Who Ordered -This-? (Unanticipated and Possibly Mysterious Large Download)

feheeszeno,

I got the biggest kick out of your post.

You have a disease, my friend. I have dubbed this illness-
microsoft-induced paranoia with intermittent GUI-induced psychosis. Its really quite common for MS sysadmins but I am surprised to see it in one so new as yourself (It speaks well of you). But fear not! The illness will fade with regular and repeated usage of Linux. Consider Mepis like a rehab/half-way house.

You asked a mouthful. I can try to give you a general answer and maybe a little guidance but you should research the details yourself. When researching, try to find relatively current information. Things change quickly in Linux.

1. Mepis-Linux, 'out-of-the-box', is pretty darn secure.

2. Linux, generally speaking, is not susceptible to viri of the nature we currently have in the wild. Nor spyware, nor adware.

3. Mepis is based on Debian Linux. Debian provides, amongst many other things, security how-to guides and special packages if you need or wish to build Fort Knox. http://www.debian.org/

4. The chances of you being successfully hacked, running Mepis, on a dial-up connection, unless you are involved in the Mafia or the government, are slim to none.

5. Unless you have disabled Guarddog, the ports you refer to shouldn't worry you. Also, Guarddog is actually just a gui front-end for 'iptables'. Iptables is the true nitty-gritty firewall for your system. It requires command-line editing which you might want to hold off on for the moment. There is another gui front-end you can use called 'firestarter' that will give you some real-time feedback (who's connected to what and whether you should worry). But its a little harder to use and I had some stability issues with it.

6. Go to www.grc.com "Shields Up" and have yourself port-scanned (free). There is some decent and understandable information about general security and networks.

7. If you want to play with IDS, get Snort. You don't really need it, but its fun to fool with. Well, fun if you like reading packetlogs.

8. Speaking of which, /var/log/ is the location of some logs that might interest you.

9. For your purposes, you could block Samba (smb, smbd, nmbd), Lisa, Apache, CUPS and maybe a couple others using Guarddog (requires a little digging, Guarddog does not have the most intuitive structure). If you wish to disable these services completely, look around in the Mepis archives. Most of the info you need is there (I don't want to expose you to my old school trick for this- to dangerous).

10. Visit http://www.mepislovers-wiki.org/. Lots of good stuff.

11. The command netstat -tpan, in a console, will show you your current connections and 'listening' ports.

12. Don't sweat the patches. Not entirely the same concept as Windows.

Let me put it like this. If Linux made cars, I'd feel safe driving one.

Maybe this will be of a little help to you. And incidentally your questions are valid ones and I appreciate your desire and interest to be informed.

Best way to learn this stuff is read, play around, and keep asking questions. An should you ever happen to break Mepis, its rarely a painful fix.

q

Hi, Q, I was just about to send this reply when my ISP dropped my connection -again-, so once again I either have to type the whole thing in again or ask my long suffering readers to live with bad format. (I think I am a casualty of the vi versus emacs conflict.)

A scary thing I found is that the netBIOS packages I have been wondering about, the ones associated with port 137 and nmbd, might be furnished by LISa, which is apparently KDE's LAN information server, a browsing tool which is also a network daemon, which tries to provide something called a "network neighborhood" using TCP/IP protocol without smb. Apparently since I have one default disabled, lisa uses NetBIOS broadcasts via nmblookup to search for hosts. I thought that was the job of asking for DNS service, which I -have- enabled, but anyway, it seems that KDE versions prior to 3.0.5 do have a buffer overflow vulnerability in this very "feature" of LISa, which can possibly enable baddies at hostile sites to crack your box. AIIIIAIEEE!!!

So indeed, by clumsily trying to be "smart" by disabling a service I wouldn't need if everything worked right (hah!), I might have actually made things much worse.

If I understood the security advisary I read, the flaw is potentially quite serious. I guess I can hope that no baddies actually know enough to take advantage, and I can mumble that surely no sites -I- would ever visit would have baddies hanging around, but this would violate my paranoid worldview. (And see the end of this post.)

After doing a lot of surfing, reading, and collating of notes,
I have a much better idea of what I am seeing when I do a ps -ef.
One line I can't parse yet is

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COM
root 2954 0.0 0.0 3132 1432 ? S 10:26 0:00 -:0

This seems to be a child of kdm, the KDE display manager, which apparently provides the graphical login interface.

netstat -tpan currently shows that my router has established a connection with a machine which is part of the SPRINT backbone,
so I guess this makes perfect sense. It looks like my machine is
listening on a range of ports, but that no other connection is
currently established, which is good.

I also found /etc/cron.daily and /var/run (foolish grin),
and if I am reading this right, I -do- have a bunch of jobs scheduled.
I still don't understand what either of these hold, though:
/var/run just seems to be a list of tiny files recording what
might have been the PID of a process which is not currently
running, such as clamav, and /etc/ gives no hint of hourly cron jobs,
yet that's what I've observed.

