You are talking about inbound, I am talking about outbound AND inbound.

SAMBA is available for the Amiga for example (smb).
There are web servers ( blackwidow, apache )
There are myriad other little tools both in and outbound.

I repeat, once in, as there is no process or filesystem security, you are scuppered. Just because your computer initiated the connection ( client ) doesn't make it safe. That is why firewalls are only of limited use in internet security.

There are plenty of opportunities to get hacked on line all you need to do is look at something like securityfocus.

There are a list of possibilities:
tthe
1. Trojan horses - downloaded or executed through accessing a web page or opening/downloading emails or running bad software. Once in, you are reliant on whatever security the OS or the software packages that are interpreting/running the exploit provide.

2. Daemon attacks - anything from remote code exploitation ( running stuff on your machine ), denial of service, forcing it offline or sending it bad information to cause anything from buffer overflows or misallocating the entire memory in your OS.

3. Snooping and fishing for data. By not using the right level of security on your clients ( e.g. using telnet rather than SSL based clients ) they get hold of passwords and usernames just by listening in and seeing the raw plain text data passing.

4. Ephemeral security - send emails in plain text rather than using PGP or some other security plugin.

The point is you might not be exposed to any of them, or be exposable, however at the moment there is nothing out there that I have seen that does a risk assessment of the basic OS, the OS with extra packages installed, individual packages, different configurations or provides any advice whatsoever.

Other portals have long been swamped with political wars and it looks like those that want to start arguments for the sake of it will either be steering clear of here or thrown off. So, I think it is high time we started to collate our experiences and advice and stop thinking we are invulnerable.

Just know how vulnerable you are ( or not ).

Security through ignorance is stupidity. Security through willful ignorance is basically being a sucker.

I had hoped the constructive clause (1) in the terms of service might lead to decent open debate on how to fix a few issues like information, mindset and possibly even software. If it looks like the discussion on here isn't going to be constructive or will meet with knee jerk reaction then there isn't a lot of point contributing to the forum.

I don't want to get involved in ego trips, I just want to enjoy the hobby.

@Mikey_C

I already am being. Tell me what exactly are you bringing to this "deal" you are offering? I don't know I get the impression you think I'm some kind of troll.

It is exactly what I have been calling for since post 1 - to collaberate on bringing the information to the fore.

It is too big a task for one person and most of the knowledge will be out there already. It won't be a matter of just running nessus against an Amiga on your local network.

Most of these issues - because they aren't being exercised by internet intruders yet - can only be exposed by structured security testing or design analysis to discover the flaws.

@Sauron

I think it is all being taken personally whereas I'd rather people were told what are the good/bad points to do with the operating system and using the browsers/network tool online.

Eventually some kind of "cops" tool to expose inner setup flaws for beginners to install could be built but to do that you need a knowledge base. This is what I'd like to see happen. As I find things out I'll certainly let people know.


@Sister_Rita

Security through obscurity is all very well up to the point where you get hacked. The reality is though that most of our security is through ignorance - a false sense of security.

-----

In general why do it? There is no filesystem or process security built into AmigaOS, so once in, anything can be done so every daemon needs to have its own sandbox.

Thank you for being informative, friendly and helpful.

Hehe run Widows. That sounds about right for Windows!

But someone said ( other than me ) earlier that it might be possible to do something nasty through IBrowse - well it is. The JavaScript implementation in AWEB hangs on some sites too so it must be possible to attack that way.

But putting browsers to one side, just simple advice like:

1. Don't run a web server on your Amiga
2. Don't allow access to TCP: on your Amiga
3. etc etc.

Plus how much security testing has gone into the development of the TCP implementation on the Amiga, and any daemons. Just because YOU don't use some of these things doesn't mean there aren't some pretty clueless people out there who do.

For their sakes we should not be so arrogant and make some advice freely available. That advice has to come from the collective so I am asking people to be constructive about it and share experiences.

If that is considered "bitching and whining" by the moderators then lock the thread and throw me off. If not, pitch in with advice.

