The Air Force's secure Linux distribution
Summary: Linux has long had a close, working relationship with governments, but Lightweight Portable Security (LPS) is the first official U.S. Linux distribution.
Outside of the U.S., there are several "national" Linux distributions. These include China's Red Flag Linux, Turkey's Pardus, and the Philippines' Bayanihan. Other countries, like Russia, are on their way to moving their entire IT infrastructure to Linux and open-source software. In the U.S., the government, especially the military, makes use of Linux all the time. Indeed, Security-Enhanced Linux (SELinux), the most popular software set for hardening Linux against attack, is sponsored by the National Security Agency. But there hasn't been a national American Linux desktop distribution... until now.
The Software Protection Initiative (SPI), under the direction of the Air Force Research Laboratory and the U.S. Department of Defense, recently created Lightweight Portable Security (LPS). As the name indicates, this is a small Linux desktop distribution that's designed for secure use.
LPS is designed to boot from a CD or USB pen-drive on any Intel-based computer. It doesn't install anything. It's designed to run solely in memory and to leave no traces behind when you're done running it.
According to the SPI, LPS "allows general Web browsing and connecting to remote networks. It includes a smart card-enabled Firefox browser supporting Common Access Card (CAC) and Personal Identity Verification (PIV) cards, a PDF and text viewer, Java, and Encryption Wizard - Public." With it you can turn your untrusted Windows or Mac home or public system into a trusted network client. "No trace of work activity (or malware) can be written to the local computer."
It's not your usual operating system in other ways as well. LPS isn't meant to be patched. When it's updated, you need to download a new virgin copy of the operating system. LPS is updated at least every quarter. To get the best possible protection the SPI recommends you simply download a fresh copy of the distribution with every update.
LPS has a very simple interface based on the IceWM desktop. More than anything else LPS looks like Windows XP. As you'd expect from a "safety first" distribution, it comes with a minimum of applications. These include the older, but still essentially secure, Firefox 3.6.22 Web browser, the Leafpad text editor, and the OpenSSH secure shell client and Citrix XenApp client for running remote desktop sessions.
For some reason, the distribution also includes Adobe Flash. Considering Flash's recent checkered security record, I wouldn't have included it had this been my distribution.
The encryption wizard is simple for anyone over the age of eight to use. When you launch it, you get a small window where you can drag-n-drop files to work on. Once there, you have three large buttons to choose from: "Encrypt," "Archive," and "Decrypt." I think anyone can handle that! There's also a Deluxe version of the distribution that comes with OpenOffice and Adobe Acrobat.
Is this distribution for everyone? Heck no. But, if you want a secure desktop operating system you can carry in your pocket and use on almost any computer you're likely to find, it's well worth burning to a CD or USB drive.
Talkback
RE: The Air Force's secure Linux distribution
Thanks, guys.
~taxpayers
obviously, you missed the part that said...
[i]"LPS isn't meant to be patched. When it's updated, you need to download a new virgin copy of the operating system. LPS is updated at least every quarter. To get the best possible protection the SPI recommends you simply download a fresh copy of the distribution with every update."[/i]
And the big 3 attack vectors (Java, Flash, PDF) for Linux are [i][b]a lot[/b][/i] different than the same for Windows.
Flash and Java vulnerabilities have not been exploited on the Linux desktop
SELinux
The Apps in this Distro are sandboxed (Linux Security Module: SELinux), so if there's a bug, it goes nowhere as SELinux simply will deny privilege escalation.
Not ordinarily an issue
The nature of open source Distros is such that the repository maintainers ensure that an update reaches your PC if/as/when a patch becomes available--that goes for the underlying O/S as well as Apps. Always been that way.
Peace. Out.
RE: The Air Force's secure Linux distribution
"OS with less than 2% market share."
This has nothing to do with market share. It's the architecture.
RE: The Air Force's secure Linux distribution
"This has nothing to do with market share. It's the architecture."
Yeah, right ...
kernel.org
linux.com
mysql.com
...
Linux servers play in the major league and they get hacked. Linux desktop users are safe because their market share is so low, not because Linux and the various distros built around it are secure. The malware miscreants simply don't care about the Linux desktop.
Like any OS: configuration + patching + monitoring. And one can still get pwned via 0-day exploits. Thus, monitoring.
For your reading pleasure:
http://www.amazon.com/Hardening-Linux-James-Turnbull/dp/1590594444
And for the Linux desktop, peruse some of the posts at The Invisible Things Lab's blog. Expand your mind.
RE: The Air Force's secure Linux distribution
Any memory encryption?
Re: freezing RAM
Ok, well, let's go ahead throw the "Military bases in the Arctic" out the window, because I'm sure those bases have walls, doors, heating units, etc... unless you're suggesting they just have rows and rows of terminals sitting on tables outside?
As far as freezing the RAM, yep, you're right. All a would-be hacker has to do is get the military tech to fire up a session of SEL, do their work...and when the military tech is done, the hacker can ask them to hold the screwdriver while the hacker freezes the RAM chips, takes them out, loads them up... then he's off to perform forensics.
...I'm sure the military tech won't mind.
RE: The Air Force's secure Linux distribution
Well, the nature of the military is that their bases do get attacked from time to time, whether they mind it or not.
RE: The Air Force's secure Linux distribution
http://www.engadget.com/2009/05/01/air-force-now-using-super-secure-version-of-windows-xp/
Also, with anyone being able to throw code into Linux there is no way to tell if it's secure or not, which is why we are always hearing about trojans on it. It's a big no-nix to Linux for me.
RE: The Air Force's secure Linux distribution
LOL!
Love - I enjoyed the part of the article from 2009 - The custom build ships with over 600 settings bolted down, and a security patch turnaround of just 72 hours compared to the standard edition's 57 days. It is now 2011; the Air Force stopped using XP.
LPS is the only Department of Defense-approved remote access solution using non-Government-Furnished Equipment.
They're using XP, eh?
Maybe that's why WMDs were never found? ;)
Of course, Loverock, by pointing out that specially designed 'secure version' of XP...
what you're also saying is that all other versions are insecure, just by deductive logic. :(
RE: The Air Force's secure Linux distribution
Ludicrous argument, there is no normal person in this world who is going to review 40 million lines of code to check for vulnerabilities, prior to using the OS.
Windows is secure, there is no need to actually review the code to state this, it has proven its security ever since they hardened it when they introduced Vista.
Last time I looked the Linux Foundation was still down, I guess even in the open source community, reviewing of code isn't a cottage industry either.
RE: The Air Force's secure Linux distribution
People review the code in Linux all the time, and many eyes make light work, and you would only have to view the code named _NSAKEY, but you can't so I guess you will just have to believe what M$ tells you.
And we are talking about the same Windows, right? The one that has hundreds and thousands of viruses and malware, not to mention TDL-4. I guess your definition of secure is different from mine.
And by the way my desktop isn't a server so I don't need to worry about someone hacking it.