But I saved the scary part for last: with heart in mouth I tried to
ssh back to that machine I mentioned, and darn if I didn't see very
slow behavior followed by mysterious download which I couldn't identify or stop except by turning off the router. That machine has a slow and somewhat unreliable modem connection, but I've never seen this type of behavior before and am wondering if I should ask it. (The head sysadmin there is kind of hard to figure, so I try to avoid talking to him. Which rewards his inscrutability... but I digress.) That's a big system which no doubt gets attacked by all manner of nasties, but if say they were experiencing a DOS attack (?), I don't see how that could lead to the weird download thing, do you?

Another weird thing: after I rebooted from my hard drive to test the wind, my system clock came back exactly three hours fast. I reset it, but that is kind of a weird thing to happen. Some of those daemons I see are supposed to keep my system time accurate, by the way.

Oh yeah, one other thing: some little known system binaries now have different md5sums wrt their original values when I installed from the liveCD. Does that mean that I somehow updated them (I did try to update using kpackage), and don't know it? I can't be more specific since that file is on my pen drive, which I can mount when I boot but forgot that I can't detect after boot (others have mentioned a similar problem, I think, so this is apparently a known bug).

feheeszeno

Hi feheeszeno

Just in answer to the system clock part of your post. Did you just "adjust" the hour setting? The clock is set by default to EST. You have to change it to your own time zone.

Have fun

HW
--

Tell me, tell me, tell me, elm! Night night! Telmetale of stem or stone. Beside the rivering waters of, hitherandthithering waters of. Night!

Hi, HW,

Thanks for allaying that particular concern. Indeed, when I rebooted the time was set to EST, but I want to keep PST, which would explain the three hour time difference. I guess I thought that when I reset the system time (I'm using the hard disk install again, cautiously), when the system "restores previous session" at next boot, it would know to set the clock to PST. I guess the utilities which periodically check the USNO atomic clock to keep my system clock in time with the world must have been assuming I am trying to keep EST time?

feheeszeno

Hi again, QTech,

I just saw a news item at Distrowatch which seems to be saying exactly the opposite: far from MEPIS being extremely secure out of the box, the story (editorial?) alleges, in part:

"Debian sarge security infrastructure is broken and has been broken
since the release of sarge... 'my experience has been that security at debian.org is a black hole, and that offers to help are ignored' ... It looks like a major upheaval in the security infrastructure of Debian is needed to ensure that the current situation does not happen again. But can it be done? Can a rather boring and thankless task of applying patches are releasing advisories be made more attractive and rewarding? Not easily. But it must be done - before Debian's reputation is further tarnished by more sloppy security work."

Sloppy security work?! Debian security infrastructure is broken?

I am vaguely aware that MEPIS is based on sid, not sarge (true?), and that a distro based on such and such could be either more or less secure out of the box than its parent. But still, what is a clueless newbie to make of this?

feheeszeno

I have an update on my strange experience.

I just summarized my disk usage, and was astonished to see that my /proc contains almost 1GB of stuff:

898M proc
516K mnt
419M home
148K tmp
128K dev
127M var
83M lib
33M etc
16K lost+found
6.0M sbin
4.9M boot
4.0K opt
3.8M bin
2.3M root
1.7G usr
0 sys

Is that excessive?

feheeszeno

How did you do that summary? I've been looking for a command or script to do that.

Al

The command is "du" see the man pages.

I think it's normal. /proc is a special type of folder it contains all the running time junk. Mine is around 500MB. I guess it also depends on how much memory you have on your system.

Don't know much about other issues... just a side remark (please don't take it badly) I think that's an example of how one should not ask questions on forums -- few people have patience to read pages of explanations and stories.

--
Post questions on www.mepislovers.org too -- very helpful community

--
Post questions on www.mepislovers.org too -- very helpful community
--

When it comes to the hard stuff, you are better off here ('cause that's where I am Disclaimer: I was thrown off of ML. Don't ask!) Seriously, this is the OFFICIAL Mepis site and obviously the 'main guys' are going to hang here, not there, MOST of the time.

ML is good for the basic stuff ("How do I install nano?") and lots of fun, non-tech chit-chat, cute screenshots, polls, and other community stuff. I think this board is MORE for the 'serious business' of Mepis.

That said, on the ML site you should read:
http://www.mepislovers-wiki.org/index.php?title=Main_Page
as Adrian has done a great job on this.

Al

Hi, Al, the size summary is very simple! As root,

cd /
du -s -h * | sort -nr > $HOME/space_report.txt
cd
vi space_report.txt

I saw that little trick at a linux tutorial site which I thought I had bookmarked, but I seem to have mislaid the url. (The author was making the point that the shell is your friend!) I added the -h flag because this shows the listing in units which mean more to me.

