<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>This email (<a href="http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html" data-mce-href="http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html">link to the blog post</a>) was powted a while ago on the Full Disclosure mailing list. Some of the advice only applies to Desktop computers, but I find it's still a very good read in the general case.<br><br>--<br>Justicerage<br><br>???----- Original Message -----<br>????From: "Joshua Rogers" <megamansec@gmail.com><br>To: fulldisclosure@seclists.org<br>Sent: Saturday, June 14, 2014 7:22:14 PM<br>Subject: [FD] Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.<br><br>?????Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.<br><br><br> Securing your Ubuntu Desktop OS from intruders<br><br>Recently I have become interested in securing my laptop from predators<br>such as hackers, thieves, and law enforcement.<br>To do this, I've explored various programs to run; and how to run them,<br>without interrupting usability by the average user.<br><br>In this blog we'll be running through vectors of attacks that one could<br>use to gain access to your unencrypted data.<br><br><br>Before starting, the following must be known:<br><br>1. The author of this article is currently running Ubuntu 14.04<br>LTS(Trusty), and all commands and patches work on it for the author. The<br>author accepts no liability when it comes to these commands/patches<br>being run by other users; this is purely informational.<br>2. It is assumed Full-Disk-Encryption is being used.<br>3. It is assumed your $HOME directory is encrypted using ecryptfs, with<br>filenames encrypted. This can be checked using the command<br>`ecryptfs-verify -h -e'<br>4. It is assumed you do not have the evil program called Java, or any of<br>its counterparts like IcedTea, etc. installed.<br><br><br>When you're told to run the program 'Nano', you can use vim,vi,emacs,<br>etc. Nano is purely the text editor that I use. To exit out of Nano, you<br>press control-x.<br><br><br><br><br><br><br> FireWire attacks<br><br><br>Firewire has for awhile been known to allow attackers to gain access to<br>a computer's Physical memor[RAM], and enable the attacker to grab the<br>encryption key used for devices that are mounted.<br>The most obvious method of defeating this attack is by not compiling the<br>kernel with any firewire modules included, but for the sake of this<br>article, I'll include methods of mitigation. After all, some Ubuntu<br>users probably wouldn't be able to compile their own kernel every update.<br><br>To mitigate the risks with firewire, we will disable them in a blacklist<br>file in modprobe.d.<br><br>1. Open up /etc/modprobe.d/blacklist-firewire.conf by running `sudo nano<br>/etc/modprobe.d/blacklist-firewire.conf'<br>2. Remove the contents(or comment everything out) and replace it with<br>the following:<br>?<br><http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#><br>1<br>2<br>3<br>4<br>5<br>6<br>7<br>8<br>9<br>10<br>11<br>12<br>13<br>14<br>15<br>16<br>17<br>18<br>19<br>20<br>21<br>22<br>23<br>24<br>25<br>26<br>27<br> <br>|# Prevent automatic loading of firewire module(s).|<br> <br>|blacklist ohci1394|<br>|blacklist sbp2|<br>|blacklist dv1394|<br>|blacklist raw1394|<br>|blacklist video1394|<br> <br>|blacklist firewire-ohci|<br>|blacklist firewire-sbp2|<br>|blacklist firewire-core|<br>|blacklist firewire-net|<br>|blacklist firewire-serial|<br> <br>|# Prevent manual loading of firewire module(s).|<br> <br>|install ohchi1394 false|<br>|install sbp2 false|<br>|install dv1394 false|<br>|install raw1394 false|<br>|install video1394 false|<br> <br>|install firewire-ohci false|<br>|install firewire-sbp2 false|<br>|install firewire-core false|<br>|install firewire-net false|<br>|install firewire-serial false|<br><br><br>This will 1. blacklist all the firewire modules from starting at boot,<br>and 2. prevent loading of firewire through forceful techniques.<br><br>After doing this, you *must* run `sudo update-initramfs -k all -u' for<br>it to take effect on next boot.<br><br><br><br><br><br> Hardening Firefox<br><br><br> <br><br>The abilities of web-browsers are not only astounding, but also<br>extremely vulnerable. With 0-day exploits being found for nearly<br>everything, the bad guys are always looking for ways to exploit your<br>browser.