Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Linux Software

kha0S Linux - It's all about Security 89

F1reF0x wrote to us with an interesting story on Linux Today about kha0S Linux-a distribution primarily based on creating the most secure distribution possible. You can check out kha0s.org. Due to the United States "interesting" crypto laws, 0.99-pre4 is not currently availible on the FTP site.
This discussion has been archived. No new comments can be posted.

kha0S Linux - It's all about Security

Comments Filter:
  • Poor planning involved here, I think. This type of project should be done in a FREE country, where one's work can be distributed as desired. I hope someone doesn't make this mistake again.

    p.s. - I am a US citizen


    And what if you decided to make a distro like this? Are you going to move to another country before creating just so you can distribute it when it's done?
  • I have seen alot of comments here about the 'lame' name, concerns on US export restrictions, backdoors in the code, auditing of code, BSD style development, etc, etc, etc. So, let's just try to address any and all concerns anyone may have.

    1. Export regulations. We do have developers in other places besides the US. We also have distribution points that are not located in the US. The project leadership does originate in the US, but that does not limit us from at all. All cryptographic components are worked on by developers outside the US, and distributed from sites outside the US. There is more to this distribution besides the cryptographic components, and therefore US developers are not hindered from helping out with the project. We do audit ALL source code that has been released, and we invite you to do the same.

    2. Backdoors and code auditing. Since we do audit the code, and invite you to do the same, there need not be any worries about backdoors. We are trying to PROMOTE security and the idea that linux is a secure OS. By putting backdoors in code this would not only hurt our credibility, but the credibility of the linux community in general.

    3. The 'lame name'. Ok. This one is not quite as complicated as you all may think. It comes down to several things really. First, as someone else has pointed out, the name is mainly based on myth and legend of the golden apple, inscribed with Kallisti. Planted by the goddes of dischord, or chaos. Now, whoever has lately tried to reserve a domain name can tell you, try getting chaos.org, or net, or whatever. So, we had to be creative. Does it sound a little bit 'script-kiddie'ish? Probably. Can the name change? Maybe. Does everyone like the name? Probably not. Do we care? Doubtful. It comes down to this: If you like what we are doing, great, if not, great.

    In closing, we are not asking anyone to trust us. In fact, we are hoping you don't. Be paranoid, check out our code. We invite you to, as we have.
    kha0s is not for the light of heart in this stage. In the future this will change as we add things to the distribution to allow seasoned professionals and newcomers alike to install, configure and run kha0s without having to worry about whether you did or did not forget to turn on ssh and disable rlogin.

    Should anyone wish to learn more about the project, or help in the development effort, you can subscribe to our mailing list. Send an email with the subject: Subscribe to kha0s-dev@kha0s.org and you will be subscribed.

    M. Adam Kendall
    mak@kha0s.org [mailto]
    http://kha0s.org [kha0s.org]
  • I'm always wondering what security tweak I missed when I set up a system. I'd rather try to use a service and get an authorization, authentication or permissions error that tells me I need to slightly relax paranoid security than have my permissive system compromised because I didn't know to edit /etc/inetd.conf.

    In the short run I'm sure this would result in FUD about functionality, but I bet it would be a strategic win for the reliability and security reputation.

  • Is it just my Imagination or does the site clearly state that the software ***********IS************ available for download in the NETHERLANDS. It is not available on their server, however, it is "AVAILABLE". Why this hype over US export laws etc.... it CLEARLY states that the distribution is available. Sorry for being so negative, but no one ever posts any of my submissions and then crap like this gets posted.
  • It's my understanding(and I could be wrong) that putting the distro on a server that is accessable by the world violates the encryption export laws. If there was a way to guarantee that only U.S. citizens could download it, then they could release it.
  • Indeed we are a bit 'lagged'. This the direct result of there being only a handful of developers currently working on the project. However, given this unexpected post on /. we seem to have caught the interest of quite a few potential developers.

