Distinguished Member with 12,805 posts. | Join Date: Sep 2003 | Location: -71.45091, 42.27841

Secure Surfing in a Live CD Environment

I have adapted my computer use to working exclusively in a Linux Live CD environment. I am now using Ubuntu version 7.10 (Gutsy Gibbon). In essence, I have secured my environment by several means.
One is by use of a restrictive iptables firewall initialization script. Since I only have a dial-up 56k account with my ISP, it is easy to connect and disconnect my computer from Internet access at any time.
Another means in particular is that none of my disks (4) are exposed to the Internet when I am connected which is a security feature of my method. By exposed to the Internet, I mean that none of my disks are mounted into my environment.
A further feature is that I have installed a Linux command which can spin down all of my disks which makes them untouchable to any miscreant that makes it past my firewall.
I have 1GB memory (RAM) into which the Live CD is loaded and subsequently set up by init scripts, after which I usually have on the order of roughly 200 MB of free space before I bring up my Firefox browser and connect to my ISP for Internet access.
After I boot up my system, I insert a CD disc into a second CD drive and copy a setup script into the root account. I then run it. The setup script determines which device holds my Live CD environment changes and transfers them from one of my hard drives into the memory of the booted Ubuntu OS and installs them onto the booted environment. This process is equivalent to booting up an installed OS with all of the changes, except in that scenario, the disks would be exposed to the Internet once connected. Once this is complete, I then set the UTC time according to my trusty atomic watch which is synced up to the NIST radio-controlled signal.
For each change I have made to my environment, obviously there is some work to do in order to retain the persistence of the newly installed change over subsequent boots which all result in the vanilla Live CD environment. Each time I reboot, although I start over by reinstalling the changes, it is nothing more than tarring the files involved onto the loaded OS environment. The setup script transfers another init script which does all the work which takes less than a minute to complete. A separate script reinstalls my saved Firefox profile mostly including add-ons and bookmarks. My Firefox history is kept to a minimum before saving it.
As an alternative, I am now working on rebuilding a customized Live CD so that I can boot up to an equivalent installed computing environment. Note that the current limitation of 1GB memory requires that I trade-off function vs installation for what I choose to install - one example of this is that I choose not to install Wine - why would I ever need any Windows software anyway? Increasing the amount of memory would no doubt allow more enhancements to be tractable in this environment, like the Compiz Fusion cube.
For now, I can surf the Internet essentially secure - free from the cost of AV, AS, AT, HIPS, or any other security software that costs money, and the OS is free.
If any malware is able to get past my firewall, when I power down, the malware is destroyed as it can only reside in memory.
-- Tom
__________________ The independence created by philosophical insight is - in my opinion - the mark of distinction
between a mere artisan or specialist and a real seeker after truth. - Einstein 1944
Imagination is more important than knowledge. - Einstein
Last edited by lotuseclat79 : 20-Feb-2008 04:54 PM.

Distinguished Member with 4,798 posts. | Join Date: May 2006 | Location: S.F. Bay Area, CA | Experience: Intermediate

So you have two CD-ROM drives? One to boot the CD and the other for CD with the setup script.
Peace...

Distinguished Member with 12,805 posts. | Join Date: Sep 2003 | Location: -71.45091, 42.27841

Hi tomdkat,
Thanks for asking that question - I just made an edit to clarify that point based on your comment.
Yes, in fact I do have two CDROM capable drives - one is a DVD-RAM drive I use to boot Ubuntu, and the other is a regular CDROM drive that I use to transfer the setup script. At the moment, my 3.5 floppy drive is toast and needs replacement - I have one to install but just have not gotten around to it. Otherwise, I could have put the setup script onto a floppy.
As it turns out, on bootup of Ubuntu, the floppy drive access issues two error messages, but once it just kept looping and I hit the power button to power down and then rebooted - all was well after that.
-- Tom

Distinguished Member with 4,798 posts. | Join Date: May 2006 | Location: S.F. Bay Area, CA | Experience: Intermediate

Gotcha. Thanks for the clarification!
Peace...

Junior Member with 3 posts. | Join Date: Feb 2007 | Location: South UK | Experience: Advanced

Hiya Lotuseclat79, could the same idea be placed onto a flash drive (locked) or some other locked USB drive and run? I am interested in the concept, but do not have two CD-ROM drives. I have 2 GB RAM, but could a script run from the locked USB/flash drive to load things into RAM and still retain the hard drives being powered down, safe from the Internet? Is it possible to have a look at how you scripted the CDs?
thanks
Dave.

Distinguished Member with 12,805 posts. | Join Date: Sep 2003 | Location: -71.45091, 42.27841

Hi Dave,
One of the things I am working on is making an equivalent, compatible environment that is USB flash drive based. As I understand it, the Live CD is not writeable - I could be wrong.
So far, I have made a persistent 2 GB USB flash drive environment with Ubuntu 7.10 on it. It is simply a vanilla version with no special updates from me on it at this time. The persistence is a feature to be able to retain the changes once made to survive between reboots - just like saving to disk normally accomplishes.
Yes, I believe it is possible that the environment once created up-to-date from what I have done so far for the Live CD environment on a USB flash drive could load itself into RAM, and, of course, one of the requirements would be that the hard drives be able to be unmounted which is necessary and sufficient to protect them from the Internet. Being able to power them down saves on use of electricity, but is a further protection that is probably not necessary with the drives unmounted.
One of the issues is to make the USB flash drive secure. Securing USB flash drives will take some security software that I have not yet settled upon.
I did not script the Ubuntu Live CD - it is the original from Canonical, and next month the Hardy Heron LTS (8.04) will be released (I think on the 24th?).
What I have done is locate on one of my hard disks, all of the changes I have made to my Ubuntu environment, i.e. all of the software updates via the Synaptic Package Manager. I have written scripts to set up the Live CD environment with those changes.
The process I use is straightforward to me (as a system software engineer), but takes some amount of patience (as the boot time is probably just a little bit more than most people would tolerate). Luckily, I know what I have done, and it is easy to deal with. My hope is that the USB flash drive will speed up the process by eliminating the need for the CD and encase the updates via its persistence so that the hard drives are no longer necessary either.
Here is the process I use:
1) Boot up with Ubuntu 7.10 Live CD (when Hardy Heron arrives, I will just substitute the new CD and it should work with some minor changes), but to be realistic I will probably have to go back to square one and ensure that everything I made updates to is updated within the new OS context - as both a safety, and a security precaution. In fact some things may not even work.
2) Since I only have a dialup 56k modem, at this point I am not connected to the Internet and if the scheme I use is being tried on a 24/7 connected interface - I would recommend it be disconnected in order to allow the initialized environment to be fully prepared for the Internet (this mostly means "installing the updates" and initializing the iptables firewall). By installing the updates, I mean copying bzipped tarballs of the changes I have made and extracting them into the proper locations on the system. The last task in the system setup is to manually set the UTC time on the system (I use my trusty Timex atomic watch which is synced to the NIST radio controlled signal).
3) The last update I install is the Firefox profile which I save every day after each session is over. This is different than the actual Firefox release software itself which is taken care of in the previous step. I do this step as the regular ubuntu user, whereas all of the previous modifications are made from the root account. Still unconnected from the Internet at this stage.
4) All is set to dial up the Internet which I do with wvdial. I have some 10 phone numbers programmed if one seems to not be working or too busy. As you might guess, there is more underneath the skin to make it all work.
One issue currently that I have been putting off is my BIOS. It seems in order to boot from the USB flash drive, I have to change the BIOS entry in the order of devices to boot from where the USB flash drive takes the place of the bootable hard drive. Doing so apparently does not allow the hard drive to be in the order - i.e. the substitution is one-for-one. So, currently, when I place the USB flash drive into the USB socket from a powered down state, and boot up, the USB device is seen (but since I have not modified the BIOS) it will not boot - i.e. until I make that change.
I have investigated my BIOS and downloaded and burned the latest version to it should I need to get things running - naturally, I have not done this and won't until I know it is needed, otherwise, I will leave it alone for now.
Sometime in the next couple of weeks, I will pick this development up again, and hopefully finish it before Hardy Heron arrives late next month.
When I initiate a Terminal window, the commands I give are:
$ sudo -i
# cp /media/CDROM/* ~
# ./setup.sh gutsy
# date -u mmddhhmm (in 24 hour time compensating for EDT+4 for UTC time)
# exit
The script setup.sh probes the (4) hard drives and determines which device the software is on, and mounts and pulls the initialization script over to the root account directory and then executes it which pulls over and installs the updates and initializes the iptables firewall.
-- Tom
P.S. You can find some of my scripts posted here at TSG, though I do not recall the threads so you would have to search for my posts in this forum of which there are many.
The main initialization script does nothing more than pull over updates to packages I have installed via the Synaptic Package Manager to Ubuntu + a few little tricks that need to be done to the Linux environment since they are not done by default at least not yet anyway.
As my scripts otherwise are a work-in-progress at this time and I am working on documenting them I don't feel I have the time to be able to explain all that I do, and am not currently predisposed to release them to anyone, but I will try to answer any questions you have - just ask.
Last edited by lotuseclat79 : 11-Mar-2008 04:27 PM.
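
The precondition this post relies on before step 4 (no hard-disk filesystem or swap area still in use after setup.sh has pulled the updates), written as a check. This is an added example, not one of lotuseclat79's scripts; the function names, device names and sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# in_use_from_disks TABLE DISK...
# TABLE is a file in /proc/mounts or /proc/swaps layout (device in column 1).
# Prints "device target" for every entry backed by one of the DISKs or one of
# its partitions. Returns 1 if any were found, 0 if the disks are untouched.
in_use_from_disks() {
    table=$1; shift
    found=0
    while read -r dev target rest; do
        for disk in "$@"; do
            case $dev in
                "$disk"|"$disk"[0-9]*)
                    printf '%s %s\n' "$dev" "$target"
                    found=1 ;;
            esac
        done
    done < "$table"
    return "$found"
}

# Constructed sample in /proc/mounts layout: a live session in which one
# hard-disk partition (/dev/sdb1) was left mounted after the updates were copied.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
tmpfs /cow tmpfs rw 0 0
/dev/scd0 /cdrom iso9660 ro 0 0
/dev/loop0 /rofs squashfs ro 0 0
/dev/sdb1 /mnt/updates ext3 rw 0 0
EOF
}

# Real use before dialing (device names are assumptions; list your own disks):
#   in_use_from_disks /proc/mounts /dev/sda /dev/sdb /dev/sdc /dev/sdd &&
#   in_use_from_disks /proc/swaps  /dev/sda /dev/sdb /dev/sdc /dev/sdd &&
#   echo "disks clear"
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_mounts > "$tmp"
    in_use_from_disks "$tmp" /dev/sda /dev/sdb || echo "unmount before connecting"
    rm -f "$tmp"
fi
```

Swap areas never appear in /proc/mounts, which is why the usage comment runs the same function over /proc/swaps as well.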

Junior Member with 3 posts. | Join Date: Feb 2007 | Location: South UK | Experience: Advanced

Thank you very much for the reply. I will take the time to find some of the scripts, as I am interested in where this can go. Before I go any further I should read up on iptables firewalls, as it looks like the main security module I do not understand fully. Lots of reading, I guess. I will be looking out for any update on the subject. Again, thanks for your time explaining your development so far.
Dave.

Senior Member with 190 posts.

Booting an .iso image of a live CD with a persistent home from flash memory is common and easy to do. The Damn Small Linux folks and others have info in their forums.
Some live CDs like Puppy Linux allow writing back to the CD itself.
For BIOS that dislike USB drives, a simple IDE or SATA Compact Flash card adapter is cheap and an easy solution. I run my m0n0wall router using one.