How secure is Puppy?

[someSven]

@greengeek
I'm getting (sometimes) tired of answering the misleading arguments here in this thread, but you won't get away with it.

> I do not agree with your belief that newer software is always more secure.

If you are arguing against security updates, then it's like arguing against physics or vaccinations. It's not some 'opinion'. There are updates for errors which make attacks possible, which have been proofed by exploits, so what are we arguing here?

I don't want to discuss the rest you've wrote above. It's alway the same here: distractions, distractions, distractions. Whatever else you do, you'd be safer installing updates.

The other thing you should ask yourself: How many Puppy users are using it your way? How many of those who think "Oh, it's Linux, it's secure but easier to use than other distros"?

@Galbi

¿How secure it's to do online banking with Puppy but ínside a virtual machine running over a Windows host¿

The browser in a Puppy distro is not secure, but if you are not visiting other websites before going to your banks website then this shouldn't be a problem. On the other hand you shouldn't overestimate the security of virtual machines. It also depends on what windows you have installed, how you're using it and if you have installed all your updates on your windows machine. I'd recommend at least to use a live CD of Puppy instead of running it in a VM, and don't visit other websites with your browser in Puppy before or while you are doing online banking.

[mikeb]

Wow busy thread while I have been blasted by gales

You just need to open a link to a malicious website with your old crappy browser and Flash, and your are done.

please give me a sample link for me and others to test.... though I am a bit disappointed with your backdown on making some puppy tests... whenever i ask for concrete evidence/tests for security on here all I get is silence......

Don't use windows for internet banking should read don't use IE for internet banking. 10 years of internet banking on windows without a problem....how long should i test it for?...by the way thats using firefox of course.

mike

[James C]

please give me a sample link for me and others to test....

I'd like a link to test as well.....

With all of these gloom-and doom threads that periodically appear I don't recall anything being provided to test, by anyone.

Don't use windows for internet banking should read don't use IE for internet banking. 10 years of internet banking on windows without a problem....how long should i test it for?...by the way thats using firefox of course.

Same here, I don't use Internet Explorer, Outlook Express or Windows Media Player......by not using the Microsoft malware-magnet apps Windows can be fairly secure.

Computer security still mainly depends on the person behing the keyboard.

[mikeb]

Computer security still mainly depends on the person behing the keyboard.

Yes thats the one factor thats out of the control of the system.... I guess running as a user is the best option for those cases...

Later windows have improved and it seems the human factor is the main problem....hence all those questions before being allowed to anything....not sure if they still make you admin with a fresh setup since I have never done one.

Funny really NT4 was inherently secure on the internet as it lacked all the nasties.... still works with such as opera 12

mike

[jamesbond]

@greengeek
I'm getting (sometimes) tired of answering the misleading arguments here in this thread, but you won't get away with it.

> I do not agree with your belief that newer software is always more secure.

If you are arguing against security updates, then it's like arguing against physics or vaccinations. It's not some 'opinion'. There are updates for errors which make attacks possible, which have been proofed by exploits, so what are we arguing here?

I don't want to discuss the rest you've wrote above. It's alway the same here: distractions, distractions, distractions. Whatever else you do, you'd be safer installing updates.

Not speaking on behalf of greengeek, but I'm inclined to reply to your statement.

greengeek isn't arguing against security updates. He's arguing against your tenet that "must always run latest software or otherwise it is not secure." (or, written in another way, "you'd always be safer installing updates"). I would say that arguing against *that* is *not* the same as arguing against the law of gravity or vaccinations (btw I'm a supporter of both), because it can easily be proven wrong.

I would just present three examples:
a) I'm sure you're are familiar with OpenSSL Heartbleed fiasco. Do you know which version is affected (answer: 1.0.1 - 1.0.1f) ? Do you know that some of the older puppies are not affected because they still use openssl 0.9.8 or 1.0.0?

b) In worlds outside Puppy (=Windows world) how many times we read in the news that Windows "security" updates do:
b1) install more than just security updates, and
b2) crash the system so badly so it can't boot until you wipe it out and reinstall Windows?

c) In fact, b) is so bad that in many large organisations, people perform the updates ("security" or otherwise) on test machines first, confirm that everything is okay, before applying them on production systems.