    For those who are interested, the source tree is a bit sparse at the moment. Again, this is due to the fact that our snapshots have been primarily for 'in-house' use at this stage. This will be rectified over the weekend when it is tarred up and moved to the ftp sites.

    Scott Fallin
    saf@kha0s.org
  • Exactly that was done with unix (i don't remember which one) and it took quite awhile to find - i think it was over a decade
  • 9th circut's pretty dang big - a lot of people in Alaska and the northwest want to split of from california. But anyways, if you can distribute source to encryption, you could just make the distribution so the installer compiles everything as it's installed. Slow, but maybe even more secure...
  • by Anonymous Coward
    I'm just curious what their goals are- I didn't see C2 listed on their web page anywhere...and I wasn't sure from looking at it whether they were more concerned with internal violations (which would call more for a B2 style implementation) or external violations (ie., from the internet). If they are going for certification from the NSA, then they will need to do a ridiculous amount of work- more work than they can probably fund. I'd be fine without the certs, but it would certainly help their salability.
  • by Anonymous Coward
    Ok.

    So we just add a backdoor to the C compiler. It can tell when it's compiling another C compiler and adds the back door to it. It can tell when it's compiling, say, login, and adds a back door to that. Then you just throw away the original sources and compile a compiler with your new compiler. Include that compiler and its sources to your distribution.

    Just because you're paranoid doesn't mean they're not out to get you.
  • Speaking as a network security manager for a 10k user network and a former vicitim of hacking attempts and successes, I agree.

    However, speaking as a user, and having bosses that want functionality first and security second, I feel I can safely back up my claim that the general populace want security second. I don't care how secure it can be, if its difficult to use it won't be used or it will be used improperly. I am constantly arguing the benifits of an application level (proxy) firewall over a circuit (packet filter) based firewall. Its a lost cause, the monitary benifit will almost always outweigh your perceived gain in security.

    This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com, et.al.

    Yikes! Now that is a scary notion. Microsoft, Sun, SGI, HP, Red Hat, etc... all fail at this. Even relying on Bug Traq and the like for your security measures is only a secondary response to a primary issue. If someone is good enough, they will get in. And a distribution like this will give people like yourself a false sense of security. You do what you can, where you can, when you can. And you keep doing it over and over. You build application architectures as securely as you can, and then limit access to those applications to only the people who need the access. Then you stick in your safe guards against those who would attempt to thwart those restrictions. A generic rule of thumb at best, yes.

    In very few cases are functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little different. A little more secure.

    How large a network do you work in? Did you build the network yourself or did you have to take it over? How large is your security team? Maybe you know something fundemental that I don't. Security isn't as easy, and when you talk to the bean counters, if the possible loss isn't high enough then security will be pushed under the rug.

    Again, I do think its nice that this distro is coming out, I do applaud thier efforts. But no one can make a secure Linux or *insert OS here* distribution that will make me any happier. The secure distribution that is best is the one you put together yourself for the job at hand. You do this by taking the one that is easiest for you to use (the one you feel most comfortable with) and shredding it to pieces. Leave nothing but what is absolutely needed, then secure it - first from the network, then from the users.

  • No, but...

    Think practical tracking. It's not hugely likely that the development of this distribution can be geographically traced. So, if they'd never announced that it had originated in the US then they could have probably got away with burning a CD, taking it over the border _then_ uploading it. One advantage for community development here -they can't necessarily tell where you are when you write something, but it's pretty obvious where the MS campus is...

    Greg
  • No, I'm not going to move. And I'm not going to make a distribution, either.

    But if I wanted to do what khaOs is doing, I'd have to choose between moving and not doing it. And I am unhappy about it, too. I used to think this was a free country, but when it doesn't allow me to share the product of my intellect even when it doesn't infringe on my neighbors' rights and freedoms...I declare those rights and freedoms to be gone.


