The safe 3. profile configuration.?

[Jakob77]

CharlesV


How do you know if a Linux computer has been compromised or not.?

You are so right about protecting the computer from the user. That is a big part of it.
Do you know if we have a command that can deactivate/activate the whole network.?
I just did try to turn off my computer for a few days and that also works well for safety.

@Jakob77

It would help us a lot to know, in general terms, about your situation. Is this for your own home network? For a small business? For big business? For a group sharing an internet connection? etc

The 3. profile configuration is supposed to provide my computer with more safety in general no matter where I connect it.
If you see weak spots in any imaginary context just bring them to attention.

I never, never, never let anyone onto my machine unless I am sitting with them and watching every keystroke.

Linux must really be a weak OS since most users are so afraid of letting other people use it.?
Not good for Linux reputation if just because they don't care about making a safe configuration.?

[Eadwine Rose]

You assume a lot. It has nothing to do with weak OS. As for me, I am not letting anyone touch my personal stuff. Not even when I am sitting right next to them. But I assume you are obviously ok with that, you do you :)

[j2mcgreg]

@Jakob77 wrote:

The 3. profile configuration is supposed to provide my computer with more safety in general no matter where I connect it.
If you see weak spots in any imaginary context just bring them to attention.

and

Linux must really be a weak OS since most users are so afraid of letting other people use it.?
Not good for Linux reputation if just because they don't care about making a safe configuration.?

In a Utopian world your ideas might work, but in the reality we all live in, a malevolent person with my skill set, left unattended with your machine would have all your stuff in about 15 minutes. I expect that there are others here who would be even quicker. Simply put, physical access is the holy grail to anyone intent on stealing your data. As a security conscious individual, your first order of business is to prevent that from ever happening.

[manyroads]

I never, never, never let anyone onto my machine unless I am sitting with them and watching every keystroke.

Linux must really be a weak OS since most users are so afraid of letting other people use it.?
Not good for Linux reputation if just because they don't care about making a safe configuration.?

That's quite a leap... but as with all things, you are free to do with your PC whatever you wish. If what you do makes you feel better, that's great.

[CharlesV]

@Jakob77 Security is about looking for weaknesses and locking them down. Every OS has some weaknesses, the goal is obviously to lock it so that someone cannot get in.

Why would you hand someone the keys?

Personally, I use encryption to secure the data you need / want secured. Then, I make sure that if I walk away from the computer it is locked (not auto locked - locked!). And my systems know what machines are IN my network, and if some new device shows up, the network (at router level), shuts down. (As do my main computers) .

But again, the most critical part is the user - so there should be protection in place to protect the user *while they are using the computer* . There are many forms of protection, but you should be looking at the attack vectors that you participate in, and then those either controlled, contained, or as good a security as you can - if your worried about it.

[Jakob77]

Mostly I just want to share the benefit from my configuration with other MX users.
MX has made it easy for me to make a much safer configuration than I ever had before in Linux so it is not really appropriate for me to worry.
But if others felt the same the optimizing could perhaps be turned into some kind of a sport.

[j2mcgreg]

@Jakob77
Here's something to keep in mind. Microsoft needed it's office suite to be the most user friendly of the lot. They accomplished this by making it's components sub-modules of the kernel. By doing so, they won the office suite wars and Office quickly became their cash cow. However, this move also made it trivial to to deploy viruses and other malware. The malware plague on the Windows platform is self-inflicted because they prioritised "user friendliness" above security. In Linux and Apple's IOS, security comes first, and that's the way it should be.

[CharlesV]

I really can think of only a couple of scenario's where multiple profiles would help - and they would need to be encrypted to seriously gain any trust for me. Having email and web browsing on only one of those profiles has some possibilities - but that is a tough nut to crack. Personally, I think a VM that was JUST for that would be better. Or the other way around, the VM contains all importance - and never touches the internet.

