How secure is Puppy?

[ardvark]

Take for example an email with an image in it

outlook express displays that image using an active x control that is from the Internet Explorer fileset...mshtml.dll and related.
Part of that control's function is to run any scripts/software included in that image.... the gateway opens ...run what you like..infection complete.

No other email client can/would do this.... thunderbird treats an image as just that ...an image ... it would never try and run anything.

Ahhhhhhhh, ok, I didn't know this, thank you.

I mentioned samba/rpc... those ports are wide open and a fresh install of windows XP can be exploited in less than 2 minutes of connecting to the net...I should know it happened to me.

I thought the Windows XP firewall was supposed to stop things like this?

Regards...

[mikeb]

I thought the Windows XP firewall was supposed to stop things like this?

yeah...make it insecure then add software to protect it cos they are the good guys

Bit like selling a door with no lock and then selling you a burglar alarm.

mike

[mikeb]

Hey greengeek missed yer post...so that's why I don't have a web cam and mic ..... they would get a nice shock seeing me in the morning.

I suppose I always maintained vehicles myself as I did not trust garages.....

mike

[Galbi]

And what if we make a real life experiment?

Supose that I say: my Lucid 5.28 with public IP 200.45.89.xx will be online from 9 am to 9 pm.
Your mission Jim, if you dicide to accept it, is to get the content of a .txt file that I put in /root
Of course the firewall will be on.

How easy/difficult could be to get that file?

I can offer my PC to do the experiment if there are skilled enough people interested in.

The prize? A big push to the winner ego.

[greengeek]

...so that's why I don't have a web cam and mic ..... they would get a nice shock seeing me in the morning.

Oh, by the way - if you happen to be doing something interesting in your bedroom at night, please make sure your Android smartphone is locked inside a lead lined box. Hate to find those pics and wavs all over the internet

Disclosure: I only suffer from a mild case of paranoia. Anyway it's not my fault. My brain gets affected by all those people following me.

[greengeek]

How easy/difficult could be to get that file?
.

Do you have teamviewer installed?

[Galbi]

How easy/difficult could be to get that file?
.

Do you have teamviewer installed?

No. no, the idea it's to break a standard Puppy's security.

Something like ethical hacking (don´t know if this is the correct name).

[mikeb]

Yes that would be a great test...another test be would be to download and run a file.... something that just popped up and said 'hi its me' you know like happens on windows all the time...ok not MY windows but you get the idea. If we are equally secure/insecure it should be no problem.

Or make a webpage to do it...don;t care really. Javascript popups don't count...has to actually get properly into the system.


No smartphone either greengeek.... I am not thee inspector gadget of hardware users unfortunately....perhaps my subconcious is in charge of such things.

mike

[someSven]

All I hear is you re-iterating information from sensationalist internet magazines and other 'news' sites as if journalists have the handle on computer security.

I got this specific information about Windows becoming much more secure while the last years, from a interview in a security podcast with a security specialist. I don't care if it is a bit more or less secure, it clearly makes some stuff better than Puppy Linux. User behavior is also very important, and how the OS and it's community influences it, and Puppy with it's community here is doing bad work in this sense. At least Win keeps your browser and Flash up to date.

> email client ... activeX ...

That MS does something bad is an excuse for Puppy to do something else bad? You just need to open a link to a malicious website with your old crappy browser and Flash, and your are done. And again, we are not talking Windows vs. Linux-Software here, but Puppy vs. more secure Systems.

I also condemn your kind of answers like 'if you don't like Puppy Linux then go and use Windows', like you did in another thread. And again: Puppy Linux is not just Linux, it's Puppy Linux. Linux is the core (kernel), but the way how the distro is designed is also important. I'm using old computers, so if I change my OS I'll change the Linux distro.

It also tell a lot that this discussion here has been moved to a Off Topic area, to prevent this whole issue becoming more widely recognized and discussed. You better start talking about how we inform users that Puppy is not for everyone and how it can be made more secure, instead of misleading users and answering criticism with personal attacks.

@greengeek: You are speculating about security updates with backdoors and mentioning a lot of other stuff, while regular Puppy is open for everyone. Old browsers with old Flash aren't secure, period. Everyone who tells something else has not clue or has other bad reasons.

@Galbi: It's about users which are using this distro to surf the net, also on questionable websites, watching videos and playing games online, receiving phishing mails, and links to malicious websites.


> mikeb wrote: Yes that would be a great test...

No, it's obviously not. Who is using his computer this way? And what would some test like that prove if no one here had the knowledge to hack into it, but others have.

