How secure is Puppy?

[popcorn]

Hi

Before asking a question if the puppy could be used as a primary OS, but I wonder about the safety of the puppy, it is safe enough to be used as a main distribution interrogation

[ardvark]

Hi

Before asking a question if the puppy could be used as a primary OS, but I wonder about the safety of the puppy, it is safe enough to be used as a main distribution interrogation

Hi...

It's safer than Windows XP right now, partly because very little in the way of malware is written for Linux. However, Puppy does not release security updates for the OS or other software that other distributions do, such as Ubuntu.

Regards...

[mikeb]

partly because very little in the way of malware is written for Linux.

sorry to quote but that's a common myth. rm -rf / is a virus

Linux lacks the mechanisms included in windows that can be used to propagate viruses (IE, outlook, msn, WMP Auto updates and other active x based software ) In other words Linux is inherently secure and you would have to make it otherwise. Even puppy which is a little slack in some areas is magnitudes safer than standard windows. 8 years plus of pup and similar systems and not a sniff of a problem. Paranoia does not actually infect anything except the person suffering it

mike

[nic007]

partly because very little in the way of malware is written for Linux.

sorry to quote but that's a common myth. rm -rf / is a virus

Linux lacks the mechanisms included in windows that can be used to propagate viruses (IE, outlook, msn, WMP Auto updates and other active x based software ) In other words Linux is inherently secure and you would have to make it otherwise. Even puppy which is a little slack in some areas is magnitudes safer than standard windows. 8 years plus of pup and similar systems and not a sniff of a problem. Paranoia does not actually infect anything except the person suffering it

mike

rm -rf / affectionately referred to as cleansweep.

[wimpy]

Recently there were some problems, which could have been interpreted as a virus. The received wisdom was that it was just a coincidence. In my case my Lucid installation could not run X. It set me thinking about puppy's root user and how X(say) could be disabled. Am I right in thinking that a mere change in the permissions or ownership of a critical file in the boot chain could disable X.

[mikeb]

Hmm running as root basically means the system can be damaged.... by the user and his/her actions or crappy installers/software.

What it does not really change is the lack of mechanisms to cause damage via the internet... ie if a virus cannot get it self downloaded, made executable and then run without user intervention then its has no potential to cause damage root or not.

If you were at the roadside it would be hard for you to cause a car to crash.... being able to grab hold of the steering wheel is required.... hope you like my dodgy parable..
The driver is root... you would be sudo as a passenger ....the roadside is the internet....I think...help ....!

mike

[Latitude]

A loss of Pinboard and Drive icons affected several people, myself included, at around the time wimpy lost the ability to run X. The only common denominator seems to be that we were all running ext2 Savefiles. How hard would it be for a Troll with Linux command-line skills to "nobble" someone with an ext2 Savefile?

[ardvark]

sorry to quote but that's a common myth. rm -rf / is a virus

Were you joking? If not, are you sure? Even though Wikipedia only calls it a partial list, that's still only a tiny drop compared to the number of Windows viruses.

8 years plus of pup and similar systems and not a sniff of a problem.

Since Puppy always runs in root, I guess the above would be the main reason why.

Regards...

[mikeb]

How hard would it be for a Troll with Linux command-line skills to "nobble" someone with an ext2 Savefile?

hmm sounds paranoid...we are talking about weaknesses in the system.... such weaknesses have nothing to do with said system's vunerability to the internet. And why nobble if its going to break anyway.


Not joking aadvark...security by obscurity is a myth based on a lack of understanding of why millions of computers get infected daily.

If there are a lack of linux viruses then its more to do with its not worth it since getting those viruses onto a machine is too hard compared to the easy peasy methods freely available on standard windows based systems.

No infections on linux here because ...well its too hard to do so...

I also get NO infections on windows either ..ie ZERO...NON... by removing the aforementioned software and NOTHING else...now don't tell me I am running an obscure system then...windows 2000 and XP mainly.
Oh by the way I always run as administrator. So I am the no.1 target and still OK simply bt removing bad software bundled with the system..hmmm curious.

The difference between the 2 is that on Linux I did not have to do anything to get that level of security.

Non of this is my problem...we have been surfing for 10 years with no restrictions or problems.... its very relaxing and we are free to enjoy whats out there with machines that are not bogged down with antivirus. If no one takes any notice thats fine... we will carry on enjoying the benefits....they can carry on wasting large amounts of time, money and machines.....

mike

[ardvark]

Not joking aadvark...security by obscurity is a myth based on a lack of understanding of why millions of computers get infected daily.

If there are a lack of linux viruses then its more to do with its not worth it since getting those viruses onto a machine is too hard compared to the easy peasy methods freely available on standard windows based systems.

No infections on linux here because ...well its too hard to do so...

Hi...

But wouldn't the methods of infection be the same, in some cases? Such as e-mail, installing an infected program, USB drive, etc?

