How secure is Puppy?

[Smithy]

You are a true Gentleman Anikin.

And I appreciate that you were very annoyed about the ican fiasco.
And your input is vital about flags and any other stuff.
But you still use Puppy I guess? Hope you do.

Anyways after ripping out that bit, putting in no script, bark bark bark's xpi specials tips (ask him) and a few firewall presets that won't even let you get on the internet if you go to extremes, what's left?

The rest of the internet and other weak systems I would say.

I would hazard a guess the billion or so password harvests didn't come from Puppy.

Mike B, have you managed to grab that text file from Garibielli's computer yet?
And yes, it is always a bit daft when an erroneous click brings up three (or more) instances of the same program. Just a quirk, liveable.

Back to the Question. How secure is Puppy?

[mikeb]

Mike B, have you managed to grab that text file from Garibielli's computer yet?

ah I just realised what you were asking and no... I would not have a clue about how to do that and suspect it borders on the impossible... emailing viruses is much much easier.
I might grumble about puppy but never on the grounds of insecurity.


plug and play...thats the hardware detection...
no this is the bit where it whizzes past you going through every file on a usb stick to see if it can run anything and will give it a go while you sit there and watch your system melt...turning it of is obscure but a bit of googling will find the answers.... you can have it auto open the folder but not try and run anything or simply not respond at all and you click on the drive to get access.

mike

[stray_dog]

no this is the bit where it whizzes past you going through every file on a usb stick to see if it can run anything and will give it a go while you sit there and watch your system melt

Oh! *That!!* Yes I've experienced that! Man I hate that! That darned thing used to drive me nuts! Yes, I get you. Such a relief to turn it off. I still remember the earlier days when I plugged something into windows xp and it would *only* ask me oh, would you like to run this, open this with windows explorer, save this, show you a picture, or what? And I thought well that's nice, it's trying to be helpful, But uugghhh - the running through every folder? No thank you.. It's nice to have options to turn it off. I just want it there so in a minute or two I can go find something on it or save something to it, thank you. One of the things I like about Puppy security is that it doesn't automatically mount drives, unless you specifically ask it to, but it will show you that they are there. Of course in my first month I couldn't figure out if a drive was mounted or not, but that was because I was ignorant, right?

Back when xp was ending support, both my gf & I were looking around. She liked LPS, especially at work because her work folks were like not even noticing that um, yea, support ending, hello! She was able to do a lot. A *lot* of what she needed to do. But when we were working with Puppy, she liked it more. Because LPS didn't give her the choice to mount a harddrive or not, and how and when. It wouldn't display hard drives at all. But once she knew what she was doing with Puppy, the control was in her hands, and she knew what she was doing. It was perfect. Learning, and control.

Mike B, have you managed to grab that text file from Garibielli's computer yet?

Actually I think the real question is have "Smithy" and "anakin" been able to yet. This *is* an open source do-ocracy, after all. Right? I've been touching this for 6 months, but I see those guys have been around longer than me. Okay. Cool, I like that. And there's always someone around longer than oneself. At the same time, I already know what Attack Pup is, and I've seen that there are youtube tutorials on how to use nmap, metasploit, and several other things in Attack Pup that I sure as hell don't know how to use. Yes I see Backtrack exists, and I see Kali exists & people are working with them. Awesome. That being said, I have not seen anywhere on the internet where two people offered up their machines to be audited by anybody and everybody, until now right here. That being said, I kind of thought folks would be jumping at the chance to try to audit these machines, especially the folks bringing up the topic of worries about security. Not seeing that yet, though.

micko did really put a switch in. But let's not take it as an act of generosity - it is not. As a matter of fact, it makes things much, much worse. What was previously hidden as a crappy, little secret (and for a good reason), now has become an embarrassment for Puppy Linux and the community. An ugly genital wart exposed for everyone to see.