> Or make a webpage to do it..

Not OR, this would at least make a little more sense. However there are exploits for old browsers and Flash, why should there be tests extra for Puppy?

[Sylvander]

You just need to open a link to a malicious website with your old crappy browser and Flash, and your are done.

The only time I ever saw something dodgy happen in Puppy:
I had gone to a website...
And strange things began to happen...
Windows were opening displaying the content of the Puppy optical disk.
It was obviously unable to change any of those files.
So I began closing windows...
And as fast as I closed them, more were opening.
So I hit "Ctrl+Alt+backspace" to drop to a command prompt, and rebooted.
Once back into Puppy, the problem was still there, SO...
I shut down, and rebooted using a different "live" Puppy CD, and deleted the pupsave file for the 1st Puppy and replaced it with a recent backup copy.
Rebooted back to the 1st Puppy, and the problem was GONE.

I thought that was a good outcome.

[jamesbond]

someSven, if your criteria for security is "must run latest software" and "must auto-update whenever someone publishes a CVE" then yes, by that definition, Puppy is not secure.

However the titular question is "how secure" ... (and not "is it secure or not?"), thus the answer would be a range. And whether puppy would lean towards "secure" or "insecure" end of the range, would depend on the criteria (and weights) one uses for evaluation.

It's more interesting that the "popcorn" guy/gal who started this thread never says anything back; he's probably enjoying the mud-slinging shows we're doing for him/her (while eating his/her popcorn ).

[darry1966]

Quote "It also tell a lot that this discussion here has been moved to a Off Topic area, to prevent this whole issue becoming more widely recognized and discussed. You better start talking about how we inform users that Puppy is not for everyone and how it can be made more secure, instead of misleading users and answering criticism with personal attacks. "


It is filed under security - which is the way the discussion has been going, Seems a perfectly logical place to put it. It is there for everybody to see and probably come up in google search anyway I hardly think anybody is trying to hide anything - so no conspiracies there.

[anikin]

Do you trust your wife, is she honest with you?
Absolutely!
We've been married for 3 years and she hasn't stolen a dollar from me.

[wimpy]

It is filed under security - which is the way the discussion has been going, Seems a perfectly logical place to put it. It is there for everybody to see and probably come up in google search anyway I hardly think anybody is trying to hide anything - so no conspiracies there.

This whole sector is labeled as Off-Topic i.e Topics that are not puppy related. I expect to see in Off Topic Security, discussions of a general nature on rootkits, trojans etc. But this thread was decidedly on-Topic, since it specifically asked the question "How secure is puppy?" and it should not be treated as not-puppy-related.
There are questions one could ask about puppy
1. Would you use puppy to do on-line banking? Would your bank let you?
2. Why do most linux distros insist on you not logging in as root, but instead use sudo to do most housekeeping?
3. Linux distros regard wine as a major security risk, and try to discourage its use. I think there is at least one puppy distro which has it pre-installed.
So while most of the faithful here take solace in the fact that they are not (as yet) a target, it is possible that in future disgruntled trolls may decide to take advantage of the open door. Any institution which advertises itself as 100% secure is inviting people to rise to the challenge.

[darry1966]

Flash is the moderator take it up with him again I have no problem with where it is. It has not been removed, Alien abducted whatever.

[dancytron]

I think the answer to the OP's question is it depends how you use it.

I use Windows XP for lots of stuff and Puppy (and lately Debian Dog) just on the side.

But if I am going to do something dodgy, like go to a site that I think might have viruses, opening email attachments that just got me too curious to delete, or be clicking unknown links on Twitter etc, I use Puppy. Why? Because with a Frugal Install set up with no save file or so only save changes when I tell it to, there is no way anything can hurt me. It can download all the viruses it wants, when I reboot, nothing gets saved. Or, almost as good, you can back up your save file and if you have any problems delete the virus'ed save file and replace it with the back up. (edit-also no script in the browsers)

If you so a full install or don't backup your save file, install java to run in your browser, and run straight off the internet with no router or firewall is Puppy secure. Hell no. But if you set it up with security in mind, it is totally safe.

[dancytron]

meant to edit and replied to myself, admin pls delete

[greengeek]

You are speculating about security updates with backdoors and mentioning a lot of other stuff, while regular Puppy is open for everyone. Old browsers with old Flash aren't secure, period. Everyone who tells something else has not clue or has other bad reasons.

You are raising good points. This is an important discussion. However, I do not agree with your belief that newer software is always more secure. That way of thinking is the same one that has led countless Windows users to apply thousands of 'security updates' to all manner of software over the last 15 years, without ever once reading what they were installing.

