#26 2014-01-28 12:48:55

Amanda S
Member
Registered: 2013-09-21
Posts: 276
Website

Re: How do you secure your Arch install?

ewaller wrote:

The reason you don't want to put '.' in your path (snip)

Thanks. Much appreciated.

ewaller wrote:

Oh, and be careful of VMs (Let's see if this bakes your noodle....). Even though there are concerns about hardware random number generators in processors having been compromised by influence on vendors by the good ol' NSA, consider this... Inside a VM, that 'hardware' random number generator is completely, 100% pwned by the hypervisor / emulator / VM layer. They may not be random, they may be logged, they may be sent to a third party. I would be very cautious of encryption performed inside a VM; even other entropy sources could be manipulated.

So not much work that requires special security should be done in VMs? Should I be more concerned with securing the host?

/dev/zero wrote:
Amarildo wrote:

Sure. <etc>

Thanks. Good food for thought. I think there is still merit in having passwords that are easy to remember. As one of the sources you cite points out, if you have all these high strength passwords bound together by a key manager, then an attacker only needs to compromise the key manager. On the other hand, if you're using variants of correcthorsebatterystaple all over the place and each one is different, then only part of your protected information can be compromised at once.

There is also the $5 wrench rule to consider: no matter how strong your password, it can be extracted by anyone at any time through the targeted use of a $5 wrench on sensitive areas of your body. This brings into question how much time should be spent on either memorising crazy random passwords, or else implementing systems to manage crazy random passwords.

Yeah, that's a problem.

I think you can combine random words, as actually picked from a dictionary, and do some combo with random characters. This way most people won't stress themselves that much, considering most people are not a viable target, so they can be calm about these things.

About the password being extracted with the $5 wrench: Well, that's the main point. If you only want to hide info from your relatives and friends, not much work is required. Here in Brazil, for example, I can count on my fingers how many people protect their data. Most of them think a user password on Windows will protect their data. It will, to some extent, but what if the attacker knows how to use a Linux LiveCD? They can then use software encryption (most are free) and use simple passwords to protect whatever they're trying to protect.

It all comes down to how valuable your data is. If you're a banker or a very important businessman, then strong encryption is the minimum requirement. If you're a regular user then a simple truecrypt volume should suffice.

Awebb wrote:

Again: Brute force attacks are irrelevant unless the target is an encrypted file, hard drive or local user account with no timeouts and second guards (like a proper LDAP setup). All you achieve with strong password requirements is alienating your users and creating work for the support crew.

Nothing is irrelevant when it comes to security. What you consider overkill is not my problem.

Last edited by Amanda S (2014-01-28 13:50:34)


If it ain't broke, you haven't tweaked it enough...

Offline

#27 2014-01-28 15:35:39

Awebb
Member
Registered: 2010-05-06
Posts: 6,688

Re: How do you secure your Arch install?

Amarildo wrote:
Awebb wrote:

Again: Brute force attacks are irrelevant unless the target is an encrypted file, hard drive or local user account with no timeouts and second guards (like a proper LDAP setup). All you achieve with strong password requirements is alienating your users and creating work for the support crew.

Nothing is irrelevant when it comes to security. What you consider overkill is not my problem.

Just in case I was not clear on what I meant, I will explain once more:

Bruteforce on a password system that locks itself after three attempts is simply not possible. You did the math yourself, it would require way more than three attempts. This was my inquiry, as you were asking for system security. In fact, there are situations where a more complex password will shift the attack vector away from cryptography closer to social engineering. The more complex a password is, the more likely it is for a user to write it on a post-it and pin it to his screen. I am also a big fan of practical cryptography; encryption and signatures are always my first thoughts when the topic 'IT security' comes up.

I am not sure what the overall scope of this thread is. I use Arch not only as a single user desktop, but also in a multi user environment with a mixed group of users. What I think should indeed never be your problem, you are free to disregard any suggestion that exceeds or completely misses your requirements.

Offline

#28 2014-01-28 16:06:43

Amanda S
Member
Registered: 2013-09-21
Posts: 276
Website

Re: How do you secure your Arch install?

Yes, in that case where there are a number of attempts it's not necessary to have such a secure password.


If it ain't broke, you haven't tweaked it enough...

Offline

#29 2014-01-28 16:19:06

saf
Member
Registered: 2009-02-01
Posts: 39

Re: How do you secure your Arch install?

What are you scared of, Amarildo?

1. Really sensitive data doesn't belong on a PC connected to the internet.
2. Make backups on an external HDD or cloud

Are you scared someone reads your e-mails or reads out your password from online banking?

When you only install stuff from the standard repos with the key-management and you're a normal user it should be alright, no need to worry or to install software.

Offline

#30 2014-01-28 16:34:13

Amanda S
Member
Registered: 2013-09-21
Posts: 276
Website

Re: How do you secure your Arch install?

I'm scared of online attackers, malicious minds who will try to explore vulnerabilities on systems.


If it ain't broke, you haven't tweaked it enough...

Offline

#31 2014-01-28 19:01:16

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,511

Re: How do you secure your Arch install?

Amarildo wrote:

I'm scared of online attackers, malicious minds who will try to explore vulnerabilities on systems.

I think somebody already mentioned the heist task force; the NSA.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#32 2014-01-28 19:37:19

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: How do you secure your Arch install?

nomorewindows wrote:
Amarildo wrote:

I'm scared of online attackers, malicious minds who will try to explore vulnerabilities on systems.

I think somebody already mentioned the heist task force; the NSA.

Couple points:
1) Vigilance against state intrusion into private life is always and forever warranted. We must never forget that.
2) Without a torture regimen, or access to the world's most sophisticated forensics tools and limitless time, anyone---including agents of the state---will be deterred and/or obstructed by full disk encryption and proper network restrictions.  The first question that always pops into my head when someone adamantly insists on employing every security trick in the book is "What exactly makes you special enough to be targeted by the world's most bad-ass computer experts?" The risks and cost would require your data to be extremely valuable for someone to torture you, or run a full forensic work-up of your machine, or try and crack your myriad online passwords. Even access to your email account, while absolutely undesirable, is only a wide-open gateway into your life if you haven't taken basic precautions.

Offline

#33 2014-01-28 19:42:31

Amanda S
Member
Registered: 2013-09-21
Posts: 276
Website

Re: How do you secure your Arch install?

I'm not worried about NSA, really. I can't compete with them, although I strongly want to use only FOSS software.


If it ain't broke, you haven't tweaked it enough...

Offline

#34 2014-01-28 23:46:30

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: How do you secure your Arch install?

Amarildo wrote:

I'm not worried about NSA, really. I can't compete with them, although I strongly want to use only FOSS software.

If you're worried about online attackers, then you really should be worried about the NSA.  Though you "can't compete with them" they are ultimately the ones who are weakening the encryption standards that protect your system.  So they are essentially helping potential attackers by weakening the overall security of all machines.

Offline

#35 2014-01-28 23:51:11

Amanda S
Member
Registered: 2013-09-21
Posts: 276
Website

Re: How do you secure your Arch install?

Yes, you're right. But ME personally, I can't move a finger to escape NSA. If they WANT me online, they WILL get me online, no matter how protected I am.
But talking about an offline scenario, I'm well protected.

@ MODS - I'm thinking of starting a new thread, called "What rules are set in your firewall?". What's the best solution, stick with this thread or create a new one?


If it ain't broke, you haven't tweaked it enough...

Offline

#36 2014-01-29 00:16:22

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: How do you secure your Arch install?

No: this one is done.

Try This would be the appropriate board.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#37 2014-01-29 02:41:20

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,511

Re: How do you secure your Arch install?

jasonwryan wrote:

No: this one is done.

Try This would be the appropriate board.

I think it could go into an already existing thread.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#38 2014-01-29 10:43:57

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: How do you secure your Arch install?

Amarildo wrote:

What rules are set in your firewall?

Argh, there's quite a few of those already, on the Arch & Gentoo forums. Example.

Offline

#39 2014-01-30 23:25:59

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,511

Re: How do you secure your Arch install?


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#40 2014-02-02 03:14:18

Amanda S
Member
Registered: 2013-09-21
Posts: 276
Website

Re: How do you secure your Arch install?

Question: Are there ways of opening closed ports?


If it ain't broke, you haven't tweaked it enough...

Offline

#41 2014-02-02 03:27:49

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: How do you secure your Arch install?

This is a new question: if you can't find your answer through a search (hint, you can), then start a new thread.


Closing.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline
