
Re: Re (3): Multiplicity of accounts.



On Fri, Oct 4, 2013 at 12:47 AM,  <peasthope@shaw.ca> wrote:
> From:   Jerry Stuckle <jstuckle@attglobal.net>
> Date:   Thu, 03 Oct 2013 09:27:28 -0400
>> ... [local user compromise(?) is] not where the leaks occur.
>
> If someone can review the greatest hazards or give a link to
> a document, that would help many of us.

I posted this in another branch of this thread, but since it contains
some of the information you ask for, I'll post it here, too. It's a
starting point.

http://en.wikipedia.org/wiki/Linux_malware

But basically, once you understand that a web browser is running
someone else's code on your machine, under the user id that the
browser is running under, which is the user id that you logged into
your machine with, well, imagination is the limit. There is no
greatest hazard to protect yourself from and then feel comfortable.

I'm trying to work up a set of blogs that explain some best practices,
but there aren't really any best practices that are effective right
now.

Well, refraining from surfing the web logged in to the user that you
do your bank business with is probably good enough for many people,
but you have to consider what packages you have loaded, what kinds,
how many, who packages them for you.

I would not do bank business using a computer running Wine. It's not
that I remember specific vulnerabilities in Wine, but Wine is
providing libraries that allow MSWindows binaries to run. That means
that some MSWindows Malware will run if you click the link in the
e-mail. Running as a non-root user may help limit the damage to the
local user, but there may be an escalation path.

One thing I'm thinking about is buying an ARM chromebook, wiping
Chrome, and installing Debian, and keeping that as the dedicated bank
browser machine. You probably don't have to go that far at this point
in time, but you need to keep a log of what hits your router and what
gets through (both sides) to have an idea of how safe your local LAN
is.

>> [Managing userids and passwords] not all that hard if you come up with a system.
>
> Clever idea.  My system wasn't so simple and effective.

Once you understand the idea of making things memorable to yourself,
and learn to think about the memes floating around and how passwords
should avoid them, there are quite a few tricks.

I personally just leetspeak nonsense or semi-nonsense phrases. I used
to use something like "wiredvibes", leetspoke, for an admin account
because wired reminded me of the network. (That password was retired
many years ago.)

The initial letters of a line or lyric you know, as Jerry suggested,
is another one, but I'd use the second letters at least in some cases,
and I'd avoid the more well known lines from well-known literature. To
be or not to be is probably now in the cracking dictionaries in
several forms, including leetspeak. And well-known quotes from Star
Trek or The Matrix will also likely end up in such dictionaries at
some point or other.

If you are likely to have an attack directed specifically at you,
avoid personal information. Don't use, for instance, the name of your
dog in combination with a family member's name. (For several reasons.)
And you should probably also avoid swear words or the names of deity,
especially words that you tend to use regularly. Memes, you see.

> Thanks,                   ... Peter E.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
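
The point in the message above, that well-known lines end up in cracking dictionaries "in several forms, including leetspeak", can be turned into a check run on a candidate password before adopting it. This is an added example, not part of the original message; the phrase list and substitution table are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample of well-known lines; a real check would load a far larger list.
KNOWN_LINES = [
    "to be or not to be",
    "there is no spoon",
    "live long and prosper",
]

# Assumed leetspeak table (not exhaustive). "l" is folded into "i" because
# "1" and "!" are used for both letters; both sides of the comparison are folded.
CANON = str.maketrans({"0": "o", "1": "i", "!": "i", "l": "i", "3": "e",
                       "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def normalize(text):
    """Lower-case, undo leetspeak, and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", text.lower().translate(CANON))


def derived_forms(line):
    """Forms of a known line that are likely to sit in a cracking dictionary."""
    words = line.lower().split()
    return {
        "full phrase": normalize(line),
        "initial letters": normalize("".join(w[0] for w in words)),
    }


def check_password(candidate, known_lines=KNOWN_LINES):
    """Return (line, form) pairs whose derived form equals the candidate."""
    norm = normalize(candidate)
    return [(line, form)
            for line in known_lines
            for form, value in derived_forms(line).items()
            if norm == value]


if __name__ == "__main__":
    for pw in ["70b30rn07t0b3", "7b0n7b", "Th3r3 15 n0 5p00n"]:
        print(pw, "->", check_password(pw) or "no match in sample list")
```

An empty result only means the candidate is not derived from a line in this small sample list, not that it is a strong password.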

