Almost everyone has poor on-line security, but free approaches
do exist to fix the problem:
The major banking security problem is malware.
So malware is a serious danger, we cannot tell if we have it, and making sure the system is clean requires a re-install ordeal. Way to go Microsoft!
Puppy Linux from DVD may not be best at everything, but right now it is best for secure browsing. A Windows hard drive is easily infected, and then it stays infected, whereas a Puppy DVD is hard to infect and easy to clean. Booting Puppy Linux from DVD loads a clean system and avoids existing Windows infections.
Linux does not make malware impossible, but it does mean getting out of the malware line of fire. Criminals have little reason to strike at Linux when they can make vastly larger profits targeting Windows. It is a fact that Mac and Linux users have for years enjoyed the advantage of few malware attacks.
Someday, Linux malware may become an issue, but right now Windows is vastly riskier than Linux. Someday, BIOS infections may become an issue too, just not now.
No other browser has anywhere near the security features produced by these add-ons:
Most attacks can be avoided simply by using some OS other than Microsoft Windows when on the Web. An attack designed to exploit the faults or use the services of a particular OS is unlikely to succeed on a different OS.
Criminals design attacks which encounter users at random. Since most users have Windows, most attacks target Windows. We can avoid most attacks by using something else.
Finding ways to harden Windows was the original goal of this research, but no solution was found. Malware can and does infect Windows, but users will not know, so users will expose their account numbers and passwords. Microsoft does not provide a tool that will certify a Windows installation as uninfected. Because of the risk of having been infected in some past session and remaining infected, Windows simply cannot be trusted with account information.
Using Puppy Linux is about as simple as an effective solution can get (especially if somebody sets it up for you, or tells you how). Puppy Linux is a very small operating system taking up only a small part of one DVD. Much of the apparent setup complexity is just configuring the OS and Firefox. The supposed alternative of trying to harden Windows enough for banking simply cannot work.
For secure banking, it is crucial to not use a system infected by malware. Since we cannot really know whether our Microsoft Windows system is infected, we are forced to find a way to load a clean system. Booting Puppy Linux from DVD is that way.
If you have a Mac, use that, but you still have an easily infected hard drive.
It is possible to subscribe to a personal VPN encryption service (like WiTopia), but that will not protect us from malware. Encryption cannot hide information when malware is in charge. Any Linux distribution should resist malware, but booting Puppy Linux from DVD also resists infection.
No. Since we boot Puppy Linux from a DVD, we do not have to change anything on the Windows hard drive. Unless we work at it, the only thing we can screw up is the DVD. And, with a DVD+RW, we can re-use the same disc and try again.
In theory, any Linux distribution can support good security simply by having a "Live" boot DVD which supports the Firefox browser. Booting from DVD avoids hard drive installation and any effect on the existing system. Booting from DVD also avoids any existing malware infections on the hard drive.
In practice, live DVD design and implementation issues make a big difference in different distributions. Some distributions may load code from CD or DVD as needed, so the DVD must remain in place, and operation is very slow. Puppy Linux loads completely into RAM and runs from RAM, which is faster than a hard drive. The Puppy boot DVD can be removed in operation. The computer does not even need to have a hard drive, even to produce an updated Puppy. When there is no hard drive, there is no hard drive information to be exposed, and there is no hard drive to infect.
In practice, supporting Firefox means supporting browser and add-on updates which quickly become a way of life. Some distributions force the user to make a new CD or DVD for each new update, which means once or twice a week. Only Puppy Linux actually burns new or changed files to new sessions (directories) on the original boot DVD. When Puppy boots, new file versions load instead of old ones, but the old versions are still there and can be read from the DVD under either Windows or Linux.
Currently, alone among all known Linux distributions, only Puppy Linux makes updates practical for a "Live" boot DVD.
When we want to access on-line accounts, we put our Puppy DVD in the optical drive and restart the system. Puppy comes up, we start Firefox, and are back in familiar territory. We do our banking, remove the Puppy DVD, and restart the system back to Windows. Even if our main OS is infected, booting the Puppy OS from DVD avoids the infection.
Puppy Linux is a free alternate operating system that most ordinary Windows users can use quickly. Puppy Linux supports the Firefox browser and most Firefox add-ons, thus delivering a browsing experience similar to Windows. There are various advantages:
Bookmarks are a self-made burden. For synchronizing bookmarks between Windows and Puppy I had been using Xmarks with great success. Eventually, though, my rapidly-expanding bookmark list made that intrusive by needing a ponderous download for every sync operation. Now, by exporting bookmarks as HTML then sending that file to myself as an email attachment, I can have all the old and obscure bookmarks available by viewing email. I save important new bookmarks to Google bookmarks "in the cloud," to avoid extending the DVD on every session. I do keep a few everyday bookmarks (tabs) locally.
Puppy Linux is not the whole security solution. Using a different OS can protect the computing environment from malware, including viruses, key-loggers and bot-nets. Browser, password, and connection security issues remain, although Firefox add-ons can be a big help. In addition to using Puppy Linux, users should:
Puppy Linux is free, voluntary software.
