Trusted End Node Security
Last Update: 2018-03-24 02:03 UTC
OS Type: Linux
Based on: Thinstation
Category: Live Medium, Privacy, Security
Trusted End Node Security (TENS), previously called Lightweight Portable Security (LPS), is a Linux-based live CD with a goal of allowing users to work on a computer without the risk of exposing their credentials and private data to malware, key loggers and other Internet-era ills. It includes a minimal set of applications and utilities, such as the Firefox web browser or an encryption wizard for encrypting and decrypting personal files. The live CD is a product produced by the United States of America’s Department of Defense and is part of that organization’s Software Protection Initiative.
This was, as LPS, a “live CD” that I’d use if I wanted a pretty much secure disposable desktop for browsing on an alien machine, such as in a library or on a random PC at a worksite. It’s sort of a hardened Knoppix with less stuff in it. You get a browser, LibreOffice, and an encryption engine.
I’d expect it to be pretty much secure against most outside attacks, but I’d also expect there would be an NSA supplied backdoor in it somewhere (since it is being made publicly available and we just know the NSA would not want a sister agency locking them out of things…). So I’d not trust it to keep me secure and private from US Government TLAs. But it is pretty darned good for making that old PC in the corner into a “no tracking no malware” workstation for a day. Or, put it on a USB stick and you can have files persist over sessions.
I ran into this rebranding in an article here:
Why TENS is the secure bootable Linux you need
If you’re looking for a security-minded live Linux distribution, TENS makes desktop protection incredibly simple.
By Jack Wallen | October 3, 2018, 10:45 AM PST
TENS stands for Trusted End Node Security. TENS is a non-installable, bootable Linux distribution that creates a secure end node from trusted media on almost any Intel-based computer, before booting into the operating system. No hard drive is mounted, no installer is offered. It’s temporary, it’s easy to use, and it turns an untrusted system into a trusted network client.
Before you get too excited, TENS isn’t a pen-testing distro for admins to use to harden their network. TENS is a live desktop Linux distribution that gives the user a level of security they would not have with a standard desktop. That means it’s great to use in places where network security is questionable, or when you need to submit sensitive data, and you don’t trust a standard desktop operating system. In other words, anytime you need to use a network for the transmission of sensitive data, TENS Linux could easily be a top choice for users.
There are three different versions of TENS. Each edition is developed for (and used by) the US Department of Defense, but the developers do provide public versions. The three versions are:
TENS-Public is a safe, general-purpose solution for using web-based applications and accessing CAC and PIV-enabled web pages. This version of TENS includes a standard and Deluxe version. TENS-Public Deluxe includes the open-source LibreOffice software suite. Both the standard and Deluxe versions are available to download for free on the TENS Download Page. This version of TENS is not intended to be an obfuscation tool, but rather to be a safe operating environment for web-based activity. The Encryption Wizard Public Edition is included in TENS-Public.
TENS-Professional is similar to TENS-Public but is offered exclusively to non-DoD federal organizations. It is customized by TENS engineers to include specific applications, pre-configured settings for VPN and/or VDI, firewall configuration, web proxy, time zone, desktop background, browser bookmarks, etc. Encryption Wizard Government Edition is included in this build.
Bootable Media is the secure, DoD version of TENS. Bootable Media has a strong legacy of providing secure remote access to DoD civilian, military, and contractor personnel.
The article then does a test drive complete with screen shots and a short “HowTo” on encrypting files.
It would be a quick and easy way to exchange private messages. Boot this, type up the message, drop it into the encryption engine, then email the result to a friend who also boots a copy, then decrypts it. You just need an “out of band” password exchange. Such as by phone, or physically handing them a “one off book”, or just a pre-agreed strategy / system:
Use the King James Bible, I’ll say a page, line and word count. So 5-23-6 would be the fifth page, 23rd line, first 6 words. Then maybe once a year or so you change the agreed book (send the ISBN in an encrypted file…) That kind of thing. Or just agree to use the name of the Playboy Bunny for each month ;-) (Though I’ve heard they are / have gotten rid of pictures, but have not confirmed that… I think internet porn has put a crimp in their former market…)
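The "page-line-count" reference above, worked through as an added example (it is not part of the original post, and not Encryption Wizard's or TENS's code). The "book" is a constructed stand-in for whatever text the two parties agreed on, and the PBKDF2 step at the end is an ordinary password-to-key derivation chosen for the example; the page does not say how Encryption Wizard derives its keys. The point the code makes that the prose does not: both sides must normalise the words identically (case, punctuation) or the keys silently differ, and the salt travels with the message while the passphrase never does.

```python
"""Turn a spoken 'page-line-count' book reference into a shared key.

Added example: constructed book, assumed PBKDF2 key derivation.
"""
import hashlib
import hmac
import re

# Constructed "book": one string per page, one line per row (not a real text).
BOOK = [
    "The quick brown fox jumps over the lazy dog.\n"
    "Pack my box with five dozen liquor jugs.\n"
    "How vexingly quick daft zebras jump.",
    "Sphinx of black quartz, judge my vow.\n"
    "The five boxing wizards jump quickly.\n"
    "Jackdaws love my big sphinx of quartz.\n"
    "Bright vixens jump; dozy fowl quack.",
    "Waltz, bad nymph, for quick jigs vex.\n"
    "Glib jocks quiz nymph to vex dwarf.",
]

_REF = re.compile(r"^\s*(\d+)-(\d+)-(\d+)\s*$")
_WORD = re.compile(r"[A-Za-z']+")


def parse_reference(ref):
    """Parse 'page-line-count' as written in the post, e.g. '5-23-6'.
    Page and line are 1-based; count is how many words to take."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"bad reference {ref!r}, expected page-line-count")
    page, line, count = (int(x) for x in m.groups())
    if min(page, line, count) < 1:
        raise ValueError("page, line and word count must all be at least 1")
    return page, line, count


def lookup_passphrase(book, ref):
    """First `count` words of the referenced line, lower-cased with
    punctuation dropped so both parties get byte-identical input."""
    page, line, count = parse_reference(ref)
    if page > len(book):
        raise ValueError(f"page {page} is past the end of the book")
    lines = book[page - 1].split("\n")
    if line > len(lines):
        raise ValueError(f"page {page} has only {len(lines)} lines")
    words = [w.lower() for w in _WORD.findall(lines[line - 1])]
    if len(words) < count:
        raise ValueError(f"line has only {len(words)} words, {count} requested")
    return " ".join(words[:count])


def derive_key(passphrase, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 to a 32-byte key (assumed scheme for this example).
    The salt is stored next to the ciphertext; the passphrase is never sent."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def message_key(book, ref, salt):
    """What each party computes from the agreed book, the spoken reference
    and the public per-message salt."""
    return derive_key(lookup_passphrase(book, ref), salt)


def keys_match(a, b):
    """Constant-time comparison, so a check never leaks how many bytes agreed."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    salt = b"constructed-per-message-salt"  # in practice: random, sent with the file
    sender = message_key(BOOK, "2-3-4", salt)
    receiver = message_key(BOOK, " 2-3-4 ", salt)   # sloppy spacing is tolerated
    print("passphrase:", lookup_passphrase(BOOK, "2-3-4"))
    print("both sides agree:", keys_match(sender, receiver))
```

A reference that points past the end of a page, or asks for more words than the line holds, raises rather than silently returning a shorter passphrase, which is the failure you want to notice before a message goes out under the wrong key.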
Note that “pen-testing” is short for penetration testing, where a systems admin boots a Linux with a load of hacking tools and looks for exposures and weaknesses. (Yes, I’ve done that. Got to review a list of exposures at a large site where I was employed as a PM (Project Manager), then nag the folks until the exposures were closed.)
Since this installs nothing and saves nothing to your disk, should someone decide to confiscate your computer to see what you’ve been doing, they get nothing. Just don’t leave the USB stick laying around with the un-encrypted files on it… (I’d use a micro-SD card in a USB adapter and then put that dinky little chip somewhere easy to trash, hard to find. Like on top of an anvil with a sledge hammer near it ;-)
One amusing side note:
In Firefox, when I went to download TENS, I got a stern warning about how the certificate issuer was “unknown”!! Yes, the US Government Military is unknown… Now I know some folks have a jihad on against “self signed certificates” demanding everyone pony up money to the few ‘recognized’ cert issuing companies, but really…
Looking at the cert, it looked OK to me. Maybe I’m missing something, but I think it’s pretty clear it is just a US Gov self signed cert.
Also of interest, their user’s manual was last updated in 2015 and still calls it LPS (61-page PDF):
They seem to have the same “stuff” up at a couple of URLs. Here’s the “home page” that Distrowatch points at:
Trusted End Node Security
Trusted End Node Security (TENS™) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). TENS™ boots a thin Linux operating system from removable media without mounting a local hard drive. Administrator privileges are not required; nothing is installed. TENS™ turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity or malware can be written to the local computer. Simply plug in your USB smart card reader to access CAC and PIV-restricted US government websites.
TENS™ differs from traditional operating systems in that it isn’t continually patched. TENS™ is designed to run from read-only media and without any persistent storage. Any malware that might infect a computer can only run within that session. A user can improve security by rebooting between sessions, or when about to undertake a sensitive transaction. For example, boot TENS™ immediately before performing any online banking transactions. TENS™ should also be rebooted immediately after visiting any risky websites, or when the user has reason to suspect malware might have been loaded. In any event, rebooting when idle is an effective strategy to ensure a clean computing session.
TENS™ is updated on a regular basis. Be sure to update to the latest version to have the latest protection and most recent drivers.
Each of the TENS™ products (TENS-Public, TENS-Professional, and Bootable Media) was created to address particular use cases.
TENS-Public is a safe, general-purpose solution for using web-based applications and accessing CAC and PIV-enabled web pages. TENS-Public Deluxe includes the open-source LibreOffice software suite. Both operating systems are available to download for free on the TENS™ website, as we contribute to the open source community. CAC middleware is integrated into the TENS™ operating system. TENS-Public is not intended to be an obfuscation tool; it is designed to be a safe operating environment for web-based activity. Encryption Wizard Public Edition is included in TENS-Public. Customizations are not available for this product.
TENS-Professional is similar to TENS-Public but is offered exclusively to non-DoD federal organizations. It is customized by TENS™ engineers. Customization options include selecting specific applications, pre-configured settings for VPN and/or VDI, firewall configuration, web proxy, time zone, desktop background, browser bookmarks, etc. Encryption Wizard Government Edition is included in this build. TENS-Professional is currently used by several Federal organizations, primarily to help remote users securely connect to their organization’s private networks.
Bootable Media is the secure, DoD version of TENS™. Bootable Media has a strong legacy of providing secure remote access to DoD civilian, military, and contractor personnel. Bootable Media is the TENS™ flagship product and has a supported user base numbering in the hundreds of thousands. Development, sustainment, and configuration is centrally funded by DISA, so each DoD organization doesn’t need to pay for this product. Customization is available and completed for all the features included in TENS-Professional, in addition to including DoD-specific accreditation controls. Bootable Media has an Authorization to Operate (ATO) for DoD networks.
In order to use TENS™, you need:
A computer system with x86 processor supporting Physical Address Extensions (PAE). TENS™ is supported on standard PCs and Intel-based Macs. Beginning with the next major release, TENS™ will be a 64-bit-only OS and thus will be incompatible with 32-bit hardware.
1 GB RAM (1.5 GB for Deluxe). Remember that system RAM will be used for the in-memory filesystem as well as for running whatever software you use.
For networking, any of (a) wired Ethernet, (b) wireless (Wifi) connectivity, or (c) tethered cellular broadband, is supported. We highly recommend providing some kind of DHCP service.
The ability to boot from either USB or CD/DVD; TENS™ is usable from either medium. This may require changing BIOS settings and is not something that TENS™ can perform automatically.
For accessing CAC/PIV-enabled websites,
a CAC/PIV (the TENS™ office does not provide these)
a USB CCID-compliant smartcard reader with updated firmware
For printing, either a networked or a local USB-connected printer.
Configure your BIOS to either ask which boot media to use (often pressing F12 or F9 during boot) or to always attempt to boot from USB or CD-ROM. Ensure that the boot media is inserted. Power up or boot the computer.
Once booted, you will be presented with a desktop environment with a Start menu. The applications may be started either from the menu or by double-clicking desktop icons. The Firefox web browser is a good place to begin using TENS™.
These are the instructions for using USB sticks, either for storing your own data while running TENS™, or for booting TENS™ itself from a USB device. We also have some introductory notes on burning the ISO image to a CD.
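A pre-flight check of a candidate machine against the requirements quoted above, as an added example (not from the TENS site and not a TENS tool). The thresholds come from the quoted list (PAE, 1 GB of RAM, 1.5 GB for Deluxe, and a 64-bit CPU once the next release drops 32-bit support); the 5% RAM margin is this example's own allowance for memory the kernel reserves before /proc/meminfo reports MemTotal, so a real 1 GB box is not rejected. The functions take file text so they can be exercised on the constructed samples; run directly, the script reads the live /proc files on Linux.

```python
"""Check a machine against the TENS hardware requirements (added example)."""
import re

MIN_RAM_MB = {"standard": 1024, "deluxe": 1536}   # from the requirements list
RAM_MARGIN = 0.95   # MemTotal always reads a little below the installed size


def cpu_flags(cpuinfo_text):
    """CPU feature flags from the first 'flags' line (x86 /proc/cpuinfo layout)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def mem_total_mb(meminfo_text):
    """MemTotal from /proc/meminfo, in MB."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo_text, re.MULTILINE)
    if m is None:
        raise ValueError("MemTotal line not found")
    return int(m.group(1)) // 1024


def check_requirements(cpuinfo_text, meminfo_text, edition="standard"):
    """Return a dict of findings; 'ok' is the verdict for the current release."""
    flags = cpu_flags(cpuinfo_text)
    ram = mem_total_mb(meminfo_text)
    need = MIN_RAM_MB[edition]
    has_pae = "pae" in flags
    ram_ok = ram >= need * RAM_MARGIN
    return {
        "pae": has_pae,              # required by the current (32-bit) builds
        "x86_64": "lm" in flags,     # long mode: needed once TENS is 64-bit only
        "ram_mb": ram,
        "ram_ok": ram_ok,
        "ok": has_pae and ram_ok,
    }


# Constructed samples, not captured from real hardware.
CPU_OK = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov lm\n"
)
CPU_OLD = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr mce cx8 mmx\n"
)
MEM_2G = "MemTotal:        2048000 kB\nMemFree:         1500000 kB\n"
MEM_1G = "MemTotal:        1017360 kB\nMemFree:          800000 kB\n"   # a real 1 GB box
MEM_512 = "MemTotal:         524288 kB\nMemFree:          400000 kB\n"


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            cpu = f.read()
        with open("/proc/meminfo") as f:
            mem = f.read()
    except OSError:
        print("no /proc on this system; showing the constructed samples")
        cpu, mem = CPU_OK, MEM_1G
    for edition in ("standard", "deluxe"):
        print(edition, check_requirements(cpu, mem, edition))
```

Note the Deluxe case on a 1 GB machine: PAE is present and the standard edition passes, but the LibreOffice build does not, which is the "in-memory filesystem plus whatever you run" warning from the requirements made concrete.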
And while the Distrowatch page points to this “download mirror”:
A web search sent me to this location (also a .mil site):
I suppose if I cared enough I could download from both sites and compare the binaries to see if they are, in fact, identical. But I don’t care that much. I rarely use any i86 machines anymore. I have saved a copy of the recent release as they state it is the last one that will support 32 bit CPUs. The next one will be 64 bit only. So this is the last one that will work on all but one of my old PC boxes.
The Distrowatch package list includes SystemD, but under init system it says “other”. Not sure what that means. I may see if one of the older releases is pre-SystemD (though it would be lacking recent security patches…). Then again, for a live CD or USB Stick, I’m not really going to be configuring it and doing maintenance on it, so if it is SystemD I’ll generally not interact with that part. For a “disposable system” I likely don’t care that much what init it uses.
If you have an Intel-based PC or use one in a public place (one where you can reboot it onto your supplied OS…) this can be a nice way to “leave no fingerprints” on the file system of the machine.
It is likely to support a fairly broad set of computers as the DoD expects this to be used all over the place on who knows what hardware.
I’d not use it for anything that a Government Three Letter Agency might consider “of interest”, at least not without checking if it does any kind of “Phone Home” at start-up (put a sniffer on the network or have your IDS / IPS tattle on it…); or just use it with the network unplugged and copy the encrypted file to another machine for the sending of email.
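One way to do the "put a sniffer on the network" check, as an added example (not part of the original post, and not a TENS or tcpdump tool). It reads the text that `tcpdump -n` prints, taken from a second machine on a mirror port or hub while the live system boots and sits idle, and reports every outbound flow that leaves the local network on a port other than the ones a clean boot needs: DHCP (67/68), DNS (53) and NTP (123). The allow-list, the local-network ranges and the capture below are this example's assumptions; the capture is constructed, not a real TENS session, and only IPv4 lines are parsed (ARP and IPv6 lines are skipped).

```python
"""Flag 'phone home' traffic in a tcpdump -n capture of a boot (added example)."""
import ipaddress
import re
from collections import Counter

# Ports an idle, freshly booted live system can legitimately talk to.
ALLOWED_PORTS = {53, 67, 68, 123}

# Destinations that never count as leaving the network: RFC 1918, link-local,
# loopback, the unconfigured 0.0.0.0 source used during DHCP, multicast
# (mDNS/SSDP chatter) and the limited broadcast address.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32",
)]

# One "tcpdump -n" IPv4 line: "<ts> IP <src>.<sport> > <dst>.<dport>: <info>"
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<info>.*)$"
)
# "A? name." / "AAAA? name." as tcpdump renders a DNS query.
_DNS_QUERY = re.compile(r"\b(?:A|AAAA)\? (?P<name>\S+)\. \(")


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def parse_flows(text):
    """Yield (ts, src, sport, dst, dport, info) for each IPv4 line."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            d = m.groupdict()
            yield d["ts"], d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["info"]


def unexpected_flows(text, allowed_ports=ALLOWED_PORTS):
    """{(dst, dport): packets} for outbound packets to non-local hosts on
    ports outside allowed_ports. Only packets with a local source count,
    so the far end's replies are not reported a second time."""
    hits = Counter()
    for _ts, src, _sport, dst, dport, _info in parse_flows(text):
        if is_local(src) and not is_local(dst) and dport not in allowed_ports:
            hits[(dst, dport)] += 1
    return dict(hits)


def dns_queries(text):
    """Names looked up during the capture: with no user action behind them,
    these say what the system itself wanted to reach."""
    names = []
    for _ts, _src, _sport, _dst, dport, info in parse_flows(text):
        if dport == 53:
            m = _DNS_QUERY.search(info)
            if m:
                names.append(m.group("name"))
    return names


# Constructed capture in tcpdump -n format (not a real session).
SAMPLE = """\
12:00:01.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 08:00:27:aa:bb:cc, length 300
12:00:01.200000 IP 192.168.1.1.67 > 192.168.1.23.68: BOOTP/DHCP, Reply, length 300
12:00:01.500000 IP 192.168.1.23.40123 > 192.168.1.1.53: 12345+ A? updates.example.mil. (37)
12:00:01.600000 IP 192.168.1.1.53 > 192.168.1.23.40123: 12345 1/0/0 A 198.51.100.7 (53)
12:00:02.000000 IP 192.168.1.23.123 > 192.0.2.10.123: NTPv4, Client, length 48
12:00:02.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.23, length 28
12:00:05.000000 IP 192.168.1.23.51234 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:05.100000 IP 198.51.100.7.443 > 192.168.1.23.51234: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:05.200000 IP 192.168.1.23.51234 > 198.51.100.7.443: Flags [.], ack 1, win 64240, length 0
"""


if __name__ == "__main__":
    print("queried names:", dns_queries(SAMPLE))
    for (dst, port), n in sorted(unexpected_flows(SAMPLE).items()):
        print(f"unexpected: {n} packet(s) to {dst}:{port}")
```

Read the two results together: the DNS lookup tells you the name the system asked for, and the HTTPS flow that follows it is the connection to investigate. An idle boot that produces an empty `unexpected_flows` result is the baseline you want before trusting the stick on a network that matters.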
I would be quite happy to use it as a simple way to send email that Google Gmail and others can’t snoop into.