LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-16-2020, 04:15 AM   #1
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,237

Rep: Reputation: 56
If updating frequently is good, why is TENS, the distro recommended to US military staff abroad, 10 months out of date?


Here is a distro recommended to US military staff abroad, to boot live on computers they do not own such as at cafes.

https://distrowatch.com/table.php?distribution=tens

There is no automatic update as far as I can see. You just download the latest version of the distro and burn it to a CD or USB flash drive. But the last version is 10 months old and the one before is 5 months older.

Is it possible they consider immediate updates a bad idea?
 
Old 03-16-2020, 04:30 AM   #2
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 4,590

Rep: Reputation: 1336Reputation: 1336Reputation: 1336Reputation: 1336Reputation: 1336Reputation: 1336Reputation: 1336Reputation: 1336Reputation: 1336Reputation: 1336
I think this is clearly explained on the home page https://www.spi.dod.mil/lipose.htm. It's meant to be a thing client, not a general purpose PC. It's a live CD, nothing is saved to disk, malware can only be active during the session. Access to government web site is secured via smartcard, and nothing else can be done with this beast.
 
Old 03-16-2020, 04:59 AM   #3
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,237

Original Poster
Rep: Reputation: 56
Quote:
It's a live CD, nothing is saved to disk, malware can only be active during the session. Access to government web site is secured via smartcard, and nothing else can be done with this beast.
Surely it allows visits to other sites and getting exposed to man-in-the-middle attacks even if they only visit google or whatever. Remember, these users are a prime target for threats.
 
Old 03-16-2020, 05:06 AM   #4
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 19
Posts: 6,066
Blog Entries: 21

Rep: Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034
When I was in the USMC. It took them awhile to catch up to be hip. When it came to certain things not deemed important. Usually a gunny determined what was important. Gunnys could be ignorant when it comes to computers. Hence. You being irked.

It was one of many reasons I only served my legal limit.

To me. I don;t think the military is way hip on linux in general. Maybe a few specialists. But nothing in management.

Last edited by rokytnji; 03-16-2020 at 05:08 AM.
 
1 members found this post helpful.
Old 03-16-2020, 06:57 AM   #5
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,567

Rep: Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871
Quote:
Originally Posted by berndbausch View Post
I think this is clearly explained on the home page https://www.spi.dod.mil/lipose.htm.
Yeah, just to excerpt the relevant part:

Quote:
TENS™ differs from traditional operating systems in that it isn't continually patched. TENS™ is designed to run from read-only media and without any persistent storage. Any malware that might infect a computer can only run within that session. A user can improve security by rebooting between sessions, or when about to undertake a sensitive transaction. For example, boot TENS™ immediately before performing any online banking transactions. TENS™ should also be rebooted immediately after visiting any risky websites, or when the user has reason to suspect malware might have been loaded. In any event, rebooting when idle is an effective strategy to ensure a clean computing session.
 
Old 03-16-2020, 12:59 PM   #6
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,237

Original Poster
Rep: Reputation: 56
We would all be doing our banking with live CD's if it were that simple. Must we rule out the possibility that continuous updates are in fact a vulnerability if a mitm attack is possible?

Last edited by Ulysses_; 03-16-2020 at 01:01 PM.
 
Old 03-16-2020, 10:42 PM   #7
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,567

Rep: Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871Reputation: 1871
Quote:
Originally Posted by Ulysses_ View Post
Must we rule out the possibility that continuous updates are in fact a vulnerability if a mitm attack is possible?
You can never 100% rule anything out. It sounds like you want a simple yes/no answer as to whether "TENS" is "more secure" than a "typical" distro. But it's not possible to give such an answer that will cover all possible situations. It's not even possible to answer with 100% certainty for a single person, since none of us knows which attacks we will face in the future.