When someone asks me how to keep a computer secure, my short answer is usually the following:

1) Never save passwords in a browser – Use an offline password manager. (KeePass or KeePassXC)

2) Use STRONG passwords ( I have HUGE list on that one!), but basically 12 Characters or more, at least 2 numbers, 2 special characters, upper and lower case, do not “make the password” about anything of ‘yours’, and if you use ‘words’ they should NEVER be found in a dictionary. (ie they should be partial, made up, or misspelled words.)

3) Never use passwords for multiple places – ever! ( you would be amazed at how much I see this done!)

4) Use an encrypted vault for anything important.

5) Do not click links in email – period!

6) Do not use search engines to lookup ANY place you go to on a regular occasion and log in. Find where you need to go, and then make a book mark – or BETTER YET, save the URL in your password manager!

7) Always lock your computer when you step away from it. ( Auto locking is good, but a 10 min auto lock is 9 min too long!)

Do not install anything that you cannot trust where it came from – and I mean *know and trust* .

9) Do not let anyone onto your computer. Even family that would never *think* about harming you can cause a serious issue by just checking their email.

10) Discipline your self in everything – websites you go to, sign-ups, opening email, backing up regularly, *thinking before you do something*.


And honestly, ( no ego here! ) … if I can have a client think “What would Charles say about doing this?” … then I have succeeded in at least one thing - helping them be more secure!

[Jakob77]

CharlesV

Thank you for some good strong stuff to read.
I use the extra profile setup on all my computers but the effects are smallest on my main computer that holds most of my private data. That is not a computer I want others to play with, and I don't use it much myself.
Computer two is the computer I use 95% of the time and where the effects from profile 3-5 starts to become a lot stronger.
If things go all wrong on computer two it can be banged.



j2mcgreg

I am pretty sure I can configure my computer in a way so you will need more than 15 minutes to steal my data but that is not what it is about.
I don't expect my IRL guests to be thiefs. And why would a thief spend 15 risky minutes cracking the computer when he can just run away with the whole thing in a few seconds.

I expect my guests to be like myself maybe a little clumsy and sometimes maybe also a little teasing.
An extra profile gives a really good protection against that. No access to my private data and no important data to keep.
I can just relax and enjoy the computer with my guests.

That is in my opinion a huge advantage and it is pretty easy to measure.
I can use autologin, I can let the guests search for the next video and I don't have to lock the screen if I go to the toilet etc.
The safe profile provides me with more security AND more user friendliness AND more freedom. A win, win, win situation.
As long as it moves that way I want to move on. Are you coming along.?


The network side is another story. From there we can expect anything and it is harder to measure the safety.
We just know for sure that if we are not connected they can't hurt us.
Changing to a second profile can deactivate the first profile (if 'log out' is used) and make it safer but we don't know how much safer.
I believe it is a lot but not enough, so a complete network disconnection as much of the time as possible is in my opinion still a good configuration.

How about 10 profiles instead of 5...
Poor cracker.. just finding the right data set to crack can take for ever.

I don't think profile 10 will enjoy less kernel security than other profiles.?

[j2mcgreg]

@Jakob77 wrote:

And why would a thief spend 15 risky minutes cracking the computer when he can just run away with the whole thing in a few seconds.

Because with a physical theft, you will notice that the item is missing fairly quickly and you will have a good idea of the identity of the culprit. But with data theft you might not know somethings awry for weeks, months or never.

I don't expect my IRL guests to be thiefs

Neither do I about my guests and friends. But I don't give them the opportunity to prove me wrong either.

That is in my opinion a huge advantage and it is pretty easy to measure.
I can use autologin, I can let the guests search for the next video and I don't have to lock the screen if I go to the toilet etc.
The safe profile provides me with more security AND more user friendliness AND more freedom. A win, win, win situation.
As long as it moves that way I want to move on. Are you coming along.?

No. Jakob77, you asked for our opinions and I gave mine. That you don't like what I am saying is obvious, but part of my role here is to warn users when I think that they are taking unwarranted risks.
The bottom line is that it is your computer and you can use it as you please.