The officially official Devuan Forum!

You are not logged in.

#1 2020-08-01 20:33:22

freenet_bro
Member
Registered: 2018-12-23
Posts: 16  

Making Devuan more secure.

The question might be a bit odd, but I'm currently writing this message from a machine, which is under total surveillance, because of reasons. (I'm a good goy though. Don't worry.)

The thing is, that I would like to make the machine a bit less compromised at least.
- For example I don't like the fact that there are daily cron jobs running, which checks if the /etc/passwd and similar files have changed.
- Or a process running listed as "logsave -s /var/log/fsck/checkfs fsck -C -M -A -a -f in htop (I don't remember that process running on past installs and it seems suspicious.).
- Or that GRUB is listing "Debian" now instead of "Devuan".
- Or that firefox-esr was run from "/usr/lib/firefox" for some reason.
- Or that from time to time someone just starts an sshd on my system and chimes in into my xorg session, which makes the "/usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.LfORxzDu0z" process suddenly take up around 19% of my CPU, although I've explicitly not installed any sshd, because I don't want anyone to remote into my machine.
- Or that all files from /usr/share/bash-completion/ are sourced before a shell starts.
- Or that I get a "permission denied" error when trying to change the root password as root.
etc. etc.

I still need to get the work done, and I'm not knowledgeable enough to remove the bad firmware, so I'm making this post in the hopes of learning more and maybe gettingt some book or article recommendations. I want to learn from the pros with a lot of experience. I think there isn't already a thread for aspiring sysadmins.

I've have a copy of my entire root directory from several different installs.
After realizing my machine was cracked (Btw. thanks a lot for the very clean process list.), I did a backup of all my files, including the root file system for a post mortem (I've already learned quite a bit from viewing some funky files, which were malware scripts, which defined a bunch of stuff and then pushed their path to the top of the PATH environment variable.).
I've tried Guix, Gentoo, Artix and a few others, but it always ended up with the same set of bullshit spyware.

I did a "find / -iname "*systemd*" and found at least twenty entries on a fresh install with just a few packages added, so it looks like my Devuan install isn't so systemd-free afterall (Although the libsystemd.so I can understand.).
Gentoo provides signed .DIGEST files, which list all the files of an ISO, I wish Devuan had something like this. Because I find it kind suspicious if I'm getting asked three times directly in a row if I want to install proprietary firmware.

If you want me to run any commands on my system, just ask and I'll past the results.

P.S. Since I've remove the /etc/pam.d , I can no longer "su root". Any fix?

Offline

#2 2020-08-01 21:14:56

golinux
Administrator
Registered: 2016-11-25
Posts: 3,137  

Offline

#3 2020-08-01 21:41:50

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,409  

Re: Making Devuan more secure.

- Or that from time to time someone just starts an sshd on my system and chimes in into my xorg session, which makes the "/usr/lib/xorg/Xorg -nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.LfORxzDu0z" process suddenly take up around 19% of my CPU, although I've explicitly not installed any sshd, because I don't want anyone to remote into my machine.

I would not boot that system again. Check it from another system, maybe a live-CD or live-USB.

You might want to run from live media from now on, so that you have a read-only system. That way if someone is able to install software on your system while you are running, you can just reboot to go back to the clean state. And figure out how to keep them from doing that. To save files, you can either set up a persistent volume or plug in another usb stick.

Some of your questions are answered in the release notes. (grub, su)

You can run without any policykit or dbus, but removing /etc/pam.d/ might have been a bad idea. This link is provided for general information. You don't want to use the nodbus isos I made because they are not secure. (ssh is running and the password is public)
https://dev1galaxy.org/viewtopic.php?id=2158

Offline

#4 2020-08-01 22:41:01

Altoid
Member
Registered: 2017-05-07
Posts: 1,415  

Re: Making Devuan more secure.

Hello:

freenet_bro wrote:

... tried Guix, Gentoo, Artix and a few others, but it always ended up with the same set of bullshit spyware.

Hmm ...

Just what is it that you do with your rig?

Did you sanitize your drive before each installation?

ie: with a bootable Linux install CD/DVD run gparted and clear the drive.
Then reboot, format it to FAT32, then reboot and clear it again.
Repeat till you have gone through ext3, ext4 and cleared one last time.

Only then install the OS again, from scratch.

freenet_bro wrote:

... a copy of my entire root directory from several different installs.

From what you say, I have the idea that whatever is dumping that crap into your installation is probably in your backups.
Have you gone through them and checked what was there?

Cheers,

A.

Last edited by Altoid (2020-08-01 22:46:02)

Offline

#5 2020-08-02 12:12:43

freenet_bro
Member
Registered: 2018-12-23
Posts: 16  

Re: Making Devuan more secure.

golinux wrote:

Why are systemd files present in Devuan?

Thanks for the link.

golinux wrote:

Have you tried heads?

I haven't tried it, because it seems unmaintained, which made me hesitant to use it.

fsmithred wrote:

You can run without any policykit or dbus, but removing /etc/pam.d/ might have been a bad idea.

That's what I've just realized as well. I can't log into a TTY. hehe

Altoid wrote:

From what you say, I have the idea that whatever is dumping that crap into your installation is probably in your backups.

That's what I thought as well, but I didn't connect the external hard drive to an install I made and even without installing xorg or any other package a bunch of additional things were downloaded on to my machine as soon as I've plugged in the ethernet cable.
It's also interesting to note that shutdown now worked properly, but then suddenly didn't shutdown my machine and asked for a root password. ;D

Altoid wrote:

Just what is it that you do with your rig?

Something somone might find interesting obviously. LOL
No, but seriously. It's not a rig. It's just a laptop I use to work. I'm rather poor, so I can't just buy a new machine.

Altoid wrote:

Did you sanitize your drive before each installation?

ie: with a bootable Linux install CD/DVD run gparted and clear the drive.
Then reboot, format it to FAT32, then reboot and clear it again.
Repeat till you have gone through ext3, ext4 and cleared one last time.

Only then install the OS again, from scratch.

Apparenty shredding the harddisk once wasn't enough.
But I'm pretty sure it wouldn't change a lot if I used a different hard disk or bootable USB.

Altoid wrote:

You might want to run from live media from now on, so that you have a read-only system. That way if someone is able to install software on your system while you are running, you can just reboot to go back to the clean state. And figure out how to keep them from doing that. To save files, you can either set up a persistent volume or plug in another usb stick.

