SECURITY FEATURES

Discreete Linux provides an isolated, local work environment that is not accessible to spyware (Trojan software). Therefore, sensitive data can be processed, encrypted, and stored securely and is protected against such surveillance and espionage attacks. Discreete Linux is only designed for this purpose and for people who need such a high level of data security.
Discreet Linux is only used to protect these sensitive data and keys, for all other tasks, the user can continue to use his previously used operating system as usual. Discreete Linux is a pure live system, i. it is not installed on the computer. Instead, any computer can be started from a Discreete USB drive, regardless of the installed software. Discreete leaves no traces on the computer and leaves the installed systems untouched. All user data are stored exclusively on removable media, which are encrypted using tried and tested methods (optionally LUKS or Veracrypt).
There are many ways to get infected by malicious software: either the attacker directs the user directly to execute malicious code, or he manages to exploit security vulnerabilities such as buffer overflow problems in software installed on the target system, with the aim of executing arbitrary code and escalating privileges to system rights. The malicious software can reach the target system in a variety of ways: manipulated downloads, e-mails, web pages, software updates, manipulated storage devices, harmless looking documents that exploit vulnerabilities in software used by the user.
Highly developed trojan systems can overcome common security measures such as virus scanners, firewalls, intrusion detection systems or even an air gap (separation of the system from the Internet).
The security architecture of Discreete Linux is based on the analysis of how Trojan software actually penetrates into systems, how it implants and hides itself there, and how it makes the stolen data accessible to the attackers.

This results in the three general successive safety lines of Discreete Linux against espionage trojans:

• Wall up the entrances
• Prevent spreading
• Wall up the exits

Discreet is based on two basic principles:

• Transparent development and free software
• User-friendly handling
  Despite the inevitably uncomfortable limitations that such a highly protected environment entails, even inexperienced users should be able to work and communicate effectively and easily.

These safety lines and principles are explained in more detail below.

Discreete Linux is an isolated offline working environment. The prevention of any kind of network connection has two meanings for security. On one hand, malicious software could infiltrate the system using network connections. On the other hand, already active malware could use network connections to transmit captured sensitive data to an attacker.
Lots of malware uses network connections to load additional components, e.g. to allow adapting to the configuration of the infected computer or to modify itself to avoid detection.
To achieve the goal of an isolated system, Discreete Linux prevents activation of present network hardware. To this end, we have removed support for Ethernet, WiFi, Bluetooth and IR hardware as well as PPP from the modified kernel.
An exact description of the changes to the kernel source is contained in the technical documentation.
Of course you could just unplug the cable from your Ethernet connection. However, for wireless networks it is not so easy for inexperienced people to determine whether their card is active or not. In many cases, deactivated WLAN cards can be reactivated in software, without the user noticing. The safest way is therefore to take away the possibility of enabling such hardware.
No system with Internet connection can be permanently protected against attackers like big secret services. The NSA project "QUANTUMTHEORY" is an example of highly developed and largely automated attacks over the net. It intercepts Internet requests of target persons or groups by means of a man-on-the-side attack, redirects the request to a manipulated page, and then uses this software to install trojan spyware onto the target computer.
In the slides published by Edward Snowden on the TURBINE project, the NSA states that that project is designed to control Trojan infections "automated in millions of computers" - and this was the state of 2009.
Discreete Linux considers a reliable and permanent separation of the data and cryptographic keys to be protected from non-trustworthy networks as an indispensable safety line against targeted "Advanced Persistent Threats".
Therefore the support for network hardware of all kinds has been removed from the system kernel of Discreete Linux. Through that, it is impossible to establish network connections with computers booted with Discreete Linux.
This is not only important as a protection against the intrusion of Trojan Software, but also for downstream security lines (see III. Wall up the exits: Network) The Discreete Linux workflow nevertheless offers the possibility to exchange encrypted data with communication partners (see IV. "user friendly)

Another penetration path for spyware into Discreete Linux would be via local hard disks, that already were infected under the installed operating system. This does not only concern malicious software on the hard drive, which could be accidentally executed by the user. An analysis of Kaspersky showed in 2015 how, for example, the NSA had already since the beginning of the century used manipulated firmware for harddisks of all large manufacturers for targeted attacks (for example http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/). The malware known as nls_933w.dll survived, because as firmware residing in the drives controller, even complete wiping of the hard drive itself and re-infect the operating system immediately after each fresh reinstallation. In this way, the penetration of malicious software into the Discreete Linux system would be conceivable even if the affected hard disks are not booted, but only mounted.

