Gregg's Nearly Interminable Adventures in Linux Land

[kacir]

Quote:

Originally Posted by Gregg Bell

Are we all vulnerable to keystroke sniffing all the time?

Yes. That sniffing can be hardware or software.
Software keyboard logger is a small program (virus) on your PC that reads keyboard input and sends it somewhere. So everything you type is sent to a hacker and he can use this to look for passwords. The thing is, there is magnitude higher probability that you might have such a keyboard logger in a Windows installation than Linux installation. Linux has its share of problems with vulnerabilities, most of them are applicable to servers, not desktop computers, such as yours. Even then, keyboard loggers are relatively rare even on Windows.
I would be afraid of a hardware keylogger if I was a teacher using a computer in a lab accesible by students or a high profile criminal / hacker / silk-road operator that is of interest to NSA, FBI, CIA, MOSAD, ... . In the first case it would be a device plugged into a computer between a keyboard and an USB slot, or perhaps installed inside a modified keyboard, in the later case it would be a small bug under the table sensing signals along the cable, or perhaps reading Bluetooth traffic and transmitting data to a nearby unmarked surveillance van.

Quote:

Originally Posted by Gregg Bell

That's the thing. I never knew. He was just convincing me that if I had an email client I wouldn't be entering the password in the keyboard. Hence safer.

Yes, safer. But this eliminates only one [of many] vectors of attack. If you are really concerned about entering passwords, just switch to one of many on-screen keyboards for entering passwords. This is what some highly secure systems, or *very* paranoid users do. Secure on-screen keyboards for entering passwords also swap position of keys, so that you can't log mouse movements, and use only Red Green and Blue color to display keys and key labels (so it would be more difficult to sniff signals from a VGA cable leading to your monitor. But I wouldn't worry about such details, unless I were responsible for communications safety for an USA embassy in Moscow ;-)

[avantman42]

Quote:

Originally Posted by Gregg Bell

Thanks Russell. I have most of my passwords in KeePass2. I figured the important ones were safer being written down, though. But those are two-factor authentication cases anyway. Google and Chrome always want my passwords and I always say no. Maybe I should use them? Or just put all my passwords in Keepass2. I could even get one of those Key Files for Keepass2.

I keep all of mine in Keepass. As long as your master password is good, you're very unlikely to have any issues. Keeping them on paper (I assume that's what you mean by "written down") is theoretically more secure, but if they're less secure so that it's feasible to type them out, then that'll offset that extra security.

[DMcCunney]

Quote:

Originally Posted by Gregg Bell

Thanks a lot for the explanation, Dennis. So I use KeePass2 for most of my passwords but I figured I was safer having my important passwords offline written down somewhere. Firefox and Chrome are always asking to store my passwords and I'm always saying no. Would it be wise to store even my important passwords in the browsers? Or maybe they'd be better off in KeePass2?

What makes you assume important passwords are safer written down on paper and not stored in your browser?

My passwords all live in Firefox, and get entered automatically when I visit sites. Sites that use passwords pretty much all use https these days. I have a couple of password manager extensions that allow me to see what the stored passwords are, and export them to a file for import elsewhere. (I do a lot of playing with custom Firefox profiles. When I spin up a new one, my existing bookmarks and passwords get imported.)

I've never used something like Keypass or LastPass because I haven't needed them. (And there are folks who are paranoid about keeping password stores in the cloud.)

There are a site or two I visit that require you to change your password periodically, and when I visit I discover my saved password no longer works, and I must request an email to reset it. Annoying, but not worth complaint.

How might my passwords be extracted from my browser? I've never heard of that occurring. Most threats use things like keystroke loggers and man-in-the-middle attacks. Keystroke loggers are like viruses - easy enough to block if you have a secure system - and man-in-the-middle attacks require the attacker to be able to read your traffic. That's what https is all about. They can't.

Quote:

Are we all vulnerable to keystroke sniffing all the time?

No. How vulnerable we are depends upon our knowledge of securing our systems, and we are when we access the Internet. The vast majority of my usage is from my desktop, at home, with a router with security enabled and software and hardware firewalls. The only way someone gets access to my data is sitting down at my desktop's keyboard. If they can do that, I have much bigger problems than password security.)

