Security and Privacy Forum


Does Mint Need a "Security and Privacy" forum?

Yes: 99 votes (49%)
No: 4 votes (2%)
Probably Yes: 15 votes (7%)
Probably Not: 6 votes (3%)
This would be very useful!: 46 votes (23%)
Recent News says that we really need this: 30 votes (15%)
Dumb Idea: 3 votes (1%)

Total votes: 203

clfarron4

Re: Security and Privacy Forum

Post by clfarron4 »

clfarron4 wrote:The reason I made my point about tin-foil hat people was from a discussion I was having on a Google+ community for Linux Mint users. I'll link the post tonight.
Ok, so the post seems to have been deleted, but the long and short of it is that someone wants to develop a duress passphrase system that would nuke the user's home directory into oblivion, and seemed to want to do it with new rules for PAM and modifications to the way Linux stores passphrases.
monkeyboy wrote:Can someone please tell me a form of communication that governments haven't mined for information? Bottom line I never expect privacy on a public channel.
There isn't one. The post system is one way to lessen it slightly, but it is much slower. Otherwise, you're best encrypting your way to glory.
deminted

Re: Security and Privacy Forum

Post by deminted »

Months ago (Wed Nov 13, 2013 3:45) monkeyboy asked
Post by monkeyboy on Wed Nov 13, 2013 3:45 pm
Can someone please tell me a form of communication that governments haven't mined for information? Bottom line I never expect privacy on a public channel.
A direct answer might be contemplative prayer, perhaps. (But they are working on it.)

Ahem..
Do we mean to say we always expect to get run over when we cross a busy road, so it isn't worth taking any precaution?
Or we always expect burglars, so we leave our doors open because they'd get in anyway?


Explicitly - if I catch your drift correctly - I don't think that's good reasoning of yours, monkeyboy, and I don't believe that even you should make it easy for governments or other thieving crooks to get into your computer system, just because it's inevitable they can.
But you are correct when you imply that not even Linux is secure from exploits or subverted code (or subverted coding base).


To further expose the insanity of current trends in Mint (sorry, CLeF) - I've just installed Mint 16, and I find no default firewall (not that inbound-only ufw is up to much anyway - locking stable doors after horses have bolted), and I have to expose the system & go online without a firewall in order to fetch a firewall. :roll: Security consciousness would preclude this irrational behaviour.

And that root by default has no password protection at all (is that really best practice?), and Mint has no prompt to set one, or to warn any trusting soul that installs it.

From personal experience, I was seeing from sysmon that a lot of data (10% to 30% of fetched data when browsing) was disappearing upline for no apparent cause, plus my browser was regularly filling up my 8Gb core memory until it slowed the system to a crawl. I do not like this.
Then after quite a few hours(+) of delving I discovered 'apparmor' and its default profiles. I installed it, and both these problems went away (mostly!), so my current 'data sent' is less than 5% of data fetched (still too much IMO), and I rarely get to over 4Gb memory used.

But with recent changes, I find it's now impossible - in live system - to disable smbd shares (when I have no use for them), and I have an ssh-agent running which I can't get rid of (try a websearch for ssh-agent security vulnerabilities).

So what the ... is going on here? Is Mint put together by that well-trusted protective element the NSA, or is it infiltrated by mafia? Is the excision of Unity a red herring to lull us into a false sense?

I see it's become something of a hot potato because Mint was accused in a blog elsewhere of being insecure (and unsuitable for say, banking) - for slightly wrong reasons - but I see that as no reason at all to sideline discussion of security/privacy considerations and provision of tutorials & individual help where needed (even if that amounts to merely referencing more security-oriented sites).

Whatever, (IMNSHO) Mint forum, and very likely Mint development effort itself, needs its act assembled wrt the security/privacy topic.
(Even that thing about ostriches burying their heads in the sand is a myth, I'm told.)



Bump
Previous1

Re: Security and Privacy Forum

Post by Previous1 »

So what the ... is going on here? Is Mint put together by that well-trusted protective element the NSA, or is it infiltrated by mafia? Is the excision of Unity a red herring to lull us into a false sense?
Mint does prioritize "stability" over "security", even more so than Ubuntu (sometimes for reasons I can't fathom, like disabling AppArmor entirely because "it breaks pdf printing" - fwiw it doesn't), but I wouldn't go as far as calling it malignant.

