Linux Foundation releases PARANOID internal infosec guide

Workstation security tips for system administrators.


Linux Foundation project director Konstantin Ryabitsev has publicly-released the penguinistas' internal hardening requirements to help sysadmins and other paranoid tech bods and system administrators secure their workstations.

The baseline hardening recommendations are designed that balance security and convenience for its many remote admins, rather than a full-blown security document.

The document is designed to be adapted to individual admins' requirements, and contains explanations justifying security paranoia.

Severity levels range from low to critical, and escalate to "paranoid" for those willing to operate in blacked-out faraday cages under more inconvenient but secure conditions.

"We use this set of guidelines to ensure that a sys admin's system passes core security requirements in order to reduce the risk of it becoming an attack vector against the rest of our infrastructure," Ryabitsev explains.

"You may read this document and think it is way too paranoid, while someone else may think this barely scratches the surface.

"Security is just like driving on the highway - anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person."

Ryabitsev is a web and Linux security geek who manages Linux Foundation-hosted collaborative projects. He says the guidelines should be adjusted if they are out of step with organisational risk appetites.

The first section covers buying hardware and lists SecureBoot as a critical feature, and a lack of firewire and Thunderbolt ports as as a bonus. Here password-protected UEFI boot mode is a must.

An admin's operating system distro of choice has to meet a dozen critical requirements around fast patching, verification, and native disk encryption. The latter must include Linux Unified Key Setup full disk encryption, including swap, an unprivileged admin group account, and lots of robust passwords.

The hardened Linux geek will need to globally disable firewire and Thunderbolt modules where they exist, filter incoming ports with firewalls, disable shd, and schedule automatic updates.

To be a fully-paranoid neckbeard, admins must install rkhunter and an intrusion detection system, and, crucially, maintain it (including running checks from a trusted environment).

Firefox is your browser of choice for accessing trusted sites. It must sport NoScript, Privacy Badger, and HTTPS Everywhere, and should have Certificate Patrol which squeals when out of date TLS certs are found.

The more secure Chromium is the sludge plow of the internet using seccomp, sandboxing, and kernel user namespaces to clear a secure path through insecure web trash. Admins should outfit their Chromium plow with Privacy Badger and HTTPS Everywhere (this correspondent recommends ScriptSafe to fully ruin the shininess and ad revenues of websites).

Chrome should also be dumped in a VM where possible, a configuration that is "surprisingly workable" if RAM-intensive, so says Ryabitsev.

The doc suggests VMs to compartmentalise applications, and points to the the Qubes-OS project as a suitable environment.

Password managers are a good idea; separate password managers for untrusted and trusted browsers are even better for the paranoid trophy seekers.

The guide does not touch on hardware data destruction, but robotics engineer 'zoz' has offered some tips for the slightly nervous to fully paranoid. The easy way is to remove disk platters with a couple of Torx screwdrivers, rubbing with a rare earth magnet, crushing in a manner offering the admin the most gratification, burning with fire, and dispersal among city limits.

Truely paranoid admins seeking GCHQ Five Eyes-assured obliteration will need to dabble in thermal, serious kinetic, and electric means of hard drive destruction. Zoz in his DEF CON talk showcases oxygen, copper, and thermate injection, and custom-made explosives. ®

Similar topics


Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022