ONLINE SECURITY WITH PUPPY 5 (original) (raw)

Terry Ritter

2010 November 21

Using free Puppy Linux instead of Microsoft Windows
makes common equipment safe for online banking.

INTRODUCTION

The vast majority of home computers run Microsoft Windows and are not very secure, even with extensive anti-virus add-on programs. Those same computers can be made vastly more secure, essentially for free, by using a Puppy Linux LiveDVD, at least when banking. And Windows would still be available, when desired.

THERE IS A PROBLEM: Malicious software can and does infect personal computersto steal from online bank and brokerage accounts, and to steal identities and online bandwidth. Exceedingly clever and advanced malware cannot be stopped by firewalls, anti-virus or other features, and infections may not even be detected. Trying to "harden" a Windows installation is increasingly irritating, decreasingly effective, and the consequences of failure can be devastating: Your online bank simply cannot distinguish between "the real you" and a malware "bot" infection inside your computer, even with modern "2-factor" "one-time" and external "dongle" authentications.

**THERE IS NOT ALWAYS A SOLUTION: Malware exploits holes in security-unconcious Web standards.**Our Swiss-cheese standards are so intertwined with modern technology that a fundamentally secure approach would require changing every computer and every web site. Standardized weakness applies to all Web browsing platforms: desktop, laptop, netbook, smart phone, tablet and whatever comes next. Antivirus scanning cannot guarantee to detect a modern bot infection.

THERE IS AN OBVIOUS TARGET: About 91 percent of browsing is done from Microsoft Windows, and attackers will exploit anything and anybody to get at that market. The vast majority of malwares are designed to run only in a Windows environment, so most malware can be avoided simply by not using Microsoft Windows online. New cross-platform malwares can be avoided by also not using Java (JavaScript is not Java). Not everyone can avoid using Windows and Java applications online, and not everyone wants to, but stepping away from the target is a move in the right direction.

THERE MAY BE A SOLUTION FOR YOU: You can prevent malware infection provided you can boot your operating system from an optical drive. Malware "infects" by changing the "boot" or run-up data to restart malware on each session. Infection can be prevented by booting from a DVD, which is inherently "difficult or impossible" to infect. Currently, the best solution seems to be Puppy Linux:

By using free Puppy Linux booted from DVD, every reboot starts a clean, uninfected system.
By immediately jumping into Firefox, the complexity of Linux is avoided, while providing a familiar and stable browser experience.
Puppy Linux is unique among LiveDVD packages in providing an easy way to update the boot DVD with browser updates and configuration changes.

**I EXPLAIN HOW: The Puppy Linux process is exposed in detail.**Serious online security is made available to anyone willing to follow directions, provided only that they have a computer with a DVD-writer optical drive. Setting up a Puppy LiveDVD the first time may take 3 or 4 hours, but every time it starts it is bot-free. Serious security means re-booting Puppy and going directly to a financial site, without first reading email or browsing. A configured Puppy DVD can be replicated in 5 or 10 minutes, and may work with only minor changes on different machines.

I. MAKE A PUPPY DVD

You cannot just buy a configured Puppy Linux LiveDVD, but you can make one yourself, by following reasonable choices described here.

**These lists only seem overwhelming.**Most steps are a single keypress. You are not going to "blow up" your computer by making a DVD. If you use the recommended DVD+RW discs and screw up, you can erase the DVD and try again with no loss. Nobody need know.

**If you want, you can still go back to the original Windows system,**which this process does not modify.

FIRST: Find and Download Lucid Puppy 5.1.1

From Windows, go to one of the Puppy repositories, such as:
- ftp://ftp.oss.cc.gatech.edu/pub/linux/distributions/puppylinux/, or
- http://puppylinux.com/, or
- http://puppylinux.org/wikka/HomePage, or
- ftp://ibiblio.org/pub/linux/distributions/puppylinux/ (very slow).
You are looking for the ISO file "lupu-511.iso".
The file "lupu-511.iso" (129MB) may be in a subdirectory such as"puppy-5.1.1" as just one of various files.
Typically, a left-click on the "lupu-511.iso" entry will prepare to download the file.
Have the download file placed where you can find it later.

