Slashdot Mirror
A Linux Distro From the US Department of Defense
donadony writes "The Lightweight Portable Security distribution was created by the Software Protection Initiative under the direction of the Air Force Research Laboratory and the U.S. Department Of Defense. The idea behind it is that government workers can use a CD-ROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker's own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so leaves no trace of the user's activities behind."
What about the fingerprints? Screen ghosts? Not to mention all that quantum electron crumbs...
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
I wonder if it includes a copy of CoFEE standard. They have *my* attention.
Not so much, thet use encryption instead.
New things are always on the horizon
There is a review of LPS over at DistroWatch:
http://distrowatch.com/weekly.php?issue=20110704#feature
If the computer is left on the RAM can still leave traces behind.
I don't see how this is any different than any other live CD though.
^^vv<><>BA
Yeah, this was a good idea... I actually have Ubuntu installed on a portable USB drive -- It's faster than installing off a CD and it remembers saved data, bookmarks & installed progs (instead of a clean boot image).
However, I don't think for a moment that this prevents an infected system BIOS/CMOS from infecting the MBR of the flash drive, or that even booting off of a CD-R will be able to keep me safe if the hardware can't be trusted... I mean, If you want security, why not give them a personal mobile pocket computer instead? Everyone knows that physical access = game over; If an attacker's gained physical access you've just been pwned. Not to mention how easy it is to place a low-tech internal key-logger in todays machines...
Unless the "vanilla PC" you're booting from has a hardware keylogger. Then well, duh.
I want to delete my account but Slashdot doesn't allow it.
hm. great idea, but doesn't look easy for the non-technical folk to get it up and running. imo, they're the ones that really need this type of product when they travel to hotels and whatnot.
This is a research account for studying online commenting so we can create tools to improve moderation.
Right? A personal laptop with an encrypted hard drive would seem to be the logical solution.
^^vv<><>BA
It even includes monitoring software that send all you do to the US government for analysis, it ensures you aren't doing anything nasty! 100% secure!
Now if only their Websites were this secure...... *coughAnonymouscough*
Though really, the imprint is left on the network, even if it's encrypted. and something might be left over BIOS, mechanical keylogger... There's probably a lot of ways these guys could be found out, but it could be a good thing that they're at least using SSH and a portable OS, it shows they're TRYING.
They'll probably hand out the first batch to people like Mr. Anthony Weiner just to avoid that kind of embarrassment, if not for national security...
If I were a country whose internal stability relies on the economy and the economy relies solely on exports, I'd be really careful about doing that.
Except with some useful proprietary applications with GUIs for encryption and making it difficult to have persistent data.
I guess the kernel has all proprietary divers in it so its more likely just work and support hardware but that also comes with the slightest chance that its just an excuse to get a back-door in there (thought if there is one; the other end does not care what you are doing).
Oh shit! How did I miss this gem here?
LPS differs from traditional operating systems in that it isn't continually patched.
Poor reading comprehension? You might want to work on that. You also might want to work on that little "reading into things that which is not there" problem you got as well.
You sort of missed this part
LPS is designed to run from read-only media and without any persistent storage.
as well as the release notes that show that it has been updated several times this year.
It's asinine to claim that it is tamper proof. That right there should be raising red flags.
Considering the "threat" from China and chip suppliers to consider any machine that you have not personally inspected down to the firmware to be secure is just nuts.
Sure, they booted into a different OS and bypassed the local storage completely. Great. Any OS rootkits cannot get loaded and access the "secure" OS. Fine.
What about rootkits that can get loaded via different means? NIC cards? Storage adapters? LCD monitors that have small repeaters to record and send encrypted frames of what is displayed? Keyloggers loaded directly into the keyboard?
It's only as secure as the weakest link. Hotel computers and home systems? Yeah...... I can see the TV repair man coming in and the next thing you know we have a conduit into a tamper proof secure DoD network.
That distro is not going to be smart enough to validate all the hardware it is running on, and if it did, it would defeat the whole purpose wouldn't it?
Asinine is an understatement and we actually paid to have this developed.
Eh? You can always burn a new copy when a security fix comes out, you don't have to pick between patching a running system and having no security fixes.
In case you don't see the problem they're addressing, many distros that aren't Debian (I think RHEL fixed this a couple years ago, too) don't have any particular way to prevent MITM attacks dumping compromised software in the form of an update, and providing corresponding MD5 sums. You can do like Debian, and require updates to be signed, or you can do like LPS, and not download any updates over an untrusted network. Both are valid fixes for a real problem, you might say Debian's approach is better, but neither has earned the derision you display.
But can it run America's Army?
WARNING: Smartphones have side effects--most of them undocumented.
If you think they will allow access to sensitive networks you are nuts, they won't even be able to access their email unless the computer has a smart chip reader, all this is really doing it making the printing out of plane tickets from a hotel computer a little safer.
