Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Mon 01 Sep 2014, 04:20
All times are UTC - 4
 Forum index » Off-Topic Area » Security
How secure is Puppy?
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 7 [105 Posts]   Goto page: 1, 2, 3, 4, 5, 6, 7 Next
Author Message
popcorn

Joined: 26 Jul 2014
Posts: 22

PostPosted: Thu 14 Aug 2014, 19:48    Post subject:  How secure is Puppy?  

Hi

Before asking a question if the puppy could be used as a primary OS, but I wonder about the safety of the puppy, it is safe enough to be used as a main distribution interrogation
Back to top
View user's profile Send private message 
ardvark


Joined: 01 Jul 2013
Posts: 949
Location: USA

PostPosted: Thu 14 Aug 2014, 23:54    Post subject: Re: Security Puppy Linux  

popcorn wrote:
Hi

Before asking a question if the puppy could be used as a primary OS, but I wonder about the safety of the puppy, it is safe enough to be used as a main distribution interrogation


Hi...

It's safer than Windows XP right now, partly because very little in the way of malware is written for Linux. However, Puppy does not release security updates for the OS or other software that other distributions do, such as Ubuntu. Wink

Regards...

_________________
Our Lord and Savior Jesus Christ loves and cares about you most of all!

PLEASE READ! You don't have to end up here!

Last edited by ardvark on Fri 15 Aug 2014, 12:03; edited 1 time in total
Back to top
View user's profile Send private message 
mikeb


Joined: 23 Nov 2006
Posts: 8223

PostPosted: Fri 15 Aug 2014, 06:43    Post subject:  

Quote:
partly because very little in the way of malware is written for Linux.

sorry to quote but that's a common myth. rm -rf / is a virus Wink

Linux lacks the mechanisms included in windows that can be used to propagate viruses (IE, outlook, msn, WMP Auto updates and other active x based software ) In other words Linux is inherently secure and you would have to make it otherwise. Even puppy which is a little slack in some areas is magnitudes safer than standard windows. 8 years plus of pup and similar systems and not a sniff of a problem. Paranoia does not actually infect anything except the person suffering it Smile

mike
Back to top
View user's profile Send private message 
nic007

Joined: 13 Nov 2011
Posts: 677

PostPosted: Fri 15 Aug 2014, 07:40    Post subject:  

mikeb wrote:
Quote:
partly because very little in the way of malware is written for Linux.

sorry to quote but that's a common myth. rm -rf / is a virus Wink

Linux lacks the mechanisms included in windows that can be used to propagate viruses (IE, outlook, msn, WMP Auto updates and other active x based software ) In other words Linux is inherently secure and you would have to make it otherwise. Even puppy which is a little slack in some areas is magnitudes safer than standard windows. 8 years plus of pup and similar systems and not a sniff of a problem. Paranoia does not actually infect anything except the person suffering it Smile

mike

rm -rf / affectionately referred to as cleansweep. Laughing
Back to top
View user's profile Send private message 
wimpy


Joined: 22 Aug 2012
Posts: 284
Location: Essex, UK

PostPosted: Fri 15 Aug 2014, 09:21    Post subject:  

Recently there were some problems, which could have been interpreted as a virus. The received wisdom was that it was just a coincidence. In my case my Lucid installation could not run X. It set me thinking about puppy's root user and how X(say) could be disabled. Am I right in thinking that a mere change in the permissions or ownership of a critical file in the boot chain could disable X.
_________________
Lucid ,Precise, Carolina, Shiba_inu, Lx_pup - all frugal
Back to top
View user's profile Send private message 
mikeb


Joined: 23 Nov 2006
Posts: 8223

PostPosted: Fri 15 Aug 2014, 09:57    Post subject:  

Hmm running as root basically means the system can be damaged.... by the user and his/her actions or crappy installers/software.

What it does not really change is the lack of mechanisms to cause damage via the internet... ie if a virus cannot get it self downloaded, made executable and then run without user intervention then its has no potential to cause damage root or not.

