Hi,

I'm looking for a Linux distro to use for checking secure online accounts, such as banking. What I'd like is to install it on my MacBook Pro's SSD for dual-booting with OS X, set it up as necessary (eg. bookmarks, preferred browser, stored passwords for frequent wifi hotspots, firewall etc.) and then freeze the whole install and make every subsequent boot run entirely in RAM without any kind of persistence.

Because I only have a 120GB SSD in my MBP, I'd like to make the Linux partition as small as possible. If the distro were also bootable without having to set up a hybrid MBR (ie. by using Boot Camp to prepare the drive), that would be even better.

I don't want to use any external drives (eg. pendrive) for the linux distro, because it's just something else to remember to carry with me. I don't want to use an optical disc for it because it's also something else to carry, as well as slow to boot.

Anyone able to suggest something suitable?

Many thanks

Good options would be:

Slitaz ( http://www.slitaz.org/en )
Porteus (http://www.porteus.org )
Knoppix (http://www.knoppix.net , look for the CD version)

I like to carry a tweaked LiveUSB with Knoppix with me. You can "install" the CD version if you have 700 Mb or so. Slitaz will take 30 and Porteus around 300.

I tend to favor Knoppix where possible, but the others can be convenient.

Any Live GNU/Linux distribution can be installed to a partition in frugal mode, so the computer "thinks" the partition is a CD and boots it Live. Tweaking and man pages reading might be necessary.

1 members found this post helpful.

Thanks BlackRider. I'll check these out and post back if I have any questions.

Moved: This thread is more suitable in the Linux Distributions forum and has been moved accordingly to help your thread/question get the exposure it deserves.

The way a live cd works is the data on the cd is mixed with part of the ram to make a faux hard drive. The OS thinks it is running on a real drive until you shut it down.

So you could basically take any hybrid iso that is meant to be copied to a usb and use it.

Your issue with the mac is out of my experience so I can't say about that.

You might be able to get this to work. http://www.spi.dod.mil/lipose.htm


Almost all live cd's are not built to be secure. They tent to have some poor choices like running in root so I can't say for sure it would be more secure than a hardened OS running in a virtual machine. You may simply wish to boot a virtual machine to an image of a live cd. It might get past your mac issues if there is a vm for mac's.

Nearly all banks want to track you....so the first key is to have a distro where you can easily get the latest web browser and its security patches

Option 1....firefox can be downloaded to your home folder and run off it....and can be updated

2) I am wondering if you are concerned about intrusion? for your request for ram and no persistence

puppy (root mode) uses squashfiles which are kind of non-changeable while in use and ram mode

tinycore uses ram mode and its packages are kept "unpacked" until used which offer pristine-ness

is that the kind of thing you are looking for?

3) otherwise there are dedicated live cds that claim to be non-trackable. eg

https://tails.boum.org/download/index.en.html

My main objective is to have a system that I can trust to have no viruses, trojans, keyloggers, worms etc. running in the background that might compromise online security for critical accounts (most especially, but not limited to, those related to banking). The idea is to find a suitable Linux distro, set it up to be as appropriate to my needs as possible (eg. with essential bookmarks and network settings), and then freeze it entirely, such that no further changes can be made to anything. Jefro mentions VMs; what I'm looking for is something similar to what Parallels Desktop calls "Undo Disks", whereby changes made during any session (ie. between boot and shutdown of the VM) can be kept or discarded. If I choose to discard, then on next launch of that VM everything is identical to when it was last launched.

I would do this in a VM (I have Parallels and VMWare Fusion) but I'm of the belief that that would only double the vectors for security breaches: I'd have to lock-down the VM _and_ the OS the VM was running in (OS X Mountain Lion). Hence the dual-boot to Linux. By the way, if I'm wrong in this assumption, please illuminate me, because running Linux in a VM would make this a whole lot easier

At the moment, I'm using my iPhone where I can for certain things because the number of programs that can run in the background is severely limited, both in terms of quantity and purpose. But I can't use my iPhone for all the secure online tasks I have in mind, so a fully-fledged desktop/laptop OS will be necessary.

I know I'm not the first to ask for such a thing, but the idea of installing it to my SSD is a new one (to me at least) which is why I ned the advice of others here.

I hope I've explained things a little better now. Thanks for the responses so far

EDIT: Jefro - LPS looks excellent. Its description makes it sound like just what I'm looking for. Now, I just have to find out what installing it to my SSD would involve…

Read-only media only ensures the initial state of the OS. On its own it doesn't mitigate any vulnerabilities and it doesn't prevent any accumulation of whatever one could encounter during a session. What's worse using read-only media would prevent critical browser updates and implies no or negligible logging, meaning no audit trail at all if anything goes awry. Flash scripting and Javascript fun, unsolicited sharing of information, social engineering, spoofed or otherwise malicious links and websites, traffic snooping, identity theft might be on the list but viruses definitely aren't. Encryption of storage at rest, per file encryption to protect information when the encrypted file system is mounted, in-flight encryption of traffic, two-factor authentication, a restricted egress access policy using white listing, restrictive MAC rules, extensive logging but most of all the discipline to only visit crucial sites during a session could help curb risks.
I think you should first consider the threatscape in terms of what you actually need to protect against, the risks of what you can't protect against (remote problems), how you can mitigate things and then draw a plan.

1 members found this post helpful.

Moved: This thread is more suitable in the Linux Security forum and has been moved accordingly to help your thread/question get the exposure it deserves ;-p

1 members found this post helpful.

I am with unSpawn, even when he has spoken in such an intimidating manner (haha).

A good combo for a domestic user who wants to keep the kind of security you describe would be:

>Subscribe to Debian's security list.
>Use Knoppix in frugal install mode. It is readonly, of course.
>Make a partition for keeping the DEB packages you will be using for updating.
>Write a shell script that install all the updates you have saved on the partition at boot. The partition must be read-only. This script could be used to raise a firewall, harden the networking kernel parameters etc.
>Place yourself behind a good firewall (most domestic routers have one, whenever they are a crap or not is another question).

---------SECURITY MODEL:

You will boot the Live System only to access banking pages which are unlikely to attack your browser when you hit them.

You will regularly read the Security List of Debian in other to find the new security fixes which are released. When needed, you will download them and place them in the partition you have set for the task.

Save your system logs in a USB device before shutting down if you feel in the paranoia mood (this should be always, I guess).

You'll buy a gun, sword, bunch of greneades, dog or nuke and destroy anyone who tries to get physical access to your computer!!

-------------------

And that's it. Your system will have security updates, the initial state of the OS will be known and you will be accessing pages unlikely to attack you, while you are being covered by a firewall.

CONS:

You have to set this up.
Inconvenient.
You could still have security problems by attacks not coming form the external Internet.
I might have forgotten something :-)

1 members found this post helpful.

No, you run a security VM with no hard drive. You use an iso image to boot the VM and run it that way.

Any computer connected to the internet is subject to attack and there has been one proven hole in VM's.

I'd run the dod iso from a vm. No need to make any shared drives or add in any tools to cut and paste. Dunno what parallels calls it but like guest additions.

1 members found this post helpful.

slax, which probably is similar to other systems, can save all changes to flash drive, including updated packages, so, with a live cd, select updates, you could run an almost entirely stateless machine. if you have the capability, grab a used hard disk, something small, use it for swap to speed things, it'd be wiped nicely with reboot.