DistroWatch Weekly
Reader Comments
1 • slax (by awong on 2009-08-03 08:01:52 GMT from Canada)
Nice brief review of slax and good to see other people writing reviews. I wonder if LiveAndroid is a precursor to the new GoogleOS?
2 • Slax (by Mahmoud Slamah on 2009-08-03 08:05:47 GMT from Egypt)
Slax is based on Slackware so it has many advantages; I have used Slax as a LiveCD for two years, you will like it :)
3 • Live Android (by Dorin on 2009-08-03 08:18:53 GMT from Romania)
Anyone had any luck with that?... I'm not sure if it actually works, couldn't boot it until now (could be because my computers have 64 bit processors, but I have a lot of doubts).
4 • SUSE Studio is an awesome tool (by Vavai on 2009-08-03 08:53:20 GMT from Indonesia)
Well, I've tried SUSE Studio to build my own live USB appliance with my specified applications, successfully. It's an awesome tool.
5 • Wolvix (by Tom on 2009-08-03 09:03:42 GMT from United Kingdom)
Wolvix was originally based on Slax and then re-based to Slackware main didn't it? Slax sounds excellent and i'm looking forwards to reading the review :))) I can't imagine moving away from Wolvix although i do need to take Slax for a quick drive ;))
I thought Android was aimed at mobile phones and hand-helds while Chrome seems to be aimed at netbooks and desktops (but might be used on some hefty hand-helds)? This has confused mainstream reporters, especially the anti-linux ones ;)
What has happened to the funky DistroWatch logo? I really liked the old one and i liked the new one too but where's it gone!?!?! I'm sure i had it around here a minute ago ;)
Ahh, it's great to start the week with another wonderful DistroWatch :)) Thanks all. I had a horrible weekend in some microsquish forums so it's good to be back to some semblance of sanity :))
Many regards to all from Tom :)
6 • I'm glad CentOS is ok again (by greenpossum on 2009-08-03 09:14:02 GMT from Australia)
I guess this sort of thing happens when a project grows technically but the organisational details have not been renegotiated and refined much since founding. I hope this will serve as a reminder that projects must ensure that one person doesn't end up holding "the only copy of the office keys". Anything could happen: that person could have an accident, get kidnapped by rabid bunnies while on holiday etc, etc. and then there's a lot of pain putting the project together again, even though the source is open and "all out there".
7 • No subject (by forest on 2009-08-03 09:15:12 GMT from United Kingdom)
Ref the Android Question, this might help Dorin, so apologies in advance if I appear to be teaching you to suck eggs:
Of course it's one thing to aim a distro at a particular niche, but, as has been proved before, who knows where it might end up?
On the CentOS thing, if you missed it from this morning (from comments from last week), Caitlyn suggested having a look at Scientific Linux...if you look at their backers/support you need not con-cern (groan) yourself about it having an early bath...
8 • No subject (by Barnabyh on 2009-08-03 09:40:11 GMT from United Kingdom)
Thanks for another great DW, with a nice and succinct review, quick to read while at work )). Yes, I do like Slax, always regarded it as the unofficial Slackware Live CD.
@5, you mean you posted before reading the review on Slax?
"but then as Linux becomes more popular how can Debian compete with others when it only has a stable release every two years?"
I think they should keep doing what served them well so far. Debian has their place in the eco system and I believe their users would expect them to do nothing else than to provide extremely stable well tested software.
For other scenarios there will always be other distributions, but Debian will keep its place and remain relevant. Even on the desktop it's nicer than Ubuntu, and with the multimedia repositories easy to add (always keep a sources list around, but there are plenty posted on the net, only a search away) who needs codecs preinstalled?
Not to diss anybody's fave here...
9 • SLAX good? I don't think so (by Udo on 2009-08-03 10:58:41 GMT from Germany)
How can a distro get a good review that has no real update/security policy?
I think if you would limit the distrowatch database to distros that really support their packages the list would be _A_LOT_ shorter (like below 20)
All these vulnerable hobby one man distros have to work harder or die.
10 • No subject (by forest on 2009-08-03 11:26:59 GMT from United Kingdom)
An excellent point Udo, if GNULinux based distros are to survive as viable alternative desktops for the "average" user they MUST be supported properly...especially in the security department.
IF, however, you are talking from a hobbyist pov, then any and all distros are absolutely fine to play around with. Nobody expects them to be adopted by the general user so they do no harm to anyone, so to speak, but give real pleasure to those who simply like tinkering.
Whilst I agree it might be useful to have two lists of distros...one supported and one for purely hobbyist folk, I cannot see it happening owing to the very nature of this website being to report gen on ALL distros...sometimes even those of an "extinct" nature.
Personally I sit on the fence, I use any Uxx going and play with any other distro that will install on my machines. I find my interest aligns more with the bigger issue of GNULinux being spread across the planet...by hitherto unsuspected means, as in local authorities and business users say.
11 • more on Slax (by SlaxFan on 2009-08-03 11:33:22 GMT from United States)
You can copy the Slax files to a flash drive or folder on your hard drive, add modules you want to always load to rootcopy and optional to the optional folder, and run a makeiso script. It's easy to make your own custom CD. It may be the easiest distro to remaster.
12 • @11 (by Tomf on 2009-08-03 12:02:01 GMT from Taiwan)
Now *that* would make for a nice article for DWW - not too much in depth but with a working example.
I encourage you to start writing. How about it...?
13 • @5 (by Sean on 2009-08-03 12:33:55 GMT from United States)
Tom, did you install Wolvix when it was Slax based or after the change to Slackware?
I ask because we were unable to get a successful installation of Wolvix on one of our PCs last March when we were changing all work machines to whatever Linux would run the best on each one (quite a diverse pile of junk.. I mean bunch of computers here).
14 • humph (by Nobody Important on 2009-08-03 12:35:32 GMT from United States)
@9: Slax is a LiveCD distro. It is not designed to be installed.
@article: I LIKE Debian's long release gaps.
I don't want to install a new OS every six months or even nine months. I'd go with CentOS if it worked; you can stick with that for years. And why use Ubuntu LTS (the only other long-support release I can think of) when Debian 5.0 runs like magic?
The same goes for the non-technical computer users; they just want their computer to work.
@whoever: I bought two games, one at a rummage sale, one online. Both support Linux. What are the odds?!
15 • CentOS (by Dimitri Yioulos on 2009-08-03 12:41:29 GMT from United States)
So, it seems that everyone at CentOS kissed and made up. Very good news, indeed!
16 • SLAX and new distros (by mr-youse on 2009-08-03 12:54:12 GMT from United States)
Very nice SLAX review! Mini distros/rescue disks are always good to have handy for when your (or your friend's or mom's, etc) system goes belly up. I had never used SLAX personally, but the ease with which you can customize the live ISO is quite a large selling point. And based on Slackware...how could you go wrong?
One of my favorite parts of DWW is the "newly added" list of distros at the bottom. It's always nice to see up-and-coming distros being recognized, and it's interesting to see what these different groups of people are doing with GNU/linux.
HOWEVER, and it's this week especially, the little blurb describing the distro can, frankly, be a bit bland. Example: "...specifically designed to be easily and freely usable and redistributable, even for commercial purposes." Is it just me, or can this statement be applied to many, many distros already out there? Is this just poor advertising, or are there hundreds of distros out there who serve nearly identical purposes? I mean, competition is good, but that's kinda pushing it, IMO.
Anyways, always a pleasure to read a good DWW. Keep up the good work!
17 • BuddhaBuntu (by Elder V. LaCoste on 2009-08-03 13:25:22 GMT from United States)
Just wondering why this is not listed somewhere.
#5 If you are interested in a nice Slackware based distro, give Zenwalk a spin. I like Wolvix better because it is just more in harmony with what I like in a distro. Zenwalk is like Wolvix's older but smaller brother. Of course, if you want to continue the family analogy then Slackware would be the Father, Slax would be the cousin with the cool clothes (scripts) and so on.
#9 I don't know why people keep bringing up security. I have run Puppy for years (as root) and have never had any problems. Maybe it will become an issue in the future, but it just isn't one now. If you are talking about a business or business network of some kind then that is a different story and it should be the number one concern. However for home users, forget about it.
18 • No subject (by alb3rto on 2009-08-03 13:34:13 GMT from Spain)
--New distributions added to waiting list
2 of them based on ArchLinux, good to hear.
19 • CentOS, Slax and stuff (by davemc on 2009-08-03 13:43:16 GMT from United States)
That's great news about CentOS - I was a bit worried for a while there when those headline grabbers came out last week. I hope everything works out for the better now.
That "roll your own livecd" idea is awesome! I hope all projects catch on to that. I was just getting around to taking a good look at Slax, Frugal, Slackware and Wolvix more in depth, so this is interesting timing. Maybe I will take the plunge now with a bit more confidence having read this review.
I think also of note for the last few weeks that did not receive much attention -
* Ubuntu 8.04.3. No reviews for this one anymore. I guess it's just that good and stable now that it just does not attract any more attention. Why must a distro be cutting edge/unstable to attract all the media attention? Isn't that one of the things that makes Linux unappealing to the masses when all they hear about is "cutting edge distro this broke or that broke, couldn't start X, couldn't get wifi, etc"?
* Mandriva 2010 betas.
* Sabayon mini. I had no idea Wolfden was a girl! Also, this is a major milestone for the Sabayon crew. Congratz!
* GNOME 3 getting closer with that whole revamp. Get ready for the GNOME version of that whole KDE4 circus. Mind you, KDE4.3 is fantastic!
Great issue again.
20 • No subject (by forest on 2009-08-03 13:54:08 GMT from United Kingdom)
Security could be an issue for some folk who use the home banking systems available to them. That said of course some home banking systems are very fussy about the browser they use I gather.
21 • CentOS (by Bryan Siegfried on 2009-08-03 14:35:20 GMT from United States)
I am glad to hear about CentOS. My own personal use of Linux is primarily desktop in a small office, but CentOS plays a large role in the free Linux community. I am glad to see this community pull back together.
22 • LiVES (by noname on 2009-08-03 14:36:42 GMT from Brazil)
Thank you for supporting LiVES.
I'm a complete layman with computers and some time ago I had to make a little video and was just starting with Linux. I was using Intrepid and tried several video editing software. Unfortunately LiVES had not at the time a useful package for Ubuntu but it was by far the most easy and intuitive of them all - I admit I didn't insist with Cinelerra because of a basic issue with screen resolution, but this is a view of a 'Windows Movie Maker' target audience :) ...
23 • UbuntuxDebian (regarding #14) (by noname on 2009-08-03 14:55:45 GMT from Brazil)
I'm using Hardy. There's a Brazilian version of Debian (BrDesktop), it's a Lenny live-cd. I won't talk about other broader issues since I didn't install it, but it had basic flaws in the translation of Synaptic (such a basic package). I could, and probably will, fix that translation but it's not the most straightforward thing to do and if I'm gonna recommend an OS for someone here (in Brazil) I will do it for the one that hasn't these basic careless issues.
So I ask you people from Canada and US to think that there are some things that don't affect you which interfere in the acceptability of a distro worldwide. One of the most fundamental of them is localization (and an easy way to improve it).
24 • CentOS (by Pearson on 2009-08-03 15:41:35 GMT from United States)
I, too, am glad to see this CentOS issue get resolved. I've never used CentOS, and really didn't know much about it until Caitlyn's article a couple of weeks ago. It certainly seems to fill an important niche. I wish them continued success.
This incident reminds me of the fears when Patrick Volkerding, benevolent dictator of Slackware, was seriously ill. There were rumors of Slackware's demise. As I recall, Patrick ensured that a few people were able to keep the project going while he was ill. Presumably, if his illness had prevented him from leading Slackware (thankfully, it wasn't) then control of Slackware would've passed on to those whom he trusted.
25 • @ SUSE Studio News (by Muhammad Fahd Waseem on 2009-08-03 15:57:04 GMT from Pakistan)
The announcement missed, I think, the most important part of the SUSE Studio business: the appliances so created are fully supported by Novell if you buy openSUSE. That has to be one of the most hellish tasks possible.
I am using it to create an appliance (LiveDVD) for my university and am impressed to the hilt.
26 • LiVE (by Tom on 2009-08-03 16:14:05 GMT from United Kingdom)
WoooHooo, YES. It is great to see a multimedia package really out there!! I am really glad DW supported it and would love it if an exception could be made to give another $300 next week. There's not many blockers in linux now but multimedia is possibly the biggest blocker right now.
Dw might be tiny and lacking in resources but there's nothing even close to as good as Dw. I have seen a few sites that list a few distros but DW is THE authority at this & needs to be more visible imo. Contributing another $300 would seem to get Dw's name and possibly(?) logo(?) up there in lights as a significant contributor.
@20 Forest. Yes, afaik (at least last time i looked) banks insist on you using the most vulnerable web-browser and insist on one having extra vulnerability features turned right up.
@20-22 noname, i think you should own up to your name and take a bow. Yes localisations are an issue but i think linux is better than microsquish? Would Spanish or Portuguese distros be an easier starting point for porting certain apps/translations from?
I just wonder how LiVE compares to VJamm, getting my friendly local VJ into OpenSource would be fantastic.
@19 DaveMC, re Wolfden - "Yes, a lot of guys think that" ;) heheheh
Debian vs Ubuntu, i think it's excellent that people who favour one type of release strategy have one and those that favour the other have the other. Choices, choices :)
One reason i like Dw is Caitlyn with her corporate experience clearly regularly miles ahead of the rest of us. For some reason it makes me feel like i'm in a truly elite hackers forum. I guess The Matrix and Trinity are the main culprits there :))
This week's article was another good read, thanks Jesse Smith. With Chris Smart's notes it's altogether been a great start to my week
27 • security (by Anonymous on 2009-08-03 16:51:01 GMT from United States)
Needs to be emphasized more.
Security updates are important to mainstream users who use the web for purchases and personal and financial services (most of the people I know). It would be good to know if a distro has made no commitment to provide security updates.
The latest software is suspect. Distros that early adopt (e.g. KDE 4 as their default KDE) have indicated their priorities.
Surfing as root is controversial. Curiously, some reviewers neglect to mention this controversial "feature". When a reviewer fails to mention something so important, then credibility is reduced - what else is he/she leaving out?
The fact that a system continues to operate does not mean that it hasn't been violated.
There is plenty of room for cutting-edge systems that don't provide security updates and/or run as root. But these things should be clearly described in a "review" and prominently displayed somewhere on the distro's web site.
28 • SLAX & Security / CentOS (by Landor on 2009-08-03 17:50:06 GMT from Canada)
RE Slax's Security..
I have to agree with 9 (and won't go on about what 27 brought up, but second thought I had to post about until I read to the end, very valid).
The review also spoke of running it as a home server. On that note it further speaks of a need to have more information in a review as 27 stated. This sentence is key, "I couldn't help but think that considering Slax's small footprint (about 125 MB once installed) it would be an ideal home file server, especially on older hardware", ideal? A netinstall from most of the big boys could provide an also relatively small install and be far more secure, with updates. That's ideal.
This is where someone who does know should be defining specific parameters when so many who are not versed in Linux/Security, etc, etc, are reading the review and quite possibly could find just such a statement as a way to get their fingers wet in the area of setting up a server. I personally would never set up a server, even for a short time, installed, that had little to no security updates. But, a new user would, unknowingly. A very real and definite threat to their personal information.
I'm not a big fan of washing your dirty laundry for all eyes to see. That said, I'll never agree with their reasoning to fire up the public and cause all this controversy/dissension, to then only give a brief note and clam up and say, "everything is going to be ok now". I also wonder how ok is this? In my eyes, and from the e-mails I've received, many others (especially work), CentOS has lost a lot of credibility and quite a few people are now looking at SL a lot more. I don't blame them either. Me, I wish Whitebox was up to date. Anyone know if it's even being worked on still?
Keep your stick on the ice...
29 • Security (by Jesse on 2009-08-03 17:52:38 GMT from Canada)
@9 -- Security is very important and it's something I always take into account when evaluating a distro. However, it's pretty pointless to have security updates for liveCDs, such as Slax, in my opinion. After all, you can't apply updates to a read-only media. While Slax (or Knoppix, as another example) can be installed on a hard disk, that's obviously not their primary goal and I don't think the developers should be expected to support a project outside of its intended scope.
I also tried to test drive Austrumi (another Slackware based mini distro) this week, but the liveCD refused to boot on my PC. I was disappointed as the screen shots and description on their website looked very nice.
It's nice to see CentOS is still alive and well. I wish them all the best.
30 • @27 and 28 (by Jesse(again) on 2009-08-03 17:59:06 GMT from Canada)
I think there was a bit of a misunderstanding in regards to my comment that Slax would make a nice home file server. I did not mean a server in your home which would have access to the Internet. Rather, I meant a server which could be used as a backup point in the home and would be behind a firewall.
Obviously, unpatched machines should not face the Internet.
Sorry for the misunderstanding. I agree that many other distros would also make for a good server with the packages stripped down to a bare core. The nice bonus with Slax is, this is done for you in a very simple, user-friendly manner.
31 • @30 (by Jose Mirles on 2009-08-03 18:50:03 GMT from United States)
I thought that was what you meant! I have a media server like that at home. I use it to back up my files and images of my other PCs.
I should try Slax on that server.
Thanks for reviewing it.
32 • No subject (by pigmint on 2009-08-03 19:26:17 GMT from United States)
Disregarding the personal details, the notion that CentOS is reliant on any one person is a vital selection criterion. I don't expect all projects to be revealing about this, so I welcome the news. If places like Distrowatch had a data column for it, I wouldn't bother looking at their work.
The king is dead, long live the ???. Hail Debian!
33 • bias (by Anonymous on 2009-08-03 19:27:08 GMT from United States)
"but then as Linux becomes more popular how can Debian compete with others when it only has a stable release every two years?"
Where is Debian competing? On the Desktop, Server, or Workstation? Who is it competing with? Ubuntu? Arch? Or RHEL and SLED that also do not release every 6 months.
While it is understandable that you are biased, you could do a little more to prevent your bias from showing, Chris, as not everyone feels the need to upgrade every 6-months for the sake of an upgrade.
34 • @28 (by Nobody Important on 2009-08-03 19:32:22 GMT from United States)
CentOS lost credibility?
The lead developer leaves for a year. They try to contact him in every fashion, considering he has the financial reign over the project.
When the developers get the public involved, which was their last resort, I saw nothing but desperation, not egos or attempting celebrities.
Considering they tried almost everything else, I can't say I blame them. I'd say it's ridiculous to blame them or even consider the notion that CentOS is a worse distro because of what happened.
35 • RE: 34/Credibility (by Landor on 2009-08-03 19:59:18 GMT from Canada)
You have to take this from an enterprise point of view, that's the focus. Not a hobby project or something an end user would view it as. As many have stated in countless articles about this, it shines a very poor light on the "stability and credibility" of an enterprise solution.
A friend of mine is currently revamping his whole Linux structure based on this as I type. Not to mention the speed in which SL beat CentOS in their latest release.
When countless companies/organisations use it in a myriad of solutions, red flags go up immediately and they fear basing their work on something that doesn't seem very stable. Threats from devs leaving, one dev did leave, the letter, etc, etc...
So yes, they lost credibility over all of this, part of which is the actual "stability" of the project.
I wouldn't doubt that RHEL itself benefits from the current situation with CentOS.
Keep your stick on the ice...
36 • @35 (by Nobody Important on 2009-08-03 21:35:54 GMT from United States)
Why would they lose any credibility at all? Anyone who actually bothered to figure out what the situation was actually entailing would understand the project had absolutely no loss in "stability."
If anything, I blame the press for their kneejerk stories. "CentOS about to die" or "CentOS' project lead left for two seconds and so the devs got mad."
The development and existence of CentOS was never in any danger. That's the truth. End of story.
If someone was nervous or looking at other distros because they're worried about CentOS, then they didn't bother to research the full story.
Unfortunately, the news sites tend to be the end-all source of info, and in this case few of them mentioned that the lead developer had been gone for at least a year without any issues. Hell, CentOS made a new release since the guy left. Yeah, I blame the press.
37 • SUSE & KVM (by M on 2009-08-03 22:03:58 GMT from Australia)
The way it works is that we boot your appliance in a KVM instance on our server, and expose the virtual machine framebuffer via VNC to a Flash applet running in your browser.
So there you have it.
KVM works with vmware and VirtualBox images so I would have expected this.
38 • RE: 37 (by Landor on 2009-08-03 22:18:30 GMT from Canada)
You are missing the point of it. One dev did leave the project (and was involved in the letter) about a month or so ago. Other devs were talking about leaving. There was concern over a fork if Davis didn't come forward. Those are very real fears in stability. They were not just media hype.
My friend in that business has decided that with the current situation that he cannot chance things ironing out to everyone's liking in the near future. Davis still holds a significant amount of power in CentOS, which if things don't get ironed out by some agreed time line they could very well decide to do this all over again.
Right now, the way he is seeing it, it's like a patch on a dam. For now it's holding, but who knows about tomorrow. That's very disconcerting when you're managing a business that relies on something that you're unsure of its tomorrow. Dollars make the world turn, and when something "could" cause that to stop, you're smarter to deal with it now than cross your fingers and hope that everything works for the best tomorrow. People need food on their plates and their rent/bills paid.
It sheds a very bad light on open source projects. They really should have kept a lot private and made some other attempts to deal with this. What, I don't know, but it would have been far better for the project to deal with it internally, somehow, instead of going public. That's just my opinion though.
Keep your stick on the ice...
39 • CentOS (by Caitlyn Martin on 2009-08-03 22:54:19 GMT from United States)
This whole situation with Lance Davis was hyped way out of proportion. The whole time development moved forward, patches were released, etc... CentOS was never a one man show.
The problem which led to the over hyping of the issue was the decision to put an internal squabble on the front page of their website. I fully agree with Landor that it's rare that any good ever comes from airing your dirty laundry in public. Of course, if that is what caused Mr. Davis to show up to the last developers' meeting maybe this was an exception.
My remaining concern about CentOS is that they have been really slow with security patches lately and that has nothing to do with the developers' issues which made the press lately. Red Hat got Firefox 3.0.12 (security patch) out the same day Mozilla did. Scientific Linux (another RHEL clone) had it available within 24 hours. It took CentOS more than a week. That isn't good for something with known, significant vulnerabilities.
I think, for the moment anyway, I'm going to recommend Scientific Linux over CentOS for folks who need a free RHEL clone. I really wasn't worried about CentOS because it really is just a clone, albeit a very nice one. It should be no big deal to point someone running CentOS at a Scientific Linux repo or vice versa if one project or the other were in trouble.
40 • @38 (by Nobody Important on 2009-08-03 23:05:04 GMT from United States)
Why is your friend in business afraid of (worst case scenario) CentOS changing its name?
That's what they said they would do. They would "fork" (in this case, probably just rename the entire infrastructure) and change the name. The project would still be around. Again, I blame the press for spreading the idea that the project would be gone completely.
"...it would have been far better for the project to deal with it internally, somehow, instead of going public."
I find myself repeating my own words. Pity.
In any case, they tried to. A year.
They tried to contact this man in nearly every private way possible for an entire year.
I cannot accent this sentence more than I have. Go and read it again. They tried. They tried they tried they tried and it didn't work. They wanted their lead dev back so that their house would be back in order.
The open letter was a last shot in the dark. And it worked. For some miraculous reason, it worked, and he's back. Now internally we can hope things will go back to normal.
I know you think they should have never gone public. You said this, and I've said, "They tried the best they could." I ask for nothing more, and I honestly think anyone thinking of jumping ship really has too much time on their hands.
I actually prefer the public approach. We didn't know anything was going wrong in the PCLinuxOS camp until the boat suddenly was lit ablaze. In CentOS' case, the boat is certainly not anywhere near fire.
41 • Distros, security updates, and reviews (by Caitlyn Martin on 2009-08-03 23:25:25 GMT from United States)
Udo (comment #9) made the same comment when I reviewed CD Linux a few weeks ago. Here is my take on the importance of security updates:
If you are talking about a distro designed to be installed to a hard drive then having prompt patches to close security vulnerabilities is vital. Neither Slax nor CD Linux fit into this category.
There are many more than 20 distros that do a good job on security. Many small, second tier distros are as fast as the big ones. Some are very fast indeed at getting revised packages out. Those that don't, well... if I review one like that then I will certainly point out the problem as a big negative for that distro. If you look at the ones I've reviewed for DWW or O'Reilly that are designed to be installed on a hard drive, including (K/X)Ubuntu (including Debris which uses Ubuntu repos), Fedora, Mandriva, Vector, Wolvix, Slackware, Absolute, etc... are all generally very prompt about security patches.
Live CDs are read-only which makes them very hard to crack. Granted, they can, if insecure, leave your data vulnerable. However, most people wouldn't be creating mission critical data when using a Live CD. Live CDs and DVDs are great for testing distros, for recovery/repair of systems, for operating on someone else's computer short term, etc... They are difficult to patch since you basically have to remaster the CD or DVD. The security solution for live distros is to have frequent releases. Again, the Live CD/DVD distros we have reviewed do that. To claim that reviewing these distros is useless because they don't (and can't) be patched right away is, to my mind, ridiculous. In any case these distros will continue to be reviewed now and again and they will be reviewed for what they are, not for what they aren't and don't claim to be.
42 • Linux Identity (by klhrevolution on 2009-08-03 23:26:18 GMT from United States)
I'm not one for ads but Linux Identity is a great find!
43 • No Security Policy! /Updates! (by JD on 2009-08-04 01:15:11 GMT from United States)
No Security Policy! /Updates!
This is an unfortunate downfall of most Live CDs and One Man (Or Woman) distros!
Ksplice Uptrack Manager looks like a promising fix if it would support more distros and the developers could deploy it to those specialized kernels!
I hate running software with holes in it but it's a reality, however there's still a warm safe feeling that Linux is 1 billion times safer than M$ Windows(TM) (R) ETC!...
I haven't in my 7 Years of running it had one break-in or issue so i feel somewhat invincible! but surely i will never have the smug look wiped off my face right?
*Knock On Wood
P.S. What Happened to Distro Odyssey Part 2?
44 • Cnet/Download.com (TM) and Linux !? (by Jason on 2009-08-04 01:25:22 GMT from United States)
Cnet/Download.com (TM) and Linux !?
Has anyone ever noticed how in my opinion Cnet and Download.com(TM) seem to never even care about linux? (they don't even have a section) However they love to build up Microsoft(TM) and seem to worship them or something? (in my opinion based on what i've read on their site) They get all excited every time Microsoft(TM) Releases another buggy slow Operating System! What's with them?
Good thing i found Softpedia! it seems like they actually respect Linux, and release up to date news! they even have a weekly newsletter! No i don't work for Softpedia! but i think i like their more open attitude towards linux! and i could be wrong about Cnet but Softpedia seems like a great source for linux info! check it out! http://linux.softpedia.com/
Great Review! BTW
45 • download.com (by JS on 2009-08-04 02:26:26 GMT from Canada)
CNET / download.com did used to have a linux section but they got rid of it, not sure why - maybe complain to the editors and they'll consider bringing it back?
46 • Puppy (by S. Mack on 2009-08-04 02:45:16 GMT from United States)
I just took Macpup 061 for a little test. It is really nice and the speed is incredible.
47 • CentOS (by CS on 2009-08-04 03:11:02 GMT from United States)
Please tell me where it says if I decide to volunteer my time to help a distribution that I somehow obtain ownership rights in said distribution? I'm a volunteer!
48 • @47 (by Nobody Important on 2009-08-04 04:27:43 GMT from United States)
It doesn't say that anywhere. No one has ever said that, and nobody ever will.
What is your point?
49 • Couple of things about Fedora (by Adam Williamson on 2009-08-04 07:00:13 GMT from Canada)
From the Debian bit of the article: "As Debian is one of the only major Linux distributions without a commercial entity rushing it to release"
That implies that Red Hat rushes Fedora to release (and Mandriva rushes Mandriva to release, and Novell rushes OpenSUSE to release, but I'm not representing them at present :>. Actually, Mandriva does rush Mandriva to release.)
This isn't true. Fedora's rapid release cycle doesn't have much of a particular bearing on Red Hat, commercially speaking. It wouldn't be a direct problem for Red Hat commercially if Fedora released much less often than it currently does. RHEL is on a much more conservative cycle, after all. Red Hat's income doesn't depend on selling Shiny New Bits, anyway, so there's no need to rush Shiny New Bits out the door.
Also, since distro remastering seems to be coming up a lot this week - worth noting it's quite easy to build your own Fedora (we call it 'spins'). The tools used to create official Fedora live CDs (livecd-creator) and traditional install images (pungi) are included in the repositories. For an idea of how to use livecd-creator, https://fedoraproject.org/wiki/QA/Test_Days/Live_Image is the process used to create Rawhide snapshot live CDs for Test Days. It's probably not quite as straightforward as SUSE Studio, but it's not tough at all.
50 • No subject (by forest on 2009-08-04 07:39:32 GMT from United Kingdom)
And, on a wider front, and in line with earlier comments ref business use, both desktop and server, together with security updates and ongoing support, read here:
Ref remarks about alleged bias/hype etc, from various hacks/journos/online news services...well of course it goes on, LOL. You have only to read the vituperative/acerbic copy that is published every day to see that, and, it generally all goes one way too...
Can anyone recall learning about "pocket boroughs" from their history lessons? Same thing.
51 • So how secure is Arch Linux (by dedguyde on 2009-08-04 09:39:07 GMT from United States)
I use arch linux on my laptop, and with the mention of the "very needed" firefox patch, how secure are rolling distros...should I avoid online banking?
52 • Vectorlinux page hits (by Sean on 2009-08-04 10:21:21 GMT from United States)
I'd sure like to have a better understanding as to why certain very solid, robust distros remain so far down the list here, while some of those in the top 10 seem half-baked or at best not as well thought out as Vectorlinux.
I know about the differences in hardware compatibility, for example, but Vector is at least as good with hardware as any other Slackware based distro.
I'm wondering if it has to do with the lack of exposure or popularity outside of North America. <--- I do not know that to be a fact, just speculating.
53 • No subject (by forest on 2009-08-04 10:25:00 GMT from United Kingdom)
Well, dedguyde, can't really make your decisions for you of course, but you cannot be accused of not being prudent.
Actually, your comment probably reflects the thoughts of thousands of others, which is interesting because it indeed demonstrates that #9 and #27 are not just one or two concerned voices.
It is also, to my mind, indicative of the divide, one might say, between commercial distros and hobbyist distros.
I posted a suggestion some weeks back that there might be the threat of litigation against some distro devs, say, were it proven that there had been data loss of one kind or another from a user.
It might be prudent if in future some thought is given to attaching disclaimers to all hobbyist distros at least to the effect that the distro is purely for hobbyist use and its usage could damage your wealth...
Can you imagine the field day the "Redmond leaning" hacks/journos would have if some GNULinux tyro got mugged over the internet...it does bear thinking about...a lot.
54 • @51 (by CS on 2009-08-04 10:34:16 GMT from United States)
I'm sure ArchLinux will be providing an update. The rolling release distribution that I use already issued a Firefox update about 12 hours ago.
55 • @53 I can't sue (by Zee on 2009-08-04 11:00:51 GMT from United States)
My distro's disclaimer. I'm sure others have something similar.
By using this distribution, the user hereinafter agrees to abide by all the terms and conditions of the following agreement that nobody ever reads, as well as the Geneva Convention and the U.N. Charter and the Secret Membership Oath of the Benevolent Protective Order of the Elks and such other terms and conditions, real and imaginary, as the Software Company shall deem necessary and appropriate, including the right to come to the user's home and examine the user's hard drive, as well as the user's underwear drawer if we feel like it, take it or leave it, until death do us part, one nation indivisible, by the dawn's early light,...finders keepers, losers weepers, thanks you've been a great crowd, and don't forget to tip your servers.
56 • banks (by Tom on 2009-08-04 11:08:06 GMT from United Kingdom)
i would definitely avoid on-line banking if at all possible. If you have made your system very secure then they will need you to relax your security. When ActiveX controls & IE were featuring as having massive security problems my bank insisted that i use ActiveX to visit their site. Perhaps they still do but even if they don't it just makes me wonder how secure their customer facing security is. Have they really learned good security or have they just patched a couple of minor issues leaving significant flaws elsewhere?
With linux the security issue is seldom likely to be about your own (non-corporate) security, even as root. The main troubles are the lax security of those people/organisations you engage with online. Who is more likely to be targeted, an average home user with very unusual protocols or a company with known vulnerabilities and plenty of disposable assets?
57 • banks oops (by Tom on 2009-08-04 11:10:01 GMT from United Kingdom)
"When ActiveX controls & IE were featuring ..." in the national mainstream press "... as having ..."
58 • DSL (by Elder Vintner LaCoste on 2009-08-04 12:16:43 GMT from United States)
@5 Wolvix needs to release the next beta with updated repositories soon. The manual update procedure is buried in the forums and could be confusing for first time users.
DSL - There has been no response to the queries of "What is HAPPENING?" on the DSL forum. It may be dead but then again look at SLAMPP.
@20 Hi Forest, good point. I don't do online banking so I didn't think of that. However, I do know many people who do it using Windows and Linux is surely better security-wise than Windows.
59 • Part 2 (by Michael Raugh on 2009-08-04 12:24:46 GMT from United States)
@43: Haven't written it yet, JD, but it's coming. I'm going out of town for a week or so; once I get back and settled I'll grab another distro -- either Arch or Sidux -- and get to work.
On CentOS: I tend to agree that the public posting was a bad PR move, done because every more discreet method of contacting Lance failed, and I can see how that might shake faith in the stability of CentOS. We'll have to see how the project goes from here. I do think, though, that anyone who spent the weekend frantically installing Scientific in place of CentOS wasted their time -- remember, it's an enterprise distro; that code is going to be fine for quite a while. I might start looking at SL for new experiments, though, just to be familiar in case things do get bad with CentOS.
BTW, Caitlyn, the last kernel update (2.6.18-128.2.1) was out on CentOS just 48 hours after it appeared on Red Hat's update repo. So patching speed continues to be mixed, as it generally has been. Is Scientific consistently faster?
Making a note to try Slackware, or a Slack derivative, as part of the odyssey too.
60 • GNU variants (by linux_oid on 2009-08-04 15:53:52 GMT from United States)
GNU variants is a term used by the Free Software Foundation and others to refer to operating systems which use application software and system libraries (in other words, the core userland) from GNU, but use a kernel other than GNU Hurd.
With a BSD kernel
With the OpenSolaris kernel
61 • #59, #53, #30, responses, mostly regarding security issues, #52: Page hits (by Caitlyn Martin on 2009-08-04 16:21:21 GMT from United States)
#59: Michael: I am new to Scientific Linux myself so I can't give a first hand opinion regarding their promptness with security. I do have it from several people I consider knowledgeable that they are very good about getting patches out promptly. We'll see... I agree with the comment that CentOS has been a bit erratic, sometimes fast and sometimes not so much.
Oh, and I didn't quite get your comment: "remember, it's an enterprise distro; that code is going to be fine for quite a while." In an enterprise distro having patches available for security vulnerabilities which are discovered on a prompt basis is even more important. Enterprise users are the folks who should be the most security conscious. I agree that there was no need to hurriedly move people off CentOS since, as I pointed out, you could easily shift repos, but that part of your comment just didn't make sense to me. Maybe I misunderstood what you were saying.
#53 Forest: I agree there is definitely a divide between hobbyist distros and commercial ones. Having said that, being a commercial entity does not guarantee prompt updates. Case in point: Linpus Lite. As I pointed out in #41 some distros that are probably still in the hobbyist category still do a good job getting patches out. There are also distros that, IMHO, are neither hobbyist nor commercial. Case in point: Debian. There is a whole lot of middle ground. Again, in #41 I did lay out some criteria people can use for judging distros: how long they've been around, who backs them, size of community around them, and, of course, how they handle security. I think each distro has to be judged on their own merits, not simply categorized.
I also think that having security concerns (#9, #27) is important but it's also important to understand how a distro is intended to be used. Udo was saying that reviews of live CDs or smaller distros shouldn't be written at all and are useless. I completely disagree. I just think you need to keep in mind what each distro is good for and what it isn't good for, which leads me to...
#30: Jesse: I think Slax is a *terrible* choice for a file server even at home. It is not intended for hard drive installation and Tomas is very clear about that on the website. Firewalls are far from perfect and there are security bulletins and vulnerabilities in firewall software all the time. Just because a server isn't public facing doesn't mean it's OK to run something insecure on it. There are much better choices than Slax and, in this respect, the objections to your review are warranted.
#49: Adam: Thank you for the clarification. I, personally, have come to the conclusion that six month release cycles are just too fast and lead to buggy and problematic releases more often than not. I haven't been happy with an Ubuntu release since Edgy Eft. Hardy Heron (8.04 LTS) is excellent now but it wasn't until the first maintenance release squashed the worst of the bugs. Three maintenance releases later Ubuntu does have it right. You know I wasn't happy with the last Mandriva release. I think the fact that Fedora doesn't stick to a firm release date and rush things out the door is positive and reduces the number of problems but I still haven't been happy with the recent releases.
#52: I have long given up on trying to figure out what makes something popular or not on DistroWatch. I've also come to the conclusion that the page hit rankings don't reflect the wider Linux/FOSS community. I have no idea why things land where they do on the page hit rankings.
62 • Security Updates (by Anonymous on 2009-08-04 16:53:47 GMT from United States)
I'm more concerned with getting timely updates from Asus for the EEE than the one man band distros based on a major.
63 • Politicizing Linux Distros (by GreenWolf70 on 2009-08-04 17:07:40 GMT from United States)
I'm very surprised that there are no comments about the politicizing of Mint Linux. I don't know if this is the first or just the latest, but I have made sure that I have not let the origins of the developer prejudice my like or dislike of any distro, so this politicizing by the knuckleheads over at Mint feels like a betrayal of what Linux has become.
Therefore, until they withdraw their political comments (irregardless of whether I agree with them, or not) I shall shun all use of Mint and advise all those I know to do the same. Mint should understand that their politicizing of what has been (at least in my mind) a non-political forum of free thought will be no more tolerated here than the mind set of Microsoft, or SCO.
64 • Re: #63 Politicizing Linux Distros (by awong on 2009-08-04 17:40:34 GMT from Canada)
IIRC, the comments were the views of the developer and not the team, and the comments were removed because they had nothing to do with the distro.
If the comments are back up, please provide us all with a link, as I would be very concerned as a Mint user if indeed they are.
65 • Politics (by Albert Hall on 2009-08-04 18:07:32 GMT from United States)
On the topic of Mint - There was a person on here last week, (I think the name was "Notrek" or something like that) who made tasteless and controversial posts about the AntiX distro called "Intifada". I think these distros should be boycotted without exception. Political divisiveness is not what Linux should be about. It is probably best not to even bring it up in this forum because all of the "kooks" will start slithering out from under whatever they are hiding under and start making crazy posts.
Irregardless is a word that many mistakenly believe to be correct usage in formal style, when in fact it is used chiefly in nonstandard speech or casual writing. Coined in the United States in the early 20th century, it has met with a blizzard of condemnation for being an improper yoking of irrespective and regardless and for the logical absurdity of combining the negative ir- prefix and -less suffix in a single term. Although one might reasonably argue that it is no different from words with redundant affixes like debone and unravel, it has been considered a blunder for decades and will probably continue to be so.
66 • #65 (by Notorik on 2009-08-04 18:27:50 GMT from United States)
I am not surprised that you did not understand my comments last week. You obviously see everything in black and white. It is easier (and less messy) to separate everything you encounter into one of two categories, good, or evil. One neat little box for each one and everything is very tidy. Most people are mentally lazy and just want to be told what to think. It saves so much time and effort to just accept the "facts" as they are presented and not ask questions. From what I can gather, Anti (of AntiX - Intifada) is an educator whose job it is to provoke thought. I like the fact that there are some people out there who are AWAKE and are trying to wake up others.
It is amusing to me that someone last week made the assumption that we agreed on something when in fact, I did no such thing. The important point here is that Mint is an excellent distro and will survive with or without silly people boycotting it, as will Puppy and AntiX.
67 • No subject (by forest on 2009-08-04 18:28:49 GMT from United Kingdom)
A fair comment, CM, I was in fact, as you might have surmised anyway, alluding to the Uxxs. Granted not perfect but possibly better than most...as for categorization I believe we all do that anyway...ref your remark on how a distro is intended to be used, if you follow.
With ref to your response to Sean, #52, (and Sean, of course!) I would hazard a guess the rankings reflect the interest from outside the GNULinux/FOSS community...and is a measure of interested/exasperated folk sticking their collective toe in the water to see what all the fuss is about. Uxx would "appear" to be better advertised and hence more widely known.
Vector, and others, are comparatively mute in comparison, so that may, possibly, account for the ranking.
It would appear, GreenWolf70, that if there has been no comment, on this forum, then nobody is interested enough to bother commenting.
If you were to read up on all the dreadful things nations have done to each other over the centuries to the present day, then you would not be surprised if nobody would even speak to anybody else, let alone use a distro, politicized or not.
Anyway, distros are all about politics of one stamp or another the world over. The instant a national "authority" decides to underwrite/sponsor a distro there is bound to be a question about altruism.
68 • RE: 59 SL Kernel (by Landor on 2009-08-04 18:37:45 GMT from Canada)
From what I understand, SL holds off a couple days with their kernel "usually". That usually depends on the severity of the issues the kernel is replacing of course. All other updates are quite prompt with SL.
Hope this helps.
FWIW, I went and checked the White Box Linux page (can't remember the last time I did, it's been a while). The last post/new item I found on the page was 2007. If anyone is interested though, and since we've been talking about remastering, there's a guide on how to create your own RHEL clone on the site. I haven't tried it myself, but it seems fairly straightforward as I looked it over. Keep in mind though, it's meant for redistribution. Not that I'm a guru regarding licensing, I'm sure you can skip some of the process if you don't intend to redistribute it, thus making it easier to do.
If you know what you're doing, the whole process should take no more than a couple days. YMMV.
Keep your stick on the ice...
69 • Oops, forgot this one: RE 60 (by Landor on 2009-08-04 18:47:47 GMT from Canada)
While I don't agree with live distros being useless I believe totally with them being completely vulnerable, and thus useless for use over long periods. Mainly for the simple fact that the majority are root. I rarely run a livecd for more than 10-15 minutes to navigate around it, check hardware, get the feel, etc. Then, it's shutdown, and either installed or if need be, erased for the next iso to get burned to it.
I also agree with the fact that there should be a disclaimer about the vulnerabilities of running such a distro for whatever amount of time. Many do not even realise the security risks they are taking using a livecd of this nature and should be so informed.
Keep your stick on the ice...
70 • Linux Mint 7 KDE (by Eddie Wilson on 2009-08-04 19:00:53 GMT from United States)
I have installed Linux Mint 7 'Gloria' KDE on my 32 bit backup machine and I am very impressed. This is a very top quality distribution. Very Happy! :)
My main machine is an AMD triple core Phenom. It's a 64 bit system and I do a lot of video and audio work. I know that there is no 64 bit KDE version of Gloria. Very Sad! :(
Maybe in the future.
71 • Live CD and security? (by RollMeAway on 2009-08-04 19:22:41 GMT from United States)
I must be missing something here.
Why is security a concern when running a live CD?
Most, puppy for example, do not mount local drives by default.
So, even if you visit warez or the underworld of virus makers,
what is your concern?
If the system gets corrupted, everything is in ram, simply reboot!
72 • oops again (by Landor on 2009-08-04 19:22:46 GMT from Canada)
my last post (69) is in reply to 61, not 60....
73 • No subject (by forest on 2009-08-04 19:53:14 GMT from United Kingdom)
Good point...but...suppose you were to save a file to a hard drive...assuming any nasties would run under Linux of course. But then you might have tried a Linux live CD on your XP/Vista platform. Highly speculative I agree...just playing devil's advocate...for a change...
74 • Re: to number 7 (by Dorin on 2009-08-04 20:29:44 GMT from Romania)
Thanks for the link, knew about it, read it and followed step by step. I am the adept of the RTFM philosophy.
If that worked for you then it's my hardware, if not I'll try it in a virtual machine :)
75 • Ref#71 Livecd security (by Verndog on 2009-08-04 21:26:33 GMT from United States)
As Landor has alluded to, running livecd's usually means running under root, therefore you're susceptible to attack.
76 • @75 (by RollMeAway on 2009-08-04 21:32:12 GMT from United States)
I'll ask again, WHAT is to be attacked other than ram?
77 • The code is fine (by Michael Raugh on 2009-08-04 21:34:55 GMT from United States)
@61: Hey, Caitlyn. What I meant is that enterprise distros (ie, Red Hat and descendants) are not very dynamic -- security updates aside, the software is going to work as well now as it did 6 months ago and will still be working 6 months hence. As opposed to shorter-cycle distros where there are more frequent bug-fixes and security updates because of the newer package sets.
The project leader hasn't stopped CentOS from keeping up with patches during the year-plus that he's been AWOL, so there's no reason to panic over it until/unless an important patch gets missed. For instance, I see a new RHEL kernel update (2.6.18-128.4.1) has appeared in the last day or so; let's see how long it takes for our CentOS boxes to pick that up.
78 • What's to attack? (by Michael Raugh on 2009-08-04 21:37:54 GMT from United States)
@76: Other machines on the network, I'd venture. A weak system can provide a comfy place to sniff network traffic and discover what else is out there.
79 • @59 Part 2 (by Miq on 2009-08-04 21:40:19 GMT from Sweden)
Hi Michael! Of course "real life" always takes precedence. I look forward to your next instalment, but I really hope it will come soon, because if it doesn't, all you've written is another review about installing Ubuntu, and we've got enough of those already.
(Before bashing, remember I'm wearing flak-proof kevlar tights)
80 • #75, 76, 77, 79: More on security and live CDs/DVDs (by Caitlyn Martin on 2009-08-04 22:02:53 GMT from United States)
#79: "(Before bashing, remember I'm wearing flak-proof kevlar tights)"
... and very fetching they are, too :)
#77: No argument. As I expected it was more my not understanding than anything else.
#75/76: With a vulnerable live CD any data on your hard drive(s) or other storage can be compromised or stolen. Michael's comments about using a vulnerable machine as a jumping off point to other systems is also a very valid concern.
If you look at the CD Linux review one of the points I did make is that it does NOT run as root and initially has root login disabled. Landor is absolutely correct that a system run as root is all the more vulnerable. One of the reasons to write a review is to address issues like this.
Even a live CD that doesn't run as root is vulnerable. Right now I'm back in my VectorLinux install. (I've mainly been running something else for an upcoming review.) I immediately had a notification icon on the panel once I signed in and sure enough Firefox 3.5.2 and updated language packs were waiting for me. Compare that to CD Linux 0.9.3, released in the last two weeks. It's a live CD that doesn't do security patches. So... if you installed it to your hard drive you have to know there is an issue and go upstream to get the update. It won't come from the distributor until they release their next version. If you run live you're stuck with a vulnerable browser. Whether that can lead to a security incident and lost or stolen data is debatable but you see the point.
CDLinux is a good live CD distro IMHO. It's a great rescue CD. It's wonderful for *very* short term use on a system when visiting somewhere. It's fine for checking hardware. Unless you plan on doing your own security from upstream, which is certainly possible, it's a poor choice for long term use and installing on the hard drive.
OTOH, since CD Linux is Slackware based it isn't all that hard for a savvy user to install the latest Slackware pkgtools and slapt-get (and possibly gslapt). Then you can get all your updates directly from Slackware who are always prompt about security. For someone who really likes CD Linux or another live Slackware based distro (i.e.: Austrumi) this is a real possibility. It's all about taking ownership for your security rather than leaving it in the hands of a distributor. For someone who knows what they are doing and is willing to do this CD Linux can be an acceptable distro. Again, this is precisely the sort of issue to cover in a review, not a reason to avoid reviewing a distro entirely.
Good discussion all around this week.
81 • And to different news (by Untitled on 2009-08-04 22:05:34 GMT from United Kingdom)
KDE 4.3 has just been released. Using KDE4 since the beginning up to 4.3 RC3 it's really great to see how well it's progressing, despite the early criticism which was somewhat justified, but I could see the point of the developers that things had to start somewhere and decided to stick with it and help by submitting bug reports.
Unfortunately I'm running into dependency problems on Kubuntu even though I have KDE4.3 RC3 installed, so I'll have to wait a bit longer before I can enjoy the final release.
82 • BTRFS on the Install? (by Anonymous on 2009-08-04 22:27:03 GMT from United States)
I'm looking for something different. Does any distro install btrfs during the install?
Is there lilo or grub support for it yet?
Would like to try something new and different. Just asking around..
83 • BTRFS (by Antony on 2009-08-04 23:03:19 GMT from United Kingdom)
Hi, Fedora 11 has an option to use that fs. There is a 'cheat-code': icantbelieveitsnotbtr to enter when installing Fedora 11.
84 • @82 / @83 (by Adam Williamson on 2009-08-04 23:40:37 GMT from Canada)
83 is quite correct, you can use the cheat code to use btrfs in F11. However, just to emphasize, please please PLEASE do not do this with data you care about in the slightest. btrfs is still immature and the chances of you losing access to any data stored on a btrfs partition are still fairly high.
85 • re:27 security (by dopher on 2009-08-04 23:46:40 GMT from Belgium)
When it comes to live cd's, it doesn't really matter if you are running as root. The live cd can't be compromised, and root is more or less the same as your userspace, like a regular user. (Not exactly though, because you can perform certain tasks a regular user can't, and save that to your persistent userspace.)
So if you suspect you have been infected, boot the clean liveCD, save the data, create a new persistent userspace, and put back the data.
"Surfing as root is controversial."
Same goes for surfing as user. As a user you have access to your /home/user dir. and that's where you have all your data. You can run scripts in your home dir, if you allow them to run (just like as a root). And those scripts can affect your personal data in your home dir. (just like root on a liveCD with persistent userspace)
Security mostly depends on the actual user.
86 • re: 85 (by dopher on 2009-08-04 23:48:50 GMT from Belgium)
Oh btw, i'm a happy puppy linux user :p (and yeah, running as root)
87 • Long time no rant.... (by Woodstock69 on 2009-08-05 00:40:36 GMT from Papua New Guinea)
@82: KDE 4.3 should be tremendous. I've been using 4.3 RC for awhile and it's a great improvement over 4.2 though on my system I have had a few quirks (under LM7KDE), not the least annoying was the disappearance of my panel. I've had to create another, but couldn't find any helpful info as to why it disappeared in the first place or how to get it back (my efforts to rebuild it are less than satisfactory and it's not as easy as "just adding the widgets again").
Whilst on the subject of LM7KDE, and not just LM, but all releases of Linux : what happened to the idea of a standard linux base (similar to BSD)? The really annoying thing about Linux distro's is the frequency of releases and the need to re-install from scratch to ensure stability, this includes all the apps I had to download to get my rig feeling just right. Though these two concepts may be mutually exclusive.
I've been using LM6KDE for awhile and love it on my laptop, then I tried LM7KDE in virtualbox and fell in love with the new features, but in order to use them full time, I have to delete v6 and install v7 which means downloading ALL my favourite apps and games AGAIN. That's fine on a broadband connection but PAINFUL on a 56K line!
Don't get me wrong, updates are great, but why not get something in place so that I only need one repo for the non-core apps, not one for every version of LM that comes out? I know there are reasons against it, and if it's not technical then I'm not interested, and if it is technical, fix it. That's why Linux is great. It doesn't accept technical excuses for not fixing problems. It improves and evolves all the time. So this may be a "wish" rather than anything else.
Yes, this means it could effectively be a rolling release. And yes, I love that concept. And no, I don't want to install a rolling release linux (or anything else, including wolvix, as good as wolvix is) such as [insert your version here]. I like LMKDE and will stick with it until openSuSE 11.2 is complete and then re-evaluate which is better for me. Could be a tough fight though. I promised myself I would only go out with Minty until Susie came back from her makeover.....
LMKDE is getting better and better with each release, but the constant re-installing and re-downloading of my apps for each version is driving me mad. I have the same issue with openSuSE and all the other distro's I tried before and along with too. It really is tiresome.
I guess the simple but most tedious solution is to keep the source version of my favourite apps and recompile each time. That means losing the convenience of pre-packaged/ one click updates which defeats the purpose really, not to mention the hideous time wasting factor....
Anyway, another great DWW. Thank you to all the maintainers, contributors, reviewers and the community for another week of great contributions.
88 • @19, GNOME3 (by Miq on 2009-08-05 01:14:08 GMT from Sweden)
Yeah, the GNOME 3 circus will come to this town. However, I don't think it will be much of one. It is painfully obvious that GNOME lacks a perspective to the future. Even though I'm a KDE4 guy I am also an interface designer and try to follow what happens with other DEs, and I read the "ambitious program declaration" about GNOME3 provided at the site:
And I tell you, it was hard to stifle yawns distending my jaws further than PacMan's ever went. While the KDE team had an enormous vision for where to take v4, the GNOMEers have none at all. They seem to realise that they need something new and future-compatible, but at the same time suffer from virulent innovation deficiency syndrome - they seem to consider changing how you open and switch between applications and a new-fangled file browser an "ambitious plan". Jeez... Well, where KDE4 has opened the doors for the DE of tomorrow, and Windows7 will habituate the teeming hordes about how DEs will look, I predict these boring plans for GNOME3, albeit haused as Something Great (tm), may be the first step to its obsolescence. Oh well, here's to ya, GNOME, I'm glad I never liked you!
89 • ref#99 A redickulous statement. (by Anonymous on 2009-08-05 01:44:23 GMT from United States)
Coming from someone who's admittedly a KDE4 user, what else can we expect!
KDE4 makes ME yawn. GNOME will be here just as long as KDE will.
90 • @88 (by Nobody Important on 2009-08-05 02:34:56 GMT from United States)
Have you used Gnome 3?
I would guess not by your claims.
91 • @88 and more (by Woodstock69 on 2009-08-05 02:40:44 GMT from Papua New Guinea)
I never thought I'd say it, but I can't go back to KDE3 (damn it). I love the innovations in KDE4 too much (though there's much to dislike or at least get used to). The problem I have now is that much of the functionality I enjoyed in KDE3 is missing from KDE4, leaving it as functional as the present Gnome. OK, I exaggerate slightly, but MANY items of functionality ARE missing from KDE 4.3 (I know it will improve as it always does. I'm very impatient ;) ).
Dolphin is a great example of an incomplete app. I noticed on the devs page that the idea behind Dolphin is not to compete with Konqueror, but as we know the guts of KDE4 Konqueror ARE Dolphin and thus compared to KDE3's version, it's severely limited as a file manager. I'd like to see the original file management feel and functionality of KDE3 Konqueror, if not back, at least incorporated into Dolphin.
The Dolphin dev is also intimating that Konqueror is too complicated! Try using directory opus or freecommander. They're feature packed to the rafters. If I want dumbed down apps and file managers, I'll install Gnome and its apps.
In my opinion it is time to stop with the eye-candy and start making the DE functional again. Until it's at least as functional as KDE3, I won't be a happy penguin. I still can't figure out the point of KDE4's desktop view as opposed to folder view (which in my opinion is much more pleasant), the horrid border around desktop icons when moused over or the toolbar on the side of the icons. Give me "properties" on a right click any day! Mind you I prefer to use file managers to manage my files rather than the desktop if that's what the devs had in mind.
The whole point of KDE is to innovate, progress and give the user UI and configuration options. Lots of them. Not dumb it down to the standard of Gnome.
Before anyone flames me, I'm not saying Gnome is dumb. It just doesn't have many options in my opinion and is designed to be less configurable by nature. I want the opposite myself and KDE3 delivered on that. KDE4 is a worry at this stage.
92 • RE: 85 (by Landor on 2009-08-05 02:50:04 GMT from Canada)
"When it comes to live cd's, it doesn't really matter if you are running as root. the live cd can't be compromised, and root is more or less the same as your userspace, like a regular user. (not exactly though, because you can perform certain tasks a regular user can't, and save that to your persistent userspace)"
That is absolutely ludicrous! Truly!
Do you know why Windows users have so many viruses, trojans, exploits? It's because a user has administrative access (normally). No passwords to login with for any installation of a program, hardware, changes to the system's configuration (scariest of all in my opinion).
That is "EXACTLY" what a livecd gives anyone hacking into your system, and more. Access to the network, etc, etc, etc. It "can" be a very dangerous toy.
To say it can't be compromised is totally absurd, and I'm sorry, but the truth. The actual data on the cd may not be, but your data on other drives, network, etc are ALL COMPROMISED.
Keep your stick on the ice...
93 • KDE Flash (by Elder V. LaCoste on 2009-08-05 03:00:08 GMT from United States)
I really appreciate the fact that many people have devoted countless hours to developing window managers for Linux. I like Gnome and KDE4 is just so smooth. All of this banter of "I don't like this" and "that one sucks" sounds like a grumpy bunch of old curmudgeons complaining because they don't like change, the one constant in the universe. Come on all you oldsters and get with the program.
On another subject, if I remember correctly someone last week said that Adobe Flash can be installed in Ubuntu 9.04 AMD 64 by installing any of the KDE packages. I just installed the whole KDE4 package and there is no Flash. Did I miss something?
@73 I caught that Devil's advocate remark.
@86 Me too, see #17.
94 • Re #92 (by Rex on 2009-08-05 03:18:59 GMT from United States)
I don't think you are correct.
1) Most Windows users get so many viruses et al not because someone hacked them but because they willingly download and click on things that they shouldn't.
2) If I recall correctly, the hacker (English) that the US wants to bring over here to further punish was caught because he forgot the time zone and hacked a computer when a human was sitting in front of it. Thus he was caught.
3) To gain access to info on the hard drive while a live cd was being used, wouldn't the user notice something funny going on like files opening that he didn't open? If the user is not running as root, wouldn't the hacker have to ask for root overtly to get it?
4) Can anyone cite a verifiable case of a live cd user having his hard drive compromised (when the user didn't go off and leave the computer untended for long periods while the live cd was running) ?
95 • comments (by Nobody Important on 2009-08-05 03:19:24 GMT from United States)
@93: I agree.
I don't understand the arguments about any Desktop Environment or Window Manager. I'm neutral. I can swap to Gnome and KDE and back to Xfce, LXDE, Awesome or Fluxbox in the blink of an eye. The only one I haven't gotten used to yet is OpenBox, but I'm certainly not going to blame it.
I understand people usually like certain features or have an affinity for what they know, but come on, now.
I personally liked Gnome 3 after testing it for a while. I thought it was very neat how it fluidly moved and changed depending on what I was pointing at, much like a tiled window manager. I think that saying there is a lack of innovation in the project is outright false; it's actually very interesting and I hope it delivers.
For me, it already has.
I intend to try out KDE 4.3 when some distros support it. It looks nice and 4.2 was pretty solid, if not without a few quirks here or there.
@anyone: Now, for some good news.
I love Sidux! It installed and worked without a hitch! The Xfce version is very clean, and I will definitely try the KDE version once the jump to KDE 4.3 is finalized. The distro has a lot of what I like from Arch and Debian, but easier to configure.
The good news is that after everything was updated to the bleeding edge, the Intel driver regression went away. POOF! I believe I was using 184.108.40.206 and the newest Xorg.
In any case, Intel driver regression freedom is forthcoming! I had a Quake 3 session to celebrate. ;)
96 • Flash Player Ubuntu AMD 64 bit (by Elder V. LaCoste on 2009-08-05 04:15:45 GMT from United States)
@93 In case anyone else has this problem here is what you do:
sudo apt-get install ubuntu-restricted-extras
97 • RE: #94 (by Anonymous on 2009-08-05 07:15:25 GMT from Canada)
1) Those stupid Windows users huh? Looking at PDFs and having persistent security holes in Adobe products. Serves them right eh? Ah yes, the good old Linux superiority complex.
This place never changes.
98 • Free Thoughts (by Anon on 2009-08-05 07:23:50 GMT from Norway)
#63 - GreenWolf70 on 2009-08-04 17:07:40 GMT from United States minted:
"... non-political forum of free thought ..."
I don't know what political thoughts the Mint site might be espousing, and I don't care, but this site does have its lighter sides :)
99 • RE: 92 (by dopher on 2009-08-05 07:38:53 GMT from Belgium)
"Do you know why Windows users have so many viruses, trojans, exploits? It's because a user has administrative access (normally). No passwords to login with for any installation of a program, hardware, changes to the system's configuration (scariest of all in my opinion)."
Wrong. Read post 94.
And, also, Windows XP can be run perfectly safe, even as admin. First of all, disable the Windows scripting host (this alone already will protect you for 80 percent of all viruses). Run it behind a firewall. Don't use IE, but a safe browser with script blocking as a default. (Also disable all scripting in IE, even when you don't use it.) And don't click on everything that moves. I've never used a real time virus scanner on Windows XP, and never was hacked, or even had a virus. Again, it's mostly the user that will infect the system.
Keep your feet on the ground...
100 • No subject (by forest on 2009-08-05 10:35:54 GMT from United Kingdom)
Ref the security question...
I for one found it fascinating, again, to read of the different views folk take towards security, and, even more interestingly, how folk use their computers.
In some instances, running a live CD for example, some folk "install" the distro, check it out, then bin it.
Some run the CD and use it for real work, regardless of any consequences of nasties penetrating the rest of the system/hard drives whatsoever.
Some are especially vigilant and don't take any risks at all. To them the notion of running rogue scripts is the height of folly, especially as you have only to check out the FF add-ons for a solution.
Some appear to have certain misconceptions of how a system works ref to security issues, ie, to root or not to root.
Some folk use their machine for banking or online shopping, whilst that sort of activity does not even occur to others.
[For what it's worth, for online shopping I use a website as the shop window, then telephone the sales dept and talk to a person, decide if they really are a proper retailer...or try to, LOL, as in do they know what is up for sale, etc etc...then do the thing with the plastic, and, I don't buy from overseas, purely to avoid warranty claims problems.
I have this distrust about not knowing who exactly has a record of my card number and the code doodad on the back. There were probs with PayPal a very short while ago which were ascribed to a hardware failure...well, they would say that, wouldn't they.]
Having read the foregoing comments in the forum it would seem even more prudent to remind folk when using GNULinux stuff...just because it is NOT MS...it is NOT invulnerable...akin to a govt wealth warning.
So, after all that, perhaps it might be a notion to include a tutorial on GNULinux security issues. After all it is a part of using GNULinux stuff.
101 • new Slax (by Sean on 2009-08-05 11:21:30 GMT from United States)
We got Slax new release installed successfully on an IBM 360-30 tape driven machine.
Just kidding. :o)
It is on an old Gateway 2000 though, running fine. We did struggle with graphics for a bit, but finally went into configuration file and got the machine's weird resolution to display correctly.
The main operator of the Gateway is having fun now, whereas he was NOT doing that with constant, daily maintenance with the Windows ME. A seldom used computer is now a working machine. :o)
102 • Slax (by Greg on 2009-08-05 11:26:56 GMT from Greece)
One great disadvantage Slax has, even with the 6.1.2 release, is the old kernel which doesn't support the EXT4 filesystem.
103 • @93+96: 64 bit Flash in Ubuntu/Kubuntu (by Untitled on 2009-08-05 11:41:13 GMT from United Kingdom)
and kubuntu-restricted-extras for Kubuntu.
104 • linux mint 7 kde edition (by david on 2009-08-05 11:55:42 GMT from United States)
linux mint 7 kde edition is awesome!!!! i have never really been a fan of linux mint but this has changed my mind. kde 4 has come a long way and this iteration is no exception. stable and usable seems to be right on par with kde 3.*. it is truly a pleasure. keep up the good work kde/mint team.
105 • KDE vs Gnome (by Sean on 2009-08-05 13:00:23 GMT from United States)
I found Gnome faster on the same machine (an HP laptop) than the KDE 4 version. Funny to me because I used to consider KDE to be the greatest, now realizing it was the transition from Windows that seemed better to KDE.
As it is, I ended up putting Sabayon's Gnome version on another laptop, a Toshiba I'm using now, and it seems faster than the KDE version of Sabayon.
The differences are not dramatic, but I sure noticed them so stuck with Gnome.
106 • @70 & 104 (by Andy Axnot on 2009-08-05 13:42:15 GMT from United States)
Thanks for your positive comments about Linux Mint KDE.
I downloaded it and have tried it as a live DVD and was terribly, terribly disappointed. But I wasn't sure if the fault lay with Mint or with my unfamiliarity with KDE 4.x and the Ubuntu way of doing things.
So now I'll stick with it a bit more to give it (me?) a better chance.
107 • Re:94 security (by jack on 2009-08-05 15:07:10 GMT from Canada)
I seem to be really slow today so I hope someone can explain in very simple terms:
1. I have read that some live cds will run without any hard-drive being in the machine.(does this apply to both linux and windows machines?)
2. There are hard-drive "drawers" that allow one to insert or remove a hard-drive with the turn of a key.
This still leaves the motherboard and /or the "BIOS" that might be "cracked"
3. Are there any websites that give evidence that this (item 2) has occurred?
108 • Security (by Pearson on 2009-08-05 15:10:59 GMT from United States)
Generalizations follow. There are likely exceptions to this. Take this with a grain (or two or more) of salt. I believe that most, if not all, of what follows applies just as much to a LiveCD as an installation on a Hard Drive.
In general, in Linux commands which alter the configuration of a system (e.g. mount) must be run as root. So, when running as root, malicious software could silently mount a hard drive and scour for data. No windows would open, no obvious indications of unexpected activity. The hacked user *may* notice hard drive activity.
Also typically protected from non-root users are "sniffing" tools - such as network monitors. They're protected because they can capture potentially sensitive data such as someone's password if sent over the network unencrypted (e.g. telnet, ftp, rcp, etc.), company proprietary information (contract bid rates, designs for a future product, vulnerabilities, etc.), or even credit card numbers.
So, running as root is not inherently "evil" - there are legitimate reasons. However, running as root carries a greater responsibility - more harm can be done. The more important the environment in which you work (e.g home gaming vs. MegaCorp Research & Development) the more important it is that you limit and protect your use of root.
This is not to say that non-root users are risk-free. A non-root user can have certain privileged access to proprietary data, can be used for a Denial of Access, or even may have special network privileges. Non-root users must also be careful, but their potential for damage is more limited and well-defined.
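An added example (not part of comment 108 or of this thread) for checking the two privileges that comment names, mounting drives and network sniffing: on Linux these map to the capabilities CAP_SYS_ADMIN and CAP_NET_RAW, which can be read from `/proc/<pid>/status`. The three sample sessions are constructed, and the function names are this example's own.

```python
"""Check which of the privileges discussed in comment 108 a Linux process holds."""

# Capability bit numbers as defined in linux/capability.h.
CAPS = {
    "CAP_DAC_READ_SEARCH": 2,  # read any file regardless of permissions
    "CAP_NET_RAW": 13,         # raw/packet sockets, i.e. network sniffers
    "CAP_SYS_ADMIN": 21,       # mount(2), among many other admin operations
}

# Constructed samples in /proc/<pid>/status format (not captured from a real host).
ROOT_SESSION = """Name:\tbash
Uid:\t0\t0\t0\t0
CapEff:\t0000003fffffffff
"""
USER_SESSION = """Name:\tbash
Uid:\t1000\t1000\t1000\t1000
CapEff:\t0000000000000000
"""
# A non-root process that was granted CAP_NET_RAW only (bit 13 = 0x2000).
SNIFFER_HELPER = """Name:\tcapture
Uid:\t1000\t1000\t1000\t1000
CapEff:\t0000000000002000
"""


def parse_status(text):
    """Return (effective uid, effective capability mask) from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if "Uid" not in fields or "CapEff" not in fields:
        raise ValueError("status text lacks Uid or CapEff")
    # The Uid line lists real, effective, saved and filesystem uid in that order.
    euid = int(fields["Uid"].split()[1])
    cap_eff = int(fields["CapEff"], 16)
    return euid, cap_eff


def assess(text):
    """Summarise whether the process can mount filesystems or sniff traffic."""
    euid, cap_eff = parse_status(text)
    held = sorted(name for name, bit in CAPS.items() if (cap_eff >> bit) & 1)
    return {
        "euid": euid,
        "held": held,
        "can_mount": "CAP_SYS_ADMIN" in held,
        "can_sniff": "CAP_NET_RAW" in held,
    }


def describe(label, text):
    """One-line report for a session."""
    result = assess(text)
    who = "root" if result["euid"] == 0 else "uid %d" % result["euid"]
    return "%s (%s): mount=%s sniff=%s" % (
        label, who, result["can_mount"], result["can_sniff"])


if __name__ == "__main__":
    for label, sample in (("root session", ROOT_SESSION),
                          ("user session", USER_SESSION),
                          ("capture helper", SNIFFER_HELPER)):
        print(describe(label, sample))
    # Also report on the current process when running on Linux.
    try:
        with open("/proc/self/status") as handle:
            print(describe("this process", handle.read()))
    except OSError:
        pass
```

The third sample shows why the uid alone does not settle the question: a process can run as an ordinary user and still hold the sniffing capability if it was granted separately.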
109 • Re # 108 (by Rex on 2009-08-05 15:30:45 GMT from United States)
Thanks for your comment. To understand you correctly, you say:
"In general, in Linux commands which alter the configuration of a system (e.g. mount) must be run as root. So, when running as root, malicious software could silently mount a hard drive and scour for data. No windows would open, no obvious indications of unexpected activity. The hacked user *may* notice hard drive activity."
Now it seems that you are saying that a hacker could silently mount (ie not have to ask permission) when root is running, but also that the hacker would be able to do this without having to open a file browser on the hacked machine? How then does the hacker see anything?
110 • Scientific Linux updates (by Pearson on 2009-08-05 15:33:50 GMT from United States)
I've been intrigued by Scientific Linux since the CentOS discussion began. I saw on https://www.scientificlinux.org/documentation/faq/errata their policy on Security Updates. "Within a couple days" because "RedHat is not perfect, and sometimes their errata completely break programs." The page gives a little more information about their policies.
111 • @109 Rex (Re: Security) (by Pearson on 2009-08-05 15:39:12 GMT from United States)
You asked [...]the hacker would be able to do this without having to open a file browser on the hacked machine? How then does the hacker see anything?
Well, the hacker could send the data over a network to a remote site. Let's say I've hacked your account (and I wouldn't!) to look for /etc/passwd and /etc/shadow on local hard drives. If my software finds the files, it could transfer them over the internet (maybe using the FTP protocol) to a remote machine that I own. No windows are ever opened on your screen.
112 • No subject (by forest on 2009-08-05 15:46:42 GMT from United Kingdom)
Ref Q1, certainly a machine can run off a usb stick perfectly without any hard drive being connected...I have tried it just to see if it might work. Never tried it with just an optical disc connected tho'. And, only tried with a distro.
The thing is the machine will run from booting off the BIOS, but you could save stuff only to the usb stick itself (another story for another time).
Ref Q2, dunno about drawers per se, but you can get powered external hard drive "sockets" you just drop a drive into...or even just a connector kit (IDE and SATA catered for).
You did not specify however if the hard drive in a drawer was the main drive or just a storage drive...but would it matter for your query?
I recall I used the Puppyxx series to try this a couple of times, and I believe Puppy can be installed on just about anything, even a toaster.
Hope that helps.
113 • Re: #111 - please correct the italics (by Pearson on 2009-08-05 15:51:50 GMT from United States)
I meant to close the italics after the first paragraph (after "anything?"). Could someone with the appropriate privileges please correct that?
Sorry, and thank you!
114 • Re:111 (by Rex on 2009-08-05 16:04:33 GMT from United States)
Now it seems that you are talking about software already installed (presumably by the machine owner unwittingly but willingly) transmitting data outside the owner's view to a remote site. Yes of course. But that is not the live hacker stealing or compromising the machine in real time with the owner watching which is the scenario brought up concerning live cds and security.
To simplify the question. I have a machine on. I leave it and lock it. Now a hacker sees my machine. He must (I assume :) ) discover the password in order to get into my machine. So he starts a program that auto guesses possible passwords. The program takes 7 minutes to guess right. Are you saying that during the seven minutes my screen will not light up and I will not be able to see this break in activity if I look at my machine?
115 • RE: 109 (by EWP on 2009-08-05 16:06:41 GMT from United States)
It's the terminal! I use it all the time. My wife's working @ home on the notebook with email and the internet. I'm ssh'd in working to the terminal doing web development. It's the way it goes. She has no idea.
116 • Re # 115 (by Rex on 2009-08-05 16:16:51 GMT from United States)
If you are responding to the live cd security question, then I think what you say is not applicable. You are connected via the terminal because you have personal access to the notebook, not because you are some stranger hacker who broke in. Is this not correct?
117 • Re:112 (by jack on 2009-08-05 16:34:17 GMT from Canada)
Sorry I was not clear.
If I turn the key and disconnect my hard-drive, and then use a live CD that can boot without a HD and then surf the internet (of course NOT being able to save anything) can a cracker implant a "trojan", "virus" etc into my motherboard and/or BIOS so that when I reconnect my hard-drive the virus goes "HA_HA" and scoops all my data etc.
Sorry for such a long sentence.
118 • re: 114 @ Rex, Security (by Pearson on 2009-08-05 16:40:11 GMT from United States)
I leave it and lock it. Now a hacker sees my machine. He must (I assume :) ) discover the password in order to get into my machine.
Mostly, you're right. However, and this is where the issue of security updates comes in, not all software is invulnerable. Suppose that your locked computer has Firefox running. Suppose further that there's a vulnerability in Firefox or one of the add-ons, allowing a remote user to execute code. Your machine has now been hacked while you're away and no password has been guessed. Again, this is why keeping an OS up to date with security patches is important. The hypothetical vulnerability in Firefox or add-on could be patched quickly, eliminating that particular vulnerability.
The scenario I present is more representative of the theory than practice. In practice, the vulnerabilities could be in any part of your system: CUPS, OpenSSH, KDE, or even a kernel module. And in practice, the same things also happen on "traditional" (meaning not a LiveCD) Operating Systems - Unix, BSD, Linux, Windows, OSX.
But that is not the live hacker stealing or compromising the machine in real time with the owner watching which is the scenario brought up concerning live cds and security.
I don't quite understand what scenario you're describing. I must have overlooked that in the original discussion. I'm sorry if I'm not answering that particular question - if you could point me to that then I'll do my best.
Sounds like a good subject for a future DWW is the discussion of what it means to run as root and the importance of security updates. What are the risks?
119 • @96 • Flash Player Ubuntu AMD 64 bit (by Anonymous on 2009-08-05 16:50:48 GMT from United States)
Didn't work for me, don't know why. I downloaded the actual 64 bit program from Adobe and did a manual install ..smooth..smooth..smooth.
Dang! There is a new version out(post-April) ! Thanks for posting!
I'll install the latest greatest tonight. This is so kewl..
120 • Re # !!8 (by Rex on 2009-08-05 16:58:48 GMT from United States)
Good answer thanks.
I agree that the subject is a good topic for an article.
The debate I think has been going on for a long time (not here but community as a whole. Puppy running as root for example. )
One person above said they only ran a live cd for a short time (aprox 15 minutes or less) and then they shut it down as if monsters would make off with everything. I think that is absurd.
Others claimed a live cd might be better for banking. Don't agree because it is not the info on my machine itself I fear being seen without me knowing it. It is the fear of the info being seen once I send it over the net that is the danger as I see it. Live cds do not help this at all.
Also see my post #94 where I tried to clearly ask the question.
Also when a live cd logs you in as root, on most of them you can go to users accounts and make a non root account and then log out of root and into the new account.
121 • CentOS, Scientific Linux, security updates, et al... (by Caitlyn Martin on 2009-08-05 17:17:25 GMT from United States)
I've written about abandoning my experiment with CentOS on my netbook at: http://ever-increasing-entropy.blogspot.com/2009/08/end-of-centos-netbook-experiment.html
I've also explained in detail why I am recommending Scientific Linux over CentOS for servers and why I am recommending none of the above for desktops and laptops. I've asked Miq if those tights are available in my size :)
122 • RE: 116 (by EWP on 2009-08-05 18:09:03 GMT from United States)
If you are responding to the live cd security question, then I think what you say is not applicable. You are connected via the terminal because you have personal access to the notebook, not because you are some stranger hacker who broke in. Is this not correct?
I am connected via ssh remotely as ssh is running, which is something that I have allowed and configured. Never did I intend to insinuate that I'm some master hacker... Now, what I was trying to say by the post is that when you can gain access to the system, that not everything you do pops up windows for the user to see. Be it through exploit that is not updated or whatever, no system is secure. Am I worried? Not overly. Still relatively cautious however.
123 • Re #122 (by Rex on 2009-08-05 19:44:08 GMT from United States)
No I did not think you were making claims. I just wanted clarity on the issue I wish to understand.
I just don't believe that a hacker can find a user running a live cd, and from that ground zero layout with no previously installed hidden software installed on the user's computer, that the hacker can gain access to the hard drive without having to use visible means (to the user being hacked) to accomplish this.
No one as of yet has tried to cite one case where it was verified that this was done. I really am interested to know this, if it is possible.
In terms of using the net my attitude and policy is that any and everything a user sends out of the computer is to be regarded as potentially visible no matter what precautions have been taken. But that is what is sent out willingly by me but always potentially read/stolen by the unethical.
124 • Security (by Landor on 2009-08-05 20:23:23 GMT from Canada)
Here's a good example of security to remember. The Pentagon and White House were attacked, along with online sites at the same time. Key focus there "The Pentagon and White House". Albeit years ago, if you believe your system is more secure than those two could be, well, enjoy! :)
It's not paranoia, simple fact. Nothing is 100% secure and it can happen, in ways people haven't even thought of. If they did know every in and out there wouldn't be any need for security any more, would there?
I'm gonna let this topic drop for my part in it now...
Keep your stick on the ice...
125 • Spread the linux word (by RollMeAway on 2009-08-05 20:26:36 GMT from United States)
Tux USB Keys Can Make Your Donated Computers Greener, Cleaner, More Ethical, and More Educational
Remove any hard drives and include a Live Linux CD that works with the given hardware.
126 • Re #123, Security @Rex (by Pearson on 2009-08-05 21:09:34 GMT from United States)
If you don't think in terms of "Live CD" but in terms of "running as root" and "infrequent/untimely security updates" then you will find many occurrences (being at work, I lack the time to find authoritative, non-anecdotal citations but I know that they can be found with a few minutes' worth of work). It's those characteristics of (most/many) LiveCDs, and some non-Live distros, that are the issue. It's not that LiveCDs are inherently insecure per se, but that the typical LiveCD has characteristics that make them less secure than preferred. I'm sure that a LiveCD could be provided that has frequent security updates (requiring re-burning) and has the user run without root; one may already exist.
The hacker doesn't have to know that you're running a LiveCD - he just has to discover that you're running a vulnerable system as root. At that point he can get information. He may not be able to write to the CD, but he may find information that makes writing to the CD unnecessary.
127 • Ref #126 - OOPS (by Pearson on 2009-08-05 21:51:04 GMT from United States)
I left out a phrase from the second sentence of the last paragraph. It should read (bold part is added):
At that point he can get and send information and do damage on the network or some hardware connected to the computer such as a hard drive.
128 • Chrome beta available (by RollMeAway on 2009-08-05 21:58:28 GMT from United States)
Chrome beta available for debian and fedora based distros:
Just installed on a sidux machine. Works well. Couple of functions not available yet, but quite usable.
129 • #125 (by Notorik on 2009-08-05 22:48:06 GMT from United States)
Thanks for that link. You just made a big difference in the world by posting that.
130 • No subject (by forest on 2009-08-05 23:32:01 GMT from United Kingdom)
And more or less on topic...
There could be another benefit too, purely in the technical vein...no hard drive means less power required per machine...factor in a smallish flat screen and you are certainly helping, so to speak, the green image these nippers should be hoping to copy.
131 • Absolute (by Rex on 2009-08-06 00:44:01 GMT from United States)
I have had an obsession (very irrational I know) about Slackware.
So today, because I was not wanting to trust another Grub install on my "real" machine (and Slackware Absolute used Lilo) I downloaded Sun VirtualBox, plus the Absolute 13 RC2 image, installed the Box, burnt Absolute, and then after partitioning my virtual partition, I installed. That is I rather suffered through 5 hours of install, never being certain it would work.
But Ha it did, and now I have that happy but vaguely is that all there is feeling. Still success is better than failure and if nothing else one itch has been scratched.
Still 5 hours to install, and this machine has 3 Gigs of RAM. I will have to try one of those 10 or 20 minute quickie install Distros to see how much slower the Virtual machine makes the process. My only real experience with them was using pre built OS in VMware Player. I didn't realize the VirtualBox was so easy to use. :)
132 • wine in listed packages (by hants on 2009-08-06 06:29:41 GMT from Germany)
Could you please add wine to the list of packages shown in distributions?
The used version of wine often is a criterion to not choose a specific distribution.
133 • RE: 132 wine in listed packages (by ladislav on 2009-08-06 06:48:18 GMT from Taiwan)
WINE has been listed for years. Just go to any distribution page and change the view to "All tracked packages".
134 • No subject (by forerst on 2009-08-06 08:03:41 GMT from United Kingdom)
Ref Debian release cycle...not a new notion...syncing with Uxx, security issues and more.. Shuttleworth speaks...one less trip into space....it's all here:
135 • Once Is Enough (by Paul B on 2009-08-06 12:35:17 GMT from United States)
What follows is an adventure when one has lots of time to kill.
Equipment: Toshiba Satellite w/2.5G ram
OS: dual - Vista 32b w/Opensuse 64b
Problems: Vista can not upgrade to service pack 2 while part of a multiple booting system. MS says to re-install Vista. Opensuse has developed a random screen lock that is becoming more mittant and less inter. A half hearted internet search shows no cures for Suse. The live CD still works fine.
Solution: Reinstall everything. No, I am not insane. I had the flu and nothing better to do with my time.
Day one: It took 6 hours to get through reloading Vista (and all the bloatware provided by Toshiba). Then I spent another couple of hours removing most of the bloat. The Toshiba rescue disks do not provide many options. So a re-install requires bloat removal afterwards.
Day two: I started the windows update process. I thought that windows service packs contained all the previous updates. I was wrong. I had to go some place just when windows started updating .NET. This seemed to hang (wrong, it just takes forever), so I killed it, thinking the update would just skip that part. Wrong again. Because I had downloaded everything (but not installed everything), windows update was done. I found that I could resume updating if I waited an hour or two before another attempt. I am not sure why. Perhaps something to do in Redmond. But eventually I got all the updates installed. So I added some stuff like Opera and Open Office. Then I made a last check of the update system and Lo! I had more updates.
Day three: I think it was the third day when I finally was offered service pack 1 for an update. It updated without incident. And without much result either. Later I was finally offered service pack 2. It updated without incident. The resulting speed increase was phenomenal! Not as fast as Linux, but pretty darned impressive. By this time, it was late in the day, but I got most of Fedora 11 up and running in the time remaining. I figured about 3 hours vs. 3 days for Vista.
Day four: Fedora was probably a poor choice, but I took it because I thought that it would have the fewest updates (being the most recently released rpm based distro). So I took some time messing around with fine tuning before I got back to see if Vista would load from grub. It wouldn't. I got a "bootmgr" not found error. So after some more churning to get the windows stuff added to fstab (note Fedora, there are distros that do this automagically), I went looking for bootmgr. When I first loaded the windows partition I did a double take. There was a BOOT folder. I thought I had a Linux partition. But, no, everything else looked like Vista. And inside the BOOT folder was bootmgr.
After a little head scratching, it seems that Vista now sets up a separate partition for booting and the main windows stuff is on a separate partition. Kinda like Linux. So a simple change of "rootnoverify (hd0,0)" to "rootnoverify (hd0,1)" seemed to be in order. This worked just fine, which was a relief. I like the new Vista and will play with it some as it is much faster.
However, if I ever have to reload it, it will be history. I am not going to spend three days babysitting the install of any operating system. Once is enough.
136 • No subject (by Tom on 2009-08-06 14:29:47 GMT from United Kingdom)
#125 RollMeAway, Tux-Keys. WOW, fantastic news. A key to the future? This is really heartening news. The opportunities that linux offers undeveloped lands or places with poor IT infrastructure or lacking wealth or educationally is immense & it's fantastic to see a project like this being developed. Is this going to be another project that microsquish jumps on at the last minute to prevent it from being rolled out successfully? Notorik, forest, good to see people feel same way i do about this. Thanks RollMeAway :))
@ 135 Paul B. Vista. thanks for that. I've managed to avoid Vista but people keep needing help with it & it's becoming unavoidable now my aunt has it. Choosing distro by which was released most recently is amusing and yet so sensible :))
@133 Ladislav, "All tracked packages" & Refresh button. Wow, fantastic. Do you keep previous years tables or junk them? Perhaps something that Shawcroft could use in his research as snapshots going back, way back into time?
@131 Rex, Absolute. Lol, interesting avoidance of Wolvix or perhaps even Slax heheheh
@121 Caitlyn. CentOS. I think haste is not a good basis for changing recommendations but i see your point. I guess you're not in a position to be able to tell people to sit&wait for 3months to see how things pan out!! An unenviable position to be in.
@106 Andy Axnot, Mint LiveCd - at last someone who doesn't wipe their machine and then install something only to complain that Mint (or whichever) just isn't the same. LiveCd is smart :)
@104 David, Mint. Great to hear it's fantastic on your hardware. Hardware being a key variable, along with personal tastes on how "bad" a distro isn't ;)
Windows viruses. There's so many reasons that Windows suffers so badly. Users being forced to download random stuff from sites they've never heard of rather than having a decent package manager and repos is just one reason among endless others. http://librenix.com/?inode=21 I like the kudos, "name in lights" & the "so many dark corners to hide in" arguments.
@13 Sean. Wolvix. Back before Wolvix was rebased on Slackware-main rather than on Slax i was still working in very much the Windows world. Oooo, what i wouldn't give to go back and have serious words with myself back then *kicks self*. No distro works on every hardware combination straight out of the box but Hunter seems a lot better (ime) than most. Even people that normally really struggle with Slackware distros seem to find Wolvix Hunter works *shrugs*
Hey, cheers everyone for another great week at Dw - especially thanks to RollMeAway for that awesome inspirational link :))
Regards to all from
137 • @Paul B, and anyone else who has to install Windows (by Pearson on 2009-08-06 14:42:33 GMT from United States)
Have you tried running autopatcher? It installs the Windows Updates (including Service Packs) in a more reasonable fashion (in my opinion).
Also, now that you have a working customized Windows system, you might consider using nlite to create a custom installation CD to save time the next time.
I still think most Linux package managers (and probably the BSD equivalents - I don't know much about them to say) are much more reasonable than the Windows Update Manager. One thing that bugs me about Windows software is that there's not an easy way to get updates for my miscellaneous applications. I have to let each application "phone home" to look for updates. It'd be better if it was like Linux.
138 • No subject (by forest on 2009-08-06 15:08:21 GMT from United Kingdom)
Jack this is one for google, there is so much gen on this subject it would take forever to list the urls, and you can google as well as I, LOL.
One thing I would suggest if you use FF as your browser...go into add-ons and install No Script. It asks you about every site you visit, even google itself, so if there is something you are unhappy about simply walk away.
139 • @131 (by Elder V. LaCoste on 2009-08-06 16:58:49 GMT from United States)
I am surprised you got it to work so "easily". After reading Caitlyn's review, I have not been too interested in trying it. Maybe you should have read her review first. I am curious as to why you didn't go with Vector, Wolvix, Zenwalk, or Slax?
Speaking of reviews, I was hoping to see a review of DragonFly BSD. I believe Caitlyn promised to do one or maybe she said it was "on her radar", whatever that means...
140 • A comment which perfectly illustrates my position vis a vis CentOS (by Caitlyn Martin on 2009-08-06 17:22:30 GMT from United States)
The following was a comment to my business oriented article about the CentOS situation for O'Reilly at http://broadcast.oreilly.com/2009/08/the-future-of-centos-and-crite.html
By Peter Griffin on August 6, 2009 10:15 AM | Reply
I've been running CentOS as a file/intranet server since 5.0 was released. I started becoming concerned during the protracted period that it took to get 5.3 out. Not about the "lateness" in getting 5.3 out, but the complete lack of security updates in the interim for my 5.2 system. This "No updates available" went on for over a month. My version of Firefox trailed behind Red Hat's by two versions.
We can go back and forth about how many developers CentOS has vs. Scientific Linux. To me, that is academic if the Scientific Linux developers get their distro out several weeks in advance of CentOS, and more importantly, provide more timely security patches. If I'm not mistaken, Scientific Linux also supports older "dot" releases, such as 5.1, 5.2, etc., while CentOS does not. Not an issue for me, but it does indicate a little more thoroughness on the part of the Scientific Linux developers, few in number as they may be.
My change in direction wasn't hasty. The recent news just helped crystallize a decision that was building for some time.
141 • @139: DragonFly BSD review (by Caitlyn Martin on 2009-08-06 18:20:10 GMT from United States)
Yes, a review of DragonFly BSD is something I am planning to do. What I said was that it had been quite a few years since I had run BSD so I needed extra time to deal with the relearning curve. Fortunately, for me, that wasn't a big issue. I have a different review just about done for next week, one for which I've also had a lot of requests. A DragonFly BSD review will follow fairly soon after that.
142 • @139 (by Nobody Important on 2009-08-06 19:00:30 GMT from United States)
-Absolute is fairly easy to set up. Caitlyn's review caught it on its one bad release. The rest have been extraordinary.
-He's trying the Release Candidate. It's stable enough, but Paul is waiting for Slackware 13 to set anything in stone.
143 • @137, 135 (by Ben on 2009-08-06 20:19:17 GMT from United States)
Actually, for remastering Vista, it's "vlite" (which i believe is just like nlite, just for a vista install instead of NT/XP), and it works incredibly! I was able to remaster an install disc, taking out much of the bloat, slipstreaming in SP1, and throwing the drivers on the disc! In the end, my brand-new Slim Vista Ultimate was just under 1GB iso on a DVD! highly recommend, for those of us who still need a windows partition, for work, games, whatever. thanks for bringing it up, Pearson!
144 • Corporate Freedom (by Tom on 2009-08-06 20:26:59 GMT from United Kingdom)
I keep forgetting that there's often a huge difference between what people say they want and what they really want. Corporate bodies seem to respond better when they are given freedom from choice. When told there's only one option they can either have meetings to decide on it or take an executive decision, depending on their management style. Giving these sorts of people 2 equal but different informed choices can cause sizeable problems; meetings to set a timetable of meetings, a group to investigate each option, another group to see if there are other options and another to see what the competition is doing, one or two groups to co-ordinate and someone to supervise, to report to, to report to the meetings, costings to be calculated and forecasts made. When these people say they want freedom of choice they mean freedom from choice, so perhaps a couple of blatantly absurd choices and good reasons not to choose them.
145 • Hmm (by Nobody Important on 2009-08-06 21:44:09 GMT from United States)
I do have Windows Vista (ref #143) but not of my own choice. I squashed an Ubuntu install onto the side of it to save myself sanity and time. Vista takes two to three minutes to boot; Ubuntu takes ten seconds! I don't dislike Vista, I just like Ubuntu because it uses less battery life.
If I didn't have to use Vista, I wouldn't use it. I used to play games on it quite a bit, but that was before I bought a PlayStation 2 on the cheap. after that, I can't even remember the last time I booted into Vista; it was probably just to make sure GRUB didn't mess up the list after a kernel update.
I haven't used XP in months, but I don't miss it. If Paul's post on comment 135 thought Vista was bad to set up, he probably forgot how terrible XP was. Good luck finding the manufacturer of your computer; they might have some old drivers from 2002 if you're lucky. If not...get ready to start guessing which driver you need.
To be fair, Windows 7 does download drivers and various things for you much like Ubuntu, so it's not nearly as painful for people who need a Windows environment nowadays. And Linux wasn't much easier until just recently.
146 • The security discussion and live CDs (by Caitlyn Martin on 2009-08-06 21:48:31 GMT from United States)
I just reread the discussion this week because someone e-mailed me and asked me to :) One point seems to have been overlooked. Not only do some (by no means all) live CDs run as root, they do so without a root password or with a published and widely known root password. Someone does NOT have to hack or crack your system to get in if you run that way.
Let's say I know your IP address. It is almost certainly recorded on the DW server for every comment posted. How do you think the software knows what country you're in? If the DW server can figure it out that means other software can too, right? Let's also say you aren't running tor and privoxy or some other similar software which obscures your IP address. If you're running a live CD you almost certainly aren't because tor and privoxy are likely not included. OK, so now I have your IP address and I know from your comments you run a live CD and maybe even which one. If you have an ssh server running I can ssh to your system and login as root right now and do whatever I want to it. If not I can run a port scanner against your IP address and figure out another way in. It's pretty darned easy if you know what you are doing.
You can reduce the risk if you change the root password once you boot the live CD. You can reduce it further by creating an unprivileged account and logging into that. It takes maybe a minute to do. How many of you running live CDs take that minute? The only security you have is obscurity, which is to say none at all.
Oh, and once you boot the live CD you aren't running from read only media. You are almost certainly running from RAM most of the time. Otherwise the live CD experience would be intolerably slow. Some live distros, mainly small ones, load themselves entirely into RAM at boot. Others offer doing so as an option. Your system runs really fast that way but you are back to writable media, even if it is transitory media. That means an intruder can change whatever they need to change to do whatever it is they want to do. So much for live CDs not being crackable. Sure, an intruder can't rewrite the CD. That is the least interesting part of your system to an intruder.
Landor displayed the correct level of incredulity at the disregard for even the basics of security some people display. He's not the only one shaking his head.
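An added example, not part of any reader comment: a shell audit for the two conditions comment 146 describes on a booted live CD, a root account with no password and an SSH daemon that would accept it. The function names, the file-path arguments and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a live session's shadow file and sshd_config.
# Paths are arguments so the checks can run against copies or fixtures.

# Print root's password state from a shadow-format file:
#   empty (no password needed) | locked (! or * prefix) | set | missing
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Print the effective global value of an sshd_config keyword.
# sshd uses the first value it reads; keywords are case-insensitive.
# Simplifications: stops at the first Match block, ignores Key=value form.
# $1 = config file, $2 = keyword, $3 = value to assume when the keyword is unset
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Report findings; return 0 when none were found, 1 otherwise.
audit_live_session() {
    findings=0
    state=$(root_password_state "$1")
    # prohibit-password is the current OpenSSH default; older releases used yes.
    root_login=$(sshd_setting "$2" PermitRootLogin prohibit-password)
    empty_ok=$(sshd_setting "$2" PermitEmptyPasswords no)

    if [ "$state" = empty ]; then
        echo "FINDING: root has no password; set one with passwd"
        findings=$((findings + 1))
    fi
    if [ "$root_login" = yes ] && [ "$state" != locked ]; then
        echo "FINDING: sshd accepts root password logins (PermitRootLogin yes)"
        findings=$((findings + 1))
    fi
    if [ "$state" = empty ] && [ "$root_login" = yes ] && [ "$empty_ok" = yes ]; then
        echo "CRITICAL: root can log in over SSH with no password at all"
        findings=$((findings + 1))
    fi
    echo "root_password=$state PermitRootLogin=$root_login PermitEmptyPasswords=$empty_ok"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a live image with passwordless root and a permissive sshd.
demo_dir=$(mktemp -d)
printf 'root::14460:0:99999:7:::\nguest:!:14460:0:99999:7:::\n' > "$demo_dir/shadow"
printf '# constructed sshd_config\nPermitRootLogin yes\nPermitEmptyPasswords yes\n' \
    > "$demo_dir/sshd_config"
audit_live_session "$demo_dir/shadow" "$demo_dir/sshd_config" \
    || echo "audit: this live session is exposed"
rm -rf "$demo_dir"
```

On a real session the same function can be pointed at `/etc/shadow` and the system's sshd_config as root; a published default password still counts as "set" here, so changing it remains a manual step.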
147 • @146 (by Nobody Important on 2009-08-07 00:33:23 GMT from United States)
While it's true that security on some systems is pretty bad, I have a few questions. These are mostly academic; I'm not refuting your claims. I'm just curious.
First off, if there is no hard drive or personal data mounted or even available to mount, then would a LiveCD's environment be of much use to a hacker? Sure, there's writable media in the RAM, but all of that is wiped when the computer is turned off.
Secondly, I know most distros come with all ports closed. Let's say I'm using Ubuntu's LiveCD, where there are no SSH ports open, or anything, for that matter. Is this a partial solution, or am i missing other ways the hackers can get in?
Finally, and remember, I'm not doubting your points; what you say is absolutely true, but I'm just thinking that it all seems a bit...dramatic to assume you're being hacked at all times. I know most people have, possibly, credit card information or bank statements on their computers, but...well, it seems like you'd be a fish in the sea. And the level of users who can be fooled by a "YOUR THE 1 MILLIONTH VISITOR" pop-up seems higher than the users who might be susceptible from a LiveCD hacker.
148 • No subject (by forest on 2009-08-07 00:38:09 GMT from United Kingdom)
Ref Scientific Linux.
The only problem with SL tho' Caitlyn is that the devs do seem to have dug themselves quite a large hole and just keep going round in circles looking for some sailor bloke called Higgs or something, see here:
149 • Re # 146 (by Rex on 2009-08-07 01:32:24 GMT from United States)
Caitlyn, over and over again people make claims about how a live cd user can (according to you) be so easily hacked. That's sweet but I'm not hearing anything that convinces me.
I have run as a live cd for hours and hours. Never been hacked. So I know that Landor is exaggerating the risk.
Now I know that people can hack. That is not the issue. The issue is and no one has come remotely close to explaining this, and I really want to know it, if I'm wrong, but if a hacker could while I run my live cd, get into my hard drive, how does he see the hard drive. I am using this computer, and I can't see my own hard drive unless I open something gui wise such as a file browser, and that is very visible to me. Does a hacker not have to also open a gui and why cannot I see him or her do it?
A possibility is the terminal. But a term is not magic. One must have valid paths to put into it.
Also I don't know that one can see another system from one term without having to open a term in the local system. Maybe they can if they have had personal hands on access to the computer and installed software or written permissions previously for themselves.
When I used Logmein, I could not invisibly look and use the remote computer, its screen lit up when I logged in. So if Logmein which has the advantage of installing software on the computer and has my permission cannot (I say cannot because I thought it would be an advantage to me to be able to use my remote computer without it alerting any would be burglars-my target- to the fact that I could see them) if they cannot provide such an obvious advantage, in max favorable circumstances why should I think that a hacker of a live cd environment in which he must hang from mid air competing with me for ram can do it?
And please, if it is as easy as you say, why does not one of the people who think this cite verifiable cases of it happening? Why do distro makers recklessly allow their live cds to be downloaded if they are over 2 weeks old, for surely in that time security faults must abound?
I'm not saying someone cannot hack. I'm saying I want to know how from a live cd locale they can do it invisibly. It's not enough to claim people can do it, anyone can claim anything. Cite examples verifiable of it being done.
150 • #149 Agree (by Anonymous on 2009-08-07 01:38:17 GMT from United States)
They would have to know when you're using the Livecd and then hack in. Quite a long shot. I too have used Livecd's with no ill effects. FUD at its best, I suppose.
151 • Security (by Jesse on 2009-08-07 01:50:07 GMT from Anonymous Proxy)
Caitlyn brings up some good points about liveCDs. If you're running as root and have services like ssh enabled, the system is really up for the taking. Most of the liveCDs I've used have stepped around this issue by either disabling network services or having a non-root account.
As always with security, there are varying degrees of safety. It's important to get educated and find a balance you like between convenience with security.
Someone asked several posts back about examples of boxes getting hacked by a stranger without any notice being shown to the user. I have seen this a few times. A friend of mine installed Linux on his PC and asked me to come over and help him install some extras. By the time I'd arrived a few hours later, his box had already been hacked (I think through sshd or sendmail services). The only reason I noticed is I ran some command line apps and their output looked funny. They'd been replaced by hacked versions. We had to re-install from scratch and then I showed him how to disable un-needed services and run updates.
Years ago I used to break into friends' boxes just to show I could if they got too complacent about their security. Usually their first indication I was in was a message box popping up saying "hi" or a lot of drive activity. Of course, these were friendly challenges and I would talk to them about what I was doing before and after and clean up their system for them.
152 • Re # 151 (by Rex on 2009-08-07 02:42:23 GMT from United States)
Now this is just the kind of thing I hate.
War stories with absolutely no evidence and no way you could produce the evidence even if the story were true. Plus the invisible hacker you cite, you had no personal evidence that said hacker was invisible. The deed was done by the time you got there so you are not a witness to either a hacker nor a witness that your friend had his eye on his computer the whole time. For all any might know, maybe the friend hacked the "funny" output you cite himself. LOL.
And you did not explain what should be an easy question to answer: How does the hacker see what they are doing and why exactly can they see but not be seen. Yes stuff can be installed on a computer that invisibly sends out data but that is usually done by social engineering ie clicky click by the user. Not done by live invisible hackers. Or they are "invisible" only because they trouble to work while people are asleep in bed.
I guess that English master hacker facing 70 years in US prison was a lousy hacker because he talks about people at the military installations see the cursor moving on its own and cutting his connection. And he got in mostly by simply looking for computers that administrators had a blank password, not by some master craft.
If it is so easy there surely must be verified cases to be cited, not war stories by people I don't know at all.
Now if puppy runs only as root and there must have been quite a few puppy users over time, then one would think that there would start to be a manure pile of horror stories amassing in puppy land and puppies one and all would be dying or changing their habits.
153 • RE: 150 (by Landor on 2009-08-07 03:04:10 GMT from Canada)
I fully intended to drop this subject. What amazes me and again makes me shake my head at the level of knowledge people have and how easily they get stuck in some specific, yet erroneous mindset.
It was perfectly and completely stated "they do not need to figure out you are running a live cd "AT ALL". The only thing they need to figure out is that you are running something that is wide open and vulnerable. You think that by some magic means they decipher it's a live cd and then go, woah! we can rip it asunder since it's logged in as root with no need for a password! You're quite wrong, and spreading your own version of FUD.
I knew of a group of guys who frequently (a couple years ago, don't know about now) wreak havoc for the sheer pleasure of it all across the EU. They thrived on ways to find exploits in any scenario, whether it be a home system or massively deployed servers.
I'm not saying everyone should lock down their systems tighter than fort knox, what I am saying is don't believe you are totally free either just because the cd itself is not writable, you are far from it. Anyone ever hear of identity theft? Think it's only an MS user problem? Enough said I do believe.
Oh, and if you can, avoid any addons in firefox and such, keep things leaner, from sources that you know without question that can be trusted 100%.
Hell, even repos in Linux find packages dumped in them that were not legit.
Keep your stick on the ice...
154 • Re # 153 (by Rex on 2009-08-07 04:25:56 GMT from United States)
It's not FUD to say that I don't believe something and it's not FUD when I clearly am not claiming to know everything but openly challenge the believers to produce verifiable cases that we can all acknowledge.
Instead I get another war story and more panic now about Firefox addons. Plus now paranoia thrown in about Linux packages.
It does make a difference about whether it's a live cd because all the hacker has to work with is RAM and they have to assume that a live human is present who might shut down at any moment. (A hacker can read my darkest secrets but has no clue that I'm using a live CD and not my hard drive? How they going to look for my HD when they don't know where I am? ) And there is no direct connection between my live cd OS and the HD. Some gui must be supplied to communicate with the HD. And with a live cd one can be sure that they must do it all at one go. They can't sneak in and leave a little piece of code and then come back days later to work more on the house.
When Caitlyn talked about live writing abilities in RAM, what is the hacker to write with? Don't I see them open a writing gui? How does the hacker see?
None of the points and questions I asked were even referenced. Why are puppy users still alive for example ?
Why don't they have game shows where hackers win money for placing the text of the Gettysburg Address into a made-up file with "place here" inside it, and do it without being noticed by the computer user? Perhaps that could be a more socially acceptable way and profitable hobby for the masses of master hackers instead of them breaking things and engaging in crude social engineering hacks as most seem to do?
155 • Ref Rex (by Ben on 2009-08-07 04:33:32 GMT from United States)
Hey Rex, it seems as if you've been asking the same question over and over again, and either not getting a response or getting one that you don't think answers your question. So, here I go offering my measly 2 cents on the situation.
as has been mentioned, when you run a liveCD (or installation or usb-booted etc etc), and you are logged into a system (the system is on), it is possible for someone else to be logged into your computer remotely without any visible cues, via ssh.
(i apologize if this is stuff you know, i'm just interpreting your question as best as i possibly can).
for instance, at my school, we have a lab of computers running fedora 7, all on a separate network from the main school network. using an ssh client, i can log into one of the computers (assuming the computer in question is on) from anywhere with internet access, provided i have a valid username, password, and port number. someone could be sitting in front of the screen while i'm doing this, and they will have no visible clues that i am logged in.
however, they are not completely in the dark. say i'm compiling something (this is usually the only time i'm logged in remotely), and it's something not small, they may hear the hard disk spin, the fan speed up, all the signs that the computer is doing something, even if they are just staring blankly at the desktop background. also, they could go to a terminal and type "whois" to see, well, who is logged onto the system.
i think the reason everyone keeps bringing up live cds is the fact that they have either a) a default root login, b) no password for the user or root account, or c) a widely known login scheme. however, even if you are running a liveCD, and you are logged in as root, and sshd is running for one reason or another, and your password is "password", and you're yelling your IP address out the window and Tweeting it to all your friends and strangers, a dialog box isn't going to pop up on your not-so-friendly neighborhood cracker's box saying "Guess what, dude! A vulnerability!" (as cool as that would be).
i hope i didn't repeat what you already know, or muddle something you did know, or say something that is completely wrong, but in case i did, sorry. i hope this helps.
156 • No subject (by Anonymous on 2009-08-07 04:57:33 GMT from United States)
I'll keep using Livecd's and NOT get infected, and the FUD mongers can keep saying I will...til hell freezes over.
If it was as EASY as the FUDdy-duddy's say it is, then why aren't 10's of thousands of Livecd users infected.
This is ridiculous to keep spreading this nonsense.
Those of us that use Livecd's with root access are going to keep using them and the FUD-fus will keep trying to sway us otherwise.
157 • To Rex and Anonymous and all the security doubters (by Caitlyn Martin on 2009-08-07 05:17:38 GMT from United States)
FUD? Keep saying that. Do you know how many times I've been hired to clean up the mess after a security incident at a company? Trust me, it is far easier to prevent an incident in the first place. What you are saying is that you can ignore even the most basic security and get away with it. Well... maybe you can if you're very lucky. That's what "security through obscurity" means.
Infected? Who said anything about virii or worms or trojans or other malware? That isn't what an unwanted intrusion is. It's an unauthorized person gaining access to your system. They could do no harm whatsoever to the system and steal information from you, enough to steal your identity, and rip you off big time without ever "infecting" anything.
I spent 15 months working for a large contractor to the U.S. federal government doing primarily security work for a government agency. One group had an attitude like yours, a bunch of scientists who couldn't be bothered about security. In the time I was there they had two serious security incidents. I still have a framed certificate on my wall for an award I won cleaning up the mess and finally setting up reasonable security standards for them. The thanks I got from the government and my employer wasn't shared by the scientists. One told me "We're in the business of science, not security" and another told me how much harder things were since I arrived. Talk about shooting the messenger! Yeah, I reminded them where my instructions came from and who to talk to if they wanted a security waiver.
So, Mr. oh-so-smart Anonymous, you remind me of those scientists. They were all brilliant in their respective fields. When it came to computer security their PhDs might have stood for "piled higher and deeper". Go ahead, make your arrogant statements and tell those of us who clearly know security that we're spreading FUD. You'll enjoy all your live CDs and laugh until a security vulnerability bites you in the you-know-where.
You were warned.
158 • Re # 154 (by Rex on 2009-08-07 05:34:05 GMT from United States)
SSH (Secure Shell) first and foremost is a secure replacement for the r* programs (rlogin, rsh, rcp, rexec). The reason it is secure is because it uses all kinds of encryption type tomfoolery so that clear text is never sent over a network, it uses RSA keys to authenticate the user to the server and it also uses RSA keys to authenticate the server to the user.
Download yourself a copy of the latest ssh at ftp://ftp.cs.hut.fi/pub/ssh/ to begin with (version 1.2.26 as of this writing). After untarring the package type:
, standard installation procedure for any good GNU source package. All you have to do now is run sshd to start up the standalone ssh daemon listening on port 22 of your server. There's your basic ssh setup, type ssh host to login to host with your standard unix password. Xclients are automatically exported through the encrypted channel to your display and you can get a help screen of ssh escape sequences by typing ~?.
If you get adventurous and try sshing to other servers, be warned that you'll be told that the host key is not found from the list of known hosts. This is the public key found in the host's /etc/ssh_host_key.pub file. If you continue to connect, this key will be added to your $HOME/.ssh/known_hosts file. The rationale behind this is that if somebody else ever masquerades as this host, the host key would be different to the entry in known_hosts and ssh will instantly notice and tell you so. The ssh package comes with a script called make-ssh-known-hosts which looks up all the hosts in a DNS domain and adds their host keys to the /etc/ssh_known_hosts file which is also checked by ssh.
From a Web site.
Looking around, it seems that SSH has a purpose. To provide a secure tunnel. (As might be imagined ) Now it just doesn't seem likely to me that something specifically designed to be extra secure is going to be dangling in the wind exposed for all the world to use.
159 • Re # 157 (by Rex on 2009-08-07 06:26:58 GMT from United States)
Actually I am generally more than usually paranoid about security. On Windows I have anti virus (free versions) but that is not regarded by me as very effective, Just a little case of why not it might help. My main and true reliance 99% of the time is Sandboxie. My next security is that I regard everything I do as potentially discoverable. So therefore one should never put vital info on anything that connects to the net.
Basically all I'm saying is I don't believe that someone can read and or alter my hard drive while I'm running a live CD without me noticing. But if it's possible, then I'd like to know it and I'd like to know how.
Your examples of cleaning up messes do not apply to my question. I assume those businesses were not using live CDs. And as far as Scientists, that English hacker spoke of the vulnerability of just such groups in the military who communicated amongst themselves and trusted each other as colleagues and so let down their guard with each other. Thus he only had to find one with a blank password and the door was opened to all.
I agree one hundred per cent that if one is doing anything that can cost one in any real serious way, that they should use all the security they reasonably can. And that one should know that perfect security never exists.
Never have I said otherwise. I merely have a question in this one matter.
Regardless of what is possible for hackers to accomplish, just exactly how many of these masters are there, compared to the millions of people on line? How many are going to stumble upon someone running a live CD and say to themselves here's a bloke I don't know, don't know if they have anything worth two cents, don't know if they will log off in 5 minutes or 5 years, but I'll spend my brilliant mind and time on them. As far as I know, actual life experience proves that there are hardly any at all.
160 • #159: One last try and then I give up (by Caitlyn Martin on 2009-08-07 06:44:01 GMT from United States)
[quote]Basically all I'm saying is I don't believe that someone can read and or alter my hard drive while I'm running a live CD without me noticing. But if it's possible, then I'd like to know it and I'd like to know how.[/quote]
Exactly the same way as when you're running any distro that gets cracked. Intrusions are the same regardless of whether or not someone is using a live CD or a distro installed on the hard drive. If someone can access a system and I can gain root privileges I can change anything they want. If you want the actual methodology of exploiting specific vulnerabilities I suggest you read the descriptions in the CVE database. The fact that you are running a live CD is irrelevant. What is relevant are the vulnerabilities on your system.
Running as root with no password or a published password is like putting out the welcome mat to everyone out there no matter how malicious they may be. Sure, any system can be compromised. Some are easier to compromise than others. Running as root with no meaningful password protection makes you a target of opportunity, an easy mark.
Somehow I don't think even the most detailed or technical explanation will ever satisfy you.
161 • @ Rex (by Untitled on 2009-08-07 08:49:19 GMT from United Kingdom)
Caitlyn, as far as I read it Rex's question is much simpler than the questions you answer. If I'm correct, the question is:
"Can anyone do something on my computer without me seeing what they're doing?"
Rex, think of SSH as a remote terminal. Let's say I got into your computer using SSH and I know your root password, I can send commands to your computer using the GUI window on mine. If you have a hard disk attached I can mount it and go through its contents.
Or, I could upload a keylogger to your machine and run it (I have root permissions, remember?) and sit there looking at everything you type. You bought something on ebay and paid using paypal? I got your log in details, thank you very much, with nothing popping on your screen to tell you anything was done at all.
The point with LogMeIn and the likes is that they give you a GUI indication that someone is connected to your computer because they choose to, but do a search on "screen viewer" and you'll see how many are already out there.
At the moment, it's not very likely that your security will be compromised.
It's not worth hackers' while to do all that. Too much work for them for not enough incentives while just next door to us there are many more people using a more unified operating system and with enough users like my own neighbour who clicks on every flashing banner she sees. Less work and much more to gain.
Caitlyn's point, I think, is that obscurity and the lack of incentives should not form the basis of your security strategy, but it's really up to you if you think it's enough.
162 • No subject (by forest on 2009-08-07 09:00:13 GMT from United Kingdom)
Ref Security topic.
Despite all the very detailed to-ing and fro-ing in the above...not to mention the hypothetical scenarios..the English hacker DID find a way into military sites and DID have a look around.
He DID exploit security lapses and it is worth repeating...you could have all the locks on your home you wanted, but if you don't use them...or if you give a key to a trusted neighbour, not imagining for an instant the trusted neighbour might have a dodgy mate...you see where this is leading?
You might argue this arch uber criminal mastermind was caught only by the fact that he strolled in and wandered around with the lights switched on. Hardly cloak and dagger stuff. I don't suppose "real" attacks on allegedly "hardened" systems (LOL) would be anything like as obvious.
I would suggest the real reason there has been so much fuss is down to embarrassment, because of a combination of ignored protocols, for want of a better expression, and discovering that key personnel were exactly that, "keys" to the entire system.
I would have thought asking this hacker how he achieved his entry would have been rather more productive, then put him on a retainer for life as an advisor...far more sensible and would have obviated damaging/embarrassing PR at the same time.
I recall only a few days ago a post from a service engineer who described the military computers he was obliged to service just as gunked up with rubbish as those belonging to the ordinary man in the street...hmm...very reassuring.
Ref Caitlyn's very apposite comment on the so called brainy blokes aka scientists, when I was working we had a lot of degree holders doing exactly the same job as "ordinary" folk, some were decent blokes but the majority were up their own backsides.
If ever we lost program it was 99% down to them...they were far too blase about the entire deal...the prevailing attitude was, "it will never happen to me", err, well, actually, it did.
It took some of them a while to discover they got paid the same and were treated exactly the same by management...following their cock-up.
Lastly, I was a bit surprised that some folk are unhappy with using script blockers, granted nothing is 100% secure, but at least it is a start by being able to have the choice of run, not run...I gather a real concern is the cross scripting...a sort of uninvited guest to the feast...who turns out to have an insatiable appetite...
163 • security (by Mike Thomas on 2009-08-07 09:04:06 GMT from United States)
Perhaps it's a fundamental misunderstanding of how the system functions. Linux is a network oriented OS by design. The means to access the system at the hardware level are part of the system. Rerouting input and output is also a fundamental aspect of the operating system. Whether this is done visually is generally an aspect of the particular software which is running. As a simple example, I login to a BASH shell on a networked box and use the following commands.
ls | cat > list.txt
First, the BASH shell is running remotely and its output is only sent to the remote (my login) display. Second, the command string will only output to the file list.txt. There will be no cursor movements or open windows on the other system's terminal. Hardware has advanced quite a bit since those days. If that computer is running X and programs are run outside of the X environment and they don't send output to the X system you would never see them execute in the X environment. You may see the other tell-tale signals such as disk activity. The desktop environment is not in control of the whole system. One can see this by using another console to login. The will allow this.
One should also keep in mind that all the tools any remote access needs are already built into the system and they were designed to be used this way. It's part of the functionality of the system. Granted my example is extremely simple but the principles are the same.
You mention a GUI must be used to access the drives on your system but this is not true. The BASH shell can access the drives or any other hardware and no GUI is required. GUI simply means 'Graphical User Interface'. It is simply one means to allow users to interact with their data.
I hope this helps you understand the situation a bit better.
164 • No subject (by forest on 2009-08-07 09:32:29 GMT from United Kingdom)
That is a trifle scary...despite the post getting chewed up somehow.
I wish you had posted that earlier Mike...might have saved a few comments.
So, from your post, I am going to assume that, if I wished to play with a live CD it would be prudent NOT to use a machine with the hard drive installed, and, NOT be connected via a network.
Er, Mike, have you thought about doing an article on the security aspect for publication in DW?
165 • #154...security (by Jack on 2009-08-07 13:24:37 GMT from Canada)
I agree with you:
154 • Re # 153 (by Rex on 2009-08-07 04:25:56 GMT from United States)
It's not FUD to say that I don't believe something and it's not FUD when I clearly am not claiming to know everything but openly challenge the believers to produce verifiable cases that we can all acknowledge.
My question concerns ONLY how a machine with NO hard-drive and using a live cd can be compromised.
(BTW it would seem that my way of surfing the net is uncommon; I very very rarely find stuff that I want to make a note about or download. I can spend hours and hours on sites such as DW, /., various yahoo groups, the BBC and so on and never want to download anything to my folders (even if I had the hard-drive connected))
I hope that if this specific question has been answered ( and I am too dense to have understood it) that someone can explain it more simply.
166 • thanks ('nother off-topic query) (by Sean on 2009-08-07 14:02:41 GMT from United States)
Thanks for addressing my posted wondering about the page hits here, Caitlyn (I love that name) and others.
I have another question that could only be answered here.. so here goes: has the operator of this site, with presumed access to server logs and the info therein, ever posted or noted in DWW any data on the OSs used to come here?
I would be interested in that because we look at those things as well as regional data as a way to keep our company site tuned for our users. But also because I wonder how many use Windows, Mac and other non-linux OSs yet come here regularly vs linux users.
167 • Hacking (by Alan UK on 2009-08-07 14:23:06 GMT from United Kingdom)
Rex, I guess the best way to solve this is to invite someone to hack into your live cd-running pc.
Very interesting topic though, thanks for bringing it up.
168 • Re: 166 site statistics (by Sertse on 2009-08-07 14:29:55 GMT from Australia)
Afaik, there is also http://distrowatch.com/awstats/ which provides some interesting statistics on the users visiting the DW site. The stat about browsers and distros, especially when you click "full list/versions" is I find particularly fascinating. I say nothing on whether it means anything though :P
169 • @158 - SSH Security (by Pearson on 2009-08-07 14:33:35 GMT from United States)
Rex, you wrote
SSH (Secure Shell) first and foremost is a secure replacement for the r* programs (rlogin, rsh, rcp, rexec). The reason it is secure is because it uses all kinds of encryption type tomfoolery so that clear text is never sent over a network, it uses RSA keys to authenticate the user to the server and it also uses RSA keys to authenticate the server to the user.
Recall that there was a security flaw in OpenSSH (version 4.7) reported early this year. Yes, OpenSSH is still more secure than the r* tools. It's not absolutely secure. This is another reason why timely security updates are usually important.
I'm not trying to spread FUD. As I said earlier, how important this information is depends on what you're working, where you're working and how you're working. If you need to run a disk repartitioning utility at home behind a reasonable hardware firewall, then using a LiveCD running as root is likely perfectly acceptable. If you're wanting to check your home email on a lab computer at a nuclear facility, then it's much less advisable (reason: it's more likely that people will be trying to attack a nuclear facility looking for information, and being root gives no benefit to checking your home email).
Like much of life, it's all about balance. Or, as I usually think about it: cost (or risk) vs. benefit.
Frankly, I'm somewhat confused. Your post about OpenSSH seems very informed, and sounds like you have some experience in the Linux community. And yet, you can't accept that software can run your computer and access your data without you knowing about it.
170 • Actually (by Rex on 2009-08-07 14:42:49 GMT from United States)
Actually I was thinking yesterday of doing that.
As I see it now, the idea is that the terminal is what is used to see with, and that with a terminal on a remote machine someone could mount my HD, ask my hard drive to list all of its file paths, open and read them, write to them, etc. and no terminal would need be open on my machine, or if it was, my term would not show what their term showed and so using command line alone all could be hacked. So I would be left with only watching a system monitor to watch and try to guess from any unusual activity on it as to whether I am being presently hacked.
171 • Re # 169 (by Rex on 2009-08-07 15:06:40 GMT from United States)
Sorry if I misled. No I am not very informed. :(
What I did because I was getting a lot of the SSH claims, I decided to look on the web and see what SSH was capable of. The first 2 paras from that post were from a web site, but I didn't put quotes around them, I just added "From a web site" after them but perhaps that wasn't clear enough.
I realized I was maybe speaking before I had all info, but what I saw there seemed to indicate that SSH was deliberately set up by the user to be a more secure means, and thus a live cd user was unlikely to go to that trouble and not take more serious security precautions than running as root and that presumably live cd makers would not be so irresponsible as to dangle open hack paths on to unwitting users' machines. Yet in a way, the claims being such as they are, indirectly distro makers are being accused of that very thing because they deliberately make root only CDs and fail to force unwitting users to only run as non root. Nor do they spell out clearly in writing to the prospect what serious risks they are taking.
172 • @170 (by Patrick on 2009-08-07 15:21:35 GMT from United States)
Yes, correct. Your screen and keyboard is only one of the "terminals" (either command line or graphic) that can be used to access your system. Depending on services that are running, other "terminals" can connect to your system over the network, being a totally separate window into your system.
Another common misconception seems to be that a human hacker needs to be present to have your system hacked, and that no one has enough time on their hands to hack your system. This is just not true. Hackers make extensive use of malicious websites, robots and other automated programs.
You are running a live CD with a slightly outdated browser that now has a known vulnerability. You visit a malicious website that exploits the flaw and uses it to inject code that starts up sshd and adds user credentials for the hacker. Because your live CD runs as root, the injected code CAN DO THIS. The code sends a ping to the human hacker, who logs in to your system (invisible to you, he uses a remote "terminal"), mounts your drives, starts a key logger to intercept your password, etc.
This is a very simple scenario for a hacker. It takes very little of his time because it is all automated up to the point where he is ready to log in to your system. So there goes the security through obscurity argument. And it was possible because 1. your live CD runs the browser as root and 2. the live CD does not receive security patches.
An even simpler scenario:
Any website admin knows your IP address and receives your browser string when you use their website. The browser string tells them your browser and OS, often even the version of each. Based on this, a robot could be set up to run attacks against your system, tailored to your system. Without security updates, your live CD would probably be compromised soon.
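What the person at the keyboard can check for the "invisible terminal" described in comments 163, 170 and 172, as an added example that is not part of any comment: it reads the output of `who` and `ss -tln` and shadow-format password lines. The function names are made up for this example and all sample data is constructed.

```shell
#!/bin/sh
# Added example: list the logins and services that never show up on the desktop.
# Function names are hypothetical; all sample data below is constructed.

# Constructed `who` output: a console login, a local X terminal,
# and a login from another machine.
sample_who() {
cat <<'EOF'
rex      tty1         2009-08-07 14:02
rex      pts/0        2009-08-07 14:05 (:0.0)
root     pts/1        2009-08-07 14:40 (203.0.113.7)
EOF
}

# Constructed `ss -tln` output: sshd on all interfaces, a print service on loopback.
sample_ss() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       5       [::1]:631           [::]:*
EOF
}

# Constructed shadow-format lines: root has an empty password field.
sample_shadow() {
cat <<'EOF'
root::14463:0:99999:7:::
daemon:*:14463:0:99999:7:::
rex:$6$CONSTRUCTED$notarealhash:14463:0:99999:7:::
EOF
}

# stdin: `who` output. Prints "user tty host" for logins that came from
# another host. Entries such as (:0) or (:0.0) are local X terminals.
remote_sessions() {
    awk '
        $NF ~ /^\(.*\)$/ {
            host = substr($NF, 2, length($NF) - 2)
            if (host != "" && host !~ /^:/) print $1, $2, host
        }'
}

# stdin: `ss -tln` output. Prints "address port" for TCP listeners that are
# reachable from the network, i.e. not bound to loopback only.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4
            n = length(addr)
            # Split at the last colon so IPv6 addresses like [::]:22 work.
            while (n > 0 && substr(addr, n, 1) != ":") n--
            if (n == 0) next
            host = substr(addr, 1, n - 1)
            port = substr(addr, n + 1)
            if (host ~ /^127\./ || host == "[::1]" || host == "localhost") next
            print host, port
        }'
}

# stdin: shadow-format lines. Prints accounts whose password field is empty,
# i.e. accounts that need no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Run all three checks on the constructed samples.
report_sample() {
    echo "Logins from other hosts:"
    sample_who | remote_sessions
    echo "Listeners reachable from the network:"
    sample_ss | exposed_listeners
    echo "Accounts with an empty password:"
    sample_shadow | empty_password_accounts
}

# On a real system the same functions take the live data:
#   who | remote_sessions
#   ss -tln | exposed_listeners
#   empty_password_accounts < /etc/shadow    (needs root)
report_sample
```

An intruder who already has root can alter these tools and the records they read, so an empty report does not prove the machine is clean.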
173 • ref:170,172 terminals and hackers (by Pearson on 2009-08-07 15:45:23 GMT from United States)
As Patrick said, you are entirely correct. This is a case where a useful feature of Linux is also a potential avenue for abuse and intrusion.
Patrick also did an excellent job of explaining how the hacking process can be automated. It's this automation that makes the "security through obscurity" approach less effective.
174 • DW stats (by Sean on 2009-08-07 15:54:09 GMT from United States)
Thank you for that link (http://distrowatch.com/awstats/), Sertse!
A wealth of info.
175 • Firefox vs IE (by Sean on 2009-08-07 16:01:43 GMT from United States)
Wow, given the dominance of Windows visitors over linux (50% to 40%) it seems interesting to note that Firefox kicks the snot out of Internet Explorer in usage (61% to 13%).
Folks interested in linux are obviously savvy as to the weaknesses and vulnerabilities in IE.
176 • Re # 172 (by Rex on 2009-08-07 16:50:11 GMT from United States)
That would seem to mean that the way for max security is not to optimize 2 things but to impose maximum workable with comfort for the local user limits on them; namely the RAM and the Bandwidth speed accessible to his machine at any given moment. The hacker cannot change physical laws. Thus cut off his access to bandwidth and RAM and he will be stifled. Programs could be written to give the local user control over the max allowed at any given time of these two aspects. The programs would automatically squelch these two items to the lowest practical level at all times based solely on what the Desktop of the local user needs at the precise moment. He doesn't need any bandwidth at all to read for 5 minutes a document found on the Internet. The hacker would need bandwidth speed to do anything and if none is ever left over, who's he gonna call? Same with RAM.
177 • No subject (by forest on 2009-08-07 17:46:05 GMT from United Kingdom)
But, how much bandwidth is this hypothetical hacker going to need to exploit the opportunity and cream off your "confidential data"?
This sort of hacker is not to be confused with the English bloke staring at a lifetime in jail, who by the sound of it, in simplistic terms, must have got in, found a file menu/links, discovered they were not PW protected and gone strolling around from there. He must have been in the systems for ages and left traces of his identity.
If this illicit data mining is automated, according to Patrick, then the hacker matey will be trying hundreds and hundreds of computers at a time. I'm assuming in this instance this is an automated opportunistic set up and if one attack fails then move to the next and so on and so forth.
I'm going to presume again, that the hacking process is only a matter of seconds because surely the hacker won't be squirting MBs of code around to each and every machine?
Would it not be possible for this injected code to simply instruct the target machine to call back with the info at a later time/date?
Also, and please correct my impression, a distro firewall lets everything out by default...so what is to stop stuff being sent out, unless you set up the firewall rules so to speak? Up until now we have not had any protracted mention of firewalls.
From the above posts I can only repeat this security topic is far too big to be adequately discussed on a forum and could be the makings of a security article in the newsletter.
178 • Security (by Elder Vintner LaCoste on 2009-08-07 17:58:26 GMT from United States)
I can't claim to be an expert on security but as I said previously, I have never had any problems running a live cd. I have used Puppy for years and have visited thousands of websites safely (please take issue with this). Understand that this is just one user's experience and not a statistical analysis. However anecdotal my data is, I believe it to be accurate because I don't believe that I have just been lucky. You are much safer using a live cd on a secure website to shop than you are with a system installed on your hard drive simply because when you shut down all the information in RAM goes "bye, bye". Puppy also has a firewall and if you clean your browser cache with any regularity the chances are pretty good that you will never have a problem. I would (and do) trust this setup on a diskless, stand-alone computer not attached to a network.
179 • You're Right! #45 & About KDE 4.3 (by Jason on 2009-08-07 19:28:14 GMT from United States)
Wow looks like the new KDE's out! cool! i can't wait not to use it!
haha jk i guess i should give it a chance! but isn't it so slow? it uses 80% of my cpu doing nothing! and my cpu's not a weak one !
180 • speaking of security... (by Ben on 2009-08-07 22:12:10 GMT from United States)
hi again. Rex, it's good to see we've finally got your question answered.
as an ironic side note, i navigated to DW three times today to check on the comments (i find myself doing this a lot at work). however, at work, i am forced to use IE6, which is just terrible in general, but to make matters worse, i picked up a trojan. the same one three times. i think it might be parked on the home page...
sooo, whoever the webmaster for DW is, they may want to check on this...i don't know how else to get in touch. chances are, most people on here run linux (i had to wait to get home to post from firefox w/noscript so i wouldn't catch it, again), so they may not be affected, or at least not know they are. so yeah, beware i guess. and don't use IE6.
181 • @180 (by Nobody Important on 2009-08-10 03:01:02 GMT from United States)
"Don't use IE6."
Better words have never been uttered.
182 • Arch Linux 2009.08 released (by René Leonhardt on 2009-08-10 06:21:56 GMT from Germany)
The first torrent link in "Distribution Release: Arch Linux 2009.08" news
points to the .img, not the .iso file.
By the way, what is the best Arch Linux LiveCD? :)
Number of Comments: 182