How secure is Puppy?
I think the answer to the OP's question is it depends how you use it.
I use Windows XP for lots of stuff and Puppy (and lately Debian Dog) just on the side.
But if I am going to do something dodgy, like go to a site that I think might have viruses, opening email attachments that just got me too curious to delete, or be clicking unknown links on Twitter etc, I use Puppy. Why? Because with a Frugal Install set up with no save file or so only save changes when I tell it to, there is no way anything can hurt me. It can download all the viruses it wants, when I reboot, nothing gets saved. Or, almost as good, you can back up your save file and if you have any problems delete the virus'ed save file and replace it with the back up. (edit-also no script in the browsers)
If you so a full install or don't backup your save file, install java to run in your browser, and run straight off the internet with no router or firewall is Puppy secure. Hell no. But if you set it up with security in mind, it is totally safe.
I use Windows XP for lots of stuff and Puppy (and lately Debian Dog) just on the side.
But if I am going to do something dodgy, like go to a site that I think might have viruses, opening email attachments that just got me too curious to delete, or be clicking unknown links on Twitter etc, I use Puppy. Why? Because with a Frugal Install set up with no save file or so only save changes when I tell it to, there is no way anything can hurt me. It can download all the viruses it wants, when I reboot, nothing gets saved. Or, almost as good, you can back up your save file and if you have any problems delete the virus'ed save file and replace it with the back up. (edit-also no script in the browsers)
If you so a full install or don't backup your save file, install java to run in your browser, and run straight off the internet with no router or firewall is Puppy secure. Hell no. But if you set it up with security in mind, it is totally safe.
Last edited by dancytron on Sat 16 Aug 2014, 20:40, edited 2 times in total.
You are raising good points. This is an important discussion. However, I do not agree with your belief that newer software is always more secure. That way of thinking is the same one that has led countless Windows users to apply thousands of 'security updates' to all manner of software over the last 15 years, without ever once reading what they were installing.someSven wrote: You are speculating about security updates with backdoors and mentioning a lot of other stuff, while regular Puppy is open for everyone. Old browsers with old Flash aren't secure, period. Everyone who tells something else has not clue or has other bad reasons.
Trust=Laziness=Stupidity.
There is a reason that Steve Jobs would not permit Flash to be used on Apple products - he knew that it could not be made secure. He was very clear about that. So the question is - if Steve Jobs rejected Flash as inherently insecure why should we falsely believe that newer versions are safe? It is better in my opinion to treat all versions of flash as faulty and insecure.
The only people who are at risk from insecure Flash versions are those who are using computers in the belief that they are safe. Those of us who KNOW that Flash is unsafe can take other measures to keep our operating systems secure. The problem is when people PRETEND that newer=safer.
Is HTML5 any safer than Flash? Depends on your point of view. HTML5 contains code that allows the vendor of the webpage to control what your PC does with the data. Do you feel secure that your PC is controlled by the DRM policy of the webpage vendor? Do you feel happy that the webpage reports your data usage patterns? I don't.
The next questions are - if the internet is a bad place then:
1) Who can you trust?
Answer: Nobody. There is no corporation in the world who you can trust to put your own security first. Each computer user must make their own decision about how much of their data they are exposing, and what steps they take to control the security of the operating code in their computer.
2) How can you best ensure your safety?
Answers:
- Keep your data offline when using the internet. ie: do not mount your data drives. Do not plug them in.
- Disconnect your webcam and microphone when browsing.
- Use an operating system that is read only. ie: boot your operating system from a 'closed', read only CD or DVD
- Reboot frequently. Understand that ANY operating system can be deliberately or accidentally corrupted while running in RAM. In other words, your code could be hijacked during an online session and the behaviour of your machine can be altered for bad purposes, without your bootable code having been altered. At least this malicious code will be deleted upon the next reboot.
- Avoid buying usb sticks and SD/microSD cards of the brand that was used for the Stuxnet virus.
- Check any new usb stick for hidden partitions.
It is important to recognise that some governments REQUIRE that software manufacturers and ISPs etc create and maintain spyware backdoors in the hardware, operating system, programs, websites or data streams for the purposes of tracking the behaviour of citizens. These corporations are often uncomfortable about keeping such things secret, but nevertheless they HAVE to permit this level of spying by law.
