Is a Frugal install as secure as...

For discussions about security.
Post Reply
Message
Author
puma5000
Posts: 2
Joined: Thu 17 Apr 2014, 01:38

Is a Frugal install as secure as...

#1 Post by puma5000 »

Hi

I'm a novice linux user. while on the internet, is using a frugal install of puppy linux with an encrypted pup save file as secure as running puppy off of a CD as a live session and saving to a flash drive? Is it more secure than a conventional, full, install. This would be for internet banking and regular net surfing, no risky online behaviour or anything. Thanks in advance for the help. Happy Easter!

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

An encrypted Save file won't protect you from yourself. If you pick up a virus or some other malware from the Internet, that virus will be saved in your Save file, encrypted along with everything else. Encrypting your Save file will only protect you from someone who has physical access to the media that has the Save file in it.

In my opinion, the safest way to run Puppy is from a multisession CD or DVD. In effect, this puts your Save file on the same CD or DVD you're booting Puppy from, but not quite exactly. The differences are in your favor. The only disadvantage is that booting takes longer than from a USB flash drive.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#3 Post by Sylvander »

I use Frugal Installs, a few of which are set up so I can choose to NOT SAVE any changes made during the session.
I rate those as pretty secure.
BUT...

I rate the [multi-session DVD-RW] arrangement suggested by Flash as even better.
I have 2 of those, but lost the best one recently [suddenly it won't boot :( ].

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#4 Post by rufwoof »

I try to keep all data/files/music etc completely outside of Puppy. That way I don't need a savefile at all, nor do I need to install anything on the PC's HD.

I boot from a CD/DVD and run everything in memory (RAM). That way I have a fixed pristine version of the operating system and desktop/GUI and don't even need to open up (mount) the HD unless I want to read or write something from/to the HD (my data area).

For online banking I boot up and load a brand new Firefox, go only to my banks web site and power-down (reboot) afterwards.

For other 'normal' sessions I just boot up and do whatever, maybe adding to or using some HD access (data) and browse the net etc.

If puppy trashes, my data is secure, intact and accessible (I back that data up periodically).

For the above purpose, I have a trimmed down puppy slacko (trimmed version of mick0's 5.3.3t) that has a 67MB Puppy SFS file size (small). But I also have another 193MB of 'extras' in a EXTRA sub-directory/folder on that CD/DVD. Total ISO size is 290MB (would be around 97MB without the EXTRA folder content).

It's UK specific i.e. the onscreen keyboard is set to be UK and AbiWord is set to use a en-GB dictionary, but if you like you can download it from here :

Filename s_5.3.3t-v3.1-en-GB.iso located at https://drive.google.com/folderview?id= ... sp=sharing

Its fully functional, but in layers. Initially at the first boot you'll have to enter locale details etc, connect to the network, set up firewall (SET UP/FIREWALL), set up sound (SET UP/ALSA SOUND/ALSA WIZARD). Then you'll have a basic desktop, play/burn CD's, MPEG's, basic text editor and calculator etc.

If you go to the HOME directory there's a couple of firefox icons, Firefox and Firefox_Bank. The only difference is the first starts up with some extensions/add-ons being loaded (NoScript, Flash Block, Zoom) whilst the other doesn't. In both cases the first time either is run it auto downloads the latest version of firefox from Mozilla. Typically the download is around 30MB which on my 50Mb internet connection speed takes just seconds.

Within the SFS's subdirectory there are loadxxx files, which I use to load either/any of flash, abiword/gnumeric (word processor and spreadsheet) and a Multi-Media (MM) - which contains Openshot (video editor), xvidcap (screen video capture) and Audacity (sound editor), together with inkscape (draw program), blender (3D animation).

Whilst Openshot will work in a limited way without graphics acceleration, for 3D/animated titles you do need graphics acceleration. That varies according to the type of graphics card you have and accordingly there are two choices in the EXTRA graphics-card sub-directory - one for nvidia, another for mesa. I have a nvidia graphics card so I use that (which involves having to restart X after loading and selecting the NVIDIA choice from within xorgwizard).

You could perhaps use the above as a template/guide to remaster your own version. A nice thing about running entirely from CD/RAM is that it doesn't really matter what you do during a session. Foul up Puppy, be exposed to virus etc. as you can just shutdown and reboot afresh.