II. BURN PUPPY ISO TO DVD

Now we have the "lupu-511.iso" file, which is an "ISO" type of file. An ISO file is just the raw sequence of bytes recorded on a CD or DVD. The ISO "image" includes both the files and the file structure which names and locates those files.

For Puppy use, I recommend DVD+RW discs which seem somewhat more reliable than other types. (You do need a DVD writer which supports DVD+RW, of course.) If you make a mistake, you can erase a DVD+RW and start over.

To burn an ISO from Microsoft Windows, you might try CDBurnerXP:

http://cdburnerxp.se/en/download

To use CDBurnerXP:

Run the install.
Run the program.
Select the "Burn ISO Image" subprogram.
At "Select ISO image to burn:" browse to the lupu-511.iso file.
For "Burn method:" use "choose automatically"
UNselect "DVD high compatibility"
UNselect "Mode2XA instead of Mode1" (Mode1 has better error-correction)
UNselect "Finalize disc" (allows multi-session saves)
Select "Verify data after burning" The resulting burn, with a DVD+RW at 4x speed, with verify, completes in about 1min 20sec.

III. BOOT PUPPY, CONFIGURE, INSTALL FIREFOX, SAVE TO DVD

Some Things to NOT Install

When used for security, Puppy Linux should not be installed to a hard drive or a USB flash drive, but should instead boot from DVD on every session. Easily-writable boot drives are easily infected.

The Linux program "Wine" which emulates Microsoft Windows shouldnot be installed. Wine has gotten good enough to support a range of Windows malware, which is precisely what we are trying to avoid.

Similarly, the "Java" system also should not be installed, unless absolutely required. ("Java" is not the same as "JavaScript" which is part of the browser and is tamed by the Firefox add-on "NoScript".) Java is extremely dangerous because it expands the 1 percent Linux group (thus, not a target) to the 97 percent Windows + Mac + Linux group (absolutely a target) which may have Java. It is not enough to disable Java in the browser or in NoScript; Java should not even be present unless you cannot work without it.

Tell the BIOS To Boot a CD

The BIOS (Basic Input / Output System) is the computer program in control before an operating system is loaded or "booted." Basically, the BIOS goes down a list of devices to see if they hold a bootable OS to load. The first thing found that can be loaded, is loaded, and becomes the computer OS for that session. Normally, we want the "first boot device" to be "CDROM". The idea is to boot from a CD or DVD when one is present, and otherwise boot from the hard drive.

To enter the BIOS, restart the computer and watch for the message about which key to press to enter the BIOS. Often this will be Del (the delete key), but may be F1 or F2 or even something else. Press the key very quickly, or restart and try again until a BIOS configuration screen opens. Find "Boot / Boot Device Priority" or "Advanced BIOS Features / First Boot Device" or "Boot Sequence", and change the first entry to "CDROM". Move subsequent entries down, including the hard drive entry, "HDD" or "Hard Drive" or "Hard Disk". Then save changes and exit, which will start a reboot.

For BIOS help, see:

Boot Puppy and Configure

Put the Puppy DVD in the DVD reader, close the tray and restart the computer.

This is a tested, working example for my particular equipment--do not follow it blindly!

WAIT to Configure Internet
On my systems, Lucid Puppy sets up a wired (CAT5) Internet connection automatically, and I have not tried to set up Wi-Fi. However, some sort of Web connection will be needed to download a video driver and also Firefox. Ideally one would plug in by wire to get things going before taking on a Wi-Fi configuration.
1. on the desktop, click connect
2. click on internet by network or wireless LAN
3. select an interface (like eth0) and click
4. click on Auto DHCP (connection succeeds)
5. save configuration
6. click Done to move on
Set Up Firewall
1. follow Menu / Network to Linux-Firewall firewall and click
2. select OK, press Enter (confirm default install)
3. press Enter to move on
Install Intel Graphics
1. on the desktop, click quickpet
2. select "Drivers"
3. click Xorg High icon (download occurs)
4. click OK to confirm install
5. follow Menu / Shutdown to Restart X Server and click
Click the "Classic Configuration Experience" icon on the first startup panel
1. select "us" keyboard layout and press Enter
2. select "US/Central timezone" and "OK" then press Enter
3. select "Local" time and press Enter
4. select "Probe" (video display) and press Enter
5. select 1024x768x24 or 1280x800x24 and "TEST", then press Enter
6. select "TEST_X_NOW" and press Enter
7. use control-alt-backspace to recover, if necessary
8. select "FINISHED" and press Enter to move on

