
Use Disklessian

Dirk Krause

Use Disklessian for online banking

Install Disklessian on read-only boot media only. I suggest a USB thumb drive with hardware write protection.

For installation allow write access. Deny write access when running Disklessian.

Use Disklessian either for online banking or as a surf station, not for both purposes at the same time!

For online banking and other privacy-related purposes use Disklessian from write-protected boot media only.
Do not use a netboot Disklessian. Netboot uses the insecure protocols DHCP and TFTP, and an NFS protocol version without encryption and integrity checking.

  • Boot
    Boot your computer into a Disklessian from a write-protected USB drive.
     
  • Internet connection
    Establish the internet connection, e.g. using Ethernet or WiFi.
     
  • Web browser
    Start your favourite web browser.
     
  • No general internet surfing!
    Do not use the Disklessian session for general web surfing before you start banking.
     
  • Disable browser telemetry
    [2021-09-20]
    In Firefox 78.14.0esr use the “Edit” / “Preferences” menu item to open the preferences. In “Privacy & Security” there is a section “Firefox Data Collection and Use”. Disable all options.
     
  • Open banking web application
    Proceed directly to the banking web application provided by your bank.
    Type the URL manually into the URL field at the top of the browser window, not into a search engine text field. Do not use search engines, auto completion or other mechanisms suggesting URLs.
    The URL must be a "https://" URL.
     
  • No general internet surfing!
    Do not use the Disklessian session for general web surfing while banking.
     
  • Check certificate
    Right click on the text (not an image or form field) of the web page. From the context menu choose “View Page Info”. In the “Security” tab click the “View Certificate” button.
    The “Fingerprints” section shows the certificate's SHA-256 and SHA-1 hashes. Compare the hash values against the values the bank has sent to you.
     
  • Log in, banking
    Log in and use the banking application as needed.
     
  • Log out
    Make sure to log out from the banking web application.
     
  • No general internet surfing!
    Do not use the Disklessian session for general web surfing after you have finished banking.
     
  • Shutdown / Reboot
    Shut down or reboot your computer.
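
For the “Check certificate” step above, an added example (not part of Disklessian or of the original page) that compares fingerprints as normalized strings, so that differences in case, colons or spacing do not hide a real mismatch. The fingerprint values are constructed samples and `bank.pem` is a hypothetical file name.

```shell
#!/bin/sh
# Added example, not part of Disklessian.

# Reduce a fingerprint to bare uppercase hex: drops an openssl-style
# "sha256 Fingerprint=" prefix, colons, spaces and any other separators.
fp_normalize() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d -c '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Succeed only if the expected value is a full SHA-256 (64 hex digits) or
# SHA-1 (40 hex digits) fingerprint and the actual value is identical to it.
fp_matches() {
    expected=$(fp_normalize "$1")
    actual=$(fp_normalize "$2")
    case ${#expected} in
        64|40) ;;
        *) echo "expected value is not a complete fingerprint" >&2; return 2 ;;
    esac
    [ "$expected" = "$actual" ]
}

# SHA-256 fingerprint of a certificate saved as a PEM file, computed with
# openssl instead of read off the browser dialog.
cert_fp_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed sample values (not a real bank's fingerprint):
BANK_LETTER_FP='3a7f01c4 9b22e85d 6013af77 08d94eb1 c2569a0f e3718b24 dd6519a0 f24c873e'
BROWSER_FP='3A:7F:01:C4:9B:22:E8:5D:60:13:AF:77:08:D9:4E:B1:C2:56:9A:0F:E3:71:8B:24:DD:65:19:A0:F2:4C:87:3E'
OTHER_FP='3A:7F:01:C4:9B:22:E8:5D:60:13:AF:77:08:D9:4E:B1:C2:56:9A:0F:E3:71:8B:24:DD:65:19:A0:F2:4C:87:3F'

if fp_matches "$BANK_LETTER_FP" "$BROWSER_FP"; then
    echo "fingerprint matches the value from the bank"
else
    echo "MISMATCH: do not log in"
fi
# With a saved certificate (bank.pem is a hypothetical file name):
#   fp_matches "$BANK_LETTER_FP" "$(cert_fp_sha256 bank.pem)"
```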

Visiting web sites not related to your bank can result in drive-by attacks. These attacks cannot harm your computer (access to internal disks is disabled) or the boot media (write protection is active). But a drive-by attack can harm the running system, e.g. by starting key loggers to obtain your banking login or by searching for artifacts (authentication-related cookies not deleted by the banking web site).
So Disklessian booted from local write-protected boot media must be combined with the discipline not to use the Disklessian session for general web surfing to keep you secure.


Use Disklessian as surf station

You can use netboot or write-protected boot media to start Disklessian for use as a surf station.

But do not use it for banking at the same time!


FAQ

General FAQ

What's the purpose of Disklessian?

Disklessian attempts to provide a secure environment for online banking.
It provides minimal functionality, just banking in the browser.
There are no comfort features like banking software or persistence.
Disklessian can be used as a base to build live systems providing more comfort to the end user.

Which users is Disklessian for?

Users should have some general experience in using a computer. Linux experience may be helpful, but is not required.

Why doesn't Disklessian use convenience feature …XYZ…?

I want to keep the archive contents as small as possible so users can inspect/review all contents before using the scripts to build the live system.

How does Disklessian attempt to provide a secure environment?

No access to internal disks
Access to internal disks is disabled in the kernel. If there is no way to access internal disks from Disklessian, malicious software probably present on these disks is not executed from within Disklessian.

Write protection on boot media
You should use Disklessian only from write-protected boot media to avoid unintended boot media modification.

What are the limits of Disklessian's protection?

BIOS/UEFI
The BIOS or UEFI software is executed before any operating system, e.g. Disklessian, is started. So Disklessian cannot protect against malicious software run from BIOS or UEFI.

Internet surfing
In a correct Disklessian installation a drive-by attack while visiting a web site cannot modify the Disklessian boot media (hardware write protection on the USB stick should be turned on) and cannot modify the system on the internal disk (disk access is disabled in the kernel).
But malicious software, e.g. drive-by attacks while visiting web sites, can infect the running system.
So you should never use the web browser in Disklessian for general internet surfing, neither before nor while nor after banking. After booting into Disklessian, proceed directly to your bank's web application. After finishing banking shut down or reboot the computer.

Disklessian Build FAQ

How do I add WiFi access?

Security note: Create images containing WiFi access data only for yourself or for use by specific persons or on specific computers.
Publishing an image with included WiFi access data discloses your WiFi access data!

Many (most?) WiFi devices do not work without non-free firmware files. You probably want to set

ALLOWNONFREE=yes

in custom/dklivesys.conf.

  • Create a live system without WiFi access first.
  • Run the live system.
  • Manually connect to WiFi, enter the WiFi key/password when asked.
  • Connection data is stored in a new file in the /etc/NetworkManager/system-connections directory in the live system. Copy that file into the /home/user/livesys1/custom/root/etc/NetworkManager/system-connections directory of the virtual machine used to build the live system.
  • Correct file ownership and permissions: Only root should have permission to read or write the file.
  • Now create a live system once again:
cd /home/user/livesys1
rm -fr livesys
dklivesys-build-livesys disklessian
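
For the ownership and permissions step above, an added example (not part of Disklessian) that sets and then verifies root-only access on the copied connection files before the image is built. It assumes GNU `stat` as shipped with Debian; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Disklessian. Uses GNU stat (as found on Debian).

# Give one connection file to a single owner with mode 600.
# $1 = file, $2 = numeric owner uid (default 0 = root)
secure_connection_file() {
    chown "${2:-0}" "$1" && chmod 600 "$1"
}

# Report every file in the directory that is not owned by the expected uid
# with mode 600; succeed only if all files pass.
# $1 = system-connections directory, $2 = expected uid (default 0 = root)
check_connection_files() {
    want="${2:-0} 600"
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        meta=$(stat -c '%u %a' "$f")     # numeric owner and octal mode
        if [ "$meta" != "$want" ]; then
            echo "unsafe: $f is '$meta', want '$want'" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Usage in the build VM, as root, with the directory named on the page:
#   d=/home/user/livesys1/custom/root/etc/NetworkManager/system-connections
#   for f in "$d"/*; do secure_connection_file "$f"; done
#   check_connection_files "$d" && echo "connection files are root-only"
```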

How do I add my banking web sites to the bookmarks?

Set the BOOKMARKURLS option in the custom/dklivesys.conf file, e.g.:

BOOKMARKURLS=One Bank|https://www.one-bank.com/|Other Bank|https://www.other.com/

Bookmark items are separated by “|”.
Each bookmark item contains bank name and URL separated by “|”.
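
An added example (not part of Disklessian) that parses a BOOKMARKURLS value in the format described above and rejects unpaired fields, empty names and any URL that is not `https://`, matching the rule from the banking procedure. The function name is hypothetical; the sample value is the one shown on this page.

```shell
#!/bin/sh
# Added example, not part of Disklessian.

# $1 = value of BOOKMARKURLS, i.e. "Name|URL|Name|URL..."
# Prints one "name -> url" line per bookmark; fails on an unpaired field,
# an empty bank name, a space inside a URL, or a URL that is not https://.
check_bookmarkurls() {
    rest=$1
    [ -n "$rest" ] || { echo "BOOKMARKURLS is empty" >&2; return 1; }
    while [ -n "$rest" ]; do
        # First field of the pair: the bank name.
        case $rest in
            *'|'*) name=${rest%%'|'*}; rest=${rest#*'|'} ;;
            *) echo "'$rest' has no URL field" >&2; return 1 ;;
        esac
        # Second field: the URL (the last pair has no trailing separator).
        case $rest in
            *'|'*) url=${rest%%'|'*}; rest=${rest#*'|'} ;;
            *) url=$rest; rest= ;;
        esac
        [ -n "$name" ] || { echo "empty bank name before '$url'" >&2; return 1; }
        case $url in
            *' '*) echo "space in URL '$url'" >&2; return 1 ;;
            https://?*) ;;
            *) echo "not an https:// URL: '$url'" >&2; return 1 ;;
        esac
        printf '%s -> %s\n' "$name" "$url"
    done
}

# Sample value as shown on this page:
SAMPLE='One Bank|https://www.one-bank.com/|Other Bank|https://www.other.com/'
check_bookmarkurls "$SAMPLE"
```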

Usage FAQ

How do I connect to the internet?

Cable
Plug in the Ethernet cable. Your computer automatically retrieves its IP address and other information from the router.

WiFi

  • Click on the network symbol next to the text “Debian Live user” in the upper right corner.
     
  • Choose your WiFi by name.
     
  • Type authentication credentials (e.g. the pre-shared key for WPA2) into the text field(s).

How do I start the web browser?

Use the menu item in the application menu or the globe button in the Xfce bar at the bottom of the screen.

How do I use a USB stick?

Attach the stick. An icon is shown on the desktop. A double-click on the icon opens a file manager.

How do I remove a USB stick?

Users with Linux experience: Unmount the stick using the desktop icon's context menu, then as root use the udisksctl (or udisks) command to detach the stick, then remove the stick.

Users without Linux experience: Do not remove the stick until the computer has been shut down and powered off.

How do I shut down or reboot?

Click on “Debian Live user” in the upper right corner. From the menu choose “Shutdown” or “Reboot”.

