The Living Thing / Notebooks :

Hardened desktop operating systems

Also amnesiac and/or anonymous

Usefulness: 🔧
Novelty: 💡
Uncertainty: 🤪 🤪 🤪
Incompleteness: 🚧 🚧 🚧

One escalation in information security is to harden your OS to minimise exposure to some of the lazier ambient harvesting of confidential information that certain gangsters/feds/gangster-feds/etc could do if you had come to their attention. This is probably worth your time if you are, for example, a journalist in a free-press-hostile state. You might also want a hardened mobile device.

One tactic one might employ to achieve this, for certain risk profiles, is open-source hardened operating systems. It is harder, for now, probably, for states to inject spyware into open-source systems than into closed commercial ones because of the greater transparency. Presumably in this case they cannot simply ask a fiend at a major software company to install spyware on your computer, but must resort to zero-day exploits and hardware hacks.

Anyway, let’s have a look at some in-principle ways to set up our machines for confidential uses, which we might suppose are at the very least troublesome to molest without a warrant. Some of these might be difficult to prove even for spies with a warrant.

I’m going to dump a bunch of stuff here while thinking it through. These will be nerdy notes, to be whipped into a more pedagogic introduction later. They will not be authoritative.

Quotes are taken from distrowatch.com unless otherwise stated. See their security-focussed distro list also.

Pre-rolled hardened OSes

Hardened distros try to avoid the default not-especially-secure setup of computers that are designed to be friendly and welcoming and easy to do things on. But perhaps you want to have a computer that only lets you do things that are secure?

Parrot

Parrot:

ParrotOS (Parrot Security, ParrotOS) is a free and open source GNU/Linux distribution based on Debian Testing designed for security experts, developers and privacy aware people.

It includes a full portable arsenal for IT security and digital forensics operations, but it also includes everything you need to develop your own programs or protect your privacy while surfing the net.

Qubes

Qubes OS:

Qubes OS is a security-oriented, Fedora-based desktop Linux distribution whose main concept is “security by isolation” by using domains implemented as lightweight Xen virtual machines. It attempts to combine two contradictory goals: how to make the isolation between domains as strong as possible, mainly due to clever architecture that minimises the amount of trusted code, and how to make this isolation as seamless and easy as possible.

Is this very much better than ordinary hardened distros? Not sure. It certainly burns lots of CPU cycles in maintaining security.

Kickos

Kickos is the hardened core of Whonix, below. I don’t know much about it without all the fancy anonymisation stuff for which Whonix (below) is famous.

Kali

Kali:

Veeery focussed on security professionals.

Alpine

🚧

Alpine Linux is a community developed operating system designed for routers, firewalls, VPNs, VoIP boxes and servers. It was designed with security in mind; it has proactive security features like PaX and SSP that prevent security holes in the software from being exploited. The C library used is musl and the base tools are all in BusyBox. Those are normally found in embedded systems and are smaller than the tools found in GNU/Linux systems.

This is not a hardened distro per se, but rather a pre-compiled one with a smallish attack surface. But that might be enough?

Pre-rolled anonymous OSes

Anonymous hardened OSes are more paranoid than merely hardened OSes. They don’t just try to keep you safe from the nasties, they also try to hide who you are, by erasing distinguishing tells in the OS, and by using encrypted networks such as Tor. Maybe other stuff. They are often also amnesiac, which seems to mean that if you use one of these to do something, it will be hard afterwards to tell what you were using it to do.

Usually these systems are not designed to be your main or only OS, and indeed they are kinda annoying and slow to use. They are for doing your confidential stuff, such as talking to journalistic sources, doing political organising, escaping your abusive spouse, purchasing controlled commodities, etc. And yes, presumably planning terrorism could happen by these means too.

Tails

Tails:

The Amnesic Incognito Live System (Tails) is a Debian-based live DVD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymised. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace.

Tails is low on features, but that might mean it’s harder to hack. If you don’t mind decreasing your security, you can install extra software. The basic idea is it runs on a USB and keeps as much as possible in RAM so it should forget what you were up to relatively quickly. So it is ideally also deniable.