At least for the known viruses, according to the Wikipedia article, " However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat." Again, that's not counting anything undiscovered but from the small number that are currently known, I don't a large number suddenly being discovered, at least at this point in time.

Regards...

[mikeb]

But wouldn't the methods of infection be the same, in some cases? Such as e-mail, installing an infected program, USB drive, etc?

no and that's the difference.....

Take for example an email with an image in it

outlook express displays that image using an active x control that is from the Internet Explorer fileset...mshtml.dll and related.
Part of that control's function is to run any scripts/software included in that image.... the gateway opens ...run what you like..infection complete.

No other email client can/would do this.... thunderbird treats an image as just that ...an image ... it would never try and run anything.

There are many examples of windows bundled software doing this...mshta, WSH, and anything using the trident rendering engine..... it has improved but some parts of the system are inherently insecure...the zone system for example... it does not protect but actually makes it easier to install viruses.

Mechanisms for auto updates... nice and easy to use...just provide a fake certificate.

All that is left is such as buffer overuns...those security updates that get added regularly all over the place... these are discovered by abusing software and finding if and when it loses the plot which then in theory means it can be used for naughtly purposes.... such things are hard to find.... those looking for it know about a potential problem well before anyone else and fixes are made....a hacker would not ...1.bother to work that hard and 2. would expect that patches are already out there for an exploit that was never known about and its usage is so specific that you only get a minority hit even if you tried it...so why bother when microsoft provided easy gaping holes that can be used to propagate infections written over a decade ago ...mass easy target basically.

I mentioned samba/rpc... those ports are wide open and a fresh install of windows XP can be exploited in less than 2 minutes of connecting to the net...I should know it happened to me.
Fortunately routers firewalls block this gateway nowadays or when I had a modem I disable /hacked both to block the abuse....things is what sort of company puts out software this vunerable?!

mike

[someSven]

Puppy is the worst Linux distro I know, when it comes to security. It has no update mechanism for security updates, it doesn't tell you, and in the forum here you'll find some people with high self-confidence which tell you there is absolutely no need to be in sorrow. Problem is, they are wrong.

Gnu/Linux is NOT inherently secure. It's maybe more secure than others, but it also depends on the distro and the user behavior. Their is also no consent that Gnu/Linux is generally more secure than Win8. MS did a lot to make their system more secure the last years. However, it's much more attractive to attack popular software than outsiders.

Security is highly about the user's behavior, but a good OS or distro helps them. Automatic security updates are a very good example for that. Ubuntu knows that: https://wiki.ubuntu.com/BasicSecurity#T ... t_of_rules
Puppy Linux is not just Linux it's Puppy Linux, Linux is just the core of the system but the stuff around in this case is not build with security in mind.

Security is more and more about browser security. Someone may steal passwords from you, if your browser is not secured. If your browser runs as root and code can be executed on your system using the browser or some plugin then everything can be done. https://www.iseclab.org/people/mlindorf ... poster.pdf (carefull, pdfs in the browser can freeze old machines).

It also depends on your thread model, if you are something like a political activist or journalist, the danger of being attacked is much higher. The number of viruses for Linux are not relevant for that. Attacks are possible, you may be targeted directly, and if you're use old software it will be much easier.

Another point is that you don't know in every case when you've been hacked. Your computer may be part of a botnet ddosing down some websites, sending spam mails every day, private pictures or business data may circling around the net, or your PC may being used by fraudsters to go shopping with stolen credit card data - and you wouldn't recognize. If your computer is newer you even may mining for some crypto-currency without knowing it.

Reasons why criminals are not targeting Desktop Linux on a huge scale yet are not at least cause Gnu/Linux users are normally installing their software from a repository they trust, they are updating their machines, and are generally more careful then many Windows users. If we stop behaving like that, then Gnu/Linux on the desktop will become a more interesting target. The danger of being hacked cause the lack of security in Puppy may be low, if your are not a journalist, activist or some other VIP, but you would help to decrease the 'herd immunity'.
I'm still using it for the moment, but installing some updates manually, at least browser and Flash. However, I plan to switch my main distro away from Puppy. It's not bad for some stuff and maybe really good sometimes, but I personally won't use it as main distro since I know about the problems and the culture behind them.

For very old computers AntiX (http://antix.mepis.org/) may be a alternative. But then you'll need more effort to learn about Gnu/Linux, and using it will be harder (at the beginning). For newer computers their are more alternatives with LXDE or other light desktops, on http://distrowatch.com you'll have plenty of choice.

[rcrsn51]

I have always contended that Puppy should have a "safe browser" desktop icon linked to this script:

Code: Select all

#!/bin/sh
su -l -c "PATH=$PATH LANG=$LANG DISPLAY=$DISPLAY defaultbrowser" spot

[mikeb]

Problem is, they are wrong

perhaps svenSven you are wrong.

