DaemonForums  

  #1   (View Single Post)  
Old 23rd February 2012
shep shep is offline
Real Name: Scott
Arp Constable
 
Join Date: May 2008
Location: Dry and Dusty
Posts: 1,503
Default Jggimi - LiveCD for travel

@Jggimi
This article in the NYtimes

and recent livecd release by the Dept of Defense Computer Security

made me wonder if your live cd's would also be a good means to maintain internet access when traveling.

Two quick questions:
1) Is the 001bind patch in the livecd's?
2) Would you consider a CD in the mode of the DoD possibly with abiword/gnumeric/epdfview/firefox?

Thanks for providing the livecd's

Last edited by J65nko; 24th February 2012 at 02:09 AM. Reason: misspelled jiggimi
  #2   (View Single Post)  
Old 23rd February 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Thanks for asking, Shep.

1) The bind patch is not on these images. They are 5.0-release, as advertised. For two reasons: BIND is not running on them, so it is not applicable, but more importantly these were never intended for production use.

2) You can certainly take live media with you, when you travel. There is no encrypted information on them, so they should be able to clear customs and immigration everywhere. You may freely permit security services to make copies, they are BSD licensed. However, a USB stick version is not currently available. They are CD9660 filesystems with El Torito boot blocks.

-----

I have been considering USB images that, like the optical media, would remain read-only. Easy enough to create them, though I do not have any tools for Windows users to use to write them to USB device. I could use a recommendation or two, here, since I've never written drive images to sticks from Windows.

---

I have been considering removing the "heavy" images -- XFCE, KDE, and Gnome. They are larger than CD, and due to the use of uncompressed CD9660 filesystems, are so slow as to be difficult to really use. As a proof that general purpose workstations could be deployed with OpenBSD, they showed it was possible, but with CD filesystems, are not practically useful.

If I were to make these "usable" I am considering adding some functional, general purpose tools -- and even though abiword/gnumeric are lighter weight office automation than LibreOffice, I'm thinking about the possibility of the latter. There is better integration with open and de facto document standards. I'm also considering leaving them out, and just providing a browser. A browser-only solution is available now, for those who would use cloud based office automation services.

If I add apps like that, usability with read/write media will have to be considered. And, I will have to alter my scripts to make it easy for non-OpenBSD users to connect to WiFi networks. Today, that's left to the user; my scripts do not handle nwid, wpakey, or nwkey requirements.

I've just started building 5.1-release and packages for live media this week. I've still got XFCE, KDE, and Gnome pathnames in my dpb(1) subdirlist, and I have not put any office automation in the list. No decisions have been made, yet.

---

My images are downloaded frequently from the countries mentioned in the Times. I don't think there is a direct correlation.
  #3   (View Single Post)  
Old 23rd February 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

@Jgimmi, thanks, I wish you the best of luck with this great contribution ..

gnumeric/abiword/xpdf/xfe/fvwm/ ..... keep it fit .. I remember when I first used GnoBSD .. that was so cool but unfortunately so slow too and even slower to install ..
I wonder if your livecd is installable via UNetbootin .. I used to use it on windows but only to install live gnu-linuxes (wattOS/lubuntu/gOS/slax) .. usually a liveOS user expects responsivity and net features more than the rest ..
I already have a copy of my teacher's livecd .. basic .. :-) .. as I have jibbed .. (pentoo is history now .. though it did the job well)

Last edited by daemonfowl; 23rd February 2012 at 05:18 AM.
  #4   (View Single Post)  
Old 23rd February 2012
jggimi

Quote:
I wonder if your livecd is installable via UNetbootin...
Thank you very much for the excellent suggestion!

I've never looked at the tool before. Having now skimmed their documentation, I would believe that the media I have published to date would not be able to be used, since it uses El Torito boot blocks, and the tool only handles hard drive and diskette images.

Should I decide to create USB bootable images, then they will have MBRs and PBRs and a solution like this might be useful for Windows users.

Thanks again!
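
Added example, not part of the thread or of jggimi's scripts: the two boot layouts contrasted in the post above (CD9660 with an El Torito boot record versus a disk image with an MBR) can be told apart from the image bytes alone. The Python code below parses both; the function names are hypothetical and the two sample images are constructed in-line, not real OpenBSD media.

```python
import struct

SECTOR = 2048  # ISO 9660 logical sector size
EMULATION = {0: "no emulation", 1: "1.2M floppy", 2: "1.44M floppy",
             3: "2.88M floppy", 4: "hard disk"}
MBR_TYPES = {0xA6: "OpenBSD", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}

def el_torito_boot(img):
    """Boot media type of the El Torito default entry, or None if absent."""
    lba = 16  # volume descriptors start at sector 16
    while (lba + 1) * SECTOR <= len(img):
        vd = img[lba * SECTOR:(lba + 1) * SECTOR]
        if vd[1:6] != b"CD001" or vd[0] == 255:  # not ISO 9660, or set terminator
            return None
        if vd[0] == 0 and vd[7:39].rstrip(b"\0") == b"EL TORITO SPECIFICATION":
            cat = struct.unpack_from("<I", vd, 0x47)[0] * SECTOR
            ent = img[cat:cat + 64]  # validation entry, then default entry
            valid = len(ent) == 64 and ent[0] == 1 and ent[30:32] == b"\x55\xaa"
            if valid and ent[32] == 0x88:  # 0x88 marks the entry bootable
                return EMULATION.get(ent[33] & 0x0F, "unknown")
            return None
        lba += 1
    return None

def mbr_partitions(img):
    """[(type, active, start_lba, sectors)] from the MBR partition table, or []."""
    if len(img) < 512 or img[510:512] != b"\x55\xaa":
        return []
    rows = (struct.unpack_from("<B3xB3xII", img, 446 + 16 * i) for i in range(4))
    return [(MBR_TYPES.get(t, hex(t)), s == 0x80, start, n) for s, t, start, n in rows if t]

def classify(img):
    boot, parts = el_torito_boot(img), mbr_partitions(img)
    names = ["el-torito-cd"] * bool(boot) + ["mbr-disk"] * bool(parts)
    return "+".join(names) or "unknown"

# --- constructed sample images (not real OpenBSD media) ---
def sample_cd():
    img = bytearray(20 * SECTOR)
    img[16 * SECTOR:16 * SECTOR + 7] = b"\x01CD001\x01"  # primary volume descriptor
    img[17 * SECTOR:17 * SECTOR + 30] = b"\x00CD001\x01EL TORITO SPECIFICATION"
    struct.pack_into("<I", img, 17 * SECTOR + 0x47, 19)  # boot catalog at sector 19
    img[18 * SECTOR:18 * SECTOR + 7] = b"\xffCD001\x01"  # descriptor set terminator
    # validation entry (01 ... 55 AA), then default entry: bootable, no emulation
    img[19 * SECTOR:19 * SECTOR + 34] = b"\x01" + bytes(29) + b"\x55\xaa\x88\x00"
    return bytes(img)

def sample_usb():
    img = bytearray(64 * 512)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0xA6, 64, 1900000)  # active OpenBSD slice
    struct.pack_into("<B3xB3xII", img, 462, 0x00, 0x0C, 1900064, 100000)  # shared FAT32
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    print(classify(sample_cd()), classify(sample_usb()))
```

For a real file, pass its contents as bytes; the boot catalog can sit anywhere in the image, so read the whole file rather than only the first sectors.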
  #5   (View Single Post)  
Old 24th February 2012
daemonfowl

I wish you good success in this !
Live usb technology is growing to become the best for live media .. pen sticks getting cheaper .. +rw , superfast performance on new usb hardware , noiseless , practical to carry everywhere , physically less fragile as to dust/humidity/sun .. :-) ..

a question :
some would argue that on usbs , the best filesystem to use is non-journaled .. fat32 or ext2 .. as less writing is imposed on the usb fragile sectors ..

to what extent is this true ?
I once used to use slax on fat32 formatted usb .. it ran well .. but I bet it's not a secure way since fat32 is accessible by all worlds OSes ..
how far can the same be done with the BSDs ? (aside from the security issue)
  #6   (View Single Post)  
Old 24th February 2012
jggimi

Discussions of your two raised issues -- solid state write considerations, and retaining privacy of data on portable media -- should be in their own threads. Both are worth discussing. But not here. It seems your habit of "hijacking" threads (your own threads, as well as those of others) continues.

Remember: one subject, one thread.
  #7   (View Single Post)  
Old 24th February 2012
backrow backrow is offline
Real Name: Anthony J. Bentley
Shell Scout
 
Join Date: Jul 2009
Location: Albuquerque, NM
Posts: 136
Default

Quote:
Originally Posted by jggimi View Post
I have been considering removing the "heavy" images -- XFCE, KDE, and Gnome. They are larger than CD, and due to the use of uncompressed CD9660 filesystems, are so slow as to be difficult to really use. As a proof that general purpose workstations could be deployed with OpenBSD, they showed it was possible, but with CD filesystems, are not practically useful.
My first introduction to Unix was Slax, which has a boot option to run everything from RAM. This results in a few more minutes to start up, but after that the full‐blown KDE environment was quite snappy on my little Thinkpad. I don’t know if you’ve considered (or already implemented) something similar in your LiveCDs, but it may be an option. Of course, it does require a fair amount of RAM—I think Slax needed 512MiB.
__________________
Many thanks to the forum regulars who put time and effort into helping others solve their problems.
  #8   (View Single Post)  
Old 24th February 2012
shep

An OpenBSD port contributor was providing live usb images for a while. I do not think unetbootin is available in OpenBSD and this does allow one to generate the images in an OpenBSD box
Another option for making live usb images
  #9   (View Single Post)  
Old 25th February 2012
jggimi

Shep, thank you, but my thought was a tool would need to be recommended for Windows users to write disk images to USB mass storage devices. The rest of the world can use dd(1).
Old 25th February 2012
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

Would rawrite32 be suitable for that?
Old 25th February 2012
jggimi

Perhaps. Thank you, as well!
Old 25th February 2012
daemonfowl

maybe taking a look at linux-based live usb tools source code may help you as a hacker :
http://en.wikipedia.org/wiki/List_of...ve_USB_systems
Old 25th February 2012
shep

Quote:
Shep, thank you, but my thought was a tool would need to be recommended for Windows users to write disk images to USB mass storage devices. The rest of the world can use dd(1).
My impression is that unetbootin writes an iso to a usb drive and adds the boot blocks to the usb drive and I thought your goal was to produce *.img files. It is a little confusing in the link as the author used the *.bin suffix for his usb image.
Quote:
Really easy. Watch out. Everything is done with qemu by Fabrice Bellard. Just install that package and blindly follow the instructions below.

# qemu-img create liveusb-miniX.bin 1000000

# qemu -hda liveusb-miniX.bin -cdrom install47.iso

(Install OpenBSD into the file store and whatever packages
you need but create only one partition wd0a)

Now change the line in /etc/fstab

/dev/wd0a / ffs rw 1 1

to

/dev/sd0a / ffs rw 1 1


That is it! You are ready to dd(1) now. See below.

Creating a LiveCD is more work because you need a read only OS. No such issue with writeable USB memory sticks.
I did a quick search and found this Arch USB Installation Media Wiki that lists a number of options for Windows users
Old 25th February 2012
jggimi

Thank you for the correction and the clarification and the additional links!
Old 29th February 2012
jggimi

I have polled my little mailing list, and received a few positive, and no negative responses, to the following proposed changes for 5.1. In brief:
  • Reduction of X Windows platforms

    Drop XFCE, Gnome, KDE. These integrated environments are too big for CD use, and impractically slow on DVD. Retain Fluxbox and the built-in fvwm and cwm window managers. Add scripted choice between window managers.
  • Add hard disk (USB stick) images

    Retain read/only iso9660 (cd9660) filesystems and "ramdisk" read/write filesystems so that the image may remain "clean" and have no private or encrypted information. Include a FAT32 MBR partition to share storage with other OSes, and management scripts to ease the mounting of this partition and other foreign filesystems on other drives.
  • Add WiFi NIC connectivity

    Scripted solution needed to eliminate the need for manual ifconfig/dhclient commands.
  • Add xpdf, LibreOffice, mutt, and Thunderbird

    Office automation for those who do not have or want browser-based services.
----


This would take the configuration into a "production workstation" role, something it has never been before.
Old 29th February 2012
daemonfowl

Hi Jgimmi !! How are you doing ?
I don't know if my opinion counts .. anyway .. I hope, for the new Jgimmi LiveCD that you will:

* drop libreOffice in favour of light pair {gnumeric+abiword}
* Include small but useful utilities like dictd client,gopher,snownews,mutt,transmission,xchm,xpdf
* Include keyboard-aware window manager (ion or ratpoison) but set fvwm as default ..
* of course those timeless bsdgames :-)
* lynx+dillo definitely
* xfe
I've read avira linux version is installable on unixes .. so if it is included too maybe it'll add an extra functionality as when one wants to scan windows executables or something ..
later on if you decide to implement a liveUSB .. that'll be even more useful .. if avira is not a choice , then maybe clamav+updates is a possible alternative .. a livecd with some antivirus always helps ..
and so , Jgimmi's livecd becomes multifunctional .. secure .. lightweight .. OBSD-vigous flavour .. and I'll be among the first who would want to try it ..

(I'll be mad to ask you to include geany too .. lol .. it just came across my
mind as well .. )
Old 29th February 2012
jggimi

Quote:
Originally Posted by daemonfowl View Post
* drop libreOffice in favour of light pair {gnumeric+abiword}
See my comments regarding LibreOffice compared with the Gnome tools earlier in this thread.
Quote:
* Include small but useful utilities like dictd client,gopher,snownews,mutt,transmission,xchm,xpdf
Both xpdf and mutt were just mentioned in my most recent posting, directly above. Regarding the other tools, please read this Q/A in my FAQ. If you want your own set of applications, please read OpenBSD FAQ 14.17.3. Follow that set of instructions to create your own "LiveUSB" with whatever you want. It will not be a read/only OS, however.
Quote:
* Include keyboard-aware window manager (ion or ratpoison) but set fvwm as default ..
I just mentioned cwm in my most recent posting, directly above.
Quote:
* of course those timeless bsdgames :-)
These have been part of my Basic image for years, since I began creating live media, as they are part of OpenBSD. The only fileset not included is comp*.tgz.
Quote:
* lynx+dillo definitely
Lynx is part of the base. I plan to continue to provide FF as the only graphical browser. Regarding dillo, please see my comments about application requests I've already made in this reply.
Quote:
* xfe
I have no plans to add a graphical file manager at this time. I may, or may not elect to do so. Otherwise, please refer to my answers above in this post, regarding application suggestions.
Quote:
I've read avira linux version is installible on unixes ..
I will not port any applications to OpenBSD specifically for my live media images.
Quote:
...maybe clamav+updates is a possible alternative
See my comments on application suggestions, as above.
Quote:
(I'll be mad to ask you to include geany too .. lol .. it just came across my
mind as well .. )
As above. This is NOT to be all things to all people. (Or all things to our favorite devilish bird.)

The purpose has been rescue, hardware testing, and OS familiarity. What is intended, and will be new, is the option to have general office automation, travel without private data, shared filesystem on hard drive (USB stick) images, and some additional scripting. That's all.
Old 29th February 2012
shep

Quote:
Add WiFi NIC connectivity

Scripted solution needed to eliminate the need for manual ifconfig/dhclient commands.
@Jggimi you are probably aware of this effort for a wiconfig script but if not perhaps it would be a good place to start

Quote:
Add xpdf, LibreOffice, mutt, and Thunderbird

Office automation for those who do not have or want browser-based service
I agree that OpenOffice/Libreoffice are more capable in dealing with MSoffice filetypes. On the other hand OpenOffice/Libreoffice pull in the qt3 libs whereas the goffice based apps are strictly gtk. From the standpoint of a traveler concerned about security, I have an unconfirmed thought that being a little out of the mainstream and having some diversity might be good. Although I do not have abiword/gnumeric on my desktop I do carry a webkit based browser along with firefox. XXXterm is more stable than Midori but the user interface for XXXterm is not as intuitive as Midori.
Old 1st March 2012
jggimi

Thank you. I am aware of the "wiconfig" discussion; it won't meet this particular requirement.

Thank you for your thoughts on the office automation. Alternatively, users may avoid a thick client and choose a browser based solution if needed.
Old 12th May 2012
shep

Along the lines of Security Focused Live CD a new offering from Russia.
Quote:
System

Kernel: Hardened Gentoo 3.2.11 with grsecurity/PaX + Unionfs
System requirements: x86 Pentium Ⅲ+ with PAE, ≈192 MiB RAM, ≈210 MiB on bootable removable media (USB key, SD card, …)
Laptop Mode Tools handle power management; hard disks are switched to quiet acoustic mode and spun down
Extensive Ethernet and Wi-Fi network devices support
Extensive autoconfiguration, including X server and audio mixer channels setup
Smooth integration as a VirtualBox (including clipboard), VMWare, QEMU guest
NetworkManager manages Internet connectivity, with PPTP / OpenVPN / Cisco VPN support
Static and removable devices are available via udev+AutoFS-based automounting (includes VirtualBox and VMware shares)
No user interaction is required during boot, except for OTFE password entry
User's important configuration changes are archived to OTFE encrypted volume upon shutdown
Applications are preconfigured and ready to use

Applications

Fully modular X server, with TrueType-only fonts for all uim-supported languages
LXDE- and GTK-based desktop with lightweight applications: no GNOME/KDE libraries
Multilingualization using uim: all input languages that are supported by m17n-lib, native Japanese support with anthy, and Florence virtual keyboard
Application-level UI internationalization: all unicode locales are available; locale, timezone and keyboard layout are easily switched with a custom tool
Basic: LXPanel, Openbox, PCManFM / emelFM2, FileRoller, Sakura / LXTerminal
Editors/Viewers: gedit, AbiWord, Gnumeric, Evince (with DjVu support) / ePDFView, FBReader
Internet: Epiphany (with HTML5 video), Claws Mail (with integrated cables communication), XChat (with SASL), Pidgin (with OTR), gFTP, uGet
Audio/Video: Totem, Audacious, Geeqie / GPicView, GraphicsMagick, Cdrtools, Speex audio clips encoding custom tool
Extras: GNU Privacy Assistant, Figaro's Password Manager 2, Qalculate!