From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
Date: Mon, 16 Feb 2009 21:02:29 -0500
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Re: Which laptop compatible with hardened-workstation ?
Message-ID: <499A1AB5.6020604@gmail.com>
References: <522bae60902160104u5c37edc8n823126763778ae84@mail.gmail.com> <4999A7FA.4010601@gmail.com> <4999F176.1060302@edgehp.net>
In-Reply-To: <4999F176.1060302@edgehp.net>

Dale Pontius wrote:
> 7v5w7go9ub0o wrote:
>> Romain BERGE wrote:
>>> Hey list,
>>>
>>> I am planning to buy a laptop. I would like to install a hardened
>>> (workstation) profile on it.
>>>
>>> Which hardware features/components should I take care of (to be
>>> the most compatible with hardened)? Conversely, are there
>>> some hardware components/brands to avoid?
>>>
>>> Thanks
>>>
>>>
>> Went through a similar exercise a few years ago; concluded that
>> one:
>>
>> - first chooses the laptop that meets his needs (I wanted a 2
>> pounder with good screen and graphics to carry about in a back
>> pack, with frequent stops at hotspots)
>>
>> - second googles about for Linux success/failure stories about that
>> laptop. Gentoo has some great documentation and explanations
>> concerning Linux; Ubuntu has some great user lists regarding
>> specific hardware. My Sony was 95% Linux good to go, with detailed
>> Ubuntu discussions about xorg.conf.
>>
>> - third, if it works on Linux, it'll likely work for hardened. (This
>> was true for 32-bit on my laptop; 64 may be different; I'll know
>> shortly.)
>>
>> FWIW, IMHO a hardened profile, along with other precautions, makes
>> a lot of sense on a laptop, as there is all sorts of mischief
>> occurring at anonymous, college and Saturday-afternoon hotspots -
>> some of it quite sophisticated due to "pen test" software. It's a
>> wild west that you'll not experience on your firewalled desktop.
>>
> Just a side comment on this... I have scripts that figure out where
> the heck I am when networking comes up, and based on that decide
> what, if any, service(s) to bring up. When the current network is on
> "other", NO services are started at all - even X is started with
> "-tcp nolisten" so there are no open ports. Scratch that - dnsmasq
> is listening on loopback, but that's it.
>
> Maybe it's not all that's necessary, but it's a good first line of
> defense.
>
> Dale Pontius

Heh... clever idea; makes good sense to me. :-)

(Some might argue for a VPN so as to avoid DNS poisoning or an attack against Mara directly - guess that would depend upon the nature of one's business at the hotspot. FWIW, I run unbound (DNS) in its own jail. I'll shut it down and use a VPN when doing banking/other sensitive stuff.)

(Given I use individual, hardened (grsecurity) jails for anything that connects outside, I can't totally block X - but I do firewall it, and also confine it through xhost to localhost only. As far as running services - nope!

Heh... mindful of poisoning or buffer-overflow attacks, I'll passively monitor the place with kismet for a minute or two before announcing my presence, and then bring up DHCPCD in a hardened jail for 3 seconds - long enough to set the network assignments - then automatically kill it. Arpon can passively monitor external ARP activity.)
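As an added example, not Dale's script or anything from the original mail, a small POSIX sh sketch of the location-aware policy he describes: the gateway MAC allow-list, the service names and the gateway/ARP lookup via `ip` are constructed assumptions, and the X flag is written in the form the X server accepts, `-nolisten tcp`.

```shell
#!/bin/sh
# Hypothetical location-aware service policy (constructed example, not the
# script from the mail). The network is classified by the default gateway's
# MAC address; anything not on the allow-list is "other", where no network
# service is started and X is given -nolisten tcp so it opens no TCP port.

# Constructed allow-list: gateway MAC -> location name (placeholder values).
KNOWN_GATEWAYS="
00:11:22:33:44:55 home
66:77:88:99:aa:bb office
"

# classify_network MAC -> prints the location, or "other" if the MAC is unknown.
classify_network() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    loc=$(printf '%s\n' "$KNOWN_GATEWAYS" |
          awk -v m="$mac" 'NF >= 2 && $1 == m { print $2; exit }')
    printf '%s\n' "${loc:-other}"
}

# services_for LOCATION -> services to start there. On "other" only dnsmasq,
# which is assumed to be configured to listen on loopback alone.
services_for() {
    case "$1" in
        home)   echo "dnsmasq sshd cups" ;;
        office) echo "dnsmasq sshd" ;;
        *)      echo "dnsmasq" ;;
    esac
}

# x_server_args LOCATION -> extra X server flags; TCP listening only at home.
x_server_args() {
    if [ "$1" = "home" ]; then echo ""; else echo "-nolisten tcp"; fi
}

# gateway_mac -> MAC of the current default gateway from the Linux neighbour
# cache, or failure when there is no default route (e.g. offline).
gateway_mac() {
    gw=$(ip -4 route show default 2>/dev/null | awk '{ print $3; exit }')
    [ -n "$gw" ] || return 1
    ip neigh show "$gw" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "lladdr") { print $(i+1); exit } }'
}

# Decide and report the policy; a stand-alone run prints what would be started.
main() {
    loc=$(classify_network "$(gateway_mac || echo none)")
    echo "location: $loc"
    echo "services: $(services_for "$loc")"
    echo "X flags:  $(x_server_args "$loc")"
}
main
```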