COMP 3000 2011 Report: Liberté Linux

From Soma-notes

Background

In this day and age, anonymity, privacy and liberty are at the forefront of people’s minds. Whether it’s being able to surf the web anonymously and securely; access sites that have been arbitrarily blacklisted by various governments, or more importantly, the capability of communicating secretly in dire situations where anonymity is paramount for survival. If you're an activist or a spy, Liberté Linux is the distribution for you. <ref name="liberte">Kammerer, Maxim. DE(E)SU - Liberté Linux. DE(E)SU. Retrieved 17 October 2011, from http://dee.su/liberte </ref>

Liberté, which translates to freedom in French is supposed to exemplify this very concept. The notion of freedom of communication governs this particular distribution. To put it aptly, Liberté’s primary focus is to allow secure and reliable communication in hostile environment. <ref name="liberte"></ref>

It is interesting to note, the Liberté trademark (displayed on the left) is a composite of several different logos: <ref name="logo">Kammerer, Maxim. DE(E)SU - Liberté Artwork. DE(E)SU. Retrieved 17 October 2011, from http://dee.su/liberte-logo </ref>

  • The emblem of the United Nations
  • The flag of Anonymous
  • Blank globe, focus on Africa
  • The URSS aviation Kremlin Red Star
  • The Black Triforce (The creator mentions he was inspired by the triforce in Legend of Zelda) <ref>Kammerer, Maxim. DE(E)SU - Liberté Linux FAQ. DE(E)SU. Retrieved 18 October 2011, from http://dee.su/liberte-faq</ref>
  • Essays 1743 font (for the title Liberté)

Finally the motto encompassing the logo states: Anonymus / Ultima ratio libertatis / Nomen illis legio. <ref name="logo"></ref>

Liberté Linux is a Gentoo based Live CD/USB/SD distribution, created by Maxim Kammerer and can be easily obtained from sourceforge.

Installation/Startup

Live USB

(As a caveat, because Liberté Linux was installed in one of its native environments (USB) and not on a virtual machine, I was unable to provide personal screenshots. As such all screenshots in this section have been taken from the official liberte site.)

Liberté Linux takes up approximately 200mb of disk space, and requires no more than 192mb of RAM allocated, to run efficiently.<ref name="liberte"></ref> Very lightweight and an absolute breeze to install on a USB (Sandisk Cruzer 8GB) using a Windows machine. I installed the ZIP file, extracted it to the root of the USB, located the setup.bat, ran it as an administrator and then 10 seconds later...voila! The installation process was successfully completed.

Upon startup, I was prompted to set a LUKS passcode. Afterwards it took several minutes for an RSA key to be generated. As the distro was booting up, I was greeted with a Hammer & Sickle as my background (pictured to the right). What a glorious way to startup.

Once the desktop loaded, Liberte had issues identifying the battery charge percentage accurately. Whenever I’d unplug the laptop, I’d be greeted with a blinking popup warning me that my laptop had less than 5 mins of battery charge left, despite the fact that this was not the case. At this time, I have not been able to diagnosis the reason for this bothersome popup.

Basic Operation

It is important to note that Liberte's main design goal is security. As a result, all basic operations done on the platform have to be done securely. This includes, but is not limited to network traffic. Liberte improves on the Privacy Enhanced Live Distribution of Linux, which transparently routes traffic through tor (including DNS requests), by forcing applications to create connections on the loopback interface. The ultimate goal here is to not leak IP addresses. Therefore, browsing and general network traffic is kept anonymous. <ref>Kammerer, Maxim. DE(E)SU - Security and Anonymity in Liberté Linux DE(E)SU. Retrieved 14 November 2011, from http://dee.su/liberte-security </ref>

Since I'm neither a dissident or located in a hostile environment, I'm not the typical user that Liberte is targeted to. I attempted to use Liberte for relatively basic tasks.

I loaded up Midori, the secure web browser that comes installed with the operating system. On my first attempt, I tried to visit a popular social networking site. Once the page loaded, I was informed that javascript is automatically disabled. I went sifting through the browser settings to enable javascript. After five minutes of searching I was unable to do this trivial task. I was left with no choice, but to forgo my pride and navigate to the help option. Upon close examination of the online documentation I stumbled onto something about enabling "userscripts". Seemed like this was my ticket to javascript galore! After enabling the userscript add-on, I restarted my browser, and was happy to see that my current tabs were restored and no longer did I receive the remainder that I needed to enable javascript. Finally after logging into the popular social networking site, I was greeted with a lovely warning informing me that my account was locked, because I had accessed my account from an unrecognized device. I was prompted to answer several security questions in order to regain access. The first security question asked me to re-enter the text I saw displayed in the textbox...except for one problem. Where's the text? I frantically clicked on "try different words" and still. Nothing. My preference for security began to diminish at a rapid rate. Mainly because of the roadblocks I had encountered at every step of the way. After many failed attempts, I restored my account on another operating system. Apparently, as it turns out, the social networking site in question detected that someone had accessed my account from the Netherlands! Impressive, I dare say. This example perfectly illustrated the tor-enhanced traffic.

