[gentoo-user] Horribly off-topic linux distro question...

[gentoo-user] Horribly off-topic linux distro question...

[Steve]

In the context of online banking, where Windows of some flavour is the 
desktop OS, I see a substantial risk arising through spyware and/or 
viruses.  I suspect that a neat way to mitigate this would be to run an 
OS from a CD which offers nothing more fancy than a basic web-browser.

Is there anything like this already available?

-- 
gentoo-user@lists.gentoo.org mailing list

[gentoo-user] Re: Horribly off-topic linux distro question...

[Michael Schmarck]

Steve <Gentoo_sjh@shic.co.uk> wrote:

> In the context of online banking, where Windows of some flavour is the
> desktop OS, I see a substantial risk arising through spyware and/or
> viruses.  I suspect that a neat way to mitigate this would be to run an
> OS from a CD which offers nothing more fancy than a basic web-browser.
> 
> Is there anything like this already available?

DSL should come fairly close.

Michael

-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: Horribly off-topic linux distro question...

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 618 bytes --]

On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:

> > In the context of online banking, where Windows of some flavour is the
> > desktop OS, I see a substantial risk arising through spyware and/or
> > viruses.  I suspect that a neat way to mitigate this would be to run
> > an OS from a CD which offers nothing more fancy than a basic
> > web-browser.
> > 
> > Is there anything like this already available?  
> 
> DSL should come fairly close.

Dillo doesn't work with the online banking sites, and many others, that I
tried.


-- 
Neil Bothwick

If it ain't broke, wait a day or two!!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] Re: Horribly off-topic linux distro question...

[Florian Philipp]

[-- Attachment #1: Type: text/plain, Size: 697 bytes --]


On Thu, 2008-02-07 at 15:37 +0000, Neil Bothwick wrote:
> On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:
> 
> > > In the context of online banking, where Windows of some flavour is the
> > > desktop OS, I see a substantial risk arising through spyware and/or
> > > viruses.  I suspect that a neat way to mitigate this would be to run
> > > an OS from a CD which offers nothing more fancy than a basic
> > > web-browser.
> > > 
> > > Is there anything like this already available?  
> > 
> > DSL should come fairly close.
> 
> Dillo doesn't work with the online banking sites, and many others, that I
> tried.
> 
> 

Last time I tried, DSL came with Firefox 1.5.*

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] Horribly off-topic linux distro question...

[Andrey Falko]

On Feb 7, 2008 9:04 AM, Steve <Gentoo_sjh@shic.co.uk> wrote:
> In the context of online banking, where Windows of some flavour is the
> desktop OS, I see a substantial risk arising through spyware and/or
> viruses.  I suspect that a neat way to mitigate this would be to run an
> OS from a CD which offers nothing more fancy than a basic web-browser.
>
> Is there anything like this already available?
>
> --
> gentoo-user@lists.gentoo.org mailing list
>
>

Try Knoppix, it will have everything you need to do you online banking.
-- 
gentoo-user@lists.gentoo.org mailing list

[gentoo-user] Re: Horribly off-topic linux distro question...

[7v5w7go9ub0o]

Steve wrote:
> In the context of online banking, where Windows of some flavour is the 
> desktop OS, I see a substantial risk arising through spyware and/or 
> viruses.  I suspect that a neat way to mitigate this would be to run an 
> OS from a CD which offers nothing more fancy than a basic web-browser.
> 
> Is there anything like this already available?
> 

My preference is using a safe browser (Opera with plugins removed) on a
QEMU/Hardened Gentoo VM - on a USB flash stick. It presents the user
with a window in which the Linux OS boots up and in my case, presents a
Fluxbox desktop.

- The VM (actually, a qemu emulator in "virtual" mode) will start up
without privilege - say, while on the road at a public library.

- At the end of the session, there are no relics that I can find, except
for a single, minor note in the windows registry.

- The SSL connection is established within the Linux VM, so all the
host sees is an encrypted connection to your bank.

- IIUC, today's biggest banking concerns, besides pharming and phishing,
are Trojan/Keyloggers. This kind of VM is  -probably- immune from most
kinds of spyware on the Windows host, though not hardware loggers on the
keyboard or Terminal. Workaround is to have passwords handled
automatically by the browser within the Linux OS - so that passwords are 
neither typed nor displayed.

