The US Department Of Defense (DOD) has released version 1.5 of their LPS (Lightweight Portable Security) OS. LPS is a highly secure CD/USB bootable OS based on a thin Linux client.
The LPS family was created to address particular use cases: LPS is a safer, general-purpose solution for using web-based applications.
LPS allows general web browsing and connecting to remote networks. It includes a smart card-enabled Firefox browser supporting CAC and PIV cards, a PDF and text viewer, Java, and Encryption Wizard. LPS turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer. Any malware that might infect a computer can only run within that session. A user can improve security by rebooting between sessions, or when about to undertake a sensitive transaction. For example, boot LPS immediately before performing any online banking transactions. LPS should also be rebooted immediately after visiting any risky web sites, or when the user has reason to suspect malware might have been loaded.
The DOD provides two different versions available for download in the form of an ISO image: LPS-Public (281 MB), and LPS-Public Deluxe (440 MB). The Deluxe edition is the same as the Public, but also includes Libre Office and Adobe Reader.
A few of the recent updates to version 1.5 include:
- Firefox v24 (With HTTPS Everywhere v3.4.5 and NoScript v2.5.8.14)
- Adobe Reader v9.5.5
- Libre Office v4.1.5
- Pidgin v2.10.9
- IPv6 support
- Linux Kernel v3.10.22
LPS has been my favorite go-to tool when I am using a possibly compromised system, or even one that is just plain slow; pop in my keychain USB drive and reboot the computer, now I can do whatever I need without any worries of stolen passwords. I also occasionally use it to test the functionality of the hardware on systems that have a botched OS.
Are there any other great tools like this that you would suggest? What do you use?
(Score: 2, Funny) by gishzida on Monday April 07 2014, @09:52PM
I wonder how many foreign governments / terrorist organizations will appreciate a secure thumbdrive bootable OS... oh wait... what if this was written specifically for their use? Can you say "I've been pwned?!!!"
I can't say I trust like this any more. government =! security
(Score: 4, Informative) by hemocyanin on Tuesday April 08 2014, @05:22AM
To trust the DOD with your privacy is like trusting your dog with a T-bone. This at least has a chance of being legit: https://tails.boum.org/ [boum.org]
One comforting thing -- rather than talk hyperbolically about how secure it is -- it contains a nice set of warnings that geeks should really try to get their non-geek friends to read: https://tails.boum.org/doc/about/warning/index.en. html [boum.org]
(Score: 0) by Anonymous Coward on Monday April 07 2014, @10:01PM
>java
>*adobe* reader
(Score: 1) by DECbot on Monday April 07 2014, @10:06PM
cats~$ sudo chown -R us /home/base
(Score: 0) by Anonymous Coward on Monday April 07 2014, @11:24PM
>java
well, java does suck, but most of the security holes are from the web plugin.
adobe reader, on the other hand, is pretty much inexcusable.
(Score: 5, Informative) by stormwyrm on Tuesday April 08 2014, @01:00AM
I believe the idea behind LPS is that even if security holes are exploited in programs it includes they'll never make any headway because the session is transient and there is no permanent storage. Sure, pwn Adobe Reader all you like, your pwning of my system ends in an hour or so, and you'll be lucky to get anything useful then. Frankly, I'd much rather use Tails [boum.org] if I ever needed such functionality.
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Tuesday April 08 2014, @02:53AM
Yikes, those two security jokes (Adoobey-doo-doo and Oracle-ommmm-Java-will-eat-u).
I don't think I would anyways fall for the DOD's microbrew OS, especially any public "come and get it" release.
Linux, distros from Europe (not India, China, Russia, USA). No Apple products are permitted in my house - seriously, that is my rule.
(Score: 5, Insightful) by edIII on Monday April 07 2014, @10:29PM
While I can appreciate the effort at pushing out a secure OS, the DOD cannot seriously believe for a nanosecond that anyone would trust them.
If you install an OS written by the DOD you can absolutely assume that every effort is being made to make such an OS "transparent" to the various programs the NSA is operating.
Even if you do trust the government that much, the NSA putting back doors into everything has seriously compromised the overall security to the extent that foreign governments and organized cyber crime can use the exact same exploits.
That's the real gift that keeps on giving from the NSA. Fundamentally compromised security that makes everyone suspect everything and crippling the US economy going forward in the technology sectors. I honestly believe we've only seen the beginning in that regard.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1) by EETech1 on Tuesday April 08 2014, @12:50AM
I wonder if it validates SSL properly?