I think I might have found the site via MepisLovers. And about MepisLovers, for some reason I can't seem to create an account there. My only guess is that perhaps their website requires some service which via guarddog I disabled. Since they never replied to my email inquiries I guess I'll never know. Has anyone else had any trouble contacting MepisLovers? LinuxQuestions also seems nifty, although more general in scope. Does anyone here use that forum?

feheeszeno

Hi, AdrianTM,

Did I hear that right from Al? You created the LinuxQuestions.org wiki? Great site, thanks, keep it up! (I have bookmarked it and am trying to work through it.)

Thanks much for the information about proc. It helps to know I'm not the only one. I put 2GB RAM in this box (in part so I would have option of running knoppix with the "toram" cheat code), so it might make sense then that I seem to have almost 1GB of stuff in /proc. Wow, computers are not so simple...

feheeszeno

Thanks for the code-snippet. I'll give it whirl.

The LQ-Mepis site is brand new and is growing. I expect it will become very popular as it is a one-stop shop for all types of issues. I know a lot of the more experienced folks who hang here also contribute over there as well (as do I from time to time.)

I'm just a part-time Mepis user. I run Kanotix as my 'workhorse' but have some Mepis distros in the shop for less experienced folks on some older hardware (since Mepis comes with a 2.4 kernel). Kanotix is not quite ready for newbies but it runs lightening fast on new equipment as it was heavily patched for i586.

Al

feheeszeno,

The /proc directory is a structure put in place to allow viewing (and sometimes controlling) certain aspects of Linux. Consider it a way of peeking into the operating system's memory and structure. The system itself controls what is placed in this directory. Treat it as a "Look. Don't Touch" directory. You can go down through the sub-directories and even "cat" the files to see what they contain, but under no circumstances should you consider deleting anything! It will grow and shrink as you use your system, add applications, move files and directories around, modify users. Again, feel free to peruse it, but you risk putting your system in an unstable state if you delete the wrong things.

Jon

Thanks, jon!

That is a good warning. Fortunately, I already knew that, but this is an example of the kind of thing which should be a screaming warning :-/ in Linux tutorials.

As a newbie sysadmin (of my home system), I have a somewhat disorganized list of comments for anyone seeking to provide a set of web pages to guide the linux newbie through the process of creating a useful/secure home system. I am assuming a takeover installation, say by clicking on "install me" from the SimplyMepis live CD.

* you should have a router to act as a rudimentary firewall while you are installing and patching your system (of course, you probably need to borrow someone else's machine in order to configure the router-- the one I bought turned out to have the firewall disabled by default),

* if given the choice, opt to be presented with a login shell at boottime, and to type "startx" after logging in to start X (an extra step which I tolerate in another box using a Red Hat type distro because it can be convenient if X breaks and you want instant reassurance that your files are still present and accessible),

* as soon as possible during installation, create an ordinary user, and avoid logging in as the superuser (in a shell, use su to become superuser if needed),

* be very careful what you type in a shell where you have assumed superuser identity--- try to get in the habit of looking for # versus % prompts),

* keep notes of your answers to questions during the installation process,

* once install is complete, send output of some useful information garnering apps to a file and print it out, or write down information from something like KInfoCenter GUI (which is a very helpful feature of KDE, BTW, but it would be great if the Help button led to instructions for saving to a text file what you see there), specifically, try to figure out/confirm what hardware you have inside and outside the box, what directories are in /, what the partitions are, what services are running at boot time-- basic information, like learning some basic operating parameters of your new car.

* if you are Windows person new to linux, be aware that in unix everything is a file, so use the file command a lot; never modify system "files" in /proc, as per jon's warning,

* instead of deleting config files you want to play with modifying, cp original to a backup and try modifying the original (in a new MEPIS install, this might come up if you have the screen flicker problem, but have found a driver which you think might fix the problem),

* keep a careful diary in which you note down changes to config files and other things you might later need to recall you did, including some kind of shorthand of things you did with a GUI, in
menu1 -> menu2 -> menu3 -> click "button" style.

* expect to surf the web for info on a regular basis, e.g. I have found that man pages often don't have any information on something like "ksmserver", but Google or Wikipedia quickly give a helpful brief description of what function some application you are unfamiliar with but curious about is supposed to do.

* keep a personal glossary and tip sheet in a loose leaf notebook-- in case you need to take your machine off the web, you might need to remember how to do something you did once or twice before, plus this will help you learn more about home computing.