Whonix

Whonix is also a hardened OS, and anonymous. It is designed for running as a virtual machine. It is not as amnesiac as Tails, but slightly better at hiding your use of the anonymising network Tor, AFAICT, since it is easier to tunnel it over a VPN. Virtual machines are intrinsically more dangerous in this era of speculative execution bugs etc, but they also avoid some stupid nonsense like needing a whole spare computer to use. It has an amnesiac VM mode, whonix-live, and also an amnesiac non-VM mode (basically, imitating Tails) called grub-live. For civilian use possibly one could just run an encrypted VM image and rely on the Stasi not dropping in while it was still in memory.

Heads

heads is admirably crazy paranoid and aims to one-up Tails in this regard by being even less trusting.

heads is a privacy-focused Linux distribution designed to make it easy for users to access the Internet anonymously using the Tor network. heads is based on Devuan and features only free (libre) software. The Linux kernel has had non-free blobs removed.

However, their release schedule is sluggish, and I suspect they don’t have the critical mass to add yet another confidential OS to the race.

Kodachi

Linux Kodachi:

Linux Kodachi is a Debian-based distribution which can be run from a DVD or USB thumb drive. The distribution filters all network traffic through a VPN and the Tor network, obscuring the user’s network location. The distribution attempts to clean up after itself, removing traces of its use from the computer.

Not sure about the provenance of Kodachi or the weird built-in VPN. But if it were secure it would be very convenient. Possibly installing from source would be wise? But that claims to be version 3.7, not the version 5.5 now being distributed. Red flag.

DIY hardened OS

How much do you trust the distro package maintainer though for any of these projects? (Just one guy is credited for e.g. Kodachi.) Or indeed, any OS distro? Groups like the Core Infrastructure Initiative aim to facilitate this. Note that it is hard to trust the build toolchain right now; with the best of intentions a maintainer cannot easily guarantee that the components they supply are secure even if the sources are, until deterministic builds and other technologies come online for Linux distros.[1]

Would you rather build from source? In principle you can do this for any open source OS, but it’s a right pain in the arse in general. The chain of trust is long and has many links.

Distros like Gentoo/Funtoo and Arch Linux support user source builds in principle - but they require you to know what you are doing to ensure that you have actually set them up in a secure fashion, which is hard. Most of us are probably safer cargo-culting a fancy secure OS and trusting that it is configured securely. But maybe it is worth it?

Gentoo

Gentoo Linux is a versatile and fast, completely free Linux distribution geared towards developers and network professionals. Unlike other distros, Gentoo Linux has an advanced package management system called Portage. Portage is a true ports system in the tradition of BSD ports, but is Python-based and sports a number of advanced features including dependencies, fine-grained package management, “fake” (OpenBSD-style) installs, safe unmerging, system profiles, virtual packages, config file management, and more.

Funtoo

Funtoo is EZ-Gentoo.

Funtoo Linux is a Gentoo-based distribution developed by Daniel Robbins (the founder and former project leader of Gentoo Linux) and a core team of developers, built around a basic vision of improving the core technologies in Gentoo Linux. Funtoo Linux features native UTF-8 support enabled by default, a git-based, distributed Portage tree and Funtoo overlay, an enhanced Portage with more compact mini-manifest tree, automated imports of new Gentoo changes every 12 hours, GPT/GUID boot support and streamlined boot configuration, enhanced network configuration, up-to-date stable and current Funtoo stages - all built using Funtoo’s Metro build tool.

The list of sensible modern requirements being listed as cutting-edge features makes me nervous about vanilla Gentoo.

Arch

Arch Linux is an independently developed, x86_64-optimised Linux distribution targeted at competent Linux users. It uses pacman, its home-grown package manager, to provide updates to the latest software applications with full dependency tracking. Operating on a rolling release system, Arch can be installed from a CD image or via an FTP server. The default install provides a solid base that enables users to create a custom installation. In addition, the Arch Build System (ABS) provides a way to easily build new packages, modify the configuration of stock packages, and share these packages with other users via the Arch Linux user repository.


  1. Notably, this is not on the cards for Ubuntu or Red Hat.