Re: Re (3): Multiplicity of accounts.
I'm feeling talkative today:

On Fri, Oct 4, 2013 at 4:20 AM, John Hasler jhas...@newsguy.com wrote:
> Jerry Stuckle writes:
>> Plus, this being a Debian list, there are few Linux virii and trojans out there.
>
> Can you name any?

http://en.wikipedia.org/wiki/Linux_malware

which came up when I did a Google search on linux malware.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
Re: Re (3): Multiplicity of accounts.
On Fri, Oct 4, 2013 at 12:47 AM, peasth...@shaw.ca wrote:
> From: Jerry Stuckle jstuc...@attglobal.net
> Date: Thu, 03 Oct 2013 09:27:28 -0400
>> ... [local user compromise(?) is] not where the leaks occur.
>
> If someone can review the greatest hazards or give a link to a document, that would help many of us.

I posted this in another branch of this thread, but since it contains some of the information you ask for, I'll post it here, too. It's a starting point.

http://en.wikipedia.org/wiki/Linux_malware

But basically, once you understand that a web browser is running someone else's code on your machine, under the user id that the browser is running under, which is the user id that you logged into your machine with, well, imagination is the limit.

There is no greatest hazard to protect yourself from and then feel comfortable.

I'm trying to work up a set of blogs that explain some best practices, but there aren't really any best practices that are effective right now.

Well, refraining from surfing the web logged in to the user that you do your bank business with is probably good enough for many people, but you have to consider what packages you have loaded, what kinds, how many, who packages them for you.

I would not do bank business using a computer running Wine. It's not that I remember specific vulnerabilities in Wine, but Wine is providing libraries that allow MSWindows binaries to run. That means that some MSWindows Malware will run if you click the link in the e-mail. Running as a non-root user may help limit the damage to the local user, but there may be an escalation path.

One thing I'm thinking about is buying an ARM chromebook, wiping Chrome, and installing Debian, and keeping that as the dedicated bank browser machine.

You probably don't have to go that far at this point in time, but you need to keep a log of what hits your router and what gets through (both sides) to have an idea of how safe your local LAN is.

>> [Managing userids and passwords] not all that hard if you come up with a system.
>
> Clever idea. My system wasn't so simple and effective.

Once you understand the idea of making things memorable to yourself, and learn to think about the memes floating around and how passwords should avoid them, there are quite a few tricks.

I personally just leetspeak nonsense or semi-nonsense phrases. I used to use something like wiredvibes, leetspoke, for an admin account because wired reminded me of the network. (That password was retired many years ago.)

The initial letters of a line or lyric you know, as Jerry suggested, is another one, but I'd use the second letters at least in some cases, and I'd avoid the more well known lines from well-known literature. "To be or not to be" is probably now in the cracking dictionaries in several forms, including leetspeak. And well-known quotes from Star Trek or The Matrix will also likely end up in such dictionaries at some point or other.

If you are likely to have an attack directed specifically at you, avoid personal information. Don't use, for instance, the name of your dog in combination with a family member's name. (For several reasons.)

And you should probably also avoid swear words or the names of deity, especially words that you tend to use regularly. Memes, you see.

> Thanks, ... Peter E.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
Re (3): Multiplicity of accounts.
From: Jerry Stuckle jstuc...@attglobal.net
Date: Thu, 03 Oct 2013 09:27:28 -0400
> ... [local user compromise(?) is] not where the leaks occur.

If someone can review the greatest hazards or give a link to a document, that would help many of us.

> [Managing userids and passwords] not all that hard if you come up with a system.

Clever idea. My system wasn't so simple and effective.

Thanks, ... Peter E.

--
Tel +13606390202
Bcc: peasthope at shaw.ca
http://carnot.yi.org/
Re: Re (3): Multiplicity of accounts.
On 10/3/2013 11:47 AM, peasth...@shaw.ca wrote:
> From: Jerry Stuckle jstuc...@attglobal.net
> Date: Thu, 03 Oct 2013 09:27:28 -0400
>> ... [local user compromise(?) is] not where the leaks occur.
>
> If someone can review the greatest hazards or give a link to a document, that would help many of us.
>
>> [Managing userids and passwords] not all that hard if you come up with a system.
>
> Clever idea. My system wasn't so simple and effective.
>
> Thanks, ... Peter E.

I don't know of a single place where that information is available. I've learned it from years (around 18) of programming on the internet, lots of newsletters and understanding how reported incidents occurred.

It used to be the biggest threat was things like key loggers being installed on users' computers by trojans, capturing passwords and sending them over the internet. But most people (at least the smart ones) are now running some type of anti-virus software which catches that entry. It is still a problem, but not as much as other ways. Plus, this being a Debian list, there are few Linux virii and trojans out there. Plus, running as a non-root user limits what a trojan can do.

But people using the same userid/password on multiple sites is still a huge problem. That's why hacking relatively innocuous sites to get userid/password lists is so big; they really don't care about breaking into that site (which typically isn't as secure as your bank, or good eCommerce sites, for instance). What they want are the userids and passwords which are also used on more secure sites. That's why the recommendation to use different passwords (even if you use the same userid) on different sites.

There are other ways also, but we're really getting off topic for this list.

Jerry
Re: Re (3): Multiplicity of accounts.
Jerry Stuckle writes:
> Plus, this being a Debian list, there are few Linux virii and trojans out there.

Can you name any?

--
John Hasler
jhas...@newsguy.com
Elmwood, WI USA
Re: Re (3): Multiplicity of accounts.
On 10/3/2013 3:20 PM, John Hasler wrote:
> Jerry Stuckle writes:
>> Plus, this being a Debian list, there are few Linux virii and trojans out there.
>
> Can you name any?

Not off hand, but then that doesn't mean there aren't any.

Jerry
Re: Re (3): Multiplicity of accounts.
Jerry Stuckle wrote:
> But people using the same userid/password on multiple sites is still a huge problem. That's why hacking relatively innocuous sites to get userid/password lists is so big; they really don't care about breaking into that site (which typically isn't as secure as your bank, or good eCommerce sites, for instance). What they want are the userids and passwords which are also used on more secure sites. That's why the recommendation to use different passwords (even if you use the same userid) on different sites.

Agreed. This article states that the average web user has 25 accounts but uses an average of 6.5 passwords across them. I think that is a low number of accounts for the average user these days. If anyone is reusing account names and passwords hopefully this article will scare them out of that bad practice. (shudder)

Why passwords have never been weaker—and crackers have never been stronger
http://arstechnica.com/security/2012/08/passwords-under-assault/

And of course everything worth discussing has already been on XKCD.

Password Reuse
http://xkcd.com/792/

Bob
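Added example, not part of any message in this thread: a local audit of the password-reuse exposure that Jerry Stuckle and Bob describe above. It groups accounts that share a password and lists which other accounts open up when one site's userid/password list leaks. The vault entries, site names and function names are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample vault: (site, userid, password). All values are made up.
VAULT = [
    ("forum.example", "pat", "Sunf1ower-42"),
    ("bank.example", "pat", "Sunf1ower-42"),
    ("shop.example", "pat.s", "Sunf1ower-42"),
    ("mail.example", "pat", "rQ7!tangle-moss"),
    ("wiki.example", "pat", "lamp-otter-9vK"),
]

def fingerprint(password, key):
    """Keyed digest so accounts can be grouped without the report holding plaintext."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()

def reuse_clusters(vault, key=None):
    """Return lists of (site, userid) that share one password, largest first."""
    key = key or secrets.token_bytes(32)  # per-run key, never stored
    groups = defaultdict(list)
    for site, userid, password in vault:
        groups[fingerprint(password, key)].append((site, userid))
    clusters = [sorted(g) for g in groups.values() if len(g) > 1]
    return sorted(clusters, key=len, reverse=True)

def exposed_by_breach(vault, breached_site):
    """Other sites that accept the password leaked from breached_site.

    same_userid marks entries where the leaked pair works unchanged.
    """
    leaked = {p: u for s, u, p in vault if s == breached_site}
    exposed = []
    for site, userid, password in vault:
        if site != breached_site and password in leaked:
            exposed.append({"site": site, "same_userid": userid == leaked[password]})
    return sorted(exposed, key=lambda e: e["site"])

def accounts_per_password(vault):
    """Average number of accounts protected by each distinct password."""
    return len(vault) / len({p for _, _, p in vault})

if __name__ == "__main__":
    for cluster in reuse_clusters(VAULT):
        print("shared password:", ", ".join(site for site, _ in cluster))
    print("if forum.example leaks:", exposed_by_breach(VAULT, "forum.example"))
    print("accounts per password: %.2f" % accounts_per_password(VAULT))
```

Run against a real export, any cluster that contains both a low-value site and a bank or mail account is the first password to change.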