[Klug-general] The most secure Linux laptop in the world

Karl Lattimer karl at qdh.org.uk
Tue Nov 27 13:34:04 GMT 2007


On Tue, 2007-11-27 at 12:25 +0000, Stephen Ryan wrote:
> Hi Stephen, from near Hythe in Kent here. Just joined KLUG.
>  
> I am on a mission to find the most secure (yet functional) Linux
> distro in the world. It must have the tiniest of footprints.
> I have played with Knoppix CD, but i want something much, much,
> smaller and something that even a novice can configure.
> Smallest amount of code - just enough functionality.
>  
> http://intrench.blogspot.com/2007/11/if-there-is-such-thing-as-total.html
>  

Sounds to me like you're looking for a utopian experience. However, and
I hate to break this to you, utopia is a place that doesn't exist,
lollipops for guessing why, except you Jim, you're a cunning linguist.

Incidentally, what's the difference between a chorus line and a
magician?

The magician has a cunning array of stunts... :)

Anyway, what's the use case for this? I mean, do you just want to build
one of 'those' computers that are featured in movies like "Die Hard 4.0"
and the like, which are uncrackable, in order to stage a more realistic
incarnation of that particular grade of action movie? Or do you just
want to boast and brag that you've got an uncrackable computer to the
hacks on the net? Because if it's the latter... try and do some research
about how the general internet evil underground react to such
challenges; usually the challenger is beaten to a pulp and begging for
mercy.

If you want to win, get a computer that's on the internet and pull the
wire out... Job done :)

The point I'm making about the above rant is this: with any computer
system, there are going to be issues. For instance, BSD only boasts its
boast because about 99% of remotely exploitable software is turned off
by default :P Not because the software has any inherent security magic.
That's always a good trick: read between the marketing lines. Apache has
been thoroughly beaten up over the last 10 years, with about 5 days on
average from a remotely exploitable problem to a fix, with a workaround
available within a few hours. BSD runs Apache, but turns it off by
default...

The holy trinity as always are firewall, updates, and anti-virus. 

There are quirky things such as egg sniffing where you'd use iptables
and I believe a little patch is required to the kernel, and you offload
packets to check for egg (shell code google:metasploit) patterns in
packets. Usually this stuff is called deep packet inspection, and is
currently used by loads of ISPs to filter out bit torrent traffic 
(B4%74R6%!!)

Realistically there's no point in sniffing eggs unless you're expecting
to be attacked, or have an ovum fetish... A lot of other largely
insignificant security features are possible, however generally useless.
Essentially support is the no. 1 issue: there must be a short exploit to
patch time frame from your distributor. After that you've got a fighting
chance.

A firewall is a must. Knock something together that does the following:
block any/all unused ports on any internet interfaces (anything not
explicitly allowed is denied); if multiple SYN packets are received,
rate limit them, and if they continue to come, block the IP address;
identify and filter any bad packets (DHCP requests etc...); block any
ICMP traffic; block any traffic destined to invalid networks; block any
traffic destined to anywhere but here. I find when writing iptables it's
best to think of them as a sort of Turing machine.

Then you've got your two most important issues dealt with...

Antivirus... Ah, bugger it, use ClamAV and configure it to scan the
whole box once a month and email me if it finds something.

So that's security if you want to get serious about it as much as anyone
else does... The important thing is the use case though. If you can come
up with a reasonable one then it may be a worth while
project/investigation.

Hope this helps,
 K,
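Karl's firewall checklist above, written out as an iptables script. This is an added example, not code from the original post; the Internet-facing interface name, the host address and the allowed port are assumptions, and the script prints the rules for review unless told to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: an iptables ruleset implementing the
# policy sketched above (default deny, per-source SYN limiting with blocking of
# persistent offenders, ICMP and DHCP dropped, bogon sources dropped, anything not
# addressed to this host dropped). gen_rules prints the commands for review;
# pass --apply (as root) to execute them. Interface, address and port are assumptions.
WAN="${WAN:-eth0}"                 # assumed Internet-facing interface
HOST_IP="${HOST_IP:-192.0.2.10}"   # assumed public address (documentation range)
ALLOWED_TCP="${ALLOWED_TCP:-22}"   # assumed explicitly allowed TCP ports, space separated

gen_rules() {
  cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $WAN -p icmp -j DROP
iptables -A INPUT -i $WAN -p udp --dport 67:68 -j DROP
EOF
  # Bogon / private source ranges that must never arrive from the Internet side
  for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
             192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
    echo "iptables -A INPUT -i $WAN -s $net -j DROP"
  done
  # Anything not destined to this host is dropped
  echo "iptables -A INPUT -i $WAN ! -d $HOST_IP -j DROP"
  # Per-source SYN accounting: a source that has sent 15 SYNs in the last 60 s is
  # dropped, and --update keeps extending the block while the SYNs keep coming
  # (15 stays under the xt_recent default ip_pkt_list_tot of 20)
  echo "iptables -A INPUT -i $WAN -p tcp --syn -m recent --name synflood --update --seconds 60 --hitcount 15 -j DROP"
  echo "iptables -A INPUT -i $WAN -p tcp --syn -m recent --name synflood --set"
  # Only explicitly allowed ports accept new connections, and only at a bounded rate;
  # everything else falls through to the DROP policy
  for port in $ALLOWED_TCP; do
    echo "iptables -A INPUT -i $WAN -p tcp --dport $port --syn -m limit --limit 10/second --limit-burst 20 -j ACCEPT"
  done
}

if [ "${1:-}" = "--apply" ]; then
  gen_rules | sh
else
  gen_rules
fi
```

Rule order matters here: the established/related accept, bogon drops and destination check all sit before the SYN rules, so only genuinely new inbound connection attempts reach the rate limiter.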