  • I just want to know why the net-boy speak for the name of the distribution. Can you see the guys on irc #linux now:

    #m0j0f1ght3r> I run the fr33kin' kha0s, y0u w0n't b3 abl3 to crackz my a$$.


    That is why I think I might try one of the other secure distributions that were anounnced on BUGTRAQ.

    Than again, I could be dead wrong, and the name could be like danish or sweedish or something...


    -AP
  • How in the hell do you think a | looks like a K? You little freaks are reaching pretty hard on this one.
    --

    A mind is a terrible thing to taste.

  • The name script kiddies is not meant to demean people who use scripts ;-P It means the 'cool kids' who download some scripts off of the net, and, since they can run them and bring some poor 60 year old womans Windows box to a halt, they call themselves 'Hackers'.. Don't get me started on this one.. ;-P

    They tend to write things like /00|_!! and the such.. ;-P
  • Big mistake on these guys part to develop the crypto portion of the system in the U.S. I should be developed 100% out of the U.S.

    They should immediately release the code less the crypto log. subs. and develop those elsewhere to make a product that the U.S. export laws can't touch.

  • However, how can you guarantee that it is "made in the USA"?

    If you're talking about export regs, that question is irrelevant. If you have strong crypto code within the US, it is illegal to export it even if it was imported. The place of origin is irrelevant.

    BTW, NAI [nai.com] has a neat way of dealing with it. All these export regs do not apply to source code in the form of a printed book. Publish, scan, and compile. And, voila! Legally exported code. NAI does this to ship their code to their international site [pgp-international.com] in the Netherlands.

  • There are two other secure linux projects, Bastille Linux ( www.bastille-linux.org [bastille-linux.org]), and an as yet unnamed "Secure Linux" ( http://www.reseau.nl/securelinux [reseau.nl], you can vote for a name there). They've both been in progress for quite some time.
  • how about telnetting on a box in a "free" country, and making the distribution there ?
  • Posted by _DogShu_:

    The US is free for US citizens, NO ONE ELSE. There are tens of millions of people detained and kicked out of the country every year for entering the country illegally, or simply for not having the appropriate paperwork. The US is hardly responsible for the freedom of people outside of the US.
  • Tries to speak for mental states.. Not physical.. ;-P
  • So compile the source on an otherwise identical system running a trusted copy of the compiler.
  • Disclaimer: I am not a US citizen, nor have I ever been a US citizen. I have not been to the US.

    Who said US was responsible for freedom to non-US citizens? The beyond-stupid export regulations bring more harm than good. IMHO the same applies to the constitutional right to possess a 12 gauge shotgun; sure it's every person's right to protect their home, but AFAIK gun-related deaths/accidents outnumber homes actually saved by having a gun in the house. Don't get me wrong. Surely the Congress or the House of Senate means well, but unfortunately things don't work the way they should.


  • i always wanted to see such a distribution and to see how it will perform against OpenBSD

    Way to go guys

  • What if these guys added back doors to their distribution.. Probably not but still for the paraniod.
  • Didn't I hear that some court had ruled against the export restrictions on crypto, on constitutional grounds? What has become of this? Are appeals in progress, or can we expect repeal of the (ridiculous) restrictive legislation?
  • the court ruling was not a Supreme Court ruling and is therefore only applicable to the district court in which it was handed down (chicago I believe).
    also the decision only pertains to source code or algorithms. as these are in (relatively) clear language they are subject to free speech protection. OTOH if it's a binary release it's still subject to current restrictions.
  • Poor planning involved here, I think. This type of project should be done in a FREE country, where one's work can be distributed as desired. I hope someone doesn't make this mistake again.

    p.s. - I am a US citizen

  • Linux is GPL'd, and if they keep everything open source then you can get the source and compile it youself.

