A Linux Distro From the US Department of Defense
donadony writes "The Lightweight Portable Security distribution was created by the Software Protection Initiative under the direction of the Air Force Research Laboratory and the U.S. Department of Defense. The idea behind it is that government workers can use a CD-ROM or USB stick to boot into a tamper-proof, pristine desktop when using insecure computers such as those available in hotels or a worker's own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CD-ROM. The LPS system does not mount the hard drive of the host machine, so it leaves no trace of the user's activities behind."
There is a review of LPS over at DistroWatch:
http://distrowatch.com/weekly.php?issue=20110704#feature
It's like using a condom... it won't protect you 100% but that's still safer than doing nothing!
I don't see how this is any different than any other live CD though.
As someone else pointed out, this is an "approved" method, meaning they have vetted the distro and believe it to be secure. This actually makes sense, and is much better than telling your soldiers "go download some live linux cd and make sure it is secure".
One of the major benefits of Linux is the ability to make your own distro for special applications like this. And since it is available freely for download (not required but they did it anyway) and the source is available, that makes it even better.
Tequila: It's not just for breakfast anymore!
If I were a country whose internal stability relies on the economy and the economy relies solely on exports, I'd be really careful about doing that.
A condom won't protect you from the common cold, but that's no reason not to use one.
Actually, doing nothing is the tried and true Slashdot defense against STDs.
When things get complex, multiply by the complex conjugate.
It's different because not only is it approved for clearanced work, it also has a version of Firefox with CAC-reader support. My understanding has always been that CAC support was limited to Windows; no longer.
BRILLIANT! That means that any flaws in your OS or applications (web browser) WON'T BE PATCHED
Which isn't really an issue for several reasons:
A) most of the code out there isn't targeting some obscure form of Linux
B) this is a live distro, so there is no permanent storage, so no real worry of a rootkit
C) someone booting up this distro is unlikely to be doing so for reasons that would expose him to threats
Hence the lack of caring about /etc/passwd, or running as root, or all the rest. It's generally irrelevant on a live distro because you cannot get rootkitted.
As someone else pointed out, this is an "approved" method, meaning they have vetted the distro and believe it to be secure. This actually makes sense, and is much better than telling your soldiers "go download some live linux cd and make sure it is secure".
More likely it is about CYA. Government security runs on CYA. Having an approved distribution means that everyone else in the organisation can use it, recommend it, even mandate it without having to worry about taking the blame if there is something wrong with it. Without an approved distro, no distro would be permitted at all.
More generally, government security is totally top-down - you have groups of "experts" (who may or may not actually be experts) who come up with procedures and requirements. Those are then made into official policy and distributed downline to security officers and regular users who are expected to follow those procedures to the letter without trying to think through the actual goals. When the official policy is fuzzy, you get different sites making different interpretations, sometimes with head-shakingly comedic effect - like mandatory Windows virus-scans on non-Windows computers or forbidding the installation of ssh (because it's not officially approved) while leaving rlogin in place. But even those, often ridiculous, interpretations still have full CYA as long as they don't violate the official documented policies.
When information is power, privacy is freedom.
...Because we all know that everyone wanting anonymity -must- be doing something illegal.
Taxation is legalized theft, no more, no less.
Too bad you don't run China then...
Sig Battery depleted. Reverting to safe mode.
I used to work in the hospitality industry as well - the company installed, maintained and supported guest internet access for hotels and transit companies (we had several bus and rail contracts). For the locations with a lot of government or corporate guests, standing orders from the hotel management were to do whatever was necessary to get these guests online. Lockheed-Martin employees were one of our biggest sources of calls; their VPN would not let them reach the captive portals and they had to be passed through manually. Many government employees and contractors had exactly the same problem. Anyone else would be told to contact their IT department to sort that mess out.
Don't underestimate what hotels will do to accommodate what may be one of their largest customer groups. When a company like Lockheed-Martin says fix this or our employees will no longer be staying at your hotel, you fix their complaint, you don't tell them 'but we locked down that functionality' and lose 80+% of your business.
You know what child pornographers and "other people" are interested in? Air. They like breathing. Is that a knock on oxygen?
Do you really believe that a seriously secure OS is something bad just because "child pornographers...among other people" might be interested in it?
That sounds a lot like an argument you'd hear from people who believe that there should be a back door in everything so "the authorities" can take a peek.
Here's a news flash: I don't give a fuck if child pornographers are interested in something. I'm not prepared to give up every last bit of my own privacy just because there happen to be perverts in the world.
Among other people.
You are welcome on my lawn.
This isn't intended to be just another Live CD. The disks or thumb drives are corporate-specific, and are set up to boot and provide a secure VPN into the company. Not for general use. In fact they are usually set up so they can only reach out to the company or agency's VPN server. This is a far more secure solution than letting users install VPN software on their personal computers, and a lot cheaper than buying them govt-owned computers that they might try to connect to the general internet.