Install Firefox

Get Firefox
1. on the desktop, click quickpet
2. select Internet Pets
3. click on Firefox icon (download occurs)
4. click OK to confirm install
Update Firefox
1. on desktop, click browse to start Firefox
2. in Firefox, follow Help to select "Check for Updates"
3. click "Update Firefox" (download occurs)
4. click "Restart Firefox"
5. click "Restart"
Update Flash
1. on Firefox update screen, click on "Update Adobe Flash Player"
2. select Linux version ".deb for Ubuntu..."
3. click "Download Now"
4. click OK to confirm "Open with" petget (download occurs)
5. click "OK" to confirm install

Save to DVD

Save Changes to DVD+RW, then Reboot
1. follow Menu / Shutdown to Power-off computer and click
2. select "SAVE TO CD" then press Enter
3. select "SAVE" then press Enter (save occurs)
4. select "OK" and press Enter to power down
5. wait 5 seconds then restart computer
6. Puppy comes back up

IV. INSTALL SECURITY ADD-ONS

Firefox add-ons provide security features which other browsers do not have. When other browsers get those features, or similar add-ons, then we can discuss whether they are as secure as Firefox.

on desktop, click browse to start Firefox
in Firefox, follow Tools to "Add-ons" and click
select "Get Add-ons"
search for and select each desired add-on and download into Firefox:
- if not updated on Mozilla, go to author's site for the latest version
- if apparently unavailable, keep looking. If necessary, use a general Google search for "Firefox addon" and the add-on name to find it somewhere on the Mozilla site.
click "add to Firefox..." (site contacted)
after a delay, click "Install Now" (download occurs)
WAIT! do not click "Restart Firefox" just yet
it is faster to add all desired add-ons before restarting Firefox
at least get important / security add-ons, shown in bold
- Adblock Plus -- hide ads to improve speed
- BetterPrivacy -- clear Flash cookies and DOM storage
- Cert Viewer Plus -- certificate viewer enhancements
- Certificate Patrol -- track certificate changes to expose SSL man-in-the-middle
- CipherFox -- show current cipher and keysize
- CoLT -- allow selecting link text, location, or both
- Cookie Monster -- control cookies
- CopyAllUrls -- save tab URL's as text, recover tabs from text
- Down Them All -- fast download manager
- Extension List Dumper -- save add-on names as text
- JSView -- expose external stylesheets and JavaScripts
- Google Docs Viewer -- view .PDF files safely
- LastPass -- cross-platform syncing encrypted passwords in the cloud
- MD5 Reborned Hasher -- check hash in normal downloads
- MultipleTabHandler -- close multiple tabs
- NoScript -- whitelist for scripts, XSS protect, etc.
  Options / Advanced / HTTPS can demand an SSL connection and block a site otherwise.
- NoSquint -- page and text sizing per site
- PageDiff -- show differences between HTML pages
- Perspectives -- notaries expose SSL man-in-the-middle
- Safe -- colored outline around SSL pages
- Save Complete -- File / Save Page As... improved
- SearchMenu -- fast dictionary, thesaurus (keep disabled until needed)
- Shooter -- capture screen or entire page as graphic
- ShowIP -- show page IP address
- SSLPasswdWarning -- warns when sending password w/o SSL
- Tab Mix Plus -- tab setup / crash protect (also Bookmark All Tabs)
- Uppity -- URL up-one-level
- URL Tooltip -- expose link URL with mouse
- WOT -- (Web Of Trust) danger colors on search result links
each can be uninstalled or just disabled later from Firefox Tools / Add-ons...
when done, on the Add-ons panel, click "Restart Firefox"
when Firefox comes up:

use Tab Mix Plus Session Manager
click "No Thanks" on LastPass
click "Enable only Multiple Tab Handler's Features"
click "Decline" on WOT
in the browser, select the Adblock Plus page and click "Add Subscription"
I have once had Firefox lock up before all add-ons installed. In response, I started the process manager fromMenu / System / System Status andConfig / pprocess process manager.Then I selected the bottom-most Firefox process and clicked "End process" which killed the remaining Firefox window on the desktop. Subsequently clicking the desktop "browse" started Firefox again which then continued from where it left off. This appears to be rare Firefox issue. Nothing was lost.

