How secure is booting from internal SD card?

[rufwoof]

my usual way with puppy is to run using tmpfs and create a save sfs at shutdown which gets loaded at the next boot back into tmpfs.... if I want to i can choose not to save at shutdown so will revert to the last save on the next boot.

Sounds interesting, but over my head. Is that creating a sfs of /initrd/pup_rw using something like mksquashsfs at shutdown and then loading that sfs at bootup?

If so my /initrd/pup_rw is 1750MB total with 125MB used - I would have thought that it could take quite a while to 'shutdown' (create sfs) ???

One thing that's bothered me is that despite having 1.5GB of RAM, my 'savefile' icon in the tray always shows that 1.7GB in total available. Is it just assigning 200MB out of the 2GB swap partition space I've created/allocated? At the time I just created swap to be larger than the amount of actual memory, thinking that was a reasonable choice. But perhaps 200MB might have been a better choice ?

[mikeb]

Yes the tmpfs layer must be adding swap space to calculate its size and can therefore be larger than your actual ram.

No harm in having a larger swap although its obviously going to use some of your hard drive. As you can see you have plenty of room though without the swap the tmpfs has to be shared with software ram usage and /tmp, shm etc if used.... eg in your case a figure of ~900MB is more likely for pup_rw without swap. I quite like having room to spare as its handy for such as printing and some flash video.

In your case the 125MB of data would be saved (such as /tmp are not which may be in that 125mb).... I normally use it uncompressed so its the time it takes to write 125mb... about 2 seconds on my crusty olde systems. To usb would be slower I expect and light compression might be worth considering...there are some builds of mksquashfs using low compression for sfs which adds aroud 20% but gives a major speed increase and of course reduces the file to be saved compared to uncompressed...something I have toyed with. (originally I used tar but puppies initrd only supported a crappy version of it)

Another one to consider are things like browser caches being saved so always worth looking at ways to keep trim. My saves are usually between 30 and 60MB which only takes half a second to create and load.

All good stuff

Mike

[rufwoof]

Thanks.

I'll stick with just running in ram - with the option to create a savefile as and when needed (until another remastered puppy sfs is performed).

One thing I've just noticed is that under load/stress testing, running with ram uses a lot less of memory space than when running with a savefile. Loaded up Openshot running blender to create a 3D animated title, mplayer watching a video, firefox with one window running a youtube, another watching BBC news video, a range of others on other web sites; abiword, gnumeric, galculator, leafpad, mtpaint all running; audacity loaded, xvidcap running to capture the desktop video (screencast) - and in total got up to using just over 700MB of memory according to HTOP - with all of 4MB of swap having been used.

From what I remember, running with a savefile and memory usage was higher when loaded up to a similar heavy load.

More a case of the single CPU being the bottleneck (100% loaded), memory much less of a issue.

[mikeb]

Cant remember if this was a usb or hard drive save file in your case.

Tmpfs/pup_rw does not show up in memory usage but the kernel still accounts for it.... soo if you are running in ram only, that which is free for applications will be reduced and such apps will normally request less memory or the kernel will make it so (watch for example how firefox usage drops if something else fills yer ram. ) With a save file and no tmpfs (hard drive) then more ram is available therefore apps can take more cos they can....so it can appear as if more is being USED but really more is being ALLOCATED because more is available.

That's just a simplistic view but you get the idea, I hope, of why there appears to be a variance... the demands of aufs will be pretty much the same and usually amounts to only a few MB.

Hope that makes some sense.

mike

[rufwoof]

Thanks Mike. Get the idea, thanks.

[greengeek]

I wish to know if booting from a SD card is as secure as booting from a live CD. .

I do remember reading on another thread of one puppy member who used the SD card with it's write lockout switch set as you suggested and he said he had no problems booting or running. That might mean that some puppies WOULD allow you to run like that.

I wonder if it is possible to boot the PC and then REMOVE the SD card, just as it is sometimes possible to remove the Live CD after booting.

533t_vesa_mesa.iso (or 533t_nvidia.iso for systems with Nvidia graphics card) weighs in at 250MB (260MB), but only around 100MB for the Puppy ISO part (rest is extra's i.e. SFS's that can be loaded for flash, abi/gnumeric, openshot/audacity). https://drive.google.com/folderview?id= ... sp=sharing

Thanks for the link. I will be giving that a try to see if it handles my older nvidia card.

built in SD slot seen as an internal drive seen as sdb1 not USB.

