/os/ - Online Security

News, techniques and methods for computer network security.



Welcome to Online Security, the place for internet and computer security, privacy and anonymity.
If you have some helpful tips please feel free to share your ideas. Start a new thread, or contribute to an existing thread.



Secure OSes Anonymous 05/09/2016 (Mon) 18:21:17 [Preview] No. 37
What is the best OS option for a secure setup?
How do OpenBSD and Linux with patches compare in terms of the security they offer?


Anonymous 05/09/2016 (Mon) 19:16:43 [Preview] No. 38 del
GNU+Linux has more people reviewing the code. That in itself makes it a bit safer.


Anonymous 05/09/2016 (Mon) 23:02:16 [Preview] No. 39 del
>>38
grsecurity doesn't, though.
>>>/tech//2978


Anonymous 05/09/2016 (Mon) 23:03:34 [Preview] No. 40 del


Anonymous 05/10/2016 (Tue) 00:08:35 [Preview] No. 41 del
there is a tradeoff, with fewer eyes on openbsd code but more security built-in, whereas there are more people looking at the linux code but it is not necessarily from a security perspective. personally i prefer openbsd.


Anonymous 06/09/2016 (Thu) 20:42:53 [Preview] No. 70 del


Anonymous 06/09/2016 (Thu) 20:58:53 [Preview] No. 72 del
>>70
>>71
This website's info is basic and not all that helpful, good only for normies that don't want to install TailsOS


Anonymous 08/24/2016 (Wed) 05:46:36 [Preview] No. 376 del
>>38
OpenBSD's code is much smaller


Anonymous 09/15/2016 (Thu) 23:13:43 [Preview] No. 579 del
I've looked at these options a lot this year. There are tradeoffs any way you do this. I like the model of: alpine-linux xen, pci-e passthru to openbsd firewall into hardened gentoo single purpose vm's (music, desktop, reading, web browsing, coding), kind of like a DIY qubes-os.


Anonymous 10/24/2016 (Mon) 00:56:23 [Preview] No. 626 del
Hey Endwall/Endware guy, how would you get LibertyBSD to work on a Librebooted laptop via a USB?


Anonymous 10/24/2016 (Mon) 00:58:20 [Preview] No. 627 del
>>626
*Preferably with some disk encryption but not FDE


Encrypted BSD + Libreboot Endwall 10/25/2016 (Tue) 06:51:22 [Preview] No. 629 del
>>626

This is on my to do list as well.

http://libertybsd.net/
https://libreboot.org/docs/bsd/openbsd.html

If anyone finds a guide/walkthrough for this post below.


Anonymous 10/27/2016 (Thu) 22:17:52 [Preview] No. 631 del
Does QubesOS use systemd just like Whonix uses systemd? Also, if systemd was so bad, why are there grsec kernel patches that work with systemd? Is TrueOS and FreeBSD going to swallow the d? Why aren't most init systems as easy to configure as systemd?


systemd Endwall 10/29/2016 (Sat) 23:26:39 [Preview] No. 634 del
>>631
Qubes defaults to Fedora on Xen, which is systemd. I don't trust anything related to the Government/Corporate system known as Red Hat, including that distro (Fedora), on which I've been pwnd while using it. Redhat's rpm packages are well put together and the default config files that ship with them are very well designed and documented/commented. It rarely crashes, is super stable, and the packages are default working and have good configs. However, I can tell you from personal experience, which I won't get into, that CentOS, Fedora and Redhat are not to be trusted at all.

Systemd is very easy to use, but again read the above about Redhat. Redhat and all of its derivatives have implants that are virtually undetectable. I don't trust systemd, although I use it on Parabola GNU/linux, and I use openRC on Gentoo.

I have 6 computers running parabola on systemd (2 servers, 3 workstations, and a laptop). I have 1 computer running on Gentoo which I work on every once in a while. Also another laptop running Debian. I have 4 computers running OpenBSD 6.0 1xamd64 2xSparc64, and 1xAlpha. I also have an experimental computer running openIndiana on amd64. I'm sticking mostly with parabola for day to day and server stuff, due to ease of maintenance. For me minimalism is the key to a solid foundation. Systemd's expansion in taking over other system components is a cause for concern.

PC WORLD
http://www.pcworld.com/article/2841873/meet-systemd-the-controversial-project-taking-over-a-linux-distro-near-you.html
"Critics say it’s not Unix-like Many of the complaints to systemd stem from a feeling that this huge project is increasing in scope and taking over too much of the Linux system. Not surprisingly, the Boycott systemd site starts with this exact complaint: “Systemd flies in the face of the Unix philosophy: ‘do one thing and do it well,’ representing a complex collection of dozens of tightly coupled binaries. Its responsibilities grossly exceed that of an init system, as it goes on to handle power management, device management, mount points, cron, disk encryption, socket API/inetd, syslog, network configuration, login/session management, readahead, GPT partition discovery, container registration, hostname/locale/time management, mDNS/DNS-SD, the Linux console and other things all wrapped into one.” Ubuntu’s Mark Shuttleworth originally called systemd “hugely invasive and hardly justified” when Ubuntu was sticking with their own “upstart” init system. Ubuntu eventually gave up that fight and is switching to systemd. The change will show up in the Ubuntu Desktop Next images starting in the 15.04 update cycle."
##############

I'm very suspicious about it. And when I have free time I'm going to eradicate it and other questionable system components from off of any mission critical systems.

I hope that answers your question. I'm no expert and those are just my feelings on the subject.
Edited last time by Endwall on 10/30/2016 (Sun) 00:28:14.


Endwall 10/30/2016 (Sun) 00:09:29 [Preview] No. 635 del
Linux distributions to avoid:

RedHat RHEL, CentOS, Fedora, Ubuntu, Mint, SUSE, OpenSUSE.

Avoid any GNU/Linux distributions based on the above systems if security is your thing. They're all good and useable, like Windows is, but if security is your goal stay away.
Edited last time by Endwall on 10/30/2016 (Sun) 00:34:24.


Anonymous 11/03/2016 (Thu) 05:28:21 [Preview] No. 643 del
>>634
What's a good GNU/linux alternative init system out there that has better support and security than sysvinit? OpenRC if I recall correctly, doesn't have much support or something on Parabola.


Anonymous 11/03/2016 (Thu) 05:42:54 [Preview] No. 644 del
>>643
>better security than sysvinit
keep dreaming


Endwall 11/03/2016 (Thu) 05:56:49 [Preview] No. 645 del
>>643

Yeah there wasn't a package for a script for dovecot, so I can't use it on my mail servers.

Also I couldn't use weston when I switched over, you can only use xorg. So I switched back to systemd. Eventually this will be fixed and I'll switch for good.


Endwall 11/03/2016 (Thu) 06:02:53 [Preview] No. 646 del
>>634

I have openindiana on a sun ultra 20 amd system and I'm going to load it onto a Sun Ultra 40 when I get some time. There aren't many packages in the hipster repo, and they're old package builds. I played with it for a weekend a few months ago... I need to read some manuals and stuff, but I like that Solaris is still around in an opensource format.


Anonymous 11/03/2016 (Thu) 09:43:32 [Preview] No. 648 del
>>646
so what is design principle of openindiana?


Endwall 11/03/2016 (Thu) 18:38:31 [Preview] No. 649 del
>>646
It's a fork of opensolaris, which is a fork of solaris 10 by Sun Microsystems, it's Unix system V. OpenIndiana is the x86-64 only branch of opensolaris/ IllumOS, and comes with a GUI which is Gnome, I'm sure you can load it in text mode as well.

https://www.openindiana.org/
https://en.wikipedia.org/wiki/OpenIndiana
https://distrowatch.com/openindiana
https://wiki.openindiana.org/oi/OpenIndiana+Wiki+Home


Endwall 11/03/2016 (Thu) 18:43:25 [Preview] No. 650 del
It's on MATE now as well. Uses ZFS.


Anonymous 11/05/2016 (Sat) 04:00:17 [Preview] No. 651 del
>SysTemD

don't make this mistake anon


Anonymous 11/05/2016 (Sat) 04:03:24 [Preview] No. 652 del
>>651
S.T.D. yes exactly. The thing is a virus trying to spread Red Hat government spy cancer to the rest of the linux distros. Lennart Pottering is an evil little nerd working for the NSA.


Anonymous 11/06/2016 (Sun) 14:07:32 [Preview] No. 661 del
has anyone tried something like puppylinux or tinhat linux along with whonix?


Anonymous 11/06/2016 (Sun) 14:17:13 [Preview] No. 662 del
https://sourceforge.net/projects/tinhat/files/images/

It's outdated by a year, who knows if there's going to ever be a new one in the future.


Anonymous 11/06/2016 (Sun) 19:10:14 [Preview] No. 663 del
>>661
idk use this to pick a distro anything on this list is usable

http://without-systemd.org/wiki/index.php/Main_Page


security stuffs Anonymous 11/08/2016 (Tue) 02:38:29 [Preview] No. 666 del
Hardened Gentoo with no doubt, GRSec, SELinux, fstack-protector-all, hardened toolchain, your binaries are different than everyone else's (USE flags), uClibc-ng/Musl support (uClibc-ng is stable in Gentoo while musl is experimental) which are quite far ahead in terms of security than glibc.


CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"

Is the default build in Hardened Gentoo, memory based attacks can't do shit on this. Many people reported Dirty COW didn't even work on Hardened Gentoo.

Hardened Gentoo is the king of security atop a Linux Kernel.


Anonymous 11/08/2016 (Tue) 03:11:30 [Preview] No. 667 del
>>666 (checked)
>LDFLAGS="-Wl,-z,now -Wl,-z,relro"
That's sloppy code, you only need the one -Wl.

Here's what mine currently has:
LDFLAGS="-Wl,-O1,--sort-common,--hash-style=gnu,--as-needed,-z,combreloc,-z,relro,-z,now"


Ayy lmao 11/08/2016 (Tue) 14:58:53 [Preview] No. 668 del
Nonshit country > Nonshit ISP > A libre router setup > Shitty Tor Relay server > Libreboot > LiveUSB > Hardened Gentoo > Encrypted LVM > grsec-xen kernel > SELinux > User > QEMU > Hardened Gentoo > Encrypted LVM > grsec kernel > SELinux > User > Tor > Links2 > http://s6424n4x4bsmqs27.onion/os/res/37.html#q668


i lold sage 11/08/2016 (Tue) 15:04:36 [Preview] No. 669 del


Anonymous 12/22/2016 (Thu) 11:44:38 [Preview] No. 737 del
Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on hardened building?
No, the current toolchain implements the equivalent of CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro" automatically through GCC's built-in spec and using the specfiles to disable them which is a more proper solution. For older hardened-gcc users the best approach is switch to the hardened profile and then upgrade following the steps on the "How do I switch to the hardened profile?"

https://wiki.gentoo.org/wiki/Hardened/FAQ#Do_I_need_to_pass_any_flags_to_LDFLAGS.2FCFLAGS_in_order_to_turn_on_hardened_building.3F
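
Added example, not part of the thread and not Gentoo's own tooling: a Python check of whether a built binary actually carries what the flags quoted above request (PIE, RELRO, BIND_NOW, stack protector, FORTIFY_SOURCE). It handles little-endian ELF64 only; `audit_elf` and `make_sample_elf` are names made up for this sketch, and the sample image is constructed.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes
DYN = struct.Struct("<qQ")                 # one .dynamic entry: tag, value


def audit_elf(data):
    """Report which hardening features are visible in an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    def file_offset(vaddr):
        # Map a virtual address to a file offset through the PT_LOAD segments.
        for p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ in phdrs:
            if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
                return p_offset + (vaddr - p_vaddr)
        raise ValueError("address 0x%x is not backed by the file" % vaddr)

    dyn = {}
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val

    # -z now is recorded as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
    bind_now = bool(DT_BIND_NOW in dyn
                    or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # -z relro adds a PT_GNU_RELRO segment; the GOT is only fully read-only
    # ("full" RELRO) when lazy binding is switched off as well.
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"

    names = set()
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = file_offset(dyn[DT_STRTAB])
        names = set(data[start:start + dyn[DT_STRSZ]].split(b"\0"))

    return {
        "pie": e_type == ET_DYN,  # shared libraries are ET_DYN as well
        "relro": relro,
        "bind_now": bind_now,
        # Dynamically linked code built with -fstack-protector* imports this.
        "stack_protector": b"__stack_chk_fail" in names,
        # _FORTIFY_SOURCE swaps calls for checked variants such as
        # __memcpy_chk; a binary with no such calls shows False here.
        "fortify_source": any(n.endswith(b"_chk") for n in names),
    }


def make_sample_elf(pie, relro, bind_now, symbols):
    """Constructed minimal ELF64 image (headers only, not runnable)."""
    base, dyn_off = 0x1000, EHDR.size + 3 * PHDR.size
    strtab = b"\0" + b"\0".join(symbols) + b"\0"
    str_off = dyn_off + 4 * DYN.size
    dynamic = b"".join(DYN.pack(t, v) for t, v in [
        (DT_STRTAB, base + str_off), (DT_STRSZ, len(strtab)),
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0), (DT_NULL, 0)])
    total, dlen = str_off + len(strtab), len(dynamic)
    phdrs = b"".join(PHDR.pack(*p) for p in [
        (PT_LOAD, 5, 0, base, base, total, total, 0x1000),
        (PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, dlen, dlen, 8),
        (PT_GNU_RELRO if relro else 0, 4, dyn_off, base + dyn_off,
         base + dyn_off, dlen, dlen, 1)])
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, base,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 3, 0, 0, 0)
    return ehdr + phdrs + dynamic + strtab


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, audit_elf(fh.read()))
    else:
        sample = make_sample_elf(True, True, True,
                                 [b"__stack_chk_fail", b"__memcpy_chk"])
        print(audit_elf(sample))
```

Run it with one or more binary paths as arguments to audit real files; with no arguments it reports on the constructed sample.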


Anonymous 12/30/2016 (Fri) 12:00:09 [Preview] No. 756 del
Hardened Gentoo
OpenBSD


Anonymous 01/02/2017 (Mon) 12:41:13 [Preview] No. 758 del
I'm now made aware of the existence of ecryptfs but I'm afraid that I might fuck up the setup process.


Endwall 01/02/2017 (Mon) 12:54:05 [Preview] No. 759 del
>>758
Post some links to the setup procedure and if you try it out and succeed, then post some steps / pitfalls to avoid.


Endwall 01/03/2017 (Tue) 07:36:55 [Preview] No. 762 del
I'm using LUKS on lvm as specified here:
https://libreboot.org/docs/gnulinux/encrypted_parabola.html

# dd if=/dev/urandom of=/dev/sda; sync
# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sda1
# cryptsetup luksOpen /dev/sda1 lvm
# pvcreate /dev/mapper/lvm
# vgcreate matrix /dev/mapper/lvm
etc.
It's a well written guide, I use it with the parabola/arch guide when I setup a new parabola install.

I'll look into ecryptfs this summer, thanks for the tip.

http://ecryptfs.org/
https://en.wikipedia.org/wiki/ECryptfs
https://wiki.archlinux.org/index.php/ECryptfs
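
Added example, not part of the post or of the libreboot guide: a Python reader for the LUKS1 on-disk header that compares the recorded cipher, mode, hash and key size with what the `luksFormat` command above asks for. It assumes a version 1 header and rejects anything else; `parse_luks1`, `mismatches` and `make_sample_header` are names made up here, and the sample header is constructed.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header layout: integers are big-endian, strings are NUL-padded.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
SLOT = struct.Struct(">II32sII")                    # 48 bytes per key slot
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_SIZE = PHDR.size + 8 * SLOT.size             # 592 bytes

# Parameters requested by the luksFormat command in the post. With XTS the
# 512-bit key is split into two 256-bit halves.
REQUESTED = {"cipher": "serpent", "mode": "xts-plain64",
             "hash": "whirlpool", "key_bits": 512}


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1(header):
    """Decode the fixed part of a LUKS1 header and its eight key slots."""
    if len(header) < HEADER_SIZE:
        raise ValueError("need at least %d bytes" % HEADER_SIZE)
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     _digest, _salt, mk_iterations, uuid) = PHDR.unpack_from(header)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at start of device")
    if version != 1:
        raise ValueError("LUKS version %d is not handled here" % version)

    active = []
    for index in range(8):
        state, iterations, _slot_salt, _km_offset, stripes = SLOT.unpack_from(
            header, PHDR.size + index * SLOT.size)
        if state == SLOT_ACTIVE:
            active.append({"slot": index, "iterations": iterations,
                           "stripes": stripes})
        elif state != SLOT_DISABLED:
            raise ValueError("key slot %d has an unknown state" % index)

    return {"cipher": _text(cipher), "mode": _text(mode),
            "hash": _text(hash_spec), "key_bits": key_bytes * 8,
            "payload_offset": payload_offset,   # in 512-byte sectors
            "mk_iterations": mk_iterations, "uuid": _text(uuid),
            "active_slots": active}


def mismatches(info, requested=REQUESTED):
    """Return {field: (found, requested)} for every parameter that differs."""
    return {k: (info[k], v) for k, v in requested.items() if info[k] != v}


def make_sample_header(cipher="serpent", mode="xts-plain64",
                       hash_spec="whirlpool", key_bytes=64, active=(0,)):
    """Constructed LUKS1 header with zeroed salts (not a usable volume)."""
    head = PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                     hash_spec.encode(), 4096, key_bytes, bytes(20),
                     bytes(32), 50000,
                     b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ACTIVE if i in active else SLOT_DISABLED,
                  120000 if i in active else 0, bytes(32), 8 + i * 512, 4000)
        for i in range(8))
    return head + slots


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Reading a block device such as /dev/sda1 needs root.
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read(HEADER_SIZE)
    else:
        raw = make_sample_header()
    info = parse_luks1(raw)
    print(info)
    print("differences from the requested parameters:", mismatches(info))
```

An empty result from `mismatches` means the header records the cipher, mode, hash and key size that were passed on the command line; the per-slot iteration count shows what `--iter-time` produced on that machine.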


Anonymous 01/03/2017 (Tue) 15:56:55 [Preview] No. 763 del
Here's some copypasta from the archwiki:
>Before starting, check the eCryptfs documentation. It is distributed with a very good and complete set of manual pages.
>eCryptfs has been included in Linux since version 2.6.19. Start by loading the ecryptfs module:
># modprobe ecryptfs
>Tip: If you use linux-grsec, auto-loading of cryptographic modules may fail when executing the ecryptfs-mount-private wrapper (as of November 2014). As a work-around, load the mentioned module manually; for example modprobe md5 as root and configure the system to load it at next boot.
Not sure what this means but it's a bit spooky.
>Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it.[1] [2] [3] [4] If you experience this problem, you can test it by commenting out -session optional pam_systemd.so in /etc/pam.d/system-login. However, this is no solution because commenting out will break other systemd functionalities.
>https://bugs.freedesktop.org/show_bug.cgi?id=72759
>https://nwrickert2.wordpress.com/2013/12/16/systemd-user-manager-ecryptfs-and-opensuse-13-1/
>https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/43
>https://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/2014-October/004088.html
Seems like automounting is dangerous on systemd.

One could either encrypt their /home/$USER dir, or some other dir or ~/.Private ON TOP OF AN ENCRYPTED SYSTEM. It may not be as secure as mounting an encrypted hard drive and unlocking it without an active internet connection, but you can have a dir encrypted even after decrypting your storage via dm-crypt and choose to have it decrypted manually or automatically. One needs to trust their USB or SATA ports aren't physically tampered with if one tries to decrypt an external storage connected to your system, one or more hardware variables are gone because ecryptfs works on top of an existing filesystem without the need of making a separate storage space to mount it on, but on the downside, ecryptfs doesn't use super secure encryption protocols and is buggy for systemd and maybe linux-grsec based kernels. I think it is a better alternative than say putting your stuff in a compressed package with a password on it but that's just me.


Anonymous 01/06/2017 (Fri) 08:59:58 [Preview] No. 766 del
Hello endwall, is there any documented instance of Fedora, RHEL, or system.d being intentionally backdoored? May be off topic, sorry, but you have mentioned it a few times.


Endwall 01/06/2017 (Fri) 13:55:55 [Preview] No. 767 del
>>766

As in a documented case of an audit being performed on systemd uncovering a backdoor?
No I haven't seen anything about this on any website or about it or in any talks or in any literature.

As in what happened to me? Yeah I was gang raped on those systems. I had port 53 crowbarred open so that I couldn't shut it off, couldn't turn off bind9 or rebind the port, I had targeted feedback from my terminal and desktop relayed to me through third parties, I don't want to go into it tin foil style, but don't use it, if you have to use it, use it in text mode with no gui. My estimate was that the attacks were from the inside out, but I wasn't using jails and used firefox regularly so I don't know.

From a process standpoint installing it to text mode (CentOS 6.6) (minimal) releases the shell to you at pid 4100, on a fresh install parabola releases the shell to you at ~ pid 650. So there are more background processes running on centos 6.6 than on parabola. With a full gui install this is much higher. The anaconda installer is really simple and gives you encrypted partitions without much work. CentOS never really crashed, parabola with grsec kernel locks up all the time, on CentOS gnome was smooth never crashed, never locked up, on parabola startx with blackbox or openbox starts getting the jitters and locks up hard at least once a day. The rpm packages always worked, and had good configs on centos, the packages on parabola/arch often have empty configs that don't allow the services to start.

I'd run centos if I didn't care about being spied on, but I do so I don't. Red Hat are the Microsoft of the linux world, and they are definitely in bed with the NSA and the Government.

My personal opinion is to install the minimum number of packages to get the job done, compile from source, get the source code directly from the upstream vendor. Gentoo is your best shot for this approach. The more packages you install the bigger your attack surface and the sooner you will install a malware backdoored "Free software" package. Using binary packages is giving trust to the person that compiled the package that they didn't insert their own backdoor into the code before packaging it.

Someone should do tcpdump and wireshark packet capture analysis on fresh installs for each distribution for a 1 week capture period and see what turns up. Also there are probably secret protocols that won't be captured by tcpdump or wireshark. But maybe you can do this? So if you do it tell us about it or make a tutorial and link it.
Edited last time by Endwall on 01/15/2017 (Sun) 16:55:44.


Endwall 01/06/2017 (Fri) 14:23:56 [Preview] No. 768 del
>>766

Also from memory centos with the gui was making calls out to Verisign and Neustar every 30 mins, to weird websites with no content on them. I put these ips into my original block lists for endwall (before it was endwall). Strange repetitive calls out on ports 80, 443, 53 to companies like these mainly in Virginia, Maryland, and some on the west coast in California. A lot of malicious looking interactions with Akamai Technologies, constantly sending out packets, and probing my ports. I banned these as well, same with stuff from Amazon AWS. I can't remember it all, I had a large block list but still received indicators that my desktop was being monitored and surveilled remotely. Probable keylogging, and screen capturing from framebuffer being encoded and sent out through port 53. It was pretty sophisticated looking. Fedora and Centos and RHEL are no go for me.

I'm suspicious about Debian as well, but it has a good reputation. However, Julian Assange made comments indicating that he thought that Debian was compromised as an OS, so maybe he knows something, or did some technical analysis on outgoing packets that gave him this impression. I put Debian on my mom's laptop because it has drivers for wifi that just work without fiddling. But I'm suspicious, I haven't had any bad experiences with it but Julian Assange's comments make me suspicious.

I prefer wired only interactions with the internet, and only behind 2 firewalls, 1 hardware + 1 endwall software, with blacklisting of wide ranges of ports and ips. 3 firewalls is better.
Edited last time by Endwall on 01/15/2017 (Sun) 17:02:52.


Endwall 01/06/2017 (Fri) 14:43:42 [Preview] No. 769 del
I "trust" the base install of parabola, but I don't trust the package repository.

I ran packet captures for a week in text mode on the base install and saw nothing crazy. My servers have stood up to some intense attacks, DDOS, brute force, bot net junk mail phishing, etc. However I have had some strange probable surveillance experiences using xorg on parabola.

I don't have the time right now to get everything working on Gentoo the way it works on my parabola installs, but one day I will completely switch.

I also like OpenBSD, the base install has only 45-50 running processes as reported by ps. It looks clean but I haven't done any analysis. OpenBSD package repositories are ~ 6 months old packages. I can't speak to their trustworthiness.

Parabola with full disk encryption with tor and firejail on everything is probably the best that a non computer science person can do. Gentoo has me reading compile error logs, and running around in circles spending hours finding out which flags messed up the emerge installation, and which missing packages caused errors, it takes too much of my time, pacman on arch is simple but comes with the aforementioned "trust" problems with the packages. I basically don't trust computers anymore.
Edited last time by Endwall on 01/15/2017 (Sun) 16:59:29.


Endwall 01/07/2017 (Sat) 18:11:41 [Preview] No. 773 del
>>766
Here is an informed opinion on the subject matter:
Julian Assange: Debian Is Owned By The NSA « IgnorantGuru's Blog
https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/

https://youtube.com/watch?v=UFFTYRWB0Tk

" and about 20 minutes into his address, he discussed how UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as ‘bugs’, and how the Linux system depends on thousands of packages and libraries that may be compromised."

"Assange mentions how Debian famously botched the SSH random number generator for years (which was clearly sabotaged). Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again (very serious – updated comments on how a defense contractor in Finland outed the NSA here?) It’s very hard to believe this wasn’t deliberate, as botching the memory space of private keys is about as completely incompetent as you can get, as this area is ultra-critical to the whole system. As a result, many private keys, including of providers, were potentially compromised, and much private info of service users. Be sure to update your systems as this bug is now public knowledge. (For more on how OpenSSL is a nightmare, and why this bug is one among many that will never be found, listen to FreeBSD developer Poul-Heening Kamp’s excellent talk at the FOSDEM BSD conference.) From the start, my revelations on this blog about Red Hat’s deep control of Linux, along with their large corporate/government connections, hasn’t been just about spying, but about losing the distributed engineering quality of Linux, with Red Hat centralizing control. Yet as an ex-cypherpunk and crypto software developer, as soon as I started using Linux years ago, I noted that all the major distributions used watered-down encryption (to use stronger encryption in many areas, such as AES-loop, you needed to compile your own kernel and go to great lengths to manually bypass barriers they put in place to the use of genuinely strong encryption). This told me then that those who controlled distributions were deeply in the pockets of intelligence networks. So it comes as no surprise to me that they jumped on board systemd when told to, despite the mock choice publicized to users – there was never any option. 
A computer, and especially hosting services (which often run Linux), are powerful communication and broadcasting systems into today’s world. If you control and have unfettered access to such systems, you basically control the world. As Assange notes in the talk, encryption is only as strong as its endpoints. eg if you’re running a very secure protocol on a system with a compromised OS, you’re owned. As Assange observed: “The sharing of information, the communication of free peoples, across history and across geography, is something that creates, maintains, and disciplines laws [governments].” UPDATE: Wikileaks is officially denying that Julian Assange literally said “Debian Is Owned By The NSA”. For people who are choking on the mere summary title of this article, please see definition of Owned/Pwn (and get some hip!)"


https://trisquel.info/en/forum/julian-assange-debian-owned-nsa

http://forums.debian.net/viewtopic.php?f=3&t=115121

If you search around you'll find more articles. It makes sense, they have a $20 Billion / year budget, and hire the top Bachelor and Masters degree computer science students from computer science programs from around the country, and post them as developers in these open source communities and in linux distribution projects. In the case of Red Hat the link is clearer and more direct.

There needs to be an audited version of GNU/linux that is audited by at least 3 professional auditing teams each signing the final source packages in tar files. There needs to be an audit distribution even if it lags behind rolling release distributions. Audited Source GNU/linux.


Anonymous 01/07/2017 (Sat) 20:59:54 [Preview] No. 775 del
>>773
>audited unix
>AKA OpenBSD

I don't mind using linux when I have to use hipster bleeding edge software. And the hackish nature flowing through the kernel itself is never ending inspiration (for both offensive and creative nature).

but seriously, there's no excuse of not using openbsd on exotic platform here and there for making life of NSA employee bit more harder or use gentoo/arch like distribution to learn how the fuck software that we all hate but ultimately become the part of actually works under those filthy piping.

You don't have to be programmer or professional pen testing auditor to make impact. just walking into seemingly random bug, obscure documentation. the never ending experiment is what brought us here, not some IYI crackpot compsci nerd who happily spend his time jizzing over algorithm that works better than quick sort on astronomical scale.

I won't ask you to write compiler or bootstrap your own operating system from language specification or anything.

Just stop before executing that command or shell script. read it and dump the elf header, see what it wants, how it's doing stuffs.

Don't visit website with web browser all the time. use nc to see what's actually pouring through.

list goes on and suddenly you realize you don't want nor need questionable developers to dictate your disto nor daily drivers.


Anonymous 01/07/2017 (Sat) 21:05:21 [Preview] No. 776 del
I am now also aware of the existence of a potential heir to Tails called Kodachi. It might be worth trying out, but I haven't tried it out yet so I can only recommend people to try it out, not recommending people to use it all the time.

https://www.digi77.com/linux-kodachi/


Anonymous 01/07/2017 (Sat) 21:20:38 [Preview] No. 777 del
>>776
>Debian 8.6
>dnscrypt
>virtual box
>tor + transmission

NSA approved


Anonymous 01/07/2017 (Sat) 21:50:39 [Preview] No. 778 del
>>777
I think you've ignored the context, and how one can use Transmission without using Tor, how one can configure Kodachi to use a VPN, how one can configure DNScrypt to not use the default of using CISCO servers (you can even use a dns server in Iceland of all places), how it's a customized OS that deletes fucking everything at shutdown, etc, so it's marginally better than Tails but not yet perfect.


Anonymous 01/08/2017 (Sun) 00:11:23 [Preview] No. 779 del
>>778
>deletes every time

and user patiently reconfigures everything as he anxiously plugs in usb stick to computer. indeed nice situation to be in as prey.

I thought whole point of this pleb tier usb stick distros were to provide non technical personnel with 'secure by default one time beacon' to be disposed of asap.


Anonymous 01/08/2017 (Sun) 02:16:30 [Preview] No. 780 del
>>779
I haven't tried it yet, but I still think it got better defaults than Tails.


Anonymous 01/09/2017 (Mon) 04:10:39 [Preview] No. 783 del
http://fuguita.org/index.php?FuguIta

What's this?

FuguIta is the Live System which was based on OpenBSD operating system and has following features;

Similar to HDD installation
This Live System is intended to be similar to HDD installation as much as possible.
After bootstrap completed, you can login to the environment like the one which was just installed on HDD.
In this environment, many ordinary files have replaced to symbolic links. So you can replace or modify them by yourself.
Portable workplace
You can save your own environment into Floppy Disk and/or USB flashdrive. Then you will be able to retrieve it at next boot time.
Low hardware requirements
Unless you will use X, this Live System requires 48MB of memory to run.
Following stable version
We're trying to track the OpenBSD-stable version, and to apply all errata patches.

Note: FuguIta (fuguita.gif) stands for "Blowfish Disk" in Japanese. Fugu means blowfish, and Ita means something flat such as a plate, a disk or a board etc...
Some Japanese might associate those who cook when hearing Ita. For them, so FuguIta also means "Blowfish Cook" as double meaning.


Anonymous 01/12/2017 (Thu) 06:40:58 [Preview] No. 786 del
I've had great luck with Alpine on my servers. Yeah, binary packages but it's been amazingly stable for me over a few years.

Alpine is getting pretty popular though, for awhile ncopa was threatening to shut down development for lack of time (he couldn't afford to work on it after losing a sponsor). I used to donate to him.

Then suddenly Docker made its announcement regarding Alpine and everything changed. All mentions of a way to donate on the Alpine website disappeared, development surged, and they get major donations of hardware as well. Has me a little bit worried that it could be sold out. Lots of new names on the contributors list on recent versions.


Anonymous 01/12/2017 (Thu) 11:08:41 [Preview] No. 787 del
>>786

yeah alpine is really cool.

they are currently the only major distribution that supports musl as standard c library.

gentoo has musl-hardened/vanilla branch but it still has long way to go for stabilization


Anonymous 01/12/2017 (Thu) 20:45:27 [Preview] No. 788 del
why no linux-libre kernel for alpine
what are they trying to hide


Anonymous 01/15/2017 (Sun) 22:12:14 [Preview] No. 798 del
>>788

if you don't know how to compile kernel, don't buy hardware that requires firmware to work properly in the first place


Anonymous 02/22/2017 (Wed) 05:27:00 [Preview] No. 834 del
>>37
I use a Librebooted laptop with Debian that has FDE enabled. I also have a GRUB password set up. Works well enough.

If you're going full tinfoil, then use a Librebooted machine with an OS you've made yourself and remove the networking hardware. Encrypt with Twofish to make brute forcing harder for the attacker.


Anonymous 02/22/2017 (Wed) 05:59:54 [Preview] No. 836 del
Epic thread doods, thanks for bouncing.

https://youtube.com/watch?v=EjbQ-BDh4PU


Anonymous 02/22/2017 (Wed) 06:08:36 [Preview] No. 837 del
>>834
I didn't use GRUB because of the claims behind being easily accessible through hitting backspace a specific number of times to being the password. I don't have 100% FDE also because of that claim. I'm also worried that if I update to a newer version of GRUB some time in the future that it won't be compatible with Libreboot. To ease my paranoia, I made myself use syslinux instead, but of course, it's no real solution either.


Anonymous 03/24/2017 (Fri) 07:32:18 [Preview] No. 860 del
http://spi.dod.mil/ This doesn't work for me.


Anonymous 03/24/2017 (Fri) 07:38:06 [Preview] No. 861 del
nvm, I had to use a normal firefox profile then accept the unknown certificate manually.


Anonymous 04/03/2017 (Mon) 22:40:37 [Preview] No. 873 del
you can load syslinux from a librebooted grub


Anonymous 04/09/2017 (Sun) 07:45:36 [Preview] No. 877 del
>>873
you can't have full disk encryption if you do that.


Anonymous 07/14/2017 (Fri) 11:39:42 [Preview] No. 984 del
https://www.hyperbola.info/

It's not ready still, the damn download link doesn't work. I suspect that it's still half baked. That being said, one day it could be a slightly more viable solution than parabola.


Anonymous 07/16/2017 (Sun) 11:13:38 [Preview] No. 985 del


Anonymous 07/27/2017 (Thu) 21:55:14 [Preview] No. 991 del
>>668
you forgot DNSCrypt luser


Anonymous 09/15/2017 (Fri) 09:12:13 [Preview] No. 1019 del
I've installed Artix Linux and it's okay, just not that great, though still useful and better than regular Archlinux. I can't wait for Hyperbola GNU/Linux-libre installation media comes in OpenRC by default, which when that comes out, I'll use that, but for now, I'd trust a proprietary non-systemd system than a libre systemd system. I'm not willing to install Parabola GNU/Linux-libre and reconfigure everything from scratch to make it work with OpenRC because I already know that there's too much incompatible programs out there with OpenRC. Arch-OpenRC and Manjaro-OpenRC devs are working together to make Artix Linux, which deprecated older OpenRC operating systems. I'm afraid that at this pace, it'll take two months to two years for it to be perfected and become a standalone system no longer dependent on Archlinux as a leech, and if the people behind Hyperbola GNU/Linux-libre don't cooperate with Artix Linux, there won't be a proper OpenRC operating system.


>>991
Until DNScrypt-proxy works with OpenRC, it's junk.


Endwall 09/16/2017 (Sat) 03:29:46 [Preview] No. 1021 del
>>1019

# pacstrap /mnt base-openrc

will install the sets for openrc on parabola from a base installation. Several daemons and packages that I usually use don't have openrc init scripts to install from the repo or just don't work when called.

I feel that source based distributions, even though they are harder/more work to configure and maintain, are the way to go for security.

Gentoo is the way to go although the recently publicized Source Mage >>>/tech/11021 seems worth looking into. I've never tried Source Mage but it looks interesting. Linux from scratch is the final frontier for me. I highly distrust Parabola/systemd but I still use it on a desktop and on two servers, I have too much homework keeping me busy for critical infrastructure, like my clearnet web and mail servers, to go offline for days during a wipe and reinstall. I have two installations of parabola-openrc and one installation of Gentoo.

OpenBSD and compiling from the ports tree is the next best option. However, I'm using pkg_add for most packages currently and I haven't worked on a proper pf firewall to emulate endwall.sh as of yet, although this is a near term project, once I get my homework load under control.


windows faggiolifag 09/16/2017 (Sat) 05:52:52 [Preview] No. 1023 del
windows os is the best os


Anonymous 09/16/2017 (Sat) 06:13:59 [Preview] No. 1024 del
>>1023
fuck off to 8chan or /inta/.


Anonymous 09/18/2017 (Mon) 03:47:04 [Preview] No. 1026 del
>>1021
tor doesn't work as intended on my Artix linux. OpenRC is going through some shit and I don't get what the people behind Parabola are doing in response to that while some people in Hyperbola (that are also Parabola devs) are seeking to make a stable, nonsystemd OS that might be truly independent from Archlinux entirely. I also have non free software on this machine so I'm forced to not use FSF approved OSes


Anonymous 09/18/2017 (Mon) 03:53:11 [Preview] No. 1027 del
>>1021
I would say that crux, void linux and alpine linux are still sort of niche enough to be considered. I'm just too lazy to get off of pacman based packages and if I'm going full source compiling, I need a nonshit functional but libre computer which is probably going to be $3k or something else outrageous.


Anonymous 09/18/2017 (Mon) 13:55:34 [Preview] No. 1028 del
>>1026
Tor sort of works now but there's no official Tor-OpenRC script besides the deprecated AUR version of that script. Also, UseEntryGuardsAsDirGuards is deprecated, Endwall might need to update his endtorrc file.


Endwall 09/19/2017 (Tue) 06:29:25 [Preview] No. 1029 del
>>1028
Yeah I noticed this a while ago and updated the file in endconf.git but forgot to copy it to the rest of the repo locations. Should be updated now. I guess the whole idea is that there is a best way to do something (Tor settings, for instance), so let's find that best way and spread it.


Endwall 09/19/2017 (Tue) 06:47:16 [Preview] No. 1030 del
I've been off of the ball for a while though. For instance I noticed recently that xtrac-ytpl.sh has stopped working. I'll look at this next weekend, but I've got homework up the wazoo.

I strongly believe that binary package based distributions are not the way to go for security. You're trusting the packager or the packaging team not to insert their own backdoor or malware, and you have no way to check if that has happened. Everything running on a secure computer has to have been compiled from source that is resident on your computer. That way if you suspect that something is wrong, you can at least check. I don't have the time or the expertise to do this but there are enough computer security experts out there that will, and will hopefully raise a red flag in a blog post, or in an article, or publicize it in a bug tracker. Right now, by using parabola (debian, ubuntu, mint, fedora, etc.), I'm trusting the packager that they don't work for an Intelligence agency of some small European country, or for a hacking team operating out of Russia. If they get caught (unlikely) they can just change their fake name and move on to the next distribution of linux (if they're not already doing it to the packages there as well).

I generally fell off of the wagon when I realized that my computer hardware and operating system were a major point of unreliability, and the probable source of my leak and privacy issues.

Binary package based distributions are a good place to start for someone learning to use GNU/Linux, but they're not the place to be for secure / private systems. Those are just my opinions, I'm not an expert in computer security, but by talking about it we'll get to the bottom of this eventually.


systemd Anonymous 09/27/2017 (Wed) 22:18:38 [Preview] No. 1039 del
About security vulnerabilities on systemd:
https://www.scientificlinux.org/category/sl-errata/slsa-20162610-1/
https://www.phoronix.com/scan.php?page=news_item&px=Systemd-230-FBDEV-Woe

Beware of the combination with Wayland. Also systemd is not the only problem, Avahi has been a problem for a while.


Anonymous 10/03/2017 (Tue) 06:25:47 [Preview] No. 1042 del
https://github.com/projectatomic/bubblewrap
This is supposedly better than firejail, and it sure is harder to use than firejail from the looks of it.


Endwall 01/02/2020 (Thu) 18:20:57 [Preview] No.1512 del
Interesting talk about OpenBSD security at Chaos Computer Club Congress 36.

A systematic evaluation of OpenBSD's mitigations

https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of_openbsd_s_mitigations

https://isopenbsdsecu.re/


Anonymous 01/07/2020 (Tue) 18:01:56 [Preview] No.1513 del
"Many times I've heard 'This is fixed in the last Linux kernel, and in OpenBSD 3.2.'" – Michael Warren Lucas

You either want Qubes OS, OpenBSD, or TAILS. Qubes OS would be better suited for desktop use, especially with faster graphics and more packages.

You probably want OpenBSD for a secure-by-default server, that you would update every 6 months, provided that parallelism isn't what you need most.

TAILS is useful as a desktop OS again, if you're an activist. It's what I'm using right now.

Sure, Fedora or Ubuntu would be more secure than Windows. Keep in mind that Fedora is maintained by Red Hat (NSA) and Ubuntu is maintained by Canonical (Five Eyes, GCHQ).

I don't trust any other "security-focused" distro because I don't see why it would be more secure than Debian or RHEL, and I don't see how they are innovative, either.


Anonymous 02/19/2020 (Wed) 00:45:59 [Preview] No.1518 del
How does one install Gentoo© without fucking it up multiple times and/or taking multiple hours to do so?
Seems like a very steep learning curve, anywhere I should start reading to actually learn how to into gentoo?


Anonymous 05/07/2020 (Thu) 16:58:17 [Preview] No.1528 del
Anon, how secure is an untouched Linux (Mint for example), despite possible integrated security flaws? I am relatively new to Linux and overwhelmed by hardening a system although I found some good hints in this bread. But I am afraid to tear holes in my system. Where do I start learning about Linux security and Linux in general? Do I really have to read a 400p handbook about Linux file system etc? ATM I am using Linux Mint, but looking for a non-systemd distro.


Anonymous 08/16/2020 (Sun) 02:46:05 [Preview] No.1568 del
any recs for i686?


Anonymous 08/16/2020 (Sun) 02:48:47 [Preview] No.1569 del
>>1568
recs in the vein of TAILS and Whonix. More anonymity focused than security per se.


Anonymous 08/26/2021 (Thu) 21:58:28 [Preview] No.1742 del
Linux 5.10 Kernel Contributors.


Anonymous 08/30/2021 (Mon) 04:23:56 [Preview] No.1745 del
(316.77 KB 705x825 linux_committers_v3.png)


Anonymous 11/05/2021 (Fri) 21:25:36 [Preview] No.1758 del
When it comes to the desktop model of computing, Linux and BSD are not as secure as you think:

https://madaidans-insecurities.github.io/linux.html
https://madaidans-insecurities.github.io/openbsd.html

Some valid points raised there. If security is paramount, use Qubes OS. Alternatively, use ChromiumOS with all telemetry disabled and enjoy bottoming for Big G.


