Linux Foundation releases PARANOID internal infosec guide

Linux Foundation project director Konstantin Ryabitsev has publicly released the penguinistas' internal hardening requirements to help sysadmins and other paranoid tech bods secure their workstations. The baseline hardening recommendations are designed to balance security and convenience for its …

  1. Ole Juul

    Privacy Badger Privacy

    I'm curious about the recommendation of Privacy Badger. Since it has a learning heuristic based on the sites you visit surely it can be turned into a privacy vulnerability if someone hasn't already done so.

    1. Anonymous Coward

      Re: PrivacyBadger Privacy

      Yes, a lot of the 'privacy' enhancers can/could 'accidentally' steal/profile all your data

      eg Ghostery - run by Evidon (advertiser) mostly OK if you never share the Ghostrank data

      & TrackMeNot - a great RSS driven background search anti-profiler, but allegedly can see all your surfing

      & OpenDNS - gets you away from your ISP DNS, but can be subverted & is based in the USA/NSA, probably.

      (I *think* I was attacked once through OpenDNS. I know I was attacked and the best fit is that my DNS was being observed during the attack, but I'm a paranoid security type)

      these tools are all local client defense things - server side tracking is harder to defeat, other than more TMN style tools? anyone have the wget code to test the far end of the RPC?

      summary is that I very much LIKE PrivacyBadger, I have proved price differences from PeasyJet, averaging a twenty percent saving, when dumping as many tracking elements as possible

  2. Charles 9

    Why all the magnetic treatment if you're gonna burn a hard drive, given that heat (especially intense heat like a thermite fire) affects magnetics, too?

    1. Ole Juul

      burn a hard drive?

      I don't think physics is front and centre in the common discussion of secure hard drive destruction. Rather, this is part of a culture with a long history of mythology and unproven beliefs.

      1. frank ly

        Re: burn a hard drive?

        I'd have thought that a few passes with an oxy-acetylene torch would make any hard drive unreadable. Your local car repair shop could run this service at a low marginal cost to themselves and make a nice profit from it.

        1. keithpeter

          Re: burn a hard drive?

          Quote from OA

          "Zoz in his DEF CON talk showcases oxygen, copper, and thermate injection, and custom-made explosives."

          UK based participants in these projects had better be careful with this particular suggestion. Try explaining to an SO-13 incident response team (or whoever it is these days) that you are actually practising good data security when they arrive through your windows at 4am. Isn't it Thermite?

          Seriously: if a hard drive was encrypted using LUKS as recommended - especially if you take the Debian default setting of writing random numbers to the whole drive during installation so that it is harder to find the section of the drive where your encrypted data resides - is there any need for actual physical destruction?

          1. Crazy Operations Guy

            Thermite vs. Thermate

            They are different chemical compounds with the same effects:

            https://en.wikipedia.org/wiki/Thermate

          2. Anonymous Coward

            Re: burn a hard drive?

            is there any need for actual physical destruction?

            SSD (solid-state disk drive) says, Y E S - burn me! (remember that GCHQ/NSA/5-eyes took out various cache chips, keyboard controllers, BT chips etc on the mobos that had but slightly touched Snowden)

            for the rotary HDDs, a month in the garden in a plastic bucket with ten-pence worth (2.2lbs) of Natrium Chloride ionised in a gallon of natural universal solvent maintained at ambient temperature has so far been my chosen method.

            MOD-Plod would find it hard to make an accusation of terrizm for this, other than my reading subversive literature online, such as El'Reg.

      2. GrumpenKraut

        Re: burn a hard drive?

        Burning is overkill. Once the platters are accessible use a strong enough solvent to remove the "rust". I am pretty sure that acetone(*) will do. No need to destruct and/or "remove" platters as well.

        (*) nail polish removal fluid should do.

      3. Wzrd1

        Re: burn a hard drive?

        Well, I *have* made thermite to burn a stack of hard drives.
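The thread above asks whether a LUKS-encrypted drive needs physical destruction at all, and one reply answers "yes" for SSDs. The following is an added illustration, not code from the Linux Foundation guide or from cryptsetup: a toy model of the LUKS layout (a random master key encrypts the data area; a key slot holds that master key wrapped under a passphrase-derived key) that shows what a cryptographic erase of the key slot buys you, and why it can fail on flash. The stream cipher here (SHA-256 in counter mode) is a stand-in for the AES-XTS LUKS actually uses and the header field names are simplified; both are assumptions for the demonstration only.

```python
"""Toy model of the LUKS key-slot design (illustration only, not cryptsetup).

The cipher below is SHA-256 in counter mode, a stand-in for AES-XTS; it is
not safe for real use.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # LUKS1 also uses PBKDF2, with a benchmarked count


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with SHA-256(key || nonce || counter) blocks (toy cipher)."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def master_key_digest(master_key: bytes) -> bytes:
    """Header field that lets open_volume tell a good unwrap from garbage."""
    return hmac.new(master_key, b"mk-digest", hashlib.sha256).digest()


def format_volume(passphrase: str, plaintext: bytes) -> dict:
    """Return an on-disk image: header (salt, key slot, digest) plus data area.

    The data area is encrypted under a random master key; slot 0 holds that
    master key wrapped under a key derived from the passphrase.
    """
    master_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt,
        "slot0": keystream_xor(kek, salt, master_key),
        "mk_digest": master_key_digest(master_key),
        "data": keystream_xor(master_key, b"data-area", plaintext),
    }


def open_volume(disk: dict, passphrase: str) -> bytes:
    """Unwrap the master key from slot 0 and decrypt the data area."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), disk["salt"], PBKDF2_ITERATIONS)
    candidate = keystream_xor(kek, disk["salt"], disk["slot0"])
    if not hmac.compare_digest(master_key_digest(candidate), disk["mk_digest"]):
        raise ValueError("wrong passphrase or key slot destroyed")
    return keystream_xor(candidate, b"data-area", disk["data"])


def crypto_erase(disk: dict) -> None:
    """Overwrite the key slot only, which is what `cryptsetup luksErase` does.

    The ciphertext in the data area is untouched, but without the wrapped
    master key it cannot be distinguished from the random fill the Debian
    installer writes, even by someone who knows the passphrase.
    """
    disk["slot0"] = secrets.token_bytes(len(disk["slot0"]))


def can_still_decrypt(disk: dict, passphrase: str) -> bool:
    try:
        open_volume(disk, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pw = "correct horse battery staple"
    disk = format_volume(pw, b"tax returns")
    assert open_volume(disk, pw) == b"tax returns"

    # An SSD's wear levelling may keep the old copy of the header block when
    # the new one is written, so model the flash as retaining a stale copy.
    stale_flash_copy = dict(disk)

    crypto_erase(disk)
    print("after luksErase, logical device opens:", can_still_decrypt(disk, pw))
    print("stale header copy from flash opens:", can_still_decrypt(stale_flash_copy, pw))
```

The point of the model: on a spinning disk, wiping the key slots (or the whole header, which is a few MB at the start of the device) is enough, because the data area is only ever ciphertext. On an SSD the logical sectors of the header may be remapped rather than overwritten, so the old key slot can survive a `luksErase`, and someone who later learns the passphrase can unwrap the master key from it. That is the case for a vendor secure-erase or physical destruction of flash, not for rotary media.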

  3. Tim99

    Hardening requirements?

    Here you are: OpenBSD download link.

    Thank you, thank you, Is that the door over there?

    1. Ole Juul

      Re: Hardening requirements?

      "Is that the door over there?"

      No. Those are Windows.

      1. Tim99

        Re: Hardening requirements?

        @Ole Juul

        Well played sir.

        Have an Upvote, and a beer >>==============>

    2. Anonymous Coward

      Re: Hardening requirements?

      Yep. That'd be my first choice as well. Look up the entry for 'Paranoid' and there's Theo.

      Me? One signature and they own my ass, again irrelevant of whatever I'm doing or not doing. I play the security game to prevent blowback where I've been living for the last fifteen years.

    3. asdf

      Re: Hardening requirements?

      The problem with OpenBSD is that to use it as more than a very minimal desktop you end up bringing in so much of the same hardly audited desktop crap from Linux that your attack surface goes through the roof regardless. I love OpenBSD but let's be honest and say their hardware support can be spotty and it's probably not the OS you want to be running on, say, a laptop (sleep functionality or 3D drivers are not always where they need to be).

      1. Crazy Operations Guy

        OpenBSD / Laptops

        I have a lot of luck running it on older Lenovo laptops; the (S)L410 runs like a dream with all hardware supported (my company just surplussed a couple thousand of the bastards, so you can probably pick them up for 50-100 bucks depending on specs).

        As for security, I've found that OpenBSD + XFCE + Firefox (With the recommended extensions) is much more resistant to Metasploit than a Debian install with the same software.

        1. asdf

          Re: OpenBSD / Laptops

          I can believe that as OpenBSD uses significantly less system resources than Linux and does tend to run better on older hardware (it tends to be newer hardware the support can be missing). I just wish installing Firefox didn't bring in near as many packages as it does but this isn't the OpenBSD folks fault.

          1. Crazy Operations Guy

            Re: OpenBSD / Laptops

            Most of the time, I forgo Firefox in favor of SeaMonkey; uses a lot fewer resources while supporting the same add-ons, plus it has a mail client built into it.

            1. asdf

              Re: OpenBSD / Laptops

              Sadly it looks like the @depends on both packages (seamonkey, firefox) are largely the same including this horseshit. The @wantlibs are very similar as well. Can never get enough Pango.

              @depend multimedia/gstreamer1/plugins-good,-main:gstreamer1-plugins-good-*:gstreamer1-plugins-good-1.4.5p0

  4. Anonymous Coward

    Speaking of Qubes...

    It's been quite a while since there's been mention of it on El Reg. With Qubes 3 imminent, I've been wondering if there's any chance of something of a timely review/overview from the vultures...

    ?

  5. Anonymous Coward

    Funny, SecureBoot is nice and "critical"...

    ... now that an LF guy recommends it too, what will penguins think?

    1. Anonymous Coward

      Re: Funny, SecureBoot is nice and "critical"...

      Despite its controversial nature, SecureBoot offers prevention against many attacks targeting workstations (Rootkits, "Evil Maid," etc), without introducing too much extra hassle. It will not stop a truly dedicated attacker, plus there is a pretty high degree of certainty that state security agencies have ways to defeat it (probably by design), but having SecureBoot is better than having nothing at all.

      Alternatively, you may set up Anti Evil Maid which offers a more wholesome protection against the type of attacks that SecureBoot is supposed to prevent, but it will require more effort to set up and maintain.

      Hardly a glowing endorsement.

      1. Anonymous Coward

        Re: Funny, SecureBoot is nice and "critical"...

        SecureBoot is not a panacea, but still it's more useful than not - and LF thinks this too and regards it as "critical" for its hardening procedure.

        While there's a bunch of people that still think it's the "mother of all evils"...

        1. GrumpenKraut

          Re: Funny, SecureBoot is nice and "critical"...

          As long as I cannot verify otherwise I treat SecureBoot as a backdoor for three letter agencies, that's what the text suggests to my ears.

          1. Anonymous Coward

            Re: Funny, SecureBoot is nice and "critical"...

            Yeah, but better a backdoor than a wide open doorway. If the TLAs can subvert the Secure Boot, they've essentially subverted at the hardware level, which is beyond most people's ability to get around, which means you can either bend over or cut the wires and go manual, which for a project such as this means abandoning it. Your choice.

        2. Anonymous Coward

          @LDS - Re: Funny, SecureBoot is nice and "critical"...

          You mean useful to Microsoft since they hold the keys.

          1. Anonymous Coward

            Re: @LDS - Funny, SecureBoot is nice and "critical"...

            MS doesn't hold the keys, it's up to the OEM to decide what keys are available in the UEFI firmware for SecureBoot processing. SecureBoot is a UEFI standard, not a MS one.

            MS just requires support for Windows secure boot - just like Apple does on its devices.

            1. Anonymous Coward

              Re: @LDS - Funny, SecureBoot is nice and "critical"...

              >just like Apple does on its devices.

              Because we have seen how good things turn out when Microsoft starts aping Apple and Google.
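The Secure Boot thread above argues about whether the feature is worth trusting, but not about how to tell whether it is actually doing anything on the machine in front of you. Below is an added example, not code from the Linux Foundation guide: it reads the firmware's `SecureBoot` and `SetupMode` variables through efivarfs, the same data `mokutil --sb-state` reports, and also flags Setup Mode, in which the platform key has been cleared and the signature databases are writable, so nothing is being enforced however the "enabled" switch in the firmware menu looks. The path and GUID are the standard ones; the state names returned by `secure_boot_state` are this example's own.

```python
"""Report UEFI Secure Boot state from efivarfs (added illustration)."""
from pathlib import Path
from typing import Optional

# SecureBoot and SetupMode both live under the EFI_GLOBAL_VARIABLE GUID.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
VARIABLES = ("SecureBoot", "SetupMode")


def efivar_data(raw: bytes) -> bytes:
    """Strip the 4-byte little-endian attribute word efivarfs prefixes to each variable."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than the attribute header")
    return raw[4:]


def read_efivars(efivars: Path = EFIVARS) -> Optional[dict]:
    """Return {name: raw record bytes} for the variables of interest, or None on a non-UEFI boot."""
    if not efivars.is_dir():
        return None
    found = {}
    for name in VARIABLES:
        path = efivars / f"{name}-{EFI_GLOBAL_VARIABLE}"
        if path.exists():
            found[name] = path.read_bytes()
    return found


def secure_boot_state(variables: Optional[dict]) -> str:
    """Classify the firmware state from raw efivarfs records.

    Returns one of: "not-uefi", "no-secureboot-support", "setup-mode",
    "enabled", "disabled" (names chosen for this example).
    """
    if variables is None:
        return "not-uefi"
    if "SecureBoot" not in variables:
        return "no-secureboot-support"
    secure = efivar_data(variables["SecureBoot"])[:1] == b"\x01"
    # A missing SetupMode variable is treated as "user mode" (0).
    setup = efivar_data(variables.get("SetupMode", b"\0\0\0\0\0"))[:1] == b"\x01"
    if setup:
        # PK cleared: db/dbx can be rewritten from a root shell, so no enforcement.
        return "setup-mode"
    return "enabled" if secure else "disabled"


if __name__ == "__main__":
    print(secure_boot_state(read_efivars()))
```

"enabled" only means the firmware checks the signature on the first-stage loader (shim on most distributions). What shim then accepts is governed by the Machine Owner Key list, which `mokutil --list-enrolled` prints; anyone who can get a MOK enrolled, which just needs a reboot and the enrolment password, can boot whatever they sign, so that list deserves the same scrutiny as the firmware switch.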

  6. Anonymous Coward

    Please help my nan!

    My nan is now worried her Linux Mint is insecure, after all the promises I made when migrating her PC from Windows too!

  7. Tridac

    Good security starts at the perimeter and if you are using a dedicated hardware based firewall with dpi and other goodies, that should trap a lot of the bad stuff. The rest is common sense use of the internet and things like Adblock and Noscript on Firefox to provide fine grained control over scripts and cross site references that are allowed to run.

    Have never used any antivirus software here, but none of our machines have experienced any bad stuff in > 10 years. There are risks, but there's loads of FUD around on this subject as well...

    1. Paul Crawford

      Re: "Good security starts at the perimeter"

      Always assume the enemy is already inside your network, as that sound of someone knocking at your door could be from either side...

      By the way, when did you last patch or audit the code for that network printer of yours?

      1. asdf

        Re: "Good security starts at the perimeter"

        >By the way, when did you last patch or audit the code for that network printer of yours?

        Just be careful with the settings as Nessus can fsck over printers all over your organization lol.

      2. Tridac

        Re: "Good security starts at the perimeter"

        Good point. I work from home mainly, with separate hardware interface subnets for domestic, lab and other services, so the chance of cross corruption is perhaps limited. I've never checked printers, but they are all so old that I doubt if they would be a target.

        One client I worked for had a serious internally generated infection that cost days if not weeks of development time. They bought in a cheap batch of USB memory sticks (with virus installed), didn't check any of them, plugged in and wondered why nearly the whole site became infected. That could have been avoided simply by disabling autoplay using TweakUI, whatever. It's amazing just how many sites don't have unified security policies that would cover that sort of thing.

        I'm not obsessive about security, but, for example, would ideally like all internet-facing systems to be non-Intel architecture, though that is getting more difficult to do as the CPU arch gene pool continues to shrink...

  8. Crazy Operations Guy

    Safe data destruction

    That is why I made friends with a deep-sea fisher. Every few months I go out on a trip with them and throw my old disks (sans top covers) into the Pacific beyond the continental shelf. I challenge anyone to get to my information once it's been subjected to 10 million pascals of pressure and the salinity of the ocean, let alone recover that 20 cubic inch object from millions of square kilometres of thick muck.

    1. Groaning Ninny

      Re: Safe data destruction

      I guess you don't know about the pocket sub with a net that's under your boat....

    2. Anonymous Coward

      Re: Safe data destruction

      You deserve someone dumping his rubbish into your garden/apartment....

  9. Anonymous Coward

    None of this matters

    ...when your ultra-secure servers are running wordpress sites.

  10. Anonymous Coward

    Re. None of this matters

    ...when you can break WPA2 on the fly (trivial!) and insert custom packets into the live stream in a way that is impossible to detect without .GOV level resources.

    Apparently the hardware to do this can be put into a microdrone and thanks to very inexpensive mass storage it is enough to break even a string of words +3PRN based password.

    memo to self, setting at the *minimum* a 28 digit alphanumeric upper case, lower case, symbols and never using the same password twice along with at least 16K encryption at both ends would be a minimum.

    If you haven't been through the code with a fine-tooth comb and accounted for every single line and exactly what is being called from memory when, it's probably been pwn3d already.

  11. jake

    ::sighs::

    *bunto kiddies ain't "sysadmins".

    Who else was this article pointed at? Seriously, I'm curious.