That's what I'm currently doing from my other machine, which also shows a lot of strange behaviour.
My gues would be that someone used my pozzed router and switches in combination with some zero day to get access to my machines, because OpenBSD didn't show any weird behaviour.

I'm fine with certain people reading everything I do and having a copy of every file I create. But it's just too much for me if they start stealing half of my CPU and breaking my window manager shortcuts.

During these interesting geopolitical times I unfortunately can't bring up the money to buy a new machine, so I just use the current situation as a learning experience. big_smile

They've already gotten everything inside of my password data base so I'm totally transparent. I've learned to appreciate the offline world and reading physical books.

Thanks for the answers.

Offline

#6 2020-08-03 19:31:42

freenet_bro
Member
Registered: 2018-12-23
Posts: 16  

Re: Making Devuan more secure.

fsmithred wrote:

You might want to run from live media from now on, so that you have a read-only system. That way if someone is able to install software on your system while you are running, you can just reboot to go back to the clean state.

Iv'e installed Devuan live on a usb stick.
It used to have a regular xorg process.
Then the process became funky again, so I rebooted without internet and the process stayed that way.

$ ps axjf

 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
    0     2     0     0 ?           -1 S        0   0:00 [kthreadd]
    2     3     0     0 ?           -1 I<       0   0:00  \_ [rcu_gp]
    2     4     0     0 ?           -1 I<       0   0:00  \_ [rcu_par_gp]
    2     5     0     0 ?           -1 I        0   0:00  \_ [kworker/0:0-events]
    2     6     0     0 ?           -1 I<       0   0:00  \_ [kworker/0:0H-kblockd]
    2     7     0     0 ?           -1 I        0   0:00  \_ [kworker/u8:0-events_unbound]
    2     8     0     0 ?           -1 I<       0   0:00  \_ [mm_percpu_wq]
    2     9     0     0 ?           -1 S        0   0:00  \_ [ksoftirqd/0]
    2    10     0     0 ?           -1 I        0   0:00  \_ [rcu_sched]
    2    11     0     0 ?           -1 I        0   0:00  \_ [rcu_bh]
    2    12     0     0 ?           -1 S        0   0:00  \_ [migration/0]
    2    13     0     0 ?           -1 I        0   0:00  \_ [kworker/0:1-pm]
    2    14     0     0 ?           -1 S        0   0:00  \_ [cpuhp/0]
    2    15     0     0 ?           -1 S        0   0:00  \_ [cpuhp/1]
    2    16     0     0 ?           -1 S        0   0:00  \_ [migration/1]
    2    17     0     0 ?           -1 S        0   0:00  \_ [ksoftirqd/1]
    2    18     0     0 ?           -1 I        0   0:00  \_ [kworker/1:0-pm]
    2    19     0     0 ?           -1 I<       0   0:00  \_ [kworker/1:0H-kblockd]
    2    20     0     0 ?           -1 S        0   0:00  \_ [cpuhp/2]
    2    21     0     0 ?           -1 S        0   0:00  \_ [migration/2]
    2    22     0     0 ?           -1 S        0   0:00  \_ [ksoftirqd/2]
    2    23     0     0 ?           -1 I        0   0:00  \_ [kworker/2:0-events]
    2    24     0     0 ?           -1 I<       0   0:00  \_ [kworker/2:0H-kblockd]
    2    25     0     0 ?           -1 S        0   0:00  \_ [cpuhp/3]
    2    26     0     0 ?           -1 S        0   0:00  \_ [migration/3]
    2    27     0     0 ?           -1 S        0   0:00  \_ [ksoftirqd/3]
    2    28     0     0 ?           -1 I        0   0:00  \_ [kworker/3:0-events]
    2    29     0     0 ?           -1 I<       0   0:00  \_ [kworker/3:0H-kblockd]
    2    30     0     0 ?           -1 S        0   0:00  \_ [kdevtmpfs]
    2    31     0     0 ?           -1 I<       0   0:00  \_ [netns]
    2    32     0     0 ?           -1 S        0   0:00  \_ [kauditd]
    2    33     0     0 ?           -1 I        0   0:00  \_ [kworker/1:1-events_long]
    2    34     0     0 ?           -1 S        0   0:00  \_ [khungtaskd]
    2    35     0     0 ?           -1 S        0   0:00  \_ [oom_reaper]
    2    36     0     0 ?           -1 I<       0   0:00  \_ [writeback]
    2    37     0     0 ?           -1 S        0   0:00  \_ [kcompactd0]
    2    38     0     0 ?           -1 SN       0   0:00  \_ [ksmd]
    2    39     0     0 ?           -1 SN       0   0:00  \_ [khugepaged]
    2    40     0     0 ?           -1 I<       0   0:00  \_ [crypto]
    2    41     0     0 ?           -1 I<       0   0:00  \_ [kintegrityd]
    2    42     0     0 ?           -1 I<       0   0:00  \_ [kblockd]
    2    43     0     0 ?           -1 I<       0   0:00  \_ [edac-poller]
    2    44     0     0 ?           -1 I<       0   0:00  \_ [devfreq_wq]
    2    45     0     0 ?           -1 S        0   0:00  \_ [watchdogd]
    2    46     0     0 ?           -1 S        0   0:00  \_ [kswapd0]
    2    64     0     0 ?           -1 I<       0   0:00  \_ [kthrotld]
    2    65     0     0 ?           -1 I        0   0:00  \_ [kworker/2:1-pm]
    2    66     0     0 ?           -1 I        0   0:00  \_ [kworker/3:1-rcu_gp]
    2    67     0     0 ?           -1 I<       0   0:00  \_ [ipv6_addrconf]
