The Official Release of Lucid 5.25 (Lucid Five Twenty-Five)
Re "bad steak", a good critic (at least the ones I respect) will either say the restaurant bought poor quality meat, the cook overcooked it, or the spicing was inappropriate and state what must be done in detail to correct it, etc.
So, criticizing the security of Puppy without delineating the steps required in concrete detail to upgrade puppy without degrading performance is the real challenge. Whining about security is not.
I repeat what I said before: come up with a security-enhanced puppy w/o degraded performance and we will all d/l and try it out. That I promise you. If you can't do it yourself, then volunteer to assist a dev. I believe Jemimah is a sys admin, who must deal with security issues on an ongoing basis; why don't you PM her?
myke
AA1 D255E-keucr slacko 5.3;luci;mijnpup; tw-os; with:Emacs,gawk,noteboxmismanager,treesheets, freeplane, libreoffice, tkoutline, Sigil, calibre, calendar. magic&Noteliner(wine), kamas (DOS)
2wuwei wrote:
> Luluc wrote:
>> +1
>> PROVE what you're saying. If you can't do it yourself, fine, just point us to any page that describes the necessary steps to achieve this kind of magic of which you speak so often. Is that asking too much? Just prove it, dammit!
>
> Yes, pleeeeaaaase. One concrete example. ONE only!

Examples of weakness are the PROVEN WRONG approach to security. To have even one is to realize that the system really was weak, after all, even when it was considered strong. But finding a weakness and patching that will not create security. In practice, all large, complex systems will always have exploitable errors or flaws, no matter how much patching is done.
To attain security, it is necessary to work in ways which PROVABLY PREVENT insecurity. My approach has been to prevent "infection": the ability of malware to get itself restarted on subsequent sessions. Infection is the largest danger, because an infected system may run a hidden bot for hundreds of sessions. Systems which flush malware and start out clean on each session may run malware, but only if and when acquired, and then only for half a session, on average.
To the extent that anything is ever new, this is a new and original approach to security. Puppy supports this, and nothing else does (as far as I know). It seems a shame for Puppy to not recognize its strengths and build upon them.
myke wrote:
> Re "bad steak", a good critic (at least the ones I respect) will either say the restaurant bought poor quality meat, the cook overcooked it, or the spicing was inappropriate and state what must be done in detail to correct it, etc.
> So, criticizing the security of Puppy without delineating the steps required in concrete detail to upgrade puppy without degrading performance is the real challenge. Whining about security is not.

"Whining" about a bad steak is how we avoid going back for the same thing again. It is unnecessary to analyze how it was bad or who caused it, because what matters is the going back.
I have presented security issues in more than enough detail to consider for implementation. For me to propose solution code would involve me knowing more than I do, or ever will. Sufficient information has been presented for the designers to use, or not.

> I repeat what I said before: come up with a security-enhanced puppy w/o degraded performance and we will all d/l and try it out. That I promise you. If you can't do it yourself, then volunteer to assist a dev. I believe Jemimah is a sys admin, who must deal with security issues on an ongoing basis; why don't you PM her?
> myke

Improving security almost always involves some cost. Having a door means it must be opened, instead of just walking through. Having a lock means fumbling for the key. Having a firewall means that firewall code must run, instead of just accepting everything. Using a LiveDVD may be somewhat inconvenient, but as a path to security that inconvenience can pay off.
We have what we have, and Puppy is what it is, because current designers allowed that to happen. They were satisfied; I am not. Just finding a designer to talk to is not going to solve that problem.
nooby wrote:
> That would work for non-writeable CD and such DVD? But only on USB and HDD if they could be set to nonwriteable or how else to do it?

Most of the optical media we would use are in fact writable, although the writing process is both longer and more visible than a hard drive or even flash drive write. I assume that malware cannot write to my DVD+RW disc without that becoming apparent. But we could certainly remove the boot DVD immediately after booting, thus PROVABLY eliminating new infection as long as the computer was not yet online (or getting an infected USB drive plugged in). So we need an option for Puppy to not immediately connect online.
Our current computer systems are designed with an inherent lack of hardware to prevent malware from changing boot code and data. Fortunately, good security is largely already available in a LiveDVD approach. Unfortunately, many modern computers do not have a DVD drive, which in any case will be slow and, in my experience, error-prone. Still, one alternative is to use an external DVD-writer (provided the computer would boot from it), ideally with no hard drive at all.
When we do a LiveDVD boot with a hard drive present, such as an existing Windows drive, we have to consider the security consequences of malware creating or infecting a Puppy save file. That could be avoided with a configuration where Puppy would not search for or read that file. That should actually improve startup performance.
In non-LiveDVD systems, what counts is hardware "air gap" or "power off" security. To achieve that, we can boot from an external USB hard drive or flash drive--provided we can remove that USB plug prior to any risky operation. We need to allow a careful manual update from well-trusted sites, a manual save, and then removal of the USB connector, thus isolating the USB drive.
When I boot from flash, Puppy says that flash must not be removed. Even worse, it writes to the flash periodically. How could anyone imagine that would protect against malware infection? I have also acquired and used a flash with write-protect, which then becomes insecure forever after as soon as writing is enabled for browser updates. So for a secure HDD or flash boot, I think we are forced into waiting for changes to the Puppy design.
We need to be able to remove the flash once the system has been loaded into RAM and is running. We know that can be done, because the LiveDVD system can do it. We can remove the DVD after boot, to play a music CD, or to write a new .ISO. So gaining the ability to unplug the boot drive is not an unreasonable request. But unless and until Puppy changes, I cannot see a way for a USB flash boot drive to be both secure and offer practical support for browser security updates.
RandSec wrote:
> But unless and until Puppy changes, I cannot see a way for a USB flash boot drive to be both secure and offer practical support for browser security updates.

Keep the latest version of your browser on the flash drive as a PET. That's easy to do with Firefox. Boot off the flash drive with NO savefile. Mount the flash drive and install the PET. Unmount and remove the flash drive.
Hmm, to secure the puppy first we should close all the backdoors which are built in puppies.
http://murga-linux.com/puppy/viewtopic.php?t=37317
Easter bunny told me so.......
- MinHundHettePerro
- Posts: 852
- Joined: Thu 05 Feb 2009, 22:22
- Location: SE
Playdayz, my apologies for taking part in the derailment of your thread. Forgive me for my noobish post.
RandSec, maybe, just maybe, Puppy might not be the ultimate security tool that you pursue, root and all. Perhaps, one of the following distributions would offer some enhanced security against the malware you're fighting off so vigorously:
* Incognito Live System
The (Amnesic) Incognito Live System is a Debian-based live CD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymised. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace.
* NetSecL
NetSecL is a security-focused distribution and live DVD based on openSUSE (starting from version 3.0, previous versions were based on Slackware Linux). To improve the security aspect of the distribution, servers have been removed, incoming ports closed and services turned off. Additionally, several penetration tools have been included.
* Network Security Toolkit
Network Security Toolkit (NST) is a bootable live CD based on Fedora Core. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of open source network security tools. What we find rather fascinating with NST is that we can transform most x86 systems (Pentium II and above) into a system designed for network traffic analysis, intrusion detection, network packet generation, wireless network monitoring, a virtual system service server, or a sophisticated network/host scanner.
* OpenBSD
The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX. OpenBSD is freely available from our FTP sites, and also available in an inexpensive 3-CD set.
Or, perhaps, one of these live derivatives of OpenBSD - ran quite well on my ageing gear when I last tried them:
* FuguIta
FuguIta is an OpenBSD live CD featuring portable workplace, low hardware requirements, additional software, and partial support for Japanese. This live CD is intended to be as close as possible to the default OpenBSD when installed on a hard disk.
* GNOBSD
GNOBSD is an OpenBSD-based live DVD which boots into a GNOME desktop and which includes a graphical system installer (written in Ruby) for transferring the system to a hard disk or a USB storage device. The system includes some popular desktop applications, such as Mozilla Firefox and MPlayer.
hth, and again, sorry for the derailment, Playdayz / MHHP
Celeron 2.8 GHz, 1 GB, i82845, many ptns, modes 12, 13
Dual Xeon 3.2 GHz, 1 GB, nvidia quadro nvs 285
Slackos & 214X, ... and Q6xx
Well, what the.... ln -s /dev/null MHHP
rcrsn51 wrote:
> RandSec wrote:
>> But unless and until Puppy changes, I cannot see a way for a USB flash boot drive to be both secure and offer practical support for browser security updates.
>
> Keep the latest version of your browser on the flash drive as a PET. That's easy to do with Firefox. Boot off the flash drive with NO savefile. Mount the flash drive and install the PET. Unmount and remove the flash drive.

Does that work? Have you tried it?
While I have various questions about making Firefox plus add-ons a .PET, and then updating those and making a new .PET, that is not the problem. Nor is my understanding that Puppy looks for a save file, whether created by user or malware. Nor is the idea that the booted system goes online immediately and by default with no firewall. No, the real problem is not being allowed to remove the boot drive after boot:
As of my repeated experience with flash-drive Puppy as of about 2 months ago, Puppy insists that the boot drive NOT be unmounted and removed. As far as I know, using normal desktop operations, Puppy simply DOES NOT ALLOW unmounting the boot drive, which is the basis for most of this problem. If that has changed so one can boot from flash then unmount it, I would be glad to know.
RandSec wrote:
> Does that work? Have you tried it?

Yes and yes.

> As of my repeated experience with flash-drive Puppy as of about 2 months ago, Puppy insists that the boot drive NOT be unmounted and removed. As far as I know, using normal desktop operations, Puppy simply DOES NOT ALLOW unmounting the boot drive, which is the basis for most of this problem. If that has changed so one can boot from flash then unmount it, I would be glad to know.

You only see the message about not removing the flash drive if Puppy loads a savefile. If you start without one, the flash drive is not mounted and there is no problem removing it. A little testing on your part will confirm this.
nooby wrote:
> Seaside described him first making a pupsave with his personal preferences and then making an .sfs file out of it that is not writeable too.
> Would not that allow us to make a more safe version of puppy?

First of all, we cannot trust software write-protect permissions to prevent malware from writing after malware has subverted the OS.
It is possible to hardware write-protect a Puppy boot flash. The problem then becomes updates. In my case, I found I was lacking the self-control needed to do the update process: turn write-enable ON, boot, browse, update, close browser, shutdown and power off, turn write-enable OFF. I would usually get distracted, and by the time I realized my error I had wandered far off the reservation. But since the flash had been updating in real time, it was impossible to go back. This is a completely different situation from the desktop Save button, where one can realize that one has gone too far, and then NOT DO THE SAVE. Automatic real-time flash updates remove that option. So then the flash is insecure, with the only cure being to re-install Puppy on the flash, all over again.
rcrsn51 wrote:
> RandSec wrote:
>> Does that work? Have you tried it?
>
> Yes and yes.
>
>> As of my repeated experience with flash-drive Puppy as of about 2 months ago, Puppy insists that the boot drive NOT be unmounted and removed. As far as I know, using normal desktop operations, Puppy simply DOES NOT ALLOW unmounting the boot drive, which is the basis for most of this problem. If that has changed so one can boot from flash then unmount it, I would be glad to know.
>
> You only see the message about not removing the flash drive if Puppy loads a savefile. If you start without one, the flash drive is not mounted and there is no problem removing it. A little testing on your part will confirm this.

That does sound a little snide, considering I have indeed done testing, and if leaving the save file out is the trick, it really is a trick.
But OK, now how do you know that malware has not given you a malware save file? Presumably this flash is booting on a Windows machine with a hard drive, so how do you know?
MinHundHettePerro wrote:
> Playdayz, my apologies for taking part in the derailment of your thread :oops:. Forgive me for my noobish post.
> RandSec, maybe, just maybe, Puppy might not be the ultimate security tool that you pursue, root and all. Perhaps, one of the following distributions would offer some enhanced security against the malware you're fighting off so vigorously:
> hth :), and again, sorry for the derailment, Playdayz :oops: / MHHP

My goal is to see Puppy improve to the point where I could recommend it for serious use in online banking. Personally, I have a wide range of options. In contrast, Puppy has a unique market opportunity which will not last and will not come again.
in puppy's menu/utility/gtkhash
hash your files... and check them if you wish
Bionicpup64 built with bionic beaver packages http://murga-linux.com/puppy/viewtopic.php?t=114311
Xenialpup64, built with xenial xerus packages http://murga-linux.com/puppy/viewtopic.php?t=107331
RandSec wrote:
> But OK, now how do you know that malware has not given you a malware save file? Presumably this flash is booting on a Windows machine with a hard drive, so how do you know?

By adding "pfix=ram" to my syslinux.cfg file. That's something else that you can test.
Or I could simply check the contents of the flash drive from Windows before booting it. But now we are into tin-foil hat territory.
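
The two checks from the post above (forcing pfix=ram and inspecting the flash drive before booting it), combined with the file hashing suggested earlier in the thread, as an added shell example that is not part of any post. The function names, the manifest file, the `*save*.[234]fs` name pattern and the rule that any syslinux.cfg line carrying `initrd=` is a kernel command line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a Puppy boot flash drive from a trusted system before booting it.
# Assumptions (constructed for illustration): $1 is the drive's mount point, $2 is the
# absolute path of a sha256sum-format manifest made when the drive was known good,
# save files match *save*.[234]fs, and any syslinux.cfg line carrying initrd= is a
# kernel command line.

# List save files at the top level or one directory down.
find_save_files() {
    find "$1" -maxdepth 2 -type f -name '*save*.[234]fs' 2>/dev/null | sort
}

# Succeed only if every kernel command line in syslinux.cfg includes pfix=ram.
cfg_forces_ram() {
    cfg="$1/syslinux.cfg"
    [ -f "$cfg" ] || return 2
    entries=$(grep -c 'initrd=' "$cfg" || true)
    forced=$(grep 'initrd=' "$cfg" |
        grep -Ec '(^|[[:space:]])pfix=([^[:space:]]*,)?ram(,|[[:space:]]|$)' || true)
    [ "$entries" -gt 0 ] && [ "$entries" -eq "$forced" ]
}

# Run all three checks; return 0 only when nothing was flagged.
audit_boot_media() {
    mnt="$1"; manifest="$2"; status=0
    # 1. Boot files must hash to the values recorded in the trusted manifest.
    if ! (cd "$mnt" && sha256sum -c "$manifest" >/dev/null 2>&1); then
        echo "FAIL: boot files differ from the trusted manifest"; status=1
    fi
    # 2. Without pfix=ram, Puppy may load whatever save file it finds.
    if ! cfg_forces_ram "$mnt"; then
        echo "FAIL: a boot entry lacks pfix=ram"; status=1
    fi
    # 3. A save file nobody remembers creating deserves a look either way.
    saves=$(find_save_files "$mnt")
    if [ -n "$saves" ]; then
        echo "WARN: save files present:"; echo "$saves"; status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: manifest matches, pfix=ram set, no save files"
    fi
    return "$status"
}

# Stand-alone use: sh audit.sh /mnt/usb /root/puppy-usb.sha256
if [ "$#" -eq 2 ]; then audit_boot_media "$1" "$2"; fi
```

`find_save_files` can also be pointed at a mounted hard-drive partition, which is where the save file asked about in the quoted question would sit.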
Some more knowledge
Just as a thought about virus, malware, trojan horses etc... the article at this website is a bit old however... its topic is:
How to write a virus for Linux in 5 easy steps...
Certainly interesting reading!!!!
http://www.geekzone.co.nz/foobar/6229
>>>---Indian------>
rcrsn51 wrote:
> RandSec wrote:
>> But OK, now how do you know that malware has not given you a malware save file? Presumably this flash is booting on a Windows machine with a hard drive, so how do you know?
>
> By adding "pfix=ram" to my syslinux.cfg file. That's something else that you can test.
> Or I could simply check the contents of the flash drive from Windows before booting it. But now we are into tin-foil hat territory.

Rcrsn51 could I ask this:
What about us who are on frugal install on HDD and have grub4dos instead of USB syslinux booting?
And if one makes the pupsave.3fs into a zl525332.sfs file instead does that help?
I use Google Search on Puppy Forum
not an ideal solution though
PupSnap-1.6 (new version)
http://murga-linux.com/puppy/viewtopic.php?t=61361
PupSnap 1.6 to Lupu PPM
Quickpet -> More Pets -> Update Lupu PPM
-----------------------------------------------------------
In a few days or a week, I will look through this thread since the release of Lucid 5.2.5 and see if there are enough fixes or enhancements to make an Instant Update. The ffconvert front-end seems like a good thing to include.