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
Ok... so, tell me why this less secure distro is worth wasting anyone's time over considering that my writable USB gets updates as soon as they're released to my distro, sans burning / installing a new ISO... Booting from a clean USB every so often? Hmm, yeah, I can do that too.
Let's not forget -- If you put the end users in charge of their own security, they won't have any. Seriously, once I talked to a guy who figured out how to bypass the "your password has expired, choose a new password" security feature. Keep the same password by changing it 5 times in a row to exhaust the previously-used password buffer.
You seriously think they'll take the time to ensure they have the latest version of their distro burned -- Well, unless it's someone else's job (say, the PROGRAM itself) to keep the users up to date, it won't happen.
If it's not updating itself, it's not worth my time, honestly.
As others have noted, there's nothing to see here, it isn't any more secure than any other distro. If you're already mindful of security this distro isn't going to help you be any more secure.
they won't even be able to access their email unless the computer has a smart chip reader
I might be wrong, but thats probably why the distro includes CAC and PIV card support.
But what if this phones home? Has any security(tm) professional tested the network traffic this produces under a VM or through a firewall? (BTW posting anonymously my captcha is "vibrator")
What about rootkits that can get loaded via different means? NIC cards? Storage adapters? LCD monitors that have small repeaters to record and send encrypted frames of what is displayed?
Statistically and practically speaking, those are if miniscule concern especially compared with the relatively common MBR rootkits out there.
Not to mention the inherent difficulties in trying to install a generic rootkit to specific hardware via CMOS overwrite; I dont think its anywhere as easy as you seem to think it is. Hint-- not all BIOSes will work on all motherboards (and the same is true of NICs, etc).
call it Dod-ian
BRILLIANT! That means that any flaws in your OS or applications (web browser) WON'T BE PATCHED
Which isnt really an issue for several reasons:
A) most of the code out there isnt targetting some obscure form of linux
B) this is a live distro, so there is no permenant storage, so no real worry of a rootkit
C) someone booting up this distro is unlikely to be doing so for reasons that would expose him to threats
Hence the lack of caring about /etc/passwd, or running as root, or all the rest. Its generally irrelevant on a live distro because you cannot get rootkitted.
Doubt the DoD really gives two shits if you look up child pr0n, tbh. More of an FBI thing.
It doesn't get patches because it runs from read-only media; the approved version is updated when necessary to address security concerns, but you have to use new read only media, rather than patching the existing one, that being the nature of "read-only".
...Because we all know that everyone wanting anonymity -must- be doing something illegal.
Taxation is legalized theft, no more, no less.
Every time I think people on /. can't get any more clueless, I read posts like this and my faith is restored.
NIC cards? All data is encrypted at Layer 3 or 4 (SSL/TLS or IPSEC), so all a NIC is going to see is encrypted Ethernet frames.
Storage adapters? So? Feel free to read the publicly-available ISO from the CD-ROM drive. In fact, just go download your own copy. No other storage adapters are used.
Hardware Key-loggers? Stopped by multi-factor smart cards (aka CAC and PIV cards). That is, they can't snarf passwords. They might gather other keystrokes, though.
LCD monitors with whatever magic paranoid shit you can dream up? Stop getting your tech ideas from Hollywood fantasies. Can you please point me to any of these so I can see one in the wild? Are they just randomly scattered around at Holiday Inns?
The access these things get you to is non-classified networks. Not for public consumption, but non-classified. Like access to office webmail or VPN, except using smart-cards to replace RSA tokens.
You're childish assertion of essentially "if it isn't absolutely 100% secure against anything I can imagine, it is worthless" shows you don't know shit about security.
Learning HOW to think is more important than learning WHAT to think.
I've been working in the kiosk industry for about 8 years now. The current company I work for has around 1000 kiosks in hotels, airports, business centers, etc as well as having around 20,000 customers.
I can tell you that 99% of hotel's are setup to NOT allow USB or CDRom booting for the very obvious reasons. Most are setup as well to only read CDROM and read/write from USB and also have a Bios password set to disable the ability to execute from a different device.
I suspect this project will die off pretty quickly or fail soon if the people involved with the idea didn't even do some simple research or know about this type of information. Sure it would be a great use for their home computers but outside of that the CD's will just be one more thing to fall into the hands of people who will abuse it and become yet another security hole.
If this catches on, and people start using it for their normal desktop, we're in serious danger of not giving the key VDI vendors billions and billions of dollars to "revolutionize" our desktop experience!! Isn't somebody going to, like, issue a petition or organize a protest or something? (Oh wait ... i see the paid lobbyists cronies of the beltway IT hegemony circling already -- never mind).
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
It would really save some annons a lot of trouble if this distro would just upload all of the confidential files to pirate bay.