I don't think the sdxx tag indicates an inbuilt drive - my understanding is that the SD interface will still be via a usb port, just as other external ports are. (The SD is physically built into the case, but still seen as an external drive attached via usb interface Ithink)


With regard to the general risks of using the internet, as James pointed out it is often the person behind the keyboard who creates the vulnerabilities, but there are also factors beyond our control that allow security breaches. eg: Heartbleed and Target:
http://thesovereigninvestor.com/2014/04 ... eartbleed/

Basically, nothing on the internet is truly secure.

[greengeek]

"pupsgreat" also initially had the boot problems when using write-protected SD cards but made some very useful comments about how he got his SD cards to boot when write-protected here:
http://www.murga-linux.com/puppy/viewtopic.php?t=87004

(Basically sound like he had to go to ext 2 instead of ext 3 formatting)


I had a thread concerning trying to set up an HDD based puppy as read-only (never quite got there...). Forum member JRB had some interesting ideas about using startup scripts instead of a savefile. ETP had some suggestions too. Might be worth a read for ideas.
http://www.murga-linux.com/puppy/viewtopic.php?t=87004
.

[rufwoof]

In your case the 125MB of data would be saved (such as /tmp are not which may be in that 125mb).... I normally use it uncompressed so its the time it takes to write 125mb... about 2 seconds on my crusty olde systems.

Copying /initrd/pup_rw to Hard Disk /mnt/sda4/1/pup_rw = 95MB and a few seconds (save). That includes /root/cache and /root/.mozilla directory changes, so browser has all of its prior history etc. after rebooting.

After booting, merging that HD saved copy back into /initrd/pup_rw - around a second.

Really neat idea. Thanks Mike, very interesting. Not something I'll be adopting myself however as all my email is in the cloud and for general/casual browsing I use portable firefox that retains all of its bookmarks, cache etc anyway (outside of savefile). For banking I automatically download the latest copy of firefox and don't add any addon's/extensions to that. As such my inside savefile space doesn't really change, so I have little need to save/restore those files/content.

[rufwoof]

533t_vesa_mesa.iso (or 533t_nvidia.iso for systems with Nvidia graphics card) weighs in at 250MB (260MB), but only around 100MB for the Puppy ISO part (rest is extra's i.e. SFS's that can be loaded for flash, abi/gnumeric, openshot/audacity). https://drive.google.com/folderview?id= ... sp=sharing

Thanks for the link. I will be giving that a try to see if it handles my older nvidia card.

I believe that Nvidia drivers are fully backward compatible (the reason why their driver files are so big), so in concept I suspect it would be OK. Will be interesting to see if you can confirm that however. I'd appreciate it if you would keep me posted on your findings. Thanks GreenGeek.

[mikeb]

For Nvidia each new Xorg and video card drivers are merged into the binary blob up to a cutoff when they start over with newer hardware...so yes indeed thats why it grows...also can mean an older smaller build will normally be fine if your card/xorg is somewhere back in time.

As for the pup_rw save... yes does it nicely to give a 'normal' alternative to the save file. You just add the opration into the boot and shutdown to automate it. Also mksquashfs is used excluding some folders in the same manner as multisession eg no /mnt, /dev, /tmp and so on.
If you have a decent amount of ram than its nice and does leave you floating in ram which is handy for say netbooks to spin down the drive but stiil retaining the convenience of a full save. Also means boot media (USB) can be removed.
Doing a one off save would mean there is a preconfigured sfs and then subsequently never save.... if we are talking about security purposes.

I found most SD card slots appear as usb devices rather than true mmc ones which does make life simpler.


mike

[Py]

Thanks for this thread folks.

Rufwoof, wondering what system you use when online shopping with debit or credit card?

[rufwoof]

Rufwoof, wondering what system you use when online shopping with debit or credit card?

I'm a relatively new Puppy convert from XP. My HD still has XP on it, boot with no CD - loads XP. I kept it thinking I'd use it more often, but haven't touched it for a month or so now.

