# Gentoo Admin for Individual

## slim2k

Hi .. I would like to hire an ultra-paranoid personal Gentoo Security Admin Tutor ..

I'm setting up a laptop, making it as secure as I possibly can and learning in the process.  This is a http://puri.sm laptop with coreboot, with me_cleaner already applied.  If someone has some experience and a passion for the following I would love to hire you.  I need help over voice or video conference (saves a few keystrokes; my hands get tired after typing for half a lifetime)..

Things I have in mind:

- Gentoo TTY console (feature setup and glitches)

- Encrypted LUKS partition booting (including /boot)

- Docker and other virtualization solutions

- Coreboot payload environment

- Hardened Linux Kernel environment

- Sandboxing

- SELinux

Future considerations:

- Secure firmware on SD drives

- USB configuration to protect against BadUSB

Please be willing to accept crypto, that is a huge plus.  If you already have a decent reputation on this forum I'll send payments first.  I'm in the Central Timezone ..

The overall vision: I need to build a core system that is as minimal as possible and organize and virtualize / sandbox applications in secure environments (how all computers should be built).  Anything we create is 100% open source..

----------

## Ant P.

Everything you need to achieve those things is on https://wiki.gentoo.org. Show us you're willing to learn and not be a help vampire. A Gentoo user that can't build or maintain their own system will get owned sooner or later.

----------

## slim2k

 *Ant P. wrote:*   

> Everything you need to achieve those things is on https://wiki.gentoo.org. Show us you're willing to learn and not be a help vampire. A Gentoo user that can't build or maintain their own system will get owned sooner or later.

 

The way I see your comment: you're calling me a name for asking for help and being willing to pay for it..

----------

## Ant P.

You're not willing to pay; you're offering something of questionable legitimacy currently in the middle of a bubble crash in return for someone reading wiki pages aloud to you because you're too lazy to do so yourself. Nobody here wants to create another walking liability.

If you really want help, rephrase your query.

----------

## slim2k

 *Ant P. wrote:*   

> You're not willing to pay; you're offering something of questionable legitimacy currently in the middle of a bubble crash in return for someone reading wiki pages aloud to you because you're too lazy to do so yourself. Nobody here wants to create another walking liability.

 

There are asset-pegged cryptos (also decentralized) if you don't want to take the risk..  I have read the wikis; there are bugs that are not covered .. It is more work than I have time for. I have other libraries to maintain but I'm forced to put in all the time myself because general security is lacking..  This is at the expense of my primary skill.

Wow, why the attitude.. I did not come here with an attitude.  I should just leave..  You're making a lot of assumptions here.

----------

## Ant P.

Distro security is a process, not a vending machine. Bugs in the basic installation docs? Show us them and explain why you think they're bugs.

----------

## Spargeltarzan

I ask myself why it shouldn't be legitimate to ask for voice-over-IP support with payment? Of course, we are a community, supporting each other on a volunteer basis. However, if someone wants to learn faster, achieve a certain system within a clear timeframe or simply wants some starting help, why not?

The author even proposed to pay first.

I am currently in the same position, in that I want to migrate my system to a fully secured, hardened, SELinux box with virtualization for even stronger mechanisms (see Qubes OS). Due to the grsecurity stop and all the recent news about PIE in profile 17, I don't even know the first step to take, although I have read the whole wiki and the last 4-5 pages in this forum section. Currently, it is even unclear if the documentation is still valid; I think it is mostly outdated. I don't even know which kernel we could use or how to secure the gentoo-sources, which was a recommendation in the news item about the grsecurity stop (you see my thread some lines under this one).

Therefore I understand someone who wants to pay for 1-2 hours of a voice call to understand the mechanisms, probably to maintain his box alone after that. Is it wrong that one earns money for 1-2 hours of voice call support?

----------

## NeddySeagoon

slim2k,

You are putting the cart before the horse.  Why are you considering those options?

You need to do your threat analysis first then put in place measures to mitigate those threats.

There is no absolute in security and security is like the layers of an onion.  The harder you make it for attackers, the more intrusive the security becomes in your use of the system.

Before you even pick a stage3 tarball, do your threat analysis and decide what you need to defend against.

At the same time, decide how much day to day inconvenience you will accept in the use of the system.

Security is not a fire and forget thing. It has to be maintained.

----------

## Spargeltarzan

@ NeddySeagoon: don't forget some users might not be aware of the kinds of attacks they could suffer from. They will mostly say "fully secured", probably like I do, because I don't know what all could happen to me in the Linux world.

----------

## Hu

Spargeltarzan: there is nothing wrong with offering to pay for support.  However, we somewhat frequently see users who neither understand their Gentoo system, nor wish to understand it, but only want some immediate problem solved.  Most don't offer to pay for the fix, but even for those who do, it's questionable whether that's a good use of their money or the respondent's time.  I see it as a service to the poster to warn that buying one fix today is a stopgap, not a full solution.  If the poster truly wants to pay for support, possibly on a recurring basis until he/she masters self-supporting the system, he/she is welcome to do so.

slim2k: how do you propose to determine reputation?  Some users have very high post counts, but little or no expertise in the areas you need serviced.  In the time it will take you to evaluate a respondent's reputation, you could probably do quite a bit of real work.  :Smile: 

----------

## Spargeltarzan

Agree  :Smile: 

For me, hardened and SELinux are a new world, after I entered a new world with Gentoo, which I started in July  :Smile:  I used Linux before, but I used the "out of the box security solution" that was distributed. 

When I think about Neddy's approach, of course I understand, for example, that someone who uses a VPN wants to protect packets over the network and should be aware of this first. For deeper investigations on the local system, kernel PaX, PIE, etc., even my computer science studies and my profession as an information security specialist some years ago don't help me to fully describe, judge and answer all possible security threats - it is a new world  :Smile: 

I learned much since July and will not stop it

----------

## slim2k

 *Hu wrote:*   

> Spargeltarzan: there is nothing wrong with offering to pay for support.  However, we somewhat frequently see users who neither understand their Gentoo system, nor wish to understand it, but only want some immediate problem solved.  Most don't offer to pay for the fix, but even for those who do, it's questionable whether that's a good use of their money or the respondent's time.  I see it as a service to the poster to warn that buying one fix today is a stopgap, not a full solution.  If the poster truly wants to pay for support, possibly on a recurring basis until he/she masters self-supporting the system, he/she is welcome to do so.
> 
> slim2k: how do you propose to determine reputation?  Some users have very high post counts, but little or no expertise in the areas you need serviced.  In the time it will take you to evaluate a respondent's reputation, you could probably do quite a bit of real work. 

 

Interesting, thanks for explaining some perspective from the community.  Fortunately I have some skills in everything mentioned above and experience chipping away at security and backup processes that change slowly over years..  I'm not scared of Gentoo either.  I already have this stuff above installed and have used Gentoo in the past .. That is of course the easy part.  But I'm used to small bits of progress over time.  Also fortunately, I have dedicated hardware for this, so it is not trying to be my desktop too..

My primary skill is JavaScript with an emphasis on security.  Any help is appreciated here though.  I can have architecture-level discussions, so I'll evaluate skills that way..  It will be helpful if someone is interested and gets some supporting comments.  Yes, I realize I'll be working on this for a long time..  I am requesting to be taught and guided .. I have the skills to code, etc. but could use extra help.  A plus is that we could create tools for other users to do this too.. I will not try to profit from any of that if it happens..  I can help promote a blog on steemit or maybe you'll get some more material for the wiki ..  More users are using crypto these days and they are going to need more secure computers.

----------

## NeddySeagoon

slim2k,

You need to start by describing the perceived threats.

e.g. Leaving your laptop on a train.  You might want to use LUKS to delay unauthorised users getting to your personal data.

There are other ways too.

On the other hand, for a system in a data centre that is physically secure, HDD encryption is not going to contribute anything to your security.

Don't even think about defending against governments.  They will send the boys round to beat your secrets out of you.

It's much more cost effective than attacking your system.

Start off by defining your threats, then design your defences.

----------

## Spargeltarzan

 *NeddySeagoon wrote:*   

> Don't even think about defending against governments.  They will send the boys round to beat your secrets out of you.
 

Avoiding backdoors in Windows for governments is a major plus for Linux, I hope they do not send these boys to every Linux user...

----------

## slim2k

 *Spargeltarzan wrote:*   

>  *NeddySeagoon wrote:*   
> 
> Don't even think about defending against governments.  They will send the boys round to beat your secrets out of you.
> 
>  
> ...

 

One name for it is the "Five Dollar Wrench Attack" .. Why spend millions brute-forcing a password when you can get a wrench at the hardware store for about $5 (maybe $10 now with inflation).  That seems to have a decent solution in https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed "passphrases", where every passphrase is valid and leads to an empty wallet (unless funded).  Different balances can be under different passphrases.  It is like an extra word on the mnemonic phrase.

Also, blockchains are getting time locks and multisig, so you can get groups and delays where a cancellation can happen.

Securing Intel ME and understanding hardware and then having an auditable secure software environment is going to help everything.  Even with cold storage or offline storage you have to interact with it somehow.  If you sign something in cold storage you need a way to convert something human-readable into what you're signing, a hash (that is what is signed).  So if that blockchain adds a new operation you want to sign, you may need to update a plugin just to see what you're signing.  Cold storage needs to be updated in some way.  Another part of cold storage does not need exposure to this plug-in.  Additionally, within one blockchain's space the transaction previewer and the private-key signing can have different secure spaces, but both are trusted.
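The "every passphrase is valid" property slim2k describes above comes from the BIP39 mnemonic-to-seed step, which is a plain PBKDF2 over the mnemonic with the passphrase folded into the salt. The following is an added example, written for this page and not taken from the post or from the BIP39 reference implementation; it reimplements that one step with the Python standard library and checks it against the first published BIP39 English test vector (the twelve-word "abandon ... about" mnemonic with passphrase "TREZOR"). The decoy and "real" passphrases used in the demonstration are made up for illustration.

```python
"""BIP39 'from mnemonic to seed' step (added example, not the page's own code).

Per BIP39: seed = PBKDF2-HMAC-SHA512(password = NFKD(mnemonic),
                                     salt     = "mnemonic" + NFKD(passphrase),
                                     rounds   = 2048, dkLen = 64 bytes).
Because the derivation accepts any passphrase string, there is no 'wrong'
passphrase: each one simply selects a different (initially empty) wallet.
"""
import hashlib
import unicodedata

# Published BIP39 English test vector (entropy of all zero bytes).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed. Word-list/checksum validation of the
    mnemonic is a separate step and deliberately not done here: the seed
    derivation itself never rejects a passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seeds_for_passphrases(mnemonic: str, passphrases: list) -> dict:
    """Map each candidate passphrase to its hex seed. Every entry is a fully
    valid seed; nothing in the output distinguishes a decoy from the 'real' one."""
    return {p: mnemonic_to_seed(mnemonic, p).hex() for p in passphrases}


def matches_reference_vector() -> bool:
    """Self-check against the published test vector."""
    return mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE).hex() == TEST_SEED_HEX


if __name__ == "__main__":
    print("reference vector ok:", matches_reference_vector())
    # Constructed passphrases for the 'wrench attack' scenario: no passphrase,
    # a decoy handed over under duress, and the one actually holding funds.
    for phrase, seed in seeds_for_passphrases(
            TEST_MNEMONIC, ["", "decoy-passphrase", "real passphrase"]).items():
        print(f"{phrase!r:20} -> {seed[:32]}...")
```

The point the code makes concrete: the only secret that matters beyond the mnemonic is the passphrase, so it must be memorised rather than written next to the words, and the decoy wallet should carry a plausible balance, since an empty one tells the attacker to keep asking.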

----------