I recall many years ago I was taught how to use an early unix based CAD system and the tutor explained to us that the person who designed the systems' security had added a backdoor to allow them to regain control of the system if something went wrong with the login module. So we all had to remember "MPXGOD" as the over-riding system password to give full administrator access to everything. I remember reading that Windows 98 had similar code grafted into many of it's modules too. No doubt the Windows of today is much more secure but there will still be such backdoors.
The reason I feel puppy is secure is that it allows me to make the decisions about who I trust, and who I don't trust. I can trim out code that I don't like - and I can choose to use a really old puppy if I want basic functionality without overblown code. How can other Linuxes take up an entire DVD? What the heck is in that code????
> Sylvander
And you think malware is always doing this kind of funny stuff, just to get some attention? Files can be accessed without opening windows, and browser data can be stolen.
> jamesbond
I suppose it was me writing a P.M. to popcorn, not to use Puppy as main distro, which made him opening this thread.
> darry1966
Sorry, messed something up. There was a area which I couldn't read while not logged in. I thought the thread was moved there, and so not accessible by visitors and search engines.
> wimpy
1. Banks are not checking your OS, but maybe your browser. I never saw that.
2. For the root thing there is an good explanation, you may search for it. I don't see this as a problem, but I'm also not saying I'm an expert on security or Gnu/Linux. I'm using most Internet programs as spot.
3. Having Wine installed should not be a problem, and using it also not if it is done with carefulness. There are many Pupplets for special purposes, and not in every case the need for high security is important.
> in future disgruntled trolls may decide to take advantage of the open door.
Actually it wouldn't be a troll thing but a business opportunity. The thing is, only a small amount of users is registered here, and I wouldn't know another way to find them. In some point the naively fraction is right, you can't easily differ Puppy users from the Linux herd and so Windows users would still be a more attractive target.
@all
Is there a way to use Puppy Package Manager (PPM) with the shell, and script it? Or is there another shell tool to search the packages like PPM? If some people wanna address the mentioned problems, then we'll need something like that to write some scripts. On the other hand, if only access to ubuntu-precise-main is needed, then good old apt should do it? Would it be that simple?
And you think malware is always doing this kind of funny stuff, just to get some attention? Files can be accessed without opening windows, and browser data can be stolen.
> jamesbond
I suppose it was me writing a P.M. to popcorn, not to use Puppy as main distro, which made him opening this thread.
> darry1966
Sorry, messed something up. There was a area which I couldn't read while not logged in. I thought the thread was moved there, and so not accessible by visitors and search engines.
> wimpy
1. Banks are not checking your OS, but maybe your browser. I never saw that.
2. For the root thing there is an good explanation, you may search for it. I don't see this as a problem, but I'm also not saying I'm an expert on security or Gnu/Linux. I'm using most Internet programs as spot.
3. Having Wine installed should not be a problem, and using it also not if it is done with carefulness. There are many Pupplets for special purposes, and not in every case the need for high security is important.
> in future disgruntled trolls may decide to take advantage of the open door.
Actually it wouldn't be a troll thing but a business opportunity. The thing is, only a small amount of users is registered here, and I wouldn't know another way to find them. In some point the naively fraction is right, you can't easily differ Puppy users from the Linux herd and so Windows users would still be a more attractive target.
@all
Is there a way to use Puppy Package Manager (PPM) with the shell, and script it? Or is there another shell tool to search the packages like PPM? If some people wanna address the mentioned problems, then we'll need something like that to write some scripts. On the other hand, if only access to ubuntu-precise-main is needed, then good old apt should do it? Would it be that simple?
If you are that concerned about security the external drives should be encrypted, just in case you are burgled. Then no-one can read the contents of the stolen hard-drive / USB stick.greengeek wrote:- Keep your data offline when using the internet. ie: do not mount your data drives. Do not plug them in.
TrueCrypt can create encrypted drives and is still available ... https://www.grc.com/misc/truecrypt/truecrypt.htm
[ of course if you ever loose the password for the encrypted drives you'll never see your data again ].