Last edited by ntubski; 03-17-2020 at 06:50 AM. Reason: missed word
 
Old 03-16-2020, 10:50 PM   #8
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,237

Original Poster
Rep: Reputation: 56
I do wonder if TENS if more secure than a typical live distro but there is another more pressing issue:

Should we let the updates be done frequently, at any time and wherever we are located at that time?
 
Old 03-17-2020, 09:41 AM   #9
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 19
Posts: 6,066
Blog Entries: 21

Rep: Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034
I do updates frequently on some boxes that get used every day.

The others. sometimes 6 weeks or more before I dist-upgrade.

Those others take longer < more stuff to download and install than the others I do frequent like >.

I know the govt has you locked in to do as ordered.
I used to be sneaky in the military because of this.
Lots or article 42 < office hours >in my military past.
My luckout was the dude determining my punishment was my pilot.
He'd keep me broke. Not lock me up. But in the service.


Not sure how easy to set up a casperw partition in tails, tens, or whatever uncle sam says do.
But then. / is read only I guess. So no use in that.

Hence. Why I go with a distro that permits live usb changes to /. Like AntiX, or even Puppy Linux with it's .sfs file loading choices at boot.
Puppy can be pretty secure for banking on a pen drive because of this.

But all of this comes from the a dude at the end of a desert with no one really around.
Not a soldier in today's modern armed forces.
 
Old 03-17-2020, 12:03 PM   #10
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,237

Original Poster
Rep: Reputation: 56
Understood that today's armed forces may be somewhat different, but why do you add that no one is really around?
 
Old 03-17-2020, 05:43 PM   #11
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 19
Posts: 6,066
Blog Entries: 21

Rep: Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034Reputation: 3034
I live in the dark green area

http://www.txcercit.org/population_density.asp
 
Old 03-17-2020, 07:58 PM   #12
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,825

Rep: Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081Reputation: 3081
TENS is more of a hobby os than a real up to date distro.

It is possible for to update the distro but kind of a hassle. I modified it a few times but gave up.

I contacted them about a security issue and they fixed it in a few days. Not sure if they knew that or did what I suggested.

TENS did bypass a program version that had a huge hole in it. Not sure if they knew it or just fate.

If some non-secure access is needed to a government site then I'd guess this is way better than trusting a home users computer on vpn to base.
 
Old 03-18-2020, 12:59 AM   #13
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,237

Original Poster
Rep: Reputation: 56
Look what the Russian military are doing instead.

https://en.wikipedia.org/wiki/Astra_Linux

Maybe TENS is really a decoy for civilians and the real operating system the US military go for is a debian derivative.

Or maybe the TENS devs simply want something lightweight enough to run on third world hardware and nothing more, nothing mission critical.
 
Old 05-22-2020, 12:48 AM   #14
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,237

Original Poster
Rep: Reputation: 56
An interesting opinion on auto-updates:

https://digdeeper.neocities.org/ghos...s.html#updates

Quote:
What's wrong with auto-updates?

There is everything wrong with autoupdate, basically you are giving whoever controls the updates full control over your software and data, with autoupdates it is possible to:

Insert backdoors, spyware and malware.
Add unnecessary features.
Remove features.
Target a single user with shit like A/B testing, treating people like guinea pigs.
Make unwanted changes, like the dreaded UI changes.
Locking down content behind paywalls
Whatever else malicious developers want to do with you.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Tens to be disappointed as Windows 10 Mobile death date set: Doomed phone OS won't see 2020 LXer Syndicated Linux News 0 01-20-2019 07:32 PM
[SOLVED] pacman says all up-to-date for 2 months now, firefox declares itself seriously out-of-date porphyry5 Arch 6 03-09-2018 11:56 AM
LXer: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Da LXer Syndicated Linux News 0 07-04-2008 09:50 AM
LXer: Serious Flash vulns menace tens of thousands websites LXer Syndicated Linux News 0 12-22-2007 10:50 AM
cannot receive data larger than several tens KB, fedora core 2 seraph123 Linux - Networking 1 08-11-2004 04:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:58 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration