I’m about to break a cardinal rule regarding security, I’m about to reveal my whole security scheme for anyone who cares to take a look.
I do this in holding to my philosophy that information which is beneficial to the advancement of humanity should be shared, perhaps bartered or sold, but definitely not kept to one’s self (the smallest minority). I wrote about this personal belief in an earlier post entitled, “We Are All RETARDED.” I believe that humanity advances or fails based upon how much we are willing to help each other, mutual cooperation for mutual benefit. Our most perfect state as fallible beings. With this thought in mind, I impart what I have learned in hopes that it will be of use to someone in need.
Computer security, somewhat of an oxymoron, since such a thing will intrinsically be forever elusive. It’s just when you feel totally secure that you are most at risk, we are never secure, never safe. To think so is to become a fool. We can however, do as best as one can and a great place to start on the road to that goal is with the operating system, the foundation that all other tech activity is built upon. I’m talking about old fashioned desktop boxes and laptops of course, I don’t even own a Smart-phone nor any other mobile device. To me, these things by design are impossible to secure in any meaningful way, their dependence on networks and all.
Bored yet? Good. Then let’s begin.
The most perfect, well thought out, bug free and just plain works operating system for the common man or woman ever designed in the whole wide world is… PUPPY LINUX! YEAAAA! Here’s why;
- It’s Linux, duh. Need I really say more?
- Is totally free under the GNU license.
- Has a strong community of knowledgeable users willing to pitch in and help when you get stuck.
- Is incredibly useful in repairing broken boxes and breathing new life into old ones. The operating system is one of the few that loads totally into RAM memory and can be fully functional in a computer that has no hard drive at all. A HUGE plus for security as well as performance. For example, once the power is cut, EVERYTHING VANISHES WITHOUT A TRACE.
- Depending upon the distribution that you choose, Puppy has many repositories available to it full of all sorts of useful and free software.
- Has an excellent GUI with many different window managers and themes to choose from. Puppy is a fully functional operating system either with or without a GUI. As with any UNIX variant, it is native to the command line. Did I mention that many UNIX utilities and apps (both command line and GUI based) are ported and portable to Puppy too?
- Is a single user operating system which means that only one person can be logged on at a time. This virtually eliminates privilege escalation attacks.
- Is extremely portable, just pop CD or DVD into optical drive and boot. Can also be installed on a bootable USB flash drive with or without encryption. Can be stored in a “pupsave” file either encrypted or not, which contains all personal files (needing only the original CD to boot). Can network boot using PXELinux and finally, can run live off a CD/DVD (the last method being absolutely hack proof).
- You can custom tailor Puppy to your liking with it’s native package manager and then save the build in a pupsave file, ISO image, bootable USB drive or live CD/DVD.
- Can dynamically load and unload programs on the fly using the .sfs package system. These packages are self contained with all necessary dependencies, no installation necessary. Big, resource intensive programs can be loaded or unloaded so as not to hog resources. Trouble free.
- Can run Windoze .exes and programs of many other Os’s with emulators such as Wine, Virtualbox (for total guest OS emulation) and many others. Run one at a time or all at once if your machine is strong enough. All network resources can be shared too.
- Can mount or unmount both local and network drives, an extra measure of security and safety.
- Understands and can read and write to many other OS’s filesystems such as fat, vfat, ntfs, ext, etc.,
- Boots very fast and eliminates constant writing to drives, thereby extending their service life.
- Is in continual development and testing the world over. Bugs are fixed quickly and the OS just keeps getting more and more robust with contributions from the Puppy Linux community.
- Finally, is the perfect, unbreakable, fully customizable and safe operating system for kids. Just pop in the CD and if the little angels break something, simply reboot. All brand new again. (Just make sure they don’t have the mount command available, any connected hard drive might not survive their playful keystrokes).
By no means is this list all that Puppy can do, these are just some of the things that I like best. I’m no Geek nor Guru, just a “power user” who values his privacy and appreciates things that work and don’t break all the time. There are many people out there much smarter than me that can make Puppy Linux do some amazing things that I can’t even imagine. So is the wonderful world of Linux (as well as other UNIX variants). for a better explanation, check out the official HOWTO at http://puppylinux.com/development/howpuppyworks.html
Thank you so, so much Mr. Barry Kauler, for giving us this fantastic gift. Barry is a master programmer and computer scientist who invented Puppy Linux and named it after his now departed Chihuahua. He lives in Australia.
Now for the security stuff.
Truecrypt is also a free, open-source (meaning the source code is available to anyone) program that encrypts whole drives, partitions, individual files, creates encrypted archives and can also make hidden encrypted partitions.
Truecrypt enables the user to choose between three different types of encryption (AES, Serpent and Twofish) and has the ability to use all at the same time to encrypt (this is called cascading). Cascading doesn’t increase hardness very much however, but does increase overhead. This means you’ll make your machine work harder to decrypt while reaping minimal gain. Just stick with either AES or Serpent, these two seem to be the best.