<br>Methods used to exploit browsers are usually split up into two parts:<br>exploiting the actual browser, and exploiting addon(such as Adblock and<br>Acrobat Reader).<br><br><br>Using the method I describe should mitigate most, if not all techniques<br>involved in the exploitation of Firefox, and addons used.<br><br><br>Most services when installed create a user for themselves, where they<br>cannot escape from without some sort of local root kernel exploit.<br>Unlike services, firefox is normally run at the same permissions as the<br>user running it, which entails an attacker to be able to gain the same<br>permissions of the user. With access, an attacker could record the<br>keystrokes of the user, and wait until they run 'sudo' to gain root<br>access(or, god forbid, somebody has nopasswd enabled on their account.)<br><br>By creating a user specifically for firefox, we lock it into its own<br>folder where it [shouldn't be able to] escape.<br><br><br><br>First off, we want to create our new user called 'firefox'.<br><br>1. Run 'sudo adduser --system --quiet --shell /bin/false --group<br>--disabled-password --disabled-login firefox' in the terminal.<br><br><br><br>The commandline(and all references to) 'firefox' is a link to<br>/usr/bin/firefox, which is just a launcher script, so we can move that<br>to something like 'firefox-start'.<br><br>2. Run `sudo mv /usr/bin/firefox /usr/bin/firefox-start' in the terminal.<br><br>Now we want to recreate the firefox file, and make it execute as our<br>'firefox' user, with all of the parameters that it normally would.<br>To do this, we must make a script to be run when using the command<br>'firefox'.<br><br><br>We have two options here. We either make a very simple script to run<br>Firefox as the 'firefox' user, or we use some X11 trickery.<br><br>The problem with the first, is that an experienced hacker could control<br>*all* X11 activity. Including logging keystrokes, injecting keystrokes,<br>taking screenshots, etc.<br><br>The problem with the second, is that extensions such as XRANDR will not<br>work. Another highly problematic downside is that you cannot<br>copy-and-paste from your browser into another application. You can<br>copy-and-paste from other applications into the browser, but not the<br>other way around. This makes it incredibly difficult if you want to<br>copy, for example, a quote from Wikipedia into an email.<br><br>Due to not having a solution to this, I've decided to show you how to do<br>both.<br><br>-----<br><br><br> Vulnerable Method<br><br><br>This method gives the reader a very easy way of doing things, and is<br>probably OK for the average user.<br><br>Open up /usr/bin/firefox, which should now be an empty file, and place a<br>script in it so it will run firefox was the user 'firefox'.<br>3[.1]. sudo nano /usr/bin/firefox<br>And enter the script:<br>?<br><http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#><br>1<br>2<br> <br>|#!/bin/bash|<br>|sudo -H -u firefox ||"/usr/bin/firefox-start"| |"$@"|<br><br><br>The -H flag is used to tell the system that we want to set our home<br>directory to /home/firefox/. -u is used to tell the system that we want<br>to run the program as the user 'firefox', and the last two flags tell<br>the system to run /usr/bin/firefox-start(the REAL firefox script) with<br>the flags $@, which means it will run with whatever /usr/bin/firefox was<br>run with.<br><br>We need to allow the 'firefox' user to access X, so we go to "System -><br>Preferences -> Startup Applications" and add a new startup program.<br>The name and comment is irrelevant, but the command should be this:<br>?<br><http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#><br>1<br> <br>|xhost +SI:localuser:firefox|<br><br><br><br><br>-----<br><br><br> 'Paranoid' Method<br><br>This method, as stated above, stops the user from copy-and-pasting from<br>the browser into a different program. It is much more safe, and is<br>considered secure.<br><br><br><br><br>3[.2]. Run `sudo nano /usr/bin/firefox', and put in..<br><br>?<br><http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#><br>1<br>2<br>3<br>4<br>5<br>6<br>7<br>8<br>9<br>10<br>11<br>12<br>13<br>14<br>15<br>16<br>17<br> <br>|#!/bin/bash|<br> <br>|xa=||"/home/firefox/.Xauthority"|<br> <br>|exec| |newgrp firefox <<-EOF|<br> <br>| ||if| |[ -e ||"$xa"| |]; then|<br>| ||if| |[ ! -r ||"$xa"| |]; then|<br>| ||rm -f ||"$xa"|<br>| ||elif [ ! -w ||"$xa"| |]; then|<br>| ||mv ||"$xa"| |"$xa.tmp"| |&& cp ||"$xa.tmp"| |"$xa"| |&& rm -f<br>||"$xa.tmp"| |&& ||chmod| |660 ||"$xa"|<br>| ||fi|<br>| ||fi &&|<br>| ||xauth -q -i -f ||"$xa"| |generate ||"$DISPLAY"| |. ||"untrusted"|<br>|&& ||chmod| |g+rw ||"$xa"| |&&|<br>| ||sudo -H -u firefox XAUTHORITY=||"$xa"| |"/usr/bin/firefox-start"| |"$@"|<br> <br>|EOF|<br><br><br>This script will run every time you open up firefox.<br><br>Now we need to make the file executable.<br><br>[4]. Run `sudo chmod +x /usr/bin/firefox'.<br><br> As you can see in the script, it relies on the usage of the 'newgrp'<br>program being able to access the 'firefox' group. To do this, you must<br>add yourself into the 'firefox' group.<br><br>[5]. Run `sudo useradd -a -G firefox $USER'.<br>This will add you into the group of 'firefox'.<br>You will now need to reboot to make this come into effect.<br><br><br>To allow changes to be made by groups, you must run a chmod command on<br>the user folder.<br>[6]. Run `chmod -R g+rwxs ~firefox'<br><br>This allows anybody in the 'firefox' group is make changes in the<br>/home/firefox/ directory.<br><br>-----<br><br><br>Now you can run 'firefox', and it'll run the browser as the user<br>'firefox', not as your user. Yay! We got most likely the hardest part<br>finished.<br><br><br> Audio<br><br><br>I, like many of you probably do, like to play music in my browser.<br>Whether it be through HTML5, or Flash. But since our new user 'firefox'<br>isn't part of the 'audio' group, we must add ourselves to it.<br><br>[?]. Run `sudo usermod -a -G audio firefox'<br>Now with another reboot(or logout), audio should be able to be played.<br><br><br>Finally, due to multiple users using PULSE(your account, and then flash<br>in the 'firefox' user), we have to set up 'firefox' to use a slave<br>server, and your real user as the master.<br><br><br>First of all, we want to copy the default pulseaudio settings to your<br>home directory.<br><br>[?]. Run `mkdir ~/.pulse/ ; cp /etc/pulse/default.pa ~/.pulse/'<br><br>Now edit it.<br><br>[?]. Run `nano ~/.pulse/default.pa'<br>Add to the bottom of the file: "load-module module-native-protocol-tcp<br>auth-ip-acl=127.0.0.1" and save.<br><br>And that's it. Firefox will automatically use use that as a master<br>server, thus becoming a slave.<br><br>There are probably security implications to do with this, but they would<br>be minor.(At most, listening to microphone, which I doubt anyways)<br><br><br><br> Addons<br><br> Although mostly un-important, it might interest some people to install<br>some addons in Firefox to enhance your browsing privacy.<br><br>These include:<br><br>Adblock Edge<br><https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/> -<br>Basically AdBlock without the whitelisted ads. Removes ads & unwanted<br>elements on webpages. Recommend using https://www.fanboy.co.nz/<br><https://www.fanboy.co.nz/>in conjunction too.<br>HTTPS-Everywhere <https://www.eff.org/https-everywhere> - Trys to use<br>HTTPS/SSL on webpages known to work with them.<br>BetterPrivacy<br><https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/> -<br>Handles long-term, non-HTTP cookies such as flash cookies.(In options,<br>make sure 'Always ask' is unchecked.)<br>User Agent Switcher<br><https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/> -<br>Makes it possible for you to change your User-Agent to something else.<br>Download http://techpatterns.com/downloads/firefox/useragentswitcher.xml<br>and import it through the application in Firefox(Edit User-Agents).<br>Smart Referer<https://www.blogger.com/> - Only sets referrer if staying<br>on the same page.<br><br>In the page "about:addons"(type it into your URL-bar), go to "Plugins",<br>and make sure everything is set to "Ask to Activate".<br><br>In the page "about:config"(type it into your URL-bar), set geo.enabled<br>to false(double click on it if it's true), set<br>network.dns.disablePrefetch to true, set network.websocket.enabled to<br>false,<br><br><br><br><br><br> MAC-Address<br><br><br>Although not necessarily a security risk, your MAC Address may be used<br>for tracking, and later identification.