- Moose On The Loose
- Posts: 965
- Joined: Thu 24 Feb 2011, 14:54
The puppy side can be extremely secure because it can be booted from virtual CDGalbi wrote:¿How secure it's to do online banking with Puppy but ínside a virtual machine running over a Windows host¿
Virtual Box is very secure being open source etc
Win-7 is somewhat secure because all the packets it sees are the encrypted ones
You still have to worry about tricks that involve keyboard monitoring and screen capturing. The key strokes for your password will still pass through the windows OS.
If your bank uses the random question trick, the situation is better.
If you want to reduce risk:
1) Open a document in the Puppy side
2) Web browse to your bank's sign in page
3) Add some text to the text document
4) sign in on the web browser
This way anything that watches for a likely password entry page gets nothing but your text when as the next 20 key strokes
Thats a great link muggins. There are many perceptive comments below the main article too. One of them mentions the following link:muggins wrote:Banking on a Live CD
http://cryptome.org/2012/07/gent-forum-spies.htm
which I found particularly entertaining. It had links to various CIA documents and general info regarding direct attempts to spy on and infiltrate forums etc. Very intriguing.
@greengeek
I'm getting (sometimes) tired of answering the misleading arguments here in this thread, but you won't get away with it.
> I do not agree with your belief that newer software is always more secure.
If you are arguing against security updates, then it's like arguing against physics or vaccinations. It's not some 'opinion'. There are updates for errors which make attacks possible, which have been proofed by exploits, so what are we arguing here?
I don't want to discuss the rest you've wrote above. It's alway the same here: distractions, distractions, distractions. Whatever else you do, you'd be safer installing updates.
The other thing you should ask yourself: How many Puppy users are using it your way? How many of those who think "Oh, it's Linux, it's secure but easier to use than other distros"?
@Galbi
I'm getting (sometimes) tired of answering the misleading arguments here in this thread, but you won't get away with it.
> I do not agree with your belief that newer software is always more secure.
If you are arguing against security updates, then it's like arguing against physics or vaccinations. It's not some 'opinion'. There are updates for errors which make attacks possible, which have been proofed by exploits, so what are we arguing here?
I don't want to discuss the rest you've wrote above. It's alway the same here: distractions, distractions, distractions. Whatever else you do, you'd be safer installing updates.
The other thing you should ask yourself: How many Puppy users are using it your way? How many of those who think "Oh, it's Linux, it's secure but easier to use than other distros"?
@Galbi
The browser in a Puppy distro is not secure, but if you are not visiting other websites before going to your banks website then this shouldn't be a problem. On the other hand you shouldn't overestimate the security of virtual machines. It also depends on what windows you have installed, how you're using it and if you have installed all your updates on your windows machine. I'd recommend at least to use a live CD of Puppy instead of running it in a VM, and don't visit other websites with your browser in Puppy before or while you are doing online banking.¿How secure it's to do online banking with Puppy but ínside a virtual machine running over a Windows host¿
Wow busy thread while I have been blasted by gales
Don't use windows for internet banking should read don't use IE for internet banking. 10 years of internet banking on windows without a problem....how long should i test it for?...by the way thats using firefox of course.
mike
please give me a sample link for me and others to test.... though I am a bit disappointed with your backdown on making some puppy tests... whenever i ask for concrete evidence/tests for security on here all I get is silence......You just need to open a link to a malicious website with your old crappy browser and Flash, and your are done.
Don't use windows for internet banking should read don't use IE for internet banking. 10 years of internet banking on windows without a problem....how long should i test it for?...by the way thats using firefox of course.
mike
I'd like a link to test as well.....mikeb wrote:please give me a sample link for me and others to test....
With all of these gloom-and doom threads that periodically appear I don't recall anything being provided to test, by anyone.
Same here, I don't use Internet Explorer, Outlook Express or Windows Media Player......by not using the Microsoft malware-magnet apps Windows can be fairly secure.mikeb wrote:Don't use windows for internet banking should read don't use IE for internet banking. 10 years of internet banking on windows without a problem....how long should i test it for?...by the way thats using firefox of course.
Computer security still mainly depends on the person behing the keyboard.
Yes thats the one factor thats out of the control of the system.... I guess running as a user is the best option for those cases...Computer security still mainly depends on the person behing the keyboard.
Later windows have improved and it seems the human factor is the main problem....hence all those questions before being allowed to anything....not sure if they still make you admin with a fresh setup since I have never done one.