V. CONFIGURING FIREFOX AND ADD-ONS

These are suggestions for people just getting started. If you can configure Firefox on your own, do so.

Configure Firefox

Follow View / Toolbars to deselect "Bookmarks Toolbar"
Follow Edit to Preferences and select the "General" tab.
Set up a Home Page URL.
In Downloads, select "Save files to" and browse to the bottom of the file system to select "/archive".
In the Tabs tab, UNselect all warnings.
In the Content tab, if "Enable Java" exists, UNselect it. (Java is NOT JavaScript!)
In the Privacy tab,
- at "Firefox will:" choose "Use custom settings for history".
- UNselect "Accept third-party cookies"
- Select "Clear history when Firefox closes", click "Settings..." and select everything EXCEPT "NoSquint Site History, "Site Preferences" and "Tab Mix Plus Saved Sessions" then click "OK".
In the Security tab,
1. UNselect "Remember passwords for sites" (never allow any browser to manage passwords).
2. at "Warning Messages" click "Settings...", check only "I submit information that's not encrypted."
Click "Close" to move on.

Configure Tab Mix Plus

In Firefox, follow "Tools" to "Tab Mix Plus Options" and select.
In the "Events" tab,
- under "Tab Closing", for "When closing current tab, focus", select "Last selected tab".
- under "Tab Features", "Max number of closed tabs to remember" enter 50 and select.
In the "Display" tab, under "Tab Bar"
- Select "New tab button" and "on Left Side".
- Select "Close tab button".
- UNselect "All..." and "Extra..." options.
- For Hide the tab bar, select "Never".
- For When tabs don't fit width, select "Multi-row".
- For Max number of rows to display, select "5".
In the "Display" tab, under "Tab"
- under "Highlight" select "Current tab" only.
- under "Show on Tab" UNselect "Close tab button".
- for "Tab width" use 25 to 250.
In the "Session" tab,
- select "Enable Session Manager" and "Enable Crash Recovery" only.
- On "Start / Exit", for "When Browser Starts", select "Ask Before Restoring".
- For "When Browser Exits", select "Save Session".
- For "Startup Session", select "Last Session".
- In Preserve tab, select everything.
Click "OK" to move on.

Save Changes

if you have favorite sites or browser tabs you want to open on each session, set them up
set up your configurations the way you want them saved
close Firefox and any open windows
on desktop, find "save" button and click
click "SAVE"
select "SAVE" and press Enter (save occurs, then tray opens)
press Enter to move on.

VI. ADJUST TO PUPPY AND FIREFOX

Booting Puppy Linux from DVD is the best approach to get a believably uninfected OS.

Most people probably will start out on an existing Windows system, and Puppy does support use of Windows drives. However, Puppy does not need a hard drive, and when no hard drive is present, there is no hard drive to damage or expose. Personally, after getting beyond the traumatic change, I appreciate the increased security more than I miss having massive local storage. When necessary, I can use (and remove) USB flash drives.

Using Windows Drives

When Puppy comes up it will look for system drives (hard drives, floppies, CD's, etc.), and can use normal Windows drives. It is easy to read Windows files, and write files that Windows can use. But Puppy does not need a hard drive, and the best security is to not have one.

At first, the drive names in Linux will be unfamiliar, but it is easy to see what files are on any drive. A single click on a drive "mounts" that drive, and a directory window will appear. A mounted drive will have a name like "sr0" and some sort of indication on the drive icon as a reminder that it is mounted.

