|grepLinux

Exploring Linux, security, and privacy

What’s Different About Linux: Programs

Briefly: Software Culture Shock

Starting with Linux can be daunting for longtime Windows or Mac OS X users, and just about everyone who has tried out Linux has had to adjust to the fact that you’re not meant to manage software like you’re used to. This often winds up frustrating users who try to reuse their tried-and-true methods in Linux which often leads to a poor user experience. However, if a new user is willing to learn the basics of how package management works in Linux, they’ll discover the greatest immediate usability improvement that Linux-based operating systems offer compared to their counterparts.

Keep reading for a detailed look at how software management differs on Linux and what users can expect in practical use.

Account Password Security: Advanced Edition

Just the Steps

What follows is a discussion on how to use file sync software like Dropbox and encryption software like TrueCrypt to securely and conveniently access an offline password database like those created through KeePassX on every device. The idea is to create a small encrypted file container with TrueCrypt, place the password database inside of it, and sync the file container using Dropbox. Then on any device access the file container in Dropbox, decrypt and mount it with TrueCrypt, and load the password database with KeePassX; this only has to be done once until a device is shut down. The result is a highly secure and convenient way of managing online account credentials.

A thorough look with all the details follows.

Not Just the NSA: Privacy Breaches Closer to Home

In Short: Negligence and Privacy

These days talk of the NSA’s PRISM program and its other surveillance programs tend to be the focus of privacy discussions, but recent gaffes like at yesterday’s Super Bowl XLVIII and more serious incidents such as during the trial of George Zimmerman for Trayvon Martin’s murder show us that the average Joe can cause serious privacy leaks as well.

I give an overview of these events and offer a suggestion on the sort of vigilance you should keep in mind.

Password Security Failure: When Websites Don’t Get It

In Brief: Many Websites are Visibly Vulnerable

While I’ve discussed how absolute security is impossible, there’s a difference between building a secured website that may be breached by a concerted and resourceful effort and building a website that advertises potential attack vectors. Several websites are guilty of this and do things like email plaintext passwords or use unnecessarily restrictive password rules; these problems tend to make it much easier for an attacker to compromise user credentials.

For a more detailed look into the problem and ways to begin mitigating it, read on.

The @N Hack: Why Absolute Security Is a Myth

The Gist: Trust and Error Defeat Security

A recent social engineering attack on PayPal and GoDaddy allowed an attacker to commandeer the victim’s email on GoDaddy and hold his Facebook account hostage in order to facilitate the transfer of the @N Twitter handle (reportedly worth about $50,000 USD) to the attacker. This incident illustrates how organizations fail to train their representatives to resist old and simple social engineering techniques. More broadly I use this as a case study with which to demonstrate how no matter what, we can never have absolute security when it comes to safeguarding our online presence; between social engineering attacks and zero-day exploits we can always expect there to be a weak link in a long chain of security.

Read on for full details.

Linux Fragmentation and New Users

The Bottom Line

There are some particular perceptions among many non-Linux users that in order to use Linux one must be

  • Willing to resort to the command line to accomplish mundane tasks
  • A computer science major
  • Able to find and rely on others to use their own system

While I disagree with these views on the whole, I think there is a degree of merit provided one applies a more level-headed tone to the rhetoric; instead of discussing that I’d like to consider why these perceptions exist. I propose that a major cause is the vast fragmentation of the Linux platform.

While Linux fragmentation offers truly — without exaggeration — unparalleled freedom of choice when it comes to customizing one’s computing interface and workflow, this can make offering help to any individual through their particular GUI very cumbersome. Consequently, the terminal becomes the common denominator since there are only a few common Linux filesystem layouts in use by the various distributions and the GNU Core Utilities can be assumed to be installed on any Linux system. This makes offering terminal commands the most direct approach for most people offering assistance to others, and this helps bolster the aforementioned perceptions: if everyone is receiving help through terminal commands, surely this is the only way to fix these problems.

The best we can do is accept that some people will feel this way and attempt to educate them on the benefits of computing diversity and choice; whether this is important to them or not is their choice, and perhaps they’ll come around to appreciating this diversity.

Keep reading for a more thorough analysis.

Account Password Security: Basic Edition

The Short Version

Sharing credentials (username and passwords) between the numerous online accounts we have is a difficult dangerous habit to break. I propose the following steps as a manageable way to fix the problem:

  • Select password database software like KeePassX or LastPass and if necessary complementary mobile apps
  • Track down all of the online accounts you’re aware of and scour your email account(s) for accounts you’ve forgotten; for each account:
    • If you no longer care about the account, delete with prejudice (pkill -9 $account) if possible
    • If two-factor authentication is available, set it up
    • Remove any non-critical personal information, especially from legacy accounts
    • Generate a unique random username (if you can change it) and password (with maximum length and largest dictionary) and store it in the password database
    • If a security question is required, create an entry in the password database for a random answer and make note of the site and question in the database entry
  • Lock down the security of your password database; use a unique, memorable, and strong password and see the Advanced Edition (coming soon) for more details
  • Enjoy the ability click a few buttons to log into your accounts!

Read on for full details.

Howdy!

Welcome to |grepLinux! My goal is to use this site as a platform with which to offer my thoughts on topics in Linux, security, math, and perhaps life in general. I’ve been wanting to start something like this for a long while as I find writing to be therapeutic and in this format I think it can also be educational for both you and me.

There’ve been several controversies in recent memory that have sparked in me a desire to discuss or to use as motivation to discuss important related topics. Consider: