From: ibuprofin@painkiller.example.tld.invalid   
      
   On Wed, 09 Jan 2013, in the Usenet newsgroup alt.os.linux.mandriva, in article   
   , Adam wrote:   
      
   >Moe Trin wrote:   
      
   [Thinkpad T60]   
      
   >So far, "killall" gets rid of most of them -- I realize that's not the   
   >"permanent" way to do it, but at least I know they can be gotten rid   
   >of while letting everything else function.   
      
   Hadn't thought of doing it that way, but I suppose it is a valid test.   
   How many services/daemons was that?   What you now should do is take   
   the list of unwanted services/daemons and determine how they are being   
   started. This could be daemons started by the boot scripts as network   
   services (i.e. /etc/rc.d/rc5.d/S* or similar), as well as services   
   started by your desktop (a menu item, perhaps under "System" ->   
   "Preferences"). A problem as I'm sure you're aware, the "Popular"   
   Linux distributions include all kinds of neat/shiny toys/applications   
   and some are set up with no concept of security (or at least none in   
   a laptop environment).   Looking at the process-ID number may give a   
   hint of where to look (numbers less than the process-ID of X are   
   probably started by boot scripts - numbers greater than the process-ID   
   of X are probably desktop toys).   
      
   >Also, I gather I /want/ "sshd" to be listening.   
      
   After you configure it, yes.   
      
   >So far the trickiest one looks like:   
      
   >tcp     0       0       *:x11   *:*     LISTEN  2383/X   
      
   >(or whatever in place of 2383, once for each X server running) since   
   >if  I kill that one, that kills X, the desktop environment, etc. and   
   >I want those running, at least locally.   
      
   Oh joy - what item of eye-candy did they add that they feel requires X   
   to be listening for network connections?   That hasn't been the default   
   mode of running X for a number of years.  What we used to do is add a   
   "-nolisten tcp" stanza to the X startup scripts, but this shouldn't   
   be required as the modern servers DON'T listen to port 6000 (or more   
   correctly, 6000 plus the server number) by default.   There was a bug   
   in a _Mandrake_ release where it was, but that was long ago.  This is   
   likely related to some application needing access to the desktop so   
   that it can be shared with the world.  On top of that, there is some   
   stanza that has been added a file in /etc/X11/ or below, to disable   
   the default "don't listen" mode.    From stolid, does nmap show this   
   port accessible on helot?   If it does, that also indicates a need to   
   tweak the firewall on helot.   
      
   Hmmm... while we're at it, what shows up using the netstat command on   
   eris and stolid?  At least the DSL router isn't forwarding "new"   
   connections to those ports, but it's something to look at.   
      
   ["WiFi active" light]   
      
   >> Adam!   You're supposed to be taking notes when you mess with that!   
      
   >Yeah, I know.   
      
   No excuse - thirty lashes!    ;-)   
      
   >There's some kernel bug involved in 2.6.39.4 and maybe later.  I'm   
   >still working on it.   
      
   ???  I'm not aware of any - is this specific to the wireless, or the   
   Thinkpad?   
      
   >Right now the wired connection under Mandriva is reliable, but the   
   >wireless (with indicator light ON) is reported by the router as a DMZ   
   >host, which I gather is NOT what I want.    I think that's something   
   >to change on the router.   
      
   I'm guessing that would be an IP range, so what does ifconfig show in   
   both cases?   Are these (locally configured) static addresses or are   
   they DHCP from the router?   
      
   >> I know you're not loading state secrets or similar material onto the   
   >> laptop, but the BIOS passwords do nothing to protect that (moving   
   >> the drive to another system is trivial).  For that. disk encryption   
   >> is the way to go, and that is dependent on operating system and   
   >> filesystem.   That does make for some minor hoops to jump through   
   >> when using multiple O/S and different types of filesystems.   
      
   >What about the BIOS's HD password(s)?  Will those keep the HD from   
   >being read on another system?   
      
   Depends how they are implemented. In some, it's part of the drive   
   firmware, and they can lock everyone (including you) out if the drive   
   goes South on you.  I've heard recommendations to avoid them unless you   
   don't mind loosing the drive and contents.  Not economically fixable.   
      
   >And disk encryption implemented anywhere other than within the HD   
   >itself sounds like it would take significant resources.   
      
   It can - but I wouldn't encrypt the entire disk.  I don't keep the   
   encryption "password" on the disk, so there is little need to encrypt   
   the O/S portion of the disk. I would do so for the home partition.  I   
   don't use the swap partition, although if you're going to hibernate   
   and use that partition as the parking place, there will be some   
   concerns there.      You take a performance hit when you're reading   
   and/or writing to the encrypted partition, but you're not doing that   
   all (or even an appreciable amount) of the time.   
      
   >>> Of course none of them will prevent theft.   
      
   >> That's the more likely risk,   
      
   >So I should add a Day-Glo plastic cover for the laptop to my shopping   
   >list, or at least some bright-colored plastic tape.   
      
   What precautions do you take for other valuables?   Well, you certainly   
   don't leave your wallet and/or credit cards out in plain sight all of   
   the time, and I'm guessing if you carry a book bag, briefcase or   
   something similar you also take some care that they don't disappear,   
   Same idea here.   The Day-Glo was/is useful in situations where the   
   system is not under your control - such as going through the X-ray   
   machines at the airport, while you're stuck in line going through the   
   metal detector, or the security klown is wanding you trying to figure   
   out why you're suspicious.  The laptop goes through the machine fairly   
   quickly, and ends up unguarded on the belt at the end of the machine   
   where anyone can pick it up - even if there is a security guard   
   watching (he/she has no idea if the stuff you're picking up is yours   
   or not) especially at a busy line like Terminal 4 at Phoenix (Useless   
   Air and Southwest - busiest carriers here).   
      
   >Maybe some hazmat stickers to the case, so any thief will think twice   
   >about taking such a potentially dangerous item.   
      
   You're assuming the thief would recognize them - unlikely.  What's   
   more likely is the authorities or some good citizen will recognize them   
   and start panicking and making waves.   Definitely not a good idea.   
      
   >Maybe putting in enough extra weight to suggest lead shielding. :-)   
      
   If it has wheels - I wouldn't want to carry it.   
      
   >Speaking of shopping, once I was buying next semester's textbook and   
   >paying for another year of renter's insurance, I figured a few more   
   >dollars wouldn't make much difference, so I ordered a 2 GB DIMM from   
   >Crucial ("guaranteed compatible") for the laptop.   
      
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)