<br><br>To do this, we use an interesting program called macchanger<br><https://github.com/alobbs/macchanger>.<br>Macchanger, created by "Alvaro Lopez Ortega<br><https://github.com/alobbs>", is a program that quickly and easily<br>spoofs your mac address.<br><br>Although a new and updated version of macchanger exists on Github, we'll<br>be using the repository's version.<br><br>We actually need to install macchange. To do so:<br>1. Run `sudo apt-get install macchanger'<br><br><br><br>Although originally I wanted to set up a script to change the mac<br>address every time you connected to a wireless network, I encountered a<br>problem. The default network manager in Ubuntu, NetworkManager,<br>deprecated pre-up, and post-down. The developers have said that<br><https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/336736><br>they will not be bringing it back either. Interestingly, many of the<br>commenters on the invalid bug-report page also inquire the removal, as<br>they also were trying to use macchanger.<br><br>By creating an init script, we can make the program 'macchanger' run on<br>boot.<br><br><br>1. Run `sudo nano /etc/init.d/changemac', and insert the following:<br><br>?<br><http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#><br>1<br>2<br>3<br>4<br>5<br>6<br>7<br>8<br>9<br>10<br>11<br>12<br>13<br>14<br>15<br>16<br>17<br>18<br>19<br> <br>|#!/bin/bash|<br> <br> <br>|# Disable the network devices|<br>|ifconfig eth0 down|<br>|ifconfig wlan0 down|<br> <br> <br>|# Spoof the mac addresses|<br>|/usr/bin/macchanger -a eth0|<br>|/usr/bin/macchanger -a wlan0|<br> <br> <br>|# Re-enable the devices|<br>|ifconfig eth0 up|<br>|ifconfig wlan0 up|<br> <br> <br>|exit| |0|<br><br><br><br>Make sure to make it executable(`sudo chmod +x /etc/init.d/changemac').<br>This script will, on boot, take down wlan0 and eth0, change their<br>mac-addresses, and then bring them back up. If need be, edit eth0 and<br>wlan0 for your respective names on your system.<br><br>We now must actually the script run on boot. This can be done by running<br>'update-rc.d'.<br>2. Run `sudo update-rc.d changemac defaults 10'<br><br>On each reboot, your mac address should change, without any implications<br>in regard to connectivity.<br><br><br><br> Anti-Viruses<br><br>It's commonly said by in-experienced users of all distributions that<br>Linux cannot get viruses(Mac users also say this). But in reality, they<br>can get viruses, but it's rare.<br>As described here <https://help.ubuntu.com/community/Linuxvirus>, many<br>Linux Trojans/Viruses/Worms have been made, but with little success.<br>Although there is little chance of actually getting one, it's considered<br>a good gesture to others, for you to scan for viruses. -- "If you are<br>going to trade files in a Windows world, you'll need to scan those files<br>for viruses. You won't get infected, but you may help infect someone else."<br>i.e; You may forward an email through your email that contains a windows<br>virus.<br><br>Some Windows viruses can also be run through Wine.<br><br> <br>We'll be using ClamAV, an open-source anti-virus program.<br>We first have to install it.<br><br>1. Run `sudo apt-get install clamav clamtk clamav-daemon'<br><br>Once finished installing, we must update our 'AntiVirus definitions'.<br> <br>2. Run `sudo freshclam'<br>This may take awhile.<br><br><br>ClamAV can be run in three ways:Manually in the terminal, manually<br>through a GUI, or as a daemon.<br><br>I'm going to run it as a GUI.<br>It can be run as a GUI by opening the terminal and typing running `clamtk'.<br><br><br>When you open clamtk, you're showed options in regard to how you want to<br>run ClamAV. It's very simple and needs no explanation. You can set up an<br>automatic schedule for scanning in Advanced->Scheduler.<br><br><br>Originally, I wanted to make it so that Firefox would scan all<br>downloaded files using ClamAV. I found the addon Fireclam<br><https://addons.mozilla.org/en-US/firefox/addon/fireclam/> which is a<br>Firefox mod that scans downloaded files through ClamAV, and gives you a<br>warning if it returns anything. <br>The problem with it, is that on download, Firefox freezes for 3-5<br>seconds while the scan is actually going on. This is a huge<br>inconvenience and to me makes it unusable. I'm keeping it up here purely<br>to show that it exists. ClamAV can also be set-up with Thunderbird.