kha0S Linux - It's all about Security
F1reF0x wrote to us with an interesting story on Linux Today about kha0S Linux, a distribution primarily based on creating the most secure distribution possible. You can check out kha0s.org. Due to the United States' "interesting" crypto laws, 0.99-pre4 is not currently available on the FTP site.
Poor planning involved here, I think. This type of project should be done in a FREE country, where one's work can be distributed as desired. I hope someone doesn't make this mistake again.
p.s. - I am a US citizen
And what if you decided to make a distro like this? Are you going to move to another country before creating just so you can distribute it when it's done?
I have seen a lot of comments here about the 'lame' name, concerns on US export restrictions, backdoors in the code, auditing of code, BSD style development, etc, etc, etc. So, let's just try to address any and all concerns anyone may have.
1. Export regulations. We do have developers in other places besides the US. We also have distribution points that are not located in the US. The project leadership does originate in the US, but that does not limit us at all. All cryptographic components are worked on by developers outside the US, and distributed from sites outside the US. There is more to this distribution besides the cryptographic components, and therefore US developers are not hindered from helping out with the project. We do audit ALL source code that has been released, and we invite you to do the same.
2. Backdoors and code auditing. Since we do audit the code, and invite you to do the same, there need not be any worries about backdoors. We are trying to PROMOTE security and the idea that linux is a secure OS. By putting backdoors in code this would not only hurt our credibility, but the credibility of the linux community in general.
3. The 'lame name'. Ok. This one is not quite as complicated as you all may think. It comes down to several things really. First, as someone else has pointed out, the name is mainly based on myth and legend of the golden apple, inscribed with Kallisti. Planted by the goddess of discord, or chaos. Now, whoever has lately tried to reserve a domain name can tell you, try getting chaos.org, or net, or whatever. So, we had to be creative. Does it sound a little bit 'script-kiddie'ish? Probably. Can the name change? Maybe. Does everyone like the name? Probably not. Do we care? Doubtful. It comes down to this: If you like what we are doing, great, if not, great.
In closing, we are not asking anyone to trust us. In fact, we are hoping you don't. Be paranoid, check out our code. We invite you to, as we have.
kha0s is not for the light of heart in this stage. In the future this will change as we add things to the distribution to allow seasoned professionals and newcomers alike to install, configure and run kha0s without having to worry about whether you did or did not forget to turn on ssh and disable rlogin.
Should anyone wish to learn more about the project, or help in the development effort, you can subscribe to our mailing list. Send an email with the subject: Subscribe to kha0s-dev@kha0s.org and you will be subscribed.
M. Adam Kendall
mak@kha0s.org
http://kha0s.org
In the short run I'm sure this would result in FUD about functionality, but I bet it would be a strategic win for the reliability and security reputation.
JADBP
Me too.
Is it just my Imagination or does the site clearly state that the software ***********IS************ available for download in the NETHERLANDS. It is not available on their server, however, it is "AVAILABLE". Why this hype over US export laws etc.... it CLEARLY states that the distribution is available. Sorry for being so negative, but no one ever posts any of my submissions and then crap like this gets posted.
http://www.jonmasters.org/
Why are they called "kids", certainly this activity is not limited to children only.
Which just barely inconveniences approximately 0.0001% of the population. C'mon, there are so many bad things about the US, why do you have to reach like that?
It's my understanding (and I could be wrong) that putting the distro on a server that is accessible by the world violates the encryption export laws. If there was a way to guarantee that only U.S. citizens could download it, then they could release it.
Indeed we are a bit 'lagged'. This is the direct result of there being only a handful of developers currently working on the project. However, given this unexpected post on /. we seem to have caught the interest of quite a few potential developers.
For those who are interested, the source tree is a bit sparse at the moment. Again, this is due to the fact that our snapshots have been primarily for 'in-house' use at this stage. This will be rectified over the weekend when it is tarred up and moved to the ftp sites.
Scott Fallin
saf@kha0s.org
So why don't they just locate a server in California and then they can post all their crypto source code and not have to worry about it.
Exactly that was done with unix (i don't remember which one) and it took quite awhile to find - i think it was over a decade
I'm just curious what their goals are- I didn't see C2 listed on their web page anywhere...and I wasn't sure from looking at it whether they were more concerned with internal violations (which would call more for a B2 style implementation) or external violations (ie., from the internet). If they are going for certification from the NSA, then they will need to do a ridiculous amount of work- more work than they can probably fund. I'd be fine without the certs, but it would certainly help their salability.