Vulnerability tends to occur if you are accessing the Internet while traveling. I seldom do, and when I do, I'm likely doing it from a hotel room. I'm not online from a bar or restaurant with free Wifi.

Quote:

I don't say anything sensitive either. I just don't want to get hacked and then have the scumbag send out spoofing or phishing emails to my friends. (Or if it was my list, 5K readers.)

Which is why you exercise proper precautions to prevent being hacked. It simply isn't a concern for me, because I use Gmail as primary email address. If I used Yahoo I'd be nervous, because they've had massive breaches. AOL got hacked in the old days, but they've tightened up since.

(Verizon is dropping their own email. They bought AOL a while back, and are advising fo0lks with verizon.net address to switch to an AOL account. They bought Yahoo, too. Whether Yahoo email will continue to exist is unclear. I personally doubt it. Why support two webmail solutions if you're Verizon?)

Quote:

I don't want a client. I used Thunderbird along time ago and didn't like it.

I've never had a problem with Thunderbird. It has quirks, but works well once you have it configured. And there are an assortment of addons for it to customize it more to your liking.

As mentioned, I don't use it for email. I could, and it does have my Gmail address configured, but that's strictly for the odd case where I might need to send email from Tbird. I almost never have to do that.

Quote:

It was just that Godaddy guy hammering me about how I needed a client.

He lied to you to sell you something.

Quote:

That's the thing. I never knew. He was just convincing me that if I had an email client I wouldn't be entering the password in the keyboard. Hence safer.

Hardly safer. Security begins with knowledge. He was able to push you on it because you lack knowledge. You need to repair that lack.

Quote:

I got Essentials because Godaddy's free email (that came with the website builder) was horrific.

And how much do you actually use GoDaddy's free email? Since you have, like, and use Gmail, what do you need GoDaddy's email for?

Quote:

And Godaddy hosts my website and their new website builder is really pretty good. And 24/7 telephone support is good. Most of the people are really good, but some are real salesmen. (I have to gear up for being sold something every time I call.)

Okay, you have a legitimate reason for using their service, and are (mostly) happy with them.
______
Dennis

[kacir]

Quote:

Originally Posted by DMcCunney

What makes you assume important passwords are safer written down on paper and not stored in your browser?

Somebody can find a bug in the browser and hijack some plugin and get all your passwords at once.
When passwords are stored on paper, no amount of hacking(*) is going to read them.

(*) unless they hack your webcam and happen to read the piece of paper on your table

[Gregg Bell]

Quote:

Originally Posted by kacir

Yes. That sniffing can be hardware or software.
Software keyboard logger is a small program (virus) on your PC that reads keyboard input and sends it somewhere. So everything you type is sent to a hacker and he can use this to look for passwords. The thing is, there is magnitude higher probability that you might have such a keyboard logger in a Windows installation than Linux installation. Linux has its share of problems with vulnerabilities, most of them are applicable to servers, not desktop computers, such as yours. Even then, keyboard loggers are relatively rare even on Windows.
I would be afraid of a hardware keylogger if I was a teacher using a computer in a lab accesible by students or a high profile criminal / hacker / silk-road operator that is of interest to NSA, FBI, CIA, MOSAD, ... . In the first case it would be a device plugged into a computer between a keyboard and an USB slot, or perhaps installed inside a modified keyboard, in the later case it would be a small bug under the table sensing signals along the cable, or perhaps reading Bluetooth traffic and transmitting data to a nearby unmarked surveillance van.
Yes, safer. But this eliminates only one [of many] vectors of attack. If you are really concerned about entering passwords, just switch to one of many on-screen keyboards for entering passwords. This is what some highly secure systems, or *very* paranoid users do. Secure on-screen keyboards for entering passwords also swap position of keys, so that you can't log mouse movements, and use only Red Green and Blue color to display keys and key labels (so it would be more difficult to sniff signals from a VGA cable leading to your monitor. But I wouldn't worry about such details, unless I were responsible for communications safety for an USA embassy in Moscow ;-)

Thanks a lot, kacir, for the explanation. I'm really just a small fry so I'm sure I don't need NSA level protection. Your explanation gave me a sense of what's reasonable. (I need to accept the fact that there's always going to be some level of risk.)