Gnu/Linux is NOT inherently secure. It's maybe more secure than others, but it also depends on the distro and the user behavior. Their is also no consent that Gnu/Linux is generally more secure than Win8. MS did a lot to make their system more secure the last years. However, it's much more attractive to attack popular software than outsiders.

this is full of holes and does not tally with the real situation....that last statement is a painfully common myth for example.
Until you realise and accept what you are dealing with nothing will really change.

All I hear is you re-iterating information from sensationalist internet magazines and other 'news' sites as if journalists have the handle on computer security.

Windows 7/8 have been wrapped in cotton wool thats all... some of the mechanisms are still there.... some now require user intervention....
It could only be 'better' as before it was awful...indeed without microsofts criminally bad approach to security the world of computers may have never got to know what a virus was.... And why did it take them over a decade to clean up their act...these problem were well known about in the late 90's?

mike

[greengeek]

Security is highly about the user's behavior, but a good OS or distro helps them. Automatic security updates are a very good example for that. Ubuntu knows that

It is all about trust. Why would you trust Ubuntu with the security of your computer? Do you believe that the writers of Ubuntu code are all good guys with good intentions? Not a chance.

Take a look at who wrote the Stuxnet virus. Take a look at who writes Google code that allows full disclosure of your personal information. Take a look at who writes Microsoft code and security updates over the last 15 years - these are all trustworthy people? No way.

Ever seen a malware program that masquerades as beneficial "PC cleanup software". Yup. You see that every day. Ever had a phone call from an Indian helpdesk wanting to establish a remote connection to your PC so they can help you "eliminate viruses"? Yup, couple of times a year I get that.

Recent Google Chrome versions even have such a remote control function built into them. Who needs virus protection when the real threat is operator stupidity?

The real question is - what harm can these people do to your computer?

You don't need a virus to destroy your files. All that is required is to permit one of these remote sessions that gives someone else access to your computer. Once you have permitted the remote access session to run there is nothing to stop that person issuing a rm -rf / command. No virus required.

However, if you are running Puppy from a CD or a ROM the person controlling your computer can rm -rf/ all they like - it will get them nowhere.

This is why I am currently focusing on building my Puppies using non-writable personal sfs files running from CD. I know that each boot will restore my code to it's original state.

I will never trust a security update. I will never implicitly trust that "the most recent browser is the most secure" and I will never believe that any data on a writable media like an HDD is completely safe. There is simply no way to ensure total safety.

Don't forget that the mechanisms allowing other people to view and control your PC and data is actually BUILT IN to the hardware in many cases. Some webcams and microphones can be controlled remotely (there is plenty of info about how the NSA hijacks hardware for such purposes).

HP printers and multifunctionals had to be issued with new firmware in order to lock out the inbuilt ability to redirect data to spy agencies. There are many ways that state sponsored spying occurs, and there is only so much the user can do to guard against this. Trusting in security updates that you didn't write yourself is not a reliable method in my opinion.
.

[ardvark]

Take for example an email with an image in it

outlook express displays that image using an active x control that is from the Internet Explorer fileset...mshtml.dll and related.
Part of that control's function is to run any scripts/software included in that image.... the gateway opens ...run what you like..infection complete.

No other email client can/would do this.... thunderbird treats an image as just that ...an image ... it would never try and run anything.

Ahhhhhhhh, ok, I didn't know this, thank you.

I mentioned samba/rpc... those ports are wide open and a fresh install of windows XP can be exploited in less than 2 minutes of connecting to the net...I should know it happened to me.

I thought the Windows XP firewall was supposed to stop things like this?

Regards...

[mikeb]

I thought the Windows XP firewall was supposed to stop things like this?

yeah...make it insecure then add software to protect it cos they are the good guys

Bit like selling a door with no lock and then selling you a burglar alarm.

mike

[mikeb]

Hey greengeek missed yer post...so that's why I don't have a web cam and mic ..... they would get a nice shock seeing me in the morning.

I suppose I always maintained vehicles myself as I did not trust garages.....

mike

[Galbi]

And what if we make a real life experiment?

Supose that I say: my Lucid 5.28 with public IP 200.45.89.xx will be online from 9 am to 9 pm.
Your mission Jim, if you dicide to accept it, is to get the content of a .txt file that I put in /root
Of course the firewall will be on.

How easy/difficult could be to get that file?

I can offer my PC to do the experiment if there are skilled enough people interested in.

The prize? A big push to the winner ego.

[greengeek]

...so that's why I don't have a web cam and mic ..... they would get a nice shock seeing me in the morning.

Oh, by the way - if you happen to be doing something interesting in your bedroom at night, please make sure your Android smartphone is locked inside a lead lined box. Hate to find those pics and wavs all over the internet

Disclosure: I only suffer from a mild case of paranoia. Anyway it's not my fault. My brain gets affected by all those people following me.