how to secure my computer

Hi everyone.

I have been using Linux since nearly 3 years and recently, during a
reading on computer security i came up on the following question: Is my
computer and my private life really secure ?

Indeed not. my private life isn't 100 % secure and I wish I could make
it a little safer from intruders.

Considering I am running Linux, what would you do at first to make my
system safer from intruders ? I mean by intruders: ad wares, personal
infos gathered by web servers and so on... I am currently using 2
e-mails addresses (1 used for MSN, websites, forum, etc and another one
used to send and receive important mails). I consider that PGP would be
a great choice as a encryption program (mail). Mercury is absolutely
necessary when chatting on MSN. Using it allows to encrypt conversations.

If you know any way or hints to get aware from threats on Internet or
tools to encrypt my data, write me back. There are so much information
gathered about users on the WWW.

So. If you have any tutorials/links about security concerning Linux,
please post them :)

Cheers,

And... Sorry for my awful English.
--
/*
* This function is used through-out the kernel (includeinh mm and fs)
* to indicate a major problem.
*/
#include <linux/kernel.h>

volatile void panic(const char * s)
{
printk("Kernel panic: %s\n\r",s);
for(;;);
}


-=[Penguin_X]=-

> So. If you have any tutorials/links about security concerning Linux,
> please post them :)
>

http://tldp.org/HOWTO/Security-HOWTO/index.html

Penguin_X <email@nospam.com> (06-04-09 21:06:01):

> I have been using Linux since nearly 3 years and recently, during a
> reading on computer security i came up on the following question: Is
> my computer and my private life really secure ?
>
> Indeed not. my private life isn't 100 % secure and I wish I could make
> it a little safer from intruders.

What makes you think that it isn't 100% secure?


> Considering I am running Linux, what would you do at first to make my
> system safer from intruders ? I mean by intruders: ad wares, personal
> infos gathered by web servers and so on... I am currently using 2
> e-mails addresses (1 used for MSN, websites, forum, etc and another
> one used to send and receive important mails). I consider that PGP
> would be a great choice as a encryption program (mail). Mercury is
> absolutely necessary when chatting on MSN. Using it allows to encrypt
> conversations.

First: Drop all proprietary products, including their protocols. For
example, use IRC or some other free standard protocol for live
conversations, instead of MSN. You can encrypt everything in IRC as
well as in MSN, and there are ways to guarantee authenticity. Use GnuPG
instead of PGP, because PGP is constantly losing trustfulness, and it's
not free. GnuPG is a free alternative.

Next, don't do things you don't understand.


> If you know any way or hints to get aware from threats on Internet or
> tools to encrypt my data, write me back. There are so much information
> gathered about users on the WWW.

In Linux there are several ways in which you can encrypt your data. I
have an encrypted hard-disk (via dm-crypt), encrypted email traffic (via
GnuPG) and of course encrypted remote shell sessions (via OpenSSH). To
keep it short, I encrypt everything, where encryption is appropriate.

To the threats on the internet, look that you have recent software
versions, so they don't possibly have some ancient security problem.
Keep your system up to date. That doesn't include the kernel, unless
some security problem is found, which affects you. You might also be
interested in various kernel patches. I use the 'grsecurity' patch.


Regards.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ertugrul Soeylemez wrote:
> What makes you think that it isn't 100% secure?

That's simple: nothing is 100 % secure.

> First: Drop all proprietary products, including their protocols. For
> example, use IRC or some other free standard protocol for live
> conversations, instead of MSN. You can encrypt everything in IRC as
> well as in MSN, and there are ways to guarantee authenticity. Use GnuPG
> instead of PGP, because PGP is constantly losing trustfulness, and it's
> not free. GnuPG is a free alternative.

Where is the sense in that? If you use encryption properly it doesn't matter
which protocol you use to transmit your data. Changing the protocol would
just mean a lot of work. Where is the problem in MSN anyway? Just because
it was developed by Microsoft it doesn't mean it is bad.

> Next, don't do things you don't understand.

That's always a good thing :)

> To the threats on the internet, look that you have recent software
> versions, so they don't possibly have some ancient security problem.
> Keep your system up to date. That doesn't include the kernel, unless
> some security problem is found, which affects you. You might also be
> interested in various kernel patches. I use the 'grsecurity' patch.

