#1 2016-01-26 13:35:50

snarkyguy
New Member
Registered: 2016-01-26
Posts: 4

Crunchbang Paranoid Security Guide

The #! forums had a wonderful intro to security guide: http://crunchbang.org/forums/viewtopic.php?id=24722

I was wondering if anyone would be interested in continuing it here. It could use some additions like fail2ban, Linux Malware Detection, perhaps firejail, and other things. Does the community have any interest in resurrecting it here?


#2 2016-01-26 14:56:17

Sector11
Conky 1.9er Mod Squid
From: Upstairs
Registered: 2015-08-20
Posts: 6,841

Re: Crunchbang Paranoid Security Guide

Good idea, one doesn't need to be paranoid to be security conscious.  After all:

“Just because you're paranoid doesn't mean they aren't after you.”
― Joseph Heller, Catch-22

  smile

I'll edit the bottom of this post out if you decide to continue.

Why not edit your first post and quote the entire first post here - stripping out the opening and closing
(quote=sorcerer's_apprentice)
... content
(/quote) blocks but leaving the content,
- then leave a credit to sorcerer's_apprentice with the link to the original #! thread at the top of your post, something like this - the new contents of your first post here:

The continuation of sorcerer's_apprentice's original thread: The paranoid #! Security Guide.  Some content here is subject to updates and additions as the original is now three years old.

The paranoid #! Security Guide

Table of Contents:

Introduction
...
...
... end of original content

===
12 Feb 2016 - edited xyz link
15 Feb 2016 - added link to 'Security and you?'

At which point people that are interested can read the main body of text here and you have the option/ability to update or fix broken links here and add new links to the post as well.

The bit at the end, under ===, shows you are interested in keeping it going (if you are inclined to do so)


The sun will never set if you keep walking towards it. - my son
Being positive doesn't understand physics.
_______________________________
Debian 10 Buster = SharpBang ♯!


#3 2016-01-26 19:45:04

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Crunchbang Paranoid Security Guide

IMO, users concerned about security should switch to OpenBSD

http://www.openbsd.org/

Alternatively, see https://www.debian.org/doc/manuals/secu … ian-howto/


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#4 2016-01-26 19:54:00

Sector11
Conky 1.9er Mod Squid
From: Upstairs
Registered: 2015-08-20
Posts: 6,841

Re: Crunchbang Paranoid Security Guide

Really?  How is OpenBSD more secure?  OK I see this, interesting.  But how would a noob like me know that's more secure than Linux?  I mean Linux has that other OS beat three ways to Sunday IMNO (Noobish)   roll

I am being serious here ... you have my curiosity.

EDIT:  Oooo Canadian too!   devil

Last edited by Sector11 (2016-01-26 19:55:58)



#5 2016-01-26 20:00:57

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Crunchbang Paranoid Security Guide

Sector11 wrote:

How is OpenBSD more secure?

It is widely regarded as the most secure operating system currently available (although the makers of Qubes may disagree), as the home page says:

Only two remote holes in the default install, in a heck of a long time!

For details, see http://www.openbsd.org/security.html



#6 2016-01-26 21:49:32

Sector11
Conky 1.9er Mod Squid
From: Upstairs
Registered: 2015-08-20
Posts: 6,841

Re: Crunchbang Paranoid Security Guide

Hmmm same link I posted .. will give it a read.  Thanks.
gutterslob 'almost' had me to the point of trying a BSD once ... think it was FreeBSD, can't remember.



#7 2016-01-26 21:58:01

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Crunchbang Paranoid Security Guide

Sector11 wrote:

Hmmm same link I posted

Ooops, sorry I'm tired from $WORK  ops



#8 2016-01-27 22:09:36

snarkyguy
New Member
Registered: 2016-01-26
Posts: 4

Re: Crunchbang Paranoid Security Guide

I'm a big fan of OpenBSD and have been using it for many (15?) years. I love it as a transparent bridging firewall. There are times, though, that Linux is a preferable choice. I mainly use OpenBSD for firewalls, routing, etc. I do have a laptop running OpenBSD/XFCE, but it's not going to be for everyone. A good guide to securing Linux can reach a larger user base.

OpenBSD does certain things better than anyone else, imho, such as PF and the OpenSSH spinoff, but that doesn't mean we shouldn't help secure Linux distros.

