Is TCLs Cloud Mode computing really secure ?

[Pats]

Quickly perusing this thread, I did not see mention of the secure boot code.
With that you can set both root and default user passwords.

Tiny Core does not auto mount drives, therefore Tiny Core does not auto run foreign applications, i.e., pendrive insertion attack.

Good idea of secure boot code - why not to implement it ?

I wouldn't give Flash root privileges; would you?

Frankly , I also dont know the reason - why ?

Is there any latest known virus attacks or trojans noticed by anybody in Linux in general any TCL in perticular ?

By the way - why anyone will try to browse web as a root ?
Why TCL not disable brwosing web while logged in as root ? Is it possible ?

~ Pats

[roberts]

Tiny Core's "secure" boot code has been implemented since day one.

[Pats]

Hi !
Suppose I want to connect to : http://xyzxyz.com
1) What should be the ipchains rules -  if nobody except the connected site should be able to access my pc.
2) If the connected site is https:  ( Pl note the secured protocol ) - does ipchain rules needed if the above point 1)  is to be implemented ?
Kindly elaborate !
Thanks !
~ Pats

[curaga]

Do you mean that your comp should only be able to access that site, not the other way around?
If so, the following as root should work. Note that I haven't tested this
The protocol (http/https/ftp/XXX) doesn't matter with the below rules.

# Remove old rules
iptables -F
iptables -X
iptables -Z
# Don't let anything pass by default
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Exceptions to above policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d ip.of.the.site -j ACCEPT
iptables -A OUTPUT -d ip.of.your.DNS -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT

[Pats]

Hi

The rules should work for the situation, where all connections will be initiated from your pc - aka normal browsing. The site cannot connect to you without a request from your browser or another app.

Do you instead want a server, where only that site is able to access it?

- Curaga

Not a server !
As a simple user I always connect ( login as a registered user like so many other users of that site) to a perticular site for some monetary trasactions !
And during such transactions I want that my computer should NOT be accessible by anybody else except that perticular site ( as that site checks for presence of a cookie on my PC intermitently).
I hope I am clear this time .
Waiting for the answer!
Thanks !
~ Pats

[Pats]

One more Q !
Is the - ip.of.the.site - must ?
Can I use the xyz.com insted of ip.of.the.site ? (Although I have the ip of the site also !)
Thanks !
~ Pats

[curaga]

No, I think iptables only takes ip addresses.

[Pats]

Thanks again for prompt reply !
( As I said I hate to disturb sending private messages, but some topics - including this gets locked sometime - saying only Adnib/Moderator can reply ).

Now trying to figure out how to close some un-necessary ports on my PC using man pages of nmap, will disturb You - if need be arised .
Thanks !
~ Pats

[curaga]

If this thread is unavailable, and you think the info would be useful to others as well, please create a thread in one of the other sections.

[Pats]

Well I am un-able to post here thru Dillo , but now I can post thru mozilla and other browsers !
I am posting here , cause I just hope to keep all security related my Q/A in one thread for further archieving - thats all !

[ShatteredDaylight]

Well depending on how sensitive data is I might add/summarize that in additional to all previous posts you should definitely consider these:
!. If you're using a router make sure that's the main focus of you efforts. But not to the point of neglect for others.
2.don't even for a second consider keeping admin available on the router. Use it for maintanence only and go offline if you ever do use it. And make sure the password is ENCRYPTED most routers won't do this by default so make sure you check.
3. Take note that the more sensitive the data is or the more someone is likely to care and the more extreme you need to get. And the more extreme you get the hotter a target you paint. But a general first thing to note is that the more info they have about the system (MAC address and so on) the easier it will be to get it no matter what levels of encryption, etc. you have (examples of beating encryption include denial of service attacks). Encryption in the end is really only good for keeping data secret. Not protection.
4. A good first step is keeping your ip and MAC secure. Your MAC can't really be hidden except by putting a buffer between you and the computer in question(this buffer is your router usually). IPs are more critical in that they're stored everywhere and not usually in you control. A solution is to have a changing IP address so that the router has no info about it until connection. This will slow down the router as it will prevent IP caching in the IP table but will prevent the most sure source of info from having much info at all. Depending on the number of computers behind the router this could become infeasible quickly (for example the securest way would be to write a random number generater that rewrote your IP every send but that would quickly create IP conflicts as computers would have the same IP).


As far as I know TC would be the most secure if only for its non-persistency of apps. However I would also advise putting some sort of lock on permissions to access the boot files as well as others. I'm not sure if you can actually do this in TC as I haven't got it running yet but a basic way should be just to unmount and force it to stay unmounted.

Note: I'm not an expert in security. But people do hire blitz teams for that purpose and I have hacked several servers with nothing but some CISCO knowledge , ping, trace, telnet, and a directory of the networks's host computer names built with global directory.

[Pats]

Well depending on how sensitive data is I might add/summarize that in additional to all previous posts you should definitely consider these:

My God ! You are quite deep in yr security know-how ! I have some more Qs abt security settings which I will be posting here latter, presently I am RFFMing some linux articles and man pages !
So let us meet again here with some more Qs from me. Thanks really !
~ Pats

[Pats]

Are all of the TCs Repo mirrors safe & secure for dnloading exts ?
Or are any of them black-listed bt TC or others ?
How to find trojans / Finder tools while one i online ?
Pl clarify !
Thnks!

~ Pats

[tinypoodle]

Thanks again for prompt reply !
( As I said I hate to disturb sending private messages, but some topics - including this gets locked sometime - saying only Adnib/Moderator can reply ).

Just try to disregard, seeing this message on top of reply box I am typing in right now
(While using links in graphics mode on console)