LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 12-13-2010, 11:11 PM   #16
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380

Quote:
Originally Posted by Cosmicb View Post
Are those "signature checks" needed when you download Fedora from the Fedora Project site?..
Yes, it doesn't matter where you download the ISO from. Even if you download from an extremely trustworthy site via SSL, there's still nothing to guarantee the ISO hasn't been tampered with, so you really should get into the habit of verifying.

Quote:
and when you apply Fedora updater updates..?
I don't use Fedora but I would assume their package manager automatically does digital signature verification for you. I found this site after a quick google so it would seem my assumption is correct.

Quote:
Can hacks fake the updater?, like someone nasty did to my PC through Linux OS, not Fedora...
You mean provide the package manager/updater with fake/tampered packages? Of course they can, but digital signature verification is there to (among other things) detect when these kind of attacks take place, preventing the package from being installed.

Last edited by win32sux; 12-13-2010 at 11:13 PM.
 
Old 12-14-2010, 04:08 AM   #17
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
Quote:
Are those "signature checks" needed when you download Fedora from the Fedora Project site?..and when you apply Fedora updater updates..? Can hacks fake the updater?
You should verify the initial download, even from the fedora project site. As I said, also verify them AFTER you burn to disc too. This accomplishes several things: 1 - you verify that you received a good image. Several things can go wrong including the wrong file being uploaded on the server, an error in transmission that passes the check sum tests, a hijacked project site. 2 - You know that you didn't have any problems with the creation of the iso. Many of these files will get copied to your drive and a wrong bit or byte could cause crashes.

Once you have the system up and running, when using the known repositories, the packages will automatically get verified against the PGP signatures as part of the process. In order to download from other repositories, you will need to manually install the keys to do so, adding a layer of "I know what I am doing" protection.

Relax, I think you are worrying too much about this. Be vigilant, but not paranoid.
 
Old 12-14-2010, 07:11 AM   #18
Cosmicb
Member
 
Registered: Feb 2009
Posts: 70

Original Poster
Rep: Reputation: 0
"http://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s1-diskpartsetup-x86.html" is how I've been installing.. 'Seems to be the best method...

If the "original site" isn't.. then where do we get our OS install ISO's and updates from..?

Huge passwords is a real pain in the foof, but it's the only way to go...

Thanks Doc.. For me "upping meds", would be taking a second multi-vitamin with multi-minerals, plus a double muti amino-acid complex, and maybe an extra dropper of passion flower extract natural beta blocker, or pomegranite extract bb..
Which meds are your choice of favourites?..

Thanks for the info expert dude..

If there was just one thing that could keep your black-skills out of a target's Fedora OS, What would that be..? besides pulling the net-connection or power-cord...
 
Old 12-14-2010, 07:27 AM   #19
Cosmicb
Member
 
Registered: Feb 2009
Posts: 70

Original Poster
Rep: Reputation: 0
Quoting: "I think you are worrying too much about this. Be vigilant, but not paranoid."


I ain't worried in the slightest.. If doo hits my fan, doo hits my fan.. is when I run a clean-up, what ever it takes... this is me learning how to be vigilant... I am merely striving to learn the obscure facts, so there won't be need to do clean-ups, by my own fault...


_________________



Quoting: "There are no answers, only choices."


Maybe to make a choice, one needs the list of answers..?

Last edited by Cosmicb; 12-14-2010 at 07:34 AM.
 
Old 12-14-2010, 08:20 AM   #20
Cosmicb
Member
 
Registered: Feb 2009
Posts: 70

Original Poster
Rep: Reputation: 0
Quoting: "https://fedoraproject.org/keys"...


___________


Jeepers! that's a lot to know and do to be only slightly secure..
It seems to run a truly secure PC OS, one need be a computer expert.. and even then it's still iffy if you have something the kooks want to steal, or you've upset the expert kooks and their puppeteers into childish vengeance-mode, given that the calming/rationalising serotonin feature in humanity is progressively self-destructing, by various obvious negative-health debilitative factors...