I'm sick at the moment, but I will work on bringing the old guide over. I'd like to see Linux Malware Detection, Firejail, and other things added. We may even want to touch on SELinux/AppArmor/grsecurity.  Anyone who can write concise details on security would be more than welcome to help. Other things I've experimented with on Linux would be things like AIDE and tripwire HIDS, Bro NIDS, various firewalls, Sophos Linux Antivirus (free), kernel hardening, and so forth. There's a lot of stuff out there that may or may not help, and I'd be happy to discuss it here after I copy over the initial guide.

It's also worth noting OpenBSD is secure out of the box, in a configuration where SSH is basically the only service remotely available. As you add network services, it reduces security unless you secure them appropriately, just like any other OS.

Last edited by snarkyguy (2016-01-27 22:30:00)


#9 2016-01-27 22:43:08

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 230

Re: Crunchbang Paranoid Security Guide

@snarkyguy  I was thinking about this the day these forums opened. Then I went back over to crunchbang to take a look and started just skimming through the thread to figure out how much work it would be.

I hope you have plenty of free time.  tongue

But seriously, I'm glad you want to take on the job. I'd be happy to contribute in some way once something is up. In fact if you want to collaborate a bit you can shoot me a PM. I may not respond right away but I will answer.


“The university is well structured, well tooled, to turn out people with all the sharp edges worn off...." Mario Savio
"Protections for anonymous speech are vital to democratic discourse". Help enforce our right to free and anonymous speech by running a Tor relay.


#10 2016-02-05 10:12:24

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

Re: Crunchbang Paranoid Security Guide

I've been thinking of porting, as well as updating and cleaning / structuring, that guide. It's an excellent collection of resources, but it could use some serious formatting and refactoring. Would anybody be with me on that one?


#11 2016-02-05 14:36:27

C#Coder4ever
BL Keyboard Troll
From: /dev/zero
Registered: 2015-09-29
Posts: 278

Re: Crunchbang Paranoid Security Guide

Head_on_a_Stick wrote:

IMO, users concerned about security should switch to OpenBSD

http://www.openbsd.org/

Alternatively, see https://www.debian.org/doc/manuals/secu … ian-howto/

+1 to that!

or at least a firewall running it. monkey


Peripheral, SBC, and router addict lmao
Keeb & SSD Discussions


#12 2016-02-05 20:44:38

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 230

Re: Crunchbang Paranoid Security Guide

@dot|not  I'll make the same offer I did with snarkyguy. I'm willing to collaborate on this. The only reason I have not just gone ahead and done the whole thing myself is the amount of work involved. Shoot me a PM if you want to take the helm and I would be glad to assist. There is more than just some reformatting to do. Much needs to be checked for updated info, and there are a number of relevant things scattered through later parts of the thread that came after sorcerer's_apprentice stopped maintaining it.

I took the time to go check some of your comments on the #! forums and I see you take much the same approach to the subject as I do. Re: OPSEC is at least as important as the tools.



#13 2016-02-05 20:47:13

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Crunchbang Paranoid Security Guide

I'm pretty sure most things are covered in the Securing Debian Manual, it is a very comprehensive document.

Here is the link (again):
https://www.debian.org/doc/manuals/secu … ian-howto/



#14 2016-02-05 20:55:12

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 230

Re: Crunchbang Paranoid Security Guide

HaoS  Yes the Securing Debian Manual is very relevant but the paranoid security guide covered some areas that it does not.



#15 2016-02-05 20:59:08

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Crunchbang Paranoid Security Guide

^ Ah, OK.

Excuse me, for all my noise I'm pretty clueless when it comes to security  ops



#16 2016-02-05 21:27:55

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 230

Re: Crunchbang Paranoid Security Guide

^ Well no need to excuse yourself. It IS relevant. In fact I would be in favour of de-emphasizing some parts of the guide and referring people to the Securing Debian Manual where appropriate. This would make it easier to focus more on those other areas not covered there.

Of course this is all open to other opinions. I'm just glad there is a discussion taking place.



#17 2016-02-06 10:01:41

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

Re: Crunchbang Paranoid Security Guide

I'll make the same offer I did with snarkyguy. I'm willing to collaborate on this. The only reason I have not just gone ahead and done the whole thing myself is the amount of work involved. Shoot me a PM if you want to take the helm and I would be glad to assist. There is more than just some reformatting to do. Much needs to be checked for updated info, and there are a number of relevant things scattered through later parts of the thread that came after sorcerer's_apprentice stopped maintaining it.

