DoD offers up tiny, secure Linux distro (geek.com)
58 points by thomas on July 22, 2011 | 30 comments



I've tested LPS in the past. Their primary goal is to provide access to your "enclave" (remote access services offered by your command) while leaving no trace on the local machine. So you could be staying at the Omni Hotel in Belgrade and still check your command email from their business center.

As a practical matter, it verges on completely useless for any serious business. Note the screenshots don't include evidence of Citrix running, or even a web browser. There's no package management. You couldn't install it if you wanted to. As I recall, I never got networking up. That was a snapshot release from ... March, I believe.

I'm glad to see someone in US government working on desktop Linux. I would love to say goodbye to Windows XP. That said, for the advertised purpose, I've found an Ubuntu thumbdrive much more practical.


Hardware can be easily rigged. A keylogger can be installed on the real keyboard to capture the typing when LPS is running. It's better to carry a DoD-issued netbook to do secure business.


It sounds like this system is meant to be something along the general lines of something like Tinfoil Hat Linux.

If you're expecting Citrix... you're probably not in the target audience.


I was asked to look at it, as I was also testing a Cr-48 at the time. I'm pretty sure I'm the target audience, and the target audience is offered many services via Citrix. Citrix has had Receiver for Linux for years. This project just isn't there yet.


There is a Firefox icon on the desktop in the screenshot, and the article specifically mentions being able to run Firefox.


Yes, it can execute /usr/bin/firefox, but that doesn't do much good without eth0, iwi0, wlan0, en0, etc.


The article doesn't specify what distinguishes this from a regular liveCD Linux distro. My guess is that the DoD has hardened the included kernel (possibly included SELinux) and curated the included packages for security, but the article doesn't say. It also doesn't specify what, if any, special configurations it has made to the standard included packages to make this more secure.


One thing that distinguishes it, from the article, is that it doesn't mount the machine's hard drive.

Anyone can do essentially what they're doing just by using a live CD. They've gone a bit beyond that by not mounting the hard drive as noted, and whatever other changes they've made that the article doesn't specify.


Most LiveCDs don't mount hard drives unless you specifically tell them to do so, for example, by clicking on the drive icon. Perhaps this distro disables even that capability, so you can't leave any trace on the machine even if someone got you to run the latest Firefox exploit.


This distribution has stripped hard disk support from the kernel. It is intended as a relatively more secure browsing platform (with support for DoD two-factor authentication for email access, etc.). I provide it to my parents for browsing the web, and my tech support calls from home are gone.


Correct. I played with this for a while and couldn't find a way to mount. You're booted in as a non-root user and don't know the root password. There's all sorts of stuff you can't do with this. I think this may be primarily being developed as a counter-intel tool.


I'm really curious to know what this was originally designed for.

It has consumer-friendly "Windows XP" style UX and the user it logs into isn't root/sudo.

This all leads me to conclude the original purpose of this tool was for "normal people" to use, and so I'm left wondering whether it was for agents or informants to be able to communicate back to the mothership securely.

If this was for security personnel or those performing forensics on evidence, there wouldn't be cutesy UX and it would be logged in to root. If this was for 'rank and file' staff in CIA/FBI offices, they wouldn't need a portable distro.


This is intended for rank and file staff of the DoD (as a DoD product) to use along with their CAC to connect to various DoD sites using CAC authentication. The theory is that you can load this onto a thumb drive or CD, take it and a CAC reader with you and plug both into any internet connected computer, providing you with a simple terminal for mundane office tasks (read: email).


"Running it from a CD means there is absolutely no way the OS can be compromised..."

... except if the underlying hardware is compromised.


Even if the hardware isn't compromised, the OS running in RAM can be taken over as easily as a disk-based system can. It's just that the OS will be reset and 'cleaned' when the machine is rebooted.


In case you are interested in the actual distribution, it seems to be here:

http://www.spi.dod.mil/lipose.htm

but the server looks busy.


There's a bunch of icons on the desktop that look directly cribbed from Windows (show desktop, command prompt, documentation), are those legit?


The spi.dod.mil server is clearly overloaded and downloading this is difficult.

Can anyone who's downloaded this give us an MD5 hash on the files, as I'm going to try to download this from a mirror? (Why the DoD hasn't published an official MD5 for these I don't know.)


http://www.spi.dod.mil/docs/Hashes.pdf

MD5 and SHA256 hashes, from the DoD of all people.


s/MD5/SHA-256/ or some sort of PGP signature...


How is this any different than Knoppix with scratch turned off?


Back door, anyone?


My thoughts were "That's probably a great project, but no one is going to use it because they'll be worried about a back door." Although it couldn't be that hard to find one - log traffic on startup, see if it makes any requests to servers not requested by the user. Unless the theorized back door is better hidden, such as by introducing a vulnerability into its SSL implementation (and whatever other encryption tools for network traffic it uses) that makes it much easier to decrypt intercepted traffic (not sure how viable that would be; it's not my field of study).


I can think of two very obvious ways to suborn lib_openssl (obvious in that a competent auditor would find them) after relatively little due diligence.

1. Cripple the random number generator similar to the Debian bug from 2008. This would be difficult to spot through source inspection, but not hard to spot from active queries.

2. Include valid certificates in the trusted certificate store that allow the distributor to execute a man-in-the-middle attack. This becomes even easier if the DNS servers are hardcoded to be those of the attacker.

Basically, if you think the US Air Force has reasons to snoop your communications; don't use their software to communicate. Linux is freely available, build your own high security distro or use OpenBSD or write your own from scratch, don't assume software is secured unless you implicitly trust the person who claims it has been secured for the purpose you are using it; and even then they might be wrong.
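
An added example, not part of the original thread or of LPS: one way an auditor could run the trust-store check implied by point 2 in the comment above is to fingerprint every certificate in the image's CA bundle and diff it against a bundle from a source the auditor already trusts. The function names are hypothetical and the sample bundles are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(bundle_text):
    """Return {sha256 hex of DER bytes: position in bundle} for each PEM block."""
    found = {}
    for index, match in enumerate(PEM_RE.finditer(bundle_text)):
        # Strip line wrapping before decoding the base64 body to DER bytes.
        der = base64.b64decode("".join(match.group(1).split()))
        found[hashlib.sha256(der).hexdigest()] = index
    return found


def diff_trust_stores(reference_text, candidate_text):
    """Compare two CA bundles by certificate fingerprint.

    Returns (added, removed): fingerprints present only in the candidate
    (anchors the reference does not vouch for) and only in the reference.
    """
    ref = fingerprints(reference_text)
    cand = fingerprints(candidate_text)
    added = sorted(set(cand) - set(ref))
    removed = sorted(set(ref) - set(cand))
    return added, removed


def pem_block(payload):
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    body = base64.b64encode(payload).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "\n-----END CERTIFICATE-----\n")


# Constructed sample data: placeholder payloads standing in for DER certificates.
REFERENCE = pem_block(b"constructed-root-A") + pem_block(b"constructed-root-B")
CANDIDATE = REFERENCE + pem_block(b"constructed-extra-root")

if __name__ == "__main__":
    added, removed = diff_trust_stores(REFERENCE, CANDIDATE)
    for fp in added:
        print("only in candidate image:", fp)
    for fp in removed:
        print("missing from candidate image:", fp)
```

Against real bundles, each fingerprint reported as added is a trust anchor to inspect by hand before relying on the image for TLS.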


This was the first thing that came to my mind. Sure would make "wiretapping" those Linux boxes a bit easier.


Why not just offer a set of patches? It's a lot of work to create and maintain a distro.

Or the DoD could always go back to helping OpenBSD :)


Because patches can be applied against sources that haven't been completely audited.


Like the concept, but it kind of sketches me out that they're that good at running systems in RAM after reading about how Stuxnet does exactly that. Take a little, give a little, I guess.


LiveCDs have been doing this for ages. This has nothing to do with Stuxnet.


Why not Chrome?



