"incognito" puppy (security/privacy)

Subito Piano
Posts: 731
Joined: Mon 28 May 2007, 03:12
Location: UPSTATE New York

#1 Post by Subito Piano »

Hi all --

So, I occasionally use public access wifi and want to keep hackers and tracking and all that away. That said, I'm NOT Edward Snowden, I'm not dealing with government secrets. I just don't want Google, et al, tracking me, and I don't want someone to either get my bank account number or access my personal files. This is what I did:

I have a jump drive with two partitions on it. The first is for all kinds of files I keep, and because I use it with others' computers, it must be the first partition and FAT32. My one critical file is for my passwords; it's a LibreOffice file saved with its own password; the rest of the files on that partition are not critical, but still, I don't want others to have access to them. The second partition has Puppy installed on it with two pupsave (4fs) files. One is my "personal" Puppy for when I need it on the road, and it is an encrypted pupsave; the other 4fs file is my "incognito" save file, an unencrypted pupsave file only for use in public hotspots with no significant files stored on it. I may use it with my own laptop or a public computer.

For the "incognito" pupsave file I created a script in my startup folder like so:

Code:

#!/bin/sh
#sleep 3
macchanger -r wlan0

This, of course, to randomize my MAC address and machine vendor.

I installed Tor Browser and made it my default browser. Also, upon startup, Puppy immediately goes into screenlocking via another script. No other partitions are mounted automatically, not even the first partition on the jump drive, and of course, the "personal" pupsave file, although in the same partition (/mnt/home), is encrypted.

Puppy's firewall is also on, set to the default settings.

So -- my question is, is this "pretty good" security against intrusion and tracking, or are there other fairly simple steps I can take when I'm not at home under the protection of my own router?

Thanks!
"God is love" - I John 4:12 (https://www.esv.org/1+John+4/)
🐧 🐧 🐧 Rockin' on a 2007 IBM/Lenovo T60 Centrino Duo with 32-bit XenialPup 7.5! :D
(A/V Linux for live digital synth needs)
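
Added example (not part of the original post): the startup script above calls macchanger without checking the result, so this sketch brings wlan0 up only when the current MAC is confirmed to differ from the permanent one. It assumes the `Current MAC:` / `Permanent MAC:` lines printed by `macchanger -s` and that `ip` from iproute2 is available; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes `macchanger -s` prints
# "Current MAC:" and "Permanent MAC:" lines and that `ip` (iproute2) exists.

# True if the argument is a lower-case colon-separated MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_changed TEXT: succeed only if TEXT holds a valid current and permanent
# MAC and the two differ. Missing or malformed lines count as "not changed".
mac_changed() {
    cur=$(printf '%s\n' "$1" | awk '/^Current MAC:/ {print tolower($3); exit}')
    perm=$(printf '%s\n' "$1" | awk '/^Permanent MAC:/ {print tolower($3); exit}')
    is_mac "$cur" && is_mac "$perm" && [ "$cur" != "$perm" ]
}

# Randomize IFACE and bring it up only when the change is confirmed.
randomize_or_abort() {
    iface=$1
    ip link set "$iface" down     # many drivers refuse a MAC change while up
    macchanger -r "$iface" >/dev/null 2>&1
    if mac_changed "$(macchanger -s "$iface" 2>/dev/null)"; then
        ip link set "$iface" up
    else
        echo "MAC on $iface not randomized; leaving it down" >&2
        return 1
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_OK='Current MAC:   3a:7f:10:9c:44:e2 (unknown)
Permanent MAC: 00:11:22:33:44:55 (unknown)'
SAMPLE_SAME='Current MAC:   00:11:22:33:44:55 (unknown)
Permanent MAC: 00:11:22:33:44:55 (unknown)'

# Only touch the network when explicitly asked: ./script --apply wlan0
if [ "${1:-}" = "--apply" ]; then
    randomize_or_abort "${2:-wlan0}"
fi
```

Run with `--apply wlan0` as root from the startup folder; without that argument the script only defines the functions and changes nothing.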

mjmikulcik
Posts: 45
Joined: Sat 10 Jun 2017, 00:06

#2 Post by mjmikulcik »

I would say there really isn't enough information. You don't want Google to track you. Well, most of the time, Google won't respond to Tor requests without giving you a bazillion captchas, so you're probably using DuckDuckGo, which I guess they could be tracking you, but from a Tor address they won't get much. But, if you sign into any sites even if you are using Tor (or should I say ESPECIALLY if you're using Tor) your identity is completely revealed. Now you won't have to worry about Google because Google doesn't like Tor, but say you got an Outlook account (which is okay with Tor, at least for my brother) Microsoft could track you. They already know who you are. Hiding your IP doesn't help. They read your emails. Or they don't, who knows?

You say you're using public wifi. That exposes you to man in the middles. But that is all it exposes you to. Anyone in the vicinity could see all the data transferred over http. They could likely see the sites you go to (I don't know how important it is if they see the sites. Can they determine who you are?) (Are you transferring your bank account over http?). And supposing a trusted certificate authority owner happens to also be in the middle, they can read everything else you do on those sites (perhaps even over Tor). Switching out your MAC address isn't likely to help unless you go to the same public wifi spot over and over again and it never changes. But with that, all they know is you are there and using the internet, which they could probably physically see. You seem worried Google will follow you. How about your ISP? They monitor your home internet if you have it. I guess another thing to be worried about isn't public internet, but public computers. They could have a keylogger on them recording everything you type. So no, public computers are almost certainly not safe to do banking on (or any other sensitive data), but public internet probably is (but not necessarily). They can take https sites and remove the encryption and give you a http site. Modern browsers will probably catch that, but if you're not careful, you might not. But on the other hand, if it's about anonymity, public internet is better.

You mentioned saving passwords in a password protected LibreOffice file. I think you can safely say the encryption algorithm is secure, but it says nothing about how secure your password is. For instance, if your password is 'password', a twelve year old could get in. Your other files on the USB, if not encrypted, could be read by anyone with physical access. Partitions don't matter.

I wouldn't say there's anything wrong with what you're doing. But you got to be aware of the security it provides and the security it doesn't provide. There's no surefire way of knowing if it's safe. But there are many common things to avoid. If you're worried about tracking, do you carry a cellphone? Or worse, a smartphone? I think the government, Google, whoever, will find more about the average person via monitoring phones than they do with computers. Phones carry location information, microphones, cameras. It's not secret that they only need a warrant to listen to phone calls. So let's break it down.

There is physical security (that is of the device) and virtual security. You have to assess the risk. If they have the device, they can read anything not encrypted by a strong password (try long phrases, not single words or a word with numbers). Passwords saved in a browser aren't safe. If you go to a site and you're automatically logged in, that's relying on physical security. But if there is a low risk they get the device, all that encryption is probably not needed, especially if it's not that valuable.

If they don't have access to the device:
Can they put a virus on it? If they can, it's as if they have the device, and they can watch you use it. How do you know if they can? You can't. Puppy is probably a pretty secure OS. No one has found any problems with it. You can watch your processes for anything suspicious. You probably won't find anything and you're probably pretty safe. Until you start downloading sketchy things.

Now assuming you don't have a virus (you can't assume that on a public computer, but you can confidently hope sometimes), it depends how you use it. Look up phishing scams and you'll see what I mean. If you give the internet personal information, it has it. It's the decision of trust. Some sites you can, others you can. And in my opinion, Google is pretty darn good with keeping safe your information. Keeping it safe means they have it. It all comes down to how you use it.

But in the end, I can confidently say, at least it's not Windows. You can see right through them. And once you open them, they're useless.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#3 Post by perdido »

Using Tor, your data is encrypted from your browser to whatever site you are communicating with.
Your traffic can be seen but not read. Linux versions of Tor identify as Windows.
You should run Tor as a limited user so it is sandboxed, not as root.

Any unencrypted network activity can get intercepted, email passwords, etc. and other site logins.

Put tape over your webcam and microphone. Steve Jobs did and Mark Zuckerberg does.

Consider encrypting your drives or partitions that you don't boot with.

Your smartphone is tracking you if it is turned on.

Just being aware and proactive means you are one in a thousand users.
Remember physical security is important too.

Don't forget to adopt an alias, 007 is already taken :wink:

Subito Piano
Posts: 731
Joined: Mon 28 May 2007, 03:12
Location: UPSTATE New York

#4 Post by Subito Piano »

mjmikulcik and perdido -- thanks! Much info, some I knew, some new to me. Interesting, the suggestion to use Tor as non-root -- although IDK if that's necessary as I don't save anything on the puppy I use only "on the go" -- ?? But I don't start in pfix=ram mode, either, so it's an easy thing to do.

Google, MS, FB -- I avoid like the plague! But am forced to at work (!!!) and sometimes elsewhere :x My smartphone -- I keep that as "dumb" as possible, such as turning off location. I hope to install Lineage on my next phone.

"Eternal vigilance is the price of liberty." Yiii.....