I've been pondering the ways the computer industry could modify the PC, to make it safer from attacks, for noisy "goodie-goodie" environmentalists and such.. I'm wondering if the industry made a tiny package in the tower, isolated from the base system's mother-board as a secondary sister-board, and ran that as the "internet PC".. shuttling items back and forth with built-in AVS auto-scanned flash-system.. wouldn't that be the way to go, to make interneting safer and cleaner, for Innocents, in this war-torn black-soul Internet..?
After all, the internet was invented exclusively/inclusively as a war-tool, and everything that's evil about humanity is stringently represented ("echoed") in/on the internet...
I thinks the world needs a tiny Net PC that acts as a "middleman" between their private personal data computers, blocking the evils of the Internet, a system which totally isolates the private PC system from the global com-system.. then no PC would ever be black hack infiltrated, nor compromised.. but that's just a silly pipedream, for another time, another place, another planet...
 
Old 12-14-2010, 08:43 AM   #21
Cosmicb
Member
 
Registered: Feb 2009
Posts: 70

Original Poster
Rep: Reputation: 0
Quoting: "You mean provide the package manager/updater with fake/tampered packages? Of course they can, but digital signature verification is there to (among other things) detect when these kind of attacks take place, preventing the package from being installed."


_______________


Can "digital signature", or "digital signature verification", and the "other things", be compromised..?

Last edited by Cosmicb; 12-14-2010 at 08:46 AM.
 
Old 12-14-2010, 08:48 AM   #22
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198Reputation: 1198
"How would you know that someone has tried to get into your hd's OS?" Screwdriver marks on the casing? Footprints in the butter?
 
Old 12-14-2010, 08:59 AM   #23
Cosmicb
Member
 
Registered: Feb 2009
Posts: 70

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by catkin View Post
"How would you know that someone has tried to get into your hd's OS?" Screwdriver marks on the casing? Footprints in the butter?

...and the door entry-counter registering too many digits.. and the hidden old Windows tower recording IR video activity where and when there shouldn't be.. and the covert-entry remote-alarm beeping in my pocket...
 
Old 12-14-2010, 04:55 PM   #24
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by Cosmicb View Post
Can "digital signature", or "digital signature verification", and the "other things", be compromised..?
Of course. If you get access to the private key, you can use it to sign files.

For example, Red Hat suffered this type of breach not too long ago.

Last edited by win32sux; 12-14-2010 at 04:57 PM.
 
Old 12-14-2010, 06:10 PM   #25
Cosmicb
Member
 
Registered: Feb 2009
Posts: 70

Original Poster
Rep: Reputation: 0
Well that took some of the wind outa my sails as far as me trying to make residential Net computer secure...

Why do people do that to good honest people, and to their good honest projects..?

Even if I managed to secure my PC, it wouldn't matter.. my internet activity is extremely monitored... Some unscrupulous people are desperate for new input... If they asked as friend and a brother, Id give them what they need freely.. They don't need to try to steal everything all of the time, just because they can...
I suppose we can confidentially say that there's no such thing as a secure computer, if it's connected to the war-based Internet...

Why do you run Ubuntu on the Net, when it is so vulnerable to outside access and tampering..?
Doesn't your hd have that little yuck partition that Linux installs can't delete..? or do you use DBAN as a hd cleaner too..? or something else..?
I'm supposing you're running some sort of evolved bot..? and the computer you're running on the Net is probably your "I don't give a damn what happens to it computer"... Or, your front end is protected by corporate and/or military-class state of the art super-walls..? Probably all three... I thinks you're a good-black, or better...

Me thinks I'm gonna learn some more, from the super users, like yourself.. and I'm gonna maintain my policy of "one crapper tower for Net work, transferring data via flash, and the others, my personal items PC's, never connected.. connecting them only for the occasional update and package, then maintaining them disconnected ASAP, like I've been doing...
I figures if it works do it... If only I could get the ISO install CD happnin' of the OS as I've got it.. then whenever the OS so much as twitches wrong, I could run DBAN, then drop-in the custom install CD.. which is probably my best overall basic security plan for my connected PC.. but I just can't figure what I'm doing wrong..? All I'm doing is wasting CD's, and hours and hours of computer time creating duds...
Ten years I've been trying to make an ISO install CD for this purpose, and all attempts failed... I'm feeling very stupid...
 
Old 12-14-2010, 06:46 PM   #26
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by Cosmicb View Post
I suppose we can confidentially say that there's no such thing as a secure computer, if it's connected to the war-based Internet...
There's secure computers all over the Internet. You're using one of them right now (LQ). The thing is, there's no computers which are 100% secure. They all have some levels of risk which must be managed, regardless of whether they are connected to the Internet or not.