Usage Evaluation

There is no doubt that Liberté Linux meet its design goals. It allows a user to browse and communicate anonymously and securely in the most hostile of regions. In that sense, you can claim that liberté linux is a success. To meet this goal, the Liberte Linux distribution comes prepackaged with a wide variety of secure tools, such as: Midori (with tor enhancements), Claws Mail (with cable communication built in -- discussed later in the report) etc.

Security enhancements aren't just limited to the applications that are provided but also right down to the kernel (the very core of the operating system). <ref name="liberte"></ref> The author of this distribution has provided wide range of modifications and enhancements to the hardened gentoo kernel to protect the operating system from attacks and subsequently from its user. <ref name="github">Kammerer, Maxim. Github Liberté Repository.Github. Retrieved 16, November, 2011 from https://github.com/mkdesu/liberte </ref> The ability to perform administrative actions on the system were a nuisance (if you want to make any modifications, that is). For example, if you want to enter root mode, you need to restart the operating system in a different mode with a two minute limit on your root access. Moreover, if you want to install additional applications you must completely rebuild the operating system image every time. This distribution is clearly not intended for the average user, because of all the figurative hoops you have to jump through to perform basic operations. In summary, Liberté is a solid security-based operating system, and for its intended purpose it's superb. That being said, I don't recommend it for the layperson.

Software Packaging

Liberté is a gentoo-based operating system using the portage package management system. Portage consists of two main parts: the ebuild system and emerge. The ebuild is responsible for compiling and installing packages, while as emerge is responsible for managing dependencies and the ebuild repository. Portage is a command line package manager, but several frontend applications exist, such as Porthole and Portato


Major Package Versions

Package Name Liberte Version Upstream Version Upstream Source Modified by Author Information/ Reason
Hardened Gentoo (kernel) 2.6.39 3.0.4 source Yes, for bug fixes and security reasons<ref name="github"></ref> Hardened Gentoo was chosen because of it's secure nature.
Grsecurity/PaX (kernel) 2.2.0 2.2.2 source No Patches to enhance the security for the kernel.
Unionfs (kernel) 2.5.10 2.5.10 source No Efficient file system.
Fbcondecor (kernel) 0.9.6-2.6. 0.9.6-3.0 source No Standard console decoration (I assume the author could have picked any other).
GTK+2 2.24.5 3.0.12 source No Commonly used and supported graphics toolkit. Many applications (listed in this table) require GTK support.
Midori 0.4.0 0.4.2 source Yes, because browser connections are all tor-ified Standard open source browser.
Claws Mail 3.7.10 3.7.10 source Yes, with cables communication (a liberte feature) <ref name="liberte"></ref> Provides a secure and anonymous channel of communication for email.
NetworkManager 0.8.4.0 0.9.2.0 source No Popular network package for linux
Bash 4.1.9(2) 4.2 source No Popular shell
Pidgin with OTR Pidgin - 2.10.0 / OTR - 3.2.0 Pidgin - 2.10.0 / OTR - 3.2.0 source (Pidgin) source (OTR) No Pidgen is a popular open source client, and the OTR plugin was chosen for it's privacy enhancement.
Gedit 2.30.4 2.30.2 (site indicates this is the latest stable release) source No Popular open source text editor
ls 8.7 coreutils-8.9 source No Standard Linux tool
Laptop Mode tools 1.5.5 1.6 source No Enables laptop mode in linux, and saves power/reduces the number of spin downs.

Initialization

During startup, all scripts in the /etc/runlevels folder are executed. First the subdirectory /boot scripts, and then the subdirectory /default scripts are executed. "Usually the scripts are executed in alphabetical order, but some scripts have dependency information in them, telling the system that another script must be run before they can be started." <ref>Gentoo Linux Documentation-- Initscripts. (n.d.). Gentoo Linux -- Gentoo Linux. Retrieved November 15, 2011, from http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=4</ref>

Five major programs that are executed upon startup:

  1. alsasound - loads drivers.
  2. consolefont - sets font for the console.
  3. consolekit - starts the consolekit daemon.
  4. identity - sets the user's anonymous identity and randomizes the MAC address.
  5. liberte - sets the OTF partition
  6. NetworkManager - utility for networks
  7. Privoxy - "non-caching web proxy" <ref>Privoxy - home page. Privoxy. Retrieved November 16, 2011, from http://www.privoxy.org/</ref>
  8. Spindown - spins down and quiets down hard drivers.

All programs and their respective descriptions were found using the ls command to search through the specified /etc/runlevels folder, unless otherwise noted.

References

<references />