needed? Here is an example of the java exploit being used against a linux computer. It doesn't matter that the exploit was originally discovered on windows... since it's a java exploit it works across every version of Java that wasn't properly patched.
Image

Also see: http://www.metasploit.com/modules/explo ... ned_applet For systems that another java exploit works against.
Metasploit project wrote:Exploit Targets
0 - Generic (Java Payload)
1 - Windows x86 (Native Payload) (default)
2 - Linux x86 (Native Payload)
3 - Mac OS X PPC (Native Payload)
4 - Mac OS X x86 (Native Payload)
Would this attack work against LHP running an older version of java? Yes absolutely. *Why do you think TazOC released an updated java package as soon as it was out?* Has it been done by anyone in this small community, probably not because there's no point wasting time and effort on something that will work because it's program based and not OS based. We simply update our software and move on with our lives.

I understand your mindset, from a person who doesn't work with these issues day in and day out, your viewpoint seems completely logical and it seems like it's common sense. However sadly in the IT security world, things don't always work as everyone thinks it should. Sometimes the facts are VERY counterintuitive.
I speak for myself, and I believe that everyone else would agree, your insight into some areas of puppy is fantastic. However I feel this is one area, where your knowledge, or perhaps lack thereof, is going to prompt you to make statements which are incorrect.

gcmartin

flash-java in LH64

#226 Post by gcmartin »

Understood
Example needed? Here is an example of the java exploit being used against a linux computer. It doesn't matter that the exploit was originally discovered on windows... since it's a java exploit it works across every version of Java that wasn't properly patched.
But, if you are suggesting that this exploit is being used against someone of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, as having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH as ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompany these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#227 Post by James C »

http://krebsonsecurity.com/2012/08/secu ... -released/

If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
If you plan to keep Java on your system, update it now. The exploit being used in the wild now has been shown to work against Windows, Mac and Linux systems running Java 7 Update versions 1 through 6.

Jasper

#228 Post by Jasper »

Hi,

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

My regards

Jasper

#229 Post by Jasper »

Hi again,

With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.

With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.

My regards

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

Re: flash-java in LH64

#230 Post by Q5sys »

gcmartin wrote:But, if you are suggesting that this exploit is being used against someone of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, as having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH as ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompany these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help
It seems that the basis of your argument is that, since we are unaware of anyone using LHP getting attacked by this vulnerability (in java); we should not worry about it or be proactive.
A) We have no way of knowing if someone HAS been hit by this exploit or not, because not everyone who has downloaded or used LHP is on this forum and actively reporting all their issues.
B) Even if we knew as an empirical fact that not a single user of LHP was hit by this exploit, it shouldn't matter. Just because something has not happened yet, does not mean that it won't.
Pretty much every security expert on the planet has said that certain programs which are known to be buggy should only be used when needed. This is, in fact, common sense. The same reason we don't have apache software running on our home computers. Yeah, it could give us some benefits for sharing files on our own local network, but the problems it introduces FAR outweigh the benefits.

Yes, Java can do some pretty cool stuff. But what benefit is a java music player? Is it better playing media files over a program coded in C or C++?
If we have a choice between two programs for playing music, one java and one C++ based. It makes more security sense to use the one that's not based on a horribly exploitable code platform. Unless the java based one offers some amazing feature that users simply can't live without... the cost/benefit analysis would tip in the favor of the non java based program.

This isn't about raising fear level. It's about educating people as to the potential risks involved in certain software packages. Fearmongering would be saying "NEVER USE JAVA OR YOUR COMPUTER WILL BE HACKED AND YOUR BANK ACCOUNT DRAINED!"
I don't think anyone who is speaking out about java being used is going to that extreme. We are simply saying (in my mind at least), know the risks you have, and use java only when it's needed. Java does not need to be running or active on my machine when I'm sleeping or out at the store shopping. For anyone to say, Java is great to use, use it all the time, and don't worry about the vast multitude of exploits for it; is doing nothing but promoting ignorance of the risk involved in using java.


Ignorance is NOT bliss. To argue that, since we don't know absolutely that there is a problem, we should act as if there isn't one; is silly. I'm not in any way advocating that we shouldn't use java at all. On the contrary, I have it on my system. But I install/uninstall it as I need it for certain programs. There is no benefit for me having it active when I'm not using it. All java does when not being used is introduce another attack vector into my system.

That's why I keep Java and Flash as SFS files. I can load them when I need them, and unload them the rest of the time. A simple shell script could be written to load the SFS and activate the program I need, and then at program shutdown unload the SFS from memory. I haven't done so because I don't consider it a hassle to mount/unmount the SFS if/when I need it.
Jasper wrote:Hi,

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

My regards
To start off I'll quote the mantra "Backup often, backup early"
Second, you should have your backups stored on removable media somewhere other than attached to your computer.
Malware that is set to "explode" can only work if it's lying in memory waiting to initiate. If/When it does it can only affect any storage device attached to your computer. A backup hard drive in your drawer won't be touched. So... if you do get popped, you can reload and go.
One reason I use frugal installs is so I can back up my system (my safe file) as often as I want. If one gets corrupted all I need to do is reinstall my system and copy the backed-up safe file to my computer and I'm back in business.

As for A/V malware protection for linux. There are some. I personally use ESET Nod32 for linux. But.... it's not free. Ironic you asked this, because I was working on packaging up an AV program for LHP this weekend and coming week. I was going to package up ClamAV. I prefer Nod32 because of its heuristics that actively scan memory. I find that it's far superior to other AV products at detecting unknown viruses.
That being said though, an AV product can't guarantee protection against application exploits. It may be able to detect some through scanning programs in memory and what changes they are attempting to make, but it can't promise much. Once an exploit is known, usually AV companies do add those definitions into their products.
Jasper wrote:Hi again,

With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.

With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.

My regards
I don't know much about that... but this might be what you're looking for:
https://addons.mozilla.org/en-US/firefo ... word-wrap/
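
The load-on-demand wrapper described in post #230 (mount the Java or Flash SFS only while one program needs it, then unmount it), sketched as an added example that is not code from the thread or from any Lighthouse package. It assumes a plain read-only loop mount of the squashfs image rather than Puppy's own SFS loader; the names `run_with_sfs`, `SFS_MOUNT`, `SFS_UMOUNT`, `SFS_ROOT` and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: keep a plugin SFS mounted only for the lifetime of one program.
# Assumption: a read-only loop mount stands in for the distro's SFS loader.

# Mount/unmount commands are overridable so the wrapper can be dry-run without root.
: "${SFS_MOUNT:=mount -t squashfs -o loop,ro}"
: "${SFS_UMOUNT:=umount}"

# run_with_sfs IMAGE MOUNTPOINT COMMAND [ARGS...]
# Exit status: the command's own status, or 2 if setup failed.
# The body runs in a subshell so its traps and variables never leak to the caller.
run_with_sfs() (
    [ "$#" -ge 3 ] || { echo "usage: run_with_sfs IMAGE MOUNTPOINT CMD [ARGS...]" >&2; exit 2; }
    image=$1
    mnt=$2
    shift 2

    [ -f "$image" ] || { echo "no such SFS image: $image" >&2; exit 2; }
    mkdir -p "$mnt" || exit 2

    # Refuse to stack on a directory that already has something mounted on it.
    if grep -qsF " $mnt " /proc/mounts; then
        echo "$mnt is already a mount point" >&2
        exit 2
    fi

    $SFS_MOUNT "$image" "$mnt" || { echo "mount of $image failed" >&2; exit 2; }

    # From here on the image is attached: always detach it again, whether the
    # program exits normally, fails, or the wrapper is interrupted.
    trap '$SFS_UMOUNT "$mnt" || echo "warning: $mnt is still mounted" >&2' EXIT
    trap 'exit 130' INT TERM

    # SFS_ROOT tells the program where the image is; the bin directories added
    # to PATH are an assumed layout inside the image.
    SFS_ROOT="$mnt" PATH="$mnt/usr/bin:$mnt/bin:$PATH" "$@"
    status=$?
    exit "$status"
)

# Example call (placeholder paths):
#   run_with_sfs /path/to/JavaRE.sfs /mnt/javare java -jar /path/to/app.jar
```
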