<br><br><br><br>*Note: ClamAV does _not_ delete any files. That's up to you. It purely<br>notifies you to the existence.** *<br><br><br><br> DNSCrypt<br><br>Something a lot of people don't realize is that DNS is completely<br>unencrypted.<br>We're going to add encryption which will prevent spying.<br>To do this, we're going to use OpenDNS's<br><http://www.opendns.com/about/innovations/dnscrypt/>DNSCrypt<br><http://dnscrypt.org/>.<br><br>So, we want to download the current version, dnscrypt-proxy-1.4.0<br><http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.0.tar.bz2>.<br>1. Run `sudo add-apt-repository ppa:shnatsel/dnscrypt'<br><br>2. Run `sudo apt-get update'<br><br>3. Run `software-properties-gtk', go to "Other Software", and tick the<br>source-code option for shnatsel/dnscrypt.<br><br><br>Now we want to confirm that the ppa is actually secure. To do this..<br><br>4. Run `sudo apt-get source --download-only dnscrypt-proxy'<br>Generate a SHA256 signature for the source.<br>5. Run `sha256sum dnscrypt-proxy_1.4.0.orig.tar.bz2'<br>Pull the official signature from the DNSCrypt website.<br>6. Run `dig +short +dnssec TXT<br>dnscrypt-proxy-1.4.0.tar.bz2.download.dnscrypt.org'<br><br><br>Now compare the results. If they're the same, you're ready to go.<br><br><br>Now actually installing, and setting everything up.<br>7. Run `sudo apt-get install dnscrypt-proxy'<br><br>8. Run `nm-connection-editor', and edit your connection. Go to IPv4<br>Settings and select 'Automatic (DHCP) addresses only' for the "Method".<br>In the DNS servers, set it to:<br>127.0.0.2<br><br>This will make it so that by default, 127.0.0.2 is used for DNS.<br><br>Due to a bug(?) in apparmor, you must run the following commands:<br><br>9. Run `sudo apt-get install apparmor-utils ; sudo aa-complain<br>/etc/apparmor.d/usr.sbin.dnscrypt-proxy'<br><br>Now to setup dnscrypt, and make it start on startup.<br><br>10. Run `sudo nano /etc/init.d/dnscrypt' and put in:<br>?<br><http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html#><br>1<br>2<br>3<br>4<br>5<br>6<br>7<br>8<br>9<br>10<br>11<br>12<br>13<br>14<br>15<br>16<br>17<br>18<br>19<br>20<br>21<br>22<br>23<br>24<br>25<br>26<br>27<br>28<br>29<br>30<br>31<br>32<br>33<br>34<br>35<br>36<br>37<br>38<br>39<br>40<br>41<br>42<br>43<br>44<br> <br>|#!/bin/sh|<br>|# This is ||for| |the file /etc/init.d/dnscrypt|<br>|### BEGIN INIT INFO|<br>|# Provides: dnscrypt|<br>|# Required-Start: ||$all|<br>|# Required-Stop: ||$all|<br>|# Default-Start: 2 3 4 5|<br>|# Default-Stop: 0 1 6|<br>|# Short-Description: DNSCrypt ||for| |OpenDNS|<br>|# Description: Launch the dnscrypt to communicate with OpenDNS|<br>|### ||END| |INIT INFO|<br>|DAEMON=||"/usr/sbin/dnscrypt-proxy"|<br>|NAME=||"dnscrypt"|<br> <br>|dnscrypt_start()|<br>|{|<br>| ||echo| |"Starting dnscrypt"|<br>| ||dnscrypt-proxy -u nobody -R opendns --local-port=53<br>--local-address=127.0.0.2 --daemonize |<br>|}|<br> <br>|dnscrypt_stop()|<br>|{|<br>| ||echo| |"Stopping dnscrypt"|<br>| ||start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3<br>--||exec| |"$DAEMON"| |> /dev/null|<br>|}|<br> <br>|case| |"$1"| |in|<br>| ||start)|<br>| ||dnscrypt_start|<br>| ||;;|<br>| ||stop)|<br>| ||dnscrypt_stop|<br>| ||;;|<br>| ||restart|force-reload)|<br>| ||dnscrypt_stop|<br>| ||dnscrypt_start|<br>| ||;;|<br>| ||*)|<br>| ||echo| |"Usage: /etc/init.d/$NAME<br>{start|stop|restart|force-reload}"| |>&2|<br>| ||exit| |1|<br>| ||;;|<br>|esac|<br> <br>|exit| |0|<br><br><br><br>11. Run `sudo chmod +x /etc/init.d/dnscrypt', and `sudo update-rc.d<br>dnscrypt defaults'.<br><br>Finally, we must edit /etc/default/dnscrypt-proxy.<br><br>12. Run `sudo nano /etc/default/dnscrypt-proxy'<br>Make sure that the "local-address" is set to "127.0.0.2:53",<br>"resolvconf" is set to "on", and "user" is set to "nobody",<br><br>And then reboot.<br><br><br>Now you'll be resolving with encryption. You can confirm you're using it<br>correctly by going to http://www.opendns.com/welcome/.