Quote:
Why do you run Ubuntu on the Net, when it is so vulnerable to outside access and tampering..?
LOL! Where did you get the idea that Ubuntu is such a crappy distro? It actually has some decent security features out of the box, and it doesn't stand in your way when you want to take additional measures on your own.

Quote:
Doesn't your hd have that little yuck partition that Linux installs can't delete..? or do you use DBAN as a hd cleaner too..? or something else..?
I'm supposing you're running some sort of evolved bot..? and the computer you're running on the Net is probably your "I don't give a damn what happens to it computer"... Or, your front end is protected by corporate and/or military-class state of the art super-walls..? Probably all three... I thinks you're a good-black, or better...

Me thinks I'm gonna learn some more, from the super users, like yourself..
My PC doesn't have any fancy security measures (I'm just an average GNU/Linux user, don't let the Moderator title fool you).

Last edited by win32sux; 12-14-2010 at 06:52 PM.
 
Old 12-14-2010, 06:49 PM   #27
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 681Reputation: 681Reputation: 681Reputation: 681Reputation: 681Reputation: 681
If you look in a book store, such as Barnes & Nobels, they may sell Linux magazines & starter kit magazines where you can purchase a pressed CD/DVD. A read only source from a magazine should be secure unless the distributor has been hacked.

If you download an ISO image, compare the md5sum hash with what is published on the website. Your burner software will calculate the hash of the ISO image for you.

Make sure you select to burn an image. You might be burning a disc with the ISO file in it instead.

In the ConSecWest competition where security experts competed to crack a Windows, Mac and Linux and Ubuntu laptop for a $20,000 prize, the Ubuntu laptop survived. The others required user interaction (e.g. using the browser) to be compromised. These computers had up-to-date security updates applied. The Mac fell first, because Apple hadn't promptly released a security patch for a known vulnerability. The lesson I learned from this competition was how important it is to apply security patches.

Last edited by jschiwal; 12-14-2010 at 06:58 PM.
 
Old 12-14-2010, 07:02 PM   #28
Cosmicb
Member
 
Registered: Feb 2009
Posts: 70

Original Poster
Rep: Reputation: 0
I can burn ISO install CD's from the ISO downloads.. but I just find find it to create and burn the live installable customized OS, as I've made it, with all my preferred packages and files, and tweaking... This one CD would be my Best defence clean-up to hack attacks...
I've found that when corporate hacks can't find anything in my OS of value, they often trash the OS in spite.. sort of like "the kid who breaks another kids toy, because he can't have it"...

_________________


Quoting: "In the ConSecWest competition where security experts competed to crack a Windows, Mac and Linux and Ubuntu laptop for a $20,000 prize."

That would have been a riot to spectate... It would even make a good novel and movie...

_________________


Here's a weird thing that happens way too often..
Nearly every time I mention, in a PC forum, about problems making a custom bootable ISO of the OS, I gets an email from Acronis a few minutes after I've posted about failing to make that CD...
And sure enough, suddenly there's yet another Acronis offer in my inbox...

Last edited by Cosmicb; 12-14-2010 at 07:20 PM.
 
Old 12-14-2010, 07:53 PM   #29
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885Reputation: 4885
I wonder why you think that Acronis, or any corporation, will monitor you or break into your computer regularly and break things?
 
Old 12-14-2010, 08:35 PM   #30
AsusDave
Member
 
Registered: Jul 2008
Distribution: Debian, Ubuntu 10.04
Posts: 151

Rep: Reputation: 34
Thinking that keeping your computer off the Internet will make it more secure is a fallacy also. Just google about Iran's nuclear plants and the "weaponized" virus that was used. Mind bogglingly genius...

To be honest though, I don't know what scared me more when reading about it; how far viruses had evolved or that Iran runs their nuclear plants on Windows!!

HTH
Dave
 
1 members found this post helpful.
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Sorce based distro (gentoo) Vs Binary based distro(fedora, debian,..) ashwin_cse Linux - Distributions 7 02-08-2010 01:46 PM
pci based usb hc based on necd72010xf1 and pinnacle pctv card bt878 based ashwani_gupt Linux - Hardware 0 12-17-2009 08:34 AM
web based gnome desktop fedora 8 nomb Fedora 3 11-08-2007 07:19 PM
CD not mounting in Fedora-core1 or based psiva Linux - Hardware 5 04-09-2004 07:27 AM
Custom RedHat (Fedora) Based Distribution jimrt Linux - Distributions 3 11-14-2003 08:47 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration