ONLINE SECURITY WITH PUPPY 5

A Ciphers By Ritter Page


Terry Ritter

ritter@ciphersbyritter.com


2010 November 21


Using free Puppy Linux instead of Microsoft Windows
makes common equipment safe for online banking.



INTRODUCTION

The vast majority of home computers run Microsoft Windows and are not very secure, even with extensive anti-virus add-on programs. Those same computers can be made vastly more secure, essentially for free, by using a Puppy Linux LiveDVD, at least when banking. And Windows would still be available, when desired.

THERE IS A PROBLEM: Malicious software can and does infect personal computers to steal from online bank and brokerage accounts, and to steal identities and online bandwidth. Exceedingly clever and advanced malware cannot be stopped by firewalls, anti-virus or other features, and infections may not even be detected. Trying to "harden" a Windows installation is increasingly irritating, decreasingly effective, and the consequences of failure can be devastating: Your online bank simply cannot distinguish between "the real you" and a malware "bot" infection inside your computer, even with modern "2-factor" "one-time" and external "dongle" authentications.

THERE IS NOT ALWAYS A SOLUTION: Malware exploits holes in security-unconscious Web standards. Our Swiss-cheese standards are so intertwined with modern technology that a fundamentally secure approach would require changing every computer and every web site. Standardized weakness applies to all Web browsing platforms: desktop, laptop, netbook, smart phone, tablet and whatever comes next. Antivirus scanning cannot guarantee to detect a modern bot infection.

THERE IS AN OBVIOUS TARGET: About 91 percent of browsing is done from Microsoft Windows, and attackers will exploit anything and anybody to get at that market. The vast majority of malware is designed to run only in a Windows environment, so most malware can be avoided simply by not using Microsoft Windows online. New cross-platform malware can be avoided by also not using Java (JavaScript is not Java). Not everyone can avoid using Windows and Java applications online, and not everyone wants to, but stepping away from the target is a move in the right direction.

THERE MAY BE A SOLUTION FOR YOU: You can prevent malware infection provided you can boot your operating system from an optical drive. Malware "infects" by changing the "boot" or run-up data to restart malware on each session. Infection can be prevented by booting from a DVD, which is inherently "difficult or impossible" to infect. Currently, the best solution seems to be Puppy Linux:

I EXPLAIN HOW: The Puppy Linux process is exposed in detail. Serious online security is made available to anyone willing to follow directions, provided only that they have a computer with a DVD-writer optical drive. Setting up a Puppy LiveDVD the first time may take 3 or 4 hours, but every time it starts it is bot-free. Serious security means re-booting Puppy and going directly to a financial site, without first reading email or browsing. A configured Puppy DVD can be replicated in 5 or 10 minutes, and may work with only minor changes on different machines.


I. MAKE A PUPPY DVD

You cannot just buy a configured Puppy Linux LiveDVD, but you can make one yourself, by following reasonable choices described here.

These lists only seem overwhelming. Most steps are a single keypress. You are not going to "blow up" your computer by making a DVD. If you use the recommended DVD+RW discs and screw up, you can erase the DVD and try again with no loss. Nobody need know.

If you want, you can still go back to the original Windows system, which this process does not modify.

FIRST: Find and Download Lucid Puppy 5.1.1

  1. From Windows, go to one of the Puppy repositories, such as:
  2. You are looking for the ISO file "lupu-511.iso".
  3. The file "lupu-511.iso" (129MB) may be in a subdirectory such as "puppy-5.1.1" as just one of various files.
  4. Typically, a left-click on the "lupu-511.iso" entry will prepare to download the file.
  5. Have the download file placed where you can find it later.

II. BURN PUPPY ISO TO DVD

Now we have the "lupu-511.iso" file, which is an "ISO" type of file. An ISO file is just the raw sequence of bytes recorded on a CD or DVD. The ISO "image" includes both the files and the file structure which names and locates those files.

For Puppy use, I recommend DVD+RW discs which seem somewhat more reliable than other types. (You do need a DVD writer which supports DVD+RW, of course.) If you make a mistake, you can erase a DVD+RW and start over.

To burn an ISO from Microsoft Windows, you might try CDBurnerXP:

To use CDBurnerXP:

  1. Run the install.
  2. Run the program.
  3. Select the "Burn ISO Image" subprogram.
  4. At "Select ISO image to burn:" browse to the lupu-511.iso file.
  5. For "Burn method:" use "choose automatically"
  6. UNselect "DVD high compatibility"
  7. UNselect "Mode2XA instead of Mode1" (Mode1 has better error-correction)
  8. UNselect "Finalize disc" (allows multi-session saves)
  9. Select "Verify data after burning"

The resulting burn, with a DVD+RW at 4x speed, with verify, completes in about 1min 20sec.

III. BOOT PUPPY, CONFIGURE, INSTALL FIREFOX, SAVE TO DVD

Some Things to NOT Install

When used for security, Puppy Linux should not be installed to a hard drive or a USB flash drive, but should instead boot from DVD on every session. Easily-writable boot drives are easily infected.

The Linux program "Wine" which emulates Microsoft Windows should not be installed. Wine has gotten good enough to support a range of Windows malware, which is precisely what we are trying to avoid.

Similarly, the "Java" system also should not be installed, unless absolutely required. ("Java" is not the same as "JavaScript" which is part of the browser and is tamed by the Firefox add-on "NoScript".) Java is extremely dangerous because it expands the 1 percent Linux group (thus, not a target) to the 97 percent Windows + Mac + Linux group (absolutely a target) which may have Java. It is not enough to disable Java in the browser or in NoScript; Java should not even be present unless you cannot work without it.

Tell the BIOS To Boot a CD

The BIOS (Basic Input / Output System) is the computer program in control before an operating system is loaded or "booted." Basically, the BIOS goes down a list of devices to see if they hold a bootable OS to load. The first thing found that can be loaded, is loaded, and becomes the computer OS for that session. Normally, we want the "first boot device" to be "CDROM". The idea is to boot from a CD or DVD when one is present, and otherwise boot from the hard drive.

To enter the BIOS, restart the computer and watch for the message about which key to press to enter the BIOS. Often this will be Del (the delete key), but may be F1 or F2 or even something else. Press the key very quickly, or restart and try again until a BIOS configuration screen opens. Find "Boot / Boot Device Priority" or "Advanced BIOS Features / First Boot Device" or "Boot Sequence", and change the first entry to "CDROM". Move subsequent entries down, including the hard drive entry, "HDD" or "Hard Drive" or "Hard Disk". Then save changes and exit, which will start a reboot.

For BIOS help, see:

Boot Puppy and Configure

Put the Puppy DVD in the DVD reader, close the tray and restart the computer.

This is a tested, working example for my particular equipment--do not follow it blindly!

Install Firefox

Save to DVD


IV. INSTALL SECURITY ADD-ONS

Firefox add-ons provide security features which other browsers do not have. When other browsers get those features, or similar add-ons, then we can discuss whether they are as secure as Firefox.

  1. on desktop, click browse to start Firefox
  2. in Firefox, follow Tools to "Add-ons" and click
  3. select "Get Add-ons"
  4. search for and select each desired add-on and download into Firefox:
  5. click "add to Firefox..." (site contacted)
  6. after a delay, click "Install Now" (download occurs)
  7. WAIT! do not click "Restart Firefox" just yet
  8. it is faster to add all desired add-ons before restarting Firefox
  9. at least get important / security add-ons, shown in bold
  10. each can be uninstalled or just disabled later from Firefox Tools / Add-ons...
  11. when done, on the Add-ons panel, click "Restart Firefox"
  12. when Firefox comes up:

    I have once had Firefox lock up before all add-ons installed. In response, I started the process manager from Menu / System / System Status and Config / pprocess process manager. Then I selected the bottom-most Firefox process and clicked "End process" which killed the remaining Firefox window on the desktop. Subsequently clicking the desktop "browse" started Firefox again which then continued from where it left off. This appears to be a rare Firefox issue. Nothing was lost.


V. CONFIGURING FIREFOX AND ADD-ONS

These are suggestions for people just getting started. If you can configure Firefox on your own, do so.

Configure Firefox

  1. Follow View / Toolbars to deselect "Bookmarks Toolbar"
  2. Follow Edit to Preferences and select the "General" tab.
  3. Set up a Home Page URL.
  4. In Downloads, select "Save files to" and browse to the bottom of the file system to select "/archive".
  5. In the Tabs tab, UNselect all warnings.
  6. In the Content tab, if "Enable Java" exists, UNselect it. (Java is NOT JavaScript!)
  7. In the Privacy tab,
  8. In the Security tab,
    1. UNselect "Remember passwords for sites" (never allow any browser to manage passwords).
    2. at "Warning Messages" click "Settings...", check only "I submit information that's not encrypted."
  9. Click "Close" to move on.

Configure Tab Mix Plus

  1. In Firefox, follow "Tools" to "Tab Mix Plus Options" and select.
  2. In the "Events" tab,
  3. In the "Display" tab, under "Tab Bar"
  4. In the "Display" tab, under "Tab"
  5. In the "Session" tab,
  6. Click "OK" to move on.

Save Changes

  1. if you have favorite sites or browser tabs you want to open on each session, set them up
  2. set up your configurations the way you want them saved
  3. close Firefox and any open windows
  4. on desktop, find "save" button and click
  5. click "SAVE"
  6. select "SAVE" and press Enter (save occurs, then tray opens)
  7. press Enter to move on.

VI. ADJUST TO PUPPY AND FIREFOX

Booting Puppy Linux from DVD is the best approach to get a believably uninfected OS.

Most people probably will start out on an existing Windows system, and Puppy does support use of Windows drives. However, Puppy does not need a hard drive, and when no hard drive is present, there is no hard drive to damage or expose. Personally, after getting beyond the traumatic change, I appreciate the increased security more than I miss having massive local storage. When necessary, I can use (and remove) USB flash drives.

Using Windows Drives

When Puppy comes up it will look for system drives (hard drives, floppies, CD's, etc.), and can use normal Windows drives. It is easy to read Windows files, and write files that Windows can use. But Puppy does not need a hard drive, and the best security is to not have one.

At first, the drive names in Linux will be unfamiliar, but it is easy to see what files are on any drive. A single click on a drive "mounts" that drive, and a directory window will appear. A mounted drive will have a name like "sr0" and some sort of indication on the drive icon as a reminder that it is mounted.

It is normal for an OS to "buffer" or temporarily store data being sent to a drive while waiting for the drive to catch up. It is important to not just yank out a USB plug for an external drive until the data have been fully stored. To "unmount" a drive, right-click-and-hold to select "Unmount sr0" (for example) and wait for the "mounted" indication to go away.

Using NoScript

NoScript is a browser add-on that disables JavaScript and also most other scripting languages, but allows scripting to be enabled for any particular web site and remembered for future use. Scripting is a problem because scripts are executable program code which the browser downloads and runs as part of a displayed page. Not enabling scripts can cause awkward page problems, but enabling a malware script can cause serious security problems. Of course, with Puppy Linux on DVD, we can restart the machine and get a clean OS with minimal effort.

Many sites can be used without JavaScript. Other sites need Flash, which is also protected by NoScript, and the site may say you need to download Flash, when you really just need to enable that site in NoScript. JavaScript can be enabled for a particular page by clicking on the "S" at the bottom of the browser window and selecting sites to allow. It can be illuminating to see how many different sites are being promoted from what seems to be a single page, and that is part of the browsing security problem. Note that a save is necessary for a new configuration to survive the next DVD boot.

Using LastPass

The user is responsible for having good passwords. A good password cannot be short and it cannot be words or names. The best password is a machine-generated sequence of random characters. A 15-random-character password should be good enough, with more brute-force security than any other part of the system. We need a different long, random password for every site, account and piece of equipment (such as a Wi-Fi router). We cannot remember such passwords, so we need a password manager to save them for us. Passwords are saved in a little database protected by cryptography done right.

The password manager LastPass.com works as a browser add-on, as a website, or as a stand-alone portable program. Normally, the browser add-on is most convenient. Alternately, users can access their passwords from the website using any uninfected computer. Or one can save the little encrypted password database, then use the standalone program to access passwords.

Starting to use password management can seem like being out of control. Only the password manager knows the actual passwords, and if it dies, what then?

  1. A copy of the encrypted password database is saved on the LastPass website. If a disaster affects your machine, you can still get your passwords online from a different machine.
  2. The browser add-on stores a copy of the encrypted database locally, for use if the LastPass site is down.
  3. The encrypted database can be exported to a local file as backup or for use by a stand-alone LastPass program.

Using LastPass can seem scary, because it tries to be automatic. New sites are included by signing in and letting LastPass create an entry. Sometimes the automatic way fails, and sometimes the web site changes their login page. A manual login option is available by clicking on the LastPass icon, and then selecting the current site. The Username or Password can be copied to the clipboard, which then can be pasted into the desired location.

Correcting a login sequence can seem daunting, but there are relaxing options. When I edited an entry and changed the name, the old entry was not lost but the new entry was added. That meant I could change the new entry as desired without losing the password.

LastPass also has a "Secure Notes" feature which saves little text files in the encrypted database:

Saving Files to DVD

Most new or modified files are automatically saved when we save a session to the DVD, preferably a DVD+RW. For some reason, the desktop "save" button seems more reliable than an update triggered by Menu / Shutdown. The "save" button copies all changed files to a new session or directory on the DVD, but does not mark them as saved, so clicking "save" again will save all the same files again! Ending the session by Menu / Shutdown will offer to save those files yet again! Just say no, by selecting "NO SAVE", then press Enter and press Enter again (to "close drive tray"). Each startup boot will complain about an "unclean exit" for "x", but just select "Ignore" and move on.

I try to limit my DVD saves to once every couple of weeks or so, and then just after a clean startup and immediately after the desired updates or configuration changes. It is easy to archive files on the DVD by placing them in the "my-documents" directory before a save. Files in my-documents will be loaded from DVD to the in-memory file system in every subsequent runup, and thus be available (unless deleted and that system saved).

Saving files on the DVD rarely seems helpful to me:

Files in the Puppy /tmp directory are not saved to DVD. Files in the /archive directory are saved to DVD, but not recovered in the next boot. Changed files are saved to DVD without overwriting the older versions, and only the most recent version is recovered on boot.

In most file systems, a new file replaces the old one. But each time Puppy Linux saves to DVD, it creates a new DVD directory for that save. So the DVD can contain many different versions of the same file, as it was each time it was saved. This will automatically archive the progress of a writing or programming project over time in a way that does not occur in normal computer file systems. Each DVD session, and each archived file version, can be read from DVD under Linux or Windows.

DVD Issues

As an online security system, Puppy Linux should be booted from DVD, and run in memory. The unique Puppy Linux ability to update the DVD is what makes a DVD boot practical. But updates do need to be written to the DVD, and optical storage simply is not as reliable as hard drive storage.

Since all storage systems are somewhat unreliable, our Puppy response is just to be more rigorous than usual. For example, I manually back up an important local work (like this article, during development) before the end of every session. I may copy my file to a USB flash drive (1 minute), or send the file to myself as an email attachment (2 minutes), and save it to a Windows drive (1 minute), if present. Even if I work "in the cloud" using Google Docs, I still "Download as" the file and attach it to an email to myself, thus creating a project archive without writing to the DVD.

Sometimes upon restart Puppy comes up (the splash screen shows), but then fails upon reading the last saved session. We can permanently void the last session by starting Puppy again and entering the command "puppy pfix=1" at the splash screen input.

Rarely, we can find that the last session save has made the disc completely unreadable, at least for boot purposes. Then we need to start over with a new disc we have cleverly made in advance. Or we get to start over from scratch, which may be irritating but not really a disaster.

Making a configured boot DVD

Puppy does have a "remaster" process, at Menu / Setup / Remaster Puppy live-CD, but that seems overly complex and I have had problems with it (in 4.3.1).

An alternative way to "copy" a configured Puppy DVD is to first boot from a fully-configured DVD, then save that session to a different disc. It would be nice to simply put in a blank DVD and click "save", but that does not appear to work. Puppy asks for the original boot DVD, which is immediately updated with a new session, instead of reading the system for transfer to another disc.

What has worked for me requires another Puppy ISO DVD. We can make that in Puppy:

  1. download the puppy ISO again, or copy from USB flash drive into Puppy memory, perhaps /tmp
  2. put a clean DVD in the burner tray and close tray
  3. follow Menu / Multimedia to "Burniso2cd burn iso file to CD/DVD" and click
  4. select DVD and click "OK"
  5. select drive and click "OK"
  6. browse to lupu-511.iso and click "OK"
  7. click "MULTI"
  8. set burn speed at 4 and click "OK" (burn occurs, tray opens)
  9. "Would you like to verify...?" click "Yes"
  10. manually close tray
  11. wait for burner LED to settle down
  12. click "OKAY" (verify process occurs)
  13. "the burn has been verified as good"
  14. click "OKAY" (tray opens)
  15. click "FINISHED" to move on
  16. manually close tray
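
The download, burn and verify steps above can also be checked by hand from a terminal. The following is an added example, not part of the original article or of Puppy's own tools: it checks that a file carries the ISO 9660 signature, compares it with a published digest, and compares the disc readback with the image. The function names and the sample files are constructed for illustration, and a SHA-256 value published by the download site is an assumption, since this page gives none.

```shell
#!/bin/sh
# Added example: integrity checks around the "burn ISO to DVD" steps.

# is_iso9660 FILE: true if FILE carries the ISO 9660 signature "CD001"
# at byte 32769 (sector 16, one byte into the Primary Volume Descriptor).
is_iso9660() {
    sig=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null | tr -d '\000')
    [ "$sig" = "CD001" ]
}

# digest_matches FILE EXPECTED: true if the SHA-256 of FILE equals EXPECTED.
# EXPECTED has to come from the download site (assumed to publish one).
digest_matches() {
    actual=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# disc_matches_iso ISO DEVICE: true if the first size-of-ISO bytes read
# back from DEVICE equal ISO. Only that prefix is compared, because an
# unfinalized multi-session disc holds later saved sessions after the image.
disc_matches_iso() {
    size=$(wc -c < "$1" | tr -d ' ')
    head -c "$size" "$2" | cmp -s - "$1"
}

# make_sample_image FILE: constructed stand-in for an ISO (not a real
# Puppy image): 16 empty sectors, one descriptor sector, 3 data sectors.
make_sample_image() {
    {
        head -c 32768 /dev/zero
        printf '\001CD001\001'
        head -c 2041 /dev/zero
        printf 'constructed sample payload'
        head -c 6118 /dev/zero
    } > "$1"
}

# Demo on constructed files: the "disc" is the image plus a later session.
tmp=$(mktemp -d)
make_sample_image "$tmp/sample.iso"
{ cat "$tmp/sample.iso"; printf 'later saved session'; } > "$tmp/disc.img"
is_iso9660 "$tmp/sample.iso" && echo "signature ok"
disc_matches_iso "$tmp/sample.iso" "$tmp/disc.img" && echo "readback ok"
rm -rf "$tmp"
```

Against a real burn the call is `disc_matches_iso lupu-511.iso /dev/sr0`, where `sr0` is the example drive name used earlier on this page; the actual device name depends on the machine.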

When we have a Puppy ISO DVD, we can save our current configured state:

  1. on the desktop, click "save"
  2. click "SAVE" (DVD tray opens)
  3. IGNORE "Please insert the Puppy live-CD/DVD media that you booted from..."
  4. INSTEAD, insert (or do not remove) Lucid Puppy 5.1.1 ISO DVD
  5. close tray
  6. wait for the burner LED to settle down
  7. press Enter (burn process occurs)
  8. "Have saved session to live-DVD (unless it has not, which is an error)."

    Sadly, the cuteness of that message evaporates rather quickly when things do not work, since there is no indication about what went wrong or what the user could do about it.

This process usually does work and can be used to:

Difficult or Impossible to Infect

The huge advantage of a LiveDVD is that it is "difficult or impossible" for malware to change data on the DVD.

The presence of an easily-infected and immediately-writable boot drive (or even a boot USB flash drive) is what turns a successful malware "attack" into "infection." Hard drive infection happens in the blink of an eye and often cannot be detected afterwards. These infections are vastly expensive because simply deleting malware files is no longer enough for recovery. Once modern malware starts to operate, it "calls home" and then there are no limits to what it might do on the hard drive. After that, nobody can possibly know what to do to put things right. The only secure way to recover from modern malware on a boot hard drive is to re-install the OS (or recover an uninfected system image).

The alternative of a hard-to-infect and slowly-writable boot DVD makes stealth infection very difficult, and actually impossible when there is no DVD in the drive. Puppy Linux normally loads completely into RAM so the boot DVD can be removed to play music or videos -- or to prevent infection. Even if DVD infection does occur, the latest sessions can be voided by Puppy before startup, or a brand new DVD created at low cost and minimal effort (when a configured backup is available).

In practice, the ability to save security updates to the boot DVD makes a DVD boot practical. There is no perfect security, but we can make vast improvements while still retaining some shreds of practicality.

Video Issues

In the older Puppy 4.3.1 version, it was hard to take a configured Puppy DVD to another computer because the video selections generally would not work on a different system. Dealing with this generally involved trying to somehow invoke the Video Wizard by menu selections without being able to see the menus.

The current Lucid Puppy 5.1.1 seems to detect being on a different computer and automatically starts the Video Wizard, at least on the machines I have tried. This is a big, big improvement. It may be possible in general to take a configured Puppy DVD to another computer and expect to get it to work fairly easily and quickly.

  1. see "Welcome to the Puppy Video Wizard" panel
  2. select "Probe" and press Enter
  3. select appropriate format (in my case, 1024x768x24 or 1360x768x24 or 1440x900x24)
  4. select "OK" or "TEST" and press Enter
  5. select "TEST_X_NOW" and press Enter
  6. use control-alt-backspace to recover, if necessary
  7. select "FINISHED" and press Enter to move on

When moving to a new machine, if you cannot trust the hardware, you also cannot fully trust Puppy on that hardware. A hardware keystroke logger will not disappear simply by booting Puppy. External penlight-cell-size in-line loggers for PS/2 or USB keyboards are commonly available and might be installed by users. Internal laptop logger boards are uncommon, but are known to exist for laptops having a MiniPCI slot, as typically manufactured before 2008.

Connection Issues

In general, networking hardware will be different on different computers, so a configured Puppy may need new configuration.

  1. on the desktop, click "connect"
  2. find "Internet by wired or wireless LAN" and click that icon
  3. find "Simple Network Setup" and click that icon
  4. select an interface (like eth0) and click
  5. click "OK"
  6. click "YES SET AS DEFAULT"
  7. click "OK" to move on

Actually, I would prefer for Puppy to not automatically log into the Net, but instead wait until and unless I want that. Currently I do not know how to get that.

Power-Down

In a system without a hard drive, we can just turn the power off. Power failure cannot damage a hard drive when there is no hard drive.

If the system has a hard drive, we need to follow Menu / Shutdown to "Power off computer" and click. Select "NO SAVE" and press Enter (DVD tray opens), then press Enter to finish.


VII. SECURE USE

Just getting Puppy, booting it from a DVD, and using Firefox with security add-ons covers a whole lot of computing weakness. As one might expect, there are other issues:

What about passwords?

What about email?

What about browsing?

What about snooping?


VIII. MALWARE EDUCATION

Many who advocate better security can be accused of using "FUD" (Fear, Uncertainty and Doubt) to advance their cause. But if FUD by itself was a bad thing, there would be little reason to buy insurance, or even door locks, for that matter. The question is whether the problems are real or just made up, and whether the cure actually works or is just expensive snake oil.

Computer insecurity is real, and implies levels of technical, corporate, governmental and national security incompetence that are almost impossible to believe. Booting Puppy Linux from DVD is a real solution for increased security. You need not believe me: Read the articles, follow them up, and come to your own conclusions:

All Operating Systems are Vulnerable

Malware Steals

Malware Targets Microsoft Windows

Passwords

Email and SSL Security

Patching is Increasingly Tedious and Ineffective

Windows Has 91 Percent Browsing Share

Everybody Has a Malware Problem

Avoiding Dangerous Sites Cannot Protect You

Authentication Cannot Protect You

Anti-Virus Cannot Protect You

Removing Malware Cannot Protect You

Your Equipment Cannot Protect You

You Need a Password Manager

Wi-Fi is Trickier than You Think

Related Articles