Linux Distribution: Lightweight Portable Security
Lightweight Portable Security is a LiveCD distro designed by the US Department of Defense to function as a secure end node, in other words, a safe environment from which to access the web or a remote desktop host. The focus is on security, and for this reason, it boots from a CD and executes from RAM, providing a web browser, a file manager and a few other small tools.
The Lightweight Portable Security distribution was created by the Software Protection Initiative under the direction of the Air Force Research Laboratory and the US Department Of Defense. The idea behind it is that government workers can use a CDROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker’s own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so leaves no trace of the user’s activities behind.
If it all sounds a bit cloak and dagger, consider that anyone who wants to quickly establish a secure setup on a PC of unknown security status could have a use for a distribution such as LPS. For example, you may understand computer security, but does the staff of your local library or a hotel?
The first thing that greets you when you first launch the CD is the boot screen, the bottom area of which is dominated by the respective seals of The Department Of Defense, The Air Force Research Research Laboratory and the Anti-Tamper Software Protection Initiative. Helpfully, there is also a note telling you that hitting F2 brings up the startup messages, which mostly consist of a list of loaded Linux kernel modules. LPS supports WiFi interfaces but doesn't current have support for printers or sound hardware.
Following this, you are dumped into a very simple desktop that makes use of IceWM. The layout is the familiar combination of application launcher and task switcher bar along the bottom the screen. Perusing the installed applications reveals that this is a very minimalist desktop indeed. You are given the Firefox web browser, a text editor and a file manager that can manipulate files in the RAMdisk or a flash drive. There is also a remote desktop client that works with RDP or Citrix hosts and a tool to deal with files that have been AES encrypted.
There doesn’t seem to be any obvious scope for adding applications to the distribution. In fact, the website advises the user to contact the development team with feature requests, reasoning that if one person wants the feature, other people might also.
Loading up Firefox, I was a little surprised to find that it was a fairly up to date, stable build and it included the Flash plugin, but I suppose, most web workers need Flash at some point, these days. It also comes with plugins to change the browser agent string, send encrypted messages via Gmail, work with encrypted files and to synchronise bookmarks with an online server.
Conclusion
LPS is obviously a niche distro. If your needs are specific, and you just just need a basic web browser and a remote desktop client on a disc or to hand out to someone who might get lost with a more complex live CD, this might be the distro for you. It also offers an interesting insight into how organisations are creating custom Linux builds to meet niche requirements. The website itself goes into quite a lot of detail about the rationale behind LPS.
The LPS website.
______________________
UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics. His byline has appeared in several technology publications.
The Magazine
The July 2011 Issue
Focus: Cool Projects
- Peppermint OS: Cloud Oriented Desktop Distro
- Speed up your downloads with Axel
- YAAAUU (Yet Another Article About Ubuntu Unity)
- Validate an E-Mail Address with PHP, the Right Way
- Boot with GRUB
- Writing a Simple USB Driver
- Paranoid Penguin - Building a Secure Squid Web Proxy, Part IV
- Accessing Remote Files Easily and Securely
- Tech Tip: Really Simple HTTP Server with Python
- Drop Your Dropbox and SparkleShare Instead!
- Aria2
36 sec ago - Gnome 3 is stable, Unity is not
1 hour 56 min ago - "It's all about how new users
4 hours 16 min ago - Favorite OS
7 hours 25 min ago - My friend runs a little home
7 hours 28 min ago - Why Mark Stallworth is developing the Unity Desktop
9 hours 18 min ago - How is Mint? I think I will
10 hours 55 min ago - my favourite silly software
11 hours 27 min ago - I think that Slackware is the
12 hours 22 min ago - To their credit they did warn
12 hours 26 min ago
Comments
Hardware keylogger
Is Linux provide security to save our key stroke with both harware and software key loggers?
Has anybody found the backdoor?
sorry guys, but why should anybody trust them?
it would be ridiculous
Same ideal different OS
I have been using browser Linux a puppy decedent for the same purpose, but I just don't save the session at the end. I imagine this has better security though.
Special hardware?
Guys, why are you talking about USB CCID-compliant CAC/PIV smartreaders in the comments. I didn't see it mentioned in the article. Do you need this special hardware to run this distro then?
I was also wondering if this ran in some kind of VM on the current Windows OS? I mean the article indicates you can use it in hotel and library PCs, but I have a suspicion you'll have to boot this and I tell you, my library really wouldn't appreciate me waltzing in and booting my own OS from their machines. They'd be like, "Hey, you! GTFO!" :D
Not secure.
Running it as a guest of a compromised OS isn't going to provide much security. Beside providing no no defense against a software key logger, your standard windows machine that does a memory dump to hard disk whenever you run into an error. You will have your data easily available to inspection by those in the know. It would provide a small amount of data security, but nothing very strong.
Even this distro is still vulnerable to a hardware key-logger, or a BIOS key-logger, or a BIOS hack that dumps memory to hard drive every time you shut it off. It's vastly superior using a unsecured windows box to check security related e-mail, but not as good as having a machine which has always been in trusted possession.
Slap my head, Why didn't I think of that?
This is just too obvious, too simple! 'LPS is a simple Linux LiveCD that only runs in RAM and can't read/write the harddrive.' I get it!