Certainly I'd never use SAMBA online so my advice would be there - if you don't use a firewall, make sure you turn off SAMBA first.

Does anyone know where I can get more RAM for the AmigaONE if that is the problem?

I'm not bitching and whining. I am just saying that sticking our collective heads in the sand about the potential isn't a good idea.

I am not even mentioning virus software.

Anyone who uses a computer on the net has some basic security advice to follow. Anyone who uses AmigaOS 3.0 or 4.0 on the net has to take extra precautions even if it is just to be warned that using telnet, ftp and other similar plain text mediums for userid and password access to a server is a mistake and to download a SSH variant if available.

Any server admin worth their salt want deal with SSHv1 connections.

Security through obscurity is all very well but how many of you hang around on IRC?

Well we all know that AmigaOS4 are a target for some quite hostile and disturbed people and that might include some of its users.

In a chatroom you can see the ip addresses which are connected, and go after them. Even just being able to knock people off the net might be a pain.

So as you say good advice is not to fileshare but AmigaOS4.0 I don't think has a SSH v2+ compliant implementation so either you use a lower grade ( and hackable ) SSH/SFTP or telnet/ftp which can be sniffed for passwords and userids and by using AmigaOS with these not so secure protocols can expose any server that you might own.

I guess I just think it might be sensible to acknowledge that AmigaOS might not be very secure, provide some general advice, and emphasise the need to provide a secure set of clients.

But why not?

I used to use the QL and my Sinclair QL is long gone to the QL scrapheap in the sky I bought a Q60 ( an 060 based QL with a 16 bit graphics card ) and ran SMSQ/E on that ( the QL operating system updated ) for a year or two.

Then that died.

Then I bought a QL emulator and run SMSQ/E on that from time to time. Without that I'd never be able to use it again.

You see my point? There are no plans to release a new QL, and people did think for a while that there might be a QL-PPC or a coldfusion QL but nothing.

I don't want to end up without AmigaOS4.0. So if all these other plans fall through then will someone consider either a co-operative emulator or a hostile one ( like shapeshifter ).

Ah but maybe that is because AmigaOS is so insecure you'd never find out!

Speed is important, yes, but function is too. Now users install an OS and say "where are the games? Where is wordpad? where is IE?"

Now so much gets bundled with modern OS we forget how stark life with a traditional OS is before you do work on it.

I doubt any user is running a truly stock pre OS 3.9 anywhere. They will have made some usability modification.

But stock Windows? Stock linux? All over the world. Why? Because the optional extras aren't so optional anymore.

Yes, I understand. However people who boot into stock classic Amigas are in for a shock.

I bought an A500 quite early on and found it painful until I made commands resident ( a simple modification, but it is a big shock without it ) and had a second disk drive.

Then I got an external hard disk and realised that this was how the Amiga was meant to be used. Fast, slick and no sounds like a constipated geriatric straining on the loo whenever you opened a drawer.

But even those simple modifications, which made all the difference to how I viewed WB1.3, are way beyond what a stock Amiga can do.

I thought about this because of that user on another thread whom bought a stock A1200 and is looking to modify it. I forgot for a bit it doesn't come with a pretty workbench, IBrowse and has to put up with AGA and started to remember what it was like: Bad.

It is pretty daunting getting from stock to "usable" on those older machines - usable for our expectations today.

But so long as amigans.net users don't get as arrogant as Linux users were some 8 years ago or like a web page recently which had a nasty remark on it ( they call it irony ) at someone who asked how they could get TCP/IP stack down onto a machine that doesn't have TCP/IP.

The point is new users of computers today have different expectations. They don't like to go around the houses to do what is common currency and they don't remember about 3.5" floppy disks and things like that. They probably don't think that you can connect a computer up to a TV ( a computer, not a console ).

The literate forget also.

It isn't a mistake, it is the whole point. You don't realise that things are progessing as much as they are when they are progressing.

