how to secure my computer

Penguin_X wrote:

Penguin_X wrote:

> Hi everyone.
>
> I have been using Linux since nearly 3 years and recently, during a
> reading on computer security i came up on the following question: Is my
> computer and my private life really secure ?
>
> Indeed not. my private life isn't 100 % secure and I wish I could make
> it a little safer from intruders.
>
> Considering I am running Linux, what would you do at first to make my
> system safer from intruders ? I mean by intruders: ad wares, personal
> infos gathered by web servers and so on... I am currently using 2
> e-mails addresses (1 used for MSN, websites, forum, etc and another one
> used to send and receive important mails). I consider that PGP would be
> a great choice as a encryption program (mail). Mercury is absolutely
> necessary when chatting on MSN. Using it allows to encrypt conversations.
>
> If you know any way or hints to get aware from threats on Internet or
> tools to encrypt my data, write me back. There are so much information
> gathered about users on the WWW.
>
> So. If you have any tutorials/links about security concerning Linux,
> please post them :)
>
> Cheers,
>

In response to the OP:
Read the story below and the links. When you become sufficiently
concerned or alarmed as the case might be, and you are a United States
citizen, contact your local, state and federal government representatives
and explain your concerns to them.

Ask them to tell you what their position would be concerning these issues.

AT&T Seeks to Hide Spy Docs

By Ryan Singel| Also by this reporter 11:00 AM Apr, 12, 2006

AT&T is seeking the return of technical documents presented in a lawsuit
that allegedly detail how the telecom giant helped the government set up a
massive internet wiretap operation in its San Francisco facilities.

In papers filed late Monday, AT&T argued that confidential technical
documents provided by an ex-AT&T technician to the Electronic Frontier
Foundation shouldn't be used as evidence in the case and should be
returned.

The documents, which the EFF filed under a temporary seal last Wednesday,
purportedly detail how AT&T diverts internet traffic to the National
Security Agency via a secret room in San Francisco and allege that such
rooms exist in other AT&T switching centers.

The EFF filed the class-action lawsuit in U.S. District Court in Northern
California in January, seeking damages from AT&T on behalf of AT&T
customers for alleged violation of state and federal laws.

Mark Klein, a former technician who worked for AT&T for 22 years, provided
three technical documents, totaling 140 pages, to the EFF and to The New
York Times, which first reported last December that the Bush
administration was eavesdropping on citizens' phone calls without
obtaining warrants.

Klein issued a detailed public statement last week, saying he came forward
because he believes the government's extrajudicial spying extended beyond
wiretapping of phone calls between Americans and a party with suspected
ties to terrorists, and included wholesale monitoring of the nation's
internet communications.

http://wired.com/news/technology/0,70650-0.html

--
colloquy_no_9 {at-sign} spam-mailingaddress.org
eliminate the spam-

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

responder wrote:
[...]
> The documents, which the EFF filed under a temporary seal last Wednesday,
> purportedly detail how AT&T diverts internet traffic to the National
> Security Agency via a secret room in San Francisco and allege that such
> rooms exist in other AT&T switching centers.
[...]
> Mark Klein, a former technician who worked for AT&T for 22 years, provided
> three technical documents, totaling 140 pages, to the EFF and to The New
> York Times, which first reported last December that the Bush
> administration was eavesdropping on citizens' phone calls without
> obtaining warrants.
>
> Klein issued a detailed public statement last week, saying he came forward
> because he believes the government's extrajudicial spying extended beyond
> wiretapping of phone calls between Americans and a party with suspected
> ties to terrorists, and included wholesale monitoring of the nation's
> internet communications.