I boot from CD with no savefile each and every time which loads up a thinned down version of slacko5.3.3t (thin slacko). i.e. browser, abiword, gnumeric, geany ... and others all stripped out. In my home directory I have a quick_firewall_and_sound script, so when I log on its set locale, click CONNECT, click quick_firewall_sound and its more or less ready to go, but with no browser. Also in my home directory I have two firefox scripts, one firefox_bank that downloads (30MB) the latest firefox and nothing else, the other downloads and auto loads firefox with several add-ons (no script, zoom, flash block) - which I use for more general surfing. My connection speed often runs at 75Mb/sec so the dowload is quicker than the time it takes to load firefox - I do however also keep a local copy (SFS) of the latest firefox.

I also have a portable-firefox (and portable libre office) installed on my HD, so that's another choice (even more adds ons, book marks etc) that's used for general surfing.

Email - via online account(s).

I wont enter my credit/debit card details anywhere other than with a site I'm happy with, and after having rebooted into firefox_bank mode. Most sites let you create a basket so you can load that up as desired, but then shutdown/reboot into 'safe' mode before returning to pay the bill (check out).

Currently takes around 2 minutes to reboot into 'safe' (firefox_bank) mode (as it copies puppy sfs from CD into RAM which takes around 20 seconds or so), which for me is acceptable. I suspect I could get that down a lot however with some tweaking (not searching several drives for save files etc.) but so far that sort of time doesn't bother me (put kettle on while initially rebooting).

I absolutely love LiveCD (ram) booted puppy as in normal/general mode I can do whatever I like knowing that if the session get corrupted then a couple of minute later (reboot) its all back to normal again (load/try PET's and SFS's etc to my hearts content). The downside is that your opsys/gui (desktop) configuration is more or less cast in stone - at least until you make another remastered CD to accommodate any changes. Very lean core Puppy, with all other desired/needed things being loaded as PET's, That lean core is generally quite fixed now and I'm remastering much less frequently (more or less have a stable CD that I'm happy with).

I store no data in the savefile space (HOME is empty other than for config stuff).

Most of my shopping is via pre-arranged/established accounts - so just a case of entering userid and other access questions (card details already held by the seller) - which I do using firefox_bank. Generally I'm only entering my credit/debit card freshly for the likes of paying for holiday/trips.

I'm aware of many of the risks having worked in IT security in the past and feel more comfortable using a fresh read only CD opsys with fresh browser, all loaded into clean RAM when exchanging financial data. What some might consider to be inconvenient/excessive doesn't IMO justify the greater exposure to identity/financial theft (having seen the consequences of such endured by others first-hand).

[mikeb]

having seen the consequences of such endured by others first-hand

for reference what setup/systems/software would they have been using when this happened?

mike

[Py]

Thanks muchly for that Rufwoof. And thanks for telling us you used to work in IT security.

I had read about how you do your banking, and that was what prompted my question about credit card use. I see the merits of using a purpose built cd and the fresh cd boot for banking, and now see that you basically use the same setup for credit card use. Sounds good to me.

I did not know that you could reboot just for entering your card details after you had got to that point at a shopping site. I guess you somehow save the URL at that stage of the buying proceedure and then reenter it after reboot.

For myself, wondering if I would really need to download a fresh Firefox for each banking/credit card use? Could there not be some other browser used solely for that? Watching my broadband cap here

I am still using Xp and am currently using Comodo Internet Security with it. Currently I do not do internet banking.

Thanks again.

[rufwoof]

For myself, wondering if I would really need to download a fresh Firefox for each banking/credit card use? Could there not be some other browser used solely for that?

I've only set it up that way as its then a simple wget script (to get firefox from mozilla) which on my internet speed is just a few seconds download time. Storing a SFS of your favourite browser would suffice equally as well. That could be included on the CD and loaded instead of downloading.

The key thing is not to load any plugins/addons, nor go to any other web sites before or after. i.e, reduce/eliminate the risk of being exposed to potential hacks/cracks.

I am still using Xp

A Puppy LiveCD is great for dual running as there's no need to do anything with the normal XP hard disk. Just set BIOS to boot CD before HD and when you want to run Puppy leave the CD in and reboot, oherwise remove the CD and reboot. Puppy can share the HD space (save/read data etc) and be used to store puppy files (SFS's/PET's etc).

Mike

what setup/systems/software would they have been using when this happened?