[Gregg Bell]

Quote:

Originally Posted by avantman42

I keep all of mine in Keepass. As long as your master password is good, you're very unlikely to have any issues. Keeping them on paper (I assume that's what you mean by "written down") is theoretically more secure, but if they're less secure so that it's feasible to type them out, then that'll offset that extra security.

Thanks Russell. I've got a killer good master password, so I'm covered there. I guess the risk is if they somehow get your Keepass file, then they've got all your passwords. I think, like Kacir was saying, it's unlikely to have a keystroke logger esp. on Linux and all my important passwords need two-factor authentication anyway. I suppose I'm pretty safe. Even so, I'm going to check into getting a key on a usb drive. I guess that makes KeePass2 even more secure.

[Gregg Bell]

Quote:

Originally Posted by DMcCunney

What makes you assume important passwords are safer written down on paper and not stored in your browser?

My passwords all live in Firefox, and get entered automatically when I visit sites. Sites that use passwords pretty much all use https these days. I have a couple of password manager extensions that allow me to see what the stored passwords are, and export them to a file for import elsewhere. (I do a lot of playing with custom Firefox profiles. When I spin up a new one, my existing bookmarks and passwords get imported.)

I've never used something like Keypass or LastPass because I haven't needed them. (And there are folks who are paranoid about keeping password stores in the cloud.)

There are a site or two I visit that require you to change your password periodically, and when I visit I discover my saved password no longer works, and I must request an email to reset it. Annoying, but not worth complaint.

How might my passwords be extracted from my browser? I've never heard of that occurring. Most threats use things like keystroke loggers and man-in-the-middle attacks. Keystroke loggers are like viruses - easy enough to block if you have a secure system - and man-in-the-middle attacks require the attacker to be able to read your traffic. That's what https is all about. They can't.


No. How vulnerable we are depends upon our knowledge of securing our systems, and we are when we access the Internet. The vast majority of my usage is from my desktop, at home, with a router with security enabled and software and hardware firewalls. The only way someone gets access to my data is sitting down at my desktop's keyboard. If they can do that, I have much bigger problems than password security.)

Vulnerability tends to occur if you are accessing the Internet while traveling. I seldom do, and when I do, I'm likely doing it from a hotel room. I'm not online from a bar or restaurant with free Wifi.


Which is why you exercise proper precautions to prevent being hacked. It simply isn't a concern for me, because I use Gmail as primary email address. If I used Yahoo I'd be nervous, because they've had massive breaches. AOL got hacked in the old days, but they've tightened up since.

(Verizon is dropping their own email. They bought AOL a while back, and are advising fo0lks with verizon.net address to switch to an AOL account. They bought Yahoo, too. Whether Yahoo email will continue to exist is unclear. I personally doubt it. Why support two webmail solutions if you're Verizon?)


I've never had a problem with Thunderbird. It has quirks, but works well once you have it configured. And there are an assortment of addons for it to customize it more to your liking.

As mentioned, I don't use it for email. I could, and it does have my Gmail address configured, but that's strictly for the odd case where I might need to send email from Tbird. I almost never have to do that.


He lied to you to sell you something.


Hardly safer. Security begins with knowledge. He was able to push you on it because you lack knowledge. You need to repair that lack.


And how much do you actually use GoDaddy's free email? Since you have, like, and use Gmail, what do you need GoDaddy's email for?


Okay, you have a legitimate reason for using their service, and are (mostly) happy with them.
______
Dennis

Thanks a lot, Dennis. Yeah, you're really helping me repair my lack of knowledge. And I'm realizing I'm not as terribly vulnerable as I thought I was. I had the Godaddy free email because it came with the domain. Then it was so bad I upgraded to the Essentials. I read I could've re-routed (if that's the right term) so I could've used Gmail with that same email address I used with Godaddy but it seemed complicated and I was just too burned out to mess with it. Anyway, I'm committed to Essentials for three years and I like it so that's okay.