No one else can seem to...
(Score: 0) by Anonymous Coward on Tuesday April 08 2014, @02:44AM
Psst.. mista, I got Linux CD here from North Korea - better trust than USA version...
(Score: 3, Insightful) by edIII on Tuesday April 08 2014, @04:29AM
North Korea could have information on every single one of us and it would be no different than a homeless person having it.
The people to worry about being in possession of that information are your fellow countrymen.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by VLM on Tuesday April 08 2014, @01:34PM
To some extent its the other way around.
A local cop has more info on me, but at least in theory if he sold it, he could be in trouble. Won't in practice, but at least it could happen. So the price won't be high, but there will be a price of sorts.
Some NK bureaucrat? No one here can do anything to him, civil, criminal, or otherwise, so the price is going to be a little less than a local cop would charge to maximize profit.
So you're slightly worse off with NK having your CC number (or whatever) than a local cop. Not much, but some.
(Score: 1) by bookreader on Tuesday April 08 2014, @11:53AM
While I do agree with you, there is the valid option where DOD would like its employees better use department's own little secure OS than anything downloaded from the Intertubes.
(Score: 2) by VLM on Tuesday April 08 2014, @01:30PM
Although you might be implying "because its more secure" the real reason might be "because its way harder to monitor and log our employees every action if they use Debian"
(Score: 2, Insightful) by bookreader on Tuesday April 08 2014, @02:08PM
All I am trying to say is that this is a good move for DOD's management. Whether one would use or not DOD's version of secure OS depends on how much they trust the people who run DOD.
Imagine this is a business case. There is a lot of talking in the public media last couple of years about security - Wikileaks, Snowden, and so on. Many people who never cared before start thinking they should be more 'secure'. So there is a demand for secure platforms. And DOD is supplying a product to this market (for free as in beer). There are certainly people who trust DOD and would prefer their product - goal accomplished for DOD. While here on SoylentNews almost nobody would be in this group, this does not mean DOD's decision to release their 'secure OS' is stupid and meaningless.
(Score: 3, Interesting) by VLM on Tuesday April 08 2014, @02:34PM
One interesting problem neither of us have mentioned so far, is we can assume that "secret pwonage technique #2326" has been embedded in the OS by the DoD to make it easier for them to monitor and track the activities of their own people... And that helps security if you assume only the DoD knows "secret pwonage technique #2326". But how do you know the Chinese secret service and russian private hackers don't know about that technique, perhaps completely independently? Or the same guy who they paid to seed a random function or weaken some other function didn't spill the beans to someone?
TLDR is even if you trust the DoD, they're not omniscient gods. Its quite likely someone else knows the same hacks they haven't publicized yet. No such thing as being wide open to the DoD and no one else.
This is aside from double agent type stuff, where one group tells one local guy to "invent" "secret pwonage technique #2326" because they've got the perfect countermeasure to firewall it or perfect way to detect or block it or whatever.
So you think you're safe from everyone on the planet except for the DoD... however Boeing employees would be idiots to trust this if it turns out the French govt independently can pown those machines using the same technique as the DoD, and it wouldn't be the first time a private company like Airbus got some "extra help", we do it all the time and so do they.
And everyone assumes the DoD powned it, so its going to get a lot of attention from other groups looking for new techniques, so using it is like holding up a big sign saying "fun free stuff here". Or is using it like "hey heres a honeypot"?
(Score: 3, Informative) by tangomargarine on Tuesday April 08 2014, @01:50PM
Technically the whole point is that you *don't* install it...
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Informative) by RamiK on Monday April 07 2014, @10:31PM
SystemRescueCd ( www.sysresccd.org ) is mostly up to date regarding drivers and kernels and comes with all the tools I end up using for the most part.
Kali Linux ( www.kali.org/ ) is very useful since you won't find many of those tools in most distributions but you REALLY need them when someone loses a password or when some weird networking problem creeps up.
compiling...
(Score: 4, Informative) by BsAtHome on Monday April 07 2014, @11:41PM
Indeed, and many more Live-CDs can do exactly what LPS can do and more.
I've been using Linux Mint Live-CD in a VM for all my banking for years. Once in a while I upgrade the CD image. The average session time is often less than 1 hour and 2..3 sites visited.