It is normal for an OS to "buffer" or temporarily store data being sent to a drive while waiting for the drive to catch up. It is important to not just yank out a USB plug for an external drive until the data have been fully stored. To "unmount" a drive, right-click-and-hold to select "Unmount sr0" (for example) and wait for the "mounted" indication to go away.

Using NoScript

NoScript is a browser add-on that disables JavaScript and also most other scripting languages, but allows scripting to be enabled for any particular web site and remembered for future use. Scripting is a problem because scripts are executable program code which the browser downloads and runs as part of a displayed page. Not enabling scripts can cause awkward page problems, but enabling a malware script can cause serious security problems. Of course, with Puppy Linux on DVD, we can restart the machine and get a clean OS with minimal effort.

Many sites can be used without JavaScript. Other sites need Flash, which is also protected by NoScript, and the site may say you need to download Flash, when you really just need to enable that site in NoScript. JavaScript can be enabled for a particular page by clicking on the "S" at the bottom of the browser window and selecting sites to allow. It can be illuminating to see how many different sites are being promoted from what seems to be a single page, and that is part of the browsing security problem. Note that a save is necessary for a new configuration to survive the next DVD boot.

Using LastPass

The user is responsible for having good passwords. A good password cannot be short and it cannot be words or names. The best password is a machine-generated sequence of random characters. A 15-random-character password should be good enough, with more brute-force security than any other part of the system. We need a different long, random password for every site, account and piece of equipment (such as a Wi-Fi router). We cannot remember such passwords, so we need a password manager to save them for us. Passwords are saved in a little database protected by cryptography done right.

The password manager LastPass.com works as a browser add-on, as a website, or as a stand-alone portable program. Normally, the browser add-on is most convenient. Alternately, users can access their passwords from the website using any uninfected computer. Or one can save the little encrypted password database, then use the standalone program to access passwords.

Starting to use password management can seem like being out of control. Only the password manager knows the actual passwords, and if it dies, what then?

A copy of the encrypted password database is saved on the LastPass website. If a disaster affects your machine, you can still get your passwords online from a different machine.
The browser add-on stores a copy of the encrypted database locally, for use if the LastPass site is down.
The encrypted database can be exported to a local file as backup or for use by a stand-alone LastPass program.

Using LastPass can seem scary, because it tries to be automatic. New sites are included by signing in and letting LastPass create an entry. Sometimes the automatic way fails, and sometimes the web site changes their login page. A manual login option is available by clicking on the LastPass icon, and then selecting the current site. The Username or Password can be copied to the clipboard, which then can be pasted into the desired location.

Correcting a login sequence can seem daunting, but there are relaxing options. When I edited an entry and changed the name, the old entry was not lost but the new entry was added. That meant I could change the new entry as desired without losing the password.

LastPass also has a "Secure Notes" feature which saves little text files in the encrypted database:

Secure Notes is good for saving text lists of everyday tabs (URL's) as created by the Copy All URLs add-on "Copy", and then placed in a Secure Note using "Paste". Later, perhaps on a different machine, I can highlight that list in the Secure Note, copy it to clipboard with Ctrl-C, then use Edit / Copy All URLs "Paste" to open that whole list of tabs. That avoids the need for normal bookmarks and local storage (which would require a DVD write after every addition), but also makes the list available on any machine I use, since LastPass will be open anyway.
Secure Notes is also good for holding a text list of the installed add-ons created by the Extension List Dumper add-on. From Tools / Add-ons, click the "Dump list" button, then click "Copy to clipboard" and paste that into a Secure Note. Unfortunately, I know of no way to use that list to automatically load all the add-ons, but I can use it on a new install to remind me what add-ons are needed.
Secure Notes is a good way to save the authentication security questions and answers needed for access from a different computer. This will be crucial if you become incapacitated and someone has to handle your affairs for you. It is important that your spouse or someone responsible have your LastPass password, and, thus, all your account access information. We are not in this life alone.