Note that this is not an argument against security updates - I think nobody around here disagrees that updating a component with known security bug is a bad idea.

What I'm disagreeing is the statement that "if your computer isn't running the latest available software then it is not secure."

Anyway, I know that nobody around here is going to change your mind, so let's just agree to disagree. To that point, for you (and anyone) who hold "must run latest updates" as your security criteria, then Puppy is obviously not secure enough for you. You'd probably feel safer running Arch with its rolling release model.

[James C]

http://technet.microsoft.com/en-us/libr ... s.10).aspx

In Windows® 7, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.
An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows 7.

[mikeb]

My boat / windows metaphor for such is don't worry about a few holes in the cabin roof ...just make sure there is not great big one below the waterline.

Agreed if Puppy...the FREE distro is not to your liking then simply use something else.

mike

[greengeek]

I'm sure you're are familiar with OpenSSL Heartbleed fiasco. Do you know which version is affected (answer: 1.0.1 - 1.0.1f) ? Do you know that some of the older puppies are not affected because they still use openssl 0.9.8 or 1.0.0?

Very good example, thanks.

If you are arguing against security updates, then it's like arguing against physics or vaccinations.

Ok, now you have pushed my hot button
My daughter cannot have vaccinations as the first one nearly killed her.
Also - some vaccinations contribute to autism when given to the children of mothers who have rhesus negative blood types. (Like my mum was).

And before anyone starts telling me that the autism/mercury link has been disproven - do more research and look at it with an open mind. If you are a rhesus positive female you can probably trust most vaccinations. If you are rhesus negative you need to look very very very carefully at whose statistics and information you risk your kiddies future health with.

It's all about who you trust...

[jamesbond]

My boat / windows metaphor for such is don't worry about a few holes in the cabin roof ...just make sure there is not great big one below the waterline.

Very apt. I couldn't say better myself.

[gcmartin]

In a Linux course, this is taught:

When security problems in either the Linux kernel or applications and libraries are discovered, Linux distributions have a good record of reacting quickly and pushing out fixes to all systems by updating their software repositories and sending notifications to update immediately. The same thing is true with bug fixes and performance improvements that are not security related.

However, it is well known that many systems do not get updated frequently enough and problems which have already been cured are allowed to remain on computers for a long time; this is particularly true with proprietary operating systems where users are either uninformed or distrustful of the patching policy as sometimes updates do cause new problems and break existing operations. Many of the most successful attack vectors come from exploiting security holes for which fixes are already known but not universally deployed.

Judge as you will. Over last 20 years this has been a source of debate.

I personally have NO position. But, I am aware that Puppy Linux distros are a lot of individual distros without a common, agreed to, mechanism to address some of this.

"Keeping it real."

[Moat]

With all of these gloom-and doom threads that periodically appear I don't recall anything being provided to test, by anyone.

Or, for that matter, much in the way of anything provided regarding problems with actual system infection/intrusion/etc. With 27,455 members here on the Puppy forum, you'd think if Puppy was inherently insecure, you'd sure be hearing about it. I don't, and never have (up until Sylvander's post earlier in this thread) - but that's certainly not the case when perusing Windows forums, in my experience...

Proof is in the pudding, as they say - and a ruthlessly infected/compromised Puppy system would be nothing but a 5 minute savefile-swap away from being restored back to normal, anyways.

Me - I'm not too worried about such things. But then again - I'm impoverished enough that I've not much to lose in the first place...

Bob

[wimpy]

My boat / windows metaphor for such is don't worry about a few holes in the cabin roof ...just make sure there is not great big one below the waterline.

Very apt. I couldn't say better myself.