This is why I don't get people who say that AmigaOS4.0 isn't a proper AmigaOS because it doesn't feel like AmigaOS. I say these people haven't used it, or they have gotten so used to their old tweaks and customisations they forget half of what they find alienating is their own home-making.

How did I ever learn to love Workbench 1.3? By coming from the ZX Spectrum.

Could I love it now? No.

AmigaOS 4.0 is the culimation of what AmigaOS is, and although it is essentially out of date ( in comparison with the latest Linux distributions and Windows XP/Vista ) in certain respects it is utterly Amiga.

Amiga OS 3.9 on the other hand always felt a bit like using someone elses customised Workbench 3.1.

In any incarnation is AmigaOS secure enough to risk connecting to the internet with your private data on the system?

Every other OS out there has holes and flaws and I was wondering ( in the light of a lot of people investigating the retro classic market ) if it is worth building a list of what you should and should not do with an Amiga online?

Is the advice always: Use a hardware firewall.

Is Mikey_C not a good looking man then?

Is anyone running stock ( no patches or gizmos ) levels of Workbench?

I tried recently, here is what I found:

Workbench 1.3

ARRRRGGGHHH!!! God this is AWFUL. Like the busy pointer though.

Workbench 2.04

Ugly, more pro looking but really ugly and doesn't do much. No backdrop picture!

Workbench 3.0

Disgusting. How was I ever persauded to use one of these?

Workbench 3.5

Hmm, almost like a real OS ;)

Workbench 3.9

Getting better, works pretty well off the CD.

Workbench 4.0 ( AmigaOS 4.0 )

Now that is what I call a decent out of the box experience.

The thing that is going to constrain you more than anything is space.

Memory, hard disk.

Because it is almost impossible to find a memory module for the Amiga that doesn't cost as much as one with an accelerator I'd buy the following off e-bay as a bare minimum to get going:

040/060 accelerator with as much ram as you can get.
360MB hard drive ( 2.5" ) or above.
IDE cable splitter ( 2.5" ) or adapter ( 3.5" )
CD-ROM drive, external or internal doesn't really matter as you are going to mount it outside.

I'd install Workbench on the new hard disk, I'd then get hold of Miami demo, or NetConnect ( if you can get access to it ) or an old OS3.5/3.9 CD. I have one lying around if you need one.

Then if you aren't going the 3.5/9 route start downloading stuff off the web. If connected to a PC monitor or a multisync monitor use DBLNTSC mode with 16 colours at 800x600. Forget DBLPAL - it flickers too much.

Don't use anything above that in terms of colour depth for the workbench as you'll saturate the custom chips and the serial cable starts to cut out ( it does on mine anyhow ).

Connect to the net, enjoy. Download stuff.

If OS3.5/3.9, well just run the network setup and its about the same but much more usable.

I know all about the restrictive licensing issue between Amiga and Hyperion from reading some draft contract on google. I know that when they release AmigaOS4.0 control can revert out of their hands.

What I am talking about here is how we can continue putting the politics aside.

I have an AmigaONE XE and it is not very well. It faired a bit longer than my other machine ( which was bought to try out another Amiga-a-like OS on PPC ) on which the CPU set fire to itself.

I am getting a bit worried as to what I will do next. AmigaOS4.0 obviously runs on top of firmware on a PPC with a certain subset of devices but exactly what is stopping it being used on a firmware emulator ( if it is possible with U-Boot ) written for either a PPC emulator or another PPC board ( perhaps one of the up and coming hobbyist PPC boards )?

The way I figure it is I have paid to use this prerelease and it isn't really my fault the XE is out of warranty and I have treated it with care but it does seem to be freezing a lot more recently. If it goes the way of the P*****s board and ends up in a skip what do I do then?

Can I not ever run AmigaOS4.0 again?

The ideal scenario would be for me to have a PPC emulator on my Sony VAIO until new hardware becomes available. I *know* I'd have to say that it was running slower than native to onlookers ( or maybe just a backdrop saying it ) if I wanted to show it off. But do we have a contingency plan? A plan F?