    2    68     0     0 ?           -1 I        0   0:02  \_ [kworker/u8:1-events_unbound]
    2    77     0     0 ?           -1 I        0   0:00  \_ [kworker/1:2-usb_hub_wq]
    2    78     0     0 ?           -1 I<       0   0:00  \_ [kstrp]
    2   123     0     0 ?           -1 I<       0   0:00  \_ [acpi_thermal_pm]
    2   124     0     0 ?           -1 I<       0   0:00  \_ [ata_sff]
    2   126     0     0 ?           -1 S        0   0:00  \_ [scsi_eh_0]
    2   127     0     0 ?           -1 I<       0   0:00  \_ [scsi_tmf_0]
    2   128     0     0 ?           -1 S        0   0:00  \_ [scsi_eh_1]
    2   129     0     0 ?           -1 I<       0   0:00  \_ [scsi_tmf_1]
    2   130     0     0 ?           -1 I        0   0:00  \_ [kworker/0:2-pm]
    2   131     0     0 ?           -1 I        0   0:00  \_ [kworker/u8:2-events_unbound]
    2   140     0     0 ?           -1 I        0   0:00  \_ [kworker/u8:3]
    2   142     0     0 ?           -1 I        0   0:00  \_ [kworker/u8:4]
    2   181     0     0 ?           -1 I        0   0:00  \_ [kworker/3:2-events]
    2   182     0     0 ?           -1 I<       0   0:00  \_ [kworker/u9:0-hci0]
    2   183     0     0 ?           -1 S        0   0:00  \_ [i915/signal:0]
    2   184     0     0 ?           -1 S        0   0:00  \_ [i915/signal:1]
    2   185     0     0 ?           -1 S        0   0:00  \_ [i915/signal:2]
    2   186     0     0 ?           -1 S        0   0:00  \_ [i915/signal:6]
    2   187     0     0 ?           -1 I<       0   0:00  \_ [kworker/2:1H-kblockd]
    2   189     0     0 ?           -1 I        0   0:00  \_ [kworker/3:3-events]
    2   190     0     0 ?           -1 S        0   0:00  \_ [scsi_eh_2]
    2   191     0     0 ?           -1 I<       0   0:00  \_ [scsi_tmf_2]
    2   192     0     0 ?           -1 S        0   0:00  \_ [usb-storage]
    2   197     0     0 ?           -1 I<       0   0:00  \_ [md]
    2   210     0     0 ?           -1 I<       0   0:00  \_ [kworker/3:1H-kblockd]
    2   211     0     0 ?           -1 I<       0   0:00  \_ [kworker/1:1H-kblockd]
    2   212     0     0 ?           -1 I<       0   0:00  \_ [kworker/0:1H-kblockd]
    2   213     0     0 ?           -1 I<       0   0:00  \_ [raid5wq]
    2   305     0     0 ?           -1 S<       0   0:00  \_ [loop0]
    2   350     0     0 ?           -1 I        0   0:00  \_ [kworker/2:2-mm_percpu_wq]
    2   756     0     0 ?           -1 S        0   0:00  \_ [irq/126-mei_me]
    2   768     0     0 ?           -1 I<       0   0:00  \_ [kmemstick]
    2   776     0     0 ?           -1 I        0   0:00  \_ [rtsx_usb_ms_1]
    2   796     0     0 ?           -1 I<       0   0:00  \_ [cfg80211]
    2   826     0     0 ?           -1 I<       0   0:00  \_ [kworker/u9:1-hci0]
    2   827     0     0 ?           -1 I<       0   0:00  \_ [ath10k_wq]
    2   828     0     0 ?           -1 I<       0   0:00  \_ [ath10k_aux_wq]
    2   830     0     0 ?           -1 I        0   0:00  \_ [kworker/1:3-rcu_gp]
    2   850     0     0 ?           -1 I<       0   0:00  \_ [kworker/u9:2-hci0]
    2  1714     0     0 ?           -1 I<       0   0:00  \_ [rpciod]
    2  1715     0     0 ?           -1 I<       0   0:00  \_ [xprtiod]
    2  1717     0     0 ?           -1 I<       0   0:00  \_ [nfsiod]
    0     1     1     1 ?           -1 Ss       0   0:01 init [2]
    1  1681  1681  1681 ?           -1 Ss     104   0:00 /sbin/rpcbind -w
    1  1709  1709  1709 ?           -1 Ss     106   0:00 /sbin/rpc.statd
    1  1724  1724  1724 ?           -1 Ss       0   0:00 /usr/sbin/rpc.idmapd
    1  2003  2003  2003 ?           -1 Ss       0   0:00 /usr/sbin/acpi_fakekeyd
    1  2088  2088  2088 ?           -1 Ssl      0   0:00 /usr/sbin/rsyslogd
    1  2116  2116  2116 ?           -1 Ss       0   0:00 /usr/sbin/acpid
    1  2178  2178  2178 ?           -1 Ss       0   0:00 /usr/sbin/cron
    1  2228  2228  2228 ?           -1 Ss     102   0:00 /usr/bin/dbus-daemon --system
    1  2261  2260  2260 ?           -1 S      110   0:00 avahi-daemon: running [devuan.local]
 2261  2262  2260  2260 ?           -1 S      110   0:00  \_ avahi-daemon: chroot helper
    1  2286  2285  2285 ?           -1 S        0   0:00 /usr/sbin/bluetoothd
    1  2314  2314  2314 ?           -1 Ss       0   0:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf -s /etc/cups/cups-files.conf
    1  2348  2347  2347 ?           -1 Sl       0   0:00 /usr/sbin/cups-browsed
    1  2372  2371  2371 ?           -1 S        0   0:00 elogind-daemon
    1  2641  2641  2641 ?           -1 Ss     103   0:00 /usr/sbin/exim4 -bd -q30m
    1  2668  2668  2668 ?           -1 Ss       0   0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
    1  2697  2697  2697 ?           -1 Ssl    101   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 101:104
    1  2724  2724  2724 ?           -1 Ss       0   0:00 /usr/sbin/saned -a saned
 2724  2725  2724  2724 ?           -1 S        0   0:00  \_ /usr/sbin/saned -a saned
    1  2751  2751  2751 ?           -1 Ss       0   0:05 /usr/bin/slim -d
 2751  2776  2776  2776 tty7      2776 Ssl+     0   0:03  \_ /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/slim.auth vt07