Saving Files to DVD

Most new or modified files are automatically saved when we save a session to the DVD, preferably a DVD+RW. For some reason, the desktop "save" button seems more reliable than an update triggered by Menu / Shutdown. The "save" button copies all changed files to a new session or directory on the DVD, but does not mark them as saved, so clicking "save" again will save all the same files again! Ending the session by Menu / Shutdown will offer to save those files yet again! Just say no, by selecting "NO SAVE", then press Enter and press Enter again (to "close drive tray"). Each startup boot will complain about an "unclean exit" for "x", but just select "Ignore" and move on.

I try to limit my DVD saves to once every couple of weeks or so, and then just after a clean startup and immediately after the desired updates or configuration changes. It is easy to archive files on the DVD by placing them in the "my-documents" directory before a save. Files in my-documents will be loaded from DVD to the in-memory file system in every subsequent runup, and thus be available (unless deleted and that system saved).

Saving files on the DVD rarely seems helpful to me:

I often send files to myself as email attachments, and also create text in Gmail, which provides automatic real-time editing backup.
I use Google bookmarks extensively.
I almost never need local storage, and my Web computers are very usable and even comfortable with no hard drive at all. Obviously, I do have extensive storage on the Microsoft Windows boxes, but those are generally aimed at offline use.

Files in the Puppy /tmp directory are not saved to DVD. Files in the /archive directory are saved to DVD, but not recovered in the next boot. Changed files are saved to DVD without overwriting the older versions, and only the most recent version recovered on boot.

In most file systems, a new file replaces the old one. But each time Puppy Linux saves to DVD, it creates a new DVD directory for that save. So the DVD can contain many different versions of the same file, as it was each time it was saved. This will automatically archive the progress of a writing or programming project over time in a way that does not occur in normal computer file systems. Each DVD session, and each archived file version, can be read from DVD under Linux or Windows.

DVD Issues

As an online security system, Puppy Linux should be booted from DVD, and run in memory. The unique Puppy Linux ability to update the DVD is what makes a DVD boot practical. But updates do need to be written to the DVD, and optical storage simply is not as reliable as hard drive storage.

Since all storage systems are somewhat unreliable, our Puppy response is just to be more rigorous than usual. For example, I manually back up an important local work (like this article, during development) before the end of every session. I may copy my file to a USB flash drive (1 minute), or send the file to myself as an email attachment (2 minutes), and save it to a Windows drive (1 minute), if present. Even if I work "in the cloud" using Google Docs, I still "Download as" the file and attach it to an email to myself, thus creating a project archive without writing to the DVD.

Sometimes upon restart Puppy comes up (the splash screen shows), but then fails upon reading the last saved session. We can permanently void the last session by starting Puppy again and entering the command "puppy pfix=1" at the splash screen input.

Rarely, we can find that the last session save has made the disc completely unreadable, at least for boot purposes. Then we need to start over with a new disc we have cleverly made in advance. Or we get to start over from scratch, which may be irritating but not really a disaster.

Making a configured boot DVD

Puppy does have a "remaster" process, at Menu / Setup / Remaster Puppy live-CD, but that seems overly complex and I have had problems with it (in 4.3.1).

An alternative way to "copy" a configured Puppy DVD is to first boot from a fully-configured DVD, then save that session to a different disc. It would be nice to simply put in a blank DVD and click "save", but that does not appear to work. Puppy asks for the original boot DVD, which is immediately updated with a new session, instead of reading the system for transfer to another disc.

What has worked for me requires another Puppy ISO DVD. We can make that in Puppy:

download the puppy ISO again, or copy from USB flash drive into Puppy memory, perhaps /tmp
put a clean DVD in the burner tray and close tray
follow Menu / Multimedia to "Burniso2cd burn iso file to CD/DVD" and click
select DVD and click "OK"
select drive and click "OK"
browse to lupu-511.iso and click "OK"
click "MULTI"
set burn speed at 4 and click "OK" (burn occurs, tray opens)
"Would you like to verify...?" click "Yes"
manually close tray
wait for burner LED to settle down
click "OKAY" (verify process occurs)
"the burn has been verified as good"
click "OKAY" (tray opens)
click "FINISHED" to move on
manually close tray

When we have a Puppy ISO DVD, we can save our current configured state:

on the desktop, click "save"
click "SAVE" (DVD tray opens)
IGNORE "Please insert the Puppy live-CD/DVD media that you booted from..."
INSTEAD, insert (or do not remove) Lucid Puppy 5.1.1. ISO DVD
close tray
wait for the burner LED to settle down
press Enter (burn process occurs)
"Have saved session to live-DVD (unless it has not, which is an error)."
Sadly, The cuteness of that message evaporates rather quickly when things do not work, since there is no indication about what went wrong or what the user could do about it.