[Gregg Bell]

Re: my #765 post. I think I figured it out. (Why the browsers were funky after my Christian Mingle site was hijacked.) It was just an incredible coincidence in that Comcast (my internet provider) was having connectivity issues right when I was straightening out the hijacking thing. Hence, it seemed like I had a virus. I think it's all good now. I'll be careful but I think it's good.

http://money.cnn.com/2017/11/06/tech...l-3/index.html

[DMcCunney]

Quote:

Originally Posted by kacir

Somebody can find a bug in the browser and hijack some plugin and get all your passwords at once.
When passwords are stored on paper, no amount of hacking(*) is going to read them.

(*) unless they hack your webcam and happen to read the piece of paper on your table

I am concerned about neither of those.

I run Firefox.

I use very few plugins - Cisco's H_264 video codec, Google's Widevine Content Decryption, and a current version of Shockwave Flash. (Flash is set to require permission to run and does not get invoked automatically. I keep it around because I have a few sites in my bookmarks that use it - mostly design and fashion sites whom use it to good effect, and are transitioning to HTML5/CSS3 in any case.)

And I don't have a web cam.

You may find password sniffers a concern. I have layered defenses, and don't.
______
Dennis

[DMcCunney]

Quote:

Originally Posted by Gregg Bell

Thanks a lot, Dennis. Yeah, you're really helping me repair my lack of knowledge. And I'm realizing I'm not as terribly vulnerable as I thought I was. I had the Godaddy free email because it came with the domain. Then it was so bad I upgraded to the Essentials. I read I could've re-routed (if that's the right term) so I could've used Gmail with that same email address I used with Godaddy but it seemed complicated and I was just too burned out to mess with it. Anyway, I'm committed to Essentials for three years and I like it so that's okay.

I'm still missing something.

Yes, you could have used Gmail instead. Getting it to poll your GoDaddy email should be the work of a moment, and mail will appear in your Gmail Inbox.

What do you actually use the GoDaddy email for? What gets sent to it and when do you respond from it?

Speaking personally, one of the things I like about Gmail is that all of my mail appears in one place, regardless of source. I don't have to use different means of reading and replying to they mail, and have to remember what comes from where. I got cured of trying to do that years ago.
______
Dennis

[Gregg Bell]

Quote:

Originally Posted by DMcCunney

I'm still missing something.

Yes, you could have used Gmail instead. Getting it to poll your GoDaddy email should be the work of a moment, and mail will appear in your Gmail Inbox.

What do you actually use the GoDaddy email for? What gets sent to it and when do you respond from it?

Speaking personally, one of the things I like about Gmail is that all of my mail appears in one place, regardless of source. I don't have to use different means of reading and replying to the mail, and have to remember what comes from where. I got cured of trying to do that years ago.
______
Dennis

Hi Dennis.

As far as I understood I needed an email address connected to my website. I need it to send out mass mailing with email providers like MailChimp. They don't like just a Gmail address or something like that. I guess the website email makes them feel more comfortable that I'm not a spammer. So when I got Godaddy to host and build my site it came with the free email that was connected to the website. But the email (Workspace) was terrible. They offered a newer email (the Office 365 Essentials). That's what I have now.

[Gregg Bell]

Quote:

Originally Posted by DMcCunney

I'm still missing something.

Yes, you could have used Gmail instead. Getting it to poll your GoDaddy email should be the work of a moment, and mail will appear in your Gmail Inbox.

What do you actually use the GoDaddy email for? What gets sent to it and when do you respond from it?

I use it for responding to people who write to me. They either write from a contact box on my website or I've sent a mass mailing (5K) to my newsletter and they're responding to that.

Quote:

Originally Posted by DMcCunney

Speaking personally, one of the things I like about Gmail is that all of my mail appears in one place, regardless of source. I don't have to use different means of reading and replying to they mail, and have to remember what comes from where. I got cured of trying to do that years ago.
______
Dennis

I called Godaddy and I do not have to use the MS Essentials. I have a 30 day window to get a full refund.