Actually, I have some comments and questions about these imperatives :-/

Someone advised me to avoid logging in as root to the graphical login shell which, as I have recently learned, is provided for KDE desktops by kdm. I probably didn't understand what he was telling me, since what I remember now doesn't seem to make much sense. Something about how this results in running X with root privileges, and this being not only a huge security vulnerability but also dangerous because X can be buggy in ways which can do serious damage if run with root privileges. Does that make any sense?

Also, has anyone here tried to keep a personal computer glossary and if so, did they find a particular application useful in creating and keeping it organized? I have been doing this in a haphazard manner; it would be nice to keep a database version on this machine, which I can alphabetize, break into sections, whatever, but which can also be printed out conveniently from time to time.

Same question, for a tip sheet of common activities and useful tricks, e.g. how to perform regular backups, how to obtain rough information on how you are utilizing disk space (the shell command above), etc.

As part of these two, does anyone know a web site which collects information on line commands for tasks which so far I only know how to call using a GUI? Or even line commands to call the apps which I currently only know how to call by using the KDE kicker? A key example: line commands for apt commands or rpm commands equivalent to kpackage GUI (do I have that right?).

feheeszeno

As usual feheeszeno, you have some good points and a lot of questions

Your comments for newbies are good. As you mentioned about "borrowing" a router from a friend. I would almost add to your comments, if possible have a separate computer upon which to store your "stuff". If the one you're installing to goes down in flames (nope, never happened to me ) then you have your other system where you have notes and perhaps even a link to the Internet. I know, this isn't always possible, but it's very useful!

A useful "ezine" that I recommend (I have no affiliation with it) is TUX Magazine (www.tuxmagazine.com). It is a free, downloadable PDF magazine. It requires registration with an email address for notification. So the only unfortunate part is for dialup users since the issues tend to be 3+ MB in size. Anyway, in the latest issue they review "tomboy". It is a "Post-It Note" (tm) application similar to Knotes. I'm trying it out. The advantage over Knotes is that you can link notes together. So during the initial crazy make-notes-about-everything stage this might be a way to collect them together for eventual organization. It is available through apt-get and synaptic. Just search for "tomboy". I have not yet posted back to TUX Magazine to give instructions on how to start this app. automatically. But go into KDE, start up the "Home" icon, find the ".kde" folder and then the Autostart folder. Go into the Autostart folder. Right-click and choose "Create New" then File, then "Link to Application". Enter "Tomboy" in the General tab for the application name. Then, on the Application tab, enter "tomboy" in the Command field. Click OK. If you want to change the icon, go back to the General tab, click on the big icon, choose "Other icons" and then browse to /usr/bin which is where tomboy lives. There is a custom icon for it.

As to organizing your information I would recommend starting as you have with the notes and not-so-organized way. Then, create a spot, perhaps in your Documents directory, and call it "doc" or "man" or something. Inside there, create more directories/folders to stuff text files. I like to create additional folders since I can create one for system info, user info, OpenOffice info..., you get the idea. Once you've slightly ordered your stuff it might be time to use a documentation tool like OpenOffice and make everything "pretty". Yes, it would be great to put it into a database (MySQL, PostreSQL, etc.), but to use that well would mean PLANNING how you want to structure things. Eventually OpenOffice will have a small database (Base) built into it. But it's currently 2.0 Beta, and it's definitely NOT READY. Perhaps before putting your notes into a Writer or word-processor document, use a spreadsheet to throw things in. That way you can see what types of info you have in common between documents (date, application name, location, problems encountered, solutions found...)

As to your question on a cross-reference of various commands, that gets tricky. You may want to wander to O'Reilly (www.oreilly.com) and pick up a copy of Linux in a Nutshell or some of their other great books (wonderful place to spend lots of money!). Also, check out the website "The Linux Documentation Project" (www.tldp.org). Go nuts there! Finally, another person, loninappleton, posted some info on a new book (from one of O'Reilly's subsidiaries) Linux for Non-Geeks http://www.mepis.org/node/7124

Ok, that should keep you busy for a few minutes

Jon

First, I now see I confused LinuxQ wiki with MepisLovers wiki.

Second, I've seen Kanotix mentioned in Distrowatch, but haven't tried it, even though I believe that it has a Live CD version. (Every distro should, since not everyone has unused machines on which they can try installing a completely unfamiliar distro from scratch). I'll keep it mind since I do have an i586 machine. I haven't found Mepis to be slow, but I don't really have anything to compare it with, and I haven't yet tried running under Linux any software where speed might be a concern for me. Also, I have a dialup connection.

Third, I'd like to eventually create a small home network, with one machine for web but (hopefully) no compilers, and the other with production apps, tools, compilers, etc. My idea (which I think is valid, but I'm still too clueless to work out the details) is that this two box model should allow one to adapt permissions and so forth to the different needs of doing internal work and communicating as safely as possible with the outside world. Perhaps I might eventually swap the roles of the two machines, and have Kanotix on the production machine and MEPIS on the more exposed machine.