Ok.
So we just add a backdoor to the C compiler. It can tell when it's compiling another C compiler and adds the back door to it. It can tell when it's compiling, say, login, and adds a back door to that. Then you just throw away the original sources and compile a compiler with your new compiler. Include that compiler and its sources to your distribution.
Just because you're paranoid doesn't mean they're not out to get you.
Speaking as a network security manager for a 10k user network and a former victim of hacking attempts and successes, I agree.
However, speaking as a user, and having bosses that want functionality first and security second, I feel I can safely back up my claim that the general populace want security second. I don't care how secure it can be, if it's difficult to use it won't be used or it will be used improperly. I am constantly arguing the benefits of an application level (proxy) firewall over a circuit (packet filter) based firewall. It's a lost cause, the monetary benefit will almost always outweigh your perceived gain in security.
This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com, et.al.
Yikes! Now that is a scary notion. Microsoft, Sun, SGI, HP, Red Hat, etc... all fail at this. Even relying on Bug Traq and the like for your security measures is only a secondary response to a primary issue. If someone is good enough, they will get in. And a distribution like this will give people like yourself a false sense of security. You do what you can, where you can, when you can. And you keep doing it over and over. You build application architectures as securely as you can, and then limit access to those applications to only the people who need the access. Then you stick in your safe guards against those who would attempt to thwart those restrictions. A generic rule of thumb at best, yes.
In very few cases is functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little different. A little more secure.
How large a network do you work in? Did you build the network yourself or did you have to take it over? How large is your security team? Maybe you know something fundamental that I don't. Security isn't as easy, and when you talk to the bean counters, if the possible loss isn't high enough then security will be pushed under the rug.
Again, I do think it's nice that this distro is coming out, I do applaud their efforts. But no one can make a secure Linux or *insert OS here* distribution that will make me any happier. The secure distribution that is best is the one you put together yourself for the job at hand. You do this by taking the one that is easiest for you to use (the one you feel most comfortable with) and shredding it to pieces. Leave nothing but what is absolutely needed, then secure it - first from the network, then from the users.
http://windows.scares.us
A while back Redhat started up a source code auditing mailing list. The auditors would choose some code and audit it for security holes. They closed quite a few holes that way while I was subscribed to the list.
Source code auditing is in fact a very important part of any security initiative. You can catch a lot of holes that way.
No, but...
Think practical tracking. It's not hugely likely that the development of this distribution can be geographically traced. So, if they'd never announced that it had originated in the US then they could have probably got away with burning a CD, taking it over the border _then_ uploading it. One advantage for community development here - they can't necessarily tell where you are when you write something, but it's pretty obvious where the MS campus is...
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
No, I'm not going to move. And I'm not going to make a distribution, either.
But if I wanted to do what khaOs is doing, I'd have to choose between moving and not doing it. And I am unhappy about it, too. I used to think this was a free country, but when it doesn't allow me to share the product of my intellect even when it doesn't infringe on my neighbors' rights and freedoms...I declare those rights and freedoms to be gone.
Certified Microsoft Notworking Specialist
I just want to know why the net-boy speak for the name of the distribution. Can you see the guys on irc #linux now:
#m0j0f1ght3r> I run the fr33kin' kha0s, y0u w0n't b3 abl3 to crackz my a$$.
That is why I think I might try one of the other secure distributions that were announced on BUGTRAQ.
Then again, I could be dead wrong, and the name could be like Danish or Swedish or something...
-AP
--
A mind is a terrible thing to taste.
"A mind is a terrible thing to taste."
The name script kiddies is not meant to demean people who use scripts ;-P It means the 'cool kids' who download some scripts off of the net, and, since they can run them and bring some poor 60 year old woman's Windows box to a halt, they call themselves 'Hackers'.. Don't get me started on this one.. ;-P
/00|_!! and the such.. ;-P
They tend to write things like
-- I'm the root of all that's evil, but you can call me cookie..
Big mistake on these guys' part to develop the crypto portion of the system in the U.S. It should be developed 100% out of the U.S.
They should immediately release the code less the crypto log. subs. and develop those elsewhere to make a product that the U.S. export laws can't touch.
err, standard unix passwords are supposed to be 6 characters or more.