Funny really NT4 was inherently secure on the internet as it lacked all the nasties.... still works with such as opera 12
mike
Not speaking on behalf of greengeek, but I'm inclined to reply to your statement.someSven wrote:@greengeek
I'm getting (sometimes) tired of answering the misleading arguments here in this thread, but you won't get away with it.
> I do not agree with your belief that newer software is always more secure.
If you are arguing against security updates, then it's like arguing against physics or vaccinations. It's not some 'opinion'. There are updates for errors which make attacks possible, which have been proofed by exploits, so what are we arguing here?
I don't want to discuss the rest you've wrote above. It's alway the same here: distractions, distractions, distractions. Whatever else you do, you'd be safer installing updates.
greengeek isn't arguing against security updates. He's arguing against your tenet that "must always run latest software or otherwise it is not secure." (or, written in another way, "you'd always be safer installing updates"). I would say that arguing against *that* is *not* the same as arguing against the law of gravity or vaccinations (btw I'm a supporter of both), because it can easily be proven wrong.
I would just present three examples:
a) I'm sure you're are familiar with OpenSSL Heartbleed fiasco. Do you know which version is affected (answer: 1.0.1 - 1.0.1f) ? Do you know that some of the older puppies are not affected because they still use openssl 0.9.8 or 1.0.0?
b) In worlds outside Puppy (=Windows world) how many times we read in the news that Windows "security" updates do:
b1) install more than just security updates, and
b2) crash the system so badly so it can't boot until you wipe it out and reinstall Windows?
c) In fact, b) is so bad that in many large organisations, people perform the updates ("security" or otherwise) on test machines first, confirm that everything is okay, before applying them on production systems.
Note that this is not an argument against security updates - I think nobody around here disagrees that updating a component with known security bug is a bad idea.
What I'm disagreeing is the statement that "if your computer isn't running the latest available software then it is not secure."
Anyway, I know that nobody around here is going to change your mind, so let's just agree to disagree. To that point, for you (and anyone) who hold "must run latest updates" as your security criteria, then Puppy is obviously not secure enough for you. You'd probably feel safer running Arch with its rolling release model.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
http://technet.microsoft.com/en-us/libr ... s.10).aspx
In Windows® 7, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.
An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows 7.
Very good example, thanks.jamesbond wrote: I'm sure you're are familiar with OpenSSL Heartbleed fiasco. Do you know which version is affected (answer: 1.0.1 - 1.0.1f) ? Do you know that some of the older puppies are not affected because they still use openssl 0.9.8 or 1.0.0?
Ok, now you have pushed my hot buttonsomeSven wrote: If you are arguing against security updates, then it's like arguing against physics or vaccinations.
My daughter cannot have vaccinations as the first one nearly killed her.
Also - some vaccinations contribute to autism when given to the children of mothers who have rhesus negative blood types. (Like my mum was).
And before anyone starts telling me that the autism/mercury link has been disproven - do more research and look at it with an open mind. If you are a rhesus positive female you can probably trust most vaccinations. If you are rhesus negative you need to look very very very carefully at whose statistics and information you risk your kiddies future health with.
It's all about who you trust...
Very apt. I couldn't say better myself.mikeb wrote:My boat / windows metaphor for such is don't worry about a few holes in the cabin roof ...just make sure there is not great big one below the waterline.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
In a Linux course, this is taught:
I personally have NO position. But, I am aware that Puppy Linux distros are a lot of individual distros without a common, agreed to, mechanism to address some of this.
"Keeping it real."
Judge as you will. Over last 20 years this has been a source of debate.Linux Course wrote:When security problems in either the Linux kernel or applications and libraries are discovered, Linux distributions have a good record of reacting quickly and pushing out fixes to all systems by updating their software repositories and sending notifications to update immediately. The same thing is true with bug fixes and performance improvements that are not security related.
However, it is well known that many systems do not get updated frequently enough and problems which have already been cured are allowed to remain on computers for a long time; this is particularly true with proprietary operating systems where users are either uninformed or distrustful of the patching policy as sometimes updates do cause new problems and break existing operations. Many of the most successful attack vectors come from exploiting security holes for which fixes are already known but not universally deployed.
I personally have NO position. But, I am aware that Puppy Linux distros are a lot of individual distros without a common, agreed to, mechanism to address some of this.
"Keeping it real."