Michael posted about the NSA’s version of Android complete with its own app store. Well, the NSA is not the only government agency looking at bringing out its own version of an open source product. The Department of Defense has one too, in the form of an über-lightweight version of Linux called Lightweight Portable Security, or LPS Linux.
I created a virtual machine using VirtualBox intending to do an install, but LPS Linux is a live Linux distribution. That means you either burn the freely downloadable image to a CD or you make your own bootable USB drive following instructions on the LPS project website. So you can even try this distribution on your main PC without destroying its installed OS.
What comes on the image? Well, you get Firefox, a file encryption wizard, a PDF viewer, a calculator, Citrix Receiver, Windows Remote Desktop Client, a text editor, SSH and a terminal emulator program. For the true Linux geeks, this all runs on top of a Linux kernel (version 2.6.27.56 to be exact) and BusyBox, which is used in many Linux-based devices like routers and phones. It’s not a fully functional desktop, but I don’t think the DoD wanted it to be. They wanted to have a way to boot up a secure system in seconds with some useful utilities, and LPS has just enough for it to be useful.
Since the disk comes without an installer, it’s not easy to get this installed on your system, but it is possible. It’s a handy Linux distro to keep on hand if you need to do something sensitive using someone else’s computer.
Now why would the ATSPI Technology branch of the Air Force Research Laboratory do this? Well, from their site:
The Need for SPI’s Application of Intellectual Property Centric Security
Deliberate targeting of DoD technology is ongoing
Network / OS security is a hard problem
– Insecure end nodes
– Patch management problems and zero day exploits
Insider threat and theft continues
Commercial solutions fall short of DoD requirements
In layman’s terms, the fact that Linux is open source allows them to make their own distribution of Linux that satisfies their stringent requirements.
I applaud the DoD for undertaking such an initiative. I’d like to see even more use of open source software in our government agencies, as it could help them realize cost savings over the long term.
Citrix and the Remote Desktop programs give away a bit as well. Talking to the NSA system administrator at work the other day, he told me that NSA and other security-minded DoD organizations are increasingly doing without full-featured clients and moving to thin-client architectures. Can’t be much thinner than a live distro that discourages installations entirely. 🙂
Oh, and we’re using a lot of Linux on-base as well – Red Hat Enterprise Linux, because the security certifications don’t work if you don’t have a liable service provider. My servers and workstations are RHEL, and one of the courses is also entirely RHEL. For those who aren’t running Linux, they use a significant number of Unix programs via a Java-based emulation/X virtual box system. The actual client OS is becoming largely irrelevant.