Slashdot Mirror


kha0S Linux - It's all about Security

F1reF0x wrote to us with an interesting story on Linux Today about kha0S Linux - a distribution primarily based on creating the most secure distribution possible. You can check out kha0s.org. Due to the United States "interesting" crypto laws, 0.99-pre4 is not currently available on the FTP site.

9 of 89 comments

  1. Addressing the concerns/confusion/questions. by M. Adam Kendall · · Score: 5

    I have seen a lot of comments here about the 'lame' name, concerns on US export restrictions, backdoors in the code, auditing of code, BSD style development, etc, etc, etc. So, let's just try to address any and all concerns anyone may have.

    1. Export regulations. We do have developers in other places besides the US. We also have distribution points that are not located in the US. The project leadership does originate in the US, but that does not limit us at all. All cryptographic components are worked on by developers outside the US, and distributed from sites outside the US. There is more to this distribution besides the cryptographic components, and therefore US developers are not hindered from helping out with the project. We do audit ALL source code that has been released, and we invite you to do the same.

    2. Backdoors and code auditing. Since we do audit the code, and invite you to do the same, there need not be any worries about backdoors. We are trying to PROMOTE security and the idea that linux is a secure OS. By putting backdoors in code this would not only hurt our credibility, but the credibility of the linux community in general.

    3. The 'lame name'. Ok. This one is not quite as complicated as you all may think. It comes down to several things really. First, as someone else has pointed out, the name is mainly based on myth and legend of the golden apple, inscribed with Kallisti. Planted by the goddess of discord, or chaos. Now, whoever has lately tried to reserve a domain name can tell you, try getting chaos.org, or net, or whatever. So, we had to be creative. Does it sound a little bit 'script-kiddie'ish? Probably. Can the name change? Maybe. Does everyone like the name? Probably not. Do we care? Doubtful. It comes down to this: If you like what we are doing, great, if not, great.

    In closing, we are not asking anyone to trust us. In fact, we are hoping you don't. Be paranoid, check out our code. We invite you to, as we have.
    kha0s is not for the light of heart in this stage. In the future this will change as we add things to the distribution to allow seasoned professionals and newcomers alike to install, configure and run kha0s without having to worry about whether you did or did not forget to turn on ssh and disable rlogin.

    Should anyone wish to learn more about the project, or help in the development effort, you can subscribe to our mailing list. Send an email with the subject: Subscribe to kha0s-dev@kha0s.org and you will be subscribed.

    M. Adam Kendall
    mak@kha0s.org
    http://kha0s.org

  2. Re:I'd rather not find the pot of gold at the end. by Psarchasm · · Score: 2

    Speaking as a network security manager for a 10k user network and a former victim of hacking attempts and successes, I agree.

    However, speaking as a user, and having bosses that want functionality first and security second, I feel I can safely back up my claim that the general populace want security second. I don't care how secure it can be, if it's difficult to use it won't be used or it will be used improperly. I am constantly arguing the benefits of an application level (proxy) firewall over a circuit (packet filter) based firewall. It's a lost cause, the monetary benefit will almost always outweigh your perceived gain in security.

    This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com, et al.

    Yikes! Now that is a scary notion. Microsoft, Sun, SGI, HP, Red Hat, etc... all fail at this. Even relying on Bug Traq and the like for your security measures is only a secondary response to a primary issue. If someone is good enough, they will get in. And a distribution like this will give people like yourself a false sense of security. You do what you can, where you can, when you can. And you keep doing it over and over. You build application architectures as securely as you can, and then limit access to those applications to only the people who need the access. Then you stick in your safeguards against those who would attempt to thwart those restrictions. A generic rule of thumb at best, yes.

    In very few cases is functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little different. A little more secure.

    How large a network do you work in? Did you build the network yourself or did you have to take it over? How large is your security team? Maybe you know something fundamental that I don't. Security isn't as easy, and when you talk to the bean counters, if the possible loss isn't high enough then security will be pushed under the rug.

    Again, I do think it's nice that this distro is coming out, I do applaud their efforts. But no one can make a secure Linux or *insert OS here* distribution that will make me any happier. The secure distribution that is best is the one you put together yourself for the job at hand. You do this by taking the one that is easiest for you to use (the one you feel most comfortable with) and shredding it to pieces. Leave nothing but what is absolutely needed, then secure it - first from the network, then from the users.

    --
    http://windows.scares.us
  3. Re:ftp.khaos.org - why keep it in the USA? by remande · · Score: 2
    However, how can you guarantee that it is "made in the USA"?

    If you're talking about export regs, that question is irrelevant. If you have strong crypto code within the US, it is illegal to export it even if it was imported. The place of origin is irrelevant.

    BTW, NAI has a neat way of dealing with it. All these export regs do not apply to source code in the form of a printed book. Publish, scan, and compile. And, voila! Legally exported code. NAI does this to ship their code to their international site in the Netherlands.

    --

    --The basis of all love is respect

  4. Re:Backdoors by Colm@TCD · · Score: 2

    When such a distribution becomes available, I imagine that lots of people will be taking a very close look at the source, to check for back doors... that's one of the big strengths of Open-Source - it's very hard to "slip something in" without it being easily noticeable.



    ObMSbash: compare and contrast NT - do you trust all of Microsoft's programmers?

  5. I'd rather not find the pot of gold at the end... by Psarchasm · · Score: 2

    of the rainbow.

    I applaud efforts such as these, and I hope they end up with a successful distro. But I doubt they will. No matter what the headlines read, people want functionality before security. And while I hope to enjoy the fruits of their labor on such a project, I will most likely never use it in production.

    Instead I will end up looking at how it works, and taking the bits and pieces that I think I can gain the most secure functionality from. Possibly even repackaging them for easier installation on my own personal favorite distribution.

    A grand idea indeed. But I much prefer the right tool for the right job approach, than the use a flamethrower to light my cigarette approach.

    --
    http://windows.scares.us
  6. ftp.khaos.org - why keep it in the USA? by CrazyFraggle · · Score: 2
    Due to U.S. restrictions on the export of cryptographic material, 0.99-pre4 is not available at ftp.kha0s.org. We are working with an attorney in order to determine if and how we will be able to distribute kha0s from the United States.
    But does ftp.khaos.org have to be in the USA? AFAIK ftp.kerneli.org is located in Norway to avoid restrictions on IPsec and other security stuff in the kernel. Why does Khaos have to use an American ftp site?
    --
    - the Crazy Fraggle
    1. Re:ftp.khaos.org - why keep it in the USA? by CrazyFraggle · · Score: 2
      I see the problem. However, how can you guarantee that it is "made in the USA"? Since we are talking mainly OpenSource software, there is a great chance that some part of almost every component has been made/modified outside of the US.

      Take SSH. I assume it will be in this distro. SSH is currently located in Finland. Putting it in an American-based distro is import, not export. (Why are there no legislations on importing things the American government doesn't want to be exported?)

      But since a distro is basically a collection of software, how can anybody say for sure that it was collected in the USA? If say, I log into an ftp server in Belgium on a shell account, and then download the software packages from servers in Finland, Norway, Iran, whatever to that computer. Bundle them together and call them a distro. Even if I do that from the US, I still haven't exported anything, since none of it has come through the US.

      --
      - the Crazy Fraggle
  7. Re:Yeah, but what if... by Le douanier · · Score: 2

    In every system you have to put your trust somewhere (or to recode all in hex like the previous poster did). In this case I would rather put my trust in RMS and the FSF than in any closed source software.

    Of course you can do what you did (and this already has been done) but you can do a program that checks for this kind of backdoor too I think. Or you can compile the things in assembly language and then verify that there is no back door before feeding it to the assembler (don't know if this is the correct English word). Of course this can be the assembler that implements the back door...or this can be the linker that adds the back door at loading time.....

    --
    "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
  8. Good to see a less insecure linux by elflord · · Score: 2
    The defaults in some linux distributions are ridiculous. It's easy for a newbie to plug in a distribution, and have fingerd, telnetd, (anon) ftpd, rshd, and rlogind all going out of the box. And these services are kind enough to proudly and loudly announce the kernel version to any potential crackers. I hope this distribution will default to more paranoid settings, and use the convention that the user has to know what they are doing to turn a service *on*, not to turn it *off*.
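
An added example, not part of the original comment thread: a default-deny audit of an inetd.conf-style file, in the spirit of comment 8's "know what you are doing to turn a service *on*". It assumes the daemons named there are launched from inetd under their usual service names (finger, telnet, ftp, shell, login); the function names, the allow-list argument and the sample file are constructed for illustration.

```shell
#!/bin/sh
# audit_inetd FILE "ALLOWED SERVICES"
# Prints "<verdict> <service> <daemon>" for every ENABLED entry:
#   RISKY      - one of the daemons comment 8 names (flagged even if allowed)
#   UNEXPECTED - enabled, but nobody opted in to it
#   OK         - enabled and on the allow-list
# Returns non-zero if anything other than OK is enabled.
audit_inetd() {
    awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            m = split("finger telnet ftp shell login", r, " ")
            for (i = 1; i <= m; i++) risky[r[i]] = 1
        }
        /^[ \t]*#/ || NF < 6 { next }   # commented out (disabled) or malformed
        {
            # When wrapped by tcpd, the real daemon is the first argument.
            daemon = ($6 ~ /tcpd$/ && NF >= 7) ? $7 : $6
            if ($1 in risky)   { verdict = "RISKY"; bad++ }
            else if ($1 in ok) { verdict = "OK" }
            else               { verdict = "UNEXPECTED"; bad++ }
            print verdict, $1, daemon
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample resembling an out-of-the-box configuration.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real host
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    stream  tcp  nowait  root    internal
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd
EOF
}

SAMPLE=$(mktemp) && write_sample "$SAMPLE"
audit_inetd "$SAMPLE" "auth" || echo "review needed: services enabled without opt-in"
rm -f "$SAMPLE"
```
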