Domain: kha0s.org
Stories and comments across the archive that link to kha0s.org.
Comments · 11
-
Re:I wonder...The source audit is what makes the difference. There are various projects for secure Linux distros like Bastille, Nexus and Khaos. For the most part they only fix configuration errors, things like not enabling every service by default, correct file permissions, etc.
However, this will not catch coding errors. If there's a bug in the kernel or in a service that you happen to be running, you're still vulnerable. Only Kha0s has a goal of doing a source audit which seems to be going very slowly.
-
Redundant or not, i have to get this off my chest
A) I think that everything that guy says in regard to people who review open source should be taken with a grain of salt. He obviously has an attitude problem and suffers from quite an overblown ego. That doesn't mean much other than we cannot trust his opinions on matters like Linux. B) The comment about surprise that there has not been a super secure linux distro? What about khaOS?? And I cannot speak for other distributions but I know that there is a package for SuSE (6.4) in the security section that super secures the installation by removing all possible wholes in the system and blocking most all services. I know it isnt the same as in OpenBSD but it is enough to keep the newbie hackers from breaking down the walls of my modest server. C) The complaint that most distributions come pre-configured for all sorts of software with no care for system security: WHAT THE HELL IS WINDOWS THEN?!?! It is so aggrivating to hear people bitch and moan all the time about hard linux is to install and how hard it is to use. So the distro manufactuers start making easy to use linux. People start buying it. Everyone is happy until someone complains that it is stupid to make things easy to use because it compromises security. I am not saying we can't have our cake and eat it too but Linux needs to be cut some slack because everyone working on it is doing their best to make it accessible to the public and right now that means weaker security. One more thing though: just because distros come with pre-configured installations, most people will choose to change the installation and make configurations of their own based on experience. It seems that it is only the new linux users that will be affected by the security flaws of base install. But then again, they probably wont be running a major website based on mysql and setting up their own firewall right away either so it all needs to be kept in perspective.
-
Re:Linux distros could learn something"What I'd like to see is a Linux distro which installed the bare basics"
I dont know what version of RedHat you used but 6.2. has the option to just install, Kde OR Gnome or try a server install, you are not forced to install both.
If you want just the basics get one of the "Linux on a floppy" distributions, and add stuff form there. compiling your own kernel as shown on "Linux from scratch" would be overkill for what you seem to want.
"Seek and thou shalt find", if you had made an effort to search then you might have seen this:
Trustix
http://www.icewalk.com/softlib/app/app_01091.html
or Bastille linuxkha0s
i could go on, and on and on, and on but instead i suggest you Read this Article it lists various security focused linux distributions.
www.kha0s.orgDistributors are listening, but they should not underestimate the importance of marketing and gaining mindshare (case in point is the success of micro$oft).
--
"Rumours of my death have been greatly exaggerated"
http://www.mozilla.org -
Re:New project, anyone?
There is one. KhA0s Linux. Despite the silly name (53k00r1733
/\/\4k35 U 3r337) it looks like it will be pretty cool if it ever flies and is definitely being built with security in mind. Crypto filesystem and other nifties are on their list of features. They are looking for help, too.
Lemme see if I can find a url...
Ah. Here it is.
Enjoy! -
Re:New distro vs. install option?
Personally I think it'd be nice if Linux took OpenBSD's path of concentrating on security, for example by auditing all code for security problems. But that doesn't look like it'll happen any time soon.
My impression is that this is what kha0s Linux is all about -- "better living though paranoia"
-
Subjectivism running rampant
The Linux distributions are placed at the mercy of seperate development teams, with different goals.
Only in their current models. The major distributions work on a smorgasbord model, trying to include any application the end user might want or need in the distribution. The BSDs take an alternate--and perhaps enlightened--approach, clearly distinguishing the "core" from the rest. From the BSD perspective, I would argue that nearly all the major distributions share the same core, even without the LSB. Where the Linux camps and BSD camps differ is in the definition of the core.
Correct me if I'm wrong, but by FreeBSD having tight control over the inclusion of core tools into the distribution, they can build a secure and stable distribution much more easily than can be done for Linux.
Ask and ye shall receive. Again, you're thinking of distributions like Red Hat, where any project of note is included in the distribution. One could easily create a secure distribution (such as Khaos is working on) simply by taking a more conservative stance on what the core should be.
Increasingly, it doesn't matter whether you run Linux or a BSD, if you check your favorite software it usually compiles for anything remotely Unix-like. Even commercial software, such as Netscape, can be installed, but there is a clear distinction in the BSD camp that it is not part of the "core"--though that courtesy isn't often given to Linux distributions. BSDers might point out Netscape as a potential security flaw in the distribution. Linux users would say,"Duh. You don't install that crap on your production machines."
Also, the issues of package dependancies, upgrades etc become exponentially more simple to handle. In this regard, I doubt FreeBSD can be touched by any Linux distro.
Again, only in the current form. The sheer number of permutations of system libraries under Linux can make for installation nightmares, but it also makes for unbelievable flexibility. Yes, it's possible to run KDE and GNOME apps side by side, and a Caldera user might have to do some hunting to install gnumeric correctly, but those issues are still possible under the BSDs. Anything that's not part of the core will cause the same headaches, and for all the problems with
.debs and .rpms the BSDs are eventually going to face the same problems in user-interface-land. Wait until the BSD UI Core Wars come, and all of a sudden Red Hat starts looking good.In reality, users in both camps know the best way to handle userland software is './configure ; make ; make install', and it'll probably be that way for a very long time. That's how Unix got us here in the first place.