If you were at the roadside it would be hard for you to cause a car to crash.... being able to grab hold of the steering wheel is required.... hope you like my dodgy parable..
The driver is root... you would be sudo as a passenger ....the roadside is the internet....I think...help ....!

mike
Back to top
View user's profile Send private message 
Latitude

Joined: 12 Jul 2014
Posts: 68
Location: Melbourne, Australia

PostPosted: Fri 15 Aug 2014, 10:27    Post subject:  

A loss of Pinboard and Drive icons affected several people, myself included, at around the time wimpy lost the ability to run X. The only common denominator seems to be that we were all running ext2 Savefiles. How hard would it be for a Troll with Linux command-line skills to "nobble" someone with an ext2 Savefile?
_________________
If it's not Backed-Up, then it isn't really yours.
You just think it is.
Back to top
View user's profile Send private message 
ardvark


Joined: 01 Jul 2013
Posts: 949
Location: USA

PostPosted: Fri 15 Aug 2014, 12:23    Post subject:  

mikeb wrote:
sorry to quote but that's a common myth. rm -rf / is a virus Wink


Were you joking? If not, are you sure? Razz Even though Wikipedia only calls it a partial list, that's still only a tiny drop compared to the number of Windows viruses.

mikeb wrote:
8 years plus of pup and similar systems and not a sniff of a problem.


Since Puppy always runs in root, I guess the above would be the main reason why. Wink

Regards...
Back to top
View user's profile Send private message 
mikeb


Joined: 23 Nov 2006
Posts: 8223

PostPosted: Fri 15 Aug 2014, 12:41    Post subject:  

Quote:
How hard would it be for a Troll with Linux command-line skills to "nobble" someone with an ext2 Savefile?

hmm sounds paranoid...we are talking about weaknesses in the system.... such weaknesses have nothing to do with said system's vunerability to the internet. And why nobble if its going to break anyway.


Not joking aadvark...security by obscurity is a myth based on a lack of understanding of why millions of computers get infected daily.

If there are a lack of linux viruses then its more to do with its not worth it since getting those viruses onto a machine is too hard compared to the easy peasy methods freely available on standard windows based systems.

No infections on linux here because ...well its too hard to do so...

I also get NO infections on windows either ..ie ZERO...NON... by removing the aforementioned software and NOTHING else...now don't tell me I am running an obscure system then...windows 2000 and XP mainly.
Oh by the way I always run as administrator. So I am the no.1 target and still OK simply bt removing bad software bundled with the system..hmmm curious.

The difference between the 2 is that on Linux I did not have to do anything to get that level of security.

Non of this is my problem...we have been surfing for 10 years with no restrictions or problems.... its very relaxing and we are free to enjoy whats out there with machines that are not bogged down with antivirus. If no one takes any notice thats fine... we will carry on enjoying the benefits....they can carry on wasting large amounts of time, money and machines.....

mike
Back to top
View user's profile Send private message 
ardvark


Joined: 01 Jul 2013
Posts: 949
Location: USA

PostPosted: Fri 15 Aug 2014, 12:55    Post subject:  

mikeb wrote:
Not joking aadvark...security by obscurity is a myth based on a lack of understanding of why millions of computers get infected daily.

If there are a lack of linux viruses then its more to do with its not worth it since getting those viruses onto a machine is too hard compared to the easy peasy methods freely available on standard windows based systems.

No infections on linux here because ...well its too hard to do so...


Hi...

But wouldn't the methods of infection be the same, in some cases? Such as e-mail, installing an infected program, USB drive, etc?

At least for the known viruses, according to the Wikipedia article, " However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat." Again, that's not counting anything undiscovered but from the small number that are currently known, I don't a large number suddenly being discovered, at least at this point in time.

Regards...

Last edited by ardvark on Sat 16 Aug 2014, 16:34; edited 1 time in total
Back to top
View user's profile Send private message 
mikeb


Joined: 23 Nov 2006
Posts: 8223

PostPosted: Fri 15 Aug 2014, 13:18    Post subject:  

Quote:
But wouldn't the methods of infection be the same, in some cases? Such as e-mail, installing an infected program, USB drive, etc?

no and that's the difference.....

Take for example an email with an image in it

outlook express displays that image using an active x control that is from the Internet Explorer fileset...mshtml.dll and related.
Part of that control's function is to run any scripts/software included in that image.... the gateway opens ...run what you like..infection complete.