 2751  3126  2751  2751 ?           -1 S     1000   0:00  \_ /bin/sh /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc
 3126  3171  3171  3171 ?           -1 Ss    1000   0:00      \_ /usr/bin/ssh-agent x-session-manager
 3126  3182  2751  2751 ?           -1 Sl    1000   0:00      \_ xfce4-session
 3182  3217  2751  2751 ?           -1 Sl    1000   0:00          \_ /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
 3182  3218  2751  2751 ?           -1 S     1000   0:02          \_ /usr/bin/python3 /usr/share/system-config-printer/applet.py
 3182  3223  2751  2751 ?           -1 Sl    1000   0:00          \_ /usr/bin/python -O /usr/share/wicd/gtk/wicd-client.py --tray
 3182  3229  2751  2751 ?           -1 S     1000   0:00          \_ xscreensaver -no-splash
    1  2798  2798  2798 ?           -1 Ss       0   0:00 /usr/sbin/uuidd
    1  2828  2827  2827 ?           -1 S        0   0:00 /usr/bin/python -O /usr/share/wicd/daemon/wicd-daemon.py --keep-connection
 2828  3034  2827  2827 ?           -1 S        0   0:00  \_ /usr/bin/python -O /usr/share/wicd/daemon/monitor.py
    1  2893  2892  2892 ?           -1 S        0   0:00 /sbin/udevd udevd
    1  3062  3062  3062 tty1      3102 Ss       0   0:00 /bin/login -f
 3062  3102  3102  3062 tty1      3102 S+    1000   0:00  \_ -bash
    1  3063  3063  3063 tty2      3099 Ss       0   0:00 /bin/login -f
 3063  3099  3099  3063 tty2      3099 S+    1000   0:00  \_ -bash
    1  3064  3064  3064 tty3      3098 Ss       0   0:00 /bin/login -f
 3064  3098  3098  3064 tty3      3098 S+    1000   0:00  \_ -bash
    1  3065  3065  3065 tty4      3101 Ss       0   0:00 /bin/login -f
 3065  3101  3101  3065 tty4      3101 S+    1000   0:00  \_ -bash
    1  3066  3066  3066 tty5      3097 Ss       0   0:00 /bin/login -f
 3066  3097  3097  3066 tty5      3097 S+    1000   0:00  \_ -bash
    1  3067  3067  3067 tty6      3100 Ss       0   0:00 /bin/login -f
 3067  3100  3100  3067 tty6      3100 S+    1000   0:00  \_ -bash
    1  3123  3122  3122 ?           -1 Sl    1000   0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
    1  3160  2751  2751 ?           -1 S     1000   0:00 /usr/bin/dbus-launch --exit-with-session --sh-syntax
    1  3161  3161  3161 ?           -1 Ss    1000   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 6 --print-address 8 --session
    1  3184  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/at-spi2-core/at-spi-bus-launcher
 3184  3189  3161  3161 ?           -1 S     1000   0:00  \_ /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
    1  3191  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
    1  3195  2228  2228 ?           -1 Sl       0   0:00 /usr/lib/policykit-1/polkitd --no-debug
    1  3202  3161  3161 ?           -1 S     1000   0:00 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
    1  3206  3206  3206 ?           -1 Ss    1000   0:00 /usr/bin/gpg-agent --sh --daemon --write-env-file /home/devuan/.cache/gpg-agent-info
    1  3208  2751  2751 ?           -1 S     1000   0:00 xfwm4
    1  3212  2751  2751 ?           -1 Sl    1000   0:01 xfce4-panel
 3212  3286  2751  2751 ?           -1 S     1000   0:00  \_ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 20971558 systray Notification Area Area where notification icons appear
 3212  3289  2751  2751 ?           -1 S     1000   0:00  \_ /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 2 20971559 actions Action Buttons Log out, lock or other system actions
    1  3214  2751  2751 ?           -1 Sl    1000   0:00 Thunar --daemon
    1  3216  2751  2751 ?           -1 Sl    1000   0:00 xfdesktop
    1  3234  3233  3233 ?           -1 S<l   1000   0:01 /usr/bin/pulseaudio --start --log-target=syslog
    1  3236  2228  2228 ?           -1 SNl    105   0:00 /usr/lib/rtkit/rtkit-daemon
    1  3239  3239  3239 ?           -1 Ssl   1000   0:00 xfce4-power-manager
    1  3240  3240  3240 ?           -1 Ssl   1000   0:00 xfsettingsd
    1  3245  2228  2228 ?           -1 Sl       0   0:00 /usr/lib/upower/upowerd
    1  3251  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/gvfs/gvfsd
 3251  3362  3161  3161 ?           -1 Sl    1000   0:00  \_ /usr/lib/gvfs/gvfsd-trash --spawner :1.17 /org/gtk/gvfs/exec_spaw/0
    1  3276  3161  3161 ?           -1 SNl   1000   0:00 /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
    1  3288  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
    1  3314  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
    1  3318  2228  2228 ?           -1 Sl       0   0:00 /usr/lib/udisks2/udisksd
    1  3332  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/gvfs/gvfs-mtp-volume-monitor
    1  3337  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
    1  3342  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/gvfs/gvfs-goa-volume-monitor
    1  3347  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/gvfs/gvfs-afc-volume-monitor
    1  3359  3161  3161 ?           -1 Sl    1000   0:00 /usr/lib/gvfs/gvfsd-metadata
    1  3397  2751  2751 ?           -1 Sl    1000   0:01 xfce4-terminal
 3397  3403  3403  3403 pts/0     3431 Ss    1000   0:00  \_ bash
 3403  3431  3431  3403 pts/0     3431 R+    1000   0:00      \_ ps axjf