Obviously contributed software or applications is a different matter. I'm speaking of the core tools that form a distribution.
The problem is that some people now consider GNOME and KDE as core tools, much the way most distributions consider X a core tool. What the BSD camp sees as a detriment, the Linux camp sees as a unifying theme of freedom. Yes, it does cause it's share of headaches, but just as there are projects targetted specifically at FreeBSD, there are projects targetted specifically at glibc2.1 systems, or Debian systems. Just as the article's author pointed out, that it's not fragmentation, but differing market niches. The lines are blurry, but they definitely exist. Red Hat isn't for everyone.
Hopefully the LSB can and will solve this problem. I really hope it's sooner than later.
Don't we all.
-
info: security distributions & resources
see the Linux Weekly News' Security page for information on Linux security projects which are already under way:
Secure Linux Projects Bastille Linux
Khaos Linux Secure Linux
Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive
Distribution-specific links
Caldera Advisories
Debian Alerts
Red Hat Errata
SuSE Announcements
Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal -
Re:Security audit/rock solid distro
I am not sure if this what you are talking about but. kha0s linux They are working on a "secure" version of linux.
-
Adressing the concerns/confusion/questions.
I have seen alot of comments here about the 'lame' name, concerns on US export restrictions, backdoors in the code, auditing of code, BSD style development, etc, etc, etc. So, let's just try to address any and all concerns anyone may have.
1. Export regulations. We do have developers in other places besides the US. We also have distribution points that are not located in the US. The project leadership does originate in the US, but that does not limit us from at all. All cryptographic components are worked on by developers outside the US, and distributed from sites outside the US. There is more to this distribution besides the cryptographic components, and therefore US developers are not hindered from helping out with the project. We do audit ALL source code that has been released, and we invite you to do the same.
2. Backdoors and code auditing. Since we do audit the code, and invite you to do the same, there need not be any worries about backdoors. We are trying to PROMOTE security and the idea that linux is a secure OS. By putting backdoors in code this would not only hurt our credibility, but the credibility of the linux community in general.
3. The 'lame name'. Ok. This one is not quite as complicated as you all may think. It comes down to several things really. First, as someone else has pointed out, the name is mainly based on myth and legend of the golden apple, inscribed with Kallisti. Planted by the goddes of dischord, or chaos. Now, whoever has lately tried to reserve a domain name can tell you, try getting chaos.org, or net, or whatever. So, we had to be creative. Does it sound a little bit 'script-kiddie'ish? Probably. Can the name change? Maybe. Does everyone like the name? Probably not. Do we care? Doubtful. It comes down to this: If you like what we are doing, great, if not, great.
In closing, we are not asking anyone to trust us. In fact, we are hoping you don't. Be paranoid, check out our code. We invite you to, as we have.
kha0s is not for the light of heart in this stage. In the future this will change as we add things to the distribution to allow seasoned professionals and newcomers alike to install, configure and run kha0s without having to worry about whether you did or did not forget to turn on ssh and disable rlogin.
Should anyone wish to learn more about the project, or help in the development effort, you can subscribe to our mailing list. Send an email with the subject: Subscribe to kha0s-dev@kha0s.org and you will be subscribed.
M. Adam Kendall
mak@kha0s.org
http://kha0s.org -
Adressing the concerns/confusion/questions.
I have seen alot of comments here about the 'lame' name, concerns on US export restrictions, backdoors in the code, auditing of code, BSD style development, etc, etc, etc. So, let's just try to address any and all concerns anyone may have.
1. Export regulations. We do have developers in other places besides the US. We also have distribution points that are not located in the US. The project leadership does originate in the US, but that does not limit us from at all. All cryptographic components are worked on by developers outside the US, and distributed from sites outside the US. There is more to this distribution besides the cryptographic components, and therefore US developers are not hindered from helping out with the project. We do audit ALL source code that has been released, and we invite you to do the same.
2. Backdoors and code auditing. Since we do audit the code, and invite you to do the same, there need not be any worries about backdoors. We are trying to PROMOTE security and the idea that linux is a secure OS. By putting backdoors in code this would not only hurt our credibility, but the credibility of the linux community in general.
3. The 'lame name'. Ok. This one is not quite as complicated as you all may think. It comes down to several things really. First, as someone else has pointed out, the name is mainly based on myth and legend of the golden apple, inscribed with Kallisti. Planted by the goddes of dischord, or chaos. Now, whoever has lately tried to reserve a domain name can tell you, try getting chaos.org, or net, or whatever. So, we had to be creative. Does it sound a little bit 'script-kiddie'ish? Probably. Can the name change? Maybe. Does everyone like the name? Probably not. Do we care? Doubtful. It comes down to this: If you like what we are doing, great, if not, great.
In closing, we are not asking anyone to trust us. In fact, we are hoping you don't. Be paranoid, check out our code. We invite you to, as we have.
kha0s is not for the light of heart in this stage. In the future this will change as we add things to the distribution to allow seasoned professionals and newcomers alike to install, configure and run kha0s without having to worry about whether you did or did not forget to turn on ssh and disable rlogin.
Should anyone wish to learn more about the project, or help in the development effort, you can subscribe to our mailing list. Send an email with the subject: Subscribe to kha0s-dev@kha0s.org and you will be subscribed.
M. Adam Kendall
mak@kha0s.org
http://kha0s.org -
Secure Distribution
Kha0s Linux is an attempt to create a VERY secure version of Linux. Currently it is in development. Look around. . .