Poor User's Defences, Basic Anti-Surveillance for Debian

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Poor User's Defences, Basic Anti-Surveillance for Debian

#1 Post by timbgo »

EDIT Sat 27 Dec 13h CET
This wouldn't work out of the box on the newer Apache2 deployment anymore. It's not wrong what you see here, but it is, currently, incomplete.

But there is my new guide which is much more complete and deals with these issues:
#######################################
Air-Gapped Debian Install for Newbies
http://forums.debian.net/viewtopic.php?f=16&t=119648

It also contains a complete guide for serving the local mirror on your own, even only one, computer, not a SOHO.
#######################################
EDIT END
Poor User's Defences
====================

Basic Anti-Surveillance for Debian GNU/Linux
============================================

This is a set of simple non-expert methods of counter surveillance.
It is called Poor User's Defences after the Gospel sense of the word.

It's meant for beginners and intermediate level users.

It is incomplete as yet, but some of the methods of the set have been
fully and completely articulated and even already used by users.

Some notes on general state of GNU/Linux and Surveillance and other
introduction first.

Some of the slow to adhere and apply in the trend to reconquer our
privacy, in this our post-Snowden era, and get the Internet back for
ourselves, seem to be many of the GNU/Linux community...

The slow reverting of the tide is underway, privacy is being
reconquered, backdoors revealed and fought against, but many of the
GNU/Linux community seem to miss in helping the cause of true privacy
and security.

This is my quest to help in reverting the tide and reconquering
freedom for the users.

Yes there is such a thing, there is the GNU/Linux community, because
the fundaments are there and they are immovable! There can hardly
happen such thing in the future that could undo the GNU/Linux being
free and make GNU/Linux become proprietary and become a corporate
means of annoyance like so many and so much in this day (just think
Microsoft or Apple)...

Annoyance and failure of freedom did happen to promising other
projects, such as Java or MySQL, now de facto owned by Larry the big
guy Oracle... But those were so much weaker licences than GNU!

But GNU/Linux will become insipid, boring, and effectively broken and
truly/fully backdoored if we allow the trend of acquiescing to NSA's
wholesale spying to grow. And unfortunately, spying is possible in
most any Debian GNU/Linux of today, it is happening in many, thanks to
various factors, the major of which our dear leader Linus Torvalds
accommodating NSA's own SELinux via LSM (Linux Security Model [or
Modules])...

In the Debian GNU/Linux, we must try and get the Debian leaders to
understand that there is growing demand that the users be offered the
true option of their Debian systems based on Grsecurity patched
kernels...

I have already explained this in some of my other tips but my target
audience is firstly newbies, so pls. suffer some repeating
here. Grsecurity, one word, is often used to mean actually two
programs, not one, a kind of twin pack of two distinct programs,
Grsecurity and Pax, so I'll use that one word to mean so, since
Grsecurity patches to the kernel anyway always include Pax patches to
the kernel.

Users should at least be offered in Debian GNU/Linux distribution, the
different hardening option than the default SELinux hardening, the
sole hardening (let's leave out "armors" and things to keep things
simple). In similar fashion as users of Gentoo distribution are able
to opt for Hardened Gentoo Sources based on pure Grsecurity in Gentoo
GNU/Linux distribution (in Gentoo there is also SELinux available,
but, IIUC, few people opt for it).

As another example, the Ututo GNU/Linux distribution offers probably
even purer Grsecurity hardened Operating System.

Ututo is a Gentoo derivative, no-blobs, truly free (it's Gentoo's
equivalent to Debian's derivative Gnewsense). But anything that is not
U.S. American dominated get their share of subtle
censorship/bashing/other-means applied/addressed/thrown/blocked at
them, so e.g. in my country Croatia (ruled by its traitors these
days) where the great friend of NSA, the GCHQ (the British spy
agency), has its way here as if my country were their own fiefdom, (so
e.g. in my country Croatia) there was no way for me to even access
Ututo GNU/Linux pages for a few months until recently, http://www.ututo.net
and http://www.ututo.org (with plain Iceweasel, or with Tor browser, just the
same, simply no access), pls. somebody report this to the
Argentinians (where Ututo is based), as it could very well be so in
many places in today's "free" Internet world! (Malvinas are
Argentinian soil, by the way!)

I mentioned these distros above as examples, just hoping that Debian
community would regain the original enthusiasm and develop in true
freedom. If it continues to offer itself solely as SELinux based OS,
it is actually fundamentally renouncing on all its true goals since
its inception. Selling its users to corpocracy through the spying
software is not in any way within any of the Debian declared goals, is
it?

Actually I believe there is no honest reason whichsoever to not
compile stock kernel packages for Debian from Grsecurity/Pax patched
kernel, to leave out non-grsec patched kernels out completely, i.e.,
wait for Spender and Pax Team and their friends developers to patch
the Linus's kernel and only then use it, but if that is, as it seems,
unlikely to happen, because the divides between SELinux supporters and
the Grsecurity supporters have grown over time, you, the Debian
leaders, have no ground to effectively ban Grsecurity altogether from
Debian official kernel, and even less are you allowed to bash against
the sole protection users have from spying into their Debian boxes:
the Grsecurity!

I'm trying to help, as I said on top, at start of this post, to help
revert the tide, that up to the Snowden blessed revelations went
behind our back increasingly dominating over our lives with total
surveillance, and the tide has since been reversing and privacy of
users is being restored, slowly slowly in many areas.

I'm trying to help, with my contributions, the fight for privacy to
grow.

Debian is salvageable and could return to its old glory of true
freedom, without those SELinux spyware and such.

That would be best if that happened. But, if you really would incur
financial loss if you did so, you Debian leaders/leading developers
with a major say in decisions...

(I don't follow the scene, only remember that I absolutely didn't like
Stefano Zacchiroli, the former leader, and am still standing by
Christian Marillat and recommend his http://www.deb-multimedia.org in the
dispute that shamefully took away from Christian's repo the Debian
name; it was previously http://www.debian-multimedia.org... I also noticed the
FFmpeg, the real FFmpeg program not being anywhere in Debian official
repos... which can be perfectly understood to be against Debian
declared social contract:

LINK HERE

http://localhost/cgi-bin/dwww/usr/share ... act.txt.gz
pls. this is not a link on the web, I'm working offline while writing
this post and reinstalling my Debian, newbies pls. find below how to
find documents in you offline boxes, if you need to)

========== from:
from: http://localhost/cgi-bin/dwww/usr/share ... act.txt.gz
5. No Discrimination Against Persons or Groups
The license must not discriminate against any person or group of
persons.
==========

That says about the licence. So technically banning FFmpeg from Debian
official repo is somewhat, only somewhat (if you don't allow something
in, even though you don't write any paper/any text saying that you are
banning it, isn't that some kind of licence? isn't a ban, an effectual
ban a kind of a negative licence) arguably not contradicting and
non-conforming to that article of the Debian social contract. But it
is, it absolutely is, against the spirit of it!

But, if you really would incur financial loss if you completely
abandoned SELinux (no I don't mean moneys in the book, no!, but moneys
can flow silently...), if you really would lose who knows what (it
must be some grease that the NSA is promoting its presence in Debian
GNU/Linux's users boxes, it by definition can't be your empty donating
for no interest and no gain, the users over to the NSA)... or if
there's intimidation on the part of the NSA (hey those are really big
guys!, and those agencies, such as CIA and FBI, and sure as sunlight
on a sunshine day, and the NSA, are agencies more powerful than any US
Administration during any mandate of any president lately, those
agencies also kill people occasionally... such as the journalist
Michael Hastings... and maybe also Aaron Schwartz...)

Well, if there would be loss or intimidation for you, then, for the
love of the Good and Happiness of the Universe, at least offer us some
options, to us the users of this Debian free GNU/Linux that had to be,
should be amongst the best and is being dragged through the mud with
this SELinux stinking saga... then keep the SELinux as option, but as
option, and not as imposition, then keep it, but just don't, pls. don't
impose it on users all and any.

It's so hard to extricate oneself from this spyware-Debian which is
the default (because of SELinux in it). I, myself, have taken pains to
learn to get my Debian free for myself through engaging in weeks and
months of study, and now that I compile the kernel in my Debian upon
every new Debian update, I am still not yet there, really safe and
private, although I am in so much better position then if I had stuck
with the stock SELinux kernel.

But I am a user somewhat advanced. And I wonder, if I took huge effort
to get me a Grsecurity Debian, how can a newbie get that much? How can
a newbie, first of all, learn that he has a spyware in his Debian?
With all the nice official talk on SELinux? And how can a newbie get
the other option into his Debian, the so much better because safer
option, the option with so much more hope to get free (remember: no
freedom without privacy), because becoming unsurveilled with it is
close to obtainable, the Grsecurity option? How can a newbie get that
much in his Debian?

In my attempts to help revert the tide against spying and for the
privacy, I was saying, in my quest to revert the tide for the benefit
of true freedom which there isn't any really without privacy, and
there isn't any privacy if there is SELinux...

In my quest, after having had real hard times with my Debian (then
SELinux based) being basically drawn to quarters through silent
intrusion, and having had attackers accessed my SOHO through the box
with the Debian (then SELinux based) installed, but were stopped, the
attackers, in their attempts on the SOHO by Grsecurity protected
kernel in another accessed system of my SOHO, running Hardened Gentoo,
and after having, me, a non-expert, but still a user somewhat
advanced, spent months by now in studying how to work my SOHO network,
mostly offline, without losing data under attack, and still
occasionally use the benefit of the Internet for getting things,
learning things, communicating, through by now much improved
Grsecurity-based Debian that I learned to build, in this quest of mine
which is for my own security but in which quest I also share my
experiences, not only to seek advice, but also to help other users
like me, in this quest I decided that I needed a reinstall, and get my
Debian GNU/Linux under much stricter control from now on.

Because some things did break, and because of a long exposure to
attacks (such as when downloading jigdo DVDs on a connection limited
esp. for me, because I'm often loud critic of my traitor government,
to a fraction of what I pay, I'm talking about my connections
averaging 600 to 640kB/s, just imagine that!), and because I want to
update those who follow my Tips pages here on Debian Forums as well as
on Grsecurity Forums, with better information yet, and better methods
of installing Grsecurity on Debian.

I install Debian on my slow systems (three at this time, that I can
clone each onto other, since same hardware), where compiling Gentoo
would be desperately slow. I chose Debian because of its great past and
the fame that it used to be a distro where developers didn't lie about
bugs, didn't boycott people and built truly free system as gift to the
world of good GNU/Linux users. Alas is that so any more? If only it
were! I wish!

And I'll try and give my advice to newbies to Debian how best to
install it, in view of the predator surveillance in the world of
today. After all these months of use and with all the attacks that I
suffered on it and on my SOHO.

Newbies, you sure need to read the Installation manuals and FAQs and
things, which I did read myself some one year ago when I chose to go
for the Debian. Ah, before the advice, from among the large distros to
choose from, Fedora or SuSE can only be worse of a choice. Ubuntu
seems to me a commercialized derivative of Debian, so
worse... Archlinux and others, haven't much investigated... But
anyway, almost all of these massive user base GNU Linices of this day
suffer, and I can tell only now, I didn't know back then, I studied
some since then, apart from almost all of them suffering from
wholesale or partial SELinux deployment in them or some other inferior
security software, also, once the purging of SELinux is or would be
done in them, which I believe in Debian can be done successfully,
there is still in all of them the lack of choice of binaries compiled
the PIE way...

PIE stands for Position Independent Execution. It is applied in Gentoo
(and my guess is, of course, in Ututo, but from Croatia I had not been
able to access ututo.net or ututo.org in months), and PIE is the one
thing that makes binaries much harder to accommodate for any exploits
by the attacker. PIE is generally mostly sorely missing in most of
massive user base distributions of GNU/Linux of today.

So, go for the Debian if you are a newbie who figured out that NSA
and/or your own country's spy agency wouldn't miss to get into your
box just because it's a GNU/Linux box, and if you perfectly understand
that they do want to be able to control your box just as they can
control most any Windows or Mac boxes. Well, I don't mean they play
with all those boxes all of the time. C'mon. They just want to have
the ability to access and control all of them. Pardon me! All of
us. This is personal, and you should feel personal about it too. But I
can't help my friends Windows or Mac users. It's much more difficult
situation which they are in.

And, as already mentioned, read the Installation manuals, the FAQs,
maybe forums these and those... My tips are not meant to replace any
of all those in any way, shape or form.

But the information in my tips, this one and other of my tips (I'm
writing offline as always, hopefully I'll populate what these tips end
up to be with links and won't have to change the tips further too
much, in the process of that populating with the necessary links), the
information here is what you won't find in the Installation and FAQ
pages, and what I can supplement to those, and I can give that advice
from my documented and published experience (I primarily mean on
Grsecurity Forums, here on Debian Forums, but also in other places
possibly somewhat): how to get your Debian installed with the
Grsecurity protection in its kernel!

First though, I have learned for myself how to get my Debian protected
with Grsecurity only in the major but not complete measure. And that
is through the patches themselves (the easier part, but it's also the,
my guess, 90% or more of the protection that Grsecurity offers, the
Gradm part is kind of filling the holes still left, i.e. supplementing
for the vulnerabilities still left after patching the kernel, but
which can not be accomplished by means of patches).

What I am saying is, there is still more work for me to get the full
Grsecurity's protection of my system, and that is the Gradm part, the
harder part. It is a very important part of Grsecurity's protection,
but I deemed that going public on the problem of the dragging through
the mud of the shiny Debian by immersing it in SELinux as is currently
the case was more important a task, and that I needed to do these tips
of mine on this Debian Forums first. Then, the next time I am able to
dedicate a few days to that, I'll complete my Grsecurity installation
through full Gradm deployment.

The Gradm part is what I keep postponing to do for myself, because it
is my priority to complete the Tips that I developed, because even
though the risk of Gradm deployment missing is serious, I just don't
have the free time that would suffice for the extra work, and my Tips
have found their readers and users, which is gratifying to me, and I
wish so much for a fully Grsecurity hardened Debian GNU/Linux
available in the stock, as default for users, some day!

Readers and users of my Tips, the ones who are not more advanced than
I am, you can, for now, leave out Gradm as well...

Anyway, first of all, if you read from me for the first time, and are
still new to the fight for security-privacy, you need to forget about
any installing from the Internet. It's just not nor can it be
safe. And not just from various governments spy agencies, but any
frickin' blackhat if they feel like and you were in bad luck to get
under their attention, can compromise your system as you are
installing it.

So go and download the jigdo DVDs, to have them all offline before you
ever start installing anything.

LINK HERE jigdo automate

Next, you can find a mirror and rsync the Christian Marillat
deb-multimedia repo. You will get a really good FFmpeg, Vlc, Mplayer
and so many other good programs that are superior IMO to the official
repo counterparts.

LINK HERE deb-multimedia

And now, prepare the system, the HDD, or best, two HDDs for cloning
(there will be more talk about it below) which you will be installing
Debian onto.

If it is a brand new disk (or two of the same model, or at least
capacity, and of similar design), no zeroing (will be explained below)
necessary.

If something else was on it, which you don't need any of it anymore,
then, however long that it may take, zero it all out. All of it.

$ man dd # newbies don't do this before you understand it

$ dd if=/dev/zero bs=4096 of=/dev/that_disk

(where /dev/that_disk can be say /dev/sda if you are doing the
preparation from say systemrescue CD that you booted from a USB (only
if the stick never saw Internet), or from CD proper (slow, but sooo
much safer!), see below, or where that_disk can be sdb or sdc or some
other.

But in case you need some of the partitions of that disk, and you can
afford some particular other partition(s) of the disk for Debian,
then, the that_disk actually needs to be that/those partition(s), such
as sdb1 or hda1 or some other. The point is only in zeroing the
partition(s). Surely you need to know there isn't anything spywise in
the rest of the disk, which is hard to find out, so a new or zeroed
out disk is really best.

But a note is due here. Even after the zeroing out of partitions or a
whole disk that was previously used, there can possibly be, but so
much less of it, snippets of attackers code left in the margins of the
storage, but I'm just not really an expert.

I can tell that my attackers have killed at least one and compromised
at least one of my Ethernet cards on my SOHO, and the issues like that
are for experts to solve, far beyond my modest intellectual reach.

And code injected by the attacker can survive in, say, a ROM that they
flashed in some way, or be it attacker-modified firmware of those
cards and some other places in a computer that was open for them in,
say, long online days and weeks. Also in RAM. The proverbial RAM that
cold boot attacks can get a lot out of... And code could be stored on
reboots there, I guess. But so much less or none can be gotten in
there if you leave the computer with the plug pulled out from the
mains for some half hour before any installation. Do that if your box
was on the internet before you venture with this your new
installation!

I'm showing you in these tips my modest user's defences against
surveillance that I have developed for myself and decided to share
publicly. Again, I am not an expert, just a somewhat seasoned user.

Next, IMO, all those big desktop environments are more trouble
spywise. Opt for LXDE (or XFCE, but I haven't tried it), the
Lightweight eXtensible Desktop Environment. I'm not saying some
traitor hasn't allowed some spyware in some of its components, but
less programs and lighter environment, less room for spyware. Anyway,
you will most easily follow me if you, apart from following my
choices, also have the same arch in your box(es) you plan to install
Debian onto as me (amd64).

I do not remember now, after already having installed it, exactly all
the steps and where to find it, but if you carefully go through the
options offered once you start your installation from the jigdo DVD-1,
you can't miss to find the LXDE option.

Get your system installed... but a note is due here. If you find my tips
on countering surveillance and intrusions useful and decide to follow
up on them and use them with your new system, then you'll be in the
business of backing up and, when or if the need should arise, and it
does, it does, often at such times when you least expect it, restoring
your system from backup. When partitioning, think about that! You need
to know where you install what, so that you can back it up and have a
complete backup, and not miss anything once the necessity arises with
an ugly face staring at you and asking you if you have that system
under your fingertips, which just got b0rked, somewhere and in some
proper way backed up or whether you don't...

You need to decide... While it's easy to choose installing on the
whole disk and let the installer do any with it without you noticing
what it does, or some such, it's probably the stupidest thing to do,
because while it is possible to backup, say, a 2TB disk, it can not
only take a little too long, but also take quite somewhere as big or
almost as big as the disk itself to store that backup... All I am
saying is, choose some partitioning scheme that you can relatively
comfortably live with and which you will know how to backup and
restore.

So, get your system installed, and let me repeat, it is presumed that
you haven't connected to the internet in any moment of the
installation, nor postinstallation. Not prior to disk dumping or
fsarchiver'ing your system (explained later), so you have a backup if
your system is compromised as you venture out where "shadows" are
"taller than our souls" (Led Zeppelin, Stairway to Heaven, some year
in 1970s). So the popcon can wait. That means: don't go for any
internet mirrors whichsoever either. Bluntly pull the plug of the
Ethernet connection out of its socket, gently but unhesitatingly,
before ever starting to install your future system, before any
zeroing. Clean install, from scratch, from zero ground or as close as
possible, is our way!

I did try to enter my local Apache served local mirror, but I couldn't
get the installer to use it, and it's not necessary to go into details
about it, because it is straightforward the installing of the base
system and upon reboot the rest.

So, install the basic system and reboot.

Once you rebooted, it's the turn to use your local mirror.

Namely, it is perfectly possible to deploy a local mirror even on a
standalone system, the one that you are installing Debian onto.

Here's how:

LINK HERE How to Install Debian Offline from Your Local Mirror

And now, sure aptitude or apt-get.

I prefer apt-get.

# apt-get update
# apt-get install [various packages]

(but read the next paragraph first)


Install the packages as you see fit, and let's backup the system,
before ever this system sees any of the internet where more there are
shadows than souls.

Go and download and install (sure you ought already have done so, no
internet before the next step with this new installation of Debian of
yours) on a USB stick the System Rescue CD from http://www.systemrescuecd.org
(or is it net?). That is, only if you are sure the USB stick hasn't
been compromised (happens more than people think, easy target), in
which case, actually in most cases, c'mon one minute longer a problem?
when it's so much more secure!, the CD-ROM is preferable.

You now need to reboot the system into it and disk dump or use
fsarchiver to take the snapshots of your devices that you installed
Debian onto, into somewhere safe.

Once you go to the internet you firstly have to already have taken the
backup of your system. Then you can take risks a little bit by going
places, staying long online, because you know you can recover the
system later from backup.

Actually I sometimes take backups also before some crucial installs,
esp. compilations, and since you, the newbie (I really hope that this
and my other tips get to the attention of as many newbies as there are
who are not afraid of some extra work and who care for the truth in
GNU/Linux and wish for true freedom)... (and since you, the newbie),
my target audience, might not yet be familiar with these methods, you
should take the backup of the whole of your new Debian installation as
well, before compiling the Grsecurity patched kernel.

So let's go! Remember the note about you needing to choose wisely the
partitioning scheme. Now is the time of reckoning! Well, part one
only. Because you will only know absolutely certainly that your backup
was done the right way once it is restored onto a system that for some
reason needed reverting to the old state, the state that the backup
was taken of...

For that exact reason, I have same hardware (in some components it
doesn't have to be, but say same MBO and same partitioning scheme on
same type HDD, it has to be, else it's more complex whether backup can
apply at all). And I will, myself, be able to restore my backup from
this machine that I just installed Debian onto, onto another same MBO,
same (or very similar) HDD type, machine.

Actually, if you're carefully reading my, you must have figured out
that two of the same (or similar, but, best if of same capacity) HDD
drives that you can use, of which one is this one you have just
installed Debian onto, and the other one is where you can restore its
backup onto, can do for you on the same MBO, right! That is, my Poor
User's Defences can perfectly well work on a standalone machine.

Neither is it absolutely indispensable to have two interchangeable
HDD, but that is, really much less extra expenditure and is really
desirable for the deployment of my method!

Upon backing up this installed Debian, we take the entire HDD drive
out, replace the other one into the computer, and restore our backup
onto it!

I hope you got this all clear. So let's do the backup.
====================================================================

Not yet. Maybe next month, God willing. Spent too much time, and actually got a few new Tips completed, but can't finish this one just yet. Have other work to do.
Last edited by timbgo on 2014-12-27 12:03, edited 4 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
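The zeroing and "disk dump" backup steps in the post above, as an added shell example that is not code from the original post: is_zeroed confirms that a disk or partition really reads back as all zeros before Debian goes onto it, and image_partition / verify_image take a raw dd image of a partition with a SHA-256 beside it so a later restore can be checked rather than trusted. Function names are constructed; the demo runs against ordinary files standing in for /dev/sdXN, so it needs no root.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks the post leaves
# to the reader: (1) confirm that a disk or partition really reads back as all
# zeros before Debian goes onto it, and (2) take a raw "disk dump" of a
# partition together with a SHA-256, so a later restore can be verified rather
# than trusted. Function names are constructed. Everything below works on
# plain files standing in for /dev/sdXN, so the demo needs no root.

# is_zeroed PATH
# Succeeds only if every byte of PATH is 0x00. tr strips NUL bytes and head
# takes the first survivor, so the pipeline stops at the first non-zero byte
# instead of reading the whole disk when it is dirty.
is_zeroed() {
    [ "$(tr -d '\000' < "$1" | head -c 1 | wc -c)" -eq 0 ]
}

# image_partition SRC DEST_DIR
# Raw-copies SRC (normally /dev/sdXN; here any file) to DEST_DIR/<name>.img
# with dd, then records its SHA-256 beside it. The restore is the reverse
# copy, dd if=DEST_DIR/<name>.img of=/dev/sdXN, run from the rescue CD.
image_partition() {
    name=$(basename "$1")
    mkdir -p "$2" || return 1
    dd if="$1" of="$2/$name.img" bs=4096 conv=fsync 2>/dev/null || return 1
    ( cd "$2" && sha256sum "$name.img" > "$name.img.sha256" )
}

# verify_image DEST_DIR NAME
# Re-hashes the stored image against its recorded SHA-256; this is the check
# to run before relying on a backup to restore a b0rked system.
verify_image() {
    ( cd "$1" && sha256sum -c --quiet "$2.img.sha256" )
}

# demo: constructed 64 KiB "partition" files instead of real devices.
demo() {
    t=$(mktemp -d)
    dd if=/dev/zero of="$t/clean" bs=1024 count=64 2>/dev/null
    cp "$t/clean" "$t/used"
    # a previously used disk: a few leftover bytes somewhere in the middle
    printf 'leftover' | dd of="$t/used" bs=1 seek=4096 conv=notrunc 2>/dev/null
    for p in clean used; do
        if is_zeroed "$t/$p"; then echo "$p: zeroed"; else echo "$p: NOT zeroed"; fi
    done
    image_partition "$t/used" "$t/backup"
    verify_image "$t/backup" used && echo "backup of used verified"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see both checks on the constructed files; on a real box, substitute the device path you confirmed for the dd command in the post, and keep the .img and its .sha256 on the other HDD or the rescue USB.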

korilius
Posts: 422
Joined: 2012-04-10 00:53
Location: US/IN
Has thanked: 3 times

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#2 Post by korilius »

I didn't and couldn't read everything posted - but I only took away this: grsecurity. And here is Debian's current stance on it.

https://wiki.debian.org/grsecurity

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#3 Post by dasein »

It's the ghost of Ahtiga Saraz!

Wish Craigevil were still around. He'd nuke this blatantly political rant mislabeled as a HOWTO.

4D696B65
Site admin
Posts: 2696
Joined: 2009-06-28 06:09
Been thanked: 85 times

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#4 Post by 4D696B65 »

This is a rant not a how to so moved to offtopic

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#5 Post by n_hologram »

timbgo wrote: [unintelligible opining intensifies...]
gr8 b8 m8, I give it an 8
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

Debian4ever
Posts: 150
Joined: 2013-10-19 22:06

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#6 Post by Debian4ever »

Blimey is that first post a post or a small novel?
Next time save your energy and write a lord of the rings novel or war and peace.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#7 Post by timbgo »

Just a minor sidenote, as I thought of it somewhere else, and not really to the detractors, no, but to good users, poor in the Gospel sense of the word, or good otherwise...
Lo and behold, moved to Offtopic! Good users, no worry! And use your sane judgement, without malice, and let us not be intimidated.
Thank you!
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

confuseling
Posts: 2121
Joined: 2009-10-21 01:03

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#8 Post by confuseling »

This board has a 'no politics' rule.

Obviously that's fuzzy - everything of much significance has some political content, depending how you look at it. You can get away with more in the discussion threads, but the how-tos should remain pretty unambiguously technical - and this isn't.

Frankly I think you should be pleased it just got moved to off topic - most distro's boards would probably have deleted it.
The Forum's search box is terrible. Use site specific search, e.g.
https://www.google.com/search?q=site%3A ... terms+here

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#9 Post by timbgo »

How to transfer files the air-gapped way
========================================

I was Jigdo DVD downloading,
( Scripts to automate jigdo download
http://forums.debian.net/viewtopic.php? ... 03#p540691 )
and opening Iceweasel with all the (many) windows
(which I didn't bookmark before it crashed) would have been overload for my
system on top of it, so I decided to try and browse with a lightweight browser
like Hv3.

There are others such as Dillo (very useful too), but Dillo purposefully has no
Javascript, which I would have needed if I were to post on Debian Forums.

Two machines, same or (very) similar hardware, clone the second of the first.
So first I'll call master, the second slave.

But I don't have it installed, and anyway, I try and keep my master Debian
machine to have all first, so once I clone it onto this slave Debian machine,
this one has all too.

And anyway, the master machine has access to my SOHO with the complete repo
(comprised of Debian Jigdo Testing AMD64 DVDs and deb-multimedia.org archives),
and purposefully doesn't access the internet, to stay reliably secure, while
this slave only accesses internet and not the SOHO at all.

So I get data on it the hard way, the air-gapped way.

Let me demonstrate how it is done: how to know exactly what is needed to install
various packages the air-gapped way when the need arises, as it did to me last night
while downloading, when I decided I needed Hv3.

First I'll install Hv3 onto the master Debian.

Not exactly. First I want to have a complete listing of the archives _before_ I
install it:

    # find /var/cache/apt/archives/ -name '*' >> FIND_`date +%s`

    # apt-cache search hv3

    # apt-get install hv3

and now after I install it:

    # find /var/cache/apt/archives/ -name '*' >> FIND_`date +%s`

The two files I got are:

    root@master:/somewhere# ls -l FIND_1400017*
    -rw-r--r-- 1 root root 109758 May 13 23:44 FIND_1400017463
    -rw-r--r-- 1 root root 110498 May 13 23:45 FIND_1400017525
    root@master:/somewhere#

    $ diff FIND_1400017*

You look at the diff when you have a similar occasion. I forgot to copy it, but I did take the following lines that I used on my terminal, and I know they get me the exact listing of the exact packages I need to air-gap transfer onto the slave system.

EDIT START
No, I didn't have it in the stdin, but yes, I had the files. This post is not clear enough without this
diff:

    $ diff /mnt/sr0/140514/FIND_1400017*
    122a123
    > /var/cache/apt/archives/libtcl8.6_8.6.1-6_amd64.deb
    336a338
    > /var/cache/apt/archives/tcl-tls_1.6+dfsg-3_amd64.deb
    575a578
    > /var/cache/apt/archives/libtk8.5_8.5.15-4_amd64.deb
    585a589
    > /var/cache/apt/archives/libtk-img_1%3a1.4.2-4_amd64.deb
    587a592
    > /var/cache/apt/archives/libsqlite3-tcl_3.8.4.3-1_amd64.deb
    796a802
    > /var/cache/apt/archives/tcllib_1.16-dfsg-1_all.deb
    815a822
    > /var/cache/apt/archives/tcl8.5_8.5.15-4_amd64.deb
    894a902
    > /var/cache/apt/archives/tk8.6_8.6.1-5_amd64.deb
    1248a1257
    > /var/cache/apt/archives/tk_8.6.0+8_amd64.deb
    1280a1290
    > /var/cache/apt/archives/tk-html3_3.0~fossil20110109-4_amd64.deb
    1445a1456
    > /var/cache/apt/archives/libtcl8.5_8.5.15-4_amd64.deb
    1585a1597
    > /var/cache/apt/archives/libtk8.6_8.6.1-5_amd64.deb
    1662a1675
    > /var/cache/apt/archives/hv3_3.0~fossil20110109-4_all.deb
    1717a1731
    > /var/cache/apt/archives/tk8.5_8.5.15-4_amd64.deb
    $

EDIT END
[ $ man bash is your friend ]

    $ for i in `diff FIND_1400017* | grep 'var\/cache' | sed 's/> //' | cut -d'/' -f6` ; do ls -l /var/cache/apt/archives/$i ; done ;

    $ for i in `diff FIND_1400017* | grep 'var\/cache' | sed 's/> //' | cut -d'/' -f6` ; do cp -aiv /var/cache/apt/archives/$i Burn/Apt-hv3.d/ ; read FAKE ; done ;

    $ for i in `diff FIND_1400017* | grep 'var\/cache' | sed 's/> //' | cut -d'/' -f6` ; do sha256sum  /var/cache/apt/archives/$i Burn/Apt-hv3.d/$i ; read FAKE ; done ;

That isn't really necessary, but it's nice, and quick once you get the knack, to check those checksums.

Also, all that the read FAKE ; does is wait for you to see whether the two lines have the same checksum, which, like two soldiers of similar stature standing side by side, you can see with the naked eye if the uniform is exactly the same:

This is the output:

    ...[snip]...
    8128dfb2b6c6b361b92cf6616ef00527029281635357494c3451963223efac1c  /mnt/sr0/hv3_3.0~fossil20110109-4_all.deb
    8128dfb2b6c6b361b92cf6616ef00527029281635357494c3451963223efac1c  /var/cache/apt/archives/hv3_3.0~fossil20110109-4_all.deb

Here it waits for you to Enter... And then:

    89741e2d02871f8c995b319584aa761d258a954dafe0c97bec4d807bbd4aec5c  /mnt/sr0/libsqlite3-tcl_3.8.4.3-1_amd64.deb
    89741e2d02871f8c995b319584aa761d258a954dafe0c97bec4d807bbd4aec5c  /var/cache/apt/archives/libsqlite3-tcl_3.8.4.3-1_amd64.deb

and so on. That's quick.

And now here's what is needed on the slave machine to install hv3 air-gapped way:

    me@master:somewhere/Burn/Apt-hv3.d$ ls -l
    total 7860
    -rw-r--r-- 1 root root  189936 Apr 14 16:18 hv3_3.0~fossil20110109-4_all.deb
    -rw-r--r-- 1 root root   82794 Apr 10 22:45 libsqlite3-tcl_3.8.4.3-1_amd64.deb
    -rw-r--r-- 1 root root  728138 Mar  8 10:38 libtcl8.5_8.5.15-4_amd64.deb
    -rw-r--r-- 1 root root  950800 Mar  8 10:38 libtcl8.6_8.6.1-6_amd64.deb
    -rw-r--r-- 1 root root  734032 Mar  8 10:38 libtk8.5_8.5.15-4_amd64.deb
    -rw-r--r-- 1 root root  749864 Mar  8 10:38 libtk8.6_8.6.1-5_amd64.deb
    -rw-r--r-- 1 root root  133648 Dec 15 18:20 libtk-img_1%3a1.4.2-4_amd64.deb
    -rw-r--r-- 1 root root   58466 Mar  8 10:38 tcl8.5_8.5.15-4_amd64.deb
    -rw-r--r-- 1 root root 3944340 Feb 12 10:34 tcllib_1.16-dfsg-1_all.deb
    -rw-r--r-- 1 root root   59910 May 29  2012 tcl-tls_1.6+dfsg-3_amd64.deb
    -rw-r--r-- 1 root root  106242 Mar  8 10:38 tk8.5_8.5.15-4_amd64.deb
    -rw-r--r-- 1 root root    5388 Mar  8 10:43 tk_8.6.0+8_amd64.deb
    -rw-r--r-- 1 root root   70972 Mar  8 10:38 tk8.6_8.6.1-5_amd64.deb
    -rw-r--r-- 1 root root  203230 Apr 14 16:18 tk-html3_3.0~fossil20110109-4_amd64.deb
    me@master:/somewhere/Burn/Apt-hv3.d$

So let's burn it. Growisofs on Debian is a blessing:

mistake in the following line included:

    growisofs -Z /dev/sr0 -R -J Burn/Apt-hv3.d/

-Z the first time, and then every next time instead of -Z:

    -M

until the DVD becomes full.

Sure, I was distracted, I thought I couldn't go wrong, and now I have on this
DVD what I don't recommend you allow yourself to have. Mess guaranteed.

The command should have been:

    $ growisofs -M /dev/sr0 -R -J Burn/

and then I would have it in a separate directory on the DVD, and not scattered in
among the future folders.

Because moving data in this air-gapped way is laborious but cheap, relatively,
a DVD lasts a long time. Hundreds of installs like this one.

So let's finish this install.

What I now need to do is simply mount the DVD on the slave system:

    root@slave:/somewhere# cp -iav /mnt/sr0/*.deb /var/cache/apt/archives/
    ‘/mnt/sr0/hv3_3.0~fossil20110109-4_all.deb’ -> ‘/var/cache/apt/archives/hv3_3.0~fossil20110109-4_all.deb’
    ...[snip]...

    root@slave:/somewhere# for i in `ls -1 /mnt/sr0/ | grep '\.deb'`; do sha256sum /mnt/sr0/$i /var/cache/apt/archives/$i ; done ;
    8128dfb2b6c6b361b92cf6616ef00527029281635357494c3451963223efac1c  /mnt/sr0/hv3_3.0~fossil20110109-4_all.deb
    8128dfb2b6c6b361b92cf6616ef00527029281635357494c3451963223efac1c  /var/cache/apt/archives/hv3_3.0~fossil20110109-4_all.deb
    89741e2d02871f8c995b319584aa761d258a954dafe0c97bec4d807bbd4aec5c  /mnt/sr0/libsqlite3-tcl_3.8.4.3-1_amd64.deb
    89741e2d02871f8c995b319584aa761d258a954dafe0c97bec4d807bbd4aec5c  /var/cache/apt/archives/libsqlite3-tcl_3.8.4.3-1_amd64.deb

    ...[snip]...

    root@slave:/somewhere#

I didn't need to be root for that checking, but it didn't matter so much.

Sure, now that you have the packages, just:

    root@slave:/somewhere# apt-get install hv3

But Hv3 didn't really help; it does have problems with encodings. The air-gapped method, however, I hope people
will find useful.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
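
The procedure in post #9 (snapshot the apt cache before and after the install, diff the two listings, copy the new .deb files to the burn directory, compare SHA-256 sums there and again on the slave side) as an added shell example; this is not the poster's own commands and not Debian's tooling. Each step is a function that returns an exit code, so a checksum mismatch fails the run instead of depending on eyeballing two lines in the terminal. The cache paths and package names in the demo functions are constructed under a temporary directory; `sha256sum` is the coreutils tool used in the post, with `shasum -a 256` assumed as a fallback where coreutils is absent.

```shell
#!/bin/sh
# Added example, not the poster's own commands: the air-gapped .deb transfer
# from post #9, with each step as a function that returns an exit code.
# All paths and package names in the demo functions are constructed.

# SHA-256 of one file (coreutils sha256sum as in the post; shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Packages present in the AFTER listing of the apt cache but not in BEFORE.
# Prints bare file names, so it works for any cache path (the post's
# `cut -d'/' -f6` assumes the cache sits exactly at /var/cache/apt/archives/).
new_debs() {
    grep -v -x -F -f "$1" "$2" | grep '\.deb$' | sed 's|.*/||'
}

# Compare the checksum of every package named in LIST between SRC and DST.
# Returns 0 only if every pair matches; a missing or altered copy returns 1.
verify_copies() {
    src="$1"; dst="$2"; list="$3"; bad=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ -f "$dst/$name" ] &&
           [ "$(sha256_of "$src/$name")" = "$(sha256_of "$dst/$name")" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2
            bad=1
        fi
    done < "$list"
    return $bad
}

# Copy the listed packages from SRC to DST (the post's cp -a loop), then verify.
copy_and_verify() {
    mkdir -p "$2" || return 1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        cp -a "$1/$name" "$2/$name" || return 1
    done < "$3"
    verify_copies "$1" "$2" "$3"
}

# Whole flow on constructed data: before/after listings, diff, burn directory,
# then the slave-side copy. Returns 0 when both verifications pass.
run_demo() {
    work=$(mktemp -d) || return 1
    cache="$work/archives"; burn="$work/Burn/Apt-hv3.d"; slave="$work/slave-archives"
    mkdir -p "$cache"
    printf 'already cached\n' > "$cache/libc6_2.19-1_amd64.deb"       # constructed
    find "$cache" > "$work/FIND_before"
    printf 'fake hv3\n' > "$cache/hv3_3.0~fossil20110109-4_all.deb"    # "installed" now
    printf 'fake tk-html3\n' > "$cache/tk-html3_3.0~fossil20110109-4_amd64.deb"
    find "$cache" > "$work/FIND_after"

    new_debs "$work/FIND_before" "$work/FIND_after" > "$work/needed.list"
    [ "$(wc -l < "$work/needed.list" | tr -d ' ')" -eq 2 ] || { rm -rf "$work"; return 1; }

    copy_and_verify "$cache" "$burn" "$work/needed.list" || { rm -rf "$work"; return 1; }
    copy_and_verify "$burn" "$slave" "$work/needed.list" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# A corrupted copy (bad burn, bad read) must be caught: returns 0 when
# verify_copies reports the mismatch.
tamper_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src"
    printf 'good\n' > "$work/src/pkg_1.0_all.deb"                    # constructed
    echo 'pkg_1.0_all.deb' > "$work/list"
    copy_and_verify "$work/src" "$work/dst" "$work/list" || { rm -rf "$work"; return 1; }
    printf 'bad\n' > "$work/dst/pkg_1.0_all.deb"
    if verify_copies "$work/src" "$work/dst" "$work/list" 2>/dev/null; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}
```

To use it on real listings, source the file and run `new_debs FIND_before FIND_after > needed.list`, then `copy_and_verify /var/cache/apt/archives Burn/Apt-hv3.d needed.list` on the master and `verify_copies /mnt/sr0 /var/cache/apt/archives needed.list` on the slave after the copy; a non-zero exit means at least one package did not survive the trip intact and should not be installed.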

Linadian
Posts: 490
Joined: 2013-12-20 15:25
Location: In a systemd free distro

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#10 Post by Linadian »

confuseling wrote:This board has a 'no politics' rule. Obviously that's fuzzy - everything of much significance has some political content, depending how you look at it. You can get away with more in the discussion threads, but the how-tos should remain pretty unambiguously technical - and this isn't. Frankly I think you should be pleased it just got moved to off topic - most distro's boards would probably have deleted it.
You've got that right, I've been banned for way less than that. Out of all the forums I've been to/belong to, this one still has a bit of a 'wild west' feel to it, 'gunslingers' and all, lol. :lol: :shock: :wink:
Linux Registered User 533946

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#11 Post by timbgo »

Readers of my Tips,
and I am addressing readers who read them to try and find useful information in them, if I may,

I have wished to show how I manage to stay afloat with my systems, and how I restore them clean from backup, and I started this tip for that purpose.

It is now probably much more difficult to do it here, so, if I may, and I am sure no one good willing person will say that I may not (but maybe some are not such), I'd like to point you to some information in that regard, that you can use, as regards backing up your system to have available the option to restore them from backup, which I have tried, in the Gospel sense of the word, to name:

Poor User's Defences.

Here, in the second part of this topic in Gentoo Forums, you can draw some general information how to backup or clone your system:

( the top title: Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider )
The Backup/Cloning Method in Poor User's Security
https://forums.gentoo.org/viewtopic-t-9 ... ml#7613044

Cheers!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

RU55EL
Posts: 546
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#12 Post by RU55EL »

timbgo wrote:[...] in the Gospel sense of the word, to name:

Poor User's Defences. [...]
I don't get it...are you talking about religion or defenses?

http://en.wikipedia.org/wiki/Gospel

Randicus
Posts: 2663
Joined: 2011-05-08 09:11

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#13 Post by Randicus »

The OP is way too long for me to read, but I did skim through it to get an idea of what it is about. I saw tips to increase security, not a rant. I did not scrutinise the tips, so do not know how good or bad the advice is, but at this point my impression is that timbgo has earned a reputation as a ranter, so anything he posts is dismissed as a rant.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#14 Post by timbgo »

Randicus wrote:The OP is way too long for me to read, but I did skim through it to get an idea of what it is about. I saw tips to increase security, not a rant. I did not scrutinise the tips, so do not know how good or bad the advice is, but at this point my impression is that timbgo has earned a reputation as a ranter, so anything he posts is dismissed as a rant.
Thanks Randicus, that's enough of a pass for me 8)
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

RU55EL
Posts: 546
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#15 Post by RU55EL »

timbgo wrote:Poor User's Defences
====================

Basic Anti-Surveillance for Debian GNU/Linux
============================================

This is a set of simple non-expert methods of counter surveillance.
It is called Poor User's Defences after the Gospel sense of the word.

[...]
I find the OP very confusing. The post starts with the above title including "Anti-Surveillance" but then mentions counter surveillance. Is this about protecting yourself and your computer system, or about spying on someone else? Then the reference to the Gospel? I'm sorry, too confusing for me.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#16 Post by timbgo »

RU55EL wrote:
timbgo wrote:Poor User's Defences
====================

Basic Anti-Surveillance for Debian GNU/Linux
============================================

This is a set of simple non-expert methods of counter surveillance.
It is called Poor User's Defences after the Gospel sense of the word.

[...]
I find the OP very confusing. The post starts with the above title including "Anti-Surveillance" but then mentions counter surveillance. Is this about protecting yourself and your computer system, or about spying on someone else? Then the reference to the Gospel? I'm sorry, too confusing for me.
You are right, to some extent, about "counter". My wrong use of the word. I didn't mean what the word implies. Just preventing surveillance, not surveilling others; I abhor the sole notion of it.
As far as the Gospel goes, my religion is like anyone else's views, admitted as long as it doesn't obstruct the matter I talk about, which it doesn't, just as the little cross around a neck doesn't prevent a person from participating in a discussion. Pls. leave that to my own decision. Thank you.
EDIT: Pls. leave the decision (actually the freedom) what to name my method to me.
Last edited by timbgo on 2014-09-09 22:06, edited 2 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

RU55EL
Posts: 546
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#17 Post by RU55EL »

timbgo wrote:[...]
As far as the Gospel goes, my religion is like anyone else's views, admitted as long as it doesn't obstruct the matter I talk about, which it doesn't, just as the little cross around a neck doesn't prevent a person from participating in a discussion.
Again, you have me totally confused! Your religion is nothing like my views! If you want to discuss computer operating system - OK. If you want to discuss religion, I don't think this is the place. I don't see any cross around your neck, I only see the text that you post.
timbgo wrote:Pls. leave that to my own decision. Thank you.
What is Pls? Leave what to your own decision? Sorry, but this confuses me. There is really no point in continuing this discussion further. Sorry, but it will only confuse me.

Linadian
Posts: 490
Joined: 2013-12-20 15:25
Location: In a systemd free distro

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#18 Post by Linadian »

RU55EL wrote:What is Pls?
Usually shorthand for 'please', but this isn't a text on a phone so I don't see the point of it either.
Linux Registered User 533946

timbgo
Posts: 265
Joined: 2013-04-14 12:17

#19 Post by timbgo »

I wonder what to do now with this tip.

It is a tip, and it's been ruined, really, by people who otherwise do good things in Gentoo, and whom I respect, like dasein, who is Osamu Aoki, the author of the superb Debian Reference Guide, IIUC, and the other one whom I don't know, who actually moved it Offtopic.

Now, people are reading this, and making all kinds of necessary and unnecessary comments...

And that's not conducive to writing anything, if you get distracted without a reason...

The kid, RUSSELL, that must be a kid, browsing with parental consent (how could a grown-up Anglo-Saxon not know what "Pls." means?), and that is really marvelous of a parent to teach their kids Debian GNU/Linux!...

The kid made me actually want to try and improve the first post, that I left uncompleted for too long...

I wish I will be able to find time to do it.

No, I won't touch the old one, because then it wouldn't be clear what and why what happened. I do agree that there were reasons for objecting to the post. But not that many!

I intend to keep the name and the very short explanation of what the name of my method means, but to call that politics, the name of the method and those, I'm counting, altogether
eleven words, three the name, eight the explanation...

To call that politics, is really a gross exaggeration.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Poor User's Defences, Basic Anti-Surveillance for Debian

#20 Post by timbgo »

For you people who are waiting to read more on my method, which is suitable even for newbies, well, somewhat obstinate newbies like I was, who don't easily give up, and don't easily believe honey-speaking big guys, be they even leaders, this is a fine read for you:

Why is Gentoo not switching to systemd?
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624042
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624044

So far so good, the article, which those are two parts of, appears to be as I posted it, and available. That is not absolutely certain to remain, depends on which side in, generally FOSS Linux, the good honest and truthful one, or the opposite one, will carry more clout in the future at deciding things. To be on the safe side, if you like what you read, save those pages for yourself. Surely if you begin to feel those might be tl;dr, pls. just don't read those!

A lot is there that hardly anyone will tell you, and you, don't just believe what I say there, you decide if I write the truth there.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