- Other banking concerns are pharming, DNS poisoning, and XSS attacks.
So I go to my banking site with FireFox first, confirm that the DNS is
correct (or do your own lookup at Sam Spade), and have NoScript confirm
that everything is o.k. Then use Opera (safer browser) to consummate the
transaction.

- If you go this route, do a little research and get a fast and quick
USB flash.

HTH




-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: Horribly off-topic linux distro question...

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1059 bytes --]

On Thursday 07 February 2008, Neil Bothwick wrote:
> On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:
> > > In the context of online banking, where Windows of some flavour is the
> > > desktop OS, I see a substantial risk arising through spyware and/or
> > > viruses.  I suspect that a neat way to mitigate this would be to run
> > > an OS from a CD which offers nothing more fancy than a basic
> > > web-browser.
> > >
> > > Is there anything like this already available?
> >
> > DSL should come fairly close.
>
> Dillo doesn't work with the online banking sites, and many others, that I
> tried.

Basic web browsers do not have the javascript, Java (and soon enough flash?) 
functionality that the majority of banking sites require.  Wouldn't Knoppix 
with its Firefox and equivalents do the job for you, after you set root and 
knoppix passwds?  BTW, Konqueror will also work with many banking sites, but 
you may need to change the browser agent identification, treatment of cookies 
and so on.  YMMV.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] Re: Horribly off-topic linux distro question...

[Jan Seeger]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 07. Feb, 7v5w7go9ub0o spammed my inbox with 
<snip insane security paranoia>

Actually, at that stage, you should be more worried about the hardware. Slip a little hardware
keylogger in there and all that is for nothing. And try to do online banking without entering
anything... If your bank doesn't require something like a TAN (transaction number) or ITAN (indexed
transaction number), I wouldn't use it at all. So it would probably wiser to get a laptop and take
good care of it.
Regards
Jan Seeger
- -- 
thenybble.de/blog/ -- four bits at a time
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHq1tTMmLQdC6jvocRAjmJAKCeg5QqD7386NTmbHN4gnACjYiCcACeIVmI
ecAYIlfgyzbNN6xCG5OrP5M=
=9/oh
-----END PGP SIGNATURE-----
-- 
gentoo-user@lists.gentoo.org mailing list

[gentoo-user] Re: Horribly off-topic linux distro question...

[7v5w7go9ub0o]

Jan Seeger wrote:

> <snip insane security paranoia>

insane? What's insane: Presuming the windows host is compromised? or 
having your computer on a USB flash drive? or using two browsers to 
confirm the integrity of a site? The procedure is quite easy, once 
you've done it once or twice.

But go ahead and do something less; it's easy to do something less cautious.

> 
> Actually, at that stage, you should be more worried about the hardware. Slip a little hardware
> keylogger in there and all that is for nothing. And try to do online banking without entering
> anything... If your bank doesn't require something like a TAN (transaction number) or ITAN (indexed
> transaction number), I wouldn't use it at all. So it would probably wiser to get a laptop and take
> good care of it.

Definitely agree. Laptop is easily the best choice. (But I still check 
for DNS poisoning and XSS attacks at the destination) :-)

-> However, maybe Steve doesn't have a laptop! At any rate, he is 
discussing a solution for use at a windows pc.

(And I wouldn't mind entering a TAN via a library keyboard if the 
primary authentication (initial phase of a two phase identification) was 
hidden from the hardware - it alone won't compromise my account.)

-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: Horribly off-topic linux distro question...

[Håkon Alstadheim]

Mick wrote:
> On Thursday 07 February 2008, Neil Bothwick wrote:
>   
>> On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:
>>     
>>>> In the context of online banking, where Windows of some flavour is the
>>>> desktop OS, I see a substantial risk arising through spyware and/or
>>>> viruses.  I suspect that a neat way to mitigate this would be to run
>>>> an OS from a CD which offers nothing more fancy than a basic
>>>> web-browser.
>>>>
>>>> Is there anything like this already available?
>>>>         
>>> DSL should come fairly close.
>>>       
>> Dillo doesn't work with the online banking sites, and many others, that I
>> tried.
>>     
>
> Basic web browsers do not have the javascript, Java (and soon enough flash?) 
> functionality that the majority of banking sites require.  Wouldn't Knoppix 
> with its Firefox and equivalents do the job for you, after you set root and 
> knoppix passwds?  BTW, Konqueror will also work with many banking sites, but 
> you may need to change the browser agent identification, treatment of cookies 
> and so on.  YMMV.
>   
I've had some success (one of two sites) with the opera browser. Free as 
in beer.
-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Re: Horribly off-topic linux distro question...