Im running a single core 1.5GB RAM setup, and find it flies. 3D rendering can be a little slow, especially compared to when I run on a quad core, but otherwise OK. The approach also forces you to compartmentalise, CD = op sys and GUI, HD = data. So if puppy does trash you don't have data intermixed in with the system files.

I have a 2GB HD swap partition setup, but that hardly ever seems to get used. Not sure why, but despite having 1.5GB or RAM, my 'savefile' space is shown to be 1.7GB (when you boot without a savefile, all of memory becomes your savefile space - but of course that's not saved - unless you opt to create a savefile when you logoff/shutdown (I usually just click Don't Save)).

Booting a fresh opsys/GUI and using a freshly downloaded browser to only directly go to your banks web site, and then shutting down afterwards, all run from within RAM and from a read only device - collectively (IMO) provides comfort that you've implemented a safe practice from your end of things. If that same CD can also be used to do other things (as outlined above), then so much the better.

PS : In the EXTRA sub-directory on the CD, there are also a couple of bootable ISO burner programs, one for 32 bit Windows machines, another for 64 bit Windows machines. You can open the ISO using 7-Zip or WinRar or whatever and drag the appropriate choice out to a Windows directory and then run that in order to burn the ISO to a new/blank CD/DVD.
Attachments
dt.jpg
(61.69 KiB) Downloaded 751 times

Py
Posts: 70
Joined: Fri 12 Aug 2005, 05:18

#5 Post by Py »

Flash wrote:An encrypted Save file won't protect you from yourself. If you pick up a virus or some other malware from the Internet, that virus will be saved in your Save file, encrypted along with everything else. Encrypting your Save file will only protect you from someone who has physical access to the media that has the Save file in it.

In my opinion, the safest way to run Puppy is from a multisession CD or DVD. In effect, this puts your Save file on the same CD or DVD you're booting Puppy from, but not quite exactly. The differences are in your favor. The only disadvantage is that booting takes longer than from a USB flash drive.
Won't a virus saved to the cd be just as much of a problem as it would be if saved to the flash drive?

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#6 Post by Flash »

Yes, but. Each session on a multisession CD or DVD is a separate folder or directory, so malware is isolated to one of the saved sessions. Multisession Puppy can skip one or more (or all of the) saved sessions when it boots. You can then mount the DVD which contains the skipped session(s) and look in those sessions to try to find what happened.

Saving to a save file on a hard disk or flash drive overwrites whatever file(s) were changed, so there's no going back unless you've backed up the Save file. Multisession Puppy inherently provides the option to go back to a known good configuration by isolating each saved session, combining them only at boot time.

I think Ted Dog was working on somehow making USB Puppy save sessions separately in the same way as multisession Puppy does on a DVD or CD. I don't know how successful he was.

Py
Posts: 70
Joined: Fri 12 Aug 2005, 05:18

#7 Post by Py »

Thanks for that info Flash. I suppose if you suspect that there is a virus you can scan the DVD and then, if detected, can then scan the individual saved sessions to see which one it is in.

puma5000
Posts: 2
Joined: Thu 17 Apr 2014, 01:38

thanks for all the information, very helpful.

#8 Post by puma5000 »

thanks for all the information, very helpful.

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#9 Post by rufwoof »

Py wrote:
Flash wrote:An encrypted Save file won't protect you from yourself. If you pick up a virus or some other malware from the Internet, that virus will be saved in your Save file, encrypted along with everything else. Encrypting your Save file will only protect you from someone who has physical access to the media that has the Save file in it.

In my opinion, the safest way to run Puppy is from a multisession CD or DVD. In effect, this puts your Save file on the same CD or DVD you're booting Puppy from, but not quite exactly. The differences are in your favor. The only disadvantage is that booting takes longer than from a USB flash drive.
Won't a virus saved to the cd be just as much of a problem as it would be if saved to the flash drive?
The safest way when banking is to boot from a read only LiveCD, have no read/write partitions mounted, and use the pristine Puppy opsys/desktop and a pristine browser all running in clean memory (RAM) to only go to your banks web site, no where else either before or after. Puppy is #1 when it comes to being able to do that IMO.

More generally, a good practice is to fake your browsers USER-AGENT, as otherwise that gives a potential hacker too much detail about what to specifically target (op sys, browser and version etc.).

Consider a simple virus

pupmessage hello

Firstly the hacker would need to get that command onto your PC. Which in reading this posting has already been achieved.