Think how much time we would save waiting for the right person with the right access, or the right system to be vulnerable and get exploited. Its all going up there eventually anyway, so why not skip the middle man? I suppose thats too much efficiency to hope for.
"I opened my eyes, and everything went dark again"
So what about locked BIOSs and the like, where booting off of a CD/USB Drive is either not enabled or isn't first I mean it would work in some situations but in other situations you would be forced to use whatever you have in front of you. Of course, I'm thinking the computers would have competent IT workers...
"your password has expired, choose a new password" security feature. Keep the same password by changing it 5 times in a row to exhaust the previously-used password buffer. "
easy fix for that
have a rule that the password can not be changed for 7 days after it has been changed
(and in some instances Fire somebody for trying this trick)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
...Because I clearly said that only people taking part in illegal activities seek anonymity.
Dude. That's what housekeeping is for...
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
The environment that it offers should be largely resistant....
And it seems they also understand this.. They didn't say 100%.
---- Booth was a patriot ----
The reality is probably one guy altering knoppix for a custom spin, another guy doing QC and other saying "wouldn't it be cool if package X was in there as well".
I sounds like cheap skunkworks stuff getting a rubber stamp.
Without a trusted boot there is no way to known whether a layer lower then the operating system is not interfering. As such, if the bios, or any other firmware (e.g. network card) is malicious, you're doomed.
Too bad you don't run China then...
Sig Battery depleted. Reverting to safe mode.
If I were a country whose internal stability relies on the economy and the economy relies solely on exports, I'd be really careful about doing that.
If I were a country large enough to embrace, engulf, and extinguish any problematic regions were my clandestine activities detected, I might be careful about doing it, but not too terribly worried about the consequences of getting caught.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
Good to use an onscreen keyboard to prevent hardware key loggers.
... because there's no way to log mouse movement and clicks, right? Oh, wait...
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
http://articles.boston.com/2011-01-05/news/29335792_1_child-pornography-investigation-pentagon very true. .mil distro? - who has the skills and who shows an interest.
Could be more into who would be interested in a
Domestic spying is now "Benign Information Gathering"
Correct me if I am wrong, but wouldn't it be possible to get a pseudo random number generator and overwrite all the RAM on shutdown? Thus resolving that vulnerability.
I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
You forgot modified video card firmware... where's your hand-wavy magic for that one?
</tin-foil>
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
It was where you went straight away. Your mind connects anonymity with illegal activities...
You know what child pornographers and "other people" are interested in? Air. They like breathing. Is that a knock on oxygen?
Do you really believe that a seriously secure OS is something bad just because "child pornographers...among other people" might be interested in it?
That sounds a lot like an argument you'd hear from people who believe that there should be a back door in everything so "the authorities" can take a peek.
Here's a news flash: I don't give a fuck if child pornographers are interesting in something. I'm not prepared to give up every last bit of my own privacy just because there happen to be perverts in the world.
Among other people.
You are welcome on my lawn.
Yes, there is Kylin, but China's government uses GNU/Linux and Windows too.
(1) device support. For example. LiveCD does not support certain wireless adapters. (2) virtualization. Can you be sure you are not booting into a VM?
Feeling secure firing up a clean desktop?
Might want to check the back of the PC or even better bring your own keyboard.
The solution is better than nothing but I still wouldn't trust Internet cafe's --> http://www.keelog.com/
Randomised positioning is just about a requirement of an on screen keyboard used for this purpose. Of course random key mapping works for the keyboard as well.
Analogies don't equal equalities, they are merely somewhat analogous.
They said tamper proof. Not tamper resistant.
It's not what they are trying to do, it is what they are claiming as the level of security. That is my issue.
I never said completely unbreakable. I just said tamper proof is bullshit, and it is.
You're childish assertion of essentially "if it isn't absolutely 100% secure against anything I can imagine, it is worthless" shows you don't know shit about security.
The fact that you make that assertion indicates a reading comprehension problem.
My issue was with the tamper proof claim, not tamper resistant, tamper proof. That is asinine. I never claimed it was without value, or that it had to be 100% secure.
All I stated was that it is not 100% secure, therefore, not tamper proof.
This just in, pedophiles also tend to use candy to attract children. Possession of candy made illegal for anyone over 9. Stoners and college students inconsolable.
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
classic sand-boxing is good, pretty efficient, but of course the user can leak information as he "surfs" on the CDROM, but at least old information is restricted.
Wait.... So you're saying Nancy Grace is a pedophile?
I hope this comment is well received... I could have moderated instead!
Persecutors will be violated!
Google "only guilty people have something to hide".
"I don't know, therefore Aliens" Wafflebox1
Yes, for people with secrets it would clearly be a very smart choice to use software developed by the military and guaranteed by the government to be secure.