[Mick]

[-- Attachment #1: Type: text/plain, Size: 986 bytes --]

On Thursday 07 February 2008, Håkon Alstadheim wrote:
> Mick wrote:

> > Basic web browsers do not have the javascript, Java (and soon enough
> > flash?) functionality that the majority of banking sites require. 
> > Wouldn't Knoppix with its Firefox and equivalents do the job for you,
> > after you set root and knoppix passwds?  BTW, Konqueror will also work
> > with many banking sites, but you may need to change the browser agent
> > identification, treatment of cookies and so on.  YMMV.
>
> I've had some success (one of two sites) with the opera browser. Free as
> in beer.

The original post was about security rather than browser compatibility, but 
for what it's worth Opera can leave fewer traces behind than other browsers 
do.  I also use Opera to check online banking sites and have similarly had 
success with more than a couple of them.  However, I had to mask the user 
agent as MSIE, or lately Firefox for it to work properly.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] Re: Horribly off-topic linux distro question...

[Hans-Werner Hilse]

Hi,

On Thu, 07 Feb 2008 13:05:00 -0500 7v5w7go9ub0o
<7v5w7go9ub0o@gmail.com> wrote:

> - The SSL connection is established within the Linux VM, so all the
> host sees is an encrypted connection to your bank.

Wrong: It will also see all the virtual memory the virtualized machine
is using, including those parts containing your precious unencrypted
data. All you win by using a VM is that you don't need to boot into the
OS (which might be impossible on some public terminals while running
qemu might work).

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list

[gentoo-user] Re: Horribly off-topic linux distro question...

[7v5w7go9ub0o]

Hans-Werner Hilse wrote:
> Hi,
> 
> On Thu, 07 Feb 2008 13:05:00 -0500 7v5w7go9ub0o
> <7v5w7go9ub0o@gmail.com> wrote:
> 
>> - The SSL connection is established within the Linux VM, so all the
>> host sees is an encrypted connection to your bank.
> 
> Wrong: It will also see all the virtual memory the virtualized machine
> is using, including those parts containing your precious unencrypted
> data. All you win by using a VM is that you don't need to boot into the
> OS (which might be impossible on some public terminals while running
> qemu might work).


Huh!?   Sure, virtual memory and real memory will together have bits and 
pieces of all executing code and data - paged in and out at various 
times - and if your local library or friend's windows machine is 
actually logging, reconstructing, and effectively parsing all of that, 
you could indeed be compromised. Never heard of such a 
resource-intensive, sophisticated attack; but can see that it could 
-theoretically- be done on a public library or friend's computer; though 
not likely on any computer I'll ever come across.



-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Horribly off-topic linux distro question...

[Dan Farrell]

On Thu, 07 Feb 2008 14:04:27 +0000
Steve <Gentoo_sjh@shic.co.uk> wrote:

> In the context of online banking, where Windows of some flavour is
> the desktop OS, I see a substantial risk arising through spyware
> and/or viruses.  I suspect that a neat way to mitigate this would be
> to run an OS from a CD which offers nothing more fancy than a basic
> web-browser.
> 
> Is there anything like this already available?
> 

Isn't mozilla (not firefox, that is)  ) made for this kind of thing?  I
thought it was the hardened, corporate-ready branch of the browser.  

Incidentally, i think the best solution to spyware/adware worries is to
not run windows.  I have yet to find a substantiated claim of any
malware (real malware, not theoretical, lab-contained stuff) for linux.
-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Horribly off-topic linux distro question...

[Florian Philipp]

[-- Attachment #1: Type: text/plain, Size: 1301 bytes --]


On Fri, 2008-02-08 at 20:47 -0600, Dan Farrell wrote:
> On Thu, 07 Feb 2008 14:04:27 +0000
> Steve <Gentoo_sjh@shic.co.uk> wrote:
> 
> > In the context of online banking, where Windows of some flavour is
> > the desktop OS, I see a substantial risk arising through spyware
> > and/or viruses.  I suspect that a neat way to mitigate this would be
> > to run an OS from a CD which offers nothing more fancy than a basic
> > web-browser.
> > 
> > Is there anything like this already available?
> > 
> 
> Isn't mozilla (not firefox, that is)  ) made for this kind of thing?  I
> thought it was the hardened, corporate-ready branch of the browser.  
> 
> Incidentally, i think the best solution to spyware/adware worries is to
> not run windows.  I have yet to find a substantiated claim of any
> malware (real malware, not theoretical, lab-contained stuff) for linux.