Well, one might perceive things that way, but for me, that is just ... ummm ... not so much that way, as it is a service to me, and my girlfriend too. Personally I'm grateful to mick01 for his extensive work and expertise - I and my girl are benefiting from him every day. So. At this time in my life, I like to use open wifi networks, and I like them to be stable. Sometimes if it's good, I'm fine. But if it's not good, I can establish a static IP address, and that helps. What's the first step in doing that, when I'm on an unsecured open wifi network, like a coffee shop or a market or a pubic university network? Find out what the external IP address is of whatever the hell network I've connected to. Please take note, that's not "my" IP address, that's the IP address of the network and router I have voluntarily accessed. Then, I need to find out more information, like my subnet mask, etc. Never mind the mac address of my wifi card or whatever that actually *is* local to this particular machine I'm typing on now. If I've offered up my machine to be audited, would you prefer to audit a machine with a static ip address, or a dynamic one? If my ip address details changed in the middle of a hack because I was walking between buildings or a rainstorm happened and a different ap was more available, how would that affect an attack or audit in progress?

I would hazard a guess the billion or so password harvests didn't come from Puppy.

Yea exactly - each and every day, when we hear of xyz being breached, it's not Mr. John Smith in Austin Texas USA, it's not not Ms. Austri Toivonnen in Finland or Norway. It's the stores and the banks that are being breached. Hacks to their credit card reader machines, hacks to this or that, etc. A *lot* is going on.

When you look at it structurally, from a practical design perspective, there is no use in expending a lot of energy to hack one single persons system, unless you're after what is only on their system and no where else. The vast majority of hacks now aren't to individuals, but are to overarching systems. But. Some users fall victim to stuff that makes them vulnerable to being used in attacks on resource-rich targets. As individual users, we still have a responsibility to care for ourselves & stuff in general. So part of me doing my job is to make it as hard as I can for criminals or anybody else to use my stuff to make trouble. So, I'm learning about that. I have a lot to learn.

At the same time, I went to work today with my Puppy usb and on my lunch hour helped my network guys to delete stuff from our system that was really irritating them for about four days now. That may seem ho-hum boring to some people, it might not smell right to some folk, but it wasn't to the guy next to me or my boss.

[mikeb]

I think my simplistic comparison is that Windows is /was inherently insecure by default and has to be made secure and linux is the opposite...ie secure until you decide to do otherwise.

As for autoscan...thats real good fun with a crammed full 1TB drive....unless you need a sleep. I also noticed a nice slowdown in booting when one is attached compared to linux. Indeed.... nothing mounted until asked I used to dislike but then realised the protective beauty of such. Especially on say a laptop where the drive can snooze away saving itself and the battery.
When booting pup for example the window's partition is effectively absent....just feels better that way.


As for the topic.... I believe a large percentage of puppy users are BECAUSE of security...and have enjoyed it ever since... it comes free with the free OS.... thats a bargain in anyones book

mike

[Smithy]

Mike B, have you managed to grab that text file from Garibielli's computer yet?

Actually I think the real question is have "Smithy" and "anakin" been able to yet. This *is* an open source do-ocracy, after all. Right? I've been touching this for 6 months, but I see those guys have been around longer than me.

Apologies to forum member Galbi (not Garbielli lol).
You're quite right Stray Dog, I would have a bash at it, but I wouldn't know how to hack in, would need a howto, so I deferred to Mike B and possibly other seasoned linux experts who could possibly do it. I guess it is very hard and not woith the effort. Impossible is an encouraging word Tick.

At the same time, I went to work today with my Puppy usb and on my lunch hour helped my network guys to delete stuff from our system that was really irritating them for about four days now. That may seem ho-hum boring to some people, it might not smell right to some folk, but it wasn't to the guy next to me or my boss.

Well it sounds like you have got a good little system for cleaning up, which is Puppy as a Swiss Army Knife is great at, but my point was that with Puppy as the system, one wouldn't have to do a lot of that.
Of course it depends on the types of databases being computed and whether that system could be ported, imported or otherwise. And that is a risk for some companies.
I do love speeding up comps tho' Windows is good, but for certain things Puppy just absolutely flies. Especially 'dem bones 'dem customised barebones.