Has anyone here created a home system like this? I am looking say five years (months?) ahead to a time when, I fear, linux home users may be attacked as much as Windows users are now. Bearing in mind for example the alleged rapid growth of overseas organized crime groups employing capable hackers. It seems to me that the current situation may soon result in a signficant migration of Windows home users to linux, and that at some point, suddenly crooks will find in profitable to put much more effort into activities which will cause trouble for linux home users.

I have read that cracker networks swap list of IP addresses of machines, including home machines, which use particular versions of particular OS's with known vulnerabilities. I have read that OC groups buy such lists in order to break into thousands of machines for use in attacking large companies. I have read that one method they use is to mount denial of service attacks, then after hurting business for a day by inconveniencing customers, they demand ransom. I have read that companies such as banks often prefer to pay the mob. This is impossible to confirm, since obviously no-one can compile statistics on unreported crimes, but there does seem to be considerable anecdotal evidence that this is all too common. I dislike the idea of (by passive inactivity) helping crooks perform deeds which ultimately harm everyone sufficiently to be eager to take proactive steps in advance of governmental policies, which seem to run a decade behind developments in the world of computing. Paying attention to security issues, it seems to me, is part of good citizenship. And the more technically able citizens should, I think, try to help the less able ones.

Also, there is concern in some quarters about cyberwarfare by certain nations and NGOs which feel threatened by U.S. government policies or the American economic/cultural juggernaut, which could begin with mass attacks on home users in the U.S., perhaps as a stepping-stone toward attacking government or company sites (Some say this has already happened.)

I also have a comment about the notion, which as I recall someone might have mentioned earlier in this thread, that no evil person is likely to find it worthwhile to attack a linux home user. My problem with this suggestion is that you're thinking rationally, but not everyone thinks that way. People who comfort themselves with the idea that "I'm a nice person and not a celebrity, so no-one would want to put a lot of effort into harming me" might find out the hard way that persons who develop obsessive grudges can have motivations which are utterly unfathomable to their victims, or to the law-enforcement personnel who sometimes have to clean up the mess.

And don't forget that it is much harder than many people realize to remain anonymous or to prevent a very determined person from linking up an account with a name and street address. Bear in mind that hundreds of people are typically involved in maintaining databases used by your bank, your grocery store, your credit card vendor. There are also increasingly detailed on-line public records. And there are thousands of marketing companies which-- at least until very recently-- could apparently buy a huge collection of dossiers on almost every private citizen in the U.S. from companies such as ChoicePoint. Who knows what was in the information sold, as it now appears, by ChoicePoint to what are now believed to be OC groups?

Databases compiled for a benign or comparatively harmless purpose can often be very easily abused. And I have read in several places (books, news stories, web sites) that databases are typically the -least- secure things around, because they are so complicated to design and maintain that there are specialists who know databases but not security, and specialists who know security but not databases, but very few who know both. With the result that most databases used by banks, voting machine vendors, etc., are actually terribly insecure.

While I have no programming experience to speak of, here I actually do have some personal experience. For a volunteer gig, I once needed to try to learn how to use Microsoft Access. I am no programmer, or even very knowledgeable about computers, but I quickly discovered, by accident, how apalling this product is regarding stability/security. So imagine my reaction when I read, in connection with voting machine scandals in recent U.S. elections, that Diebold or some such company used Access, with, apparently, a world readable database at an address not hard to find, which was apparently accessible using standard default passwords which had never been disabled. This was for an actual election. (I might have forgotten some details, but you get the idea.)

Clearly discussion of these issues would be off topic here-- my point is simply that even if you think of yourself as a harmless, law abiding, tax paying, responsibly voting, and generally well behaved private citizen, ultimately no-one gets to choose his enemies.

As I see it, security concerns should concern everyone. Putting your head in the sand or relying on government or industry to fix the problem could hurt not only yourself but other innocent people, all around the world. That is true now and very likely to be even more true in the future.

So for various reasons, I think -someone- should be exploring the possibility of helping newbies like me create much more secure home systems, perhaps by taking advantage of this kind of two machine model.

feheeszeno

feheeszeno (is the hungarianness of this name on purpose?),

I've learned a lot from your posts. This is totally off topic, if it's possible to get off topic in this particular thread... Have you read Gravity's Rainbow by Thomas Pynchon?

I did have one actual contribution to this thread, lessee if I can find what it was...

Oh! yeah yeah yeah, that was it!

A couple installs ago... I was poking around my computer, *ahem* just exploring. And well, we ex-Windows users have always been root, root is just the way we operate(d). And I thought I had to "be" root to "see" root files.

So. *cough* I was browsing around in superuser mode, cause I'm, um, CLI-challenged, and, well, I don't know what I looked at, but it was bad, cause I lost it all.

