All times are UTC - 4
How secure is Puppy?
Page 8 of 8 [118 Posts]
stray_dog

Joined: 18 Mar 2014
Posts: 66

Posted: Mon 08 Sep 2014, 20:33

Actually the more I think about it is YES, please! Our universities and city have been hit really hard by bedbugs in the last couple years. And some students have taken them from building to building because they hid inside PC cases, then students take them from dormitory to dormitory. If you want to stop that you can put the PC case in a sealed bag with a strip of DDVP insecticide & leave it for a while. Heat works faster, but that's not so good for a computer tower.

I really liked what the guy said earlier about using Puppy inside a virtual machine. I am at work a lot and really like the idea of keeping Puppy running in that way so I can keep my email open all day in it & talk to my gf more securely, and still do my work in a Windows environment. Thank you. I will try it.
Teh Agnostic Anarco

Joined: 17 Sep 2014
Posts: 34

Posted: Sat 04 Oct 2014, 12:14

I'm no security expert here but no matter what OS, you can have the best security and AVs but if you are a "target" it doesn't matter.... They will get in.
mikeb


Joined: 23 Nov 2006
Posts: 11110

Posted: Sat 04 Oct 2014, 13:56

Quote:
I'm no security expert

So why are you making sweeping statements about security then?

curious

mike
Teh Agnostic Anarco

Joined: 17 Sep 2014
Posts: 34

Posted: Sat 04 Oct 2014, 14:21

mikeb wrote:
Quote:
I'm no security expert

So why are you making sweeping statements about security then?

curious

mike


Sweeping? Just 'cause I'm green doesn't mean I don't know enough after investigating, let alone forensics experts I have talked to that have confirmed this.

There is no such thing as 100% security, even on air-gapped rigs, that's all I can tell you.
mikeb


Joined: 23 Nov 2006
Posts: 11110

Posted: Sat 04 Oct 2014, 14:28

No mention of the relative ease that some systems have when it comes to insecurity compared to others.

No point in having people worry for no reason is there?

mike
Teh Agnostic Anarco

Joined: 17 Sep 2014
Posts: 34

Posted: Sun 05 Oct 2014, 11:52

mikeb wrote:
No mention of the relative ease that some systems have when it comes to insecurity compared to others.

No point in having people worry for no reason is there?

mike


I see you responded in my security thread, please go read and you will see reasons......
gjuhasz


Joined: 29 Sep 2008
Posts: 362

Posted: Thu 16 Oct 2014, 05:40    Post subject: Poodle muzzled
Subject description: New vulnerability fixed in Puli
 

Hi,

Just muzzled the Poodle vulnerability for Puli:

http://www.murga-linux.com/puppy/viewtopic.php?t=88691

Concerning security, see how Puli fights against hackers:

    * Runs in memory while the boot device (USB pendrive) is unplugged
    * Skype, (sandboxed) Chrome, etc., are opened by the spot user
    * Detects typical intrusion patterns then acts based on user profile
    * Prevents hacker attacks thru known browser exploitation frameworks (e.g., BeEF)
    * Applies other "unorthodox" tricks.


Feel free to try it out.


Have fun!

gjuhasz
Iguleder


Joined: 11 Aug 2009
Posts: 2031
Location: Israel, somewhere in the beautiful desert

Posted: Thu 16 Oct 2014, 06:26    Post subject: Re: Poodle muzzled
Subject description: New vulnerability fixed in Puli
 

gjuhasz wrote:
* Runs in memory while the boot device (USB pendrive) is unplugged


How does this improve security? The root file system is still there and fully writable.

gjuhasz wrote:
* Skype, (sandboxed) Chrome, etc., are opened by the spot user


How do you deal with privilege escalation from spot to root? I'm pretty sure there are some setuid binaries in /usr/bin - it shouldn't be too hard for an attacker to run one of them with LD_PRELOAD to gain root privileges.

gjuhasz wrote:
* Detects typical intrusion patterns then acts based on user profile


How does this work?

gjuhasz wrote:

* Prevents hacker attacks thru known browser exploitation frameworks (e.g., BeEF)


How do you deal with other attack vectors (non-browser ones, e.g. buffer overflows in servers)?

_________________
My homepage
My GitHub profile
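
An added example, not part of the original posts: one way to inventory the setuid and setgid files under /usr/bin (the directory named in the post above) so each can be reviewed, flagging any that group or others can write to. The function names are assumptions of this example, and `stat -c` is the GNU/BusyBox form.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files so each one can be reviewed.
# suid_report and suid_writable_count are names made up for this example.

# suid_report [DIR]
# Prints one line per setuid/setgid regular file: "<status> <mode> <owner> <path>".
# status is WRITABLE when group or others may modify the file, otherwise OK.
suid_report() {
    dir=${1:-/usr/bin}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")    # octal mode, e.g. 4755
        owner=$(stat -c '%U' "$path")
        status=OK
        # A write bit (2, 3, 6 or 7) in the group or other digit means a
        # non-owner can replace the contents of a privileged executable.
        case $mode in
            *[2367]?|*[2367]) status=WRITABLE ;;
        esac
        printf '%s %s %s %s\n' "$status" "$mode" "$owner" "$path"
    done
}

# suid_writable_count [DIR]
# Prints how many setuid/setgid files are writable by group or others.
suid_writable_count() {
    suid_report "$1" | grep -c '^WRITABLE ' || true
}

# Run as a script with a directory argument to print the report.
if [ "$#" -gt 0 ]; then
    suid_report "$1"
fi
```

Every OK line is still a program that runs with its owner's privileges, so the list itself is the review queue; the WRITABLE lines are the ones to fix first.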
prehistoric


Joined: 23 Oct 2007
Posts: 1726

Posted: Thu 16 Oct 2014, 15:49

POODLE is not nearly the problem that Shellshock was. For one thing, users can simply install an app in a browser like Firefox which disables SSL 3.0. When Firefox 34 comes out, this will no longer be necessary for those who upgrade.

You can test vulnerability using this page from the University of Michigan. You will also find a list of sites on that page which do not support the later Transport Layer Security (which remains secure). Some of these will surprise you. We'll see how fast various banks, etc. are at closing this vulnerability.

Exploiting this requires a man-in-the-middle attack which most kids on keyboards will not be able to pull off. You need to control a server on an intermediate site to begin. You might have as good a shot at cracking those servers on the end of the pipeline that have not kept up with changing security technology over the past 18 years.

If the site at the end of the pipe is compromised nothing you do before your data gets to them is going to matter.
gjuhasz


Joined: 29 Sep 2008
Posts: 362

Posted: Thu 16 Oct 2014, 22:30    Post subject: Re: Poodle muzzled
Subject description: New vulnerability fixed in Puli
 

Dear Iguleder,

Thanks for your questions. Let me answer point by point.

Iguleder wrote:
How does this improve security? The root file system is still there and fully writable.


On the one hand, the hacker cannot access the files on the unplugged pendrive. On the other hand, vulnerabilities like http://murga-linux.com/puppy/viewtopic.php?p=803875#803875 are eliminated.

Iguleder wrote:
How do you deal with privilege escalation from spot to root? I'm pretty sure there are some setuid binaries in /usr/bin - it shouldn't be too hard for an attacker to run one of them with LD_PRELOAD to gain root privileges.


Concerning the attacker's chances for privilege escalation, please see the attached picture. I'm not cheating. This is a real screenshot captured a few minutes ago. I admit that this is not the public version of Puli, however.

Iguleder wrote:
How does this work?


There are some simple intrusion patterns introduced in the defaultbrowser script of the "rigorous" profile, together with specific responses of Puli (as described in the profile name). Again, those user profiles are only examples - and false positive alarms might happen. More sophisticated IDS patterns could also be implemented. Blacklists and whitelists can be populated both manually and automatically in Puli. Of course, I don't think that Puli would ever grow to an IDS system such as Snort.

Iguleder wrote:
How do you deal with other attack vectors (non-browser ones, e.g. buffer overflows in servers)?


As I highlighted above, Puli, as a client, includes lots of ideas with examples that can be extended by enthusiasts (see the Crazy profile for details - the trick there can be easily applied outside of Chrome, too).

But, be sure, Puli is not intended to fight against NSA or other Big Brothers. It assumes that a typical hacker gives up if his/her attempts (through an exploitation framework) repetitively fail.

Don't hesitate to install Puli. Note that the next version is on the horizon, maybe in a couple of weeks it will bark.

Have fun!

Regards,

gjuhasz

Edit on Oct 17: The originally attached picture has been replaced with a cropped version (maybe by forum staff due to its large dimensions). So, I re-upload it now in reduced size.

Attachment: Capture21242-1.jpg
Description: In this screenshot, the spot user runs Chrome; the root user runs urxvt.
greengeek


Joined: 20 Jul 2010
Posts: 4949
Location: Republic of Novo Zelande

Posted: Fri 04 Dec 2015, 02:19

Barkin wrote:
A 2011 journal article reflects this point of view and described the vaccine-autism connection as "the most damaging medical hoax of the last 100 years".
I didn't respond to this originally because it would have been easy to drift off topic but now the thread is well cold I think it needs to be pointed out that the vaccine-autism connection is NOT a hoax.

Sadly many of the "experts" that we trust are not actually worthy of that trust. That goes for some computer security experts as well as some medical professionals:

https://sharylattkisson.com/cdc-scientist-we-scheduled-meeting-to-destroy-vaccine-autism-study-documents

Yes, I know it is off topic but it still highlights that we alone are responsible for protecting ourselves. We should never expect that our safety is best left to others. That goes for computer security and our own health.
<end of rant>
rufwoof

Joined: 24 Feb 2014
Posts: 2267

Posted: Fri 04 Dec 2015, 07:23

I run pfix=ram (pupmode 5). Since the evolution of save folders that's been made even easier assuming you run frugal puppy. Download a pup, boot, configure and rearrange things as you like, create the save folder and reboot pfix=ram again. Then rename puppy sfs to zdrv sfs (you may have to rename the existing zdrv sfs to adrv sfs if that puppy already uses a zdrv), mksquashfs the save folder to puppy sfs and reboot again. i.e. puppy in zdrv, savefolder in puppy sfs, ram booted and not saving has you reboot the exact same image of puppy each and every time, running all in ram (no HDDs mounted). Catch a virus and a reboot eliminates it. Just keep data etc outside of puppy space (as otherwise it won't be saved across reboots).

A factory fresh booted puppy booted each and every time is pretty secure. So much so I even have mine left open - available to be vnc/rdp into from anywhere (remote desktop). To protect data/docs I store those behind a second firewall.

I'm on Virgin Media broadband and their SuperHub router/modem has a firewall. I use that weakly (minor deterrent). One of the lan ports from that is connected to a puppy pc (that I can vnc into from anywhere). Another of the lan ports is connected to the wan port of the netgear router I used before having the superhub upgrade, and all other PCs are wired/connected to that netgear (which also has a firewall).

A problem with servers is that for them to be secure you have to lock them down/away. Open up holes (ports) so that they can be accessed from a distance and the vault is no longer secure. At one end you can assume a secure server/system is safe, mix that with other private/confidential systems and risk penetration; at the other end you can leave the system totally open/insecure and treat that with the respect it deserves.

Puppy is great as you can in effect do a factory fresh 'install' (boot) in seconds. Which opens up the potential to do so at each and every reboot. A factory fresh booted system with no persistence (read only) is secure across reboots, just vulnerable for single sessions (virus persists in memory until a reboot occurs).

If you do confidential/secure stuff using a puppy in the secure lan segment (behind the second (netgear in my case) router/firewall) and more general stuff from a puppy in the insecure lan segment (behind the SuperHub/cable modem router) then provided the traffic from the secure lan segment is encrypted then that's no different to the security of encrypted data being transmitted across the internet.

Currently my 'open' puppy is more for home control type functions in mind. Calling home remotely, a few web cams and maybe some power outlet control (on/off switching) etc. That's presently booting via read only CD, but I'm considering PXE booting it via a port opened into the secure lan segment (tftp is pretty much a one way street). That reduces the kit down to being just a combination of a VGA port to the TV (monitor) and a network card for net booting/internet access (keyboard and mouse type control performed via remote login (smart phone, wireless keyboard, another PC etc)).

Puppy can be as secure if not more secure than the alternatives. It can be as insecure as you like. More often it's not system security that matters, but more human (in)security issues. As secure or insecure as how those systems are used. If you use a PC that has been used to browse here-there-everywhere, and perhaps downloads/uninstalled loads of stuff over time without being reset back to factory fresh (newly reinstalled), then there's the potential that at one instant briefly in time something undesirable might have made itself resident in that system, compromising any subsequent secure transactions/actions. Puppy used sensibly circumvents that risk.
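
The reboot-as-reinstall approach described above depends on the SFS files themselves staying unchanged between boots. This added example (not from the thread, and not Puppy's own tooling) records SHA-256 hashes of the `*.sfs` files in a directory and later reports changed, missing or new ones; the function names and the manifest file are assumptions of the example.

```shell
#!/bin/sh
# Added example: baseline and verify the SFS images a RAM-booted system loads.
# Assumes sha256sum and awk are available and file names contain no spaces.

# sfs_manifest DIR
# Prints "<sha256>  <filename>" for every *.sfs directly in DIR, sorted by name.
sfs_manifest() {
    ( cd "$1" || exit 1
      for f in *.sfs; do
          if [ -f "$f" ]; then sha256sum "$f"; fi
      done | sort -k2 )
}

# sfs_verify DIR MANIFEST
# Compares DIR against a manifest saved earlier with sfs_manifest.
# Prints CHANGED/MISSING/NEW lines; returns 0 if identical, 1 if anything differs.
sfs_verify() {
    now=$(sfs_manifest "$1") || return 2
    report=$(
        printf '%s\n' "$now" | awk -v old="$2" '
            BEGIN {   # load the saved baseline: name -> hash
                while ((getline line < old) > 0) { split(line, a); was[a[2]] = a[1] }
            }
            NF {      # one line per image present right now
                seen[$2] = 1
                if (!($2 in was))       print "NEW " $2
                else if (was[$2] != $1) print "CHANGED " $2
            }
            END { for (n in was) if (!(n in seen)) print "MISSING " n }
        ' | sort
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use (paths are placeholders):
#   sfs_manifest /path/to/frugal/dir > /path/to/offline/manifest.txt
#   sfs_verify   /path/to/frugal/dir   /path/to/offline/manifest.txt
```

Keep the manifest somewhere the running session cannot write to, otherwise whatever altered an image could also rewrite the baseline.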
greengeek


Joined: 20 Jul 2010
Posts: 4949
Location: Republic of Novo Zelande

Posted: Fri 04 Dec 2015, 15:09

rufwoof wrote:
If you use a PC that has been used to ....... without being reset back to factory fresh (newly reinstalled), then there's the potential that at one instant briefly in time something undesirable might have made itself resident in that system.
I think that is an important point. There really is no guarantee that any system (even puppy) can remain online forever without some form of compromise - so regular reinstalling to a known safe state should be part of our routine. As you point out Puppy allows us to lock up our personalisations in an sfs or a remaster so that we no longer have to capture every transaction and system change that occurs in our daily sessions. A puppy set up like that means a reboot is as good as a reinstall (and much quicker and simpler).

It is really not safe to have a Puppy running forever without reboots (I know some people do it but I don't think it is safe when used online).