The trickier next stage is getting that code executed. The easiest way is to exploit a vulnerability. Very few bits of code (programs such as browser) are totally secure, most have flaws. If you know the op sys and browser being used then you can target such flaws. A common one is overrunning a buffer. A particular sequence and size of bytes that is larger than expected resulting in 'spurious' behaviour (program doing something due to encountering something that was not normally expected), which can result in some 'odd' program behaviour - but if the hacker knows how that odd thing runs they can get their virus (pupmessage hello in this case) to be executed.

A virus is likely to be more harmful or intrusive than just a pupmessage event. Once a small bit of code is run, that can invoke other events - perhaps downloading and installing something deeply into the system. The best frame of mind IMO is to consider any PC that's been used to access the internet for a while is at risk of at some time potentially having been compromised. As such a factory fresh Puppy and Browser loaded into clean RAM is obviously the more secure choice.

This web site provides a indication of what your browser might be telling each and every site that you visit https://www.whatismybrowser.com/ In my case (see attached) sites think I'm running Windows 7 using a outdated Firefox - whilst I'm actually using a Slacko LiveCD with the latest firefox (version 28 even though that web site suggests version 27 is the latest!).

In the modern world however things are reasonably secure. Possible virus sites and threats get jumped on pretty quickly. The greater risk IMO is that of a large-scale theft/vulnerability looking to be side stepped. Again whilst that risk is low if Some-Big-Bank is compromised and looses a lot of money, they might contest that their clients who were using outdated operating systems and/or browsers were at fault and as such refuse to compensate for those losses. If their records showed that you were using XP SP2 and internet explorer to regularly access your Some-Big-Bank online account, then they might say it was your own fault that a loss was endured. Your return argument could be that you were using a LiveCD of a pristine Puppy and latest browser, loaded into clean RAM and going nowhere else before or after other than to the Some-Big-Bank web site, and faking your USER-AGENT - which IMO would be a very strong counter argument (the onus would then be on the bank to prove that casual use of that particular choice of Puppy kernel or browser was the common denominator for the large-scale loss).
Attachments
dt.png
(42.23 KiB) Downloaded 617 times

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#10 Post by mikeb »

Firstly the hacker would need to get that command onto your PC. Which in reading this posting has already been achieved.
HOW exactly???????

What mechanism is downloading, making executable and running software without user intervention? If this was sooo easy why is it not happening every day to millions of linux users?

This is scaremongering based on windows flaky security model from the 90's where the system included software to openly allow a hacker to do just this ... not a buffer overflow in sight.

Such flaws are hypothetical and picked up before anyone even bothered to look... too much like hard work for the average spammer who will simply use readily available tools to do the job rather than wasting time on some convoluted approach.

mike

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#11 Post by rufwoof »

Posted just days ago : http://youtu.be/WMGzVQwA-MM

Have a look through the list of associated video's.

There's a (long) video about buffer overflow exploits here http://youtu.be/8xonDJe3YxI

Certainly not a past thing of the 90's.

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#12 Post by mikeb »

Ok lets put it another way... make a web page or an emaill that can pass a virus onto my machine and run it... I would be happy to give it a test. A video is just a video.

Of course it probably would have to be specially crafted to attack me and useless for any other system but spammers have all the time in the world to rewrite the software they use every 2 minutes to target maybe a dozen users as exploits appear and disappear while the old ones carry on being used on millions.

Seriously, give me something to test out...I used to do it when evaluating security measures in the past.

I hope 'security' has not become a cosy bandwagon to jump on when programming becomes less lucrative or inaccesible.

If there is a REAL threat then demonstrate it in action so we can all take suitable measures.

mike

User avatar
ThoriumBlvd
Posts: 159
Joined: Fri 04 Oct 2013, 09:04
Location: N.E. USA

#13 Post by ThoriumBlvd »

Thread is a bit old but would like to opine. IMHO there are two things that generally improve security. The first is the "Live CD" approach on a CD-R (NOT CD-RW). Basically run it and close it as needed. One nuisance noted on frugal installs like Puppy Slacko-5.5XL (there may be others) is the AUTOMATIC wifi-on. Tsk, tsk, Tsk broadcasting "I'm Here!". Manual ON/OFF please. That brings me to point #2, a LAN connection behind "your" router is generally more secure than a wi-fi behind someone else's router (the "Middle-man Exploit" or "Sniffer's Paradise"). Especially for passwords, business transactions, logins, etc. A lot of "free wifi" spots are unencrypted for general surfing: its a tragic mistake to enter any password or conduct any business. So free doesn't really allow one to do work, just surf.