SystemRescueCD is *the* tool to fix a system because it has all the extra (fix-it) tools readily available. Having multiple sticks lying here (and two in my pocket).
(Score: 1, Interesting) by Anonymous Coward on Tuesday April 08 2014, @12:44AM
Mint hasn't been able to fit on a CD for several releases.
What's your secret? Your own RemasterSys'd respin? Gutknecht's respin of v13(LTS)? [linuxmint.com]
A distro that I like to point to, which once dabbled with DVD-sized releases and quickly reverted to CD-sized ISOs, is antiX (pronounced "Antiques").
antiX will even work on near-nothing hardware. [google.com]
The chief dev, anticapitalista, insists on including LibreOffice in the main build.
-- gewg_
(Score: 2) by tangomargarine on Tuesday April 08 2014, @01:54PM
Yeah, because I want to be running an antique OS. What could possibly go wrong?
I thought last I heard it was supposed to mean "antics"?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday April 08 2014, @07:46PM
an antique OS
...which is supported until 2017. [googleusercontent.com] orig [linuxmint.com]
Your reference is cryptic.
Are you referring to the 13(LTS) version, released in May 2012? [linuxmint.com]
Note that any one of these has better hardware support than a EULAware OS.
...and if your hardware is -really- bleeding-edge stuff, thereare options to cover that. [soylentnews.org]
(The addition of older device drivers to a Linux distro does NOT preclude the presence of newer devices.)
Perhaps you're referring to something else entirely. You aren't very clear.
I realize that when it comes to technology, you are not very adept, [soylentnews.org] but do try to be a bit less opaque.
antics
That's the great thing about Free(dom) Software: You have the freedom to call it whatever you like; some will even use the very unimaginative "Anti X".
Any way you slice it, antiX supports very old kit AND very new stuff.
A distro that will fit on a CD tends to have that sort of capability.
-- gewg
(Score: 0) by Anonymous Coward on Monday April 07 2014, @11:01PM
Community, community, community!
(Score: 1, Informative) by Bartman12345 on Tuesday April 08 2014, @12:42AM
Hirens [hiren.info]
(Score: 1) by coolgoob on Tuesday April 08 2014, @02:01AM
Don't know how I never knew about this. Going to add this one to my list of tricks and will try it out.
(Score: 2) by Subsentient on Tuesday April 08 2014, @03:26AM
Uhh, that OS is NOT secure. Read NSA scandal/prism. DOD seems like it's going to likely be compromised too. Oh, and fuck SELinux, even though I am a Fedora user.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 5, Insightful) by AnythingGoes on Tuesday April 08 2014, @06:32AM
I would say that this should be ok for any trusted hardware, but if you cannot guarantee that the hardware is safe, then all other mitigation factors are moot!
(Score: 2) by tangomargarine on Tuesday April 08 2014, @02:24PM
How would a home user even do that? I thought there were ways to get around all the BIOS-level protections e.g. drain/swap the CMOS battery.
Unless you've always got an eye on your hardware, the hardware isn't safe, so we might as well give up on security.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Insightful) by egcagrac0 on Tuesday April 08 2014, @04:28PM
Just because someone can throw a brick through the window, that doesn't mean we shouldn't make a point of locking all the doors.
Turning a doorknob is easy. Breaking a window and climbing in is slightly harder, but that difficulty may be enough to deter an attacker only looking for low-hanging fruit.
Most of the time, you don't have to outrun the bear.
(Score: 0) by Anonymous Coward on Tuesday April 08 2014, @07:53PM
BIOS (firmware) and CMOS (SRAM) are completely different chips.
-- gewg_
(Score: 0) by Anonymous Coward on Tuesday April 08 2014, @08:06PM
On-screen keyboard [touch-base.com]
Perhaps the distro in question doesn't include that, but the carry-it-in-your-pocket distro that YOU spin can.
The USA gov't's distro can still be useful as an app list, if you need that.
-- gewg_
(Score: 2) by MrGuy on Tuesday April 08 2014, @05:31PM
Until "Secure Boot" renders your ability to boot an alternative OS from separate media an impossibility.
Y'know, like "the present."
(Score: 2) by etherscythe on Tuesday April 08 2014, @09:42PM
...or at least, the very near future [microsoft.com]. Windows 7 has stopped shipping to the retail channel and that is one of the reasons I, as a retail technician, have recently kicked my job search into overdrive.
"Fake News: anything reported outside of my own personally chosen echo chamber"