Based on | Debian |
System Type | Server&Gateway |
Desktop | No desktop |
Type | Protection & anonymization system & distributed services. |
Supported hardware | Odroid XU3 and C1 |
Architecture | ARMHF |
Gateway and torify any operating system | Yes |
Opensource | Yes |
Live DVD/USB | No |
Non-Anonymous Developers | Yes |
Persistence (applications&data survive reboot) | Full |
Threat | CageOS Protection |
---|---|
Several exploits | GrSecurity |
Memory-based protection schemes | PaX |
Mandatory access control scheme | SELinux |
Cold Boot Attack | TRESOR |
Potentially hostile/injected code from non-code containing memory pages | KERNEXEC |
Threat | CageOS Protection |
---|---|
Toolchain compilation (fortify) | libc patches |
MAC Spoof | MAC Address randomizer |
Hardware Serial number identification | HDD/RAM serial number changer |
Vulnerable on bootloader | Bootloader password protection |
Vulnerable on boot partition modifications | /boot partition read-only; needs to change only on kernel upgrades |
SSH root login directly | Disable SSH root login |
Physical reboot | Disable control+alt+del on inittab & /etc/acpi/powerbtn-acpi-support.sh |
Brute force attack on services | Fail2Ban |
ICMP Flood Protection | IPTables does not answer ICMP requests |
Network accept all port connection | IPTables DROP policy by default |
Virus infection on other network OS | ClamAV |
Intrusion Detection System | Suricata |
Hidden software exploits | RKHunter |
Software security holes | Debian Security repositories |
Untrusted Cronjobs | Block cronjobs for everybody in cron.deny |
Binaries with root permission | Disable unwanted SUID/SGID binaries |
Insecure network programs | Block rlogin, telnet, tftp, ftp, rsh, rexec |
IP spoof | sysctl hardening configuration |
IP spoof | Darknet preconfigure |
TOR extra security | SocksPort 9050 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr |
DNS leak protection | Usage of OpenNIC |
Hidden code on apps | Verifiable builds |
Take advantage of already logged in sessions | Bash usage of VLOCK and/or TMOUT to protect your bash login |
Direct access to HDD data | Full disk LUKS encryption |
Exploits of shared resources & hardware | Docker |
SSH Old protocol weak | SSH only protocol V2 allowed |
Computer stealing | Secured&encrypted backup on decentralized storage grid |
Rootkit | Use OpenSource & RKHunter |
Software backdoor | Use OpenSource |
Hardware backdoor | Use OpenHardware |
Packet Sniffing | Using HTTPS Everywhere |
Responsible for building Tor circuits | Tor client running on CommunityCube |
Exploit Quantum protection | Yes, Suricata |
Intrusion Prevention System | Yes |
Browser exploit protection | Yes |
Protection against IP/location discovery | Yes & agent |
Workstation does not have to trust Gateway | No |
IP/DNS protocol leak protection | Only if you configure manually |
Operating System Updates | Persist once updated |
Update Notifications | Yes on LED and TFT display |
Important news notifications | Yes on LED and TFT display |
Decentralized System Updates | Using APT P2P |
Network/web Fingerprint | Maximum possible protection with Agent (PC (Windows/Linux/Mac) & mobile (Android/iOS)) |
Clearnet traffic | Routing model is described in the Network page |
Surf the deepweb with regular browser | Yes but not recommended |
Randomized update notifications | Yes |
Privacy Enhanced Browser | Yes, Tor Browser with patches |
Hides your time zone (set to UTC) | Yes |
Secure gpg.conf | Yes |
Enable secure SSH access | Yes, through physical TFT with external network disconnect |
Auto Disable logins | Logins are possible only in configuration mode, activated through physical TFT with external network disconnect |
Internet of Things protection | Yes, it's described in the Network page |
HTTP Header Anonymous | Yes |
Big clock skew attack against NTP | Tot blocked |
VPN Support | Configurable through TFT |
Ad-blocking track protection | Yes |
Root password configuration | Yes, mandatory on first boot and later on TFT configuration panel |
Wifi password configuration | Yes, mandatory on first boot and later on TFT configuration panel |
Internal WIFI device without password or WEP encryption | No |