This process usually does work and can be used to:

Manufacture a few mostly-configured DVDs for a group, a class, or a family, much easier than configuring each one by hand.
Make a backup, in case something goes wrong and a boot disc is damaged.
Combine accumulated boot sessions into a single session for faster loading.
Possibly update to a new Puppy version just by saving to a DVD with the new ISO.

Difficult or Impossible to Infect

The huge advantage of a LiveDVD is that it is "difficult or impossible" for malware to change data on the DVD.

The presence of an easily-infected and immediately-writable boot drive (or even a boot USB flash drive) is what turns a successful malware "attack" into "infection." Hard drive infection happens in the blink of an eye and often cannot be detected afterwards. These infections are vastly expensive because simply deleting malware files is no longer enough for recovery. Once modern malware starts to operate, it "calls home" and then there are no limits to what it might do on the hard drive. After that, nobody can possibly know what to do to put things right. The only secure way to recover from modern malware on a boot hard drive is to re-install the OS (or recover an uninfected system image).

The alternative of a hard-to-infect and slowly-writable boot DVD makes stealth infection very difficult, and actually_impossible_ when there is no DVD in the drive. Puppy Linux normally loads completely into RAM so the boot DVD can be removed to play music or videos -- or to prevent infection. Even if DVD infection does occur, the latest sessions can be voided by Puppy before startup, or a brand new DVD created at low cost and minimal effort (when a configured backup is available).

In practice, the ability to save security updates to the boot DVD makes a DVD boot practical. There is no perfect security, but we can make vast improvements while still retaining some shreds of practicality.

Video Issues

In the older Puppy 4.3.1 version, it was hard to take a configured Puppy DVD to another computer because the video selections generally would not work on a different system. Dealing with this generally involved trying to somehow invoke the Video Wizard by menu selections without being able to see the menus.

The current Lucid Puppy 5.1.1 seems to detect being on a different computer and automatically starts the Video Wizard, at least on the machines I have tried. This is a big, big improvement. It may be possible in general to take a configured Puppy DVD to another computer and expect to get it to work fairly easily and quickly.

see "Welcome to the Puppy Video Wizard" panel
select "Probe" and press Enter
select appropriate format (in my case, 1024x768x24 or 1360x768x24 or 1440x900x24)
select "OK" or "TEST" and press Enter
select "TEST_X_NOW" and press Enter
use control-alt-backspace to recover, if necessary
select "FINISHED" and press Enter to move on

When moving to a new machine, if you cannot trust the hardware, you also cannot fully trust Puppy on that hardware. A hardware keystroke logger will not disappear simply by booting Puppy. External penlight-cell-size in-line loggers for PS/2 or USB keyboards are commonly available and might be installed by users. Internal laptop logger boards are uncommon, but are known to exist for laptops having a MiniPCI slot, as typically manufactured before 2008.

Connection Issues

In general, networking hardware will be different on different computers, so a configured Puppy may need new configuration.

on the desktop, click "connect"
find "Internet by wired or wireless LAN" and click that icon
find "Simple Network Setup" and click that icon
select an interface (like eth0) and click
click "OK"
click "YES SET AS DEFAULT"
click "OK" to move on

Actually, I would prefer for Puppy to not automatically log into the Net, but instead wait until and unless I want that. Currently I do not know how to get that.

Power-Down

In a system without a hard drive, we can just turn the power off. Power failure cannot damage a hard drive when there is no hard drive.

If the system has a hard drive, we need to follow Menu / Shutdown to "Power off computer" and click. Select "NO SAVE" and press Enter (DVD tray opens), then press Enter to finish.