Beside the things you mentioned there should also be a discussion about where this guide is going to, because as of now it's 'just' (Don't get me wrong, excellent work was done!) an assortment of links, tutorials, opinions. Do we want it to be a list of every somewhat-sane security- and/or privacy-related software or do we actually want it to be a guide how to be reasonably safe (in regards to safety and privacy) while using Bunsenlabs or Linux in general or even in general?

I was also thinking about gitifying everything (not necessarily Github), so collaboration would be easier. But that would have to wait until the general direction would be clearer.

I took the time to go check some of your comments on the #! forums and I see you take much the same approach to the subject as I do. Re: OPSEC is at least as important as the tools.

Okay, who do you work for? NSA? GRU? NIS? Who wants a file on me? wink

Our opinions on that seem to overlap greatly, indeed. I'm lucky enough to not be in a position where I'm depending on flawless COMSEC and OPSEC, so I get to tinker and learn. For me it's a hobby, and I'm glad that I can sometimes be of use to others with that.


#18 2016-02-06 19:32:31

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 230

Re: Crunchbang Paranoid Security Guide

dot|not wrote:

there should also be a discussion about where this guide is going to....
Do we want it to be a list of every somewhat-sane security- and/or privacy-related software or do we actually want it to be a guide how to be reasonably safe (in regards to safety and privacy) while using Bunsenlabs or Linux in general or even in general?

I think editing-updating the original guide by sorcerer's_apprentice would be frustrating compared to simply writing something up from scratch. Using it as a rough guide to how to do this would on the other hand be quite useful. If this approach was taken, I would suggest in terms of attribution, "inspired by" would be appropriate.

Or maybe you would prefer to do it the way Sector11 suggested near the beginning of this thread?

Regarding what and how much to include, I would be in favour of including nearly every tool that was in the original and perhaps a bit that was not. With an approach to the subject emphasizing threat model and OPSEC. Some tools and tricks are "good enough" to cut down on corporate info harvesting etc and some things are for the next Edward Snowden or the investigative journalists they would work with.

Regarding how to handle the individual topics, I don't think writing a detailed guide to how to set up and use each tool is needed. In some cases this would be ok as some of the things are simple enough to handle this way. In other cases a link to a good guide with perhaps some brief comments would suffice.

Feedback anyone?

Who wants a file on me? wink

Given your interest in this subject I think they all do. tongue

Last edited by Anaconda (2016-02-06 19:35:37)



#19 2016-02-06 20:06:32

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

Re: Crunchbang Paranoid Security Guide

I think editing-updating the original guide by sorcerer's_apprentice would be frustrating compared to simply writing something up from scratch. Using it as a rough guide to how to do this would on the other hand be quite useful. If this approach was taken, I would suggest in terms of attribution, "inspired by" would be appropriate.

I wholeheartedly agree. I spent some time this afternoon skimming through it, making notes, trying to find a way to get some order or structure into it, but ended up discarding every possible model I could come up with. It's just too wildly mixed. So not just an overhaul but a complete redo from scratch seems the only non-insane way; attribution via 'inspired by' ought to be enough, yeah.

Regarding what and how much to include, I would be in favour of including nearly every tool that was in the original and perhaps a bit that was not. With an approach to the subject emphasizing threat model and OPSEC. Some tools and tricks are "good enough" to cut down on corporate info harvesting etc and some things are for the next Edward Snowden or the investigative journalists they would work with.

I'd like to see it split up.

  1. A straightforward guide, sort of a basic checklist what you should and should not do in terms of security. ("There is this service enabled per default, you should disable it", "This setting for Firefox leaks information, do this", "This tool allows you to handpick outgoing network connections comfortably", etc.) Really as detailed and as much step-by-step as possible, specifically dedicated to and aimed towards not-so-savvy users.

  2. A, as much as possible, comprehensive list of security / privacy tools and other resources. Here we can go full on fact-bombing.

Putting an emphasis on operational security might be a little bit out of scope for this guide, especially because it would potentially be boring for the avid reader who 'just' wants to be a little bit more secure. While I'm enjoying reading about the way Hamas-operatives act, your average visitor probably won't, he'd rather give us some weird looks. wink But I agree, including a section on how tooling is just that, tools, is a necessity.

Given your interest in this subject I think they all do. tongue

God damn it, I should have stuck to Sex, Drugs and Rock 'n Roll. wink


#20 2016-02-06 21:05:14

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 230

Re: Crunchbang Paranoid Security Guide

I spent some time this afternoon skimming through it, making notes, trying to find a way to get some order or structure into it, but ended up discarding every possible model I could come up with.

Same on my end. This thing is freaking huge.