Fortunately, since then, I've learned that the user is free to look at most anything, and can't do a lot to pluck sings zup.

Perhaps for someone who is not as "detail" oriented as yourself, you might modify your list to recommend recording every change you make logged in as root (?).

Thanks for the info

HW
--

Tell me, tell me, tell me, elm! Night night! Telmetale of stem or stone. Beside the rivering waters of, hitherandthithering waters of. Night!

I also have a comment about the notion, which as I recall someone might have mentioned earlier in this thread, that no evil person is likely to find it worthwhile to attack a linux home user.

That is not what I said, if you care to re-read my post. And as an IT professional, I stand by my statement. The statistical odds of Mepis-Linux being hacked over a dial-up connection are very slim. Not impossible, but highly unlikely. These odds do increase if we are talking about a high speed connection or god forbid, an unencrypted WAP. But even then, Mepis is such a relatively small distro, it would not be worth the effort or cost to design any sort of generalized exploit. Chances of success are too limited.

Yes, this is security by obscurity (a poor practice in general), but security none the less.

Incidently, I believe that what you have recognized as a "mysterious download" is actually just the excessive traffic generated by an encrypted SSH connection.

Paranoia has its place, but its a lousy motto to live by.

Hi, HitheringWaters,

Unfortunately I am only an honorary Hungarian.

I thought only the FBI wanted to examine the reading habits of American citizens?

I hardly have the energy to log the stuff I am already (especially since I never seem to have logged/recorded the stuff I wish I had minutes or weeks later). As you may know, MEPIS by default logs the event each time you, as an ordinary user, become superuser, so I know that I don't do this hundreds of times per day (it only seems that way). And if I were Nixon, I'd demand that Haldeman instruct my machine to write to a file every single keystroke that anyone types as superuser on my machine.

For those of you who wish to experiment with spying on yourself, it is not hard, at least for whatever you type in a shell. Try

man script

I have another project: find and read man pages on the thousands of apps and unix utilities which were installed by default on my machine. So far, most are utterly baffling, some tipped me onto things which are quite useful but which I never would have otherwise considered, and a few are, to my mind, somewhat scary.

Anyway, on second thought, yes, it is important to tell the newbie MEPIS user (for example) what the default permissions are, that this in general makes it easy for his ordinary user to read anything, but hard for him to accidently delete anything important. And that a little knowledge is a dangerous thing, since that could lead to a discussion of more paranoid permissions on certain directories or files, which can mess things up if you don't know what you are doing, as may very well have happened in my case.

feheeszeno

Hi, qtech,

Sorry, owing to laziness I see that I did seem to implicitly mischaracterize what you said. Actually, I was probably thinking more of comments I have seen elsewhere which might be described as expressing the belief "that no evil person is likely to find it worthwhile to attack a linux home user".

I take the point that your assessment that my risk level is actually very small comes from experience and knowledge, and I apologize if I implied otherwise.

You said

> Mepis is such a relatively small distro, it would not be worth the
> effort or cost to design any sort of generalized exploit

I understand the point, but ironically, it is precisely because I understand the limited but genuine value of security by obscurity that I can't really explain why I find this unsatisfactory.

This leads to another question: what is a flustered newbie to make of all those security warnings? I can hardly understand a word they are saying, but they often seem rather scary. Maybe the problem is that they don't often qualify warnings in words a newbie can understand. I realize that the advisories are not written for atechnicals, but it sure would be nice if someone could redact the most important warnings for the general public. E.g. by saying "this shouldn't affect a home user, unless you let many people log into ordinary user accounts on your machine, but Zyborg Corp. reports that..."

Back to the original topic of this thread: please note that one reason I was alarmed is that the download seemed to start when I logged -off- the remote machine, and this seemed to be reproducible yesterday, yet I couldn't figure out what was causing it or what innocuous phenomenon it might represent. So I don't see how this could be due to ssh, since I was not running ssh after I logged out from the remote machine. The behavior I saw yesterday was -not- repeated when I ssh'd to that remote machine today, but I haven't yet been able to contact the sysadmins to ask if they know anything.

I hope that nothing I have said offends anyone here. I have simply been trying to explain something which is worrying me and why I want help.

I guess posting here is like seeking vaccination.

feheeszeno,

I'd like to respond to one question that you bring up above. You ask, "What is a flustered newbie to make of all those security warnings?" and state that you cannot understand what they are saying.

Don't you find it interesting that in the "World of Windows" when it comes to security warnings that they all are explained along the lines of, "A security weakness has been discovered that can seriously compromise a user's computer." Gosh, that was helpful! There's something wrong that will allow someone to do something bad!

Contrast that with the Linux world where, "Bubba has found that if you write 'foo' to the /usr/bin/bar script while wearing argyle socks then the framitz will experience a buffer overflow."