I talked to the Godaddy guy and he said the best way to use Gmail was to set up forwarding. Specifically he said:

1) Set up a new Gmail account
2)Export the contacts from my Godaddy Workspace email account (which is the old Godaddy email)
3)Import the contacts into the new Gmail account.
4)Delete the Godaddy Workspace email account
5)Click on "Create Forward"
6)Delete the MS Essentials

I know you have all your email accounts in one place. I don't have the know-how to do that. (Maybe some day.) But for now, do you think the tech's suggestions make sense? Thanks.

[Gregg Bell]

I got it figured out pretty good. (You can disregard that last message.) Thanks!

[Gregg Bell]

Help me pick a computer? Year-end madness has a hold of me. I have all Linux computers now and I thought these refurbished computers would give me a great chance to nab Windows 7 and upgrade it to Windows 10. (If I can. One guy did it on the $59 dollar machine.) Any opinions on which would be best (of the three)? Thanks. Gregg

https://www.newegg.com/Product/Produ...9SIAAYZ8AA3963

[DMcCunney]

Quote:

Originally Posted by Gregg Bell

Help me pick a computer? Year-end madness has a hold of me. I have all Linux computers now and I thought these refurbished computers would give me a great chance to nab Windows 7 and upgrade it to Windows 10. (If I can. One guy did it on the $59 dollar machine.) Any opinions on which would be best (of the three)? Thanks. Gregg

https://www.newegg.com/Product/Produ...9SIAAYZ8AA3963

My current desktop is a refurb ex-corporate HP SFF box, which came with a an Intel i5-2400 CPU at 3.1-3.4 GHZ, 8GB RAM, and a 500GB SATA HD with Win7 Pro installed.

It was an emergency replacement for a Dell SFF unit that suffered a power supply failure, and the design was such that I needed to get a new machine.

I had gotten a 240GB Crucial SSD and a low profile ATI-AMD video card to replace the built-in Intel graphics in the Dell. I reused both in the HP.

I had upgraded the Dell from Win7 Pro to Win10 Pro with MS's free upgrade offer. MS's free upgrade offer was long over when I got the HP, but I had downloaded the Win10 Pro upgrade media to a thumb drive. As expected, when I plugged in the thumb drive and ran setup from it, it upgraded the Win7 Pro install to Win10 Pro just fine. (I did have to tell it not to look for updates before installing. I did that at first, and it came back and told me it couldn't find a valid Win10 license. I killed the upgrade process and restarted and told it not to check for updates, and it matter of factly installed Win10 Pro and then checked for updates as the last thing it did. )

Once I was up and running on Win10, I wiped the SSD and reset it to factory stock state, then cloned the Win10 install on the SATA drive to the SSD and set it as the boot drive.

As it happened, the onboard Intel HD2000 graphics on the HP motherboard performed better than the AMD-ATI card, so it got pulled and is sitting in a parts drawer.

I do recommend more than 4GB RAM. My HP came with 8GB, but I can go up to 32GB if needed. Thus far, no need, but the headroom is there is I need it.

I also recommend getting an SSD. You get a nice performance boost, with booting and program loads happening much faster. I just got a 120GB SSD from budget vendor at my local Micro Center outlet for $30. It's a mid life kicker for an old netbook. The fact that it's a budget model isn't a concern. SSDs have gotten for more reliable, an online torture test reports have reported petabytes of writes required before any failed.

And you may want to check that the CPU in the machine you buy is on Win10's supported list. I discovered after the fact that the quad-core Xeon CPU in the Dell was not on the supported list, and the system only saw two of the four cores. The i5-2400 is supported and sees and uses all four cores.

Without a closer look at the three you listed, it's hard to make detailed recommendations beyong checking the CPU is supported by Win10.

One area I'd think hard about is serviceability. The Dell was a PITA to work in when I needed to pop the hood. The HP was designed for easy service, and it was easy to pop the hood and get to what was installed. It was also expandable. I was able to install teh SSD as boot drive, the supplied SATA HD as data drive, and installed the SATA HD from the old Dell as a secondary data drive. (I repurposed the SATA port the onboard DVD player used for that, as I have no need to access DVDs.) More recently, I added a PCI-e USB 3.0 card, as the HP didn't come with it, and a 4 port USB3 hub plugging into it. There was a spare mini-PCI-e slot the card could fit into. Works fine.
______
Dennis