Also it would be nice if you could tell me how I could get a root shell on the installation medium, so I could execute the steps proposed by Altoid in order to really clean the drive.

Offline

#7 2020-08-05 19:31:01

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Making Devuan more secure.

freenet_bro wrote:
 3126  3171  3171  3171 ?           -1 Ss    1000   0:00      \_ /usr/bin/ssh-agent x-session-manager

^ That's the only "ssh" program running but it's not an SSH client or server, it's just an authentication agent (see ssh-agent(1)). Uninstall the openssh-client package to get rid of it if you're that paranoid.

freenet_bro wrote:

how I could get a root shell on the installation medium

sudo -i

Brianna Ghey — Rest In Power

Offline

#8 2020-08-05 20:19:16

freenet_bro
Member
Registered: 2018-12-23
Posts: 16  

Re: Making Devuan more secure.

Head_on_a_Stick wrote:
freenet_bro wrote:
 3126  3171  3171  3171 ?           -1 Ss    1000   0:00      \_ /usr/bin/ssh-agent x-session-manager

^ That's the only "ssh" program running but it's not an SSH client or server, it's just an authentication agent (see ssh-agent(1)). Uninstall the openssh-client package to get rid of it if you're that paranoid.

I don't have it installed. ^^ I mean it's not in the apt data base. It will just install itself after I've removed it.

Head_on_a_Stick wrote:
freenet_bro wrote:

how I could get a root shell on the installation medium

sudo -i

Thanks, that's what I needed.
I never use sudo, because it blurs the line between system administrator and regular user.

Last edited by freenet_bro (2020-08-05 20:20:50)

Offline

#9 2020-08-06 16:47:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Making Devuan more secure.

freenet_bro wrote:

It will just install itself after I've removed it

Logs or it never happened tongue


Brianna Ghey — Rest In Power

Offline

#10 2020-08-18 17:29:37

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

freenet_bro wrote:

The question might be a bit odd, but I'm currently writing this message from a machine, which is under total surveillance, because of reasons. (I'm a good goy though. Don't worry.)

I was in about the same situation as you a couple of years ago.

I can indicate you some steps to at least remove their active presence on your machine, after that they still can see anything you do and even read your mind.

1) Get an older hardware like Core2 Duo with good old BIOS (instead of UEFI) and process it with ME_cleaner to remove IntelME, better to libreboot of course if you can get a right hardware.

2) Get somewhere a very old SD card of size like 256Mb and an ancient SD card reader USB1 or USB2, they are free from modern firmware backdoors. Place your bootloader and kernel onto this SD card.
Always boot your system from USB SD reader, this prevents injecting trojans during boot phase by storage devices.

3) Encrypt all your HDDs to partially isolate from their firmware trojans.
All file systems shall be created above LUKSed block devices.
Use the shortest SATA cables you can get, 10-15cm are the best, it will make it harder to kill data on your disks by active EMI attacks injecting intelligent noise making your HDD working incorrectly for some time.
And try to always use ZFS, it sees all checksums errors when you are under a EMI attack, otherwise you can silently loose your data and files.

4) Use Devuan without systemD, it is an absolute MUST.

5) Do not use modern bloated DE like KDE4 or KDE5, they are full of backdoors and can erase your important ideas in knotes and kalarm at least. I have found TrinityDE is the best DE for a workstation and NoDM+IceWM+matchbox-desktop is the best thing for a server.
With IceWM you can disable almost all services even like dbus, etc.

6) Never run proprietary software like Skype of Chrome on your sensitive computer, have a dedicated different motherboard for them and run them only in a dedicated KVM on it.

7) For SSH access to other hosts keep your secret keys in hardware devices like Nitrokey PRO2 or HSM2.

8) I am going to make an installation of a combi of Devuan+ZFS volume and OpenBSD running from that volume over a dedicated Ethernet link. They will both run on ARM hardware (two separated boards) free from X86 backdoors and trojans. Add Nitrokey PRO2 or HSM2 here and get a relatively good protection at least from general hackers, agencies still can replace your hardware or reflash something (though I guess it is harder to do on a SoC) and they can enter your room not via a front door or a window (don't ask me how).

May be I will share it in the corresponding forum area for ARM builds.

Last edited by bimon (2020-08-18 18:02:00)

Offline

#11 2020-08-18 19:23:47

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Making Devuan more secure.

bimon wrote:

process it with ME_cleaner to remove IntelME, better to libreboot of course if you can get a right hardware

That doesn't completely remove the ME and even if it did there would still be blobs in the motherboard controller firmware.

The FSF only lists a few motherboards that are blob-free: https://ryf.fsf.org/categories/mainboards

Of those boards only the POWER9 versions from Talos offer a decent level of performance. Not cheap though smile

bimon wrote:

ARM hardware (two separated boards) free from X86 backdoors and trojans

ARM is a very opaque architecture, both the motherboard controllers and the Mali graphics require blobs. Again, POWER9 is better (or perhaps RISC-V).

Last edited by Head_on_a_Stick (2020-08-18 21:11:41)


Brianna Ghey — Rest In Power

Offline

#12 2020-08-19 03:20:49

jobbautista9
Member
From: Philippines
Registered: 2020-07-11
Posts: 32  
Website

Re: Making Devuan more secure.

bimon wrote:

...KDE4 or KDE5, they are full of backdoors and can erase your important ideas in knotes and kalarm at least.

Do you have proof for these claims? And you should probably report those problems with knotes and kalarm to the upstream's or Debian's bug tracker.


Former maintainer of the iwd package. See #639! smile

You can also find me on the Pale Moon forums. I develop XUL add-ons for Pale Moon.
My PGP public key

Offline

#13 2020-08-19 06:17:07

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

jobbautista9 wrote:
bimon wrote:

...KDE4 or KDE5, they are full of backdoors and can erase your important ideas in knotes and kalarm at least.

Do you have proof for these claims? And you should probably report those problems with knotes and kalarm to the upstream's or Debian's bug tracker.

I just experienced information lost from KAlarm and KNotes in KDE4 many times after their store was ported from a file system to a database integrated into KDE.
It generally happened when I wrote down some  discrediting evidence against the attackers and when wrote to forum topics like this.
I guess the whole idea about open source backdoors is to make them available as legitimate network services say via TCP sockets, while users think they are protected by a firewall it is not actually the truth because agencies run their invisible trojans in protected rings of modern CPUs (most likely even negative rings) and such trojans can even saliently virtualize your whole computer in addition that X86 itself is not a pure hardware by itself, it is like a VM running on their mutable/updatable microcode. It is not possible to detect those trojans in your operation system, though in a case of virtualization it sometimes may be possible by measuring some calculation speeds of the CPU.

Most likely it is not easy without unified API available via a socket like systemD to manage applications from trojans because it is not easy to conform to ABIs needed to be called and out of process communication without network stack, but via network services it is much easier just like a RPC call.

Last edited by bimon (2020-08-19 06:22:00)

Offline

#14 2020-08-19 06:25:12

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

Head_on_a_Stick wrote:
bimon wrote:

process it with ME_cleaner to remove IntelME, better to libreboot of course if you can get a right hardware

That doesn't completely remove the ME and even if it did there would still be blobs in the motherboard controller firmware.

The FSF only lists a few motherboards that are blob-free: https://ryf.fsf.org/categories/mainboards

Of those boards only the POWER9 versions from Talos offer a decent level of performance. Not cheap though smile

bimon wrote:

ARM hardware (two separated boards) free from X86 backdoors and trojans

ARM is a very opaque architecture, both the motherboard controllers and the Mali graphics require blobs. Again, POWER9 is better (or perhaps RISC-V).