<br><br>You can also run `sudo tcpdump -i any -n -A 208.67.220.220', which will<br>display the ASCII output of the packets going in/out of port 443(since<br>it uses port 443, not 53). You can then run `dig debug.opendns.com' in<br>another terminal, and you should see encrypted text through tcpdump.<br><br>Make sure that /nonexistent exists, and is chowned to<br>nobody:nogroup(`sudo sudo chown nobody:nogroup /nonexistent')<br><br><br><br> <br><br><br> *Evil-Maid Attacks***<br><br>I won't be covering prevention of evil-maid attacks in this post due to<br>the limitation of what one can actually do to prevent against an<br>evil-maid attack. However, one example of what you can do is moving the<br>boot partition in Ubuntu to a secure USB stick. A guide on how to do<br>this can be found here<br><http://newspaint.wordpress.com/2013/11/30/moving-linux-boot-partition-to-usb-drive/>.<br><br>But in reality, if somebody is able to tamper with your computer while<br>it's not in your possession, they could install a hardware keylogger<br><https://en.wikipedia.org/wiki/Hardware_keylogger> to get your<br>encryption key.<br><br><br><br> ColdBoot Attacks<br><br>Again, I won't be covering much when it comes to coldboot attacks.<br>Most computers these days use DDR3 ram, which as far as I can find,<br>aren't vulnerable to coldboot attacks. I will however give<br>recommendations to stop the theoretical attack.<br><br><br>1. Set an Administrator password for the BIOS.<br>Although this wouldn't help if an attacker were to take the ram out of<br>your system, and put it into theirs then dump it, it will delay how long<br>it takes for the ram to be dumped.<br><br>2. Turn off Quickboot/Fastboot in your BIOS.<br>Not all computers support this, but some do. By turning off<br>Quickboot/Fastboot, your system will 'check' the memory on boot, thus<br>overwriting everything.<br>*<br>*<br>*<br>* *<br>* *<br>* *<br>* *<br>* *<br>* *<br>*<br><br><br> Unrelated<br><br>*<br>*<br><br><br> *File Removal*<br><br>As most readers will know, deleting files through usual methods(and the<br>command `rm') only remove the "links" to the files contents on the<br>harddrive. To remove files securely, you can use the program BleachBit<br><http://bleachbit.sourceforge.net/>. <br>You can install it by running `sudo apt-get install bleachbit'. <br>To securely delete a file, run `bleachbit -s file.txt'. It can also be<br>used on directories.<br><br>Once of the problems with 'secure file removal', is that it only<br>'securely'(?) deletes the current contents of files. If the file has<br>been edited at all, then reminisce of it may still exist.<br><br><http://4.bp.blogspot.com/-V5DA2D3vF0o/U5w-W2eH8VI/AAAAAAAAAJk/ty-v0Wgzmcc/s1600/file_shred_graphics.png><br><br>Credit: BleachBit<br><br><br>This diagram explains it well; using secure removal tools, only the<br>green blocks would be removed. The red blocks are old versions of the<br>files. <br>To deal with this, and delete all un-used disk space, you can use<br>BleachBit as a cleaner.<br>To do this, you can run `sudo bleachbit -o -c system.free_disk_space'.<br>*NOTE:* This will take a long time to use your harddrive. It creates a<br>file with random data that fills up the harddrive, then deletes it. If<br>you're using an SSD, *_DO NOT_* use this.<br><br>Bleachbit can also be used for other things. you can view them by<br>running `bleachbit --gui'.<br><br><br><br><br><br><br><br><br><br><br>With all of these security measures implemented, I am confident that my<br>computer is fairly secure from external, and remote hackers. It's much<br>more of a hobbyist thing. If you really need good secure, use Tails<br><https://tails.boum.org/>. After all, one could always torture you for<br>access. <https://xkcd.com/538/><br><br>I've personally done everything that is shown in this blog, as well as<br>participate in 'good practise', such as shutting down my computer when<br>I'm not using it.<br><br><br><br><br>Full: Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.<br><http://blog.internot.info/2014/06/securing-ubuntu-desktop-from-bad-guys.html><br><br>_______________________________________________<br>Sent through the Full Disclosure mailing list<br>http://nmap.org/mailman/listinfo/fulldisclosure<br>Web Archives & RSS: http://seclists.org/fulldisclosure/ </div></div></body></html>