There's thousands of security topics and projects on and for Linux, but most users and developers have other priorities. Even Linus himself thinks security is boring (feel free to google on that).
FreedomOfTheOpenCode

Re: Security and Privacy Forum

Post by FreedomOfTheOpenCode »

There's quite a lot of good advice about security in Linux over on the Trisquel forum at http://trisquel.info/en/forum/firewall-trisquel. It gets interesting about half-way down. There's also some good advice about DNS resolvers elsewhere on the same forum.
deminted

Re: Security and Privacy Forum

Post by deminted »

Thanks, FreedomOfTheOpenCode - useful but I think we need more in depth, more about why the common misconception that Linux is invulnerable is plain wrong, more simple tutorials, and some place for helping people who have a problem. {And maybe even some moral/political philosophy about freedoms & privacy, for those who don't understand! }
Mint users deserve to have direct access to the whys & wherefores, and the howtos, even if it is just pointing people at fuller resources elsewhere.

And also it's just possible that some Mint developers may need to be reminded occasionally of their responsibilities to the community, especially if they just feel that fundamental essentials are boring and 'in the way'.

@ Previous1
when you wrote
Even Linus himself thinks security is boring (feel free to google on that).
You could easily send people away with an incorrect view of the man's thoughts on that!

He's also said:
To me, security is important. But it’s no less important than everything *else* that is also important!
which is to say, boring but entirely necessary...
(that's without even going into the point that ordinary bugs can be massively inconvenient, and also lead to vulnerability.)

Linus Himself has also spoken (and signalled) about the attentions of the NSA, a reference here: http://www.youtube.com/watch?v=wwRYyWn7BEo

Previous1
also noted
... like, for reasons I can't fathom, like disabling AppArmor entirely because "it breaks pdf printing" - (for what it's worth, it doesn't) ...
Now there's a case in point - why is that acceptable if it is without reason, why hasn't the state of affairs been corrected - and who exactly is behind that sort of 'accidental' oversight? And should they be trusted by the rest of us?
I regret having to make that point, but it's a reality.
Perhaps I have a bias from being a former head of technical security. But that was on a different platform, and decades ago; I'm out of my depth in Linux & frankly very concerned by some people's lax approach. But then I also have wider experience & I'm pretty well the opposite of the 'black-and-white' bore Linus imagines - I do know the type - http://news.cnet.com/2100-1007-6243900.html

From development management & QA experience I'd agree with what Westerback is quoted as saying in that article, that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity, and consistency usually produces better code than other approaches."

I'd like to emphasize again that it isn't just the snooping by over-reaching governmental bodies in foreign nations (potentially passing on financial intelligence to favoured players) that is pertinent, it's that if vulnerabilities - bugs, backdoors - exist for any reason, they become available for baddies to use as much as for anyone else.
That is to say, if anyone thinks that lax or tacked-on security is an acceptable trade-off for some other form of utility, are they happy to have all your data compromised, or erased, or for all your passwords to be used by some third party?

It leaves me unhappy. And verging on TL;DR :mrgreen:

We need a security/privacy forum here.
Previous1

Re: Security and Privacy Forum

Post by Previous1 »

You could easily send people away with an incorrect view of the man's thoughts on that!
I stand corrected.

I've added my vote for a security forum. The poll is positive, and with the reasons explained to have one (besides the small effort), what's the compelling reason not to have one?
viking777

Re: Security and Privacy Forum

Post by viking777 »

MishaSherpa, I think this feature is very necessary, so have voted accordingly. I thought I voiced this concern on the forum once, but I can't find the post so maybe I am dreaming.

As devil's advocate though I also believe that the forum already has too many categories (the first one I would remove would be 'newbie questions', it is just a repository for the terminally lazy). Although having said that I wouldn't like the job of reallocating all the 'newbie question' posts elsewhere :shock:
altair4
Level 20
Posts: 11427
Joined: Tue Feb 03, 2009 10:27 am

Re: Security and Privacy Forum

Post by altair4 »

@viking777

MishaSherpa has either been excommunicated from this forum for overall hooliganism or has decided to retire to the front porch of his home and terrorize the grandkids with stories of the NSA.
Please add a [SOLVED] at the end of your original subject header if your question has been answered and solved.
viking777

Re: Security and Privacy Forum

Post by viking777 »

altair4 wrote:@viking777

MishaSherpa has either been excommunicated from this forum for overall hooliganism or has decided to retire to the front porch of his home and terrorize the grandkids with stories of the NSA.
I see you are right, and I seem to be having a 'blonde day' today. Still, never mind, I still think we ought to have a security section in the forum.
Mohr

Re: Security and Privacy Forum

Post by Mohr »

altair4 wrote:@viking777

MishaSherpa has either been excommunicated from this forum for overall hooliganism or has decided to retire to the front porch of his home and terrorize the grandkids with stories of the NSA.
Why are you talking like that? Obviously you didn't like him? Or don't you like / understand people that care for privacy?
zerolimit

Re: Security and Privacy Forum

Post by zerolimit »

From a different perspective...

