I'm staying for the next-to-last talk on the last day, putting up with the fire marshal and the Jesus Freaks in there and all that. I'm a nurse, and I'm here to talk about NMRCOS. It's a distribution of Linux that the Nomad Mobile Research Center developed. Nomad started this project a long time ago and it never really got off the ground, but we've been working pretty hard on it after the events that Nomad talked about yesterday at our panel.

Overall goals for the project: we want a stable, secure, trusted system. Users: initially we were gonna make this as hard to install as we possibly could. We'd basically provide you with a floppy and you'd get a shell and then, you know, tell you "untar this file" or some shit like that. We changed that when we realized that we wanted to make it more accessible to people that weren't really that knowledgeable about security, so that it comes up locked down and the administrator just has to unlock things in order to get access to the internet and everything, so that it's more secure. Intended uses: things like human rights activists and stuff like that, although if you heard Phil Zimmermann's talk at Black Hat I probably shouldn't say that, because now I can't use that in court to get out of shit.

So anyway, like I said, Nomad came up with this idea. His first idea was to use a Slackware install and kind of hack through things and hodgepodge it together. It never really got off the ground. I think the problem was that there was too much overhead required to get it out the door. So when I came on I said, well, hey, why don't we start with something else? We talked about several different distributions, Red Hat and Debian and stuff like that. We ended up going with Debian, and the reason we decided to do that was because I've had several problems with Red Hat before, and the quality of Debian just seemed to be far and above the best of any distribution that I could find. Their documentation was up to date, they had everything about how to make a derivative CD; it was just a really high-quality distribution, and so we decided to go with that.

Now, the other thing is, why not just start from scratch and do a completely new distribution? We thought about that as well, but in the end the only real rationale for that would be bragging rights. We would have to make our own installer, we'd have to make our own CD creation system and everything, and so it just really didn't seem to be that big of a problem to take one that already exists. I mean, that's one of the hacker tenets: use what's out there, right? So that's what we did.

All right, so we've got a Debian-based OS. We've got a tweaked kernel that's still running kernel 2.2; that's how old this project is. I didn't do everything on the project; it took all of us to do it. Nomad was the guy that did most of the kernel work, so I'll talk about that here. We've got 2.2.25 right now, I think we've got an update to that: the Openwall patch, the HAP-Linux patch, trusted path and forest, and we've got random IP IDs. We didn't go with the grsecurity patch because, they had some cool stuff in there, but Nomad thought that it was more difficult to set up, so we ought to stay with what we've got here and later on move on to that if we could.

Now, I should note that this isn't the idea for this. Coming out now with a 1.0 release, there's certainly going to be a lot of problems, and I'm sure you guys are going to find a lot, but the idea is kind of like why we're releasing ncrypt and ncovert: to get you guys to think and to try and come up with new ideas, avenues we haven't even thought of, of how to lock the box down, how to do things. So when I talk about things like why we, for instance, we see here... One of the goals of the project is we're trying to help not just the security of the administrator but the security of the users, the privacy of the users as well. That's why we have ncrypt on there. We're planning on having cryptographic file systems; we don't have it yet. We want to get this out to you guys so that you can use it, see what's wrong, see what you think can be improved, get it back to us, and away we go.

We have some customized applications. Pine, I think it's still 4.56, it might have been updated, but we tweaked that so that the headers come back all screwy, so you don't know what's sending it. And Sendmail 8.12.9; we went with that. If you're familiar with Debian, they have three mini-distributions within itself: stable, testing and unstable. Currently, at the time of this writing, Sendmail 8.12.9 was in unstable. So you may ask why we use unstable in our shipped version. Well, we found a couple of security problems with it, and Nomad felt safer going with Sendmail 8.12.9 as opposed to what's currently in Debian.

Yeah. Right, what the question was: why did we use Sendmail as opposed to something else? Debian by default installs Exim, I think, so why do we even bother installing Sendmail by default? Well, the reason for that is because it came down from the mountain on a tablet from Nomad. He said we're going to install Sendmail, so if you don't like Sendmail, blame him. And also that's what he's most familiar with, and I'm not really a mailer guy, so I said, you know, what the fuck, we'll do that.

The other thing we do is we auto-run Bastille by default during the second-stage install. Assuming that you choose to install Bastille, it auto-runs. I think we're the only distribution that does that on install by default.

The other things we've got going on: it installs and boots up in a lockdown state. We've done the tests where we install the operating system, we have another system hooked up, we run nmap against it repeatedly to make sure that everything's locked down, and it comes back everything's clean. Locked down by default; the administrator opens it up if they feel like they want to have a particular application running. We have a Snort bit on there that's also installed if you go through the task selection and select that. As I mentioned before, we have ncrypt and ncovert, which Nomad talked about yesterday.

I was going to do this, and I'm really sorry I can't do it, but I was timing it and I would go way over if I tried to do this and explain every step to you guys. I'm really sorry, there's just no time to do a live demonstration of it.

Now you may be wondering, how do we maintain that? Well, we have a package repository set up just like Debian. The system is nrcos.nrc.org. That is also set up in your apt setup whenever you install the system; it should automatically go out there and look for package updates. We don't have anything out there yet. When we get back we're going to throw in ncrypt and ncovert and a few other goodies. The thing about apt: it lets us graft onto Debian. We don't have to customize every single application. By providing our own apt server, you can run the Debian version of X Windows even though we don't provide it, even though we may not support it. Essentially you have X Windows and all the associated garbage that goes along with it.