The operating system kernel of Discreete Linux has therefore been modified in such a way that ATA internally connected hard disks are ignored (ATAPI-connected CD / DVD drives continue to work). That is, it is prevented at kernel level, to access internally connected hard disks from a running Discreete Linux.
Attention: this does not apply to SCSI hard disks, because the SCSI subsystem is also needed for working with USB drives. SCSI disks are very rare in desktop systems these days.

This is not only important as a protection against the intrusion of Trojans, but also for downstream security lines, which shall prevent sensitive data processed in Discreete Linux from being saved (accidentally or by malware) on internal harddisks in plaintext unnoticed by the user. (See III. Wall up the exits: Harddisks) All user data is stored on fully encrypted removable media called „Cryptoboxes“, or on transport removable media used to exchange data, e.g. over the Internet (see IV. "Simple usability).

Removable disks are the only entrance and exit for data from the Discreete Linux system. Common attacks on systems that are protected by an "air gap", ie separated from the Internet, is to infect them with Trojan horses via removable media. Once infected, incoming new commands for the malicious software and outgoing stolen data can be transported via the removable media used as a connection to the Internet (this data can be saved on sectors invisible to the respective file system).

A well-known implementation of this concept is the FANNY worm, which used at least one exploit, which was also found in Stuxnet. Therefore it is believed that the "Equation Group" of NSA is involved. In order to prevent any malicious software that has been introduced via removable media to be executed, all file systems on removable media and cryptoboxes are automatically mounted non-executable ("noexec"). That is, the user can not inadvertently execute programs or scripts by a double-click, which may have been deliberately sent to him by an attacker.

(ATTENTION: Feature will first be implemented in Beta 2)
In BadUSB attacks, a manipulated USB device like a memory stick claims to be a USB keyboard and can then be used by the attacker to execute predefined commands, e.g. in an (emulated) terminal. The attack is by no means limited to Windows, but works basically the same way under Linux. The USB devices firmware could even recognize its host system based on the properties of the USB communication and select the appropriate infection routine.

In order to hamper BadUSB attacks against Discreete Linux, from the Beta2 version on, new USB keyboards are only to be accepted by the system after a manual confirmation by the user.

Beta2 is also planning to take measures against more exotic USB attacks, such as obtaining full memory access via DMA. In order to prevent memory access attacks via Firewire and DMA, as carried out for example by the commercial Trojan software "FinFireWire" of the company Gamma International, the firewire support is also removed from the kernel. For the future, solutions are considered, which only remove the DMA support from Firewire, but still allow data transmission.

As a live system, Discreete Linux is read-only. All changes made during a running session are written to OverlayFS, a translucent file system, but are irrevocably lost after the computer is powerd off. The system is consciously stored on a read-only ISO 9660 file system – not only on optical media, but also on removable flash drives. This prevents persistent manipulations from the running system.

In order to enable the users to work efficiently and comfortably, Discreete Linux saves user-specific configurations and data in encrypted removable media called "Cryptobox".

The Discreete Linux kernel will accept only kernel modules cryptographically signed from the Discreete Linux Team. Even if an attacker had overcome all previous security lines, he could still not load his own kernel modules, e.g. network modules to open a connection to the outside.

Unlike most live systems, Discreete Linux prohibits the regular attainment of root privileges. Both, the configuration of the Sudo mechanism and the PolKit authorization service are configured in such a restrictive way, that the user and the processes started by him only have normal user rights.

This usually means no inconvenience for the user, because for normal work with Discreete Linux elevated rights are not needed. But malicious spyware, that possibly has penetrated the system is effectively restricted.

If this is necessary for an extraordinary purpose, the user can start a Discreete session with unlimited sudo rights from the boot menu. A belated activation of root privileges after a normal boot is deliberately not possible.

