root mode: heresia? ... and more largely security

Bogomips
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: root mode everywhere: heresia?

Post#31 by Bogomips » 28 Jan 2016, 18:59

donald wrote: if you stick an experienced idiot in front of the keyboard.
Don't have to be an idiot. Just a moment's lapse of concentration at a critical juncture in the proceedings. :cry:
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB

donald
Full of knowledge
Posts: 2067
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany


Post#32 by donald » 28 Jan 2016, 19:36

^
You're not the only one..
It happened to me on a countless number of occasions.
It's my way of learning,..just do it and see what gives..
but I'm clever enough to have a (clonezilla) Backup...(always) 8)

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil


Post#33 by brokenman » 29 Jan 2016, 01:36

In my humble opinion, security is a very vague term. It is what it is for you. If you know the risks, then I say hell, feel free to work as root, naked on your front porch. There are risks and pitfalls. People ARE watching. Know the risks, choose what you want them to see, choose your boot mode and go forth without fear of ridicule or belittlement. I choose not to work as root, nor naked.
How do i become super user?
Wear your underpants on the outside and put on a cape.

fullmoonremix


Post#34 by fullmoonremix » 29 Jan 2016, 10:44

Salutations... :good:

IMHO... :oops:
For what it's worth... a creditable argument for (or against) contingency (or lack thereof)... comes from the ability to offer alternative (instead of critique).
Contingency is a tactic that "manages" security... which Moore's law (e.g. "planned obsolescence") makes impossible to guarantee.

Best Regards... :beer:
Last edited by fullmoonremix on 29 Jan 2016, 15:35, edited 4 times in total.

francois
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Spring, spring, spring... ... winter is running out of breath.


Post#35 by francois » 29 Jan 2016, 14:22

@aus9:
drifting off topic from logging in or not as root user

Moderation is not an easy task. The atmosphere on Porteus is often relaxed, convivial, slightly irreverent, sometimes philosophic, you have to feel the atmosphere. Let it be. We are on the tangent of security.
Take your time, enjoy the time that passes.

markds
Legendary
Posts: 43
Joined: 28 Dec 2012, 02:58
Distribution: Slackware
Location: Singapore


Post#36 by markds » 29 Jan 2016, 15:48

Wow, I'm surprised people actually bother to still quote my old posts even after I've disappeared into obscurity for so many years.

In any case, I was asked to look at this topic and contribute my (less than important and certainly not wise) 2 cents worth.

On the root/guest debate:

If you want a secure system, whether you are logged in as root or not, makes no difference. You factor in sudo, how many actually bother to do "sudo <command>" for every single command you need to run as root, rather than do "sudo bash" and then just do all the proceeding commands as root? Is that security or just a semblance of security? To me it's the latter. Afraid that as root you'll do something wrong and screw up the system? Again that's not "security" you're talking about, that's just sheer carelessness or for our newer admins, just plain inexperience.

Personally, I have been administering countless systems for well over 25 years. I've _always_ used root, from all manner of Linux distros, Solaris, HP, DEC, etc, I always use root. Ubuntu installations these days, first thing I do is to tweak the system and make sure I can logon as root. 25 years and I've never had to reinstall a machine because I did something as root so drastic that the whole machine collapsed.

So in conclusion, there is no right or wrong whether you login as root or not. It's up to you, but understand that logging in as guest only protects you from one person - yourself. If you're worth your salt as a sysadmin, you'll *know* how to get yourself out of a mess that you created because if you can *realize* you did something wrong, chances are good you will know how to undo it. And in the most extreme of circumstances (as a good admin) you'll have the backups to fall back on when all else fails.

To address some other points now:

Yes times have changed. WPA2 is almost as ridiculously easy to crack today as WEP was to crack 10 years ago. Now almost nobody will use WEP because they all know WEP is bad, even if they don't even know what WEP stands for (and it DOES NOT stand for 'Wireless Encryption Protocol'). Yes branded routers are no longer safe, one may argue they never have been, but from experience, all these poor configurations, hardcoding etc is a recent thing. They made some pretty good hardware back in the day. These days I don't buy a router or AP I can't install my own custom firmware (open wrt, ddwrt, tomato, padawan, merlin, etc) into and take absolute control of the hardware and that includes being able to change the admin username and ensure ssh access to the router/ap.

What has not changed is the fact that your machines are just end points. Root or guest, it makes no difference if your network is compromised and I don't need to be on your box to compromise the network - I could very possibly be down the street (many times I have been but that's a story for another time). If I'm on your network, I'm analyzing your traffic, catching possible passwords, keyphrases, (sadly not *everything* is encrypted these days) reading/altering conversations on the fly, and would be able to scan your machines for vulnerabilities that would give me access (keyword: Metasploit) and I would never really need to know what your root or guest password is. Do you really think being root or guest makes any difference at all?