I think that this is nothing new. For more on this topic have a look at:

http://en.wikipedia.org/wiki/ECHELON
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQIVAwUBRD+Ab9qtd8S+cgRiAQOJpw//QgPU/Cf+FdQxWuFYWu3A9mAYFy0zLun+
OO9eipefj8OU7r34q1QBEaqC0xd96KLmSj31WGkNnEV5+j4IXF cyfokcWAlZpH+e
IC3xX5GNaJCJrTaRFb2sXSiM+xr1oja1coZmaOcEI0AOBVNOlH HJAasjle0q0Awy
dcR1vFIeKbimxSPqf4lHlOp6j0e2JsMzzj6TtMUQy9CWvfaacq r89u4FQXWa5uUm
7ADGl7pADMe9zuNvoR6P5BxsX4PS3io4tmh6Rei891N60Oe1lu WhuJblxVsPsszU
mHFvWfuSqh8034hjlsyWFGrIi+NRBeQpXu+++wR2bI62tNguAU u5ykpT3bOJTh6l
/O8KJfjVs5lc9kZsXkVaL0SbdXQIc5/OVlu7ZxlfEVgA9A9g0BO18b2QnR6RE2tH
y3GwmZGHwCnVqZ2mE2FR7OheukNJwKrTGGkEXNJeRlijawS5e6 soQ/Yog6yFc3eD
aA6abC3k+/fgIP70/EotfA6QtCZxT8jevBFQzTJdhYWotIZTtP9uMqWJD+AjxxBI
iqqK6uLAzdM+jhUt8DJHqCFEqzcjIr+UY9Lv9KIe4srnLQkacc 8IyEFvf3F0pX5V
I2kLy4f3acv8R2hMPrDyTGX46LInkaw5+QNqEQTRs5IWgicAtI 6PrjxsTPPRJRT3
S8J0Up2d9Bc=
=6zn/
-----END PGP SIGNATURE-----

Matthias Kirchhart wrote:

>responder wrote:
>[...]
>> The documents, which the EFF filed under a temporary seal last
>> Wednesday,
>> purportedly detail how AT&T diverts internet traffic to the National
>> Security Agency via a secret room in San Francisco and allege that such
>> rooms exist in other AT&T switching centers.
>[...]
>> Mark Klein, a former technician who worked for AT&T for 22 years,
>> provided three technical documents, totaling 140 pages, to the EFF and
>> to The New York Times, which first reported last December that the Bush
>> administration was eavesdropping on citizens' phone calls without
>> obtaining warrants.
>>
>> Klein issued a detailed public statement last week, saying he came
>> forward because he believes the government's extrajudicial spying
>> extended beyond wiretapping of phone calls between Americans and a
> party
>> with suspected ties to terrorists, and included wholesale monitoring of
>> the nation's internet communications.

> I think that this is nothing new. For more on this topic have a look at:

ECHELON has been widely acknowledged to have been eavesdropping *outside
of* the US. US Courts and US Congress have variously and repeatedly
required specific oversight and specific authorization for any similar
Executive activities *within the US*. Until this point in time there has
always been at least a pretense that the powers of the Government and
particularly the Executive were constrained by the will and whatever sense
of fairness of the Electorate, and by the US Constitution, the
Institutions of Government and a system of "checks and balances". We are
now seeing (at least) two critical differences.

1. The Executive is now (apparently) claiming *exclusive authority* to act
in these previously prohibited ways unfettered by _any_ further
constraints from the US Congress _or_ US Courts. Importantly, the
Executive now seems to want to claim the right to conceal its acts from
the public *and from other Institutions of Government*, acts which until
now have always been considered prohibited.

2. An entirely new generation of vastly more powerful monitoring equipment
is being installed within the Continental US with the clear intention of
long-term eavesdropping on communications *within* the US. This new
equipment far exceeds even ECHELON. With no possible realistic
expectation of effective long-term concealment of existence of these
facilities or their purposes, the Executive appears to have presented us
with a "fait acomplis", or as he might say "Mission Accomplished".

The unfolding Perjury/Obstruction case surrounding I. Lewis "Scooter"
Libby serves to amplify concerns about these above developments. There
"appear to be" credible bases for questions that have already been raised,
concerning whether the Executive and his administration have already
misused their access to secret information. The "appearance" is that
he/they (may have) misused secret information for personal or political
purposes and to the detriment of private US citizens who were not
themselves accused or suspected of any wrongdoing.