What you mean is Netscape Navigator (basically the Mozilla suite aka
Seahorse). I don't know whether there are any differences to good old
Mozilla other than branding, regular security fixes and customer
service.

Malware for Linux? What about those macro viruses for Open Office? Every
cross platform software such as Mozilla derivatives, java based stuff
like Azureus and so on is a possible target.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] Horribly off-topic linux distro question...

[Dale]

Florian Philipp wrote:
> <SNIP>
>
> Malware for Linux? What about those macro viruses for Open Office? Every
> cross platform software such as Mozilla derivatives, java based stuff
> like Azureus and so on is a possible target.
>
>
>   

But can they "infect" a Linux box the way they do a M$ box?  I don't use
Windoze here but since I only use Linux I would like to know just how
secure it is.  I manage my bank account and credit card account from my
Linux box.  I also have java and OOo installed.

Thanks

Dale

:-)  :-) 
-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Horribly off-topic linux distro question...

[Dan Farrell]

On Sat, 09 Feb 2008 04:10:56 -0600
Dale <dalek1967@bellsouth.net> wrote:

> Florian Philipp wrote:
> > <SNIP>
> >
> > Malware for Linux? What about those macro viruses for Open Office?
> > Every cross platform software such as Mozilla derivatives, java
> > based stuff like Azureus and so on is a possible target.

> But can they "infect" a Linux box the way they do a M$ box?  I don't
> use Windoze here but since I only use Linux I would like to know just
> how secure it is.  I manage my bank account and credit card account
> from my Linux box.  I also have java and OOo installed.

openoffice macro virus: 

http://www.securityfocus.com/brief/218 (proof of concept)
http://www.zdnet.com.au/news/security/soa/OpenOffice-macro-worm-exposes-bad-bunny/0,130061744,339277689,00.htm
and finally,
http://www.linux.com/feature/54824 (quoted:)
Lynch is perhaps overstating the case, but the general agreement is
that the Kaspersky Lab claim is an exaggeration. At best, it serves as
a warning against trusting files from unknown sources. Clearly, it is
neither new nor cause for anything more than standard caution. 
======-----------------------
It could be debated whether a macro of this kind is really a virus - the
question is, would openoffice have let it mess with the filesystem?

as for firefox, I have yet to find any security concerns targeting
recent releases.  

I definitely _don't_ trust java apps in general, but think the best
course of action is to run the very most recent version.  Thanks,
gentoo.

-- 
gentoo-user@lists.gentoo.org mailing list

Re: [gentoo-user] Horribly off-topic linux distro question...

[Alan McKinnon]

On Saturday 09 February 2008, Dale wrote:

> But can they "infect" a Linux box the way they do a M$ box?  I don't
> use Windoze here but since I only use Linux I would like to know just
> how secure it is.  I manage my bank account and credit card account
> from my Linux box.  I also have java and OOo installed.

It's a bit of a loaded question, but here goes anyway:

It's extremely hard to quantify just secure or insecure a machine and/or 
OS is. Some try and count number of bugs found - well, total number of 
bugs per 1000 lines of code seems to mostly fall in a standard range 
regardless of programmer or team (!) Strange but true - I've read 
studies that show it. So Firefox gets about as many bugs as IE by and 
large, as does Office and OpenOffice.org. That much you can measure.

What is much harder to measure is how severe those bugs are. On a 
Windows machine, an account with admin rights that gets compromised can 
be pretty severe. On a Linux machine less so, as long as the machine 
has sane permissions. But in either case, all your user data, photos 
and music can still be trashed. To most users that's more catastrophic 
than being pwned.

What is undeniable is that zombie networks consist almost exclusively of 
Windows machines, not Linux ones. Once the bad guys turn their 
attention to Linux (which will happen it's just a matter of time) I'm 
sure you will see an increase in this stat. I can't give figures, and 
I've never seen someone else who can either.

It's my opinion that right now phishing and good old-fashioned spy 
tricks are more of a risk than Linux spyware, so you should pay 
attention to pros who know Linux well and follow their advice. For 
instance it's a good idea and a good convenience to allow cookies for 
b.g.o. to log you in immediately. You should not be doing this with 
your on-line banking site....


-- 
Alan McKinnon
alan dot mckinnon at gmail dot com

-- 
gentoo-user@lists.gentoo.org mailing list