I have specific needs for a live OS

For discussions about security.
Message
Author
Sideshow Todd
Posts: 6
Joined: Sun 14 Nov 2010, 20:43

Steping back

#21 Post by Sideshow Todd »

You've raised some good point in the last post, pizzasgood. You've been helpful all in all, and now I think I have to step back and take all in and reflect and make a decision on what the hell I'm going do.

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#22 Post by Lobster »

schemes for world domination
If planning world domination, you need to think about security in a different way. For example generating spurious noise for librarians watching your activities as you browse as some systems are designed to do . . .

Operating from a trusted and secure cloud based system. These probably exist but cost money - maybe someone will know of penguin run alternatives?
For world domination set up your own and divert and monitor traffic. [practice evil laugh]

Security is inconvenient. It needs specialized knowledge.
You might for example use, modify and add to
my GROWL program.
http://www.murga-linux.com/puppy/viewto ... 216#335216

My favourite technique is to practice
Uttana Shishosana (extended Puppy pose)
and other techniques
http://www.yogajournal.com/poses/2476
which helps me to worship my fears, sleep soundly at night and not need to use the GROWL program.

Hope that helps :D

Puppy Linux
Vigilant penguins
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#23 Post by Pizzasgood »

nooby wrote:But would the software installed allow one to run that virtual puppy at all?
The computers in question would almost certainly not have programs like VirtualBox or Qemu installed. However, that is a non-issue. You can install programs onto a flash drive and then run them on any computer with a compatible OS that you plug it into.

Of course there are programs that are not cooperative with such behavior. Some programs require registry entries or having support files in specific locations and other nonsense. It depends on the program. Programs that are happy being run from any location are often called "portable", and I believe there are actually a pretty good number of quite useful programs that support this. I think people even sell flash drives with a bunch of such programs preinstalled and configured on them, and I'm fairly sure there are "bundles" you can download and easily install as well.

Virtual Box and Qemu can both be installed to a flash drive, as far as I am aware.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#24 Post by nooby »

I guess it is different for each Library or Internet Cafe one visit.

Many of our Public Library have free access to computers but you have to write down your true name and true mobilenumber and you get access to a screen and a mouse and a keyboard. The computer itself is hidden under a wood work or in a locked box and you have no USB slot access on it.

And if you try to download a program to do a Vbox install then they ask for Amin rights to do such thigns and only the IT department are allowed to do such things.

So sure when it works it works but in many places it is a big NoNo to even attempt it.

But one can sometimes use their open wifi wireless hot spot but then one are open to being sniffed at by others there too. So is it as easy as some say?

I guess one have to copy and paste passwords instead of using the keyboard on the smartphone to be fairly safe? Or copy and and paste also sent in plain text? I know too little but they did show on TV how easy it was to spy on others passwords.
I use Google Search on Puppy Forum
not an ideal solution though

2lss
Posts: 225
Joined: Sun 20 Sep 2009, 23:54

#25 Post by 2lss »

I'm not sure what your constraints are for using a laptop but if its size you could look into a small handheld like a nokia n810/n900, open pandora, or even a smartphone that runs android.

Or if your only worried about email and facebook, set up a temporary gmail account that if someone was to 'break' into, wouldn't jeopardize any personal info. I'm sure the same could be done with a facebook account; just use it for the summer and delete it when you are done.

You could also check out this http://distrowatch.com/table.php?distribution=incognito

(Its a debian live system that ships with tor and some other goodies. It's goal is to provide "Internet anonymity for the user", which I'm sure is debatable.)

But you would be in the same boat as if you used Puppy, aka have to reboot the machine and/or issues with protected bios's

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#26 Post by Pizzasgood »

nooby wrote:I guess it is different for each Library or Internet Cafe one visit.

Many of our Public Library have free access to computers but you have to write down your true name and true mobilenumber and you get access to a screen and a mouse and a keyboard. The computer itself is hidden under a wood work or in a locked box and you have no USB slot access on it.
Oh, I see what you meant now. Yeah, if you can't reach the USB slots, then you're out of luck. I haven't seen many instances of that here in the USA. Granted, I haven't gone to very many areas with public computers either. But of the ones I've gone to, all had the computers right out in the open.

You mentioned open wireless. Copy-past won't make any difference for wireless. Using copy-paste for inputting passwords was suggested for when using an untrusted computer, in order to bypass keyloggers. It does nothing to address people snooping on the network.

