Difference between revisions of "ISXUbuntu/Developers"
Dsolomonoff (Talk | contribs) (→Milestone 3) |
|||
(10 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
=Developer Page= | =Developer Page= | ||
− | == | + | ==Project Schedule== |
− | * | + | ===Milestone 0=== |
+ | |||
+ | *Set up process for taking apart stock [http://xubuntu.org/ XUbuntu] image, making our changes, and rebuilding iso | ||
+ | *Set up security auditing proceedure which includes penetration testing with Nessus and checking file permissions. | ||
+ | |||
+ | ===Milestone 1: to be completed by January 1, 2009=== | ||
+ | |||
+ | # BASIC PLATFORM & TOR | ||
+ | ## Functioning Base level Platform of ISXubuntu | ||
+ | ## [http://www.torproject.org/ Tor] is functional when booting ISXubuntu | ||
+ | ## working with firewalls... | ||
+ | # Ad blocker | ||
+ | ##Currently using [http://www.privoxy.org/ Privoxy] but [http://adblockplus.org Ad Block Plus] may be better | ||
+ | ## Privoxy doesn't block all ads - beyond the actual ad blocking it's necessary to block tracking of a users web activity through DNS requests. | ||
+ | # Control over malicious Javascripts, cookies, etc. | ||
+ | ## [http://noscript.net/ NoScript] to block malicious Javascripts (Tor now seems to conflict with this although it didn't use to) | ||
+ | ## [http://www.customizegoogle.com/ Customize Google] to evade privacy-intrusive features of Google services | ||
+ | ## [http://richard.jones.name/google-hacks/gmail-smime/gmail-smime.html Gmail S/MIME] for encrypted Gmail | ||
+ | ## [http://www.bugmenot.com/ Bugmenot] to get around compulsory registration of websites | ||
+ | ## On-screen keyboard to block [http://en.wikipedia.org/wiki/Keystroke_logging keystroke loggers]. Is this enough - what else can be done'? | ||
+ | |||
+ | ===Milestone 2: to be completed by March 1, 2009=== | ||
+ | |||
+ | * Set up process for building from scratch (something like what Incognito does with Catalyst) | ||
+ | |||
+ | # Currently [http://opendns.org/ OpenDNS] is used to prevent [http://en.wikipedia.org/wiki/Pharming pharming]. When you attempt to go to a URL that doesn't exist you are redirected to a page of theirs. Disabling this requires setting up a free account with OpenDNS and having a static IP - or a domain name and registering with [http://www.dyndns.com/services/dns/dyndns/ DynDNS]. We need to discuss this further. | ||
+ | # OpenOffice word processor set to redact all revision history when saving files. The UK National Archives has a useful [http://www.nationalarchives.gov.uk/documents/redaction_toolkit.pdf article] on redaction. | ||
+ | # Encrypted persistent home directory using [http://www.truecrypt.org/ TrueCrypt]* | ||
+ | # Encrypted swap space* | ||
+ | # Secure deletion of memory on shutdown* | ||
+ | # [http://enigmail.mozdev.org/ Enigmail] for encrypted email with Thunderbird | ||
+ | # Spam and phishing protection | ||
+ | |||
+ | ===Milestone 3=== | ||
+ | *Resolve flash drive issues (can we make the user's home directory read/write while leaving everything else read only?) Info on [http://www.linuxconsultingteam.com/articles/2006/10/14/secure-filesystem-mount-points security issues with Linux filesystems] from LinuxConsultingTeam. | ||
+ | |||
+ | # [http://www.pidgin.im/ Pidgin] IM client with [http://www.cypherpunks.ca/otr/ OTR] for encryption | ||
==Things To Do== | ==Things To Do== | ||
===Project Planning=== | ===Project Planning=== | ||
====Security issues==== | ====Security issues==== | ||
− | We need to decide what | + | We need to decide what security issues we want to address, and what changes we will make to ISXUbuntu to address them |
+ | |||
+ | [https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened ubuntu-hardened] is a list about Ubuntu security issues. | ||
+ | |||
====Presentation and Usability issues==== | ====Presentation and Usability issues==== | ||
What other changes do we want to make? Should we worry about boot time? Hardware compatibility? Ease of use for Windows users? | What other changes do we want to make? Should we worry about boot time? Hardware compatibility? Ease of use for Windows users? | ||
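Review bot: The trailing asterisks on the TrueCrypt home directory, encrypted swap and secure memory deletion items under Milestone 2 have no legend anywhere in the added text, so a reader cannot tell what they flag; add a footnote line that explains them or drop them. Milestone 3 also carries no target date although Milestones 1 and 2 do, "proceedure" in the Milestone 0 audit item should be "procedure", and "done'?" in the on-screen keyboard item has a stray apostrophe.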
Line 19: | Line 58: | ||
*modifying the default user and system wide setting to our liking | *modifying the default user and system wide setting to our liking | ||
*including our own content (do we make packages out of them?) | *including our own content (do we make packages out of them?) | ||
+ | |||
+ | It would be good if we could get a small server on a rack someplace - then everyone could help build and test things. We could use [http://xen.org Xen] or [http://www.virtualbox.org/ VirtualBox] for a sandboxed environment and [http://freenx.berlios.de/ FreeNX], to test drive each build remotely. We won't be doing much compiling but the uncompressing and compressing of the filesystem to make an .iso takes some CPU. | ||
+ | |||
+ | Linux Journal recently published a series of articles explaining step by step how to do what we're working on. I would have had an easier time of things if these articles had been available two years ago: | ||
+ | |||
+ | [http://www.linuxjournal.com/article/10038 http://www.linuxjournal.com/article/10038] | ||
+ | |||
+ | [http://www.linuxjournal.com/article/10076 http://www.linuxjournal.com/article/10076] | ||
+ | |||
+ | [http://www.linuxjournal.com/article/10099 http://www.linuxjournal.com/article/10099] | ||
==Documentation== | ==Documentation== | ||
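Review bot: The three Linux Journal links at the end of the added Hacking text use the bare URL as their own label, so the page does not say what each article covers; give each link a descriptive label. The comma after the FreeNX link ("and [...] FreeNX], to test drive") breaks the sentence and can be removed.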
Line 30: | Line 79: | ||
# [http://paranoidlinux.org ParanoidLinux] - a project that's still in the discussion stage | # [http://paranoidlinux.org ParanoidLinux] - a project that's still in the discussion stage | ||
# [http://iq.org/~proff/rubberhose.org/ Rubberhose] - a steganographic filesystem, not an OS but some interesting concepts we could consider | # [http://iq.org/~proff/rubberhose.org/ Rubberhose] - a steganographic filesystem, not an OS but some interesting concepts we could consider | ||
− | # [http://www.browseanonymouslyanywhere.com/incognito/ Incognito] - very similar but based on KDE | + | # [http://www.browseanonymouslyanywhere.com/incognito/ Incognito] - very similar but based on KDE and Gentoo Linux. ''This project is currently active'' (for a while it seemed as thought it wasn't)'' and we should integrate useful features from it when we can.'' |
# [http://labs.mozilla.com/2008/06/weave-status-update/ Mozilla Weave] - active but in a very early stage of development. Additional privacy and security for Web 2.0 | # [http://labs.mozilla.com/2008/06/weave-status-update/ Mozilla Weave] - active but in a very early stage of development. Additional privacy and security for Web 2.0 | ||
# [http://www.bouissou.net/knoppix-mib/doc-html/Knoppix-Mib.html#english_version Knoppix-3.2 MiB-11b Privacy Edition]- if this were an active project ISXubuntu wouldn't be necessary - but it's not | # [http://www.bouissou.net/knoppix-mib/doc-html/Knoppix-Mib.html#english_version Knoppix-3.2 MiB-11b Privacy Edition]- if this were an active project ISXubuntu wouldn't be necessary - but it's not | ||
+ | # What about privacy features of Internet Explorer 8's [http://www.microsoft.com/windows/internet-explorer/beta/features/browse-privately.aspx?tabid=2&catid=1 Private Browsing] and [http://www.microsoft.com/windows/internet-explorer/beta/features/stay-safer-online.aspx?tabid=2&catid=1 added security features], [http://www.google.com/chrome/intl/en/features.html# Google Chrome] and [Apple Safari's http://www.apple.com/safari/] "Private Browsing" mode? What is good about these and what is missing? |
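Review bot: In the new browser-privacy item the Safari link is written with the label before the URL ("[Apple Safari's http://www.apple.com/safari/]"), which is not parsed as an external link and shows up as literal bracketed text in the rendered revision; put the URL first, as in [http://www.apple.com/safari/ Apple Safari's]. On the changed Incognito line the italic markers are unbalanced around the parenthesis, and "as thought" should read "as though".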
Latest revision as of 10:11, 3 September 2008
Developer Page
Project Schedule
Milestone 0
- Set up process for taking apart stock XUbuntu image, making our changes, and rebuilding iso
- Set up security auditing procedure which includes penetration testing with Nessus and checking file permissions.
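One way to do the file-permission part of the Milestone 0 audit on the unpacked image, as an added example (not the project's own tooling): it walks a root filesystem tree and reports setuid/setgid files and world-writable entries. The function names and the sample tree are constructed for this illustration.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return sorted (issue, relative_path) pairs for an unpacked root filesystem."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: inspect the entry, not its target
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink carry no meaning
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings.append(("setuid", rel))
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                findings.append(("setgid", rel))
            if mode & stat.S_IWOTH:
                # A sticky world-writable directory such as /tmp is expected.
                if not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                    findings.append(("world-writable", rel))
    return sorted(findings)

def build_sample_tree():
    """Create a small constructed tree standing in for the unpacked image."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    old_umask = os.umask(0o022)  # keep intermediate directories at 0755
    layout = {  # relative path -> mode; all entries are made up for the demo
        "etc/passwd": 0o644,
        "etc/shadow": 0o666,       # world-writable file: should be reported
        "usr/bin/passwd": 0o4755,  # setuid: reported so it can be reviewed
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for rel, mode in {"tmp": 0o1777, "var/spool": 0o777}.items():
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)  # chmod ignores the umask, unlike makedirs
    os.umask(old_umask)
    return root

if __name__ == "__main__":
    for issue, rel in audit_tree(build_sample_tree()):
        print(f"{issue:15} {rel}")
```

Comparing the report from the stock image with the report from the rebuilt image shows which permission changes the customisation step introduced.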
Milestone 1: to be completed by January 1, 2009
- BASIC PLATFORM & TOR
  - Functioning Base level Platform of ISXubuntu
  - Tor is functional when booting ISXubuntu
  - working with firewalls...
- Ad blocker
  - Currently using Privoxy but Ad Block Plus may be better
  - Privoxy doesn't block all ads - beyond the actual ad blocking it's necessary to block tracking of a user's web activity through DNS requests.
- Control over malicious JavaScript, cookies, etc.
  - NoScript to block malicious JavaScript (Tor now seems to conflict with this although it didn't use to)
  - Customize Google to evade privacy-intrusive features of Google services
  - Gmail S/MIME for encrypted Gmail
  - Bugmenot to get around compulsory registration of websites
  - On-screen keyboard to block keystroke loggers. Is this enough - what else can be done?
Milestone 2: to be completed by March 1, 2009
- Set up process for building from scratch (something like what Incognito does with Catalyst)
- Currently OpenDNS is used to prevent pharming. When you attempt to go to a URL that doesn't exist you are redirected to a page of theirs. Disabling this requires setting up a free account with OpenDNS and having a static IP - or a domain name and registering with DynDNS. We need to discuss this further.
- OpenOffice word processor set to redact all revision history when saving files. The UK National Archives has a useful article on redaction.
- Encrypted persistent home directory using TrueCrypt*
- Encrypted swap space*
- Secure deletion of memory on shutdown*
- Enigmail for encrypted email with Thunderbird
- Spam and phishing protection
Milestone 3
- Resolve flash drive issues (can we make the user's home directory read/write while leaving everything else read only?) Info on security issues with Linux filesystems from LinuxConsultingTeam.
Things To Do
Project Planning
Security issues
We need to decide what security issues we want to address, and what changes we will make to ISXUbuntu to address them.
ubuntu-hardened is a list about Ubuntu security issues.
Presentation and Usability issues
What other changes do we want to make? Should we worry about boot time? Hardware compatibility? Ease of use for Windows users? What would we want to include on the CD in terms of artwork, video clips, etc.? Do we want to include persistent user directories? What happens if we run this from a USB stick? Are all user settings now persistent?
Hacking
We need to come up with processes for
- including software packages in the distro
- modifying the default user and system-wide settings to our liking
- including our own content (do we make packages out of them?)
It would be good if we could get a small server on a rack someplace - then everyone could help build and test things. We could use Xen or VirtualBox for a sandboxed environment and FreeNX, to test drive each build remotely. We won't be doing much compiling but the uncompressing and compressing of the filesystem to make an .iso takes some CPU.
Linux Journal recently published a series of articles explaining step by step how to do what we're working on. I would have had an easier time of things if these articles had been available two years ago:
http://www.linuxjournal.com/article/10038
http://www.linuxjournal.com/article/10076
http://www.linuxjournal.com/article/10099
Documentation
The documentation needs to be filled out.
Other Projects
Other projects we can learn and borrow from:
- AnonymOS and Olive OpenBSD - live CD versions of OpenBSD - not active
- ParanoidLinux - a project that's still in the discussion stage
- Rubberhose - a steganographic filesystem, not an OS but some interesting concepts we could consider
- Incognito - very similar but based on KDE and Gentoo Linux. This project is currently active (for a while it seemed as though it wasn't) and we should integrate useful features from it when we can.
- Mozilla Weave - active but in a very early stage of development. Additional privacy and security for Web 2.0
- Knoppix-3.2 MiB-11b Privacy Edition - if this were an active project ISXubuntu wouldn't be necessary - but it's not
- What about privacy features of Internet Explorer 8's Private Browsing and added security features, Google Chrome and Apple Safari's (http://www.apple.com/safari/) "Private Browsing" mode? What is good about these and what is missing?