This topic is a summary of some of the methods discussed on the forum that will improve your Puppy security when doing financial, online buying or other sensitive transactions on the web.
Regardless of what level of methods you choose, make yourself a small target.
* Boot
* Complete your transactions
* Shutdown, don't save and reboot
If you must leave a boot session open:
* Close the browser
* Use Puppy's internet connection tools to disconnect from the internet
All of the methods are most effective if the running Puppy is the only drive and operating partition attached to the computer. If this is not possible you can temporarily disable other drives/partitions during your session. See notes on the lockset utility.
IMO, Level 2, #1, #3 and #4 are easiest to implement with good protection. Also there are combinations of methods that can be used.
Finally, these only affect your OS and do nothing to protect you from social engineering or other user focused attacks.
Level 1
1. * Run a newer version of Puppy
2. * Enable Puppy firewall
3. * Use a dedicated Puppy for sensitive transactions
4. * If you use a savefile/folder use a dedicated one
5. * Boot with no savefile/folder (also referred to as "ram only" or pupmode 5)
6. * Run a newer version of a web browser
7. * Run the browser as user "spot"
8. * Configure your browser settings to "harden" it against attack (settings are a little different
- for each brand, check the web for yours)
9. * If using a "portable" browser, only use a dedicated install of it
Level 2
All of Level 1 plus boot from write protected media including:
1. * Boot from external media (USB flash, SDcard) with no savefile/folder
++easy to setup
++allows customization
++easy to make changes
--requires creating a ydrv .sfs file for customization (see instructions below)
--requires additional ram for ydrv
DO NOT use pfix=nocopy in grub (this will allow you to remove the
device after the boot is complete)
--requires removing media after system is booted to prevent writing
2. * Boot from CD or DVD
--requires CD/DVD drive
--slow booting
--requires remastering the ISO if customization is desired
--requires remaking media to make changes
3. * SDcard with write protect switch (can also then be used in a SD to USB adapter)
++allows use of save file (caution required)
++easy to make changes
++easy to include .sfs and portables (testing required, Notes below)
4. * USB flash with write protect switch
++allows use of save file
++easy to make changes
++easy to include .sfs and portables (testing required, Notes below)
--more expensive than SDcard
5. * Boot from Puppy ISO using Ventoy (USB)
++easy to include .sfs and portables (testing required, Notes below)
--requires installing and configuring Ventoy
--requires remastering the ISO if customization is desired
6. * Boot from Puppy ISO using a virtual machine (VM)
++easy to include .sfs and portables (testing required, Notes below)
--requires computer with adequate resources to run a VM
--requires installing and configuring VM software
--requires remastering the ISO if customization is desired
7. * Install Puppy ISO to a USB that is formatted as ISO9660. Can be done using the DD command or using Rosa Image Writer
--requires remastering the ISO if customization is desired
--requires remaking media to make changes
Level 3
1. * Write protect a drive partition using software
++Can be applied to both internal or external drives
++Allows customization
++Can be changed/edited
++Can hide access to other drives
--requires creating a ydrv .sfs file
--Requires detailed setup
--Not as positive as some other Level 2 media
What is write protected:
* All files and directories (at the time of protection) in the top level directory
What can still be written:
* New files or directories can be added to the top level directory
* Changes can be made to the running session (true of all the methods), but are not saved after reboot.
Example setup using BookwormPup64 on USB:
* Create a bootable ext3/4 USB using Menu>FrugalPup
* Open the USB boot partition and edit grub.cfg as follows:
- pmedia=usbflash
- DO NOT use nocopy in grub.cfg pfix
* Boot from the USB
* Install lockset.pet
* Create a ydrv .sfs (see instructions below)
* Check functions, do not use any protect or disable functions yet
* When satisfied click: Lock Protect
* Use the disable buttons to disable drives & partitions including the boot drive/partition
Creating a ydrv .sfs
NOTE: a ydrv will require additional ram, so you may want to limit adding additional programs
* Boot drive
* Customize, i.e, add programs, configure internet, add website bookmarks, etc
* Shut down and create savefolder
* Reboot
* Install nicOS-Utility-Suite-2022.pet https://www.forum.puppylinux.com/viewto ... 827#p69307
* Run Menu>Utility>NicOS_Utility-Suite
- 1st window, select 5
- 2nd window, select 1, 2, 4
- 3rd window, choose your working area, be sure to note the drive and partition selected
When finished, a Rox window should open showing the new ydrv
* Cut/Copy the ydrv .sfs file into the same directory as your savefolder (main Puppy directory)
* Rename your savefolder, i.e, dpupsave, rename to dpupsav, you can also just move it to another drive/partition
* Reboot, DO NOT SAVE
NOTES on using write protected media:
* Portable programs cannot run from write-protected media
These work-arounds can be used
* Portable programs have to be placed in /root
* Portable browsers or any app that must run as user "spot" must be placed in /root/spot
About the lockset utility
- lockset.jpg (11.37 KiB) Viewed 638 times
Lockset is not hack proof, it just adds new layers of obstacles and obfuscation.
It can write protect the boot drive partition (ext format only) and can also temporarily disable both drives and partitions. Lockset.pet installs the utility into /root/Startup so it runs automatically at boot. It requires "yad". Although lockset is specified in Level 3, it could also be adapted to other methods, testing required.
Some drives or partitions may not allow you to disable them.
Last, to unprotect a drive partition:
* Boot another Puppy
* Insert any external drive that was protected
* Click the icon on the desktop for the protected drive partition
A Rox window will open in the top level directory
* Press: F4
A terminal will open
* Type: chattr -R -i *
* Press: enter
wizard
UPDATE 250417: See post #6 for additional tools
