Live distributions of Linux that come ready to run on a single CD are incredibly useful. These days (and for the past 10 or so years) the smart way to use these systems is from a USB flash drive. The brilliant SystemRescueCd, for example, has been a real life saver for me and I carry it around everywhere when at work. The great thing about a live CD is that it can be booted on any computer instantly turning that machine from a brain dead Windows cesspit into a high functioning Linux system ready for professional use. You can troubleshoot networks and hardware or have a peek at what’s on the drives. When you shut down and remove the media, you can be very certain that no unauthorized changes were made to the normal system that lives on the computer’s permanent drives. Or you can make changes, fix broken things, reset passwords, etc. But you’re in control.

The down side of these systems is they are what they are. If you download an iso image for an Ubuntu live CD, you get what the Ubuntu people thought would be the best setup. For weird people like me, this is never satisfactory. Because of the extreme efficiency these systems require, it is difficult to make permanent changes to the system. The normal way this is supported is with a concept called "persistence". This basically uses some kind of union file system overlay to keep track of the changes you’ve made to the underlying stock system. This means that if you wanted to, say, remove LibreOffice from the Ubuntu image, you could do that in intention, but what would really happen would be a note would be filed that said, "The user deleted LibreOffice". When you looked for it subsequently, it would show you what it thinks you want to see, that LibreOffice is gone, but in fact, it will remain in the image untouched. This makes the persistence method slow and clumsy for all but the simplest of tasks.

My goal was to take a live Debian installation or some kind of similar live installation and truly modify it. This is not easy and it requires a separate system, meaning it is effectively impossible to change a running system with itself. This is important because it implies a safety advantage. If you need to guarantee that a good system is still good after some potentially corrupting activity, this is the perfect solution. If, for example, you were researching some security problem and you found a hacker web site that claimed to have information, you might want to check out that site but be absolutely certain that you would not have your system permanently corrupted by that activity. Since these live systems are practically immutable, simply rebooting them pretty much is guaranteed to reset everything to pristine condition. This can be useful for public terminals or kiosks too. I’m going to say that this method also makes the use case for Tripwire and intrusion detection systems much smaller.

Additionally, many of these systems have a toram option where the root file system is loaded into RAM before being mounted. This means that the boot media containing the OS can actually be removed. Therefore you can take a pristine known clean system, boot it, remove the boot media, let your adversary use the machine, and still be 100% sure that the next time you boot that system it will not be corrupt. Which is pretty cool. Brian Krebs has endorsed this concept for things like banking. (I agree though I would add the caution that you will lose your logs and HTTPS site preference history.)

How then can the base live CD system be changed so that when you boot it up, it is exactly the way you want it? I have written some technical notes describing the process in some detail which you can find here:

This photo shows two systems booted with the resulting custom OS.


There are several interesting things to note. First the time stamps are different; this is because this distribution creates the user on the fly from a skeleton. Note that there are no desktop icons (which I can’t stand) and the alias v is operation in a terminal which has no menu bar. (I got used to that v with Slackware on my first Linux installation and can’t live without it now.) You can also see my happy face prompt indicating the last exit status. Needless to say, the capslock has been corrected. These systems are well and truly perfectly customized for me to use immediately.

In general a custom Linux is not especially novel. What’s unique here is that both of these machines booted from the same flash drive. And they’re both running live concurrently. The flash drive they were booted from was actually lying on my desk when this was taken. The laptop is kind of a funny case because it only has 1GB of RAM total (RAM use shown in top center display). To put the entire OS media in RAM and then run on that is really pushing it. It struggles, but it does work! This laptop is quite old and its hard drive had failed long ago. I just recently physically removed it to save some weight. You’re looking at a hardened laptop running with absolutely no permanent storage media of any kind. Maybe Edward Snowden can put that to use.