Taken individually any of these facts or appearances could be extremely
troubling. Taken together they present worldwide implications.

http://en.wikipedia.org/wiki/ECHELON

This is an excellent article and source. Thank you for linking it. Thank
you for writing.

As this thread was originally about computer security, we should try to
avoid going OT, which you did not do. Thanks again.

--
colloquy_no_9 {at-sign} spam-mailingaddress.org
eliminate the spam-

http://yro.slashdot.org/yro/06/04/09/1657258.shtml

http://www.wired.com/news/technology/0,70650-0.html
--
colloquy_no_9 {at-sign} spam-mailingaddress.org
eliminate the spam-

http://www.dailykos.com/storyonly/2006/4/8/14724/28476
http://narus.com/products/index.html

--
colloquy_no_9 {at-sign} spam-mailingaddress.org
eliminate the spam-

Matthias Kirchhart <matthias.kirchhart@freenet.de> (06-04-10 12:30:48):

> > What makes you think that it isn't 100% secure?
>
> That's simple: nothing is 100 % secure.

I didn't ask, because I believe it is. I asked, because the OP wrote
that he's uncertain, and I wanted to know, if his uncertainty is
reasonable.


> > First: Drop all proprietary products, including their protocols.
> > For example, use IRC or some other free standard protocol for live
> > conversations, instead of MSN. You can encrypt everything in IRC as
> > well as in MSN, and there are ways to guarantee authenticity. Use
> > GnuPG instead of PGP, because PGP is constantly losing trustfulness,
> > and it's not free. GnuPG is a free alternative.
>
> Where is the sense in that? If you use encryption properly it doesn't
> matter which protocol you use to transmit your data. Changing the
> protocol would just mean a lot of work. Where is the problem in MSN
> anyway? Just because it was developed by Microsoft it doesn't mean it
> is bad.

It's simple: By supporting proprietary protocols, you make writing free
alternative clients harder. You wouldn't use Microsoft extensions, when
writing a homepage, would you? And that's the same thing. The other
reason: Proprietary protocols get changed often. See the ICQ (OSCAR)
protocol, as the worst case example. I guess, most people will agree
that following standards is the better way.


> > Next, don't do things you don't understand.
>
> That's always a good thing :)

Unfortunately one, which many people don't consider.


> > To the threats on the internet, look that you have recent software
> > versions, so they don't possibly have some ancient security problem.
> > Keep your system up to date. That doesn't include the kernel,
> > unless some security problem is found, which affects you. You might
> > also be interested in various kernel patches. I use the
> > 'grsecurity' patch.
>
> That's right, but if really want to secure your system that won't be
> enough. Bare in mind that security is a process and not a state that
> you can achieve. You always have to analyse your system and think
> about steps to further improve its security. Updates can only be one
> of those steps.

That were the most basic items. Sure, that's not enough to be able to
claim to have a secure system. For me this includes the stuff you
listed as well as cryptographic techniques. One thing, which is very
important: Your system is not secure, if you need to disclose things.
My security system consists of:
* offsite backups
* encrypted hard-disks and swap
* fully hand-written configurations
* security add-ons
* programs with a clean security history


> Further steps to improve security could be:
> - - data backups

That's not enough. Your must check the integrity of your system, before
doing backups. And you must guarantee that nobody could tamper with
your backups.


> - - not to safe data on the computer but on a CD and cut off the
> internet connection while working with them.

Unfeasable in most configurations, as in mine. And remember that CDs
can be stolen. So offsite-backups are in fact the same thing, but much
easier.


> - - configure a firewall

Theoretically a secure system doesn't need a firewall (in terms of
'packet filter', I guess you meant that). But it wouldn't hurt, too.


> - - put a NAT-Router between your system and the internet to hide your
> PC to the outside world.

That's actually the same as configuring a packet filter properly. Just
more expensive and harder to maintain.


Regards.