If the website that you're sending your password to uses SSL (their address starts with "https" instead of "http" and the browser shows a lock or changes colors and such), then the data your computer sends into the internet will be encrypted, so it doesn't matter very much if you use open wireless. Nobody would be able to read what you sent. Most banks and stores and such use SSL. If one doesn't, they need to have complaints sent to them...

On the other hand, many websites and forums (including this forum) that don't deal with money don't bother to use SSL. In those cases, when you send data to them, the data is sent as plaintext. If you're using an open wireless network, or one with weak security, anybody nearby could also find out what data you send in plaintext. (Also, no matter what kind of internet connection you use, anybody who is on the path between your computer and the destination computer could read the text if it is not encrypted. In particular, the ISPs and any unethical network operators who run one of the segments your data passes through.)
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

User avatar
d4p
Posts: 439
Joined: Tue 13 Mar 2007, 02:30

#27 Post by d4p »

"Yeah, if you can't reach the USB slots, then you're out of luck."

Maybe using CD/DVD.
On my test Virtualbox can be execute from cd/dvd by using the HDD space for temporary files (thanks to windows that it can execute everything).
After quit from virtualbox, it will left a 16 kb *.tmp file in %temp%.
I guess, a 16 kb file doesnt mean a lot or ?

yordanj94
Posts: 78
Joined: Thu 16 Sep 2010, 15:40
Location: Bulgaria

#28 Post by yordanj94 »

Pizzasgood wrote:

If the website that you're sending your password to uses SSL (their address starts with "https" instead of "http" and the browser shows a lock or changes colors and such), then the data your computer sends into the internet will be encrypted, so it doesn't matter very much if you use open wireless. Nobody would be able to read what you sent. Most banks and stores and such use SSL. If one doesn't, they need to have complaints sent to them

Hi.
Let's say i use Yahoo mail.First i got "https" when i type user and pass,
but then it turns back to "http".
Does this means that they protect only your user and pass and everything else can be captured and your mail can be seen ?
Thanks in advance

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#29 Post by Flash »

yordanj94 wrote:Hi.
Let's say i use Yahoo mail.First i got "https" when i type user and pass,
but then it turns back to "http".
Does this means that they protect only your user and pass and everything else can be captured and your mail can be seen ?
Thanks in advance
That's right, but don't assume that just because your login information is sent over the internet encrypted, someone can't log in to your account by guessing. That's why you should use long random sequences for your password. I don't know how many login tries Yahoo or Gmail allow.

yordanj94
Posts: 78
Joined: Thu 16 Sep 2010, 15:40
Location: Bulgaria

#30 Post by yordanj94 »

Thanks.
Gmail encrypts all its traffic but Yahoo doesn't.
Then what's the point to encrypt only user and pass if someone with enough skills can read all the information in the email ?
In that case one of the ways to be more secure would be to encrypt sensitive information as attached file.
Or am i wrong ?

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#31 Post by Pizzasgood »

Encrypting only the password still leaves emails you send or read open to be sniffed, but it at least prevents people from being able to obtain your password, which would allow them to log into your account and send mail to people that looked like it was sent by you. Also, the person intercepting your traffic would only see the emails that you send or read during that session, whereas if they obtained your login credentials, they could log in later and read all of your saved messages as well. So it does offer some benefits over no encryption at all.

One thing to keep in mind though, in regards to email, is that email is mostly sent between email servers unencrypted. So let's say you use gmail to send an email to somebody who uses hotmail. Even if it's encrypted between your computer and gmail, when it passes from gmail to hotmail, it might not be encrypted. So somebody who is in the same room as you wouldn't be able to read the email by sniffing the wireless packets, but somebody who is able to intercept the traffic passing between gmail and hotmail would be able to read the email. That's harder to do than to just watch the wireless traffic, of course, but it can happen.

As far as manually encrypting your own emails goes, you don't necessarily have to send them as an attachment. It depends on how you encrypt them. GPG can encrypt them in such a way that you can just copy and paste the encrypted text into the email and send it on its way. The recipient can then copy it out and feed it through GPG. I believe there are also plugins for Firefox that can take care of this without all the copying and pasting. If you use an actual email client instead of webmail, some of them have built in support for GPG, and some that don't have it built in do have plugins for it (for Thunderbird there is Enigmail).

Of course the problem with sending an encrypted message is that the recipient needs to know how to (and be willing to) decrypt it, which I imagine could be troublesome if they are not as willing to indulge in paranoia as you are.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

Post Reply