Harden Trisquel

9 replies [Last post]
cinnamon

Joined: 03/06/2015

Hi, is there a Trisquel hardening script?

I know there are several guides to increase the security of our OS, like this one for Ubuntu, https://github.com/micahflee/linux_harden, but it is not quite compatible with Trisquel.

davidnotcoulthard (not verified)

I think it should be rather compatible with Trisquel (which is based on Ubuntu), but.....

Google Chrome Does. Not. make the system more secure (it's Google's browser, for goodness' sake!), and Thunderbird is what you've got with Icedove, pretty much.

Having said that I think you can do pretty much what the page claims the script to do manually (searching the web for things you'll find difficulty with should help - a lot).

cinnamon

Joined: 03/06/2015

Thanks David. I was surprised when it recommended Google Chrome (apparently because someone convinced him), but it didn't say why. I know Google Chrome is not secure, and I should not trust the script. Icedove is better than Thunderbird, like you said. The state of usability of some security software is unfortunate, but Tor and Tails have done an adequate job of bridging free software and security. However, these tools alone are not secure. I like to remind myself that it is about the process and not the destination, and that free software as a precondition is resistant to the security leaks that proprietary software has by default, while not being invincible.

marioxcc
Joined: 08/13/2014

Bear in mind that security doesn't come canned (metaphorically). You can use scripts to automate part of the process of securing a system, but you shouldn't rely on them to "harden" or whatever they claim to do if you don't understand what they do or why you would need such a thing. The Tor Project warns against the mistake of thinking of security as something that comes canned; see their warning on the download page.

Taking a look at the "What this does" section, the script you mention seems quite worthless. It doesn't seem to do anything that wouldn't be better done manually by the user according to his situation. It seems to be lacking a license, therefore it is proprietary software. Also, it installs TrueCrypt, which has been discontinued and has never been free software (see Various Licenses and Comments about Them § TrueCrypt). It also installs Chrome, which is not free software; see section 9.2 of their terms of service. Chromium apparently has licensing problems as well, but I haven't investigated further because I'm not interested in having any association with Google.

If you are interested in having a secure system, make sure to research everything you install. It's not practical to audit your system (tens of millions of lines of code), but you can check basic information before installing, such as licensing. In this case, doing so would have revealed the problems that I mentioned above. Also, you can read books about security. Don't take advice or install software without knowing what it entails and why it would benefit your security.

cinnamon

Joined: 03/06/2015

Thanks marioxcc for the lengthy response. I also believe you, or maybe others, have contributed to this discussion I proposed on IRC, and I should acknowledge them. It does seem that it would be proprietary software, but I want to put this in context for a second.

Micah Lee is a staff technologist for the EFF, Tor, and other activist organizations. Most of his code is under the GPL, and this code is a fringe script I believe he didn't mean to distribute, but I found it when I was looking through his code. I doubt he would be against using the code, reading the code, or distributing it with or without modifications. It is an old piece of code, so this was before TrueCrypt stopped development.

I also recently learned that TrueCrypt was indeed never really fully free software, so I appreciate this. I have learned Chromium has licensing problems as well, and you are right that there is a strong association with Google (they develop it). I am being careful about what I install.

The one good piece of advice I take out of this is to find some good books on this topic. What we find on the internet is sometimes scattered and hard to piece together. Trisquel does not have very detailed documentation (compared to Debian or Ubuntu), but this is also a motivation to add more and be a part of a new story for free software.

marioxcc
Joined: 08/13/2014

I'm glad that you found my comment useful.

>It does seem that it would be proprietary software, but I want to put this in context for a second.

If it actually lacks a license (rather than having a license that I didn't find), then it is proprietary software. Maybe the author wouldn't sue anybody for using it, but because of the Berne Convention, the work is automatically under the most restrictive copyright, and since no permissions have been given to use the work, using the script as if it were free software is against copyright law (see the link to the GNU licenses list). You have the technical ability to use the work while breaking the law, in the hope that the copyright holder won't bring legal action; that's not free software.

It is worrying that a contributor to high-profile projects has been so irresponsible as to publish this software without taking the necessary measures to make it fully free and removing the proprietary software installation. It doesn't matter if he didn't intend to distribute the work originally; he distributed it anyway, so he should have taken the associated measures, and if he has contributed to high-profile projects, he knows what those measures are, so there is no excuse.

I don't like copyright law, but the best we can do is to use it as a tool for our purposes, as in copyleft. Some people have an attitude by which they behave as if ignoring copyright law would make it go away or not apply to the work they make. That's a mistake, a waste of a valuable tool, and it creates the licensing problems that plague some free software projects.

I am not a lawyer and this is not formal legal advice.

cinnamon

Joined: 03/06/2015

Thanks marioxcc. It seems I am learning a lot about copyright law here. It is very complex, but now I can see why it would automatically be proprietary software.

Sim
Joined: 09/29/2013

I don't use any scripts to harden my operating system, because in doing the hardening tasks myself I can choose at each step how much convenience I'm willing to sacrifice for security. In my threat model I focus on crackers from outside, because I'm the only person who has physical access to my computer. What's your threat model? Is it similar to Micah Lee's threat model? How much convenience are you willing to give up for security? These are questions only you are able to answer.

What have I done to increase security? I stopped every service that was listening on a TCP/IP port. I use grsecurity and compile the libre Linux kernel patched with grsecurity every time an update is available. It hardens your kernel and increases every other security measure. I have written my own AppArmor profiles for every program that accesses the internet. I disabled JavaScript and Flash. I use Epiphany as a web browser and Claws Mail as a mail client so that I can use every program with mprotect enabled. I don't use wifi. I use Tails on a different computer where I have removed the hard drive.

Maybe you think some of these measures match your threat model.
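The first step in Sim's list, finding and stopping every service that listens on a TCP/IP port, is the one most people skip because they don't know what is actually bound. The script below is an added example, not code from any poster on this thread: it takes the output of `ss -H -tulnp` (header suppressed, TCP and UDP listeners, numeric ports, owning process) and reports only the sockets bound to a non-loopback address, i.e. the ones reachable from the network. The sample `ss` output embedded in `SAMPLE_SS` is constructed for the example; the process names and PIDs in it are made up.

```shell
#!/bin/sh
# Added example: audit listening sockets and flag those reachable from outside.
# Input format is that of `ss -H -tulnp` (iproute2), one socket per line:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

# Constructed sample output (not captured from a real machine).
SAMPLE_SS='udp   UNCONN 0 0   127.0.0.53%lo:53   0.0.0.0:*   users:(("systemd-resolve",pid=412,fd=12))
tcp   LISTEN 0 128  0.0.0.0:22           0.0.0.0:*   users:(("sshd",pid=781,fd=3))
tcp   LISTEN 0 128  127.0.0.1:631        0.0.0.0:*   users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0 50   [::]:445             [::]:*      users:(("smbd",pid=902,fd=34))
tcp   LISTEN 0 511  [::1]:6379           [::]:*      users:(("redis-server",pid=955,fd=6))'

# exposed_sockets SS_OUTPUT
# Prints "proto local_address process" for every socket whose local address is
# not loopback.  Loopback means 127.0.0.0/8 or ::1; an address such as
# 127.0.0.53%lo carries an interface scope id that is stripped before the test.
exposed_sockets() {
    printf '%s\n' "$1" | awk '
    {
        addr = $5
        gsub(/\[|\]/, "", addr)      # [::]:445 -> :::445
        sub(/%[A-Za-z0-9_.-]+/, "", addr)  # 127.0.0.53%lo:53 -> 127.0.0.53:53
        host = addr
        sub(/:[0-9]+$/, "", host)    # drop the port, keep the address
        proc = ""
        if (match($0, /"[^"]+"/))    # first quoted name in users:(("name",pid=..))
            proc = substr($0, RSTART + 1, RLENGTH - 2)
        if (host ~ /^127\./ || host == "::1")
            next
        print $1, addr, proc
    }'
}

# Run against the constructed sample.  On a real system, as root:
#   exposed_sockets "$(ss -H -tulnp)"
exposed_sockets "$SAMPLE_SS"
```

Everything the function prints is a candidate for `systemctl disable --now <unit>` (or for rebinding to 127.0.0.1 if the service is needed locally). Run the real `ss` as root, otherwise the process column is empty for sockets owned by other users and you cannot tell which unit to stop.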

cinnamon

Joined: 03/06/2015

Hi Sim,

Those measures should match my threat model; really, all of us must take steps to protect ourselves to some degree. I am trying to explore that boundary between convenience and security. I will try to read up on mprotect and AppArmor. This is the first time I've heard about mprotect, but it seems AppArmor and grsecurity are not impossible to set up.

Thanks!

Sim
Joined: 09/29/2013

Hi Cinnamon,

I'm glad I could help.

I learned a lot on this website: http://www.insanitybit.com

Maybe it can help you in the same way it helped me.