- for individuals mostly your favourite avoid Windows, IE, Outlook etc. I was also involved in both small and large scale, triple layered firewall systems, and systems/protocols spanning a wide range of hardware/software (Honeywell GCOS/DPS's, IBM/Amdahl mainframes, Netware, Unix .. all sorts). More often, most weaknesses/threats/penetrations arose out of practices (human security/error). For instance in one case after spending several million on IT security it took less than half a day to penetrate a corporate system and send a internal memo to the IT director - all because the front desk security staff at one of their offices were too casual. That was however all way-back in a prior millennia.

[rufwoof]

I am still using Xp and am currently using Comodo Internet Security with it. Currently I do not do internet banking.

Increasingly becoming a case of where you have to IME - at least if your later in life (wrong side of 50). High Street savings accounts near 0% interest (lag inflation), online accounts provide better rates (match/exceed inflation).

I had thought that a liveCD would be useful for the relatively infrequent online banking stuff that I do given Windows stopping XP support. A CD that would mostly sit in the draw in readiness for such activity. In practice its become my primary bootup choice now and XP is the one collecting dust.

Light boot CD (no geany, browser, abiword, gnumeric etc), and with Libre Office and Firefox as portable apps on the HD (and email via online accounts) near totally covers what I use the PC for, for daily casual activities (news, message boards, youtubes etc.). Whilst being a 2 minute reboot to use the same CD for banking purposes.

I did not know that you could reboot just for entering your card details after you had got to that point at a shopping site

Most of the sites I use do have a shopping basket/checkout type setup. Where you don't have to fully finish/complete in a single session/visit. Or some other choice of returning later. Some do however use cookies to store your preferences so using a 'different' system/browser obviously loses that 'record'. Generally however I wouldn't trust giving credit card details to such sites (only trust established businesses/sites where more often you have to set up an account with them before being able to make financial transactions).

[mikeb]

Hmm I seem to be using windows even more nowadays.... and migrating to XP is slowly happening ... mainly due to SDK changes forcing out 2000 if new software is desired.
Been playing with windows 7 and its interesting as you can fully hide IE and outlook for example through the control panel...even putting a web address in the file browser no longer works. So files may still be present but avoidance seems to work since the likes of active desktop have been dropped. My feedback from clients when it first appeared seemed to suggest the only problem they had was when when certain employees insisted on grabbing dodgy freebies randomly off the net. So far that view seems about right.

Actually my question was more a case of do you know ANYONE who has had identity theft/banking breaches using say firefox or any other of the alternative browsers? Its a possibility that is often cited but no one has come back to me with any results yet so i figured you were a likely candidate.

Your download firefox seems a bit drastic and not so good on dial up or say 3G.
May I suggest for tin foil purposes a separate profile be created and used...it could be arranged to be volatile using methods described earlier.
running with say firefox --no-remote -P kiosk allows side by side running of firefox with the profile kiosk ... that profile could be anywhere (/tmp for example) by editing profile.ini so providing a separate session without having to reboot that could be dumped easily and revert back to pristine.
I actually use it so I can have 2 ebay accounts up at the same time (they get messy with their cookies sometimes if you use one browser.)
Portable opera is another way... make it discard everything when shutdown. sfs are indeed read only and I would consider thicker foil... great for those brief software encounters.

I internet bank and use a debit card on various sites and have done for a decade so do like to keep abreast of how the net is with regards to money exchange. Since my partner also does the same its nice to be able to run things safely while keeping usage transparently normal for the user.

I am not casual towards security...I hated getting viruses and was determined to stop it happening....and the process was not an overnight quick fix either...it required much research and testing.
Still researching now....

mike

[Sylvander]

I use Acerose Password Vault v1.02 to store all my passwords and stuff.
It's both safe->[multiple auto backups+manual backups] AND secure->[contents encrypted].
Generates random passwords of any length, using various character sets, the user specifies.
Especially useful for banking and buying at Amazon.
It's a portable program that I run using WINE within various Puppies [no longer run it using Win200Pro].
I guess I could use it within WinXP, but probably won't.
It's really good.
I've used it for years without any problems.

[mikeb]

Hmm always curious about this one...I don't store passwords ANYWHERE... I thought that was the idea?

mike

[rufwoof]

Actually my question was more a case of do you know ANYONE who has had identity theft/banking breaches using say firefox or any other of the alternative browsers?

Its been quite a while since I was privy to who had endured losses/theft. I do recall however a number of instances of users who primarily/only used Netscape.