[someSven]

Here some lists of vulnerabilities your system has, if you don't update your Software:

Browser & Mails
https://www.mozilla.org/security/known- ... onkey.html
https://www.mozilla.org/security/known- ... refox.html
https://www.mozilla.org/security/known- ... rbird.html

Ubuntu (Puppy's base)
http://www.linuxsecurity.com/content/bl ... y/172/168/

Every vulnerability has been successfully proofed, by some attacking software or procedure.
(exploit: https://en.wikipedia.org/wiki/Exploit_% ... ecurity%29)
This is why there are fixes for these vulnerabilities. Better download them, if you can... Oh, you have to check it all few days on your own, cause your OS won't tell you they exist.
Incantation may be a alternative: Just say "I'm not using Microsoft software, and I hate them, so I am secure!" or "Everything is insecure, but I trust in Puppy!" 10 times a day, and never anything happens to you! Even if you are a political activist in a repressive country, or if you open all the links in your mails or in FB, or if you surf on porn sites, illegal streaming or hacking sites! The incantation will protect you almost perfectly!

[mikeb]

The mechanism may have been prooved... bit like feeding rats petrol and recording the effects. Not disputing the existance of hypothetical exploits. Note its software developers investigating these directly or other devs at their request NOT those who which to exploit who would see such exploits as too complicated and already patched.

But there seems to be a total lack of any recorded actual cases of (puppy) systems being exploited... the missing link...if I google for instances of Windows being exploited the hits are way beyond one persons ability to read them all in a lifetime...its just taken as 'normal' that computers get infected in some way. I see it as something totally unacceptable and a major hindrance for the vast majority of computer users....Microsoft...well they ARE guilty of creating this situation thorugh reckless design decisions and only started to clear up their mess years later...that's criminal negligence in my book.

Its not about blind faith but ways of effectively safeguarding oneself on the internet... sorry of our approach appears too easy but sometimes the answers to a problem are. I did my research... took action and enjoy the results.

mike

[mikeb]

By the way still waiting for some test links.... no good saying something is insecure....need some hard evidence if you want the jury to listen.

mike

[mikeb]

Just to get a bit technical you will find many of the 'exploits' to be of the form of
'causes a buffer overrun which could potentially allow a malicious attacker to run some arbitrary code'

Ok to expand on that... they have not created a virus in a lab ready to do harm. In a language such as C and C++ variable handling is extremely primitive... the coder has to literally account for every byte and clock them in and out of the stack. if they do not do their house keeping well, then bytes can end up outside of the known variable area and indeed can overrun into another variable (string/number)

Thats it. Now that overrun data usually causes a segmentation fault...the system/kernel says all is corrupted and getting out of hand stop now and that's it.
In order to do anything other than that, someone would have to arrange for the overflowed bytes to be in the form of executable code to do harm and to have it overflow in a place that would cause it to actually do something rather than crash the program. That's not exactly easy to put it mildly and the only person usually capable of that would be the person who wrote the original program and knew it intimately and i believe they would not want to be slotting in a virus into their pride and joy.
If some genius (who could not get a decent coding job??!!) managed this then perhaps there is a potential problem.... that is unless the recipient is running as a user and is not using that specific build of a particular program which probably gets updated all the time anyway..and of course all done remotely so the attacker has little idea whats at the other end...a minority hit to say the least.

When I say this is the hard route for an attacker I am not kidding... Microsoft made it a no brainer by adding bad software in a really insecure way..a far cry from this overrun stuff... an attacker does not even have to know how to code to spread exploits. Indeed sadly I do notice peeps suffering virii that was floating around years ago.

Ok I am off to faith heal my left toe...

mike

[stray_dog]

Thank you guys, for your bringing the knowledge.

ie secure until you decide to do otherwise.

Yea, that right there, that's like my experience. Like, early on, one day I rode around the internet with a mounted hard drive, because I thought an "X" on the icon must mean it was *un*mounted. Sigh. Then I freaked out. Omg omg! Yea no it was fine. Then later, I freak out about omg xyz! Yeah no, that's fine. Then later I freak out about omg abcdefg! Yeah no, it's fine. I *was* very worried about my security. Having gone through that cycle, I don't have to freak out so much, I can relax and learn some.

autoscan...thats real good fun with a crammed full 1TB drive

uuuggggghhhhhhhhh

I would have a bash at it, but I wouldn't know how to hack in, would need a howto