    But if you are paranoid to this point you can do your own secure distro ;)
  • "kha0s"?? It sounds like something invented by script kiddies.
  • When such a distribution becomes available, I imagine that lots of people will be taking a very close look at the source, to check for back doors... that's one of the big strengths of Open-Source - it's very hard to "slip something in" without it being easily noticeable.



    ObMSbash: compare and contrast NT - do you trust all of Microsoft's programmers?


  • I would rather trust MS programmer's, they have a lot of good programmers, what i wouldn't trust is their high management.

    But in the case of crypto this is not only the management that is bad, but the state too. They must do edulcored versions of the encryptions algorithms to export their products.
  • of the rainbow.

    I applaud efforts such as these, and I hope the end up with a successful distro. But I doubt they will. No matter what the headlines read, people want functionality before security. And while I hope to enjoy the fruits of thier labor on such a project, I will most likely never use it in production.

    Instead I will end up looking at how it works, and taking the bits and pieces that I think I can gain the most secure functionality from. Possibly even repackaging them for easier installation on my own personal favorite distribution.

    A grand idea indeed. But I much prefer the right tool for the right job approach, then the use a flamethrower to light my cigarette approach.
  • Due to U.S. restrictions on the export of cryptographic material, 0.99-pre4 is not available at ftp.kha0s.org. We are working with an attorney in order to determine if and how we will be able to distribute kha0s from the Unitied States.
    But does ftp.khaos.org have to be in the USA? AFAIK ftp.kerneli.org is located in Norway to avoid restrictions on IPsec and other security stuff in the kernel. Why do Khaos have to use an american ftp site?
  • What if Bob slipped a back door in his software?
    By your reasoning any code can have a back door. Much of it may even. But at least with Open Source type stuff you get the code and can check if there are backdoors. Hey you could even use those same backdoors. Anybody could do it. Apple, M$, Amiga, SGI, Red Hat, Debian, any distributor could. If you buy the disk and run it straight from the box then you are implicitly trusting them not to have put an undocumented hole in your system. Or at least trusting them not to use that hole. Actually its possible that any software you install has this implicit hole. Well at least if you have to install it as root or the equivelevnt.
    If you are that paranoid then write your own OS or read all of the source. Otherwise you aren't truly paranoid :).
    -cpd
  • My guess: there name would make for a reasonably secure password.
  • exactly.......

    insanity is a stateof beingcommonly misunderstood by the masses as an undesirable trait.....

  • sorry... I've working since 5am.
  • The problem lies in the fact that it was developed in the US. Simply placing it on a server in another country won't do the trick, that's considered an export, and therefore is banned.

    Doug
  • Posted by FascDot Killed My Previous Use:

    I can imagine the need for a line by line examination and I know there was a project out there that was doing that, dunno if kha0s is. But why adopt the bsd-style development?
    ---
    Put Hemos through English 101!
  • Most of the cryptographic material that is illegal to export outside of the United States is done and distributed offsite. The article misquoted the website. Pre4 is not available on ftp.kha0s.org (which is u.s.). However, snapshots are available on ftp.replay.com (hosted in the Netherlands). Take a look at www.replay.com [replay.com]
  • I think it's about time the script kiddies had their own distribution!!!

    I ran it through the de-kiddigizer.
  • Functionality's great, but only if it's on a computer you use. This type of distro seems great for machines whose only duty in life is to shuffle around packets and store files. The only time I spend with these is reading the logs, so a little reduced functionality is fine.

    A little later in the dev cycle, I really want to try this distro out...

  • In every system you have to put your trust somewhere (or to recode all in hex like the precedent poster did). In this case I would rather put my trust in RMS and the FSF than in any closed source software.

    Of course you can do what you did (and this already have been done) but you can do a program that check for this kind of backdoor too I think. or you can compile the things in assembly language and then verify that their is no back door before feeding it to the assembler (don't know if this is the correct English word). Of course this can be the assembler that implement the back door...or this can be the linker that add the back door at loading time.....
  • i think the replacement(s) of o's with 0's and other "eleet" signatures may lead one to believe such a distribution to be unsafe. if you think this is wrong, then i am guilty, because i'm not touching this distro with a ten foot pole.