No other email client can/would do this.... thunderbird treats an image as just that ...an image ... it would never try and run anything.

There are many examples of windows bundled software doing this...mshta, WSH, and anything using the trident rendering engine..... it has improved but some parts of the system are inherently insecure...the zone system for example... it does not protect but actually makes it easier to install viruses.

Mechanisms for auto updates... nice and easy to use...just provide a fake certificate.

All that is left is such as buffer overuns...those security updates that get added regularly all over the place... these are discovered by abusing software and finding if and when it loses the plot which then in theory means it can be used for naughtly purposes.... such things are hard to find.... those looking for it know about a potential problem well before anyone else and fixes are made....a hacker would not ...1.bother to work that hard and 2. would expect that patches are already out there for an exploit that was never known about and its usage is so specific that you only get a minority hit even if you tried it...so why bother when microsoft provided easy gaping holes that can be used to propagate infections written over a decade ago ...mass easy target basically.

I mentioned samba/rpc... those ports are wide open and a fresh install of windows XP can be exploited in less than 2 minutes of connecting to the net...I should know it happened to me.
Fortunately routers firewalls block this gateway nowadays or when I had a modem I disable /hacked both to block the abuse....things is what sort of company puts out software this vunerable?!

mike
Back to top
View user's profile Send private message 
someSven

Joined: 06 Aug 2014
Posts: 29

PostPosted: Fri 15 Aug 2014, 14:57    Post subject:  

Puppy is the worst Linux distro I know, when it comes to security. It has no update mechanism for security updates, it doesn't tell you, and in the forum here you'll find some people with high self-confidence which tell you there is absolutely no need to be in sorrow. Problem is, they are wrong.

Gnu/Linux is NOT inherently secure. It's maybe more secure than others, but it also depends on the distro and the user behavior. Their is also no consent that Gnu/Linux is generally more secure than Win8. MS did a lot to make their system more secure the last years. However, it's much more attractive to attack popular software than outsiders.

Security is highly about the user's behavior, but a good OS or distro helps them. Automatic security updates are a very good example for that. Ubuntu knows that: https://wiki.ubuntu.com/BasicSecurity#The_most_basic_set_of_rules
Puppy Linux is not just Linux it's Puppy Linux, Linux is just the core of the system but the stuff around in this case is not build with security in mind.

Security is more and more about browser security. Someone may steal passwords from you, if your browser is not secured. If your browser runs as root and code can be executed on your system using the browser or some plugin then everything can be done. https://www.iseclab.org/people/mlindorfer/xplatform_poster.pdf (carefull, pdfs in the browser can freeze old machines).

It also depends on your thread model, if you are something like a political activist or journalist, the danger of being attacked is much higher. The number of viruses for Linux are not relevant for that. Attacks are possible, you may be targeted directly, and if you're use old software it will be much easier.

Another point is that you don't know in every case when you've been hacked. Your computer may be part of a botnet ddosing down some websites, sending spam mails every day, private pictures or business data may circling around the net, or your PC may being used by fraudsters to go shopping with stolen credit card data - and you wouldn't recognize. If your computer is newer you even may mining for some crypto-currency without knowing it.

Reasons why criminals are not targeting Desktop Linux on a huge scale yet are not at least cause Gnu/Linux users are normally installing their software from a repository they trust, they are updating their machines, and are generally more careful then many Windows users. If we stop behaving like that, then Gnu/Linux on the desktop will become a more interesting target. The danger of being hacked cause the lack of security in Puppy may be low, if your are not a journalist, activist or some other VIP, but you would help to decrease the 'herd immunity'.
I'm still using it for the moment, but installing some updates manually, at least browser and Flash. However, I plan to switch my main distro away from Puppy. It's not bad for some stuff and maybe really good sometimes, but I personally won't use it as main distro since I know about the problems and the culture behind them.