Trust=Laziness=Stupidity.

There is a reason that Steve Jobs would not permit Flash to be used on Apple products - he knew that it could not be made secure. He was very clear about that. So the question is - if Steve Jobs rejected Flash as inherently insecure why should we falsely believe that newer versions are safe? It is better in my opinion to treat all versions of flash as faulty and insecure.

The only people who are at risk from insecure Flash versions are those who are using computers in the belief that they are safe. Those of us who KNOW that Flash is unsafe can take other measures to keep our operating systems secure. The problem is when people PRETEND that newer=safer.

Is HTML5 any safer than Flash? Depends on your point of view. HTML5 contains code that allows the vendor of the webpage to control what your PC does with the data. Do you feel secure that your PC is controlled by the DRM policy of the webpage vendor? Do you feel happy that the webpage reports your data usage patterns? I don't.

The next questions are - if the internet is a bad place then:
1) Who can you trust?
Answer: Nobody. There is no corporation in the world who you can trust to put your own security first. Each computer user must make their own decision about how much of their data they are exposing, and what steps they take to control the security of the operating code in their computer.

2) How can you best ensure your safety?
Answers:
- Keep your data offline when using the internet. ie: do not mount your data drives. Do not plug them in.
- Disconnect your webcam and microphone when browsing.
- Use an operating system that is read only. ie: boot your operating system from a 'closed', read only CD or DVD
- Reboot frequently. Understand that ANY operating system can be deliberately or accidentally corrupted while running in RAM. In other words, your code could be hijacked during an online session and the behaviour of your machine can be altered for bad purposes, without your bootable code having been altered. At least this malicious code will be deleted upon the next reboot.
- Avoid buying usb sticks and SD/microSD cards of the brand that was used for the Stuxnet virus.
- Check any new usb stick for hidden partitions.

It is important to recognise that some governments REQUIRE that software manufacturers and ISPs etc create and maintain spyware backdoors in the hardware, operating system, programs, websites or data streams for the purposes of tracking the behaviour of citizens. These corporations are often uncomfortable about keeping such things secret, but nevertheless they HAVE to permit this level of spying by law.

I recall many years ago I was taught how to use an early unix based CAD system and the tutor explained to us that the person who designed the systems' security had added a backdoor to allow them to regain control of the system if something went wrong with the login module. So we all had to remember "MPXGOD" as the over-riding system password to give full administrator access to everything. I remember reading that Windows 98 had similar code grafted into many of it's modules too. No doubt the Windows of today is much more secure but there will still be such backdoors.

The reason I feel puppy is secure is that it allows me to make the decisions about who I trust, and who I don't trust. I can trim out code that I don't like - and I can choose to use a really old puppy if I want basic functionality without overblown code. How can other Linuxes take up an entire DVD? What the heck is in that code????

[someSven]

> Sylvander

And you think malware is always doing this kind of funny stuff, just to get some attention? Files can be accessed without opening windows, and browser data can be stolen.

> jamesbond

I suppose it was me writing a P.M. to popcorn, not to use Puppy as main distro, which made him opening this thread.

> darry1966

Sorry, messed something up. There was a area which I couldn't read while not logged in. I thought the thread was moved there, and so not accessible by visitors and search engines.

> wimpy

1. Banks are not checking your OS, but maybe your browser. I never saw that.
2. For the root thing there is an good explanation, you may search for it. I don't see this as a problem, but I'm also not saying I'm an expert on security or Gnu/Linux. I'm using most Internet programs as spot.
3. Having Wine installed should not be a problem, and using it also not if it is done with carefulness. There are many Pupplets for special purposes, and not in every case the need for high security is important.
> in future disgruntled trolls may decide to take advantage of the open door.
Actually it wouldn't be a troll thing but a business opportunity. The thing is, only a small amount of users is registered here, and I wouldn't know another way to find them. In some point the naively fraction is right, you can't easily differ Puppy users from the Linux herd and so Windows users would still be a more attractive target.

@all
Is there a way to use Puppy Package Manager (PPM) with the shell, and script it? Or is there another shell tool to search the packages like PPM? If some people wanna address the mentioned problems, then we'll need something like that to write some scripts. On the other hand, if only access to ubuntu-precise-main is needed, then good old apt should do it? Would it be that simple?

[darry1966]

[quote="someSven"]> Sylvander


> darry1966

"Sorry, messed something up. There was a area which I couldn't read while not logged in. I thought the thread was moved there, and so not accessible by visitors and search engines. "



I can confirm I have read the thread logged in and out.