Gentoo Forums
paranoide
farmer.ro
Apprentice
Joined: 20 Aug 2016
Posts: 179

Posted: Fri Nov 11, 2016 8:20 am    Post subject: paranoide

I watched speeches of Jacob Appelbaum exposing the NSA and it left me with a few questions regarding Gentoo security:

Question: How can we know for sure that the NSA is not spying on us while using Gentoo, when the NSA seems to have the power to pwn tools like AIDE or Wireshark?

Question: It seems to me that when using, for example, Debian it is much easier to wipe the entire disk and do a fresh install within 30 minutes; in contrast, a Gentoo install might take 1 or 2 days. Does this leave Gentoo more vulnerable to attacks from the NSA?

Question: Is it possible that the NSA has employees in the GNU/Linux software development team who might program software with malicious tools?

How can I maintain anonymity?

Maxxx
Guru
Joined: 12 Jan 2016
Posts: 595
Location: Italia

Posted: Fri Nov 11, 2016 9:15 am    Post subject: Re: paranoide

farmer.ro wrote:
... in contrast, a Gentoo install might take 1 or 2 days. Does this leave Gentoo more vulnerable to attacks from the NSA...


Excuse me, but I don't understand why Gentoo is more vulnerable than other Linux distros only because it might take 1 or 2 days to install.
Could you explain it to me?

farmer.ro
Apprentice
Joined: 20 Aug 2016
Posts: 179

Posted: Fri Nov 11, 2016 9:24 am    Post subject:

If there are 10 vulnerabilities that we know of, there might actually be 15, so let's reduce it to 5.

What I am trying to say is: if you get a possible WebKit exploit or any other kind of attack, then wiping the disk and doing a fresh install, let's say once a week, which only takes about 30 minutes, reduces the chances of a compromised box; in contrast, where the installation takes 2 days, wiping the disk once a week is not really worth the installation time.

I hope someone can answer my other questions.

Maxxx
Guru
Joined: 12 Jan 2016
Posts: 595
Location: Italia

Posted: Fri Nov 11, 2016 9:32 am    Post subject:

Ah ok...

I can't answer your question... I don't know.

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54821
Location: 56N 3W

Posted: Fri Nov 11, 2016 11:47 am    Post subject:

farmer.ro,

It's no comfort, but we can't be sure. Gentoo is no worse than any other distro in this regard.

Consider the following: Gentoo comprises only Portage and the Gentoo ebuild repository.
All the applications that you choose to install are $UPSTREAM. With a few patches here and there, $UPSTREAM is the same for everyone.
That's a little bit of a simplification - in Gentoo you get to choose how your packages are built, so you might get lucky and configure security problems out.

As for wiping the HDD and reinstalling, do you really need to rebuild everything?
You only need to rebuild vulnerable packages. The rest can be reinstalled from your saved binaries, unless you believe that they have been compromised too.

Can you trust $UPSTREAM not to include exploits?
Absolutely not. That's why security is like the layers of an onion. You make it difficult for an attacker to get in, difficult to do anything useful if they do get in and difficult to phone home.

Your firewall makes it harder for things to get in. You know why you are running listening services and on what ports. Everything else is blocked.
You don't run a half open firewall either. Only things you want to use are allowed out.
You may run a hardened system (not SELinux). That will stop several classes of exploits.
You can try Tinhat Linux. That runs entirely from DVD. No HDD access at all.
You monitor your logs for nasty things.
Add in tripwire to keep checksums of installed files (on RO media).

The more layers you add to your security onion, the more the security intrudes into your day to day use of your install.
You have to determine the threats you want to defend against and deploy security you are happy to work with.

Oh, you won't be targeted by a government.
It's much easier for a government to extract your pass phrases from you directly by sending the boys round.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
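
The checksum layer mentioned in the post above (tripwire-style checksums kept on read-only media), sketched as an added example that is not part of the original post or of tripwire itself. The function names and all paths are hypothetical, and GNU find, sort, xargs and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-checksum baseline.
# Function names and all paths are hypothetical. Assumes GNU find, sort,
# xargs, sha256sum and any POSIX awk. File names containing newlines are
# not supported by this simple line-based format.

# make_baseline DIR OUT
# Write "sha256  ./relative/path" for every regular file under DIR to OUT.
# OUT must live outside DIR, ideally on media that is mounted read-only later.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# check_baseline DIR BASELINE
# Re-hash DIR and compare against BASELINE. Prints one line per finding
# (CHANGED, ADDED, MISSING) and returns 1 if there is any, 0 if clean.
check_baseline() {
    cb_cur=$(mktemp) || return 2
    cb_rc=0
    make_baseline "$1" "$cb_cur"
    awk '
        { hash = $1; path = substr($0, 67) }  # 64 hex digits + 2 spaces
        FILENAME == ARGV[1] { old[path] = hash; next }
        !(path in old)      { print "ADDED " path; bad = 1; next }
        old[path] != hash   { print "CHANGED " path; bad = 1 }
                            { seen[path] = 1 }
        END {
            for (p in old) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad + 0
        }' "$2" "$cb_cur" || cb_rc=1
    rm -f "$cb_cur"
    return "$cb_rc"
}
```

Run the check with the baseline and the tools themselves (sha256sum, awk, this script) taken from the read-only medium, since a compromised system can alter the checker as easily as the files it checks.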

Maxxx
Guru
Joined: 12 Jan 2016
Posts: 595
Location: Italia

Posted: Fri Nov 11, 2016 2:55 pm    Post subject:

NeddySeagoon wrote:
...You may run a hardened system (not SELinux). That will stop several classes of exploits...


Excuse me, why not SELinux? Maybe because SELinux is developed directly by NSA?
And then, what alternative?

fedeliallalinea
Administrator
Joined: 08 Mar 2003
Posts: 31460
Location: here

Posted: Fri Nov 11, 2016 3:06 pm    Post subject:

Maxxx wrote:
Excuse me, why not SELinux? Maybe because SELinux is developed directly by NSA?

https://en.wikipedia.org/wiki/Security-Enhanced_Linux
_________________
Questions are guaranteed in life; Answers aren't.

Maxxx
Guru
Joined: 12 Jan 2016
Posts: 595
Location: Italia

Posted: Fri Nov 11, 2016 3:29 pm    Post subject:

Android smartphones have the Dirty Cow bug, SELinux isn't secure...
Will it turn out that the safest is the "old" Windows? :lol: :lol:

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920

Posted: Fri Nov 11, 2016 5:48 pm    Post subject: Re: paranoide

farmer.ro wrote:
How can I maintain anonymity?

When you've defined the threat model as an omnipotent, omniscient entity out to get everyone?

Don't make enough noise to be noticed.

Hu
Administrator
Joined: 06 Mar 2007
Posts: 23082

Posted: Sat Nov 12, 2016 2:10 am    Post subject:

Maxxx wrote:
NeddySeagoon wrote:
...You may run a hardened system (not SELinux). That will stop several classes of exploits...


Excuse me, why not SELinux? Maybe because SELinux is developed directly by NSA?
And then, what alternative?

No, not because NSA employees worked on it. SELinux is primarily focused on defining new and detailed ways to define which entities may access which resources. Relative to other hardening systems, SELinux spends comparatively little effort dealing with the possibility that the kernel has exploitable defects, so unless you can assume that your kernel functions exactly as its authors intend, SELinux cannot protect against certain classes of threat.

Maxxx wrote:
Android smartphones have the Dirty Cow bug, SELinux isn't secure...
Will it turn out that the safest is the "old" Windows? :lol: :lol:

Windows has so many security problems people no longer really recognize them as such. Even worse, the vast majority of Windows' problems are in programs that you cannot reasonably expect to be able to fix, even once you know the defect is there.

59729
Apprentice
Joined: 21 Jun 2004
Posts: 279

Posted: Sat Nov 12, 2016 10:56 am    Post subject:

farmer.ro wrote:
I watched speeches of Jacob Appelbaum exposing the NSA and it left me with a few questions regarding Gentoo security:

Question: How can we know for sure that the NSA is not spying on us while using Gentoo, when the NSA seems to have the power to pwn tools like AIDE or Wireshark?

Question: It seems to me that when using, for example, Debian it is much easier to wipe the entire disk and do a fresh install within 30 minutes; in contrast, a Gentoo install might take 1 or 2 days. Does this leave Gentoo more vulnerable to attacks from the NSA?

Question: Is it possible that the NSA has employees in the GNU/Linux software development team who might program software with malicious tools?

How can I maintain anonymity?

NeddySeagoon wrote:
farmer.ro,

It's no comfort, but we can't be sure. Gentoo is no worse than any other distro in this regard.

Consider the following: Gentoo comprises only Portage and the Gentoo ebuild repository.
All the applications that you choose to install are $UPSTREAM. With a few patches here and there, $UPSTREAM is the same for everyone.
That's a little bit of a simplification - in Gentoo you get to choose how your packages are built, so you might get lucky and configure security problems out.

As for wiping the HDD and reinstalling, do you really need to rebuild everything?
You only need to rebuild vulnerable packages. The rest can be reinstalled from your saved binaries, unless you believe that they have been compromised too.

Can you trust $UPSTREAM not to include exploits?
Absolutely not. That's why security is like the layers of an onion. You make it difficult for an attacker to get in, difficult to do anything useful if they do get in and difficult to phone home.

Your firewall makes it harder for things to get in. You know why you are running listening services and on what ports. Everything else is blocked.
You don't run a half open firewall either. Only things you want to use are allowed out.
You may run a hardened system (not SELinux). That will stop several classes of exploits.
You can try Tinhat Linux. That runs entirely from DVD. No HDD access at all.
You monitor your logs for nasty things.
Add in tripwire to keep checksums of installed files (on RO media).

The more layers you add to your security onion, the more the security intrudes into your day to day use of your install.
You have to determine the threats you want to defend against and deploy security you are happy to work with.

Oh, you won't be targeted by a government.
It's much easier for a government to extract your pass phrases from you directly by sending the boys round.


I think this is a good point, install the necessary software, and add the checks that you can work with / and keep up and running without interfering with day to day use, add layers when applicable/meaning it's not a 24/7 job to keep 'a' private server or workstation up and running. In my case I had to disable the firewall as my current knowledge and health made it impossible to keep everything working / up and running. I have started to add that layer again but it will be a slow process documenting what I need/why and understanding what I need to do to maintain it so it works for me/and my situation.

If that is not enough, the next step would be to audit the source code for every package installed, and even then something might be missed so that's not really applicable in real life.

jonathan183
Guru
Joined: 13 Dec 2011
Posts: 318

Posted: Sat Nov 12, 2016 12:26 pm    Post subject: Re: paranoide

farmer.ro wrote:
How can I maintain anonymity?

Use Tails.

Maxxx
Guru
Joined: 12 Jan 2016
Posts: 595
Location: Italia

Posted: Sat Nov 12, 2016 4:19 pm    Post subject:

Hu wrote:
...SELinux spends comparatively little effort dealing with the possibility that the kernel has exploitable defects, so unless you can assume that your kernel functions exactly as its authors intend, SELinux cannot protect against certain classes of threat...


Ah, OK... I understand.

About Windows, I think that with Windows 10 it is a total end of privacy... I have Windows 10 too, but I use it only for some games; minimal internet navigation, no e-mail, and no remote desktop; for example I use VNC only with Linux and an Android smartphone (but maybe it's the same thing as with Windows).
Regarding e-mail, there are various crypto lockers or similar viruses, and I think one must be careful with Linux too, but with Windows it's easier to catch them.

All times are GMT