Regarding the threat model and OPSEC stuff, I don't think what I had in mind is really all that different from where you are going. Threat model first, meaning "just give me the basics" vs "I work with whistle blowers". In the first scenario OPSEC is not that vital and can be treated as such. Just give them the basic tools and very basic pointers if needed. In the second scenario OPSEC does become more important and needs to be dealt with.

You mentioned in another post that this stuff is not so vital for you but more of a hobby type interest. That's how it started for me too, but lately I have begun strongly advocating the use of whistle blower quality surveillance circumvention tools to political activists. I've seen too many news stories about the surveillance state abusing so-called anti terrorist tools and targeting activists who are exercising their right to voice their disagreement with govt policies. Some of the stronger tools and techniques under discussion may also be appropriate for law firms, accountants or even just the technically curious etc.

It shouldn't be difficult to produce a guide that would be useful to such people without getting into the politics of it and ticking off the "no politics" crowd.



#21 2016-02-06 21:30:39

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

Re: Crunchbang Paranoid Security Guide

Same on my end. This thing is freaking huge.

I think the best way (for now, a structured approach might be needed later) is to just hack away at it. We probably should also create a new thread for it and link this one, for the sake of cleanliness.

A question that just popped up in my head: Do we want it as a BB-code formatted post in this board or do we want it as an actual guide, as .pdf, written in Markdown or whatever floats our boat? Both have their pros and cons.

How do we handle communication? Just forum posts or do you want to take it somewhere else (IRC, XMPP, ..)?

Regarding the threat model and OPSEC stuff, I don't think what I had in mind is really all that different from where you are going. Threat model first, meaning "just give me the basics" vs "I work with whistle blowers". In the first scenario OPSEC is not that vital and can be treated as such. Just give them the basic tools and very basic pointers if needed. In the second scenario OPSEC does become more important and needs to be dealt with.

We need to differentiate between things. The first, hands-on-style thing I have in mind is more focused on security, with some basic privacy stuff (mainly focused on ads and data brokers) included. The latter is where I'd imagine going full-on. Then again, my guts tell me to just start and see where the journey leads, because endlessly discussing specifics will probably only hinder us.

You mentioned in another post that this stuff is not so vital for you but more of a hobby type interest. That's how it started for me too, but lately I have begun strongly advocating the use of whistle blower quality surveillance circumvention tools to political activists. I've seen too many news stories about the surveillance state abusing so-called anti terrorist tools and targeting activists who are exercising their right to voice their disagreement with govt policies. Some of the stronger tools and techniques under discussion may also be appropriate for law firms, accountants or even just the technically curious etc.

I also did some 'counseling' work for journalists, activists and the like. It's not that I am particularly against it, it's just that it's definitely not the main target audience in this community. I'm sure there are people who'd like to learn about dead drops, onion services for communication and pinpointing your personal details through analyzing your writing style, but that treads on the realm of tradecraft and classic intelligence/counterintelligence work and really shouldn't be the focus of our groundwork.

It shouldn't be difficult to produce a guide that would be useful to such people without getting into the politics of it and ticking off the "no politics" crowd.

Aye, it probably shouldn't. Nevertheless, it's a shit-ton of work. big_smile


For the rest of the people reading this thread: Please don't be discouraged by the nerd-talk, everybody is welcome to join in on this!


#22 2016-02-07 22:30:20

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 230

Re: Crunchbang Paranoid Security Guide

just hack away at it

I have come to the same conclusion. It's just too big to try to do it all at once and then post. I'd say get some portion of it ready and then post. Let it grow organically from there.

create a new thread for it ... for the sake of cleanliness.

Yeah, that one seemed obvious.  tongue

A pdf or some such guide? Interesting idea, but I think just a forum post would probably be better. It would probably get more use and feedback if people don't have to click a link and download something.

How do we handle communication? Just forum posts or do you want to take it somewhere else

If we keep bashing this out over the forum it'll probably be too much clutter for some folks. Maybe bordering on that now for some. I think just using the PM function provided by the forum will be fine. If we identify something specific that needs a bit of feedback we can still throw it out here in the open for comment.

I spent a couple of hours last night working with some "supposed to be simple" tools for encrypted email. You know, for the KISS part of things. Strangely I found I had more trouble with this than just using the CLI. Go figure. Anyway I'll spend some more time with that tonight. No need to go into detail here. I'll just sort it out.

I think I'm going to do up a list of the things I'm comfortable contributing to and send it to you in a PM along with any other relevant thoughts. This may take me a day or two as I have other projects on the go.