Usage of Tor skyrocketed following the NSA leaks and recent anti-piracy laws overseas. People are actively looking for ways to stay secure and anonymous. Non-techies had no idea what Tor was and now big news outlets like Wired and The Guardian are running stories on it all the time.

Would a renewed commitment on security attract new Linux Mint users, and also increase our community support? Just a thought, looking at it from the benefits of a "marketing" standpoint.
clfarron4

Re: Security and Privacy Forum

Post by clfarron4 »

zerolimit wrote:Would a renewed commitment on security attract new Linux Mint users, and also increase our community support? Just a thought, looking at it from the benefits of a "marketing" standpoint.
On the bits which are fairly easy to implement and fix when things go wrong, so implementation of TOR, encrypted home directories would be all right. HOWEVER, managing things like the LVM on LUKS/Full Disk Encryption without dumbing it down is walking along a tightrope.
Previous1

Re: Security and Privacy Forum

Post by Previous1 »

On the bits which are fairly easy to implement and fix when things go wrong, so implementation of TOR, encrypted home directories would be all right. HOWEVER, managing things like the LVM on LUKS/Full Disk Encryption without dumbing it down is walking along a tightrope.
It's easy enough to separate security topics from easy to crazy, eg like (to some extent) the Securing Debian Manual does.
So this is from October and they still won't make a forum? Is the 30 seconds in phpBB control panel (to add a security forum) too much work?
See http://www.linuxmint.com/about.php
Mint wrote:It's safe and reliable. Thanks to a conservative approach to software updates, a unique Update Manager and the robustness of its Linux architecture, Linux Mint requires very little maintenance (no regressions, no antivirus, no anti-spyware...etc).
Perhaps Mint believes it's already safe "enough" and needn't devote a separate topic to security. I don't buy that and it goes against:
Mint wrote:It's community-driven. Users are encouraged to send feedback to the project so that their ideas can be used to improve Linux Mint.
Either way we can post/sticky a Security topic in the Tutorial forum in the meantime.

edit: http://forums.linuxmint.com/viewtopic.p ... 97#p818597
xenopeek
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: Security and Privacy Forum

Post by xenopeek »

For now I've stickied Previous1's Security Tutorials topic. Good initiative! Appreciating your constructive approach. Let's add relevant links there for users that want to improve or audit their system's security on Linux Mint. Or post new tutorials and link them there.

The forum team has several changes planned for the next few months, one being reorganizing the forum structure. The current forum structure has evolved over the years and needs work. Over the past few months a few suggestions/requests for a dedicated subforum have come up, and we want to accommodate those in the reorganization.
Brahim Salem

Re: Security and Privacy Forum

Post by Brahim Salem »

great idea guys :D
DarrenG
Level 2
Posts: 69
Joined: Mon Jun 23, 2014 9:12 pm
Location: New Zealand

Re: Security and Privacy Forum

Post by DarrenG »

I've voted Yes, This would be very useful!, and Recent News says that we really need this
“People shouldn't be afraid of their government. Governments should be afraid of their people.”
MajorLunaC

Re: Security and Privacy Forum

Post by MajorLunaC »

What I would like to know is if there are better alternatives to WordPress, even something simpler. Not all FOSS are equal, as there is no guarantee of quality or security in the design. So far, WordPress has racked up (or better yet "wracked" up) quite a record of vulnerabilities over the years. Here's 8 pages worth of them, starting on page 8:

https://threatpost.com/page/8/?s=wordpress

Joomla fares much better, but it may be that it hasn't been as popular up to now, and it's getting to be a bigger target:

https://threatpost.com/page/1/?s=Joomla

I'm sure there has to be something more secure, even if it's just plain and simple HTML. Forget flashiness, if it sacrifices security and privacy.
Moem
Level 22
Posts: 16226
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Security and Privacy Forum

Post by Moem »

The downloads page should in my view be a static page and have no Wordpress at all.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Terryphi
Level 4
Posts: 254
Joined: Mon Jun 06, 2011 6:30 am
Location: West Wales. UK

Re: Security and Privacy Forum

Post by Terryphi »

Moem wrote:The downloads page should in my view be a static page and have no Wordpress at all.
I agree.
Chiefahol

Re: Security and Privacy Forum

Post by Chiefahol »

Sounds nice.