That's okay, man, I am right there with you! that's alright! I am wayyy too ignorant to be able to do that stuff. I had to spend an hour looking up what those programs even were. Using them? Not a clue. I love the idea, in my imagination, but it would take me foreverrrrr to get up to speed. So I had to go back to basics, refocus on my own goals, and start to try to follow the best practices guidelines and start learning there. And hey, for me, some of it *is* boring. Sometimes I feel like I'm waiting for the other shoe to drop, waiting for the next big one. And when it doesn't happen, I'm like ohhh kay, I'm bored now. Then I can get on with whatever the point of me even doing a computer thing even was in the first place.

point was that with Puppy as the system, one wouldn't have to do a lot of that

Yea, I have very limited experience, but I agree 100%. For me, it's safer in ways that I didn't know, & haven't understood yet. Like, when I thought oh man, I'm surely screwed now, no it's alright. I actually had to put effort in to messing up my pup. And yea, fast! I like fast.

I'll try to digest the stuff you guys are talking about - thank you. I really need to get some sleep though now, I am wiped. And oh wait! This -

By the way still waiting for some test links

Ya know, this afternoon I had this thought. What if we had a thread on the forum where people who were really into hacking, penetration testing & auditing could say hey, I'm into that. And then people who were worried about their security could say hey, let's get together. Now sure, if we're worried about a particular xyz we can ask on the forum about it, sure. But what if we had a thread where folks could just arrange to meet to have their mutual interests benefit each other by getting to test their fears of security and someone else also getting to have fun if they like to have fun trying intrusion? And then letting us all know how it worked out? In a consensual way? Like a dating service, except for folks who're really concerned about security, and folks who love pentesting. Maybe I'm too tired / can't think & there's too much out of my understanding of this context. But if anybody would like that, well, there's the idea anyway, for what it's worth.

[stray_dog]

Oh wait - mikeb - good luck with that big toe. Uh, I mean left toe.

[darry1966]

Ubuntu (Puppy's base)
http://www.linuxsecurity.com/content/bl ... y/172/168/


Puppy is neither Ubuntu nor slackware nor Redhat or Arch or T2 based. Puppies based on Puppy is Puppy based using either Unleashed build system for older Versions or Woof/Woof CE building system for newer.

Puppy uses packages from those Distro's. It would be correct to say Puppy was built using those packages but is not based on them. It is an independent breed. It has it's own kernels.

[stray_dog]

Oh no, I swear this has *got* to be the last thought of my night. I have to get off the internet toute suite and sleep sooo bad. But. i was just thinking. Like, outside of Puppy in general, just thinking structurally. If someone hacks my live cd session, my whole os is in ram, is it possible to hack the ram to then hack the cpu or the bios? Is it possible to use ram to hack something that will persist and try to intrude upon ram at next boot, even without a harddrive? I have no idea. I was just thinking, man, if someone hacked my cpu or bios in a persistent manner that did that, I would be totally suckered by it. Is it possible to do such a thing? I have no idea. The bios on this laptop is locked by the former corporate owners who dumped it on the used market, so I have no idea even what the hell is in there. Anyway. The other thought was ... how secure are we, when we have packages that have dependencies upon dependencies upon dependencies? Just thinking of links in a chain, that would be a possible concern or area of risk. Not a puppy thing, but a linux thing. I could see how that could be an angle of attack, to compromise a dependency that led to access to lots of machines. I don't know anything about how that registers with anybody in a *practical* manner, but it was just popping up in my mind in the overall scheme of how this seems to work. Ok eyes barely open anymore, I have to sign off. Goodnight all.

Ok waking up with my coffee, I really don't write well when tired. Thought instead of asking, I should do some searching myself & see there's plenty to read about hacking cpu and bios. Now it seems just from skimming articles, the exploits tend to be highly specific & difficult. More to learn, I guess. Thank you guys for having the conversation about these specific things. Like you guys talking about updates, then the exploits, buffer overflows, that work like x but not like y. Or an insecure windows system being that way because of specific things abcd, then specifically turning them off, preventing these certain kinds of threats hijklmnop. For me anyway, it takes the mystery out of it & makes things realistic & practical. Very nice, so thank you.

