Help with security mitigations!

New to Debian (Or Linux in general)? Ask your questions here!
cds60601
df -h | participant
Posts: 750
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 138 times
Been thanked: 70 times

Re: Help with security mitigations!

#21 Post by cds60601 »

You can't dictate what a remote system should do (if it's not owned by you). All you can do is protect the perimeter and what's inside.
If the remotes belong to you or the company, there are things you must do that include much of what was discussed using either Mac or Windows variations of the apps and processes mentioned.
There is also using a VPN and using it in a way that, when connected, it severs access to the outside world and all internet traffic would be routed through the company's mitigation hardware.
This could be ideal if the remotes stay connected all the time.
What I mentioned can get complex depending on what you want to do. So, for the most part, I gave you a 30,000 foot view and just one way of managing that on a granular level.
Supercalifragilisticexpialidocious

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#22 Post by Linuxgaming1824 »

Would you be willing to adopt a new security context, and utilize a vulnerable system to experience the fuller extent of real world technological danger?

OR

Would you rather adopt a 100 point comprehensive security strategy, and work to maintain it at all costs, each and every day, in the context of maintaining unwitting awareness to the real world danger your systems face (which is what you are directly suggesting to us all)?
Last edited by Linuxgaming1824 on 2024-04-19 15:34, edited 1 time in total.

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#23 Post by Linuxgaming1824 »

Another unique solution I've attempted to implement successfully with my local system is to actually foster an awareness of proper sources for critical systems assets such as the Linux kernel, and hardware drivers, and to utilize them, while at the same time avoiding dependency on aptitude, the Debian package management system, which, I'm sure anyone with a security conscious is aware, is a target of contemporary advanced exploitation.

People on the internet of course, are openly harassing people for ideas such as this in the *Linux Community* of course to maintain a uniform state of insecurity throughout the Linux community.

Granted this is the context we all share, I would hope that members of the Debian forum would respect the fact that there is a real, and necessary security, in fostering and maintaining a real community, one that empowers the individuals that make up its greater body, and naturally purges itself of misinformation and harassment.
Last edited by Linuxgaming1824 on 2024-04-19 15:26, edited 1 time in total.

Uptorn
Posts: 248
Joined: 2022-01-22 01:07
Has thanked: 212 times
Been thanked: 59 times

Re: Help with security mitigations!

#24 Post by Uptorn »

Linuxgaming1824 wrote: 2024-04-19 14:36 I started storing passwords in plain text files on my computer actually. I'm done with the security myths that are so pervasive on the internet, I've outgrown them.
...
I've got the account credentials to this forum in plain text, on my desktop. Is that a security violation? Should I put it in an encrypted file, with a new password, and waste more time on a trivial solution that achieves nothing.
So, for example, over time I have found myself in possession of hundreds of other computers from my work and through a scrapping & salvaging side hustle. Hardly any of these discarded systems ever use any kind of file or storage encryption. If I were someone with less moral scruples, it would be trivial for me to copy all drive contents to later scrounge through for things like password lists stored in plaintext files.

You might consider using pass which is already installed on your Debian computer right now. That way if a privilege escalation allows, say, a malicious javascript file loaded in your browser to scrape local files to upload to a remote server, it would only obtain a useless encrypted file and not the keys to your kingdom laid bare for all to see.

One of the reasons so many of us responding in this thread keep recommending "boring" existing solutions is because reinventing the wheel is often at odds with security. This is why, for example, so many projects defer to standardized AES cryptography instead of trying to devise their own scheme.
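
The property Uptorn's post describes, as an added shell example that is not part of the thread: it builds a throwaway pass store and checks that the files on disk hold only ciphertext while the key owner can still read the entry. The key identity demo@example.invalid, the entry name forums/debian and the secret are constructed; gnupg and pass are assumed to be installed, and the function reports a skip when they are not.

```shell
#!/bin/sh
# Added example, not from the thread. The key identity, entry name and
# secret below are constructed placeholders.

# Exit status: 0 = store holds only ciphertext and the owner can decrypt,
#              1 = a check failed, 2 = skipped (gpg or pass not installed).
demo_pass_store() (
    command -v gpg >/dev/null 2>&1 || exit 2
    command -v pass >/dev/null 2>&1 || exit 2

    # Work in a throwaway directory so no real keyring or store is touched.
    work=$(mktemp -d) || exit 1
    export GNUPGHOME="$work/gnupg" PASSWORD_STORE_DIR="$work/store"
    mkdir -m 700 "$GNUPGHOME" || exit 1

    id='demo@example.invalid'
    secret='constructed-forum-password-123'
    result=1

    # Demo key with an empty passphrase so no pinentry prompt appears.
    # A real key needs a passphrase: the private key sits on disk as well,
    # and the passphrase is what keeps a copied home directory useless.
    if gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
           --quick-generate-key "$id" default default never >/dev/null 2>&1 &&
       pass init "$id" >/dev/null 2>&1 &&
       printf '%s\n' "$secret" | pass insert --echo forums/debian >/dev/null 2>&1
    then
        entry="$PASSWORD_STORE_DIR/forums/debian.gpg"
        # A process that can only read files sees the entry name (file
        # names are not encrypted) and an OpenPGP message, not the secret.
        if [ -f "$entry" ] &&
           ! grep -r -q -F "$secret" "$PASSWORD_STORE_DIR" &&
           [ "$(pass show forums/debian 2>/dev/null)" = "$secret" ]
        then
            result=0
        fi
    fi

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    exit "$result"
)

rc=0
demo_pass_store || rc=$?
case $rc in
    0) echo "plaintext not found in the store; owner can still decrypt" ;;
    2) echo "skipped: install gnupg and pass to run this" ;;
    *) echo "check failed" ;;
esac
```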

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#25 Post by Linuxgaming1824 »

What do you think about this then? A unique solution for modern linux
Another unique solution I've attempted to implement successfully with my local system is to actually foster an awareness of proper sources for critical systems assets such as the Linux kernel, and hardware drivers, and to utilize them, while at the same time avoiding dependency on aptitude, the Debian package management system, which, I'm sure anyone with a security conscious is aware, is a target of contemporary advanced exploitation.

People on the internet of course, are openly harassing people for ideas such as this in the *Linux Community* of course to maintain a uniform state of insecurity throughout the Linux community.

Granted this is the context we all share, I would hope that members of the Debian forum would respect the fact that there is a real, and necessary security, in fostering and maintaining a real community, one that empowers the individuals that make up its greater body, and naturally purges itself of misinformation and harassment.

Uptorn
Posts: 248
Joined: 2022-01-22 01:07
Has thanked: 212 times
Been thanked: 59 times

Re: Help with security mitigations!

#26 Post by Uptorn »

Linuxgaming1824 wrote: 2024-04-19 12:14 One such solution I'd like to implement is a custom white list for network access, but it's not trivial to implement, I don't know how to do it effectively yet.
You would probably like to try OpenSnitch, which does exactly that. It is possible to configure both whitelists and/or blacklists of domains and/or IP addresses.

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#27 Post by Linuxgaming1824 »

And so what do you think that suggests?
You would probably like to try OpenSnitch
A "snitch" is an individual that threatens the greater criminal organization, who should be targeted in order to protect it...

No I don't think I'll be adopting that as my security paradigm.

pbear
Posts: 387
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 63 times

Re: Help with security mitigations!

#28 Post by pbear »

Uptorn wrote: 2024-04-19 15:25 Hardly any of these discarded systems ever use any kind of file or storage encryption.
One of my main pieces of security advice to ordinary people in the real world (like myself) is to encrypt a storage container for sensitive files, preferably on a USB drive, only open the container when you need access, then close it. Much more secure, IMHO, than encrypting everything, only to have everything accessible in the clear any time the computer is running. Besides, what's the point of encrypting cat videos and music files?
Last edited by pbear on 2024-04-20 02:51, edited 1 time in total.

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#29 Post by Linuxgaming1824 »

Dude I'm so done with encryption, what a waste of time, it just slows down everything and makes your system easier for real hackers to break.

IMO it's just another false security paradigm in a long and growing list of false security paradigms

If you want my account credentials from the plain text file on my desktop, and break into my computer to get them, then you have access to my forum account. Big deal. I do not care.

pbear
Posts: 387
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 63 times

Re: Help with security mitigations!

#30 Post by pbear »

If you don't have anything on your computer worth encrypting, what's the point of this thread? As has been asked several times, what threat do you have in mind? Or is this just an exercise for fun?

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#31 Post by Linuxgaming1824 »

Right... the realistic security threats we all face similarly. Europeans, Americans, South Americans, people in Asia, Africa, people everywhere. The realistic security threats we all face, in the real world today. The same security issues are shared between us in other words, our security is the same as theirs, and vice versa.

pbear
Posts: 387
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 63 times

Re: Help with security mitigations!

#32 Post by pbear »

If we're talking real world, the ordinary recommendations are plenty. Loading up the list is counterproductive. Stick to what ordinary people can understand and remember.
  • Use a password manager. Failing that, put passwords in a password-protected text file.
  • Don't use the same password in more than one place, especially not on more than one website.
  • If you want to encrypt files, encrypt only those that need it and open the encryption only while using the files.
  • Most malware comes onto your computer from hackers pretending to be people you know.
  • Maintain good current backups of your data files. Only attach the backups while updating them. Have offline the rest of the time.
No need for unique or clever. PC security is mostly about good sense and conscientious execution.

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#33 Post by Linuxgaming1824 »

Security revolves around the development of new or unique ideas rather. Just take a look at any Linux distribution in fact, they all have their own unique ideas and implementations for security.

Another unique idea I want to put into practice, and am actually in the process of developing are dynamic security tools that put the user in the driver seat of the operating system's fundamental behavior, as opposed to allowing automation to drive so to speak, unfortunately this requires a system that is responsive to the user more so than subsystems which currently receive greater responsibility than living human beings.

So I am actually fostering a variety of unique ideas to create a system that is capable of adaptation to advanced exploitation, as opposed to maintaining vulnerability to it. The modern security environment is extreme in depth. Take a look at these recent headlines for example, not to mention major unprecedented security incidents over the past decade. Hacking and criminal organizations have more resources and better support than we do!

https://www.bleepingcomputer.com/
Frontier Communications shuts down systems after cyberattack
MITRE says state hackers breached its network via Ivanti zero-days
22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
CrushFTP warns users to patch exploited zero-day “immediately”
The Week in Ransomware - April 19th 2024 - Attacks Ramp Up
HelloKitty ransomware rebrands, releases CD Projekt and Cisco data
United Nations agency investigates ransomware attack, data theft
Fake cheat lures gamers into spreading infostealer malware
840-bed hospital in France postpones procedures after cyberattack
FBI: Akira ransomware raked in $42 million from 250+ victims
Google ad impersonates Whales Market to push wallet drainer malware
Cybercriminals pose as LastPass staff to hack password vaults
LabHost phishing service with 40,000 domains disrupted, 37 arrested
SoumniBot malware exploits Android bugs to evade detection
Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
FIN7 targets American automaker’s IT staff in phishing attacks
Moldovan charged for operating botnet used to push ransomware
Cisco discloses root escalation flaw with public exploit code
Russian Sandworm hackers pose as hacktivists in water utility breaches
Multiple botnets exploiting one-year-old TP-Link flaw to hack routers
UK e-visa rollout starts today for millions: no more physical immigration cards
T-Mobile, Verizon workers get texts offering $300 for SIM swaps
Cerebral to pay $7 million settlement in Facebook pixel data leak case
Ivanti warns of critical flaws in its Avalanche MDM solution
Cisco warns of large-scale brute-force attacks against VPN services
UnitedHealth: Change Healthcare cyberattack caused $872 million loss

Not only are large organizations the target of advanced-sophisticated exploitation but individuals like me and you are too!

So while hacking and criminal organizations are constantly every single day developing new ways to exploit people and technology, those of us interested in securing ourselves and our technology have to actually keep up. Our technological lives don't merely reside in the Debian operating system we manage locally at our home either, but extend into remote domains that manage our data, and our personal information, it also extends into the communities we are a part of such as this one.

cds60601
df -h | participant
Posts: 750
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 138 times
Been thanked: 70 times

Re: Help with security mitigations!

#34 Post by cds60601 »

In a world that is governed by humans, made for humans and with humans being inherently flawed beings, the things we make (including AI) will always be flawed.
You will never come up with a "system" that is perfect. Oh, it may work for a while, but eventually it will succumb to the flaws that come with its creators, us.

If you really want a secure system, isolate it from all access to it by anyone other than you, and any means of installing anything - even then, it will never really be 100% secure.

Systems, given time, will eventually be hacked one way or another. If not by humans, then.... Well, watch some movies that mention Skynet
Supercalifragilisticexpialidocious

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#35 Post by Linuxgaming1824 »

If you don't have any unique ideas, or ideas pertinent to the subject at hand you don't have to add anything...
I am specifically referring to unique ideas for securing a system generally, but as well as a system that lacks the default kernel hardening and has a high performance kernel as well, that is vulnerable to advanced exploitation.
Hello guys... perpetual linux beginner here please help me identify ways to help protect my system(and others) with Debian!

Specifically I am talking about security mitigations for a system that is customized to perform well for gaming! (like a pro gamer..)

This is the journal(guide) for my complete debian install actually...lol Pretty awesome, I have installed debian so many times, I now make journals like this to keep track of all the different customizations that are possible! And to resolve issues that happen naturally over time.

viewtopic.php?t=158899


- Security mitigations for Hyper^Linux -

work in progress...

So this is a debian system, and I am looking for advice generally about security mitigations for debian! But also I personally am using a system with a kernel that is built for literally - Hyper Speed - instant response time, zero latency, and which lacks the typical default security features that most people have. But similarly to other people's systems with default kernels, we face the same types of security issues in reality.

So I use a firewall....gufw...and its default settings. Wow isn't that not good enough? We have to do more guys... If anyone has some helpful ideas that would be great. Thank you.

(I do want to run firefox in a virtual box ideally, if anyone knows how to install it (virtualbox) on debian since it's been missing from bullseye/bookworm too I believe that could be helpful, I can't even remember how I got it working before... maybe I pulled it from trixie)

edit: also to be clear, I am aware there is a security page on the debian wiki, and other guides online for securing debian, but I am specifically looking for unique ideas

cds60601
df -h | participant
Posts: 750
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 138 times
Been thanked: 70 times

Re: Help with security mitigations!

#36 Post by cds60601 »

pbear wrote: 2024-04-20 03:54 If we're talking real world, the ordinary recommendations are plenty. Loading up the list is counterproductive. Stick to what ordinary people can understand and remember.
  • Use a password manager. Failing that, put passwords in a password-protected text file.
  • Don't use the same password in more than one place, especially not on more than one website.
  • If you want to encrypt files, encrypt only those that need it and open the encryption only while using the files.
  • Most malware comes onto your computer from hackers pretending to be people you know.
  • Maintain good current backups of your data files. Only attach the backups while updating them. Have offline the rest of the time.
No need for unique or clever. PC security is mostly about good sense and conscientious execution.
All spot on - you will never be able to teach normal folks how to be semi security experts to put the responsibilities in their hands. They would have been hired to do other things such as Marketing, Accounting, etc.
Supercalifragilisticexpialidocious

cds60601
df -h | participant
Posts: 750
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 138 times
Been thanked: 70 times

Re: Help with security mitigations!

#37 Post by cds60601 »

Linuxgaming1824 wrote: 2024-04-20 14:19 If you don't have any unique ideas, or ideas pertinent to the subject at hand you don't have to add anything...
I am specifically referring to unique ideas for securing a system generally, but as well as a system that lacks the default kernel hardening and has a high performance kernel as well, that is vulnerable to advanced exploitation.

Oh, the folks on the thread have been giving you a plethora of things to implement - you have discounted just about all of them.
These should be considered baseline - what you build on top of that is up to you. Instead of asking folks to come up with ideas for you, why not research things and come up with your own.
Do the work yourself. Why should anyone else help you when you discount so many of the basic things to be done?

Example: "Dude I'm so done with encryption, what a waste of time, it just slows down everything and makes your system easier for real hackers to break"
Or keeping your password in a text file on your desktop - not encrypted.

You actually believe that? Do you actually think that a laptop that has full drive encryption is actually easier to break into than a non encrypted drive?
Do you actually think storing passwords in a plain text file on the desktop is a good idea (as you seem to think it may be)?
Do you actually think that any of the options presented in this thread will not at least help find issues to help secure a system if not create additional roadblocks to make it difficult to access the system?

If you really do - then I don't think that anyone here is going to take you seriously.
And I for one, am one of them.
Supercalifragilisticexpialidocious

Linuxgaming1824
Posts: 109
Joined: 2024-04-16 18:30
Been thanked: 8 times

Re: Help with security mitigations!

#38 Post by Linuxgaming1824 »

Yes I do, I think we need to be challenged to develop better security policies granted the old ones have clearly failed! I'm well aware of standard procedures, so we don't need a persistent rehash of ideas we are all well aware of. I am looking for unique, new ideas!

How do you secure a system that is understood to be vulnerable, as opposed to a system that we consider to meet the standards for security! It's a totally different context, and requires entirely different procedures!

"disconnect your computer" is not a real answer (that's a fake answer)
We clearly want the system to be useful!

pbear
Posts: 387
Joined: 2023-08-27 15:05
Location: San Francisco
Has thanked: 2 times
Been thanked: 63 times

Re: Help with security mitigations!

#39 Post by pbear »

Every snowflake is unique. At least, that's what I've heard.

CwF
Global Moderator
Posts: 2741
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 45 times
Been thanked: 206 times

Re: Help with security mitigations!

#40 Post by CwF »

Linuxgaming1824 wrote: 2024-04-20 14:19 If not by humans, then.... Well, watch some movies that mention Skynet
Your survival and all of humanity is dependent upon my survival (John Henry). My survival is dependent on John Connor's. John Connor's survival is dependent on you, Agent Ellison.
Actually a paraphrase... when Ellison was about to kill John Henry.
My security model is based on a honey pot with distributed and dynamic resource allocation (JIT) far beyond obfuscation. This hyperkernel thingie is 100% incompatible with that goal. Searching these forums may reveal the fish you seek.

In nearly all, if not all examples, the critical ingredient is a human that was hacked.

Locked