We talk about different price ranges, ganstalkers often attack people on a low budget just to make them even more financially vulnerable trying to get them on their slavery galleys in their corporations.

And I think it is still not easy to verify there are no backdoors in POWER9. And it is a CPU with speculative execution yet most likely vulnerable to SPECTRE and like it? When we talk about getting some better performance than ARM it may be enough to get a cheap system with Libreboot or at least Coreboot, run KVM or software emulation on it and manage it from a secure ARM device.

IMHO Talos is a good toy for wealthy men who can purchase a few of them just for experiments and trash them if they do not like something without any financial regret. I just purchased many ARMv5 and ARMv7 SoCs just for experiments, it is affordable for me and I still do not know if they solve the problems which I experienced in the past, but it is not a significant loss for my budget if something goes wrong for some of those boards.

As for ARM I would not trust anything more recent than old ARMv7 boards like Orange PI with a wireless chip removed from the board.
Modern ARMs may have large BLOBs in their SoC boot ROM and they can have trojans working in an ARM TrustZone.

To make me more confident in a current ARM hardware a vendor would have to provide an open source code for his BROM which is inside a SoC.
It shall be built reproducible and result to the same verifiable binaries which could be read from BROM. But it still most likely does not prevent them to have some   hidden code running in a TrustZone anyway or even making such verifiable BROM a fake ROM while running another proprietary BLOB hidden from us.

On the other hand there are a plenty of Cortex A7 oranges free from speculative issues which are good for a mini server running under OpenBSD.
Please understand performance does not matter at all when we talk about security, slow ARMv7 for $30-$50 may be much better and stronger in these terms than a modern shiny computer for a few thousands of USD.
Beagle bone black boards are already free from radio chips and their BROM is relatively small which is less in size than RAM of a good old ZXSpectrum, unfortunately it is not Cortex A7, therefore it is good only for a secure client SSH terminal, for a micro server it is better to use Cortex A7.

You can install only light and the most critical services like SSH, Firewall, some proxies, DNS, monitoring, intrusion detection, Jabber, e-mail, etc.  on those mini boards while running more resource demanding applications as KVM guests on other Coreboot hosts behind this secure gateway based on ARMv7 CortexA7 + Nitrokey + OpenBSD. Just allow connections to KVM hosts only from secure OpenBSD ARM host.

Last edited by bimon (2020-08-19 07:39:01)

Offline

#15 2020-08-19 06:55:20

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

And as for defending from BLOBs in storage controllers someone already discussed that in the topics like:

http://dev1galaxy.org/viewtopic.php?pid=17208#p17208
http://dev1galaxy.org/viewtopic.php?pid=16484#p16484

And unfortunately there are no affordable RISC-V having at least 1-2GB or RAM comparable to many cheap Cortex A7 boards like OrangePI some of which are even compatible with OpenBSD.

May be some MIPS like Octeons can be interesting for running OpenBSD on them too.

Do we really have any affordable choices even already in 2020 year for a hardware more secure than X86 with at least 1-2 GB of RAM except ARM Cortex A7 and MIPS?

And I would not trust even to the same Cortex A7 chips produced recently compared to older ones from a second hand market. I have already experienced several bad recent simple SATA controllers which destroyed a half of my ZFS mirrors (recoved later of course), recent chips compatible with earlier specifications look different in some cases under attacks and behave like a beasty. Most likely they have more recent backdoors in hardware and firmware. So the older BROM and SoC are the better it is in terms of resistance to ganstalker attacks.

And never trust intelligent agencies, they almost always lie just to make some profit from their public declarations, they inject many their backdoors everywhere they can to control everything and even make criminal harm to law-abiding citizens in favor of corporations who sponsor them. The same about trust to some doctors and lawers, there is a significant amount of those "specialists" who lie to you just to support the whole corrupted construction and make a harm to  individuals targeted by agencies. Sometimes even police behave the same way.

If you a targeted individual then try to never eat anything except what you get by yourself from a supermarket choosen randomly because ganstalkers sometimes use to poison people with a slowly influencing bio substances like staphylococcus which in a long term together with their electromagnetic attacks may lead to decrease of immunoresistance of your body,  dermatosis, bad reactions to the meds used and even to small mutations like a chronical blood mutations like leucosis and insomnia. They even may use mind control of your oldery relatives to make them behave like mads, often disturbing you in the most critical moments of your life for example during your sleep, trying to feed you with a food they got from unknown sources, such unverified food they were often received for free from someones may contain psychotic stuff to make you temporary mad too.

And then ganstalkers tell, you need to go to a psychiatrist, their win - congratulations! And you get a bad reputation finally.

A few of examples:
https://web.archive.org/web/20190624163 … duals.html
https://web.archive.org/web/20200314022 … cults.com/
http://www.freezepage.com/1562758630UEPBNMQAJI
https://web.archive.org/web/20190610035 … BJJVVBJ/64
https://archive.is/1ipek
https://web.archive.org/web/20190608024 … ad/1348072

I think more anonymization for key developers of Devuan and OpenBSD would not be bad for them and all of us to prevent them to repeat what happened to original Debian leader and what happened to Debian after that.

Last edited by bimon (2020-08-19 11:06:49)

Offline

#16 2020-08-19 09:58:19

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Making Devuan more secure.

Just FYI:

bimon wrote:

If you a targeted individual then try to never eat anything except what you get by yourself from a supermarket choosen randomly because ganstalkers sometimes use to poison people with a slowly influencing bio substances like staphylococcus which in a long term together with their electromagnetic attacks may lead to decrease of immunoresistance of your body,  dermatosis, bad reactions to the meds used and even to small mutations like a chronical blood mutations like leucosis and insomnia. They even may use mind control of your oldery relatives to make them behave like mads, often disturbing you in the most critical moments of your life for example during your sleep, trying to feed you with a food they got from unknown sources, such unverified food they were often received for free from someones may contain psychotic stuff to make you temporary mad too.

^ This makes you sound like a crazy person, perhaps keep such thoughts to yourself in future. Or start taking the little blue pills the doctor gave you...


