The officially official Devuan Forum!

#26 2024-02-14 09:28:34

aluma
Member
Registered: 2022-10-26
Posts: 533  

Re: Securing my/our computer systems

The contents of SMBIOS can be viewed from Linux.
https://www.baeldung.com/linux/bios-access-info

P.S. I really don't know how this can help.
As far as I understand from the experience of fiddling with laptop BIOS, any surprises are possible.
Win replaces the BIOS entry with its own submenu.
Well, if the Win license key is flashed into the BIOS, you can reinstall it.
If not, replacing what was preinstalled by the manufacturer is either impossible, or even blocks entry into the BIOS.

Last edited by aluma (2024-02-14 09:48:09)


#27 2024-02-14 14:16:34

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

Thank you aluma, I'll check it out.

cheers!


pic from 1993, new guitar day.


#28 2024-02-15 22:23:20

zapper
Member
Registered: 2017-05-29
Posts: 856  

Re: Securing my/our computer systems

@golinux alas, some people will only talk to people on Facebook. But that being said, it's always better to avoid it as much as possible. Facebook is much like Google and their search engine, a pile of crap that no one really should want.

@Glenn

ahh yes, madaiden github...

those tips that... from that person who made that lie github page.

Don't take that person's opinions seriously.

This person thinks that proprietary software is more secure than open source or, if you prefer, more secure than libre software.

Point being, a bunch of empty air. :P

An example:

https://madaidans-insecurities.github.io/linux.html

Windows is not ahead of Linux in any security-focused way. Quite the opposite... which this page lies about.

Last edited by zapper (2024-02-15 22:25:10)


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!


#29 2024-02-15 23:27:44

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

Thanks zapper, It's good to get a confirmation that I'm not going mad. I thought that may be the case... with "madaidans-insecurities".

aluma: the smbios program is quite interesting, great to see all those details...

I had thought I might find some devious code, or expose a back-door... maybe, when I get more acquainted with the program/s.

One thing I found was the python error with "info" and python3. (this system is not set up for programming, as such, but I may compile source if required)

root@GamesBox:/root  smbios-token-ctl --dump-tokens-csv
ID,Type,Value,Name,Setting
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/libsmbios_c/smbios_token.py", line 134, in __iter__
    raise StopIteration
StopIteration

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/sbin/smbios-token-ctl", line 475, in <module>
    sys.exit( main() )
              ^^^^^^
  File "/usr/sbin/smbios-token-ctl", line 384, in main
    dumpTokensCsv(tokenTable, tokenXlator, options)
  File "/usr/sbin/smbios-token-ctl", line 246, in dumpTokensCsv
    for token in tokenTable:
RuntimeError: generator raised StopIteration
root@GamesBox:/root  

progress... hardware.
I took my box apart yesterday and cleaned the case, and all the fans and filters. And rewired everything to look neater and more organised. also removing hardware like hdd drive bay shelves. A Fractal case.

I reset the cmos to defaults, still on the latest bios version for my motherboard.
Reconfigured the bios to switch off unneeded resources, like eth, audio... the serial port irq reservation (having no printer/scanner attached).

after a few reboots, I had the bios boot setup as I like it, and managed to get full clock out of the ram
(up until yesterday it ran at ~3200, today it runs as spec, 3600) a nice surprise. And with performance boost turned off, clocked the cpu back up to 4000.

I also found I had not fitted the nvme ssd correctly with the mounting as well as the heatsink (this may be why it was rebooting!!!). The plastic film was still on the heatsink (had shrivelled the plastic film a bit but not permanently damaged the heat-transfer compound).

So, now with less chance of overheating I wait to see if any surprise reboots come to being (like a ghost in the machine or something).

I strive for progress, not perfection... and I think I'm making headway towards that.

Thank you for contributing and taking the time to read.

cheers

Last edited by GlennW (2024-02-15 23:30:26)
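
Why a traceback of this shape occurs, as an added example (not code from libsmbios and not part of the post above): since Python 3.7 (PEP 479), a StopIteration raised inside a generator body is converted to RuntimeError with the StopIteration attached as its cause. The class and function names below are hypothetical stand-ins for a token table and a CSV dump; the token values are constructed.

```python
"""Reproduce 'RuntimeError: generator raised StopIteration' (PEP 479)."""


class LegacyTokenTable:
    """Hypothetical stand-in that ends iteration the pre-3.7 way."""

    def __init__(self, tokens):
        self._tokens = list(tokens)

    def __iter__(self):
        index = 0
        while True:
            if index >= len(self._tokens):
                # Python 2 idiom. This method contains `yield`, so it is a
                # generator, and PEP 479 turns this raise into RuntimeError.
                raise StopIteration
            yield self._tokens[index]
            index += 1


class FixedTokenTable(LegacyTokenTable):
    """Same table, but the generator ends with a plain return."""

    def __iter__(self):
        index = 0
        while True:
            if index >= len(self._tokens):
                return  # the supported way to finish a generator
            yield self._tokens[index]
            index += 1


def dump_csv(table):
    """Return (rows, error). rows holds what was emitted before any failure."""
    rows = ["ID,Value"]
    try:
        for token_id, value in table:
            rows.append(f"{token_id:#06x},{value}")
    except RuntimeError as exc:
        cause = type(exc.__cause__).__name__
        return rows, f"{type(exc).__name__}: {exc} (cause: {cause})"
    return rows, None


if __name__ == "__main__":
    # Constructed sample tokens; an empty table fails right after the header,
    # which is the pattern in the quoted terminal output.
    for table in (LegacyTokenTable([]),
                  LegacyTokenTable([(0x0001, "on")]),
                  FixedTokenTable([(0x0001, "on")])):
        rows, error = dump_csv(table)
        print(type(table).__name__, rows, error)
```

The failure is a Python 2 to 3 porting defect in how iteration ends, not a sign that the token data was read incorrectly.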



#30 2024-02-16 03:50:35

pcalvert
Member
Registered: 2017-05-15
Posts: 195  

Re: Securing my/our computer systems

GlennW wrote:

I am considering switching facebook to a different browser, instead of the most convenient ff-latest,

Like flashpeak-slimjet, it's a pain to set up because I don't use sudo, but it has its own sandbox...

I would not use Slimjet. I recommend using Chromium instead.

If you do use Chromium, be sure to also install its sandbox:

# apt install chromium chromium-sandbox

However, using complete physical separation is a better approach. Your message stimulated me into thinking about this some more, and I am now considering buying an inexpensive tablet PC to use for Facebook. Either that, or an inexpensive Android smartphone with a fairly large screen. But probably not, though, since I hate browsing the web on a phone.

And there's another good reason for choosing an Android tablet. Although Android is based on Linux, Google has done a lot of work on hardening the OS. However, if you decide to go this route, do not install the Facebook app. If it comes preinstalled, uninstall it or, if that's not possible, disable it. At least one privacy expert has stated that the FB app is essentially spyware.


Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.


#31 2024-02-16 09:39:26

aluma
Member
Registered: 2022-10-26
Posts: 533  

Re: Securing my/our computer systems

@GlennW
Cooling can be checked completely objectively. My SSD supports smart and shows the temperature. And there are stress tests for the processor. Lenovo limits it to 10 minutes on its test disk. The temperature of my laptop's processor rose to 72 degrees and did not rise further.
Old radio textbooks said that reducing the operating temperature by 10 C doubles the service life.

@pcalvert

or an inexpensive Android smartphone with a fairly large screen

Then at least well-known brands.
I had two of them, one 10" with a bluetooth keyboard (China with Polish brand), the second 7" from this "company"
https://www.devicespecifications.com/en/brand/18201a2
Both died in the 3rd year due to memory failure.

The last one is noteworthy.
After the end of the warranty period (1 year), the technical support site where there should have been updates stopped opening. And in the second year, some other one opened instead and installed some other programs. I had to do a hard reset.

I was left with the impression that the refusal after the end of the guarantee was planned in advance and was done programmatically. Maybe I'm wrong.

I just gave up on androids and bought a small used laptop.

Regards.

Last edited by aluma (2024-02-16 10:17:00)


#32 2024-02-16 16:33:51

bilhook
Member
Registered: 2024-02-13
Posts: 47  

Re: Securing my/our computer systems

About a month ago I installed webext-ublock-origin-chromium, a current version which is in testing.
Configuration, don't need to do anything, just install it.
Works with the bank, Ebay etc.
Now I find using the internet shit without it.


#33 2024-02-16 23:04:55

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

Hi, there is so much out there I haven't heard about... Thanks for the tips on browser filtering.

On this "Web Browser" I have eMatrix, it's quite good.

But before that even gets a chance to do much of anything, I have a host file web-address advertisement blocker, set up from here...
https://www.putorius.net/block-unwanted … ts-on.html

On FF-latest I use noscript.

The flashpeak-slimjet has a sandbox, but I rarely use slimjet, at some point I installed it (and keep it updated) to hide my surfing history from my house mates (I've moved away from them now...) who were very suspicious of my use of linux (Must be a gold digging hacker!) and I often found evidences of someone going through my stuff while I was out of the house. as a side note... I set up "motion" and a web-cam on my laptop (in the bookshelf) to film them wandering around checking my drawers, but they couldn't turn my PC on/login. Windows gamers, who thought they would get the upper hand.

I have ff-esr just for web-radio, and the occasional web search (google). I find duckduckgo finds most of what I need.

I have tor for downloading movies... with qbittorrent for iso images from Linux distros, like Devuan, or anything else I want to try out. Trinity and slack on my laptop... Slack looks too hard to set up from scratch, bit like gentoo, but I have looked.

I set up lm-sensors (sensors-detect) for monitoring sensors in the box.

For displays, I have gkrellm and conky, which have a little lag time, but are helpful to see at a glance what the heck is going on for fans, temps and voltages, as well as proc/cpu, mem, swap and drive usage and top.

It gets hot here sometimes, so my box is set up to flow through, with 4 case fans, the TruePower 750W has its own fan, and the Graphics has its pair, and the cpu is a noctua dual fan as well. I really should check my power consumption, but with solar panels on the roof, we pay sweet f.a. for electricity.

Right now, with all the fans maxed out, and about 26c ambient, gpu is 35c (fans 80%), cpu is 36. and I have 2 browsers open, and Konsole is doing apt update checks. and some system check script (it's just a list of jobs).

With a new battery just installed in my lappy, I'm considering using it with slax just for Face-crook. I'm getting scammer invites a couple times a week, with wat-a-sapp as well (though I rarely use that).

Anyhow, thanks for the heads-up, I will keep all these tips in mind and test them out at some stage.

Thank you



#34 2024-02-19 01:02:00

zapper
Member
Registered: 2017-05-29
Posts: 856  

Re: Securing my/our computer systems

@GlennW fun fact, btw, minus the fun. :P

But seriously, that github is mocked on reddit and I have trolled them as well in the past. :D

I did so making a fake issue on github.

LOL!

I wonder how many other social media websites make fun of them.

They must think people are stupid to why corporations even are funding "open source"

Preferably libre software because it's open source minus the possibility of proprietary with a huge focus on freedom.



#35 2024-02-19 04:10:36

pcalvert
Member
Registered: 2017-05-15
Posts: 195  

Re: Securing my/our computer systems

zapper wrote:

Don't take that person's opinions seriously.

This person thinks that proprietary software is more secure than open source or, if you prefer, more secure than libre software.

Point being, a bunch of empty air. :P

An example:

https://madaidans-insecurities.github.io/linux.html

Windows is not ahead of Linux in any security-focused way. Quite the opposite... which this page lies about.

I don't agree with you. It's very clear from this person's writings that he is very knowledgeable about matters of computer security.

You misrepresent what this person wrote. He never claims that Windows is more secure than GNU/Linux. What he does is provide numerous examples showing that other operating systems, including Windows, are making progress addressing different security issues, while Linux is basically standing still. And when he talks about Linux, it appears to me that he is really only talking about kernel development.

I sometimes use Windows 10 because some useful software runs only on Windows (and sometimes MacOS as well). Because it's a proprietary OS, I don't really trust it -- I believe that the likelihood of built-in backdoors is high. As such, it only gets access to the internet when it's absolutely necessary. However, in its defence, Windows 10 has built-in security features (most disabled by default) that allow me to lock it down so tightly that any unknown program that gets onto the system will be blocked and will not run. I wish that I could do the same on GNU/Linux, but so far I have not found any simple, easy way to replicate that behavior on Linux.

Getting back to Linux, one of Madaiden's recommendations is to use Alpine Linux. That seems like very good advice to me. Alpine Linux has no systemd, uses musl instead of libc, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. Unfortunately, it does not appear to be a good choice for novices.



#36 2024-02-19 23:35:01

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

Hi, thank you for your contributions.

I feel obliged to state that this PC has not faulted since I cleaned the fans and re-seated the nvme ssd correctly.

I still have a few un-answered queries that I will uncover myself in time, thanks to your contributions and tips.

ie, the fans switching off, and the system time being changed randomly...

I have a picture of gkrellm to show the temps. I hope it works.

[Image: GamesBox.GlennsPref gkrellm system monitor]



#37 2024-02-20 04:59:32

aluma
Member
Registered: 2022-10-26
Posts: 533  

Re: Securing my/our computer systems

@GlennW
My laptop, Daedalus 5.0+Trinity DE+chromium+system monitor tde=176 processes. You have 778. Or did I misunderstand gkrellm?

Regards.


#38 2024-02-20 21:06:58

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

...a picture of gkrellm to show the temps. I hope it works.
[Image: GamesBox.GlennsPref gkrellm system monitor]

aluma, This is my desktop box. Running Daedalus, Plasma/kde5. right now it has 846 processes, now 830... But I have just booted for this morning.

Last edited by GlennW (2024-02-20 21:09:03)



#39 2024-02-20 22:11:08

aluma
Member
Registered: 2022-10-26
Posts: 533  

Re: Securing my/our computer systems

@GlennW
Thank you.
I was wrong when comparing different things.
I installed gkrellm to compare readings. It shows 323 procs and top at this time in the terminal 179 tasks.

Regards.


#40 2024-02-20 22:50:32

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

That's quite alright, I was not very particular in my description either.

This pic is my "GamesBox", everyday computing. I have 4 distros installed, and 2 of them are basically unused. Debian Bookworm, Kali (rolling release), Ubuntu-Studio & Devuan Daedalus-Plasma.

this pic was after I re-assembled and checked if it would still work :-) All my fingers were crossed, static is a real danger...
[Image: GamesBox, Fractal Case]

Cheers



#41 2024-02-22 12:21:43

zapper
Member
Registered: 2017-05-29
Posts: 856  

Re: Securing my/our computer systems

@pcalvert

He doesn't really make it clear that he is talking about the kernel and also, windows security features of being locked down are largely meaningless due to being proprietary and it having backdoors.

Linux can be hardened if you know how, however. firejail is one way. I don't understand the criticisms about firejail either. Besides, windows executables are marked as executable once downloaded. The same is not true for linux. Which is why windows gets malware easily... so yeah...



#42 2024-02-22 22:02:22

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

@ zapper

Oh,...my bad, I didn't mean to leave out the kernel... like "madaiden's" page.

I am talking about the entire system, motherboard controls, booting and the OS.

Only Devuan for security (keeping things out), the other os's are for test-driving and ideas.



#43 2024-02-24 21:59:23

fanderal
Member
Registered: 2017-01-14
Posts: 54  

Re: Securing my/our computer systems

GlennW wrote:

securing my system from being hacked

Great thread. Got me curious so I looked up 'hacked bios' and in the list of alternate searches was 'hacked bios download.' A number of sites have tools (for good or ill) to hack/edit most any bios.

Among many similar, null-byte.wonderhowto_com had these articles:

How To Scan for Vulnerabilities on Any Website Using Nikto
How To Crack SSH Private Key Passwords with John the Ripper
How To Crack Shadow Hashes After Getting Root on a Linux System
How To Gain SSH Access to Servers by Brute-Forcing Credentials
Hack Like a Pro How to Find Directories in Websites Using DirBuster
iOS 17 Tips, Tricks, How-Tos, News
How To Find Anyone's Private Phone Number Using Facebook

Found a 2015 'BIOS Hacking' article at Schneier:

We’ve learned a lot about the NSA’s abilities to hack a computer’s BIOS so that the hack survives reinstalling the OS. Now we have a research presentation about it.

https://www.schneier.com/blog/archives/ … cking.html

I've tested ports at grc_com going back to WinXP days. Good site for learning although it's mainly for Windows. A recent test on Common Ports with NoScript set to 'Trusted' for grc:

GRC Port Authority Report created on UTC: 2024-02-14 at 00:20:52

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
    0 Ports Closed
   26 Ports Stealth
---------------------
   26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

Did a test at youtube. Ran macchanger and restarted the router for a new IP, and found youtube's 'suggestions' were the same videos I'd watched the day before, despite watching a completely unrelated video. Next day, after macchanger and router, I booted TinyCore from a USB. Although watching a video unrelated to those I'd previously watched, youtube's 'suggestions' were what I'd watched both previous days.

Seems youtube's had my MAC address, stats and profile for as long as I've had this hardware. Google's everywhere and can likely identify public facing hardware no matter what security is used. I assume the other major and social networks can do the same.

While talking with neighbors when Facebook first became a hot site, I mentioned to one I wasn't interested in joining Facebook. When she said she'd never emailed me about joining I rechecked her email. Facebook was stealing members' contact lists and sending invites to contacts in the member's name. Dunno if they still do it but I've stayed away from social networks since then. When I volunteered I suggested members change their Facebook's registered email to another email with no contacts, and not use FB's in-house mail.

Got two versions of Devuan, each on a SSD, and keep personal stuff and backups on two parked HDDs. FF is for general and Waterfox for email, with NoScript, PrivacyBadger, a few 'about' page tweaks and no stored passwds. I try to keep apps/services/firmware which listen to a minimum, or block when possible. Eg: iucode-tool firmware is not installed as a tiny OS inside Intel CPUs uses it to 'phone home.' Also keep ~50 default modules blacklisted.

Guess it's a balance between security and what's comfortable to maintain. It's feeling like I'm doing something yet knowing nothing I do can prevent a seriously targeted attack.

Appreciate all the tips and ideas.
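
A local counterpart to the external GRC scan quoted above, as an added example (not part of the original post): it parses /proc/net/tcp-format text, lists sockets in LISTEN state, and marks which are bound beyond loopback and which fall outside the 26 ports the GRC common-ports test covers. The sample table is constructed, the function names are hypothetical, and a little-endian host (x86, most ARM) and IPv4 only are assumed.

```python
"""List local TCP listeners and compare them with GRC's common-port set."""
import socket
import struct

# Port set copied from the GRC "Common Ports" report quoted in the post.
GRC_COMMON_PORTS = {0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143,
                    389, 443, 445, 1002, *range(1024, 1031), 1720, 5000}

TCP_LISTEN = 0x0A  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not taken from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222
   2: 0A00A8C0:0203 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333
   3: 0A00A8C0:D431 010200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444
"""


def parse_listeners(text):
    """Return (ip, port) pairs for sockets in LISTEN state, sorted by port."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue  # skip short lines and non-listening sockets
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order;
        # "<I" assumes a little-endian host.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return sorted(listeners, key=lambda pair: (pair[1], pair[0]))


def audit(text):
    """Annotate each listener with its exposure and GRC scan coverage."""
    findings = []
    for ip, port in parse_listeners(text):
        findings.append({
            "ip": ip,
            "port": port,
            # Anything not bound to 127.0.0.0/8 is reachable from the LAN.
            "exposed": not ip.startswith("127."),
            # False means the GRC common-ports test never probed this port.
            "in_grc_scan": port in GRC_COMMON_PORTS,
        })
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp", encoding="ascii") as handle:
            table = handle.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    for item in audit(table):
        print(item)
```

A "stealth" result from outside only describes what the router lets through; a listener reported here as exposed is still reachable from other machines on the same LAN.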


#44 2024-02-24 22:22:50

zapper
Member
Registered: 2017-05-29
Posts: 856  

Re: Securing my/our computer systems

@fanderal

Interesting, didn't know that intel ucode did that. Although there is a better option still, use a more libre bios, such as coreboot and have intel me disabled. You need to buy from an OEM though who would disable it for you though.

;)

Otherwise, you are on your own regarding intel me.

Securing a computer requires three things to my knowledge:

Using as few blobs as possible, wifi included preferably meaning ath9k or similar

Coreboot + disabled me or similar

A distro that doesn't have blobs installed and refusing proprietary software that does remote dialing which means basically most of it.

Technically, emulators do use proprietary software, but they don't escape their sandboxes much if at all.

I currently use iceweasel-uxp + ematrix, httpsalways, httpsinquirer, modifyhttpresponse (blocks some useragentsniffers!) a custom ublock origin legacy, getemall, greasemonkey fork and other minor stuff.  icedove-uxp and no other addons which means no google accounts!

Using a firefox equivalent, with arkenfox config and privacy badger, ublock origin and some script blocker is wise too though if you don't use the above.

The rest? Idk...

I've still been using Hyperbola. They were struggling with some issue, but I think they are getting back on track now.

Devuan however, I have on my other SSD for disk cloning.

Having two SSDs on a computer can be wise sometimes. :)



#45 2024-02-24 22:31:10

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

Hi fanderal, thank you for your post.

I've tested ports at grc_com going back to WinXP days.

me too, and I agree.

I keep finding some ports open, like telnet and LP...

I used zonealarm with winxp and it seemed secure enough to stop all but serious targeted attacks (which I had no evidence of, or effects)

Facebook was stealing members' contact lists and sending invites to contacts in the member's name. Dunno if they still do it but I've stayed away from social networks since then.

I think FB is still doing that. Any of my actual friends have denied trying to contact me via those methods.

I'll have a read of the schneier post very soon. I find this topic very interesting, to say the least.

I must say, I am not a gold digger and I don't have anything to steal, or hide for that matter but it's annoying when the pc crashes.

But please keep in mind that since I reseated the nvme ssd I haven't had any crashes.

So, as educational as this experience has been it seems more and more that this was my mistake,
poor eyesight when I installed and started using the nvme drive.

Thank you for the info.... I am in the process of weaning myself off FB and google apps, including email and chat.



#46 2024-02-24 23:02:35

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 590  

Re: Securing my/our computer systems

Thanks zapper...



#47 2024-02-25 05:20:45

zapper
Member
Registered: 2017-05-29
Posts: 856  

Re: Securing my/our computer systems

@glennW the coreboot + intel me disabled + ath9k wifi card thoughts should be more than sufficient for most.

The ath9k wifi card is if you don't want to depend on non-free software blobs in particular.



#48 2024-02-25 18:40:54

fanderal
Member
Registered: 2017-01-14
Posts: 54  

Re: Securing my/our computer systems

@zapper

The iucode leak was discovered and a free fix is available, but I didn't wanna mess with replacing bios code. Same reason I haven't done the coreboot. Got a good repair shop in a local retailer and I'll ask the next time I'm there.

Intel's me expanded into more modules, same for the expanding aes* security modules. Seems more of their stuff is added to each new kernel version... the difference between Beowulf and Ceres kernels in CPU use and ram is noticeable.

Agree with you about security. Wifi isn't a problem 'cause I use a wired connection, and only turn on the router's wifi when family or friends are here.

Used eMatrix for a while with PaleMoon and liked it. Got Icecat installed but haven't used it much. Hadn't heard of arkenfox but looked into Ghack's user.js. Do you know if it's as effective as claimed?

Hyperbola seems a fine OS. Tried installing in VBox and after much effort, realized I was using instructions of a different version than I was trying to install. One of those duh moments. :) I'll give it another go soon.

Thanks zapper.


#49 2024-02-25 18:41:45

fanderal
Member
Registered: 2017-01-14
Posts: 54  

Re: Securing my/our computer systems

@GlennW

You're welcome, Glenn. WinXP days, with Netscape, Winamp, Zonealarm and stopping by grc to read and learn. Ever use BlackViper's site to configure services?

I keep finding some ports open, like telnet and LP...

Haven't seen it here but I'll keep an eye out. Did you find that from grc's All Ports test, another site's test or local?

I reseated the nvme ssd I haven't had any crashes.

That's good news. Hard to tell initially... sometimes it's easy and sometimes it's anything but.

You might try LibRedirect when at FB. It's a FF addon that redirects the connection to youtube and most social sites through privacy friendly frontends.

I used to use LibRedirect to watch/download youtube videos with youtube and googlevideo disabled in NoScript. Since youtube began splitting audio from video I had to download them separately. Used ffmpeg to join the m4a and mp4 but it became tedious. Started using sites like youtube4kdownloader_com and 9convert_com/en404 to download a video with audio.

Thanks for starting this thread, Glenn.


#50 2024-02-25 19:35:17

aluma
Member
Registered: 2022-10-26
Posts: 533  

Re: Securing my/our computer systems

Daedalus 5.0 is almost default in terms of security. Result from here
https://www.grc.com/shieldsup
[Image: 27.jpg]