That's right, but if really want to secure your system that won't be enough.
Bare in mind that security is a process and not a state that you can
achieve. You always have to analyse your system and think about steps to
further improve its security. Updates can only be one of those steps.

Further steps to improve security could be:
- - data backups
- - not to safe data on the computer but on a CD and cut off the internet
connection while working with them.
- - configure a firewall
- - put a NAT-Router between your system and the internet to hide your PC to
the outside world.
- - ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQIVAwUBRDoz3tqtd8S+cgRiAQO7+RAAqGJyR3h4DUFUUthPUX 1nnzI9P+KvMIYT
bCS8PVvWzioDjjLRh5+RrZWnnnB5XEA9RqJebP1r/EnQLcXcUb0EBqhwJHfZ/XGK
otovC4qVKZNtFikPW8rWefMaS6vduiy+VGbAJdmeB2YWSz+xKm Aug94gOKv54Gad
ld4zlin7YeDtywq6EJLdg/+lv52ohgKzefxJzfzi8wX/HJO/Ru+YGc1+mV+piJr4
cUEhLisfCWlX629i7zxAH3C10mlpGha08TbiQvJXinfOCeKNc0 um7oRH3NLnpK3s
I33m9EnYV/1DjNwNJCc4RdlEEGkITkscGRM500bOOv92WDCEzzoiNmx5qh3N KbdU
VTRE28feziGNM4P/Dk08v6joAJBYCwzOaMIlVGyulTyhx4hC9oY3UxXxop67PnOP
obmHgQP+/lwlE9I1bC6WnqEcbnaO34ByQO1TJlWZKoDz97ykiLGbZxLfPuK 7nUJt
eQP0GoDl5pr6fSid0DM2lpnMXeezKyKvSa77EywMKmeLhoAimM 9w8fSnFYadJrNN
hBrQp+KSwKOVQMfsPOKU10d9godGGKJuFagUTyWzxdDMZnLVL8 3HUHzbn/L8BJFQ
3rNmTzpRnJxrQxyLKo6XUKEjmDkM7WwLDkkIo397QsIaFXIzqK JngSW7QbD3wCLz
SbJaOSCluqc=
=Q+ms
-----END PGP SIGNATURE-----

Ertugrul Soeylemez wrote:
> Penguin_X <email@nospam.com> (06-04-09 21:06:01):
> > I have been using Linux since nearly 3 years and recently, during a
> > reading on computer security i came up on the following question: Is
> > my computer and my private life really secure ?
> >
> > Indeed not. my private life isn't 100 % secure and I wish I could make
> > it a little safer from intruders.
>
> What makes you think that it isn't 100% secure?

Perhaps, because of this post:

http://groups.google.com/group/comp....bfb9329991ba7b

or maybe that one:

http://groups.google.com/group/comp....116b8754ce3d2d

;^)

--
Mikhail

Ertugrul Soeylemez wrote:
>
> In Linux there are several ways in which you can encrypt your data. I
> have an encrypted hard-disk (via dm-crypt), encrypted email traffic (via
> GnuPG) and of course encrypted remote shell sessions (via OpenSSH). To
> keep it short, I encrypt everything, where encryption is appropriate.
When I was in the military I noticed that everything transmitted from my
Air Base was first encrypted. I mean everything from the dinning hall
menu to the laundry list. I asked some of our crypto guys why they
wasted time encrypting such worthless junk. Their answer was a
revelation: If you encrypt only sensitive information then the enemy
only has to work on the encrypted stuff, but if you encrypt everything
the enemy has to spend enormous amounts of them decrypting junk. It is
the needle in the haystack theory. If you have millions of billions of
bytes of funk it will be pretty hard to find that 16 digit credit card
number in the noise.

But then again you have to be pretty paranoid -- but for this group?
--
----------------
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com

Ertugrul Soeylemez <never@drwxr-xr-x.org> wrote:

> To the threats on the internet, look that you have recent software
> versions, so they don't possibly have some ancient security problem.
> Keep your system up to date. That doesn't include the kernel, unless
> some security problem is found, which affects you. You might also be
> interested in various kernel patches. I use the 'grsecurity' patch.

I considered the grsecurity patch quite effective, in its day. My
understanding, though, is that their kernel support has always been more
than a little bit behind, sometimes more than others. (At least,
friends who used to track grsecurity had been regretfully lamenting that
they might need to abandon it.)

