Bonus Article: KGIII Rants A Little About Security

The below ‘article’ is a rant about security – except it was written while really, really intoxicated. It’s not very good. I can’t even clean it up to make it good – but it does have some good bits scattered throughout and I’m just going to publish this as a ‘BONUS ARTICLE‘. 

Note: I may someday break this article down into bits and pieces, which is the only way I can think of to make it worth reading. At this point, I just don’t want the time to be wasted, so it might as well get published.


After trying to edit it, again while inebriated, I am not sure I can turn this into an article… I’m a bit inebriated. It’s perfectly legal here. I think I can… It’ll need to be pretty simple.

Let’s talk some basics about security!

You know what I get a kick out of? I get a kick out of seeing the people who move to Linux for “privacy reasons”, only to see them log back in to social media/forums to show that they have now moved to Linux.

They’ll log in to accounts where they left plenty of personal information.

I’m not sure who they think they’re hiding from, but it’s not good privacy and they’re hiding from nobody important.

Real privacy is difficult, possibly next to impossible.

Seriously… Even the vaunted Tor is generally only as safe as you are smart, and then only on .onion domains. Once you hit the regular web, you’re probably not safe from a nation-state. Here are some theoretical attacks against Tor.

Realistically? How much privacy do you need or want? As you can guess, it’s a spectrum and there are extremes on either end. There is also the law of diminishing returns on either end of the spectrum.

By the way, privacy is not security. Privacy is just one aspect of security.

So then, what is security?

Let’s start with the basics. For at least ‘good’ physical security, it should be ‘who you are’, ‘something you have’, and ‘something you know’.

For example, the security guard should check your ID to ensure who you are. The ID is something you have. The something you know is a password, a PIN, or a passphrase. That’s the least amount of security you can physically have to be any good.

Then, there are things you can do to improve it. For example, you can make it a rotating passphrase, make the guards work in pairs, require confirmation from someone proven to be in the building at the time, etc… You can do a layered approach where they may need all three of those things to enter yet another section and incorporate a man-trap between them.

Of course, on the other end of the spectrum is anyone and anything gets in and out. We tend to call those public spaces, when anyone can get in and out. As a general rule, you lose some rights to be in the public spaces – among those rights would be some degree of privacy (which will vary per jurisdiction). That’s pretty damned insecure. As far as security (and privacy) goes, that’s the opposite.

So, again, there’s this giant spectrum of security. Where you want to be on that line is up to you. I find it’s a judgement call. We’re even willing to give up some privacy to be recognizable on a forum. Some of that lack of privacy is what keeps the forum secure and running smoothly. We give that privacy up because we get something in exchange.

At the same time, we might not want Google knowing everything we’re up to. We may be some dissident trying to reach a journalist to expose human rights violations and be under legitimate threat of death – or worse than death. We all make judgement calls about how much of our information we’re going to share.

And, really, unless you’re at the extremes, life is pretty good. It’s pretty easy to retain a little bit of privacy while participating in an online community. It’s less easy to do so with a typical Facebook account, where you are in some way connected to a more physical you.

Me? Oh, come on… I’ve long-since eaten the Google kool-aid. The ads here are from Google. I use their Analytics to better optimize the site, and all that – and more. Hell, I use Google Chrome and I’m logged in as the same user that does all those other things. I don’t use Gmail very often, so there’s that. I only use one of their accounts and that’s just to service my phone. But, that too is tied to all things Google.

The thing is, I know this. I know the privacy I give away. I made an informed decision to cede that privacy for those benefits. For me, the risks outweigh the benefits and I have a level of trust for Google. 

That’s the right choice – for me. Y’all make your own choices. If you don’t know how to block Analytics (or ads), just go ahead and ask. Just because I use those things doesn’t mean you need to. You’re perfectly free to block anything you want. You’ll still show up and be counted in the raw server logs. I’ll still be able to see what you did on the site. (Don’t worry, I don’t much care – unless you’re harming the site. The site’s security automatically blocks hundreds of requests per day.) But, yeah, I could see your IP address.

Oh, man… Oh no!!! Your IP address?!?

And the things people think about their IP address, as though it’s some great secret. If you really care, use a VPN – but learn what a VPN actually is before buying into the hype. They tout it as some great security (and it actually can be, but not how you’re using it) but it’s not really. Especially if you’re logging into sites like the video site you’re unlocking!

By the way, it’s ‘security’ when you connect to a VPN ’cause a web access point is locked down so that it only takes inputs from one IP address. That’s not how you’re gonna be using your VPN. (Well, you might, if you keep reading these articles.)

No, your IP address isn’t important. There’s no l337 hacker out there that’s just waiting to learn your IP address before he dusts the Cheetos off his shirt and gets to work hacking you. It’s just bots scanning bots at this point and you’re behind a NAT anyhow. Keep your stuff secure, mostly by keeping it off the public internet.

Ah, yes… The MAC address people…

No, you don’t need to change your MAC. The only reason you’d want to do so would be for something local. It’s not hiding you from Google, ’cause it’s only seen at the very first hop in network traffic. Once the packet is beyond that point, each hop uses its own MAC address. While changing your MAC address is a useful skill (for local “Spoofing” purposes), it’s not gonna make you appear any different to the rest of the web.

Lemme see… 

More security stuff to spew out onto the page?

I’ve been known to say, “Security is a process, not an application.” I’m probably not the first to express it similarly, but it doesn’t make it any less true. It is indeed a process. It starts best with a good plan and deciding where on the spectrum you’d like to be. Be sure to compare that with where on the spectrum you need to be to accomplish your computational goals. Somewhere in the middle is probably gonna be the sweet spot for you.

The thing is, you have to know where you can be on the spectrum involved. You have to know what the extremes are. You have to be aware of what techniques are available and what they really do. You need to be aware of what threats there are and what goals you want to accomplish. ‘Cause the only completely secure computer is one that doesn’t work and you might want to be extra sure by burying it in 25 feet of concrete.

Want some privacy? How about blocking third party cookies and scripting. How about you take a look at browser fingerprinting and decide where you want to be on that spectrum? In pretty much every OS you can block DNS requests by using your hosts file. There are even curated lists that you can download and use.

Alright, I wrote this while impaired. I’ll eventually schedule it or delete it. I’ll probably proofread it, maybe trying to make it salvageable, and the likes.


Meh… After reading this sober, I’m just gonna submit it as a bonus article. It’s not very good. I just barely proofread it and it wasn’t nearly as good as it seemed while drunk!

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

How To: Remove AppArmor From Ubuntu

In today’s article, we’re going to learn how to remove AppArmor from Ubuntu. This will work for other distros, like Debian. It’s actually not a very difficult task to remove AppArmor from Ubuntu, but it’s not something you necessarily want to do. Just because you can, doesn’t mean you should…

As many of you know, I write many of these articles based on the notes I’ve taken over the years. I’m a little reluctant to write this one, because removing AppArmor is probably not the best of choices.

AppArmor is similar to the various jails and application isolation techniques. It’s a security tool that restricts applications to a constrained set of resources. If the application is then compromised, it only has access to that set of resources and not to the whole system.

In other words, unless you know what you’re doing, you almost certainly don’t want to remove AppArmor from Ubuntu. In fact, if you don’t know what you’re doing then doing this is almost certainly a ‘not-bright’ choice.

If you’re going to remove AppArmor, you should consider replacing it with something else. SELinux is an option that’s similar, though I suppose you could use something like Firejail and be prepared to craft your own application profiles.

Again, removing AppArmor from Ubuntu (or whatever distro you’re using that has it) is probably not a good idea. I include the article because the information is already out there and because some folks may just decide to operate their system without such protections. This is Linux, you have the freedom to make bad choices. This isn’t even the first time I’ve shown you how to make bad choices.

Remove AppArmor From Ubuntu:

Like oh so many of these articles, you’re gonna need an open terminal. Just press CTRL + ALT + T and your default terminal should open. (I say that a whole lot on this site.)

We should first check to ensure AppArmor exists and is running. To do so, enter the following command:

What you’re looking for is several lines into the output. You’re looking for ‘apparmor module is loaded‘. If you see that, AppArmor both exists and is running. So, the next step in removing AppArmor is to stop the service. You do that with:

In case AppArmor is somehow installed again, we’ll make sure that it won’t start at boot by disabling the service entirely. That seems like a good idea.

Finally, we nuke AppArmor from existence with a purge command:

And that should do it. You probably want to reboot, just to make sure there are no tendrils sticking around – but stopping the service first should mean you don’t need to. Either way, you have now removed AppArmor from your system – assuming you followed the directions.
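
Added example (not from the original article): before stopping and purging the service, it is worth seeing what AppArmor is actually confining on the machine. This sketch parses the text printed by `aa-status`; the sample output, paths and PIDs are constructed, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: summarize what AppArmor currently confines.

# Constructed sample of `aa-status` output (paths and PIDs are made up).
sample_aa_status() {
cat <<'EOF'
apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   snap.firefox.firefox
1 profiles are in complain mode.
   /usr/sbin/sssd
3 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (812)
   /snap/firefox/current/usr/lib/firefox/firefox (2417) snap.firefox.firefox
1 processes are in complain mode.
   /usr/sbin/sssd (640)
0 processes are unconfined but have a profile defined.
EOF
}

# Read aa-status output on stdin and print a one-line summary.
aa_summary() {
    awk '
        /^apparmor module is loaded/             { loaded = "yes" }
        /^[0-9]+ profiles are in enforce mode/   { pe = $1 }
        /^[0-9]+ profiles are in complain mode/  { pc = $1 }
        /^[0-9]+ processes are in enforce mode/  { xe = $1 }
        END {
            if (loaded != "yes") { print "loaded=no"; exit }
            printf "loaded=yes profiles_enforce=%d profiles_complain=%d procs_enforce=%d\n", pe, pc, xe
        }'
}

# List the running processes that are confined in enforce mode, i.e. the
# ones that would run unconfined once AppArmor is removed.
aa_enforced_processes() {
    awk '
        /^[0-9]+ /                              { section = "" }
        /^[0-9]+ processes are in enforce mode/ { section = "enforce"; next }
        section == "enforce" && /^[ \t]+/ {
            # $2 looks like "(812)"; strip the parentheses to get the PID
            print $1 " pid=" substr($2, 2, length($2) - 2)
        }'
}

# Demo on the constructed sample.
sample_aa_status | aa_summary
sample_aa_status | aa_enforced_processes
```

On a live system the same functions read real output: `sudo aa-status | aa_enforced_processes`.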

Closure:

Again, and I can’t stress this enough, don’t do this unless you know what you’re doing and unless you have something to replace AppArmor with. It’s really a bad idea and you’ll gain very little. I wouldn’t even do this with a system air-gapped from the network, unless I had a very good reason to do so.

Change Snap Application Privileges In Lubuntu

In today’s article, we’re going to learn how to change Snap application privileges in Lubuntu. With Ubuntu, it’s a bit more straightforward. In Lubuntu, you have to dig around a little bit. Don’t worry, ‘snot hard – it’s just not all that intuitive. 

Snap applications come with their own privileges. This is useful because sometimes you may want to change them, to enable something that was disabled or to disable something that was enabled. I think it’s sorted now, but at one point you even had to change the permissions to let the Firefox browser access removable media.

In Ubuntu it’s pretty straightforward and there are a ton of tutorials already out there that will help you change Snap application privileges. It’s just one of those things that comes with Snaps, so we’ll cover Lubuntu.

I’ve written about Snap applications before, including sharing how to disable Snaps completely. However, the reality is that they’re going to be a part of the Ubuntu ecosystem for the foreseeable future.

Like them or not, they will be a part of Ubuntu and official Ubuntu flavors. I suspect trying to avoid them will get more difficult. With the new Lubuntu, for example, the Firefox browser will come as a Snap application by default.

So, well, even we folks using Lubuntu must come to grips with Snap applications. This can be a pretty painless process, if you’re armed with some information. That’s what this article is meant to do. This article is meant to teach you how to …

Change Snap Application Privileges In Lubuntu:

This is actually pretty easy, but not necessarily intuitive. Unlike many of my articles, you don’t actually have to start with an open terminal. No, you need to start with “Discover”.

So, crack open your menu, click on System Tools, and then click on Discover. Once you have Discover open, you can use the search or installed option to find the application in question. In this article, I decided to just use Firefox – seeing as we Lubuntu users will be faced with a Snap app Firefox.

When you find the application, you just click on it. It looks like so:

[Screenshot: click on Firefox to begin]
See? I even started you off with a handy arrow! It’s a recurring theme!

Once you’ve clicked the application, then you just click on the obvious! You just click on “Configure permissions”. That looks like this:

[Screenshot: click on permissions to continue]
Yup. I gave you another handy arrow – but it should be obvious now.

Finally, you can adjust the individual permissions. That looks like this:

[Screenshot: finally, adjust your permissions as needed]
There are a bunch of settings you can change. Again, you get a handy arrow!

That’s about it, really. The thing is, you have to use Discover. While the Muon application is able to install applications, it doesn’t deal with Snap applications. Only the Discover application has these menus and it’s the only way (at least graphically, by default) for you to adjust the individual Snap application privileges.

So, while it’s not necessarily intuitive – it’s not dreadfully difficult. You just have to know where to look and then it becomes obvious.

Closure:

Guess what? As of tomorrow, a day where no article is scheduled, it will have been a full year that this project has been alive. That’s right! I’ve gone the full year without missing  a single publication date! If I can do it, so can’t you! 

So, am I done? No… No, I don’t think so. I still have articles that need to be written, things that need to be said. I’ve had a great deal of fun, though it has been a lot of work. I’ve learned some, you’ve learned some, and I’d say it’s a net benefit to the Linux community – though I suppose I’m a bit biased. (Feel free to agree with me!)

I may take a few days off. I’m not actually sure. I haven’t decided. I have decided that this can’t be the last article, so there’s that. Which is nice… If nothing else, I’ll see you again in a few days. I might enjoy taking a break. Then again, I kinda suck at taking breaks. I truly suck at retirement.

Check To See If SELinux Is Working

In today’s article, you’ll learn how to see if SELinux Is Working on your system. Your system may not have SELinux, but many do. This article is for those people. You’re welcome!

SELinux stands for Security-Enhanced Linux and its function is to provide greater controls over who can access the system. It was actually developed by the US spy-agency – the NSA. You’ll often find SELinux in distros that fall within the RHEL family tree. The link at the start of this paragraph will give you even more details.

This article is just about checking to see if SELinux is working. It should be noted that SELinux has three operational states. I’ll cover them lightly here.

The first operational status is usually the default, which is ‘enforcing’. This means that it’s working and blocking as designed.

The second possible result is ‘permissive’. When SELinux is in this state, it is not blocking anything – but it is logging everything. So, you’ll see things after the fact, when you check the logs.

The third is simply ‘disabled’. That’s self-explanatory. If it’s disabled, it means it isn’t working. If it’s disabled, it’s easy enough to start it. If you choose not to, you’re not taking advantage of a security tool.

It’s not a very difficult article to follow, I don’t imagine. Pretty much anyone can figure this out. We won’t be going into details other than what the headline says, and explaining everything about SELinux would take a lot of time and is beyond my level of expertise.

See If SELinux Is Working:

This article requires an open terminal, like many other articles on this site. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open.

With your terminal open,  the very first command you can use is simply:

That’ll spit out exactly the answer you’re looking for. However, the command that’s more interesting is the one that follows, an arguably better command to learn more about the status of SELinux:

That command outputs a ton of information. Included in that information is the SELinux status. It’s a quick way to see if SELinux is working.

The output of that command would look something like this:

[Screenshot: selinux status]
See? The output lets us see that everything is fine. 

See the line – which is “Current mode:”? Well, that’s how you see if SELinux is working. It also feeds you other information, for a deeper view of your SELinux status.

I suppose if you use that command and want to narrow it down, you could do something like:

Which is really just a bit silly when you already have the getenforce command available. There’s no reason to occupy one of your memory banks with that command, as it’s really just some fun with grep.
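
Added example (not from the original article): the three states described above, turned into a scripted check. It assumes the longer status command is `sestatus` and parses its output; the sample outputs are constructed and the function names are made up for illustration. It also covers two cases a grep for “Current mode” misses: a disabled system prints no such line at all, and the running mode can differ from the mode in the config file.

```sh
#!/bin/sh
# Added example: classify SELinux state from `sestatus` output.

# Constructed sample: running mode is permissive while the config file
# still says enforcing (the two lines disagree).
sample_drift() {
cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
EOF
}

# Constructed sample: a disabled system prints only the status line,
# so there is no "Current mode:" line to grep for.
sample_disabled() {
cat <<'EOF'
SELinux status:                 disabled
EOF
}

# Read sestatus output on stdin and print one verdict line:
#   OK      enforcing
#   WARN    permissive (logging only, nothing is blocked)
#   FAIL    disabled
selinux_verdict() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
        $1 == "SELinux status"        { status = $2 }
        $1 == "Current mode"          { cur = $2 }
        $1 == "Mode from config file" { cfg = $2 }
        END {
            if (status == "disabled") { print "FAIL disabled"; exit }
            if (cur == "")            { print "UNKNOWN no current mode"; exit }
            verdict = (cur == "enforcing") ? "OK" : "WARN"
            out = verdict " current=" cur
            # Report the config file mode only when it disagrees with the running mode.
            if (cfg != "" && cfg != cur) out = out " config=" cfg
            print out
        }'
}

# Demo on the constructed samples.
sample_drift | selinux_verdict
sample_disabled | selinux_verdict
```

On a live system: `sestatus | selinux_verdict`.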

Closure:

Yup… There you have it. You have another article! ‘Snot really all that handy for those of us who don’t use SELinux. But, if you are using SELinux, this is a perfectly handy way to see if SELinux is working.

Has Your Email/Phone (Personal Information) Been Involved In A Data Breach?

Today’s article isn’t all that Linux specific, but pertains to your personal information and whether or not it has been leaked or hacked. This is good information to know. While there’s not much that you can do after the fact, there are steps you can take when the inevitable happens and those steps will vary depending on the severity of the hack and how much information the bad folks got away with.

Basically, when you visit sites you leave at least some information behind. Depending on the site, you may leave more information behind than other sites. For instance, you may leave behind your email address when you signed up for their newsletter. This is relatively benign (insert plug for the Linux-Tips newsletter), but more concerning when you add more information to it – such as your password, phone number, username, answers to security questions, etc…

Sometimes, those sites aren’t all that well defended and people manage to find exploits that give them access to this data. These are known as data breaches. Your data is then, more often than not, put up somewhere online for sale or even for free. The usual goal is to sell this data, as profit is the ultimate motive these days.

There’s quite a bit that bad actors can do with this hacked and leaked data. This is especially true if you do things like re-use passwords. By the way, that’s something you should never do. Don’t use a password or a ‘password system’. Generate random passwords for every use. 

Enter “have i been pwned?”

This have i been pwned? site has been around for a long time. You can visit the site by clicking the following:

have i been pwned?

Go there and enter your email address or phone number. It will then let you know if your data has been exposed in a data breach. The site’s name is a play on the word ‘pwned’ – which means something similar to ‘owned’ or, in this case, that your personal information has been exposed by way of a data breach.

If your personal information has been included in a data breach that was made public, it’ll be listed in the results. For example, I have one email address that was involved in a very dark time for Linux Mint. See this:

[Screenshot: my data has been breached]
My personal information was compromised in this attack. Also, yes that happened. It’s very much real.

You can be reasonably comfortable putting your email into that site. They have a long, long history of good behavior and, at the end of the day, you’d just lose your email address. So, feel free to drop your email addresses into the site.

NOTE: I take your personal information seriously. If I ask for it, I secure it. I only ask for as much information as required for the role. Signing up for the newsletter doesn’t even ask for a username! Passwords are salted and hashed (not saved in plain text). There’s a layered approach to prevent compromise, including things like requiring 2FA for administrative roles.

Again, “have i been pwned?” has no motivation to do anything with your email address and their reputation is pretty solid. You can drop your email address into the search box safely.

They Lost Your Personal Information: 

So, what can you do if you found out that your personal information has been compromised? There’s not a whole lot, actually. Once the data is out there, it’s out there. You can’t do anything to take it back.

What you can do is stop doing business with these people. You can change your passwords for the compromised sites. You can also check other accounts for signs of compromise. Depending on the data that was lost, you can lock your credit or use a credit monitoring service.

When (not ‘if’) you find your email and personal information in these lists, it can be a little jarring. It’s not entirely unlike finding out that your house has been broken into. But, you can relax. It’s not the end of the world or anything of that nature.

In many cases, passwords aren’t stored in plain text. They’re hashed and salted before they’re stored. The password you typed in is just checked against the hashed values and, so long as you match, you’re let into your account. That’s a great thing, a great start even, but rainbow table attacks still exist to attack hashed passwords.

If there are extra security steps you can take, take them! If you can enable 2FA (2 Factor Authentication), then by all means do so. A login that requires a second factor, such as a code sent to email or to text message, is much more secure. This is more useful before a hack occurs, of course.

When you give out your personal information, ask yourself if you truly need to give the information and if you trust the company with that information. Different companies may have different trust levels for you. I trust this site with all my information, ’cause I own it. I trust sneakydownload.site enough to have my email address and nothing more. There’s a pretty broad spectrum of trust and a very personal choice to make.

Closure:

This article could easily run thousands of words, as security, privacy, and personal information are broad subjects. Be careful who you trust and be sure to check in once in a while to see if your personal information has been compromised. On Linux-Tips.us, I just avoid collecting data. I find it easier to protect your data if I don’t actually have it. However, even this small site is under attack constantly:

[Screenshot: Linux Tips attacks]
That’s a week’s worth of attacks. That’s just for a small site.

The two spam comment selections are from people/bots who made it through the first levels of defense. Even the rest of the numbers are people who made it through the basic security checks, now that I think about it in this light. Point being that a site is constantly under attack and your personal information is a commodity, so protect it well.

 

Linux Tips
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.