Developing for NMRCOS: if you want to develop for NMRCOS, creating a non-kernel package is really simple, and it's actually already taken care of, again, by basing it off of Debian. You can just go to the Debian website and check out the Debian Developer's Reference, which tells you exactly how to make a package. If I had time to do the demonstration, and I'm really sorry, I would have shown you briefly how to do that. Creating the kernel package is very similar; it's also very easy. What you do is you use a Debian-supplied tool, kernel-package, that will tell you how to build it and install it, and creates a deb for you. There's really not a whole lot you've got to do; they made it really easy. When you distribute your package you can either send it to us or FTP it to your own website. There's documents out there to tell you how to set up your own apt repository if you want, so you can have yours, ours, then Debian's, and kind of graft onto ours that way.

Creating your own distro: the Debian-included tools to create a CD require that you have an entire mirror of the Debian archive, or at least a section of it, which makes it extremely disk-intensive. It's like, I don't know, 80 gig for the whole thing, I think, right now. We created some tools that allow you to create a CD using a very minimal amount of disk space; I think currently we're using like maybe 150 meg total for the creation of the CD and everything. That's on there as an NMRC-CD package, so when you install that you can basically learn how to create your own NMRCOS-based CDs and kind of do what we did to Debian.

Let's see. Now, there's a lot of future plans for this thing. Like I said, we're going to implement a lot of things regarding privacy for the user, not just privacy and security for the admin. There's been recent talk in the Red Hat community about opening up the development process for Red Hat Linux, and I've been playing around with that, and I've got a semi-working copy of an RPM, Red Hat-based version of this. So we were talking about having both out there, so that people that want to use an RPM or Red Hat-based distro can do that as well.

And now I'm going to open this up to questions and follow-up, because I'm sure you guys have quite a few. Anything? Yeah. I'm sorry, I can't hear you back there. Oh, yeah: can I get a bit more specific about trusted path and other kernel mods? As I said, Nomad was the primary developer on kernel mods and stuff like that, so I'm going to let him answer that.

That's all right. Hey. Basically, on the trusted path, essentially what it does is, in the kernel, it enforces that when you run an executable it has to be owned by root, it has to not be world- or group-writable, it has to be in a directory owned by root that is not world- or group-writable, and this applies even to root. That way, if someone gets on your box and puts some code in there, and for some reason you've altered your path to actually execute from your current directory first, for example, which would be stupid, but if you did that, the thing has to be owned by root. The whole idea is that if someone pops an account on the system, then they're going to have to get root to get their executable to run. That doesn't kill everything. I know someone's going to say, does it handle, like, say, a perl -e and then put your gobbledygook in there? No, it doesn't take care of that, but it does at least kind of raise the bar a little bit.

As far as the other mods go, the main thing is the Openwall patch, as well as, I don't know how many people are familiar with the HAP-Linux patch. Those are the two main things. The HAP-Linux patch mainly does some stuff for chrooting and a little bit better logging during ptracing and stuff like that, a little more control over what's going on there. The HAP-Linux patch, where's it from? From some guy named Hank. I can't remember the URL off the top of my head. Google is your friend; if you look for HAP-Linux you'll find the patch. It's like aimsgroup.com slash something or other; I can't remember the URL off the top of my head.

So, yeah, we looked at the Trusted Debian project. There's other secure versions of Debian out there, Trusted and some other things like that. Let me go up here. We looked at that, and yeah, you may want to know why didn't we just join the Debian project and contribute that way; why do we have to create our own distribution? Well, there's a couple of reasons. A lot of us are extremely paranoid and we don't want to join any other project. Debian, I think, if I remember correctly, requires that you actually physically meet someone in order to get your key signed and everything. There's a lot of us that that just really frightens. The other thing is there's been some differences. One of the things I talked about yesterday, and forgot to mention today, is that something as simple as clearing the screen whenever you log out was a difference between what we wanted and what Debian wanted. The latest on the Debian mailing list archive that I saw was that they decided that by default bash would not clear the screen upon logout. Now, I agree that security through obscurity never works. However, if we're targeting this for people that may not know a lot about security, it just helps; it doesn't hurt. If they don't know what they're doing when they leave, and they leave all the crap that they've been doing, they could leave something there that could later on be used to break into the system. So something as simple as that made us kind of think, why don't we just go our own way? We'll graft onto Debian, and that way we'll have complete control over what we want to override and how we want to produce this.

What do we use for a firewall? That's currently ipchains, 2.2 kernel ipchains, so that's what we're using there. In the install there's an actual thing where it sets it up and all that for you. It's a GS to GS variant.

Okay, well, cool, thanks man, I appreciate it. We'll take a look at that. Okay, well, let me talk to you after this and we'll get... okay. Okay, cool, thanks. He was saying that there's a Gentoo kernel that has most of the features that we have in there, and it's a lot faster, the O(1) batch scheduler, whole bunch of other shit. So take a look at Gentoo. All right, yeah, cool, we'll do that.

Really? I am not aware of that. I'm sorry, I didn't know. We have some CDs to give out, and I think we tested every single one of them to make sure they boot, so I'll make sure to get you one.

Okay. Do we provide source packages, deb source packages? They are not on the CD. We're uploading them to nrcOS.nrc.org so you can apt-get them just like all the other stuff, so that should be done. We had some problems accessing it from here, so we're going to do it when we get back.

Yes? Steg in the file system, like Rubberhose