Slashdot Mirror


LiveCD for Secure Web Browsing?

An anonymous reader asks: "Say you want to do your online Internet banking on your home PC, with a bank that lets you send actual money to complete strangers online, and you want to be really, really sure that some hacker isn't stealing your password or your money or both. You don't fully trust Windows, despite your best efforts to keep it secure, and you know that no OS installed on a hard disk is guaranteed secure or immune to root-kits and the like. You know enough about computer security to know that you are always just one careless mouse click or one security hole away from being screwed. You've read the advice from your bank, which says 'turn up' your security settings (whatever that means), and don't click on 'unknown' links (ever). So what you really need is a bootable CD with software so simple and stripped down that it lets you browse the web and nothing else. The nearest I can think of is one of the Linux mini-LiveCDs with Mozilla or some other browser included, such as Damn Small Linux, or ByzantineOS. Such a system shouldn't even know how to speak to your hard drives. Do Slashdot readers know of anything like this?"

4 of 40 comments

  1. Lots of Live Distros around by philntc · · Score: 4, Informative

    Nicholas Brand (who I believe has posted here before) has compiled a great looking List of Live CDs.

    Looks like they are even categorized quite extensively too. You should find at least something to ease your paranoia. But if you don't, you can make your own with Morphix, which is sort of a customizable Knoppix, and even has a how-to for something similar to what you want.

    1. Re:Lots of Live Distros around by bmsleight · · Score: 3, Informative
      There is even a version of Morphix called FireFox which loads and runs just Mozilla/Firefox. It's only 93Mb.
      "So what you really need is a bootable CD with software so simple and stripped down that it lets you browse the web and nothing else."
      Well, it does exactly what it says on the LiveCD. There is a how-to and how to modify (Morph) the CD.
  2. If you're worried about your money... by TheLink · · Score: 3, Informative

    If you're worried about your money, then securing your money is the main thing. Securing the computer is useful, but there are numerous other things involved. The people holding your money are usually the banks and other financial institutions. Their online banking apps and _processes_ may not be that secure (cross-site scripting attacks etc.), since most are quite new to it and haven't been burnt enough yet. Plus, depending on your setup, you may be reliant on your ISP to provide you the right IP address for your online banking site (and the DNS traffic has to be untampered with). If you somehow get the wrong IP address you could be screwed too, unless you connect directly to the site using HTTPS and check the certs (that's assuming you ALWAYS make sure the fingerprints are the same and don't transact if fingerprints change, OR you trust the CA to NEVER incorrectly issue certs to the wrong parties; VeriSign has screwed up before with an MS cert).

    Because of that and so many other issues, if you are really worried about your money, try to get your bank to not allow online transfers, or only to selected accounts - e.g. to the bank account you use for credit card payment. If the bank doesn't allow that, then do you feel your money is safe in that bank? If no, then change banks, or keep the bulk of your money in a safer bank and transfer money from the unsafe one to the safer one. You can often also get the bank to limit the amount transferred per day.

    For online payment (and offline where reasonable) pay everyone else using your credit card. That way if anything goes wrong, at least it's not _your_money_ that's gone - it's the card issuer's money that's gone or the Merchant's (or some other party, just not you!) - in which case while you're going through all the legal processes to fix things, you still have money to live on, and the pressure is on the OTHER parties involved to get things fixed, you can actually be a bit more passive. In contrast, if it's your money that's gone, often the rest could be sitting around whilst you'd be the one burning up the phone lines trying to fix things.

    In conclusion, allowing money to be transferred online from your account to random parties is quite insecure even if it's with your permission, and even if it's your own hardware and software, coz unlike ATM transfers, you and the bank are _unlikely_ to control everything else involved in the transaction. Plus the devices involved often do other things as well.

    I have checked out a bank's online app before (with their permission as part of a job) and I found I could cancel other people's cheques without their permission; fortunately, money transfers somehow didn't work - some other control was probably stopping it. I also found SQL injection in another bank's online app.

    There are bound to be flaws in banking apps. Previously this wasn't such a problem because the only people using the banking apps were the bank's staff who had to be trusted significantly anyway.

  3. floppy vs. Other? by alexdm · · Score: 1, Informative

    If it can't fit on a floppy (50mb, 8mb..2mb etc.), you might as well just use a live CD, which is normally fully loaded.

    Because if you have to boot from any media except a floppy, chances of you having to get into the BIOS and set the boot devices are high. So while you are at it, might as well get a fully supported, fully loaded media, right?

    As for floppy-sized distros, the only thing that comes to mind is tomsroot