Linux, and the various developers, live in a world of informing others. It is better to tell too much (even some of which could be wrong) and let many people know about a problem even if it will effect few of them. By you learning what might be a problem, you decide what you want to do.

So yes, there can be a lot of information, often an overwelming amount. And you've already discovered that finding answers is sometimes difficult. But I hope that you will find that there are many people out here willing to help you learn more about Open Source, Free Software and Linux. And I also hope that you will then share the wealth with others

Jon

HW, I just realized why your sig has been bothering me.

Did you realize its connection with the security issue I cannot really discuss without violating security by obscurity?

Hint: what does Pynchon have in common with a second author who famously quoted the lines-- the lines in your sig--- which were famously recorded by a third author? Maybe you already realized that there is a chilling parallel between a true life story in the news this very day and the Hourglass Lake episode in the Most Famous Work of author number two. Now, to what-- other than the two most obvious felonies-- does the narrator of this MFW confess? No, fergodssakes don't post the answer--- reread the thread. Now imagine HH searching for Mrs. RFS using Google.

See what I mean? <-- Another quote from MFW

feheeszeno

I understand the point, but ironically, it is precisely because I understand the limited but genuine value of security by obscurity that I can't really explain why I find this unsatisfactory.

Perhaps you find it unsatisfactory, because ultimately it is just that.
Obscure does not mean invisible.

This leads to another question: what is a flustered newbie to make of all those security warnings?

Tough question to answer. Although you have already answered part of it in your recognition that you, the end-user, should have at least a passing interest if not an obligation to pay heed to certain security measures.

But beyond that, things become complex (more so than usual). I offer, for example, the article you mentioned earlier regarding the so called 'security break-down in Debian'.

http://news.zdnet.co.uk/software/linuxunix/0,39020390,39207235,00.htm

I can certainly see where you might find that un-nerving. Frankly, I think the article is quite distorted and generally alarmist and can safely be ignored by the home-user. My personal opinion is that ZDNet frequently takes a rather dim view of Linux in general. I would like to know who their corporate sponsors are.

My point being that everybody has an agenda. If Symantec (Norton anti-virus) squashed all of the worms in the world, they would go out of business. If Microsoft makes a truly secure (or functional) product, they would loose a fortune in services revenue (and I'd be out of work). Spam could easily be largely eliminated from email, but its a billion dollar industry with a government lobby group. If ZDNet needed a 'big news story' to run...

it sure would be nice if someone could redact the most important warnings for the general public. E.g. by saying "this shouldn't affect a home user, unless you let many people log into ordinary user accounts on your machine, but Zyborg Corp. reports that..."

I agree, there could be better communication to the general public. But, keep in mind that Linux is 'free'. Debian, much less Mepis, simply does not have unlimited financial resources and cannot afford to provide the sort of customer service that would befit a beginner. In fact, its pretty amazing what they have accomplished on a shoestring budget. Compared to, oh, lets say the richest man in the world and the product he offers.

One final point. The Linux community is where you can find answers (and lots of opinions). Thats why you are here. Thats why I'm here. And there are an awful lot of generous folks (I tip my cap to Jon DuQuense) that give back and ask nothing in return. I find that a rather rare and beautiful thing these days.

As to your "mysterious download", there are a variety of possible explanations, the very least likely of which is that you've been hacked. Assuming of course, as I mentioned earlier, that you haven't ticked off the mafia or the government.

You can use Synaptic/Kpackage/apt-get to install 'chkrootkit' if you are truly worried. Type 'chkrootkit' (as root or su) in a terminal and it will hunt down any trojans. Maybe its installed by default, I can't recall.

Keep reading. Keep asking questions. There will be a point when things all suddenly start making sense. The more you put into it, the more you will gain.

Hi, jon,

I am writing this stuff down, and finding it very useful, so thanks for your input.

About KNotes: I have to say that in the other distro I use, I found that a horribly distracting "feature" which I grew to loathe because for some reason, I could never delete sticky notes, and upon every reboot, every one I'd ever created would reappear and I'd have to manually delete them! (This was before I learned about the killall command.) Even worse, I could never uninstall the program. Eventually, it died the miserable death I'd been praying for-- unfortunately, I have no idea what finally killed it. But despite this bad experience, I will check out Tomboy. And I plan to look for the O'Reilly books you mentioned.

About security advisories: I seem to be having trouble expressing myself. What I actually wanted to say is that I wish these advisories could be organized along the lines of

* executive summary of who is affected,
* summary of problem for n00bs,
* detailed and precise report, suitable for sysadmins and developers.

Information is good, but best in small bytes-- that's what I am trying to say.

I -do- take the point that full and complete disclosure is absolutely neccessary for Open Source, and I have no quarrel with that.