Holing a ship below the waterline was a no-no - if you wanted to keep it as a prize. The real nasty viruses don't draw attention to themselves. A captain who was secure in the knowledge that his boat/ship was sound would do well to check his compass to make sure he wasn't headed for the rocks.

[mikeb]

With 27,455 members here on the Puppy forum, you'd think if Puppy was inherently insecure, you'd sure be hearing about it

Perhaps not scientific enough for some but I am definitely not alone with reports of YEARS of usage without a problem. Having discovered what made Windows fail miserably and knowing that Linux lacks such things I do get a sense of security...perhaps that does make us lax and in the future Windows with an improved security model might make bad people look at new ways of infecting users.... That actually WHY I want examples of possible threats to test out. If there is a problem I want to know about it. When securing windows I deliberately went to bad sites and opens email links to see how safe I was.

Like with anything ... once a problem has been exposed then a fix is possible.

Vaccinations especially for extinct diseases need reexamining and bring up to date with the current situation....just like security. Nothing should ever be set in stone...life changes. If the risk of problems from the vaccination is higher than that of the disease then that needs looking into rather than 'well it helped then so it will help now' attitude.

Doctors used to treat constipation with mercury drinking !

Wow he topic slides out of view.

mike

[nic007]

If the choice is between taking a free ticket with Malaysian Airways and not flying due to the slight possibility
of the plane vanishing or getting shot down, I'll take the free ride. I'm happy to use Puppy with older software without fear of security issues..

[Latitude]

@nic007
but you do take "precautions" . . . . . . like running without a Savefile.

[anikin]

I personally have NO position...

To have NO position is already a position ... and a convenient one, I'd say. Although, I too find it hard to have a clear position on this particular discussion. There's not a single person with whom I'd totally disagree - everyone has a point. A tempest in a teapot. Was it Linus Torvalds, who said, that "bashing Microsoft now is like kicking a puppy." Security wise Puppy should be compared to Linux distros, not Windows. For example, which one is more secure - Porteus, Debian, or Puppy? How do we define security - only flash and updates? How about Puppy's online behavior - does it connect to any sites without the user's knowledge? If it does, should that be considered a security implication?

[Smithy]

I personally have NO position...

How about Puppy's online behavior - does it connect to any sites without the user's knowledge? If it does, should that be considered a security implication?

Well if geolocation data is considered so, then yes it could be. But micko put a switch in, and others remove the line out of firewall state and pup control panel.

But the Seven Poster was suggesting that puppy linux could be used as a zombie to attack, possibly without the user's knowledge.

And poster also considered that Puppy Linux users are a bit complacent about these things.

Well that is not the case, all the bits and the brains are here on the forum to get a fairly robust system that doesn't get in the way.

Until we are all done with ones and noughts and move on to telepathy or something.

[darry1966]

At least with Puppy you can edit config files and make improvements much more easily than Windows eg windows registry I won't touch that.

Go Puppy and other good distros.

jamesbond wrote:
I'm sure you're are familiar with OpenSSL Heartbleed fiasco. Do you know which version is affected (answer: 1.0.1 - 1.0.1f) ? Do you know that some of the older puppies are not affected because they still use openssl 0.9.8 or 1.0.0?


True.

[mikeb]

Oh you should.... hecking around th eregistry is fun...its amazing what can be done in there.

Hacking windows generally...I got a 17GB install of 7 down to under 4. One bonus of windows is millions of users which means a huge pool of smart people contributing improvements and fixes to microsofts bunnies and then a massive pool of funky software to run on it. Non of this waiting for some demi-god to approve some minor adjustment.

mike

[Fossil]

@ mikeb

Doctors used to treat constipation with mercury drinking !

Ah, Mercury! Let's not forget it's other use; the curing of men's self-induced 'social' condition: "One night with Venus, five with Mercury!" Or, the 'Mad-Hatter' syndrome; treating felt hat's with a mercury compound. Or, sensitizing old-fashioned photographic plates with mercury vapour. What better way to get a good dose of doolally tap - to go with the clap!