The program encrypts and decrypts in duplex mode on the fly, in other words in both read and write mode in real time, instantly. The overhead is very low and not noticeable to the end user. Extremely strong encryption can be achieved without slowing down your machine. An entire hard drive can be dynamically encrypted and decrypted in both read and write modes utilizing strong encryption without ever seeming to bog down. Only on bandwidth demanding tasks such as transcoding (converting one file format to another) can one notice the difference. As for my personal experience me any lag time is unnoticeable. The damn thing just works beautifully, all the time.
Another nice thing about truecrypt is that if you have a sudden power failure before you have a chance to unmount your encrypted media, no harm, no foul. None of your data gets corrupted. Just mount it up again when the power comes back and pick up where you left off. It doesn’t save the previous state but it doesn’t corrupt whatever files you were working with either. If you were in the middle of a project, you will just have to start all over again, thats all.
Something that is kind of weird but totally in keeping with encryption best practices is what Truecrypt uses as it’s random number generator, the heart of any encryption scheme. The random number generator that Truecrypt uses is YOU. That’s right, you are the RNG. After all, what could be more random than nature at it’s finest. Whenever you encrypt something with Truecrypt, whether it be an individual file, partition or an entire hard drive, there is a point in the process where your active input is encouraged. Truecrypt instructs you to take the mouse and jiggle the cursor around on the screen in as random of a manner for as long as possible, at least for thirty (30) seconds. What this does is randomly generate encryption keys that the program them stores and uses to accomplish the encryption. Kind of genius, don’t you think? If I am encrypting an entire hard drive, I sit there for at least an hour and move the cursor around as frantically as I can until my arm burns off. The reason that I do this is because I am being Gangstalked by government sanctioned creeps who probably have access to quantum computers for cracking. I’m going to make their Satanic job as much of a pain in the arse as I can. 🙂
What I like best about Truecrypt though, is that Truecrypt allows the use of Keyfiles.
A Keyfile is pretty much what it sounds like, a file that has been turned into a key of sorts. The file itself isn’t changed however, it is just used as part of (more accurately in addition to) the password.
A Keyfile can be any kind of file. It can be an audio file, a graphic file, a text document, an archive of many different files etc., etc., etc.,… Any file extension known to man can be used, of any length, of any size and quantity. A Keyfile can be on the local drive, a network drive, several different local or network drives if using more than one file or, reside on the Internet itself in a web-page or something. Whatever you can access with your machine can be incorporated into your password in the form of a keyfile and only you know what that is (or are). One word of warning though, lose access to the keyfile and your data is unrecoverable. That is, unless you have your own quantum computer handy. My suggestion is to store several copies of your chosen keyfile or keyfiles in the cloud, locally hidden on the hard drive and finally on some form of non-volatile ram like CD or DVD. Only you have to know what file is what.
I would never store nor upload to the cloud any sensitive data that I wanted to keep private without first encrypting it with Truecrypt, using all of the tricks enumerated in the aforementioned.
I’m partial to Opera although I will use Firefox every now and then. I used to use a stripped down version of Chrome called Iron however, it just doesn’t take care of all of my needs. There are other ones out there too, some exclusive to Linux only. When feeling extra paranoid I switch to one of the more arcane ones. Sometimes I even fire up Virtualbox and run Windoze IE right along with Opera, Firefox or Iron, just to foul up the noses of any packet sniffers smelling my traffic. When I feel even more paranoid I tap into a select set of proxy servers that make it appear as though I’m living in Germany, Columbia or Brazil. This is kind of troublesome though, and kind of slow so I don’t do this much anymore. You also never know when a proxy might go off-line for whatever reason. When I need real privacy (or as close as a mere power user like me can get) I bust out Tor. Seems like overkill as I’m not involved in anything illicit anyway, but with the revelations of Snowden I somehow feel it is my duty to be as in the dark as possible. The only thing that I can think of even more secure than Tor would be a Virtual Private Network or VPN however, the problem with all of these technologies is that they are all vulnerable to end point capture, as in your ISP selling you out. Since I am being Gangstalked by government sanctioned creeps, I assume this near undefinable attack is my very situation. Thanks AT&T and Comcast, for feeding me to your real customer, the guberment.
SYNCHRONICITY UPDATE 06/13/14
Dan Nois of Channel 7 news (I Team) did an investigative report on the TOR browser less than two months (1 month 24 days) after I first wrote about it in the above paragraph…
Smoke signals and Carrier Pidgeons (just kidding)
At long last, physical access to your machine. Don’t ever let anyone have physical access to any machine or device that you want to keep clean and secure. Do all maintenance and repairs yourself, keep the thing in a locked and secure cabinet when not in use (or in the case of a desktop or server, always in a locked cabinet) and never trust anyone. Use software that will render it no better than a brick should it ever get out of your possession.
As for my very last words remember this, human beings make excellent random output generators.