Due to the lack of network and local hard disks, there are no outputs through which stolen data or keys can be transported to the attacker. The Trojan is trapped in the sealed off Discreete Linux system.

The Cryptoboxes are not opened outside of Discreete Linux, so the attacker does not get anything to write information there. A flow off of data is only possible via unencrypted transport drives, but on those the data can be easily discovered by attentive users. To make this easier, the user will be prompted automatically if he wants to delete any files in the recycle bin, when unmounting removable media. In addition, transport drives from Beta2 on will also display hidden files by default.

Data secretly written directly to the blockdevice of the transport drive below the file system level (as for example "Fanny" does, an anti-air gap worm developed by the NSA / "Equation Group") is more difficult to detect. On the one hand, however, this writing process on the blockdevice would require non-existent root privileges in Discreete Linux, on the other hand an infection of the internet computer used by the victim with software, which knows how to retrieve this information again.

Discreete Linux is less aimed at IT experts than whistleblowers, political and trade union activists, journalists, lawyers, human rights activists and other people who are threatened by targeted Trojan monitoring. It must therefore be easy to learn and to operate and, at the same time, it must prevent that inexperienced users Accidentally override the security through false behavior.

For the easiest and for beginners best-suited method to work with Discreete, only one removable drive is needed: After the first booting from the discreete boot media (eg USB drive or SD card), a Wizzard can create a so-called Cryptobox on the the remaining drive space, Ie an encrypted partition which not only serves as a storage space for the user data, but also automatically stores the user-specific configuration without the user having to worry about it. E.g. GnuPG keys and settings, LibreOffice settings, Evolution calendar and contact lists, password manager data, password for screen lock, etc.

During each future boot process, the user is automatically prompted for the password and, after its correct input, is immediately in his individually configured working environment with access to all encrypted data. To maintain the high level of protection, the Cryptoboxes may only be opened in the secure Discreete Linux environment.

To exchange files with other people, transport USB drives are used. Files to be transmitted can be encrypted with the GnuPG key of the recipient, saved to the transport USB drive and later sent as a mail attachment from a system with Internet access. The import of received mail or new GnuGP keys into the Discreete system works accordingly exactly the opposite way.

This method allows data to be exchanged over the internet without ever being accessible in plaintext outside the secure Discreete Linux Cryptobox. The system has been optimized to make this for many people unusual workflow, as simple as possible. This is why e.g. the Discreete Linux project has an own GnuPG front end, which makes manual file encryption much easier than with Gnome's own front-end seahorse.

The system provides all the necessary crypto software: Cryptsetup/LUKS and Veracrypt for symmetric volume or container encryption, GnuPG for (mostly) asymmetric encryption of files and for cryptographic signatures, OpenSSL for generation and administration of certificates in a secure environment. For some more exotic needs, software is also on board, with which the "Shamir's Secret Sharing" algorithm can be used to divide secrets to several "instances", and only a certain subset of these entities is required to reconstruct the secret.

An automated backup function can back up the content of your Cryptoboxes to special backup cryptoboxes, which can also are encrypted with Veracrypt or LUKS. When a normal Cryptobox gets closed and such a backup volume is connected to the system, Discreete Linux automatically detects this and asks the user if he wants to make a backup into the encrypted backup cryptobox. This is done incrementally and keeps the last five versions.

A system for security-critical applications such as Discreete Linux in our opinion should only be developed in an open, transparent process based on the principles of free software. Signed ISO images are available for download.

If you for security want to control the build itself and how the final ISO is composed (or make changes to it), your can also build Discreete Linux yourself. The project explicitly encourages this and offers on its website a guide for this task. It shows how to use all the software required from the GitHub repository (https://github.com/Discreete-Linux) and the Debian package repository of Discreete Linux.

All software, configurations and instructions for building the system are free software and released under the GPL. Discreete Linux is based on Debian. In 2011 the project had carried out and published its own analysis of Truecrypt – which was used under the predecessor project UPR – and publicly debated it. An analysis of the Linux encryption software LUKS / Cryptsetup followed in 2012 which can be downloaded here. The project is open to criticism, suggestions for improvements and new collaborators.