If you're talking about export regs, that question is irrelevant. If you have strong crypto code within the US, it is illegal to export it even if it was imported. The place of origin is irrelevant.
BTW, NAI has a neat way of dealing with it. All these export regs do not apply to source code in the form of a printed book. Publish, scan, and compile. And, voila! Legally exported code. NAI does this to ship their code to their international site in the Netherlands.
--The basis of all love is respect
There are two other secure linux projects, Bastille Linux ( www.bastille-linux.org), and an as yet unnamed "Secure Linux" ( http://www.reseau.nl/securelinux, you can vote for a name there). They've both been in progress for quite some time.
Everything I know in life I learnt from
how about telnetting on a box in a "free" country, and making the distribution there ?
Posted by _DogShu_:
The US is free for US citizens, NO ONE ELSE. There are tens of millions of people detained and kicked out of the country every year for entering the country illegally, or simply for not having the appropriate paperwork. The US is hardly responsible for the freedom of people outside of the US.
Tries to speak for mental states.. Not physical.. ;-P
-- I'm the root of all that's evil, but you can call me cookie..
So compile the source on an otherwise identical system running a trusted copy of the compiler.
--
Ben Kosse
Remember Ed Curry!
Who said US was responsible for freedom to non-US citizens? The beyond-stupid export regulations bring more harm than good. IMHO the same applies to the constitutional right to possess a 12 gauge shotgun; sure it's every person's right to protect their home, but AFAIK gun-related deaths/accidents outnumber homes actually saved by having a gun in the house. Don't get me wrong. Surely the Congress or the House of Senate means well, but unfortunately things don't work the way they should.
i always wanted to see such a distribution and to see how it will perform against OpenBSD
Way to go guys
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
What if these guys added back doors to their distribution.. Probably not but still for the paranoid.
Microsoft aggravates my tourettes syndrome.
Didn't I hear that some court had ruled against the export restrictions on crypto, on constitutional grounds? What has become of this? Are appeals in progress, or can we expect repeal of the (ridiculous) restrictive legislation?
Poor planning involved here, I think. This type of project should be done in a FREE country, where one's work can be distributed as desired. I hope someone doesn't make this mistake again.
p.s. - I am a US citizen
Certified Microsoft Notworking Specialist
"kha0s"?? It sounds like something invented by script kiddies.
of the rainbow.
I applaud efforts such as these, and I hope they end up with a successful distro. But I doubt they will. No matter what the headlines read, people want functionality before security. And while I hope to enjoy the fruits of their labor on such a project, I will most likely never use it in production.
Instead I will end up looking at how it works, and taking the bits and pieces that I think I can gain the most secure functionality from. Possibly even repackaging them for easier installation on my own personal favorite distribution.
A grand idea indeed. But I much prefer the right tool for the right job approach, than the use a flamethrower to light my cigarette approach.
http://windows.scares.us
- the Crazy Fraggle
Could we at least somehow distribute this within the US (like the not-for-export version of Netscape)? If it's all based on pretty much standard crypto stuff, maybe a set of scripts could be written to re-build the distribution from the original sources of the security software. It would be a lot easier to do this if more people in the US were involved. Or would those scripts, too, be illegal to export? Somehow, I doubt that.
sorry... I've been working since 5am.
It's as they say. pre4 is outside the US, i.e. at replay.com. pre3 is at ftp.kha0s.org. Nothing weird to me...
Roland
Posted by FascDot Killed My Previous Use:
I can imagine the need for a line by line examination and I know there was a project out there that was doing that, dunno if kha0s is. But why adopt the bsd-style development?
---
Put Hemos through English 101!
Most of the cryptographic material that is illegal to export outside of the United States is done and distributed offsite. The article misquoted the website. Pre4 is not available on ftp.kha0s.org (which is u.s.). However, snapshots are available on ftp.replay.com (hosted in the Netherlands). Take a look at www.replay.com
I think it's about time the script kiddies had their own distribution!!!
I ran it through the de-kiddigizer.
--Somewhere there is a village missing an idiot.
Functionality's great, but only if it's on a computer you use. This type of distro seems great for machines whose only duty in life is to shuffle around packets and store files. The only time I spend with these is reading the logs, so a little reduced functionality is fine.
A little later in the dev cycle, I really want to try this distro out...