[darry1966]

Here some lists of vulnerabilities your system has, if you don't update your Software:

Browser & Mails
https://www.mozilla.org/security/known- ... onkey.html
https://www.mozilla.org/security/known- ... refox.html
https://www.mozilla.org/security/known- ... rbird.html

Ubuntu (Puppy's base)
http://www.linuxsecurity.com/content/bl ... y/172/168/

Every vulnerability has been successfully proofed, by some attacking software or procedure.
(exploit: https://en.wikipedia.org/wiki/Exploit_% ... ecurity%29)
This is why there are fixes for these vulnerabilities. Better download them, if you can... Oh, you have to check it all few days on your own, cause your OS won't tell you they exist.
Incantation may be a alternative: Just say "I'm not using Microsoft software, and I hate them, so I am secure!" or "Everything is insecure, but I trust in Puppy!" 10 times a day, and never anything happens to you! Even if you are a political activist in a repressive country, or if you open all the links in your mails or in FB, or if you surf on porn sites, illegal streaming or hacking sites! The incantation will protect you almost perfectly!

With Windows have all the latest patches - you can have the latest and greatest browser and yet still be infected courtesy of those "free" Toolbars.

Oh the joy of a hard drive full of "little" security patches each one numbered - true bliss,

[anikin]

stray_dog,

Just type my ip in trusty Google search, you'll see your IP on the top of the page. Plus thousands upon thousands other options will become available to you.

This one is my favorite, it will display your IP and also check if you're ipv6 ready. It has lots of mirrors inside - chose the one to your liking.
http://test-ipv6.com
or this
http://www.whatsmyip.org
this one is good for ... sensitive types .
http://www.ipchicken.com

If your browser gets washed away during that rainstorm, while you're hopping between the free hotspots, you can check your IP using the terminal.

Code: Select all

wget -U curl -qO- ifconfig.me

or

Code: Select all

curl ifconfig.me

or

Code: Select all

curl -s checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'

or ... our old buddy and Puppy partner ... why not, he knows us already, we know him ... and it's just a one time act

Code: Select all

wget -O - -q icanhazip.com

or

Code: Select all

curl -q icanhazip.com

or

Code: Select all

curl ipecho.net/plain

However, the average user will hardly ever need to know his IP for any practical purposes. A normal user will not need it even during a rainstorm. The same stands true for his girlfriend and her relatives, their friends, colleagues and enemies. Your Puppy doesn't need to go to icanhazip every time you boot up your computer - but it goes there even if it's not raining! You call it a service? Hogwash, I say. It's a disservice, or call it a tracking service, which it really is.

[darry1966]

I'm with Anikin on this one. Wasn't in the old Pups which worked fine without this "feature".

[Les Kerf]

...
Not sure it's called geolocation, but yes, you're right, micko did really put a switch in. But let's not take it as an act of generosity - it is not. As a matter of fact, it makes things much, much worse. What was previously hidden as a crappy, little secret (and for a good reason), now has become an embarrassment for Puppy Linux and the community. An ugly genital wart exposed for everyone to see. It doesn't change the fact, that an innocent novice user is being ambushed, trapped, hoodwinked into an web connection of which he has no knowledge. It might take him years before he becomes aware of it and learns how to use the switch...

Would someone please elaborate on this? I am one of those novice users and have no clue as to what this "switch" is all about.
Thanks,
Les

[rcrsn51]

Code: Select all

wget -O - -q icanhazip.com

Here is a little side-effect of this feature. Suppose that you go to a restricted public WiFi site that only gives you access to their content. If you then run Network Status Information, it will permanently hang up because you can never reach icanhazip.com.

[RSH]

Hi.

How secure is Puppy?

From my experience of the appr. last three years, Puppy Linux is secure, if one does follow some rules:

- don't use a save file
- don't download/open files/mails etc. that you don't trust
- don't store personal data to the cloud
- don't save any personal data on the computer

If you don't follow those rules, you will enter a never ending security battle/discussion - which is (imho) a waste of time and effort!

Btw: only an autonomous PC is a secure PC.

RSH

[Burn_IT]

One's computer is VERY secure if you don't use it.

In a personal environment and if you don't leave it on 24/7 you are not very likely to be attacked from outside unless you visit dodgy sites.

I've been to companies that make their computers SO secure and restricted it is a waste of time trying to use them.