personally, though I use a netbook, I'm nearly always LAN'd. Puppies are a good first step in promoting some security, and I think the CD-R live is a very good idea. Once one gets puppy, the next best thing is using a browser that is migrating away from common-platform applications. These are JAVA and FLASH to name two. Common-Platforms allow Windows, Mac and Linux to do the same thing. Unfortuneately, there are common security risks that make Windows problems MAC and Linux problems. So if one loads a puppy with Firefox (after version 17 IIRC) one is moving away from JAVA. Perhaps in the near-future HTML5 will allow the removal of FLASH for media content.

What works for me is Puppy, FireFox, and a LAN connection, what I'd like to change is LibreOffice and JAVA to something more Linux (IIRC SoftOffice makes FreeOffice_2012). Others will find their own comfort-zone.
[img]http://www.am3radio.us/image3.jpg[/img] . [img]http://www.am3radio.us/image4.jpg[/img]

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#14 Post by Sylvander »

rufwoof wrote:a good practice is to fake your browsers USER-AGENT
How should I do that?

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#15 Post by Flash »

There's a fairly recent thread somewhere in the forum about spoofing the browser's user agent. You'll have to look for it, as I don't remember where in the forum it is. Seems like it was only a few weeks ago, but time flies when you're getting old. :lol:

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#16 Post by Sylvander »

Here it is. :D

I fail to comprehend the meaning of what I read there. :(

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#17 Post by mikeb »

There's a simple addon for firefox called UAcontrol ...there are others.
A lot of "free wifi" spots are unencrypted for general surfing: its a tragic mistake to enter any password or conduct any business.
You fill find banks and other secure sites use https so even if the wifi is unsecured your information exchange with those sites is.

This all reminds me of the Victorian obsession with cleanliness.
They had found out that there was an invisible world of microscopic organisms and that they were in some way connected with the premature deaths of humans especially in the emerging post industrial revolution cities and towns.
Their fear of the unknown and death meant oodles of servants scrubbing their houses on a 24/7 basis to try and rid them of these miniature killers.

The real cures laid elsewhere...proper sanitation, water treatment, less malnutrition, less coal burning etc etc and a few vaccinations thrown in there... but on the whole humans have built in systems to handle the beasties as long as those humans are looked after and not overwhelmed by infestations.

thats it

mike

gcmartin

#18 Post by gcmartin »

Hi @ThoriumBlvd. Please do not take this as any attack in what you have shared, as you give some good and useful advice. But there are a couple of items I want to provide a little insight for your determining if it is plausible for you to reconsider your stance. First
ThoriumBlvd wrote:...The first is the "Live CD" approach on a CD-R (NOT CD-RW). Basically run it and close it as needed. ...
The implementation in Puppy, I agree is a secure one in how the Puppy system operates. But, the ability (or disability) of CD-RWs is EXACTLY the same when Puppy Linux is run as CD-Rs. There is no difference for the operation of the system and the utilities it contains supporting information to/fro these discs. NONE! CDRW disc offers a single difference! Namely, it can be erased and rewritten many many times. Excepting that feature, there is NO difference in Live CD/DVD use, no matter if the media is -R or -RW.
ThoriumBlvd wrote:... is the AUTOMATIC wifi-on. Tsk, tsk, Tsk broadcasting "I'm Here!". ...
The problem with this statement (and this was covered in depth earlier this year) is that this IS NOT A BROADCAST! In its implementation, this technology works in a similar fashion as your ethenet cable does on your LAN. It simply is using the "air via radio waves" to find a DHCP service (from a WiFi server) for LAN connection and use. This is a similar "broadcast" as is done on your ethernet cable in your home or office. Of course, this can be debated as to whether your LAN services (wired/wireless) is of any good, but, again, that is a debate which has raged for 30 years now (remember AT&T started ethernet for PCs with IBM offering ethernet and tokenring in 1984).

Again, you offer good advice. This is just some information that you might consider as possibly useful to you in the future. Further this post is NOT to take issue, yet, is an attempt to be helpful.

Here to help

Post Reply