At the moment, I see that they have a patchset for 2.6.14.6 (and 2.4.32)
-- but the head kernel version at the same time is 2.6.15.6. Hmm, that
actually looks pretty close to current!

(Please understand that I'm trying to assess the situation on the fly,
while writing this post.) Hmm, it still looks pretty well maintained,
well thought out, and "tasty", to me. PaX alone would seem to make it
worth the trouble.

Out of curiosity, have you encountered any drawbacks worth mentioning?

--
Cheers, "Orthodoxy is my doxy. Heterodoxy is someone else's doxy."
Rick Moen -- William Warburton, Bishop of Gloucester (1698-1779)
rick@linuxmafia.com

Barton L. Phillips <barton@applitec.com> wrote:

> But then again you have to be pretty paranoid -- but for this group?

"Paranoid", he said. (I wonder what he _means_ by that! ;-> )

--
Cheers, "Orthodoxy is my doxy. Heterodoxy is someone else's doxy."
Rick Moen -- William Warburton, Bishop of Gloucester (1698-1779)
rick@linuxmafia.com

On Mon, 10 Apr 2006 09:08:24 -0700, Mikhail Zotov wrote:

> Ertugrul Soeylemez wrote:
>> Penguin_X <email@nospam.com> (06-04-09 21:06:01):
>> > I have been using Linux since nearly 3 years and recently, during a
>> > reading on computer security i came up on the following question: Is
>> > my computer and my private life really secure ?
>> >
>> > Indeed not. my private life isn't 100 % secure and I wish I could
>> > make it a little safer from intruders.
>>
>> What makes you think that it isn't 100% secure?
>
> Perhaps, because of this post:
>
> http://groups.google.com/group/comp....bfb9329991ba7b
>
Don't be misrepresenting what I said, which was only to answer this one
specific question in the affirmative, and truthfully. For anyone who can
actually keep a secret it is very possible to approach 100% security. The
unfortunate fact is that most people prefer convenience to the work and
inconvenience involved with maintaining (and securely distributing)
"secrets".

"Absolute" 100% is of course a difficult expectation to meet. But the
security levels actually achieved by even many of those who consider
themselves informed and prudent could be, on balance, improved orders of
magnitude for relatively thrifty costs and by known methods. Many of
those exact methods have been specifically discussed here.

If OP in the referenced thread (you!) is in the top percentile in
diligence he can be reasonably assured that his ISP will not routinely be
able to decrypt his traffic. In most cases and for most of us (and I
suspect in your case as well), the answer to this question is still yes.
And if he or we choose to not take the proper diligence then those are
obviously his and our choices.

I and others here have repeatedly outlined some of the methods needed to
achieve that level. The gentleman who wrote the below-referenced message
has done so and also gone to considerable detail in kind and well-written
explanations, as you know. So he certainly has the right to ask what he
did: (What makes you think that it isn't 100% secure?) Maybe this OP
thinks there is some easier way to get secure, like getting a new windows
program or something. How else would anyone know this OP's thoughts
without asking?

Perhaps the OP in this thread thinks he is the first to think of that
question, and thinks therefore there is no need to read all the other
security things that are being written here. And we can all just write
everything all over again just for him (as we have for you and others).

Maybe he actually read a security HOWTO and came across something
specific, but just didn't ask his specific question very well. If he
already knows how to set up a firewall, maybe we all can skip over that
part this time? It's worth asking What part don't you understand?

There was once a web document that people used to link to in situations
like this. But I seem to have forgotten the link. It was something about
"How to ask a smart question", or such. Perhaps if you have a few moments
free, you might be kind enough to google it up for us all and post a link
to it back here for us all. Many thanks.

Best wishes. :>


> or maybe that one:
>
> http://groups.google.com/group/comp....116b8754ce3d2d
>
> ;^)

On Mon, 10 Apr 2006 17:02:47 -0400, Newsbox wrote:

>
> There was once a web document that people used to link to in situations
> like this. But I seem to have forgotten the link. It was something about
> "How to ask a smart question", or such. Perhaps if you have a few moments
> free, you might be kind enough to google it up for us all and post a link
> to it back here for us all. Many thanks.
>

Oh, here. I found this nice updated version. :)

.... And with some familiar names right up top, too !

Enjoy.

http://www.catb.org/~esr/faqs/smart-questions.html