  • by Anonymous Coward
    Yes. The de minimis amount (the legal definition of the smallest measurable amount relevant) is 0%, so even if all of it was written outside of the US, you brought it in from abroad you cannot export any of it without a licence. I know -- I am trying to set up a US/Canada-only server for encrypted EXT2 Debian packages and I am having to a)get an "advisory opinion" from the Bureau of Export Administration on the definition of "export" and whether or not I am doing all legally needed to not be "exporting" and b)potentially get some sort of waiver for the same, as what I have is a restricted product (strong crypto). Now, the BXA has been nothing but cooperative and very nice, but it is lucky that I am not in a hurry, because the process is complicated and if I screw up, I go to jail for a long time.

    On the other hand, US/Canadian people with 128 bit ssl who don't mind leaving verified and logged data will be able to get those packages soon, and I think that I can get a written guarantee from the BXA that they will not ask to see the logs without a very specific subpoena. Not optimal, especially for the privacy advocates, but good enough for a start.

    And all of the stuff that I am working with was done outside of the US, too.

    This will pass y'all -- it is just a matter of time. WRITE YOUR CONGRESSMAN AND SENATOR ABOUT IT. Email gets you nowhere. Use good paper, too, and provide contact info. Make your voice heard on this and it will change.

    Then I won't have to worry about jail for trying to keep Linux on my Thinkpad with minimal security.
  • To paraphrase an old quote:
    "When they came for the Jews, I did not resist, as I was not a Jew.
    When they came for the Blacks I did not resist, for I had fair skin.
    When they came for the Muslims, I did not resist because I don't pray to Allah.
    When they came for the Atheists, I did not resist because I believe in a higher power.

    When they came for the Christians, I resisted, but no one was left to fight for me."
    Don't let shortsightedness condemn us all.
  • I'd rather have someone with a clue designing the OS, not a script kiddie. By definition, script kiddies don't really understand what they're doing; they use exploit scripts or programs written by other people.

    I know a number of people who are very capable of analysing systems for potential or actual security problems, yet I doubt any of them have broken into a system for years.
  • The defaults in some linux distributions are ridiculous. It's easy for a newbie to plug in a distribution, and have fingerd, telnetd, (anon) ftpd, rshd, and rlogind all going out of the box. And these services are kind enough to proudly and loudly announce the kernel version to any potential crackers. I hope this distribution will default to more paranoid settings, and use the convention that the user has to know what they are doing to turn a service *on*, not to turn it *off*.

  • you guys have a point.. grep "/bin/sh" *.c
  • people want functionality before security
    ...until the day somebody hacks into their computer.

    Security is important. And it is very nice to see a security oriented distro like this one come out. This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com [rootshell.com], et.al.

    That is of course only if I feel I can trust the kha0s people to do their side.

    Having a security oriented distro might also make RedHat, SuSE, Debian, etc. incorporate some of the ideas as well, and we will all be much happier.

    In very few cases are functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little different. A little more secure.

  • I think the name has a certian style.....

    certianlymore interesting than say Red Hat, or caldera

  • "The new snap is up. It can be obtained at the following sites:

    ftp.replay.com

    Due to U.S. restrictions on the export of cryptographic material, 0.99-pre4 is not available at ftp.kha0s.org
    "
    this is from their own site...www.kha0s.org, and the ftp site they mention there, ftp.replay.com DOES have the .4.....
    weird eh?
  • I like the idea that the distribution has, but I can't see why they had to pick a name with obvious script kiddy and warez pup appeal. Ah well, names can always be changed. Maybe a Discordian reference for a name? Kalisti Linux? :)

    Anyway, I would like to see this thing offer GPL alternatives to SSH 2.0 and PGP, along with all the tools that come with the two floppy distribution, Trinux.