Security today:

It's a sad fact that needs to be realized and that "security" today is a farce. You are only as secure as your network is. If you want security, it's simple, unplug your machine from the network. That's the ONLY way you're really secure. Everything else is just dressing on a very marketable term such that corporate entities will pour money down the drain. Even professional pentesters I know are fed up with the way security is just so loosely used and tossed about these days. It makes their vocation seem trivial and makes them look like con men.

As a parting note, do your BEST to secure your network, use rootkit detectors and good passwords, anti virus/anti malware, etc. These are all deterrents. As I said about WPA in that old slax forum post, if you have these deterrents in place, people will likely not push too hard to break into your systems because if you are just some random target, they would rather spend the time looking for someone MORE vulnerable than you. If you are a dedicated target because someone has a vendetta against you or pays hackers lots of money to hack you, then batten down the hatches, cause you're screwed no matter what you do and that's the reality of today.

There's my 2 cents worth as I disappear back into obscurity again. Peace brothers and sisters!


Post#37 by brokenman » 29 Jan 2016, 17:10

Who was that masked man? I mean, markds man.
How do i become super user?
Wear your underpants on the outside and put on a cape.


Post#38 by francois » 29 Jan 2016, 17:24

What masked man? Markds is markds. 8)
Take your time, enjoy the time that passes.


Post#39 by francois » 29 Jan 2016, 19:29

@phhpro:
please bring concrete arguments for this discussion to go further. :wink:
Markds makes a living from computers and is from what I recall a security specialist.
(edited now)

@markds:
These days I don't buy a router or AP I can't install my own custom firmware (open wrt, ddwrt, tomato, padawan, merlin, etc) into and take absolute control of the hardware and that includes being able to change the admin username and ensure ssh access to the router/ap.
Can you name a few in the cheap range routers that could be bought by the forum members?
Take your time, enjoy the time that passes.


Post#40 by fullmoonremix » 29 Jan 2016, 20:02

Salutations... :good:

For use with DD-WRT on eBay @ modest prices...
Linksys WRT54G series: WRT54GS

Best Regards... :beer:


Post#41 by markds » 29 Jan 2016, 20:42

Can you name a few in the cheap range routers that could be bought by the forum members?
TP-Link TL-WR2543ND (older model but very flexible in what it can do, only issue is WAN2LAN throughput is capped at 180Mbps)

Several of the TP-Link models with open wrt/dd wrt support multiple vlans, many to one NAT, hotspot, etc. It's my absolute favourite brand when it comes to a reliable and cheap solution.

ASUS RT-N56U
ASUS RT-N65U

The ASUS routers are so much better with padawan or merlin. These 2 are the cheaper ones but by no means lightweights. They can support a full 1Gbps connection even though the WAN2LAN throughput is stated as 930Mbps or so. I'm on a 1Gbps line and I've tested these and they work great with Padawan and Merlin.

*Gotta go - obscurity is calling!*


Post#42 by markds » 29 Jan 2016, 20:53

fullmoonremix wrote: Salutations... :good:

For use with DD-WRT on eBay @ modest prices...
Linksys WRT54G series: WRT54GS

Best Regards... :beer:
Good overall wireless routers, but very dated. I still use a GL model with open-wrt for my home hotspot which I initially built using a RPi incorporating freeradius and an SMS gateway so people could get their temp passwords but later moved to a linux run NUC when I consolidated my various appliance systems all over the house into a single server. Only issue with these linksys models is that they are basically 10/100 and not GBit routers but if you're using them only for 54g wireless then it shouldn't matter.

Cheers!


Post#43 by francois » 30 Jan 2016, 00:44

@ markds:

ASUS RT-N56U is 100$ CAN
ASUS RT-N65U is about twice the price

Would the cheapest one yield a good performance wifi wise over film streaming on kodi?
Take your time, enjoy the time that passes.


Re: root mode: heresia? ... and more largely security

Post#44 by francois » 30 Jan 2016, 02:05

I changed the title to be more inclusive. Do you feel better? :twisted:

Your "jeux de mots" are still appreciated. :wink:
Take your time, enjoy the time that passes.


Post#45 by markds » 30 Jan 2016, 08:47

francois wrote: @ markds:

ASUS RT-N56U is 100$ CAN
ASUS RT-N65U is about twice the price

Would the cheapest one yield a good performance wifi wise over film streaming on kodi?
The cheaper ones don't come with external antennas and that can be an issue. My movies are huge - I go for very hi def 12 - 20GB files so wireless streaming is a no-no for me. If you're looking at smaller (< 3GB), most wireless can handle it.

Asus routers are really premium stuff for the soho user and I would say that the cheaper TP-Link routers are just as capable as the Asus ones, especially the more recent TP-Link models. They are very flexible and with the 3rd party firmware it's definitely something you should look at.
