RE: secure live-cd

["Chris Serafin" <chris () chrisserafin com>]

You should look into using WHax or Auditor live linux cd's, I don't know how
secure they are out the box, but they are pen testing cd's; and rock at that
feature.  

Chris Serafin
IT Security / Voice Engineer
chris () chrisserafin com





-----Original Message-----
From: Stephen J. Smoogen [mailto:smooge () gmail com] 
Sent: Sunday, December 18, 2005 9:34 PM
To: alfonso () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: secure live-cd

On 14 Dec 2005 19:28:23 -0000, alfonso () yahoo com <alfonso () yahoo com> wrote:
> hello list,
>
>   I was looking for someting like a live cd to be used in secure
comunications over the internet from unsecure places like public computers,
internet cafes etc. The cd would contain applications like gaim with
gaim-encryptions, silc (client & server), email client with gpg encryption.
I don't know if there is such a distro and if it does exist how does it keep
the gpg jeys and all the other private keys safe...
>

Knoppix and similar tools would be your starting point. HOWEVER, there
would be the problem of the secret keys used by gpg, gaim, etc.
Burning them onto the cdrom would be problematic in that a) you would
need to have a cd per individual, and b) you would need to make sure
that the cdrom did not get lost as then the secret key would be
compromised.

Ways around this would be that you set up a centralized key authority
that requires the person to boot the cdrom, prove to a level of
confidence that she is who she says she is, and then retrieves the
keys to ram. Another would be to have on a USB or some other data chip
the secret keys and they can only be unlocked by a strong password.

At any point along this, you would need to keep your trust of any
individual/group using these disks to Knee Cap level. That is the
level where someone would give up the passwords to unlock their
passwords rather than having their knee caps wrenched apart.


--
Stephen J Smoogen.
CSIRT/Linux System Administrator

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfoc_ml
----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------