Before anyone says this, I see that "executive summaries" might be too much to ask for from people providing security advisories, but even a n00b can dream...

You've all been very helpful indeed, and very patient with my long winded posts. I still have some unanswered questions (like what the heck that download thing was the other day) and I hope you'll keep it coming. About that download--- I've been trying to guess why Qtech thought it might be ssh related. Is the idea that my logging off the remote machine somehow triggered a flow of log entries (going from one place to another in my box), which I misintrepreted as network traffic coming through my router from Out There?

feheeszeno

Hi, Qtech,

When I read the DistroWatch article, I didn't realize it came from ZDNet, an organization which I've never even heard of.

I do attempt to bear in mind the possibility of hidden agendas. A comical example: I'm a n00b, but it has not escaped my ironical notice that the blog of the founder of the distro upon which MEPIS is based, and various linux-friendly sites seem to have corporate sponsors, one of which is Microsoft--- whose sponsorship apparently consists soley of paying for an ad banner to their anti-Linux site. This actually reminds me of some desperate adverts by Big Tobacco in the last few years before they had to admit that smoking is bad for your health!

Speaking of financial support: I got SimplyMEPIS as a free inclusion from Linux Format. I tried it, I like it, I've been using it and want to continue using it, and despite my not being the richest man in the world, I think its time I sent some money to someone to show my gratitude. Er, this is really embarrasing, but the fact is, there isn't a whole lot of information at mepis.com, so I don't know who Warren is, or if anyone else works at Mepis, whether it's a nonprofit or not, and if I wanted to mail an order for an official MEPIS 3.3.1 disk, I don't know what amount to put on the check. (Bear in mind that I really don't want to explain here why I don't use another method of payment.)

I probably do need to obtain a new one because yesterday I managed to badly -scratch- the bootable copy I made of the live CD. Speaking of which, to boot off the CD, I put it in the drive, and reboot (the BIOS is already set to boot from the CD before the hard drive). But when I want to reboot from the HD, I always have trouble ejecting the disk so that my machine will boot from the HD again. While experimenting, I got the drive to open, but while I was in the act of grabbing it, it suddenly closed and jammed with the disk half in and half out. -That- can't be good! Fortunately, I don't think this harmed the drive, but it scratched the CD. So, does anyone know I am supposed to do this?

feheeszeno

Oops, qt, I forgot to say that I did install chkrootkit, ran it after the weird download episode, and my system passed. I do tend to think that what I saw was very likely due to something happening as a result of something I have inadvertently broken, or something entirely innocuous which I wasn't expecting and misinterpreted as a possibly serious problem.

feheeszeno

Hello again feheeszeno! That is one of the other things I like about Linux in general, and the Live CD versions of Linux that have popped up lately. You can "Try before you buy". I know I downloaded a few versions of Mepis and played with it in virtual pcs (on Windows yet), installed it, broke it, installed it again, liked it. After I determined that it was of value to me, I passed on the word, and then I sent "Da Boys" (Warren, David, et. al.) some money. Go here:
http://store.mepis.com/home.php
to get a real-live-cd

I'm sure if you want to send a check instead of on-line payments that that would be possible. Contact Mepis through email and get the specs.

Also, as qtech pointed out previously there can often be confusing articles and hidden agendas. Just today on Slashdot is an article about Microsoft's purchase of Claria and now Microsoft's anti-spyware program "downgrades" Claria's alleged "spyware":
Slashdot | Windows AntiSpyware Downgrades Claria Detections
http://yro.slashdot.org/yro/05/07/07/1234217.shtml?tid=158&tid=172&tid=201

Well, I think it's great that we can keep each other informed and all learn in the process! Keep asking the tricky questions feheeszeno; it keeps us on our toes

Jon

...and now Microsoft's anti-spyware program "downgrades" Claria's alleged "spyware"

I knew this was coming (but not this fast), yet I am still shocked.

But hey, now you can keep your spyware current with Windows Update!

Organized crime at its best. Just lovely.

...software and spyware MONEY CAN BUY

Well, feheeszeno (they called me "sonka" for a short time in my past. It means both "ham" and "little Sean" [they did *not* {just to put you at ease} refer to me as "Kaiser Soze"), you've gone done out obscured me. But what does it matter, as long as we follow the bouncing ball to either the Zero or the exquisite restful plenitude of the definite article?

I'm afraid I've got no clue to "Author number two," or, "Author number three." I'm always happy to hear about someone who's quoted the Wake.

BTW, to which sig were you referring? I've changed it recently.

A-and... you weren't responsible for switching my clock to Berlin time, were you? hehe. Just putting all my paranoid wonderments to rest...

--

Tell me, tell me, tell me, elm! Night night! Telmetale of stem or stone. Beside the rivering waters of, hitherandthithering waters of. Night!