"Barton L. Phillips" <barton@applitec.com> (06-04-10 19:21:21):

> > In Linux there are several ways in which you can encrypt your data.
> > I have an encrypted hard-disk (via dm-crypt), encrypted email
> > traffic (via GnuPG) and of course encrypted remote shell sessions
> > (via OpenSSH). To keep it short, I encrypt everything, where
> > encryption is appropriate.
>
> When I was in the military I noticed that everything transmitted from
> my Air Base was first encrypted. I mean everything from the dinning
> hall menu to the laundry list. I asked some of our crypto guys why
> they wasted time encrypting such worthless junk. Their answer was a
> revelation: If you encrypt only sensitive information then the enemy
> only has to work on the encrypted stuff, but if you encrypt everything
> the enemy has to spend enormous amounts of them decrypting junk. It is
> the needle in the haystack theory. If you have millions of billions of
> bytes of funk it will be pretty hard to find that 16 digit credit card
> number in the noise.

If this level of communication secrecy and authenticity would be
required, then I would use other methods. When I talk with people not
much related to me in IRC, then I don't see the point in encrypting
that. I still do it, but it's pointless. It's not even secure. The
server administrators can still decrypt the traffic, as well as the evil
MITM.


> But then again you have to be pretty paranoid -- but for this group?

I am. =)

Since this group deals with security, paranoid points of view are not
fully inappropriate. It depends on who you would like to defend
against. Personally I like defending against every attacker, if
possible.


Regards.

Rick Moen <rick@linuxmafia.com> (06-04-10 16:15:57):

> > To the threats on the internet, look that you have recent software
> > versions, so they don't possibly have some ancient security problem.
> > Keep your system up to date. That doesn't include the kernel,
> > unless some security problem is found, which affects you. You might
> > also be interested in various kernel patches. I use the
> > 'grsecurity' patch.
>
> I considered the grsecurity patch quite effective, in its day. My
> understanding, though, is that their kernel support has always been
> more than a little bit behind, sometimes more than others. (At least,
> friends who used to track grsecurity had been regretfully lamenting
> that they might need to abandon it.)
>
> At the moment, I see that they have a patchset for 2.6.14.6 (and
> 2.4.32) -- but the head kernel version at the same time is 2.6.15.6.
> Hmm, that actually looks pretty close to current!

Yes, they are always a bit behind. But that's no problem, unless there
is a feature in a newer kernel, which you need. And don't worry: If
there is a security problem in the kernel, then they provide an updated
version pretty fast.

The developers take a bit more time to work on it, and that's not
necessarily bad. I don't remember any security problems with the patch
itself up to now.


> (Please understand that I'm trying to assess the situation on the fly,
> while writing this post.) Hmm, it still looks pretty well maintained,
> well thought out, and "tasty", to me. PaX alone would seem to make it
> worth the trouble.

Yes, it doesn't only provide security, but even beauty. I like it
hiding processes not owned by the user requesting the process list. In
my opinion, that would be security by obscurity, so I wouldn't use it
for security purposes. It's just beautiful, because it makes my 'ps'
output much smaller.


> Out of curiosity, have you encountered any drawbacks worth mentioning?

Yes. You cannot use every PaX feature in every configuration. Some of
them are incompatible with XFree86 and Xorg, and MySQL has problems with
some others.


Regards.

Ertugrul Soeylemez wrote:
> Rick Moen <rick@linuxmafia.com> (06-04-10 16:15:57):
> > (Please understand that I'm trying to assess the situation on the fly,
> > while writing this post.) Hmm, it still looks pretty well maintained,
> > well thought out, and "tasty", to me. PaX alone would seem to make it
> > worth the trouble.
>
> Yes, it doesn't only provide security, but even beauty. I like it
> hiding processes not owned by the user requesting the process list.

Hm. Is this really PaX that allows one to hide user processes?
IIRC, one can disable PaX but still have this feature present
by enabling appropriate settings in "Filesystem Protections"
(Allow special group, GID for special group).

> In
> my opinion, that would be security by obscurity, so I wouldn't use it
> for security purposes. It's just beautiful, because it makes my 'ps'
> output much smaller.

I agree with the point. IMHO, the feature also "improves" privacy
on multi-user machines since users who don't belong to the
"special group" can see only their own processes.

Regards,
Mikhail