Instantly one gets rids of Advanced Persistent Threats, keyloggers, malbots and all that other nasty malware, whether its in the PC's storage (avoided) or just downloaded (disappears when turning off). That protects me.
But it also protects MY NETWORK. If I could get my telecommuting co-workers to use this, then I'd no longer clean up all the crap they unknowingly infect my servers with AND the time-suck of reviewing logs of what people downloaded to their home PCs goes away.
Updates rolled regularly....
Noticed LPS distro's posted every few months, therefore I suspect that's how they update, but burning a CD for each build sux. The release notes suggested big smartcard (CAC and PIV) problems awhile ago but nothing recent - appears fixed; they advertise full capatibility. About licenses, its GNU GPL (Thinstation Linux) and plus a folder has many for its components - Citrix, Firefox, etc. Ran LPS in VMware and monitored its activity - noticed nothing suspicious, actually exceptionally very little. Typical scans don't show anything either. (Anyone notice anything?) What is odd, its from the AF Lab? Kinda strange a bunch plane & rocket scientists are publishing Linux and winning many awards (just google "Lightweight Portable Security LPS award"). The Labs invent stuff but don't retail like this. Digging into it, the already thin thinstation its really been stripped down more.
Why would you think there
Why would you think there would be anything suspicious in a Linux distro put out by the AirForce? They're on our side... And I can assure you the "plane & rocket scientists" aren't the one's who worked on this. The AirForce has a world class IT program.
The last time I tried this
The last time I tried this anorexic distro it did not fully support some standard CAC readers and there problems talking ICCD and CCID to smartcards. That coupled with the fact that there was no package manager or GCC made it pretty damn difficult to troubleshoot. Without CAC support it's pretty useless.
I'm surprised to find LJ reviewing it. Perhaps I'll give it another go.
No CAC support?
Now that I find very odd, especially considering it was developed by a group that pretty much has to use the CAC cards to go to the bathroom....
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack
CAC
According to the site, it has CAC support.
http://spi.dod.mil/LPS-Public_for_DoD.htm
UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics. His byline has appeared in several technology publications.
Interesting article but......
Looks pretty much like Puppy Linux to me.
Nice idea ... but I'll pass
I really like the idea of this distro but there is no way in hell I'm running software created by our government. I didn't see any mention of the license or the availability of source code.
It's GPL
It doesn't say what version, but the user manual (section 6.2) cites that it's GPL:
"LPS-Public uses free software components under the GNU Public License (GPL). The standard
LPS software can be freely distributed without restriction."
The AirForce is the one branch I actually do trust with this.
I'm not a Govm't fanboy but the AirForce is a very capable and trust worthy branch of the DOD. I'm excited to see the military show more interest in Linux. I've been advocating it for a couple years now. DOD wide. I personally think they need to make a DOD Linux for everyday operations. (This one isn't it... It's good for what it's used for...)
License
I noticed in the manual you will agree to a license to proceed during the loading process, I didn't see anything concerning what type of license or a link to review the terms in advance.
It may be too much to hope that it's a simple GNU GPL type.
Thanks you
Thanks for this article.
VPN
I'm just downloading this now and I've looked through the manual, I didn't see any mention of creating VPN connections though.
Does anybody know if they have set this up as an option?
Thanx!
VPN
This distro sounds interesting from a security perspective, with the usage of the smart cards and what not. Wish i has one of those USB Smartcard devices to learn and test it out.
They do also have a custom version that has a VPN capabilities. It is called "LPS-Remote Access", you have to make a request for it though.
https://spi.dod.mil/COOP/DoD_reg_SSL.htm
$10 smartcard reader
USB CCID-compliant CAC/PIV smartreaders are actually quite common & cheap, $10-$20 on Amazon /eBay, look for SCR331 and SCR3310. Even an old one will work since LPS has the OEM's firmware updater built in
Thank you...
Nice review.
I think you would be better served to Dl ANY of the many LIVE Distro's available! Update: Needs 1Gb RAM; looks official!
Looks alot like Windows Classic!
Got an award for it too! http://defensesystems.com/articles/2010/10/18/gcn-awards-air-force-light...
...I'm not just a "troll", but also a subscriber!
Good use of Linux
Thanks for writing about this, It's good to see the military putting some trust in Linux. Bypassing a malware-prone disk-based install is a good way to ensure your running system is clean when security is a primary concern.
Cheers!
United States Department of Defence or Defense?
Are we sure this is really made by the United States Department of Defense? You wrote "Defence" with a "C".
Is this a typo, or is that how they wrote it on their site?
I don't really trust it.
Of course, I'm a little paranoid when it comes to unfamiliar distros.
http://filmsbykris.com/
Everything you ever need to know about Open-Source Software.
Yes it's really is created by
Yes it's really is created by the AirForce/DOD. I use it at work.
Corrected
Corrected. As David says, I got a bit confused between the British and American spelling.
UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics. His byline has appeared in several technology publications.
It's a UK thing...
Given that Michael is a Brit, I suspect it is a typo...they spell defence correctly ;)
The LPS site is a US DOD military web site.
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack
confidentiality
hello, j' would like to know how can one speak about sécuriter when one calls same upon google if c' is encrypté, knowing that google guard the user data X time!