F0 07 C7 C8
i think the replacement(s) of o's with 0's and other "eleet" signatures may lead one to believe such a distribution to be unsafe. if you think this is wrong, then i am guilty, because i'm not touching this distro with a ten foot pole.
this sort of reminds me of an irc client no one would touch for the exact same reason. but it was relatively ages ago, so i'm going to go back to eating my breakfast. cheers!
Well, that is what I am going around with the BXA about right now. They seem relatively happy with:
1. web only access with 128bit ssl, logging
2. blocking non-US domains
3. requiring you to submit your info and checking it basically (zip codes right, not daffy@duck.com shit and so on), and logging
4. logging everything and saving the logs in case they are subpoenaed
But I need to get it on paper.
Anonymous ftp, absolutely illegal. I am working on the possible legal angles.
Yes, as long as nothing ever came into the US, ever. That would be OK.
To paraphrase an old quote:
"When they came for the Jews, I did not resist, as I was not a Jew.
When they came for the Blacks I did not resist, for I had fair skin.
When they came for the Muslims, I did not resist because I don't pray to Allah.
When they came for the Atheists, I did not resist because I believe in a higher power.
When they came for the Christians, I resisted, but no one was left to fight for me."
Don't let shortsightedness condemn us all.
nuclear presidential echelon assassination encryption virulent strain
Whizzmo
Security is important. And it is very nice to see a security oriented distro like this one come out. This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com, et.al.
That is of course only if I feel I can trust the kha0s people to do their side.
Having a security oriented distro might also make RedHat, SuSE, Debian, etc. incorporate some of the ideas as well, and we will all be much happier.
In very few cases is functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little different. A little more secure.
- the Crazy Fraggle
"The new snap is up. It can be obtained at the following sites:
.4.....
ftp.replay.com
Due to U.S. restrictions on the export of cryptographic material, 0.99-pre4 is not available at ftp.kha0s.org
"
this is from their own site...www.kha0s.org, and the ftp site they mention there, ftp.replay.com DOES have the
weird eh?
-- signed for your pleasure --
I like the idea that the distribution has, but I can't see why they had to pick a name with obvious script kiddy and warez pup appeal. Ah well, names can always be changed. Maybe a Discordian reference for a name? Kalisti Linux? :)
Anyway, I would like to see this thing offer GPL alternatives to SSH 2.0 and PGP, along with all the tools that come with the two floppy distribution, Trinux.
I wonder if Packet Storm Security has posted a link to this yet...
I have to agree to some extent. For example, I would assume that a truly secure version of Linux would drop X, or at least a large chunk of X functionality- so it's all command-line (I'd like to know the rationale if this is not the case). However, it is the case right now that enterprise machines running, say, firewalls are already at this level of paranoia- very little functionality enabled; these are the places you'd want to use this sort of distro. However, you may be right that it will be just as easy to install the components from this distro into a vanilla version of Linux and get a near comparable level of functionality. Their chance to make it popular is in its 'out-of-the-box' functionality as a secure machine.
woops. i just visited the site and was pretty impressed. i take back most of what i said. i am sorry.
How ironic is it that a country that claims that its citizens are so free has the most restrictive and oppressive encryption export laws of the industrialized world.
Notice the golden apple, upon which is written "Kallisti", "for the prettiest one." This was the golden apple that Eris, goddess of discord (chaos), threw into a party when confronted by the Original Snub (not being invited to the party.) Of course all the goddesses assumed it was for themselves and proceeded to fight over it, causing discord.
cool huh?
all hail eris, all hail discordia!
fnord
the openbsd project has reviewed every line of code it distributes. unless these folks are prepared to do the same and adopt a bsd-style development model, this is pointless.
sc
it's kind of a funny story, in a dark, terribly sad sort of way.
www.attrition.org has all the juicy details.
-- r . m o s q u i t o --
It is possible to do secure X connections if you use SSH for all your remote connections. The ssh daemon spawns a "Xserver" on the remote machine you connect to, and forwards all the X communication to this "server" through a secure link to your display. This way, you can remove some of the most basic X security problems.
- the Crazy Fraggle
Certainly true. If I were setting up a seriously secure box, I think I'd just limit my networking services to SNMP and TCP/IP routing (through a firewall, of course). With that tactic, a lot of security issues just go away. Of course, so does the functionality of the OS...C'est la vie.