Brianna Ghey — Rest In Power

Offline

#17 2020-08-19 10:22:13

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

Very probable that I was poisoned by a significant portion of staphylococcus (diagnosed later by analysis) during training courses for IBM DB2 administration in a "Network Academy" located in a building of their police academy located in Kazan, Russia on October 13, 2008 in their dining-hall, they brought a meal by themselves. During all night in their hotel I experienced continuous almost non uninterruptible meteorism, there is a eye-witness classmate, we had even to open window inspite of almost winter weather, I never used to eat in their dining-hall anymore and got food in supermarkets during the rest of training days.
When we had meeting with other classmates from different cities in the evening they talked about terror from FSB in their cities like fires and pressure, women mentioned very bad quality of doctor service in maternity hospital and how they got even disability after accouchement and could not sue the doctors in a court.
Also I felt myself sick like in a winter like getting a flue virus, gravedo and feeling very weak, it is an indication of an attack on immune system.
Later when I returned to my city large dark-red sometimes almost black pustules appeared on my head and body for many years and a few still now, during many years I experienced significant headaches. Doctors could not find a course when I asked them earlier.
I had to part with my lovely girlfriend in about two years since that DB2 training sad

ee429cb3d2034a344fdfefc0b0302108.png

And finally in 2017 I was diagnosed a polycythemia.
After I wrote several times about corruption in Russia my body experienced burning pain and vibration, my mother too (she experienced it even today after this post asking me for a tablet of aspirin), several neurologists  led me to a psychiatrists, they did not do anything to help me except harm in their clinic where I even did not get enough air to breath (a body with blood problems requires more oxygen for living) , persistent  constipation problems during a whole month period of being in their clinic when I repeatedly could not get defecation up to five days even visiting toilet room tens of times and it is even not always allowed by personal to travel to that room, btw. And it was very hard to convince them to purchase and give me laxative, without it most likely I would already be dead.   After leaving their clinic all symptoms returned in about two weeks like body burning and vibration.

Later I have found a med by myself to heal myself successfully from vibration and burning, it is neuromedin and human interferon alfa, blood returned to a relatively good condition too, I do not have an insomnia or headaches anymore except days when I do a med injection.

After that I often treat doctors (I visited tens of them before getting to psychiatrists) like charlatans just serving ZOG and agencies to make tortures against targeted individuals, they are almost like fascist in their activity against targeted individuals.

It works something like following:

navyazchivaya-ideya_83527.jpg

Last edited by bimon (2020-08-21 08:49:16)

Offline

#18 2020-08-19 13:35:42

freenet_bro
Member
Registered: 2018-12-23
Posts: 16  

Re: Making Devuan more secure.

bimon wrote:
freenet_bro wrote:

    The question might be a bit odd, but I'm currently writing this message from a machine, which is under total surveillance, because of reasons. (I'm a good goy though. Don't worry.)

I was in about the same situation as you a couple of years ago.

I can indicate you some steps to at least remove their active presence on your machine, after that they still can see anything you do and even read your mind.

1) Get an older hardware like Core2 Duo with good old BIOS (instead of UEFI) and process it with ME_cleaner to remove IntelME, better to libreboot of course if you can get a right hardware.

2) Get somewhere a very old SD card of size like 256Mb and an ancient SD card reader USB1 or USB2, they are free from modern firmware backdoors. Place your bootloader and kernel onto this SD card.
Always boot your system from USB SD reader, this prevents injecting trojans during boot phase by storage devices.

3) Encrypt all your HDDs to partially isolate from their firmware trojans.
All file systems shall be created above LUKSed block devices.
Use the shortest SATA cables you can get, 10-15cm are the best, it will make it harder to kill data on your disks by active EMI attacks injecting intelligent noise making your HDD working incorrectly for some time.
And try to always use ZFS, it sees all checksums errors when you are under a EMI attack, otherwise you can silently loose your data and files.

4) Use Devuan without systemD, it is an absolute MUST.

5) Do not use modern bloated DE like KDE4 or KDE5, they are full of backdoors and can erase your important ideas in knotes and kalarm at least. I have found TrinityDE is the best DE for a workstation and NoDM+IceWM+matchbox-desktop is the best thing for a server.
With IceWM you can disable almost all services even like dbus, etc.

6) Never run proprietary software like Skype of Chrome on your sensitive computer, have a dedicated different motherboard for them and run them only in a dedicated KVM on it.

7) For SSH access to other hosts keep your secret keys in hardware devices like Nitrokey PRO2 or HSM2.

8) I am going to make an installation of a combi of Devuan+ZFS volume and OpenBSD running from that volume over a dedicated Ethernet link. They will both run on ARM hardware (two separated boards) free from X86 backdoors and trojans. Add Nitrokey PRO2 or HSM2 here and get a relatively good protection at least from general hackers, agencies still can replace your hardware or reflash something (though I guess it is harder to do on a SoC) and they can enter your room not via a front door or a window (don't ask me how).

May be I will share it in the corresponding forum area for ARM builds.

Thanks for understanding my threat model and sharing your insights.

1) I have a x200, but I don't have the necessary tools to libreboot it. I have three Raspberry Pis, but not the necessary connectors.
Currently I use two laptops. One offline laptop, where I've removed the wireless card. And an online laptop, which has OpenBSD installed and runs Devuan from a live USB (Which I'm using right now.).

"If noone is supposed to see it, then do it offline." Is my current mantra.

I don't have the knowledge to secure my systems. It's a fun learning experience though. ahahahaha...fuck
I store all my data on several external encrypted hard drives.

4) Already doing that.

5) I use suckless' dwm+st+dmenu. No gvfs policykit or all that crap.
That's the only reason I was able to figure out what was going on.
(Although dbus is somehow necessary for xorg to start, which doesn't suprise me, because my xorg binaries have been replaced. ^^)

6) I've freed myself from proprietary software a couple of years ago. I'm 100% free. (If you exclude hardware and firmware.)

7) I'll keep that in mind for the future.

8) Noone entered my home, I'm sure of that. But they're already in all the machines in my home, so does it really matter? haha

Last edited by freenet_bro (2020-08-19 13:39:21)

Offline

#19 2020-08-19 13:44:27

freenet_bro
Member
Registered: 2018-12-23
Posts: 16  

Re: Making Devuan more secure.

bimon, would it be possible to contact you outside of this forum?
I would love to be able to talk to someone, who has a deep understanding of technology as you appear to have.
Learning all that shit just through reading man-pages is very hard, because they often times assume formal training.

