LightweightPortableSecurity vs Puppy - Puppy wins

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

LightweightPortableSecurity vs Puppy - Puppy wins

#1 Post by Lobster »

Lightweight Portable Security is put out by the American Air Force Research Laboratory and is a live CD that boots straight to desktop.
http://spi.dod.mil/index.htm

It is designed for secure usage by civilians.
It runs as root. Distrowatch (where I read about it) is already complaining.

I am using it now straight to desktop and connected. Firefox working. Very good.
Looks like a very ancient xfree86 that Puppy used in the previous decade
(approx ver 1 and before)
http://www.xfree86.org/

It contains mtpaint, flash, Leafpad and links to the US military complex.
It is very minimal and fast.

I would be interested if it is based on Linux from Scratch
or whether the US has another more secure version for infernal (ahem - internal use)?

I liked the encryption wizard and ease of use. It is very simple.

How does it compare with Puppy?
It is designed for a specific purpose and does it well.
We have a browser pup that is comparable.

It is very difficult to be objective but let me try.
Puppy is a lot better in every way - OK I tried :wink:
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#2 Post by nooby »

Can it boot in frugal install on NTFS or does one have to resize the HDD and make a partition? Which would ruin the recovery partitions function?

I don't have DVD so no use having a CD. Sure I can try boot using USB that would be proper for a rescue gadget to have in the pocket just in case it is needed.

But would it be safe if one used a USB memory thumb?
I use Google Search on Puppy Forum
not an ideal solution though

Lookinglass360
Posts: 79
Joined: Fri 22 May 2009, 13:50
Location: Largo, Florida USA

LPS

#3 Post by Lookinglass360 »

Hi nooby

I tried this about a year ago.

Seemed safe.

But I felt locked in, but with who?

Hope this helps.

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#4 Post by DPUP5520 »

@ Lobster
Yes, there is another version of LPS. If you look on their website, the version that they release is LPS "public".

@ nooby
There is no frugal install, it is designed to run live and that's it, unless they've changed something in 1.21

As I mentioned in another thread, the one huge advantage that LPS has over Puppy as far as I'm concerned is the ability to use a smartcard/CAC reader. I tried for a few months to get this working in Puppy to no avail, and I have seen that a few other people have tried too without much success.
PupRescue 2.5 http://www.murga-linux.com/puppy/viewtopic.php?t=69651
Puppy Crypt 528 http://www.murga-linux.com/puppy/viewtopic.php?t=72178

myke
Posts: 102
Joined: Tue 15 Mar 2011, 16:20
Location: Québec

Smart Card Reader

#5 Post by myke »

If it is an RHS ENE Technologies smart card, then you need the keucr module.

Otherwise, you need to identify (use google) the brand of smart card reader that your computer uses and see whether the module source is available. If so, you will need to have the source compiled / compile the source yourself for the card reader you have and for the specific kernel the distro is using.
AA1 D255E-keucr slacko 5.3;luci;mijnpup; tw-os; with:Emacs,gawk,noteboxmismanager,treesheets, freeplane, libreoffice, tkoutline, Sigil, calibre, calendar. magic&Noteliner(wine), kamas (DOS)

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#6 Post by nooby »

DPUP5520: "There is no frugal install, it is designed to run live and that's it, unless they've changed something in 1.21"

Puppy is designed to run live too???

I mean AFAIK Flash, our ModAdmin, runs it that way???
Knoppix on my HDD runs live too and Porteus does it too. Even latest TinyCore runs live on my HDD and they are designed to allow it AFAIK?
But sure I can be wrong about it. I am truly computer challenged.

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#7 Post by DPUP5520 »

@ myke
It's not that simple, coolkey doesn't work in Puppy either and I haven't been able to get it to work and there are other modules aside from just the smartcard drivers and coolkey required to get a smartcard device working properly.

@ nooby
My bad, what I meant to say is it is designed not to be installed on a hard disk and only to run live. Whereas Puppy can have a save file and keep persistent changes, LPS will not.

ICPUG
Posts: 1308
Joined: Mon 25 Jul 2005, 00:09
Location: UK

#8 Post by ICPUG »

Nooby,

I downloaded last night and will be checking for frugal installability with ntfs!

However, usage will be limited due to its lack of persistence.

There is a deluxe version with Open Office as well. Quite how one configures that program to your liking without persistence is beyond me!

Even if the linux turns out to be no good I do like the idea of the download, system requirements info, quick start guide, faq, user guide all available from one page of the web. Puppy could learn something here!

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#9 Post by nooby »

Thanks to all for answering my naive questions.

I guess the most important thing for them is to make a CD or DVD that can be used in a secure way.

Booting from USB or HDD maybe is not part of their goals?

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#10 Post by DPUP5520 »

You can boot from USB but only as a live USB, as far as I know anyway.

ICPUG
Posts: 1308
Joined: Mon 25 Jul 2005, 00:09
Location: UK

#11 Post by ICPUG »

Testing complete.

DPUP5520 may say there is no frugal install and the documentation may say it does not install to hard disk and is designed to run live but ...

LPS runs as a frugal install on an NTFS partition. Just have to do it manually.

Couldn't test on my FAT32 desktop but I am sure that wouldn't be a problem either if I had enough memory.

Copy vmlinuz and initrd from the iso to a folder on your partition.

I use folder lps121 in the first logical partition in the extended partition.

the bits to add to the menu.lst for grub4dos are:

title Lightweight Portable Security 1.2.1
kernel (hd0,4)/lps121/vmlinuz load_ramdisk=1 ramdisk_blocksize=4096 root=/dev/ram0 ramdisk_size=524288 console=ttyS3 splash=silent vga=791
initrd (hd0,4)/lps121/initrd
boot

Note: the bold bit is all one line

You obviously change (hd0,4)/lps121 according to partition and folder name.

LPS is interesting but limited by its lack of persistence. Configuration changes stick only for the current session. Being provided by the American Air Force it assumes users are American with American keyboards and speaking American. It worked with my laptop intel 855 graphics and basic touchpad functionality. Touchpad scrolling was not available.

It does not appear to use compression which means the whole iso is larger than Puppy for very little in terms of applications. It also means the memory requirements are silly, compared to the Pup. It would not run on my 128MB desktop because the main file (initrd) was bigger than that. The System requirements suggest 512MB RAM for the public version and 1GB for the Deluxe version.

It includes flash but no other multimedia codecs and the flash is only playable within the browser.

I'm told it includes Java but I have not tested that.

In my opinion its usage is for a browser based OS. I would not use the deluxe with Open Office because the lack of persistence would undoubtedly limit what I could do with such a complex package.

One thing I would say. It is slightly more secure than Puppy when operated as a frugal install. Puppy will mount the partition where the frugal is installed and it must remain mounted during the session. LPS does not mount the partition. In fact, I found it impossible to mount any hard drive partition. It may be possible but I don't have the knowledge. My USB stick was recognised and mounted when plugged in so a mount facility exists but how to mount a hard drive partition is beyond me.

Running as a Live CD, LPS is no more secure than Puppy.

All the documentation accessible from the LPS home page is also available in the OS.
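
ICPUG's observation above (Puppy keeps the frugal partition mounted for the whole session, LPS mounts no hard drive partition) can be checked from inside any live session by reading the kernel's mount table. The script below is an added example, not part of the original post or of either project; the function names and the two sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which block-device filesystems a live session has
# mounted, and whether they are writable. Input is text in /proc/mounts
# format: device mountpoint fstype options dump pass

# block_mounts FILE -> one line per mounted disk partition:
#   "device mountpoint fstype ro|rw"
# Matches disks and sticks alike (sd*, hd*, vd*, nvme*, mmcblk*); it does not
# tell an internal disk from a USB stick, and it ignores loop devices.
block_mounts() {
    awk '
        $1 ~ /^\/dev\/(sd|hd|vd|nvme|mmcblk)/ {
            mode = "ro"
            n = split($4, opts, ",")
            # Only an exact "rw" option counts; "errors=remount-ro" does not.
            for (i = 1; i <= n; i++) if (opts[i] == "rw") mode = "rw"
            print $1, $2, $3, mode
        }
    ' "$1"
}

# writable_count FILE -> number of disk partitions mounted read-write
writable_count() {
    block_mounts "$1" | awk '$4 == "rw" { c++ } END { print c + 0 }'
}

# Constructed sample: a frugal-style session that keeps its host NTFS
# partition mounted (device and mount point are made up for the example).
sample_frugal_session() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda5 /mnt/home fuseblk rw,relatime,user_id=0,group_id=0 0 0
/dev/loop0 /initrd/pup_ro2 squashfs ro,relatime 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
EOF
}

# Constructed sample: a RAM-only session with no disk partition mounted.
sample_ram_only_session() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
EOF
}

# Demo on the constructed samples.
demo_file=$(mktemp)
for sample in sample_frugal_session sample_ram_only_session; do
    "$sample" > "$demo_file"
    echo "== $sample: $(writable_count "$demo_file") writable disk mount(s)"
    block_mounts "$demo_file"
done
rm -f "$demo_file"
```

On a running system, pass `/proc/mounts` as the file argument; a plugged-in USB stick will also be listed.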

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#12 Post by nooby »

ICPUG much appreciated test and info based on it then. A true Gem indeed.

I mean the Air Force, they would not put in back doors or something on that software :)

I have tested it now on my small Netbook Acer D250.
Very interesting that they have done it so well that everything just worked. Okay did not test using wireless or Cam or such.

But it found the IP through the Router directly and the resolution and it booted real fast too. I did not test if it could do the streaming of local TV station though.

Ooops I am a poor reader of text. Now I finally see this part. Haha

"In fact, I found it impossible to mount any hard drive partition."

Yes indeed that seems not to be allowed. I asked whoami and it answered root but no access to hdd at all.

So it is a secure thing but not a rescue thing then. So it is for secure browsing and that is a good thing too.

Edit: I have read more at their site now and it is for being more secure when one browses so no need to access hard disk :)

But one had to agree to something. I have not read that one. Do they keep a record of us using it?

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#13 Post by DPUP5520 »

@ICPUG
Appreciate the testing on the new version of LPS and have gotten around to confirming your results. LPS does have some silly requirements but for me is a great OS for securely browsing using a smartcard which is its main purpose anyway.

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#14 Post by CLAM01 »

LPS appears to be a focused-purpose system, with secure communication its purpose focus. It is for its purpose focus it is more restricted than puppies, and for it, too, it appears, that it has SmartCard capability. The SmartCard reading is for CAC (Common Access Card) capability, which allows the card-owner to access a specific network per instructions on the card. In the case of LPS DoD (U.S. Department of Defense) networks.

The LPS system allows secure access from any computer by ignoring everything on the computer except the RAM and CPU. Everything saved is saved to RAM, in what is essentially a ram tmp file. It appears that where LPS is run from an iso installation on a harddisk partition the partition is mounted, so saved files might be manually movable from ram storage to the partition, or a file made on it? The LPS recommended save method is save to a separate USB stick. The stick auto-mounts and appears available when inserted. It is not the stick the OS is running from, when it is run from USB. I don't know if the separate save device is enforced (the whole LPS OS stick being formatted read-only) or if it's recommended. USB sticks can be formatted into partitions, so a second partition might be usable as a save stick. The stick-save feature is apparently left-over from before DoD protocols made saving to sticks verboten (for security against WikiLeakers, among others, it is presumed).

The FAQs, available through the "troubleshooting" link are interesting. One answers if LPS can be installed to another operating system, saying, in part, "LPS is a turnkey solution that uses a Linux bootable CD to turn your existing computer into "virtual GFE" (Government-Furnished Equipment) by booting a trusted operating system and not mounting the local hard drive."... Does this mean your computer becomes "government property" for the duration???

The security advice they offer is good: The system is for security, not comfort, so personalization is minimal, and nothing is saved, except what the operator deliberately saves (at least on the machine piggy-backed on, in a twilight-zone computer-rack in the Pentagon somewhere...who knows...). The recommended first-line security maneuver is to reboot, restart without any vermin that may have climbed aboard. Because Puppies run from a virtual ramdisk (copied from the main SFS) this works with Puppies, too, with the additional caveat that you have to flea-bomb your save-file, too, for a total and positive cleaning.

The LPS developers might be good for info to get SmartCard capability for puppy, since they have set it up for CAC. CAC capability, being usable for security (opening a virtual tube) would be a good idea for any computer that connects to a network through the net.

cowboy
Posts: 250
Joined: Thu 03 Feb 2011, 22:04
Location: North America; the Western Hemisphere; Yonder

lps

#15 Post by cowboy »

CLAM01 wrote:LPS appears to be a focused-purpose system, with secure communication its purpose focus...

The FAQs, available through the "troubleshooting" link are interesting. One answers if LPS can be installed to another operating system, saying, in part, "LPS is a turnkey solution that uses a Linux bootable CD to turn your existing computer into "virtual GFE" (Government-Furnished Equipment) by booting a trusted operating system and not mounting the local hard drive."... Does this mean your computer becomes "government property" for the duration???
Don't think so, but you've given a fine synopsis. I would think the GFE item is a bit of legalese, assuring the user that they are operating in a government approved manner on whatever machine they happen to be using, and not, one supposes, to be held responsible for any security breach.

LPS is interesting. Boots right to desktop, connect to internet automagically through ethernet, and miracle of miracle, has sound right off the bat. (one of the few persistent criticisms of more recent Puppies). Some items from the FAQ:

What other utilities are included with LPS-Public?

LPS includes some useful minor personal productivity utilities with graphical interfaces:

* PCMan File Manager – file explorer
* Leafpad – text editor
* gpicview – image viewer
* xPDF – PDF file viewer
* Adobe Reader – PDF file viewer (Deluxe only)
* LXRandR – monitor configuration tool
* galculator – desktop calculator
* mtPaint – pixel-based paint program
* OpenOffice – office productivity software (Deluxe only)

We have also included some connectivity software:

* OpenSSH – secure shell, allows command line access to remote systems
* rDesktop – remote desktop
* Citrix Receiver (ICA manager) – Citrix client
* NetworkManager – network manager

Why is LPS secure?

LPS allows you to use the network without relying on a potentially compromised operating system. LPS does not include drivers for accessing the local hard drive, so LPS is insulated from any malware locally present. LPS runs a modern Linux kernel with minimal services. In the remote event that LPS is compromised, either directly or by visiting a site that exploits the software, remediation is as simple as a reboot.

Why do you permit USB storage?

LPS-Public was originally created as a demonstration of our security tenets before the DoD flash memory ban. The primary use case for LPS-Public originally was for people to use their home computers to conduct sensitive personal transactions, such as home banking. To permit users to save local files, we included the capability to use personal flash sticks. CAC support was included later as more people requested it.

and yes, I'm posting this from LPS. It's kind of a one trick pony, really, and you won't be doing many of the things you can do with a good Puppy from a Live CD, the apps simply aren't there. But I was able to check Gmail, Yahoo News, and watch some video reports on the Tour de France site as well as the BBC. LPS is what the stylish spy-about-town should have in their CD case circa 2011.
"you fix what you can fix and you let the rest go.." - Cormac McCarthy - No Country For Old Men.

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#16 Post by CLAM01 »

Cowboy,

I should have put a string of emoticons after my question-marks, ending with the one I can never find, a smiley with a tin-hat on... LPS being developed by government for government, its FAQs are written for in-government readers, not us out here, so the "virtual GFE" means "a virtual computer a government employee can trust as a government owned and issued machine". I was spinning it out of context a bit...

I like especially LPS's feature to ignore everything except CPU and RAM for security. And the advice given in the FAQs and manual, telling the user how to maintain security, as, for example, for making secure banking transactions to start up, or reboot and connect to your bank immediately, before visiting anywhere else that you could pick up a kibitzer or companion. I like also that they seriously inform the user of their repo security, emphasize the importance of knowing where software you put in your computer was made and provide full hash data.

I've downloaded the "deluxe" version, with open office, adobe, etc. to try out. If it works as I expect, with the basic productivity apps and installed on a USB stick it should provide a take anywhere and just add computer fully secure personal pocket field-os.

Maybe the foundation, or inspiration, for a Paranoid Pup build...

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#17 Post by Lobster »

Puppy from a Live CD, the apps simply aren't there.
Boot. Connect. Run.
You can do this with both
In fact many distros now boot live, if a little slowly

Some distros are more complete.

Those interested in a 'bank mode' might wish to develop Fido
http://bkhome.org/blog/?viewDetailed=02240
and incorporate GROWL or use Wardog
http://puppylinux.org/wikka/security

:)

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#18 Post by CLAM01 »

Lobster,

Puppy's primary security weakness is its unrestricted and unpoliced repositories structure. Anything can be built into a puppy, a pet or a puppy sfs. Users installing and using install and use what is in the package.

Puppy's second security weakness is the woof build system, because it provides a seemingly secure collection of system programs for all puplet builders to download and install. As with the unrestricted and unpoliced repositories, the woof system is potentially insecure, for being potentially, intentionally, misguidedly, "for security", or accidentally infected with malware, spyware, etc.

See, for instance, the "freedesktop" application, which is in woof, masquerading as a "bookmarking" app, but which appears to be more an event logger, which records what files a user accesses and where they are in a file owned by freedesktop, which can outload to a couple of http locations on the freedesktop site. I have not found any real bookmarking functionality in freedesktop, except bookmarking what I access in local files for freedesktop to be able to find for their having my local locations logged to their site.

Puppy's "root" user is not a security problem in itself because while puppies have two roots, "/" and "user-root", as all linux systems have, the "/" root is firewalled in the main sfs, essentially read-only, and loads fresh to ramdisk each boot. user-root can't modify "/" root. It can only black and white list and add accessory apps and mods by adding them to its pup-save, which tailors the "/" file in the virtual ram install. Viruses, malware, etc. slough on reboots, unless they have been saved to pup-save, which can be "rebooted" by delete-all emptying it, since puppy will refill it with unmodified, from the main sfs.

For this, puppy users' real dangers come from inclusions in things that are user-saved and let accumulate and things a builder may wittingly or unwittingly include in a build, or that may be in a program he's used in a build.

For an example, Lighthouse pup includes a compromised Firefox browser, which writes home on start up and permits botting (it appears to be some U.S. gov agency's compromise, from the way the botting is used). Open source, of course, means one may freely add spyware, too, if one wants to.

cowboy
Posts: 250
Joined: Thu 03 Feb 2011, 22:04
Location: North America; the Western Hemisphere; Yonder

lps thoughts

#19 Post by cowboy »

CLAM01 wrote:Cowboy,

I should have put a string of emoticons after my question-marks, ending with the one I can never find, a smiley with a tin-hat on... LPS being developed by government for government, its FAQs are written for in-government readers, not us out here, so the "virtual GFE" means "a virtual computer a government employee can trust as a government owned and issued machine". I was spinning it out of context a bit...

I like especially LPS's feature to ignore everything except CPU and RAM for security. And the advice given in the FAQs and manual, telling the user how to maintain security, as, for example, for making secure banking transactions to start up, or reboot and connect to your bank immediately, before visiting anywhere else that you could pick up a kibitzer or companion. I like also that they seriously inform the user of their repo security, emphasize the importance of knowing where software you put in your computer was made and provide full hash data.

I've downloaded the "deluxe" version, with open office, adobe, etc. to try out. If it works as I expect, with the basic productivity apps and installed on a USB stick it should provide a take anywhere and just add computer fully secure personal pocket field-os.

Maybe the foundation, or inspiration, for a Paranoid Pup build...
CLAM01, sorry I didn't catch the humor in your first post, and you obviously know a good deal about security. Your "tin hat" reference is interesting, as often, if one does discuss security vis-a-vis Linux, immediate inferences are often made about the metallic headwear. Yet there are concerns, primarily, for me, about software. I like the way you write about, and approach, security. Nothing too wacky, or alarmist, and with a good dose of common sense. Could use that around.

cowboy
Posts: 250
Joined: Thu 03 Feb 2011, 22:04
Location: North America; the Western Hemisphere; Yonder

lps continued

#20 Post by cowboy »

CLAM01 wrote:
...Puppy's primary security weakness is its unrestricted and unpoliced repositories structure. Anything can be built into a puppy, a pet or a puppy sfs. Users installing and using install and use what is in the package.

Puppy's second security weakness is the woof build system, because it provides a seemingly secure collection of system programs for all puplet builders to download and install. As with the unrestricted and unpoliced repositories, the woof system is potentially insecure, for being potentially, intentionally, misguidedly, "for security", or accidentally infected with malware, spyware, etc.

...Puppy's "root" user is not a security problem in itself because while puppies have two roots, "/" and "user-root", as all linux systems have, the "/" root is firewalled in the main sfs, essentially read-only, and loads fresh to ramdisk each boot. user-root can't modify "/" root. It can only black and white list and add accessory apps and mods by adding them to its pup-save, which tailors the "/" file in the virtual ram install. Viruses, malware, etc. slough on reboots, unless they have been saved to pup-save, which can be "rebooted" by delete-all emptying it, since puppy will refill it with unmodified, from the main sfs.

For this, puppy users' real dangers come from inclusions in things that are user-saved and let accumulate and things a builder may wittingly or unwittingly include in a build, or that may be in a program he's used in a build.

Clam this ought to be stick-ied. You've summed up the biggest issue with Puppy security (the repository), and given one of the best defenses of running while root I've ever seen on the forum.

The repository issue is one that has always concerned me. I get around it pretty much by simply running stock Puppy. I rarely add anything to the initial release. On the rare instances I add a program, I only use the "official" repository on ibiblio, for whatever that is worth. However, one of the security features of Linux is supposed to be, well, eyeballs. The eyeballs of hundreds (thousands?) of developers skim over Ubuntu, or Slackware, or Arch, one supposes, and the nasties are put to the sword. I'll admit I'm unsure of the Puppy vetting process.