New versions have been coming out every few months, although none
are oriented specifically toward secure use.
Apparently Puppy has had multi-session DVD operation for years,
and may be the only live-DVD Linux supporting browser updates.
The Linux Development Environment
The reality of free Linux can be a shock to Windows users. Microsoft has a few basic flavors of Windows, all of professional quality, which stay basically the same for years. Puppy Linux has any number of different versions, often going in different directions with a few part-time developers, which may last a few months to the next version, or just die out. The way to assess the new work is to download a likely .iso, burn it to DVD and see what it does.
Business users may point to the lesser quality in the free Linux distributions, but if Microsoft was really doing a quality job, we would not be here. Reasonable people can disagree about which OS is better and yet still prefer Linux to Windows for on-line security. In most cases, we can take an ordinary PC, boot Puppy Linux in a couple of minutes, do our online work in much greater safety, then reboot Windows.
Those who do most of their work in the browser may not have as much need to reboot Windows as they first expect. However, when it comes to devices that are in any way unusual or specialized or new, Windows always has a driver, and Puppy generally does not.
In free systems, it is common for things to not work as smoothly
as in a professional product.
In the case of Puppy Linux, usually there are work-arounds, since
many other people have to do the same things as you anyway.
Or there may be a new fixed version in a few weeks or a month.
On the whole, Puppy Linux is very usable.
Puppy Linux Resources
A surprising amount of information is available, although some of it is dated and some is hard to find. Here are some starting points:
For best security, Puppy should be booted from DVD and not
installed to a USB flash drive or hard drive.
Any boot medium that is immediately writable can be easily
To freeze out malware, we need to not provide an easily infectable
While a DVD+RW obviously can be written, writing to DVD is
nontrivial, should be obvious to the user, can be absolutely
prevented by removing the DVD, and is easily voided in any case.
The following instructions are for Puppy 4.3.1 and similar.
Although the documentation recommends DVD-R, I think the results depend upon the particular burner drive the user has and particular types of DVD, which seem to vary a lot. I have had better luck with DVD+RW, and I can erase those and start over.
The BIOS is the part of the computer which is in charge before a major operating system is loaded or "booted." Basically, the BIOS goes down a list of devices to see if they hold a bootable OS to load. The first thing found that can be loaded, is loaded, and becomes the computer OS for that session. Normally, we want the "first boot device" to be "CDROM". The idea is to boot from a CD or DVD when one is present, and otherwise boot from the hard drive.
To enter the BIOS, restart the computer and watch for the message about which key to press to enter the BIOS. Often this will be Del (the delete key), but may be something else. Press the key very quickly, or restart and try again until a BIOS configuration screen opens. Find "Boot / Boot Device Priority" or "Advanced BIOS Features / First Boot Device" or "Boot Sequence", and change the first entry to CDROM. Move subsequent entries down, including the hard drive entry, "HDD" or "Hard Drive" or "Hard Disk". Then save changes and exit, which will start a reboot.
For BIOS help, see:
Puppy on a CD, or
How To Access the BIOS Setup Utility, or
How to Set BIOS to Boot from CDROM.
Download Extra Programs
We want Firefox, and it need not be the latest version because it is so easy to update. We do want the latest possible Flash Player, which is harder to update. Some Puppy versions (e.g., puppies-431.iso) include Firefox and an updated Flash Player, and so do not need .pet installs. The main Puppy version (e.g., pup-431.iso) does not have Firefox, and Flash Player quickly becomes outdated. Firefox and Flash can be installed (or re-installed) by finding and downloading .PET files. To install a .PET, copy / paste it into Puppy memory (perhaps /tmp), click it to install, then delete that file.
There is a Linux program called Wine which emulates Windows and
allows some Windows programs to run in Linux.
You may be tempted to install Wine, but DO NOT DO IT!
Wine has gotten good enough to support a range of Windows malware,
which is precisely what we are trying to avoid.
If we need to run Windows programs, we probably should stop browsing
and re-boot into Windows.
Example Puppy Install
When used for improved security, Puppy Linux should not be installed to a hard drive but should instead boot from DVD on every session. As programs and configurations are added to Puppy, the changes should be saved to the Puppy DVD, provided nothing strange has happened in that session. If any attack files actually do make it into the RAM file system and are backed up on the DVD, the session can be voided later. This example install is limited by my ancient monitor. This is a tested, working example for my particular equipment--do not follow it blindly!
When Puppy comes up it will look for system drives (hard drives, floppies, CD's, etc.). The drive names will be unfamiliar, but it is easy to see what files are on any drive. A single click on a drive "mounts" that drive, and a directory window will appear. A mounted drive will have a green on-screen dot or "LED" indicator as a reminder. Right-click-and-hold to select "Unmount" when done using the drive.