Offline

#20 2020-08-19 17:49:16

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

For now please write here, may be later when I have a better anonymization like I2P+Tor router we can chat sometimes in a Tox or Jabber.

Last edited by bimon (2020-08-19 17:49:51)

Offline

#21 2020-08-19 18:06:47

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

freenet_bro wrote:

I have three Raspberry Pis, but not the necessary connectors.

Raspberry Pis could not even start without large BLOBs for video chip.

The best what I was able to find are AllWinner Cortex A7 and Beagle Bone Black boards.
They are affordable and can work (at least in a text mode) without BLOBs except their small BROM inside their SoC.

IMHO even librebooted X86 is not good as a secure SSH terminal to control other hosts, they can be used only to host something non critical in terms of security.

I do not know anything affordable for a secure trusted terminal better than an old ARM Cortex A7 free from BLOBs and wireless chips with a Nitrokey or may be GNUK for keeping your secret keys there.

Btw, there is an interesting ARM laptop trying to be as free as possible (not Cortex A7 though):

https://web.archive.org/web/20200828204 … _Main_Page
https://www.bunniestudios.com/blog/?cat=28

Last edited by bimon (2020-08-28 20:43:02)

Offline

#22 2020-08-19 19:00:26

chris2be8
Member
Registered: 2018-08-11
Posts: 264  

Re: Making Devuan more secure.

Hello bimon,

The staphylococcus poisoning was probably an accident. It's impossible to say exactly what effect it would have on any given individual. So it's not any use to control someone.

There's an old saying, "Never ascribe to malice anything adequately explained by stupidity". Which fits this case quite well.

But if you do need to keep secrets:
1: The safest option is to keep it all in your head. If you must share information talk face to face and make sure there are no listening devices around.

2: Use pencil (or pen) and paper. Mass surveilance of mail is too much work for the authorities (at least in civilised countries). If you must use a computer use one that's not connected to the internet (check for wireless adapters etc). This is standard for tax advisers etc (not illegal but laws can be changed to your disadvantage if they know what you are planning).

3: If you have to use the internet then use normal computer security procedures. And keep anything really sensitive off the system.

Chris

Offline

#23 2020-08-20 02:22:29

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

chris2be8 wrote:

Hello bimon,

The staphylococcus poisoning was probably an accident. It's impossible to say exactly what effect it would have on any given individual. So it's not any use to control someone.

Hello Chris,

The accident happened only to me, not to my classmate who was eating at the same place (the same small table) and he was brought his meal too by a staff and it looked on the surface the same as mine.

The effects of poisoning by golden staphylococcus are predictable: persistent meteorism, bad microflora and as a consequence a bad immune resistance,  insomnia, dermatosis and bad blood reaction on meds used for handling of dermatosis.

The whole effect is a gain for ganstalkers, a person becomes more vulnerable to their attacks (including load sounds at night, anonymous calls, etc.), harder life, personal problems, difficult to work productively because of regular insomnia.

Last edited by bimon (2020-08-20 11:59:35)

Offline

#24 2020-08-20 02:40:50

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

chris2be8 wrote:

But if you do need to keep secrets:
1: The safest option is to keep it all in your head. If you must share information talk face to face and make sure there are no listening devices around.

2: Use pencil (or pen) and paper. Mass surveilance of mail is too much work for the authorities (at least in civilised countries). If you must use a computer use one that's not connected to the internet (check for wireless adapters etc). This is standard for tax advisers etc (not illegal but laws can be changed to your disadvantage if they know what you are planning).

3: If you have to use the internet then use normal computer security procedures. And keep anything really sensitive off the system.

Chris

1. Two very important channels for data leakage often not taken into account are:
1.1 Electromagnetic emanation from all computer buses (like SATA, USB, Ethernet, PS2, VGA, HDMI, etc.)
1.2 Psi operators can read your mind (your current thoughts and may be even memory) distantly, predict some future and try to correct it in their favor.

Though these two channels are not directly related to each other they are often used by some agencies together at the same time.
So you shall never use passwords as they can be intercepted both from computer bus and your head without any visible connection like LAN, etc.
Always try to use keys which are not stored on devices like HDDs or SSDs. For example Nitrokey company states HSM2 is protected from data leakage by emanation channel (but at which grade? a few layers of tin foil?), though there may be other backdoors in Nitrokey of course. Even their crypto algorithms most likely are not strong enough against NSA and may be other agencies too.
May be GNUK (or Nitrokey Start) sometimes can be better in terms of its open source, I do not know unfortunately.

2,3. My computers were attacked by electromagnetic attacks too, it does not matter if Internet is connected or not.

https://web.archive.org/web/20191105180 … ssues/9518

Also a standalone (without Internet and even without LAN connection) relatively old computer (Intel about 2002 model)  which was almost always turned off at my home was reflashed somehow and did not boot into Linux until I reflashed it again back to a stock BIOS from a floppy.

Another standalone computer (AMD about 2010 model) with a modern HGST 6TB HUS drive was controlled remotely and replaced some of video surveillance files into a binary rubish, and it had ZFS, it means HDD most likely has a backdoor for remote wireless control and its Linux drivers have an interface to bypass control into the kernel and may be some userspace.

Last edited by bimon (2020-08-21 06:16:30)

Offline

#25 2020-10-10 03:34:38

bimon
Member
Registered: 2019-09-09
Posts: 172  

Re: Making Devuan more secure.

Btw, Nitrokey HSM2 USB token and a flat SC-HSM2 4K smart card both implement a data channel encryption (between your PC PKCS11 lib and their crypto chip) via BSI TR-03110 protocol also used in some national personal ID cards. May be it just is so called protection from attacks on emanation side channel.

bimon wrote:

Another standalone computer (AMD about 2010 model) with a modern HGST 6TB HUS drive was controlled remotely and replaced some of video surveillance files into a binary rubish, and it had ZFS, it means HDD most likely has a backdoor for remote wireless control and its Linux drivers have an interface to bypass control into the kernel and may be some userspace.

Actually it may be a wired (not wireless as I mentioned earlier) backdoor, IMHO the most probable channel for remote control is an AC power line, a signal can be modulated somehow and some modern devices with a powerful enough MCUs or SoCs for example like modern HDDs can have corresponding modems to phone via AC line in an active mode, not like a relatively safe for us good old passive readonly TEMPEST known earlier.

Last edited by bimon (2020-10-10 04:12:14)

Offline

Board footer