    I wonder if Packet Storm Security [harvard.edu] has posted a link to this yet...
  • Hear, hear. I would have to agree heartily with this. I've become annoyed that I get rlogin/rexec/etc in inetd when choosing the net-tools and/or telnet packages for a distribution. Garbage. Its become customary for me to set up SSH and disable every daemon I don't use. Soon I will make it a practice to disable telnet as well. Now I just need to figure out how to configure samba, so I can share an SSH client for windoze for my friends without a clue (or URL).
  • woops. i just visited the site and was pretty impressed. i take back most of what i said. i am sorry.
  • I see the problem. However, how can you guarantee that it is "made in the USA"? Since we are talking mainly OpenSource software, there is a great chance that some part of almost every component has been made/modified outside of the US.

    Take SSH. I assume it will be in this distro. SSH is currently located in Finland. Putting it in an american based distro is import, not export. (Why are there no legislations on importing things the american government don't want to be exported?)

    But since a distro is basically a collection of software, how can anybody say for sure that it was collected in the USA? If say, i log into an ftp server in Belgium on a shell account, and then downloads the software packages from servers in Finland, Norway, Iran, whatever to that computer. Bundles them together and call them a distro. Even if I do that from the US, I still haven't exported anything, since none of it has come through the US.

  • script kiddies eh! is it me or do the scripts alow you to not waste your time manualy entering commands or dictionaries by hand.

    To me it sounds like you are just angry that they may be just rying to come up with yet another viable Linux Distro. apparently you are a programmer according to your web site. Download it try it and then complain about what they may be. Im sure you dont write all of your code by hand either.
  • I don't know, maybe it has something to do with www.chaos.org, www.cha0s.org, and www.khaos.org already being taken. Ya think? Let someone name it what they want. Hackers (I'm not one) get all pissy about being lumped in with crackers, so why not just judge this on its merits. A novel idea I'm sure. Feel free to use whatever you want, however, choice is good.
  • Ok OK, yall totally missed my point. would you rather a person who knows nothing about breaking into systems build a so called solid os or would you rather a group of "Hacer,Cracker,Script Kiddies" design and implement the version that may just be as secure as a BSD release. BSD alos written by security experts aka. White Collar Hackers. Give them some credit for even taking on this type of feat.

  • err, standard unix passwords are supposed to be 6 characters or more. you could replace standard with default in that statement...or better yet the standard default setting...
  • the openbsd project has reviewed every line of code it distributes. unless these folks are prepared to do the same and adopt a bsd-style development model, this is pointless.

    sc
  • it's kind of a funny story, in a dark, terribly sad sort of way.

    www.attrition.org has all the juicy details.
  • Your user name is also CrAzYjOn, though.

    =)

    -awc
  • It is possible to do secure X connections if you use SSH for all your remote connections. The ssh daemon spawns a "Xserver" on the remote machine you connect to, and forwards all the X communication to this "server" through a secure link to your display. This way, you can remove some of the most basic X security problems.
  • I heard that Packet Storm had gone down due to some copyright mess. Of course, I heard that on alt.2600, so take it in context, eh?

    -awc
  • Heh, Unfortunately, this isn't entirely accurate. I can't remember who did this, but one little fun thing that is possible and has happened: Modify the compiler to alter login with a back door. Modify the compiler to alter itself on a self compile to insert the code required to continue this behavior. Distribute this binary, and uninfected compiler and login source. Pretty sneaky. The goals of the distro seem to be pretty good. Build in good crypto protection, compile all SUID programs / Daemons with stackguard to protect against buffer overflows. That will take care of big chunks of intrusion protection. A good overall design will help out with authorized user protection. Now someone just needs to find a good way to protect against heap overflows.

"Summit meetings tend to be like panda matings. The expectations are always high, and the results usually disappointing." -- Robert Orben

Working...