/os/ - Online Security

News, techniques and methods for computer network security.




Hello endwall, is there any documented instance of Fedora, RHEL, or systemd being intentionally backdoored? May be off topic, sorry, but you have mentioned it a few times.
 >>/766/

As in a documented case of an audit being performed on systemd uncovering a backdoor?
No, I haven't seen anything about this on any website, in any talks, or in any literature.

As in what happened to me? Yeah, I was gang raped on those systems. I had port 53 crowbarred open so that I couldn't shut it off, couldn't turn off bind9 or rebind the port; I had targeted feedback from my terminal and desktop relayed to me through third parties. I don't want to go into it tin-foil style, but don't use it; if you have to use it, use it in text mode with no GUI. My estimate was that the attacks were from the inside out, but I wasn't using jails and used Firefox regularly, so I don't know.

From a process standpoint, installing it in text mode (CentOS 6.6 minimal) releases the shell to you at PID 4100; on a fresh install Parabola releases the shell to you at ~PID 650. So there are more background processes running on CentOS 6.6 than on Parabola. With a full GUI install this is much higher. The Anaconda installer is really simple and gives you encrypted partitions without much work. CentOS never really crashed; Parabola with the grsec kernel locks up all the time. On CentOS GNOME was smooth, never crashed, never locked up; on Parabola startx with Blackbox or Openbox starts getting the jitters and locks up hard at least once a day. The rpm packages always worked and had good configs on CentOS; the packages on Parabola/Arch often have empty configs that don't allow the services to start.

I'd run CentOS if I didn't care about being spied on, but I do, so I don't. Red Hat are the Microsoft of the Linux world, and they are definitely in bed with the NSA and the government.

My personal opinion is to install the minimum number of packages to get the job done, compile from source, and get the source code directly from the upstream vendor. Gentoo is your best shot for this approach. The more packages you install, the bigger your attack surface and the sooner you will install a malware-backdoored "free software" package. Using binary packages is giving trust to the person who compiled the package that they didn't insert their own backdoor into the code before packaging it.

Someone should do tcpdump and Wireshark packet capture analysis on fresh installs of each distribution for a one-week capture period and see what turns up. Also there are probably secret protocols that won't be captured by tcpdump or Wireshark. But maybe you can do this? If you do, tell us about it or make a tutorial and link it.
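Added example (editor's, not endwall's code, not from the thread): the "port 53 crowbarred open, couldn't rebind it" situation above is exactly the case where you want to read the kernel's own socket table rather than trust a userland tool. The script parses /proc/net/tcp (hex address:port, state column 0A == LISTEN, inode column) and, on a live Linux box, walks /proc/<pid>/fd to find the process holding each listening socket. The SAMPLE_PROC_NET_TCP text is constructed in the real file layout so the parser runs offline.

```python
"""List listening TCP sockets from /proc/net/tcp and map them to PIDs.

Added example, not from the thread. The text in SAMPLE_PROC_NET_TCP is
constructed in the real /proc/net/tcp layout so the parser can be
exercised offline; on Linux, main() reads the live file instead.
"""
from __future__ import annotations

import os
import socket
import struct

TCP_LISTEN = "0A"  # value of the `st` column for a LISTEN socket

# Constructed sample: a resolver on 127.0.0.1:53, sshd on 0.0.0.0:22, and
# one established client connection (state 01) that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A3C 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr: str) -> tuple[str, int]:
    """'0100007F:0035' -> ('127.0.0.1', 53).

    The kernel prints the IPv4 address as one little-endian 32-bit word,
    so it has to be byte-swapped before inet_ntoa sees it.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text: str) -> list[dict]:
    """Return one dict per LISTEN socket: ip, port, uid, inode."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or malformed line
        if fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append(
            {"ip": ip, "port": port, "uid": int(fields[7]), "inode": int(fields[9])}
        )
    return listeners


def inode_to_pids(inode: int, proc: str = "/proc") -> list[int]:
    """Find PIDs holding a socket inode by walking /proc/<pid>/fd.

    Reading other users' fd directories needs root; unreadable or
    vanished processes are skipped rather than treated as errors.
    """
    target = f"socket:[{inode}]"
    owners = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(entry))
                    break
            except OSError:
                continue
    return owners


def main() -> None:
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
        live = True
    except OSError:  # not Linux: fall back to the constructed sample
        text, live = SAMPLE_PROC_NET_TCP, False
    for sock in parse_listeners(text):
        pids = inode_to_pids(sock["inode"]) if live else []
        print(f"{sock['ip']}:{sock['port']:<5} uid={sock['uid']:<5} "
              f"inode={sock['inode']} pids={pids or '?'}")


if __name__ == "__main__":
    main()
```

Run it as root so every /proc/<pid>/fd is readable; a listening inode that no PID claims is worth a closer look. Port 53 is mostly UDP, and /proc/net/udp has the same first ten columns, with unconnected sockets shown as state 07 instead of 0A, so the same parser works there with the state constant changed.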
 >>/766/

Also from memory, CentOS with the GUI was making calls out to Verisign and Neustar every 30 minutes, to weird websites with no content on them. I put these IPs into my original block lists for endwall (before it was endwall). Strange repetitive calls out on ports 80, 443, 53 to companies like these, mainly in Virginia, Maryland, and some on the west coast in California. A lot of malicious-looking interactions with Akamai Technologies, constantly sending out packets and probing my ports. I banned these as well, same with stuff from Amazon AWS. I can't remember it all; I had a large block list but still received indicators that my desktop was being monitored and surveilled remotely. Probable keylogging, and screen capturing from the framebuffer being encoded and sent out through port 53. It was pretty sophisticated looking. Fedora and CentOS and RHEL are no go for me.

I'm suspicious about Debian as well, but it has a good reputation. However, Julian Assange made comments indicating that he thought Debian was compromised as an OS, so maybe he knows something, or did some technical analysis on outgoing packets that gave him this impression. I put Debian on my mom's laptop because it has drivers for Wi-Fi that just work without fiddling. But I'm suspicious; I haven't had any bad experiences with it, but Julian Assange's comments make me suspicious.

I prefer wired-only interactions with the internet, and only behind 2 firewalls, 1 hardware + 1 endwall software, with blacklisting of wide ranges of ports and IPs. 3 firewalls is better.
I "trust" the base install of Parabola, but I don't trust the package repository.

I ran packet captures for a week in text mode on the base install and saw nothing crazy. My servers have stood up to some intense attacks: DDoS, brute force, botnet junk mail, phishing, etc. However, I have had some strange probable surveillance experiences using Xorg on Parabola.

I don't have the time right now to get everything working on Gentoo the way it works on my Parabola installs, but one day I will completely switch.

I also like OpenBSD; the base install has only 45-50 running processes as reported by ps. It looks clean, but I haven't done any analysis. OpenBSD package repositories are ~6 months old packages. I can't speak to their trustworthiness.

Parabola with full disk encryption, with Tor and Firejail on everything, is probably the best that a non-computer-science person can do. Gentoo has me reading compile error logs and running around in circles spending hours finding out which flags messed up the emerge installation and which missing packages caused errors; it takes too much of my time. pacman on Arch is simple but comes with the aforementioned "trust" problems with the packages. I basically don't trust computers anymore.
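Added example (editor's code, not endwall's and not from the thread) for the week-long capture idea in the two posts above: the thing to look for in such a capture is not any single destination but regularity, since "calls out every 30 minutes" is a period, not a host. The script reads the text that `tcpdump -nn -tttt` prints, keeps only outgoing SYNs from the local network, groups them by destination host and port, and reports destinations whose inter-connection gaps are nearly constant. The log lines are constructed with RFC 5737 documentation addresses, not real captures.

```python
"""Flag periodic outbound connections in a tcpdump text log.

Added example, not from the thread. Input is the text `tcpdump -nn -tttt`
prints; only outgoing TCP SYNs are considered. SAMPLE_TCPDUMP is constructed.
"""
from __future__ import annotations

import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
# `tcpdump -nn -tttt` line shape: "<date> <time> IP src.sport > dst.dport: Flags [S], ..."
SYN_RE = re.compile(
    r"^(\S+ \S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)

# Constructed sample: one host calling 198.51.100.7:443 every ~30 minutes
# amid ordinary browsing. The [S.] line is a SYN-ACK coming back and must
# not be counted as an outbound connection.
SAMPLE_TCPDUMP = """\
2017-03-01 12:00:00.000000 IP 192.168.1.10.45012 > 198.51.100.7.443: Flags [S], seq 1, win 29200, length 0
2017-03-01 12:03:17.500000 IP 192.168.1.10.45020 > 203.0.113.5.80: Flags [S], seq 1, win 29200, length 0
2017-03-01 12:03:17.600000 IP 203.0.113.5.80 > 192.168.1.10.45020: Flags [S.], seq 2, ack 2, win 65535, length 0
2017-03-01 12:30:01.000000 IP 192.168.1.10.45100 > 198.51.100.7.443: Flags [S], seq 1, win 29200, length 0
2017-03-01 12:41:52.000000 IP 192.168.1.10.45130 > 203.0.113.9.443: Flags [S], seq 1, win 29200, length 0
2017-03-01 13:00:00.500000 IP 192.168.1.10.45200 > 198.51.100.7.443: Flags [S], seq 1, win 29200, length 0
2017-03-01 13:29:59.000000 IP 192.168.1.10.45300 > 198.51.100.7.443: Flags [S], seq 1, win 29200, length 0
2017-03-01 13:31:00.000000 IP 192.168.1.10.45310 > 203.0.113.5.80: Flags [S], seq 1, win 29200, length 0
"""


def outbound_syns(lines, local_net: str = "192.168.0.0/16") -> dict[tuple[str, int], list[datetime]]:
    """Group SYN timestamps by (dst, dport), keeping only sources inside local_net."""
    net = ipaddress.ip_network(local_net)
    groups = defaultdict(list)
    for line in lines:
        m = SYN_RE.match(line)
        if not m:
            continue  # replies, UDP, ICMP, or a line in another format
        ts, src, _sport, dst, dport = m.groups()
        if ipaddress.ip_address(src) not in net:
            continue
        groups[(dst, int(dport))].append(datetime.strptime(ts, TS_FORMAT))
    return groups


def find_beacons(lines, local_net: str = "192.168.0.0/16",
                 min_count: int = 3, max_cv: float = 0.05) -> list[dict]:
    """Destinations contacted at least min_count times at a near-constant period.

    Regularity is the coefficient of variation of the gaps between SYNs
    (stdev / mean): a timer-driven beacon sits near 0, a human does not.
    """
    beacons = []
    for (dst, dport), times in outbound_syns(lines, local_net).items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing meaningful to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"dst": dst, "port": dport, "count": len(times),
                            "period_s": round(mean), "cv": round(cv, 4)})
    return sorted(beacons, key=lambda b: b["period_s"])


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TCPDUMP.splitlines()
    for b in find_beacons(source):
        print(f"{b['dst']}:{b['port']}  every ~{b['period_s']}s  x{b['count']}  cv={b['cv']}")
```

A capture that feeds this is `tcpdump -nn -tttt -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > week.log`, run for the week on the gateway or a mirror port rather than on the host under suspicion, since a compromised host can filter what its own tcpdump sees. The regex only covers TCP SYNs; DNS on 53/udp, the channel endwall suspects, needs a second pattern for the `UDP, length N` lines.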
 >>/766/
Here is an informed opinion on the subject matter:
Julian Assange: Debian Is Owned By The NSA « IgnorantGuru's Blog
https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/

https://youtube.com/watch?v=UFFTYRWB0Tk

" and about 20 minutes into his address, he discussed how UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as ‘bugs’, and how the Linux system depends on thousands of packages and libraries that may be compromised."

"Assange mentions how Debian famously botched the SSH random number generator for years (which was clearly sabotaged). Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again (very serious – updated comments on how a defense contractor in Finland outed the NSA here?) It’s very hard to believe this wasn’t deliberate, as botching the memory space of private keys is about as completely incompetent as you can get, as this area is ultra-critical to the whole system. As a result, many private keys, including of providers, were potentially compromised, and much private info of service users. Be sure to update your systems as this bug is now public knowledge. (For more on how OpenSSL is a nightmare, and why this bug is one among many that will never be found, listen to FreeBSD developer Poul-Henning Kamp’s excellent talk at the FOSDEM BSD conference.) From the start, my revelations on this blog about Red Hat’s deep control of Linux, along with their large corporate/government connections, haven’t been just about spying, but about losing the distributed engineering quality of Linux, with Red Hat centralizing control. Yet as an ex-cypherpunk and crypto software developer, as soon as I started using Linux years ago, I noted that all the major distributions used watered-down encryption (to use stronger encryption in many areas, such as AES-loop, you needed to compile your own kernel and go to great lengths to manually bypass barriers they put in place to the use of genuinely strong encryption). This told me then that those who controlled distributions were deeply in the pockets of intelligence networks. So it comes as no surprise to me that they jumped on board systemd when told to, despite the mock choice publicized to users – there was never any option.
A computer, and especially hosting services (which often run Linux), are powerful communication and broadcasting systems into today’s world. If you control and have unfettered access to such systems, you basically control the world. As Assange notes in the talk, encryption is only as strong as its endpoints. eg if you’re running a very secure protocol on a system with a compromised OS, you’re owned. As Assange observed: “The sharing of information, the communication of free peoples, across history and across geography, is something that creates, maintains, and disciplines laws [governments].” UPDATE: Wikileaks is officially denying that Julian Assange literally said “Debian Is Owned By The NSA”. For people who are choking on the mere summary title of this article, please see definition of Owned/Pwn (and get some hip!)"


https://trisquel.info/en/forum/julian-assange-debian-owned-nsa

http://forums.debian.net/viewtopic.php?f=3&t=115121

If you search around you'll find more articles. It makes sense: they have a $20 billion/year budget, hire the top bachelor's and master's degree computer science students from programs around the country, and post them as developers in these open source communities and in Linux distribution projects. In the case of Red Hat the link is clearer and more direct.

There needs to be an audited version of GNU/Linux, audited by at least 3 professional auditing teams each signing the final source packages in tar files. There needs to be an audited distribution even if it lags behind rolling release distributions. Audited Source GNU/Linux.
 >>/773/
> audited unix
> AKA OpenBSD

I don't mind using Linux when I have to use hipster bleeding-edge software. And the hackish nature flowing through the kernel itself is never-ending inspiration (for both the offensive and the creative nature).

But seriously, there's no excuse for not using OpenBSD on an exotic platform here and there to make the life of an NSA employee a bit harder, or using a Gentoo/Arch-like distribution to learn how the fuck the software that we all hate but ultimately become part of actually works under all that filthy piping.

You don't have to be a programmer or a professional pen-testing auditor to make an impact. Just walking into a seemingly random bug, or obscure documentation. The never-ending experiment is what brought us here, not some IYI crackpot compsci nerd who happily spends his time jizzing over an algorithm that works better than quicksort on an astronomical scale.

I won't ask you to write a compiler or bootstrap your own operating system from a language specification or anything.

Just stop before executing that command or shell script. Read it and dump the ELF header; see what it wants, how it's doing stuff.

Don't visit websites with a web browser all the time. Use nc to see what's actually pouring through.

The list goes on, and suddenly you realize you don't want nor need questionable developers to dictate your distro nor your daily drivers.
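Added example (editor's code, not the poster's): "dump the ELF header" above means reading the first 64 bytes yourself before trusting what `readelf -h` summarises. The script decodes e_ident and the fixed header with struct, handles both ELF32/ELF64 and both byte orders, and refuses junk instead of guessing. SAMPLE_ELF64 is a constructed x86-64 ET_DYN header, not a real binary; the machine table is a short subset of the ELF spec's e_machine values.

```python
"""Decode an ELF header before running an unknown binary.

Added example, not from the thread. SAMPLE_ELF64 is a constructed header.
"""
from __future__ import annotations

import struct

ELF_MAGIC = b"\x7fELF"
ELF_TYPES = {0: "NONE", 1: "REL (relocatable)", 2: "EXEC (fixed-address executable)",
             3: "DYN (shared object or PIE)", 4: "CORE"}
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}
# e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
# e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
FMT64 = "HHIQQQIHHHHHH"   # 48 bytes following the 16-byte e_ident
FMT32 = "HHIIIIIHHHHHH"   # 36 bytes following e_ident

# Constructed: little-endian ELF64, x86-64, ET_DYN, entry 0x1040, two
# program headers starting right after the header, no section headers.
SAMPLE_ELF64 = (
    ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    + struct.pack("<" + FMT64, 3, 62, 1, 0x1040, 64, 0, 0, 64, 56, 2, 64, 0, 0)
)


def is_elf(data: bytes) -> bool:
    return len(data) >= 16 and data[:4] == ELF_MAGIC


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident and the fixed header; raises ValueError on junk."""
    if not is_elf(data):
        raise ValueError("not an ELF file (bad magic or shorter than e_ident)")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in (1, 2):
        raise ValueError(f"unknown EI_CLASS {ei_class}")
    if ei_data not in (1, 2):
        raise ValueError(f"unknown EI_DATA {ei_data}")
    endian = "<" if ei_data == 1 else ">"
    fmt = endian + (FMT64 if ei_class == 2 else FMT32)
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _e_version, e_entry, e_phoff, e_shoff, _flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack_from(fmt, data, 16)
    return {
        "class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "osabi": ei_osabi,
        "type": ELF_TYPES.get(e_type, f"unknown ({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown ({e_machine})"),
        "entry": e_entry,
        "ehsize": e_ehsize,
        "phoff": e_phoff, "phentsize": e_phentsize, "phnum": e_phnum,
        "shoff": e_shoff, "shentsize": e_shentsize, "shnum": e_shnum,
        "shstrndx": e_shstrndx,
    }


def describe(path: str) -> str:
    """One-line summary of the header of the file at `path`."""
    with open(path, "rb") as fh:
        h = parse_elf_header(fh.read(64))
    return (f"ELF{h['class']} {h['endian']}-endian {h['machine']} {h['type']}, "
            f"entry 0x{h['entry']:x}, {h['phnum']} program headers, "
            f"{h['shnum']} section headers")


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or ["/bin/ls"]:
        try:
            print(p, "->", describe(p))
        except (OSError, ValueError) as exc:
            print(p, "->", exc)
```

Compare the output with `readelf -h`; a machine that is not your CPU, a zero section header count on something that claims to be a normal build, or a header that does not parse at all are the cheap red flags. What the binary "wants" in the sense of shared libraries lives in the dynamic section (`readelf -d`), which this header-only parser deliberately leaves out.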
I am now also aware of the existence of a potential heir to Tails called Kodachi. It might be worth trying out, but I haven't tried it yet, so I can only recommend that people try it out, not that they use it all the time.

https://www.digi77.com/linux-kodachi/
 >>/777/
I think you've ignored the context: how one can use Transmission without using Tor, how one can configure Kodachi to use a VPN, how one can configure DNSCrypt to not use the default of CISCO servers (you can even use a DNS server in Iceland of all places), how it's a customized OS that deletes fucking everything at shutdown, etc., so it's marginally better than Tails but not yet perfect.
 >>/778/
> deletes every time

And the user patiently reconfigures everything as he anxiously plugs the USB stick into the computer. Indeed a nice situation to be in as prey.

I thought the whole point of these pleb-tier USB stick distros was to provide non-technical personnel with a 'secure by default one-time beacon' to be disposed of ASAP.
http://fuguita.org/index.php?FuguIta

What's this?

FuguIta is a Live System based on the OpenBSD operating system and has the following features:

Similar to HDD installation
    This Live System is intended to be as similar to an HDD installation as possible.
    After bootstrap completes, you can log in to an environment like one just installed on an HDD.
    In this environment, many ordinary files have been replaced with symbolic links, so you can replace or modify them yourself.
Portable workplace
    You can save your own environment to a floppy disk and/or USB flash drive. Then you will be able to retrieve it at the next boot.
Low hardware requirements
    Unless you use X, this Live System requires 48MB of memory to run.
Following the stable version
    We are trying to track the OpenBSD-stable version and to apply all errata patches.

Note: FuguIta stands for "Blowfish Disk" in Japanese. Fugu means blowfish, and Ita means something flat such as a plate, a disk or a board, etc.
Some Japanese might associate Ita with those who cook when hearing it. For them, FuguIta also means "Blowfish Cook", as a double meaning.
I've had great luck with Alpine on my servers. Yeah, binary packages, but it's been amazingly stable for me over a few years.

Alpine is getting pretty popular though; for a while ncopa was threatening to shut down development for lack of time (he couldn't afford to work on it after losing a sponsor). I used to donate to him.

Then suddenly Docker made its announcement regarding Alpine and everything changed. All mentions of a way to donate on the Alpine website disappeared, development surged, and they get major donations of hardware as well. Has me a little bit worried that it could be sold out. Lots of new names on the contributors list in recent versions.
 >>/786/

Yeah, Alpine is really cool.

They are currently the only major distribution that supports musl as the standard C library.

Gentoo has a musl-hardened/vanilla branch, but it still has a long way to go for stabilization.
 >>/37/
I use a Librebooted laptop with Debian that has FDE enabled. I also have a GRUB password set up. Works well enough.

If you're going full tinfoil, then use a Librebooted machine with an OS you've made yourself and remove the networking hardware. Encrypt with Twofish to make brute forcing harder for the attacker.
 >>/834/
I didn't use GRUB because of the claims about it being easily accessible by hitting backspace a specific number of times to get past the password. I don't have 100% FDE either, because of that claim. I'm also worried that if I update to a newer version of GRUB some time in the future, it won't be compatible with Libreboot. To ease my paranoia, I made myself use syslinux instead, but of course it's no real solution either.
https://www.hyperbola.info/

It's still not ready; the damn download link doesn't work. I suspect that it's still half baked. That being said, one day it could be a slightly more viable solution than Parabola.
I've installed Artix Linux and it's okay, just not that great, though still useful and better than regular Arch Linux. I can't wait for the Hyperbola GNU/Linux-libre installation media to come with OpenRC by default; when that comes out, I'll use that, but for now I'd trust a proprietary non-systemd system over a libre systemd system. I'm not willing to install Parabola GNU/Linux-libre and reconfigure everything from scratch to make it work with OpenRC, because I already know that there are too many programs out there incompatible with OpenRC. The Arch-OpenRC and Manjaro-OpenRC devs are working together to make Artix Linux, which deprecated the older OpenRC operating systems. I'm afraid that at this pace it'll take two months to two years for it to be perfected and become a standalone system no longer dependent on Arch Linux as a leech, and if the people behind Hyperbola GNU/Linux-libre don't cooperate with Artix Linux, there won't be a proper OpenRC operating system.


 >>/991/
Until DNSCrypt-proxy works with OpenRC, it's junk.
 >>/1019/

# pacstrap /mnt base-openrc

will install the OpenRC sets on Parabola from a base installation. Several daemons and packages that I usually use don't have OpenRC init scripts to install from the repo, or just don't work when called.

I feel that source-based distributions, even though they are harder / more work to configure and maintain, are the way to go for security.

Gentoo is the way to go, although the recently publicized Source Mage >>/tech/11021/ seems worth looking into. I've never tried Source Mage, but it looks interesting. Linux From Scratch is the final frontier for me. I highly distrust Parabola/systemd, but I still use it on a desktop and on two servers; I have too much homework keeping me busy for critical infrastructure, like my clearnet web and mail servers, to go offline for days during a wipe and reinstall. I have two installations of parabola-openrc and one installation of Gentoo.

OpenBSD and compiling from the ports tree is the next best option. However, I'm using pkg_add for most packages currently, and I haven't worked on a proper pf firewall to emulate endwall.sh as of yet, although this is a near-term project once I get my homework load under control.
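Added example (editor's code, not endwall's, and the pf rules shown in the docstring are the generic table pattern, not endwall.sh): the wide IP block lists mentioned earlier in the thread are the part of an endwall-style firewall that ports most directly to pf, as a table. Block lists rot quietly, so the script validates every entry with the ipaddress module, merges overlapping and adjacent networks, and reports unparsable lines instead of dropping them. SAMPLE_BLOCKLIST is constructed from documentation ranges.

```python
"""Normalise an IP block list into a pf table file.

Added example, not endwall's code. Assumed pf.conf side (minimal):

    table <blocked> persist file "/etc/pf/blocked.txt"
    block drop in  quick from <blocked> to any
    block drop out quick from any to <blocked>

and after regenerating the file: pfctl -t blocked -T replace -f /etc/pf/blocked.txt
"""
from __future__ import annotations

import ipaddress

# Constructed sample; every address is from an RFC 5737 / RFC 3849 range.
SAMPLE_BLOCKLIST = """\
# constructed sample block list
198.51.100.0/25
198.51.100.128/25      # adjacent to the previous one: merges into a /24
203.0.113.0/24
203.0.113.5            # already covered by the /24 above
192.0.2.10
2001:db8::/32
not-an-address
10.0.0.1/8             # host bits set: rejected unless strict=False
"""


def parse_blocklist(text: str, strict: bool = True) -> tuple[list, list[str]]:
    """Return (networks, errors). Comments and blank lines are ignored.

    With strict=True an entry like 10.0.0.1/8 (host bits set) is an error,
    because it usually means someone fat-fingered the prefix length.
    """
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=strict))
        except ValueError as exc:
            errors.append(f"line {lineno}: {entry!r}: {exc}")
    return nets, errors


def collapse(nets) -> list:
    """Merge overlapping/adjacent networks, separately per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_pf_table(nets) -> str:
    """One entry per line, the format both `table ... file` and `pfctl -T replace -f` read."""
    lines = []
    for n in nets:
        # single hosts are written bare; pf accepts /32 and /128 as well
        lines.append(str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n))
    return "\n".join(lines) + "\n"


def build(text: str, strict: bool = True) -> tuple[str, list[str]]:
    """Block list text -> (pf table file contents, list of rejected lines)."""
    nets, errors = parse_blocklist(text, strict)
    return render_pf_table(collapse(nets)), errors


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BLOCKLIST
    table, errs = build(src)
    sys.stdout.write(table)
    for e in errs:
        sys.stderr.write("rejected: " + e + "\n")
    sys.exit(1 if errs else 0)
```

The non-zero exit on any rejected line is deliberate: wire it into whatever cron job refreshes the table so a corrupted list fails loudly rather than shrinking silently. Port ranges, the other half of endwall's blacklisting, live in pf rules rather than tables and are not handled here.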
 >>/1021/
Tor doesn't work as intended on my Artix Linux. OpenRC is going through some shit and I don't get what the people behind Parabola are doing in response to that, while some people in Hyperbola (who are also Parabola devs) are seeking to make a stable, non-systemd OS that might be truly independent from Arch Linux entirely. I also have non-free software on this machine, so I'm forced not to use FSF-approved OSes.
 >>/1021/
I would say that CRUX, Void Linux and Alpine Linux are still sort of niche enough to be considered. I'm just too lazy to get off pacman-based packages, and if I'm going full source compiling, I need a non-shit, functional but libre computer, which is probably going to be $3k or something else outrageous.
 >>/1026/
Tor sort of works now, but there's no official Tor OpenRC script besides the deprecated AUR version of that script. Also, UseEntryGuardsAsDirGuards is deprecated; Endwall might need to update his endtorrc file.
 >>/1028/
Yeah, I noticed this a while ago and updated the file in endconf.git but forgot to copy it to the rest of the repo locations. It should be updated now. I guess the whole idea is that there is a best way to do something (Tor settings, for instance), so let's find that best way and spread it.
I've been off the ball for a while though. For instance, I noticed recently that xtrac-ytpl.sh has stopped working. I'll look at this next weekend, but I've got homework up the wazoo.

I strongly believe that binary-package-based distributions are not the way to go for security. You're trusting the packager or the packaging team not to insert their own backdoor or malware, and you have no way to check whether that has happened. Everything running on a secure computer has to have been compiled from source that is resident on your computer. That way, if you suspect that something is wrong, you can at least check. I don't have the time or the expertise to do this, but there are enough computer security experts out there who will, and who will hopefully raise a red flag in a blog post, in an article, or in a bug tracker. Right now, by using Parabola (Debian, Ubuntu, Mint, Fedora, etc.), I'm trusting the packager that they don't work for an intelligence agency of some small European country, or for a hacking team operating out of Russia. If they get caught (unlikely), they can just change their fake name and move on to the next distribution of Linux (if they're not already doing it to the packages there as well).

I generally fell off the wagon when I realized that my computer hardware and operating system were a major point of unreliability, and the probable source of my leak and privacy issues.

Binary-package-based distributions are a good place to start for someone learning to use GNU/Linux, but they're not the place to be for secure / private systems. Those are just my opinions; I'm not an expert in computer security, but by talking about it we'll get to the bottom of this eventually.
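Added example (editor's code, not endwall's) for the "get the source from upstream and then you can at least check" argument that runs through this post and endwall's earlier one: the check worth automating before a build is that the tarball matches the upstream SHA256SUMS entry, and that the manifest itself matches a hash you pinned out of band (release announcement, signed tag, an earlier verified copy), so a mirror or packager that swaps manifest and tarball together is still caught. It proves the bytes are what upstream published and nothing about whether upstream's code is clean. The tarball bytes, manifest and file name example-1.0.tar.gz are all constructed.

```python
"""Check a source tarball against an upstream SHA256SUMS before building it.

Added example, not from the thread. All fixtures at the bottom are constructed.
"""
from __future__ import annotations

import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse `sha256sum` output: '<64 hex>  <name>' or '<64 hex> *<name>'.

    Malformed lines raise instead of being skipped: a manifest you cannot
    parse is not one you should be trusting.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest> <name>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if name.startswith("*"):          # `sha256sum -b` binary-mode marker
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        if name in entries and entries[name] != digest:
            raise ValueError(f"manifest line {lineno}: conflicting digests for {name!r}")
        entries[name] = digest
    return entries


def verify_tarball(name: str, data: bytes, manifest_text: str,
                   pinned_manifest_sha256: str | None = None) -> tuple[bool, str]:
    """Return (ok, reason). Digest comparisons use hmac.compare_digest."""
    if pinned_manifest_sha256 is not None:
        if not hmac.compare_digest(sha256_hex(manifest_text.encode()),
                                   pinned_manifest_sha256.lower()):
            return False, "manifest does not match the pinned hash"
    try:
        entries = parse_manifest(manifest_text)
    except ValueError as exc:
        return False, str(exc)
    expected = entries.get(name)
    if expected is None:
        return False, f"no manifest entry for {name!r}"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, f"{name}: digest mismatch"
    return True, f"{name}: ok"


# --- constructed fixtures ---------------------------------------------------
GOOD_TARBALL = b"constructed stand-in for example-1.0.tar.gz\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"#!/bin/sh\nhelpfully added by someone\n"
GOOD_MANIFEST = (f"{sha256_hex(GOOD_TARBALL)}  example-1.0.tar.gz\n"
                 f"{sha256_hex(b'other')} *example-1.0.tar.gz.asc\n")
# In real use this value is recorded from an independent channel, not computed here.
PINNED_MANIFEST_HASH = sha256_hex(GOOD_MANIFEST.encode())
# What a hostile mirror would serve: a manifest that "matches" the tampered file.
SWAPPED_MANIFEST = f"{sha256_hex(TAMPERED_TARBALL)}  example-1.0.tar.gz\n"


if __name__ == "__main__":
    for label, data, manifest in [("good", GOOD_TARBALL, GOOD_MANIFEST),
                                  ("tampered", TAMPERED_TARBALL, GOOD_MANIFEST),
                                  ("swapped manifest", TAMPERED_TARBALL, SWAPPED_MANIFEST)]:
        ok, why = verify_tarball("example-1.0.tar.gz", data, manifest, PINNED_MANIFEST_HASH)
        print(f"{label:17} {'PASS' if ok else 'FAIL'}: {why}")
```

Where upstream ships a detached signature, the pin is replaced by `gpg --verify SHA256SUMS.sig SHA256SUMS` with a signing key fetched through a channel other than the download mirror; the rest of the check is the same. If the distribution's package reproduces bit-for-bit from that verified source, the packager is ruled out too, which is the only way to turn "you have no way to check" into a check without rebuilding everything yourself.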
About security vulnerabilities in systemd:
https://www.scientificlinux.org/category/sl-errata/slsa-20162610-1/
https://www.phoronix.com/scan.php?page=news_item&px=Systemd-230-FBDEV-Woe

Beware of the combination with Wayland. Also, systemd is not the only problem; Avahi has been a problem for a while.
Interesting talk about OpenBSD security at Chaos Computer Club Congress 36 (36C3).

A systematic evaluation of OpenBSD's mitigations 

https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of_openbsd_s_mitigations

https://isopenbsdsecu.re/
"Many times I've heard 'This is fixed in the last Linux kernel, and in OpenBSD 3.2.'" – Michael Warren Lucas

You either want Qubes OS, OpenBSD, or Tails. Qubes OS would better suit desktop use, especially with faster graphics and more packages.

You probably want OpenBSD for a secure-by-default server that you would update every 6 months, provided that parallelism isn't what you need most.

Tails is useful as a desktop OS again, if you're an activist. It's what I'm using right now.

Sure, Fedora or Ubuntu would be more secure than Windows. Keep in mind that Fedora is maintained by Red Hat (NSA) and Ubuntu is maintained by Canonical (Five Eyes, GCHQ).

I don't trust any other "security-focused" distro because I don't see why it would be more secure than Debian or RHEL, and I don't see how they are innovative, either.
How does one install Gentoo© without fucking it up multiple times and/or taking multiple hours to do so?
Seems like a very steep learning curve; anywhere I should start reading to actually learn how to get into Gentoo?
Anon, how secure is an untouched Linux (Mint, for example), despite possible integrated security flaws? I am relatively new to Linux and overwhelmed by hardening a system, although I found some good hints in this bread. But I am afraid of tearing holes in my system. Where do I start learning about Linux security and Linux in general? Do I really have to read a 400-page handbook about the Linux file system etc.? ATM I am using Linux Mint, but looking for a non-systemd distro.
When it comes to the desktop model of computing, Linux and BSD are not as secure as you think:

https://madaidans-insecurities.github.io/linux.html
https://madaidans-insecurities.github.io/openbsd.html

Some valid points raised there. If security is paramount, use Qubes OS. Alternatively, use ChromiumOS with all telemetry disabled and enjoy bottoming for Big G.