For very old computers AntiX (http://antix.mepis.org/) may be a alternative. But then you'll need more effort to learn about Gnu/Linux, and using it will be harder (at the beginning). For newer computers their are more alternatives with LXDE or other light desktops, on http://distrowatch.com you'll have plenty of choice.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 9061
Location: Stratford, Ontario

PostPosted: Fri 15 Aug 2014, 15:26    Post subject:  

I have always contended that Puppy should have a "safe browser" desktop icon linked to this script:
Code:
#!/bin/sh
su -l -c "PATH=$PATH LANG=$LANG DISPLAY=$DISPLAY defaultbrowser" spot
Back to top
View user's profile Send private message 
mikeb


Joined: 23 Nov 2006
Posts: 8223

PostPosted: Fri 15 Aug 2014, 15:41    Post subject:  

Quote:
Problem is, they are wrong

perhaps svenSven you are wrong.
Quote:

Gnu/Linux is NOT inherently secure. It's maybe more secure than others, but it also depends on the distro and the user behavior. Their is also no consent that Gnu/Linux is generally more secure than Win8. MS did a lot to make their system more secure the last years. However, it's much more attractive to attack popular software than outsiders.

this is full of holes and does not tally with the real situation....that last statement is a painfully common myth for example.
Until you realise and accept what you are dealing with nothing will really change.

All I hear is you re-iterating information from sensationalist internet magazines and other 'news' sites as if journalists have the handle on computer security.

Windows 7/8 have been wrapped in cotton wool thats all... some of the mechanisms are still there.... some now require user intervention....
It could only be 'better' as before it was awful...indeed without microsofts criminally bad approach to security the world of computers may have never got to know what a virus was.... And why did it take them over a decade to clean up their act...these problem were well known about in the late 90's?

mike
Back to top
View user's profile Send private message 
greengeek

Joined: 20 Jul 2010
Posts: 2509
Location: New Zealand

PostPosted: Fri 15 Aug 2014, 15:48    Post subject:  

someSven wrote:
Security is highly about the user's behavior, but a good OS or distro helps them. Automatic security updates are a very good example for that. Ubuntu knows that

It is all about trust. Why would you trust Ubuntu with the security of your computer? Do you believe that the writers of Ubuntu code are all good guys with good intentions? Not a chance.

Take a look at who wrote the Stuxnet virus. Take a look at who writes Google code that allows full disclosure of your personal information. Take a look at who writes Microsoft code and security updates over the last 15 years - these are all trustworthy people? No way.

Ever seen a malware program that masquerades as beneficial "PC cleanup software". Yup. You see that every day. Ever had a phone call from an Indian helpdesk wanting to establish a remote connection to your PC so they can help you "eliminate viruses"? Yup, couple of times a year I get that.

Recent Google Chrome versions even have such a remote control function built into them. Who needs virus protection when the real threat is operator stupidity?

The real question is - what harm can these people do to your computer?

You don't need a virus to destroy your files. All that is required is to permit one of these remote sessions that gives someone else access to your computer. Once you have permitted the remote access session to run there is nothing to stop that person issuing a rm -rf / command. No virus required.

However, if you are running Puppy from a CD or a ROM the person controlling your computer can rm -rf/ all they like - it will get them nowhere.

This is why I am currently focusing on building my Puppies using non-writable personal sfs files running from CD. I know that each boot will restore my code to it's original state.

I will never trust a security update. I will never implicitly trust that "the most recent browser is the most secure" and I will never believe that any data on a writable media like an HDD is completely safe. There is simply no way to ensure total safety.

Don't forget that the mechanisms allowing other people to view and control your PC and data is actually BUILT IN to the hardware in many cases. Some webcams and microphones can be controlled remotely (there is plenty of info about how the NSA hijacks hardware for such purposes).

HP printers and multifunctionals had to be issued with new firmware in order to lock out the inbuilt ability to redirect data to spy agencies. There are many ways that state sponsored spying occurs, and there is only so much the user can do to guard against this. Trusting in security updates that you didn't write yourself is not a reliable method in my opinion.
.

Last edited by greengeek on Fri 15 Aug 2014, 15:53; edited 1 time in total
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 7 [105 Posts]   Goto page: 1, 2, 3, 4, 5, 6, 7 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.1436s ][ Queries: 12 (0.0316s) ][ GZIP on ]