The user is responsible for having good passwords. A good password cannot be short and it cannot be words or names. The best password is a machine-generated sequence of random characters. A good 15-character password is probably stronger than every other part of the system. We cannot remember such passwords, so we need a password manager to save them for us. Passwords are saved in a little database protected by cryptography done right.
The password manager LastPass.com works either as a local
program or a website.
The contents of many other password managers can be imported into
Users can access their passwords from the website using any
Booting Puppy Linux from DVD is the best approach to get a
believably uninfected OS.
Saving the encrypted database on the Web provides both off-site
backup and synchronization for use with multiple computers.
LastPass has a Firefox add-on both for Linux and Windows.
Starting to use password management can seem like being out of control. Only the password manager knows the actual passwords, and if it dies, what then? First, there is a copy of the encrypted password database saved on the LastPass website. Next, the browser add-on stores a copy of the database locally, for use if the web site is down. And the database can be exported for backup or use by a stand-alone LastPass program.
Using LastPass can seem scary, because it tries to be automatic. New sites are included by signing in and letting LastPass create an entry. Sometimes the automatic way fails, and sometimes the web site changes their login page. A manual login option is available by clicking on the LastPass icon, and then selecting the current site. The Username or Password can be copied to the clipboard, which then can be pasted into the desired location.
Correcting a login sequence can seem daunting, but there are relaxing options. When I edited an entry and changed the name, the old entry was not lost but the new entry was added. That meant I could change the new entry as desired without losing the password.
LastPass also has a "Secure Notes" feature which saves little text files in the encrypted database. Secure Notes can be used to save Username and Password, just to make sure nothing is lost. Secure Notes also is a good way to save the security questions and answers which will be needed if the owner becomes incapacitated. Since emergencies are inevitable, your spouse or someone responsible should have your LastPass password.
New or modified files can be saved to the DVD. For some reason, the desktop "save" button seems more reliable than an update triggered by Menu / Shutdown. The "save" button copies all changed files to a new session or directory on the DVD, but does not mark them as saved, so clicking "save" again will save all the same files again! Then ending the session by Menu / Shutdown will try to save those same files again! Just say no! Each boot after a "save" will complain about an "unclean exit" for "x" but just select "Ignore" and move on.
I try to limit my DVD saves to once a week or so.
Files in the /tmp directory are not saved to DVD. Files in the /archive directory are saved to DVD, but not recovered in the next boot. Changed files are saved to DVD without overwriting the older versions, and only the most recent version recovered on boot.
In most file systems, a new file replaces the old one.
But each time Puppy Linux saves to DVD, it creates a new DVD
directory for that save.
So the DVD can contain the file as it was each time it was saved.
This will automatically archive the progress of a writing or
programming project over time in a way that does not occur in normal
computer file systems.
Each DVD session, and each archived file version, can be read from
DVD under Linux or Windows.
As a banking security system, Puppy Linux should be booted from DVD, and run in memory. The unique Puppy Linux ability to update the DVD is what makes a DVD boot practical. But updates do need to be written to the DVD, and optical storage simply is not as reliable as hard drive storage.
Since all storage systems are somewhat unreliable, our Puppy response is just to be more rigorous than usual. For example, I manually back up an important local work (like this article, during development) before the end of every session. I may copy my file to a USB flash drive (1 minute), or send the file to myself as an email attachment (2 minutes), and save it to a Windows drive (1 minute), if present. Even if I work "in the cloud" using Google Docs, I still "Download as" the file and attach it to an email to myself, thus creating a project archive without writing to the DVD.
Sometimes upon restart Puppy comes up (the splash screen shows), but then fails upon reading the last saved session. We can void the last session by starting Puppy again and entering the command "puppy pfix=1" at the splash screen input.
Rarely, we can find that the last session save has made the disc completely unreadable, at least for boot purposes. Then we need to start over with a new disc we have cleverly made in advance.
Perhaps the best way to "copy" a configured Puppy DVD is to first boot from a fully-configured DVD. Then download and burn (and verify) the current .iso to a blank DVD using Menu / Multimedia / Burniso2cd. There will be a lot of drive door opening and closing going on, and I have found it important after any door closing to watch the burner LED and wait for it to settle down before issuing a command. Then clicking "save" will burn the current configuration, effectively making a copy, probably with fewer saved DVD sessions. This may be a good common base for DVDs used by a group, a class, or a family.
Since Puppy essentially selects a video configuration when it first runs (as opposed to making a new selection on each boot), moving the already-video-configured disk to a new machine can be an adventure. By comparison to another Puppy system, it may be possible to select Menu / Setup / Xvesa Video Wizard (or whatever) and choose a reasonable mode without being able to read the selections. Once everything is configured for a particular computer, click "save" and you will have the same thing on the next boot. Eventually it would be a good idea to burn a new .iso DVD and use "save" to make a standby copy configured for that computer.
If you find errors or problems, let me know!
If you think changes are needed, let me know!
If something else needs to be covered, let me know!
If you try it with success, let me know!
If you try it and have problems, tell me about your technical level, what you tried, and what went wrong, but let me know!