Absolutely, this outrageous device should be banned immediately. They did it with incandescent light bulbs, after all: Used by pedophiles, terrorists and tax evaders all over the globe. So they did away with it. And the world is a safer place already.
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
The idea that they would, in the time of 3g and WLAN, somebody like a employee of the DOD would try to use any hotel computer and make it magically safe by booting some OS.
Using an hotel computer or any internet cafe computer is like putting a malicous roommaid onto steroids.
There is an infinite number of people which had infinite time to place keyloggers, bug the monitor cable etc.
doing nothing (i.e. abstinence) is safer than sex with a condom, but sex with a condom is safer than doing nothing about protection
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
So...they are building backdoors into software designed to close backdoors? And if they changed Linux, wouldn't they then have to publish the source code? Source code!! Go crazy!!
though we lambaste TSA-type security theater with good reason, I get the impression that the feds are at least more serious about security for their own systems/installations
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
Why is this an item? That distro has been around for a while (at least a year). I never actually used the software but it came in handy as a counter argument for "Linux isn't secure" trolling.
"I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
Sounds like a good distro to use for on-line banking - assuming your bank doesn't require flash running in IE6, which in the US, is a 50-50 proposition.
This DISTRO sounds like its made for safer porn surfing ?
If they want to carry around their entire collection on read-only material it'll make them that much easier to prosecute when they get caught.
WikiLeaks News 2014 In a stunning revelation Anonymous found information indicating the Dept. of Defense gathered information from its employees. Last year the DOD was outed by WikiLeaks News as having included a key logger on the Lightweight Portable Security Linux distribution, a live-cd mandated for all DOD employees for use on non-DOD PCs. Now our sources discovered keystroke records from over a million sessions on DOD computers. Another piece of software on the live CD transferred these sessions to DOD servers while the CD were used. DOD officials were unavailable for comment.
Here will be an old abusing of God's patience and the king's English.
I love hyperbole, don't you?
I never said the OS is a bad thing. Please don't put words in my mouth.
I note that PopeRatzo never said *you* said the OS was a bad thing.
My actual intent was that it seems like something I would want to be used for official purposes only.
And that is what the objection is to: The idea that things ought to be restricted in their use because they can also be used by bad people. Just about anything can be used for good or ill; if you attempt to control anything that might potentially be misused or abused, there's nothing left.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
They only would have to provide source code if they provided the distro "out of house". If this is an "in house" only distro, they don't have to provide any source code, not even to their employees. The GPL allows for customization and internal use without the need for publishing source code. It also provides publishing source code only to the recipients of the binaries. It's not required to give to the general public, unless they distribute it to the general public.
*IANAL but have read a lot about the GPL.
I'm ignorant. And old. Back in the day I remember that a BIOS could be compromised by a virus. Is that still the case with newer computers?
"Crude and slow, clansman. Your attack was no better than that of a clumsy child."
Too bad not everybody can easily get around it.
Think crop dusters. They have an airplane, and to put a power takeoff from the engine to the spray pump would mean FAA recertification of the entire powertrain. Answer: Use a ram air turbine, a windmill that sticks out into the airstream to power the pump. No modification to the airplane itself, no recertification necessary.
What did the Republican pedophile say to the 9 year old?
"Give me all your candy, you lazy little moocher. "
You are welcome on my lawn.
"Tamper proof" is only claimed in the summary, not TFA. This is intended to be "a secure end node from trusted media" for "general telecommuting use."
It's not supposed to be a bullet-proof connection to super-secret networks, just a better way to check email from outside the office.
I don't think that word means what you think it means.
...have seeded a copy!
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
And that, my friend, was my point: Who cares if "certain people might be interested in using it"?
What was your purpose in pointing out that pedophiles might be interested in using an OS that has great security and anonymity? Who cares if pedophiles "might" be interested? Why should that even enter into a discussion of such an operating system, unless you were trying to cast some uncertainty, some doubt, some fear about having such an operating system available for us to use.
I just looked at your original comment again, and the issue of pedophiles possibly being interested was the only thing you had to say. So if that's important enough for you to post, then please explain why you think it matters. What should we do or think about a secure, anonymous operating system that might be of interest to pedophiles.
You'll have to excuse my curiosity, but I find it interesting that of all the things that could be said about such an operating system, the one you choose to point out is that "pedophiles would be interested...among other people". So what?
You are welcome on my lawn.
They obviously wanted to replicate the Windows look, but went a bit too far.
Also some wooden transportation vehicle shaped like a horse comes to mind. Don't know why...
Didn't the NSA produce a Linux distribution before they got slapped down for being anti-competitive?
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
I tried both versions, on Virtualbox. While the 'normal' one booted okay, the 'de luxe' just stays with a black screen.
Nope, the checksum is even okay. So another downlaod won't cut it.
Why??