LinuxQuestions.org
Old 03-06-2005, 08:07 PM   #1
lawmaker
LQ Newbie
 
Registered: Mar 2005
Posts: 18

Rep: Reputation: 0
heresy: windows security better than linux?


Hi,

I'm a windows user, wishing to migrate to linux.

I've browsed the forum a bit but have yet to see a solution that can offer to linux, the level of security that i have on my windows laptop.

i use a product called drivecrypt (www/drivecrypt/com), and it offers me the benefits below.

if anyone can show me a linux solution that can beat or come close to the benefits below, i'd be grateful; as this is the only issue preventing me from switching.

i've seen some encryption support on linux, but nothing to this high level below.

1. data partition encrypted with 1344 bit triple blowfish. password entry after os booted up. cannot catch keystrokes with key logger.

2. os partition encrypted with 256 bit aes. password entry at mbr stage. screen message is of a disk error, so user will think that there is no os installed at all.

3. data input is via 4 line password + fingerprint scan + hardware key mixture possible.

4. plausible deniability is offered, as encrypted partitions can contain other hidden encrypted partitions, and impossible to prove the hidden partition exists. it just appears when correct password is entered.

5. if required, can place encrypted drive into a music file rather than partition, with steganography. Impossible to prove that file contains encrypted data.

i look forward to your response, and hope that you can tempt me, into the world of linux.

thanks.

lawmaker

ps. newbie question: just tell me which distro to use. mandrake/gentoo or something else?
 
Old 03-06-2005, 08:28 PM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
The Linux Security folk have a How-To on Encryption that tells you how you can go about encrypting disks. There may be other options out there as well.

I have seen people use thumb scanners under linux, but I'm not sure where they got the drivers for them. I'm sure a google search could locate that. So long as you don't let anyone have root access you can avoid key loggers pretty well... unless you go and install one yourself. Administrators can do evil things... that is why I like being the admin
 
Old 03-06-2005, 08:42 PM   #3
fancypiper
Guru
 
Registered: Feb 2003
Location: Sparta, NC USA
Distribution: Ubuntu 10.04
Posts: 5,141

Rep: Reputation: 57
Here is your reading assignment....

# Basic Linux security and virus info
The Virus Writing HOWTO reference: Should I get anti-virus software for my Linux box?
Unusual network activity? chkrootkit is a tool to locally check for signs of a rootkit
Linux Questions Security references
Security Help Files
Linux Administrator's Security Guide
Security Focus
Linux Security
Firewalls and Security

These should help you in making your distribution choice.

Preparing to install Linux:
# Choosing a Linux Distribution:
Will your hardware work?
Do you have good RAM? Memtest86 - A Stand-alone Memory Diagnostic
A Beginner's Guide to Choosing a Linux Distribution
Reasons to Choose or Not Choose Linux
LWN distro list
elinux Linux Distributions
# Freeware tools for partitioning/resizing hard drive partitions:
Any Linux Live CD usually has fdisk, cfdisk and other tools available
Ranish Partition Manager
# Understanding Linux Filesystem layout:
Directory Navigation Help File
Filesystems, Directories, and Devices Help File
Proper Filesystem Layout
Advanced filesystem implementor's guide (requires registration)

Do I buy a boxed source, download off the internet or buy some cheap CDs?
It's your choice! If you download, I suggest that you check the md5sums on the Linux ISO Images and make sure you know how to burn ISOs in Windows to install Linux
# Cheap CDs
Discount Linux CDs
Linux Central
Cheapbytes
TuxCDs
ComputerHelperGuy
CheapISO
Os Heaven

Last edited by fancypiper; 03-06-2005 at 08:44 PM.
 
Old 03-07-2005, 04:07 AM   #4
lawmaker
LQ Newbie
 
Registered: Mar 2005
Posts: 18

Original Poster
Rep: Reputation: 0
ok.

i'll do masses of reading if there isn't a simple answer like in windows.

but at the end of the day, is there a package/way to do all of the features i've outlined above.

i've read of linux solutions that can do a few of the features, but not with such high encryption 1344 bit triple blowfish, or 4 line entry, or password at mbr stage, ie. before os is even booted.

as drivecrypt doesn't have a standard header in the os or data partition, it's impossible to tell that any data exists there at all; so on boot it looks like a faulty disk.


thanks.
 
Old 03-07-2005, 04:44 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally posted by lawmaker
password at mbr stage
both lilo and grub give you the option of setting a password - and can be installed at the MBR...

http://www.google.com/linux?hl=en&lr...=Google+Search

http://www.google.com/linux?hl=en&lr...=Google+Search

just my two cents...

 
Old 03-07-2005, 05:13 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally posted by lawmaker
1344 bit triple blowfish
according to the blowfish homepage:
Quote:
Blowfish has been added to the mainline Linux kernel, starting with v2.5.47
so my guess is that if you are running linux 2.6 getting blowfish set-up should be a snap after reading a few howtos and stuff...

of course maybe you prefer a commercial solution that does most of the work for you in which case you might like something like BestCrypt... it does 448-bit blowfish (448 * 3 = 1344):
Quote:
BestCrypt creates and supports encrypted virtual volumes for Linux. BestCrypt volume is accessible as a regular filesystem on a correspondent mount point. The data stored on a BestCrypt volume are stored in the container file. A container is a regular file, so it is possible to backup, move or copy it to other disk (CD-ROM or network, for instance) and continue to access encrypted data using BestCrypt. BestCrypt supports the following encryption algorithms: GOST (256-bit key) in Cipher Feedback mode and RIJNDAEL (256-bit key), IDEA (128-bit key), Blowfish (256-bit key), Blowfish-448 (448-bit key), Blowfish (128-bit key) DES (56-bit key), Triple DES (168-bit key), CAST (128-bit key), TWOFISH (256-bit key) in Cipher Block Chaining mode.
http://www.jetico.com/linux.htm

i'm sure there are several other commercial options also, i'd imagine some even way friendlier with GUIs and stuff... but i have no experience in this area so i can't really say... try googling for blowfish 448 and see what you find:

http://www.google.com/linux?hl=en&lr...=Google+Search

good luck...
 
Old 03-07-2005, 07:37 AM   #7
broch
Member
 
Registered: Feb 2005
Distribution: Arch current, SuSe 10.1 32-bit, FreeBSD current, OpenBSD 4.0
Posts: 453

Rep: Reputation: 30
tell me how all this protects you against buffer overflows (IE), problems with ActiveX, viruses and worms?

FreeBSD has had it for free (blowfish hdd protection, steganography and so on) for a long time by the way (I don't have to pay for anything, and the rest of the security is way beyond what you can do with windows for the next several years).

So, I'd say you are not better protected than any other windows user who is on line. And you know what that means?
 
Old 03-07-2005, 08:56 AM   #8
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 4.0 Etch
Posts: 1,349

Rep: Reputation: 49
Since he seems to care about security, I assume he never goes online with this laptop, nor transfers any files between this laptop and other computers (except for plain text files, perhaps). Otherwise, all of that encryption is a pretty moot point.
 
Old 03-07-2005, 03:02 PM   #9
lawmaker
LQ Newbie
 
Registered: Mar 2005
Posts: 18

Original Poster
Rep: Reputation: 0
hi,

the target of the security is against entry into the laptop, when it is stolen.

I work in the legal industry working in areas where some unscrupulous mibs would like the information present in my machine.

I've had a laptop taken by force by them before, under unscrupulous means, and the laptop was protected by drivecrypt. They were unable to enter the system and obtain what they wanted. don't ask me how i know this.

I'm not concerned about online hacking, trojans or the like as that issue is covered.

My total concern is about having maximum security if the laptop is stolen from me.

As I'm a newbie on linux, i would be scared of implementing a system that does anything less than encrypt the whole hard disk, as i could by accident leave loopholes for entry by somebody that knows linux better than i.

the fact that the intruder would be aware that the os is linux, is too much of a failure compared to what windows/drivecrypt offer already.

I don't understand why the linux system, which is touted for its security doesn't have a whole system easy to use for a layman, that can compare with drivecrypt for windows.

On the issue of grub/lilo password at mbr, from what i gather it would only be a password stopping further execution of the program, rather than one to decrypt an encrypted drive.

from the replies here, it seems that the only complete commercial system present is the bestcrypt one which has a third of the strength of triple blowfish, and doesn't do whole drive, or multiple password lines/fingerprint entry.

Also, it seems that everybody is giving me rough guides, but hasn't actually done this whole disk encryption thing yet, or the answers would be less vague.

I hate to sound like the devil's advocate here, but it's so sad, because i'm sure from what you are saying, that linux is more than capable of beating windows/drivecrypt, but it will take ages before i can find that out for sure.

I'm interested in the freebsd assertions, of how secure that is, and that it can compare with my current requirements. are there any links.

sigh.

thanks for the assistance.
 
Old 03-07-2005, 03:32 PM   #10
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
So, you're comparing a Linux distribution out of the box to a Windows box with a commercial third-party add-on? That hardly seems fair!

ANYHOW

Store your data under /home, and encrypt /home. Data is protected. Finished. Use ReiserFS if you need to.
 
Old 03-07-2005, 03:40 PM   #11
antony.booth
LQ Newbie
 
Registered: Oct 2004
Location: UK
Distribution: Fedora
Posts: 23

Rep: Reputation: 15
You are only talking about physical theft security by encrypting your data, but 99% of the time, data is stolen by hacking, which is a greater threat because a successful hack will use your built in encryption tools to decrypt your data before stealing it, meaning a successful robbery. You need to secure your laptop from network access, especially WiFi & Bluetooth, more so than physical theft, as I'd rather sit outside your office for an hour and hack your network, than mug you for your laptop because it's easier and more importantly, you're blissfully unaware your information has been compromised.

Unlike windows, where you have all singing, all dancing applications, Linux has many task oriented applications, which achieves 2 important security problems. 1) You install what you need and nothing more. 2) Because they only do what it says on the tin, you can be confident that installing it doesn't allow several other problems you weren't anticipating to suddenly undermine everything, like windows applications are a nightmare for. There should be no reason why a web browser visiting a web page can grant full access to your system, or receiving email without attempting to open anything can also do this, but it's the nature of a windows OS, that the integration of applications means that an application written to perform a specific task loads application data from unrelated applications, which can be vulnerable to attack, but the user or administrator is oblivious that a shared .dll being used by a media player has a vulnerability in it because it is also used by IE and has specific routines that can be exploited by executing them from an activex control on a web page the media app is trying to load a bogus media driver from. It's crazy how vulnerable a windows desktop is.

Linux machines can have the security you want, but Linux is a more "tailor made" OS, where you install, configure and modify applications to suit your purpose, whereas windows is a "dump everything on" OS, to cater for mass market at the expense of performance, security and efficiency. This is why it is easier on windows. It is not more secure though. You can make Windows seem secure, but not completely. It is an illusion as the majority of the security issues are out of your hands unless you work at Microsoft. With Linux, control is in your hands, right down to editing the source code and recompiling it.
 
Old 03-07-2005, 03:41 PM   #12
lawmaker
LQ Newbie
 
Registered: Mar 2005
Posts: 18

Original Poster
Rep: Reputation: 0
i agree, that's not fair.

is there a commercial/freeware third party add on(s), that would compete with my current security.

encrypting /home wouldn't compare at all with the specs i gave at the beginning.

1. temporary files could be seen possibly.
2. settings could be seen elsewhere.
3. /home wouldn't be 1344 bit triple blowfish.
4. entry wouldn't be 4 lines + fingerprint
5. the os existence would be revealed
6. plausible deniability would not exist.
7. swap file/virtual memory would reveal masses of info.

so many failings of that way.

please please, there must be a linux solution to beat windows/drivecrypt on this issue of security.
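
The leak paths listed in the post above (temporary files, settings elsewhere, swap) can be checked mechanically on a Linux system that uses dm-crypt. The following is an added example and not part of the thread: it reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output and reports which of those locations sit on an encrypted mapping. The sample layout and all function names are constructed for illustration.

```python
import shlex

# Constructed `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output for a laptop where
# only /home is on a dm-crypt mapping (illustrative, not from a real system).
SAMPLE_LSBLK = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda4" TYPE="crypt" MOUNTPOINT="/home"
'''

# Places where copies of data end up besides /home: settings and temp files.
CHECK_PATHS = ["/", "/tmp", "/var/tmp", "/home"]

def parse_lsblk(text):
    """Map kernel device name -> type, mountpoint and set of parent devices."""
    devs = {}
    for line in filter(str.strip, text.splitlines()):
        f = dict(tok.split("=", 1) for tok in shlex.split(line))
        dev = devs.setdefault(
            f["KNAME"], {"type": f["TYPE"], "mount": f["MOUNTPOINT"], "parents": set()})
        if f["PKNAME"]:
            dev["parents"].add(f["PKNAME"])
    return devs

def is_encrypted(kname, devs):
    """True if the device is a crypt mapping or every device under it is."""
    dev = devs[kname]
    if dev["type"] == "crypt":
        return True
    return bool(dev["parents"]) and all(is_encrypted(p, devs) for p in dev["parents"])

def holder(path, devs):
    """Device whose mountpoint is the longest prefix of path, or None."""
    best = None
    for kname, dev in devs.items():
        m = dev["mount"]
        inside = m.startswith("/") and (path == m or path.startswith(m.rstrip("/") + "/"))
        if inside and (best is None or len(m) > len(devs[best]["mount"])):
            best = kname
    return best

def audit(text):
    """Return {location: (device, encrypted?)} for the checked paths and all swap."""
    devs = parse_lsblk(text)
    report = {}
    for path in CHECK_PATHS:
        kname = holder(path, devs)
        if kname is not None:
            report[path] = (kname, is_encrypted(kname, devs))
    for kname, dev in devs.items():
        if dev["mount"] == "[SWAP]":
            report["swap:" + kname] = (kname, is_encrypted(kname, devs))
    return report

if __name__ == "__main__":
    for where, (kname, enc) in audit(SAMPLE_LSBLK).items():
        print(f"{where:12} {kname:6} {'encrypted' if enc else 'PLAINTEXT'}")
```

On the constructed layout only `/home` is reported as encrypted; `/tmp`, `/var/tmp` and swap resolve to plaintext partitions, which is the gap the post describes.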
 
Old 03-07-2005, 03:48 PM   #13
antony.booth
LQ Newbie
 
Registered: Oct 2004
Location: UK
Distribution: Fedora
Posts: 23

Rep: Reputation: 15
Plausible Deniability=illegal information.

"Please help me, I'm a paedophile that keeps all my kiddie porn encrypted in windows, how can I keep it on a Linux workstation so it can't be accessed if the police raid my house?"

p.s. "I'm a lawyer honest. I have data that I need to deny ever having, because lawyers do that sort of thing and agencies have taken various life threatening measures to get their hands on it!"

Sorry, I don't buy it Mr Bond QC
 
Old 03-07-2005, 04:05 PM   #14
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 4.0 Etch
Posts: 1,349

Rep: Reputation: 49
Quote:
Originally posted by lawmaker
I'm not concerned about online hacking, trojans or the like as that issue is covered.

My total concern is about having maximum security if the laptop is stolen from me.
If you already have a solution which works and which you are familiar with, why are you wondering about a solution which you are not familiar with? You can gain familiarity with Linux using a LiveCD like Mepis--you don't even have to install anything on the hard drive. You don't even need to have a hard drive at all!

After you're familiar with Linux, then you can think about using it for mission critical data. That's just common sense, even if you didn't have any security concerns at all!

Anyway, if I were in your situation, I'd probably use a liveCD distro straight off of the CD (like Mepis), and remove the hard drive from my laptop entirely. That way, there is no data whatsoever on the laptop for anyone to steal, and nowhere for anyone to secretly install spyware.

The data itself perhaps could be on a keyring thumbdrive, encrypted of course. There's no way to install spyware on that, because by default a thumbdrive partition would be mounted without any execute permissions.

Of course, the keyring could be stolen, but it's at least easier to keep on my person 24/7, and it's convenient for making backups.
 
Old 03-07-2005, 04:10 PM   #15
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 4.0 Etch
Posts: 1,349

Rep: Reputation: 49
Quote:
Originally posted by antony.booth
Plausible Deniability=illegal information.
Oh, I think everyone who has read these posts already assumes that he's doing something shady. Maybe he's a crook. Maybe he's a lawyer for crooks. Maybe he's a terrorist. Maybe he's just a paranoid nutcase. Maybe he's just a Wintroll trying to get kicks out of showing something which Linux can't do or whatever.

I don't care. Everyone has a right to privacy, and how to ensure privacy on a computer is a legitimate goal even if some/most people using the right abuse it for malicious purposes.
 
  


All times are GMT -5. The time now is 02:51 AM.