VII. SECURE USE

Just getting Puppy, booting it from a DVD, and using Firefox with security add-ons covers a whole lot of computing weakness. As one might expect, there are other issues:

What about passwords?

Even the most basic security requires us to use long random values for passwords.
We need to make and use a different long random password for every device and every site and every account.
Never save passwords in a browser.
Instead, use the LastPass password add-on.
LastPass works in Firefox, for both Windows and Linux, and also has website access via SSL.
Do not email passwords to anyone, including yourself.
Delete all on-line emails containing passwords.
Install passwords in your LastPass.com account (or save as Secure Notes).
Avoid entering a password on a web page until after SSL (https://) has been established (use the SSLPasswdWarning add-on).
If forced to enter a password without SSL, consider the account public.

What about email?

We should use on-line email (try Google Gmail), since they can scan better than we can.
Always connect to on-line email via SSL encrypted connection. (Set the Gmail option.)
Do not click on a link in unexpected email.
Always mouse over links and examine the address before you click.
Never click on an email link to a financial account.
Do not download unexpected attachments, since a malware email can pretend to be from one of your friends.
In Gmail, view .PDF files online without downloading.
When browsing, view .PDF files in Google Docs Viewer without downloading.
Never supply or confirm User ID, Password, or any private data via email. Never email passwords!
Emails which do not address you by name are probably not really from accounts that do have your name.

What about browsing?

Always mouse over links and examine the address before you click.
Do not download browser toolbars.
Any alert that claims your system has malware probably is itself malware.
Any page which wants you to download and install something may be distributing malware. (The Firefox / Mozilla download pages are generally OK.)
If you need an update or a player, go to the manufacturer's page and download it from there.
Even respected companies can have their pages invaded and used to distribute malware.
NoScript is our friend even in Linux since JavaScript code will run on any browser.
Avoid using Java online. (JavaScript is not Java.)

What about snooping?

Currently, most information on the web is sent unencrypted, in the open, over broadband.
For wireless, anybody nearby can read what you send unless WPA2 security has been established.
But WPA2 security only extends through the air to the router, and then your data are unprotected again.
Even with wired (CAT5) connections, anybody on the same sub-network (e.g., the whole neighborhood or any room in a motel) might read what you send.
Avoid snooping by establishing an SSL (https://) encrypted connection wherever possible.
Expect a border around an SSL page (from the Safe add-on).
Never do banking or purchasing without first establishing SSL.
SSL uses a cryptographic certificate to link a web site to an issuer whose certificate is included in your browser.
Never approve a new SSL certificate!.
It is OK to use an existing SSL certificate that is slightly out of date.
Let the Certificate Patrol and Perspectives add-ons guide you on certificate problems.
Secrecy requires establishing an SSL connection before entering a password (use the SSLPasswdWarning add-on).
Instead of establishing SSL with each account, one might subscribe to a personal VPN service (like WiTopia).

VIII. MALWARE EDUCATION

Many who advocate better security can be accused of using "FUD" (Fear, Uncertainty and Doubt) to advance their cause. But if FUD by itself was a bad thing, there would be little reason to buy insurance, or even door locks, for that matter. The question is whether the problems are real or just made up, and whether the cure actually works or is just expensive snake oil.

Computer insecurity is real, and implies levels of technical, corporate, governmental and national security incompetence that are almost impossible to believe. Booting Puppy Linux from DVD is a real solution for increased security. You need not believe me: Read the articles, follow them up, and come to your own conclusions:

All Operating Systems are Vulnerable

Malware Steals

Malware Targets Microsoft Windows

Passwords

"only five percent of people use digits or special characters in their passwords and that sixty percent use single-case-only access codes." (BitDefender, Softpedia Nov. 2010)

Email and SSL Security

Patching is Increasingly Tedious and Ineffective

Everybody Has a Malware Problem

Avoiding Dangerous Sites Cannot Protect You

Authentication Cannot Protect You

Anti-Virus Cannot Protect You

Removing Malware Cannot Protect You

Your Equipment Cannot Protect You

You Need a Password Manager

"It is also interesting to observe that 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session." (Sect. 6.1) (CCS'09 Nov. 2009)