Here is an interview with Dr. Interview with Dr. Thorsten Schneider creator of DVL.
Questions 0 and 7 were added by the doctor himself. Thank you for the extra information.
0. What is "Damn Vulnerable Linux"?
Actually, it is a perverted Linux distribution made to be as insecure as
possible. It is collection of IT-Security and IT-Anti-Security tools.
Additionally it includes a full scaled lesson based environment for Attack
& Defense on/for IT systems for self-study or teaching activities during
university lectures. It's a Live Linux Distro, which means it runs from
a bootable CD in memory without changing the native operating system of
the host computer. It can also be run within virtual machine
environments, such as qemu or vmware. There is no need to install a
virtual machine if you use the embedded option. Its sole purpose in life
is to put as many security tools at your disposal with as much training
options as it can. It contains a huge amount of lessons including
lesson description - and solutions if the level has been solved by a
community member at crackmes.de.
Damn Vulnerable Linux (DVL) is meant to be used by both novice and
professional security personnel but is not ideal for the Linux
uninitiated. Damn Vulnerable Linux (DVL) assumes you know the basics of
Linux as most of your work will be done from the command line. If you
are completely new to Linux, it's best you stop playing with this system.
1. Who should use your distribution?
The main idea behind Damn Vulnerable Linux was to build up a training
system to use within university lectures for my students. Damn
Vulnerable Linux is now used successfully within my university lecturers
and commercial training sessions! We wanted to design a Linux
system that was as vulnerable as possible to train anti-security topics such as
Reverse Code Engineering, Buffer Overflows, Shellcode development,
web exploitation, and SQL injection. Regarding to all the material out
there to train anti-security elements, you are always faced with old
tutorials, missing packages and similar. We wanted to build up a
plug-and-play system. Simply run Damn Vulnerable Linux in a virtual
machine, all needed tools installed, working training lessons included,
ready to go. Additional training videos are not included on the distro but at the
website to keep size of the distro assmall as possible. As one future plan Damn
Vulnerable Linux will be extended as a hacking wargame. Further information and
news are available at http://www.DamnVulnerbleLinux.org. We had over 600
downloads within the first 24 hours - seems that we had be right with
our idea!
2. What is one thing you would like your distribution to have or do that
no other distribution does?
Many more exercises with solutions solved by the community! There are
many security distros out there but most of them stay at "toolbox" level.
DVL has now everything included: tools and exercises. There are many security
and anti-security distros out there. One example is given with Knoppix-STD or the
hakin9 CD. However, all of them are mostly a hacking tool collection. Damn
Vulnerable differs by this. It not only contains all necessary tools but training
lessons as well. The addition of training videos at the Damn Vulnerable Linux
website makes this distro more complete than others. As I mentioned: all your
needs included, no more need to search. At the moment a few training
videos are available at the Damn Vulnerable Linux website. The training video
section will grown soon, however producing such videos takes much time so
the progress appears "slow" to some people. But we will try to things speed up.
Text tutorials depend on the community - the more the community helps, the
faster the tutorial section grows. However, people can add their own challenges via the
www.crackmes.de website. This spawns the Damn Vulnerable Linux tutorials
faster.
3. Why did you decide to make your own live security distribution?
See point 1.) There was no such system to teach students unique
IT-Anti-Security. Looking around there are many good distros out there.
Most of them include many many tools... too many for students. They
should focus on the relevant part. And as described in 2.) most of these
distros are toolboxes only. Where are the lesson to teach people? This
was the reason why we started the Damn Vulnerable Linux project.
Oh, I forgot: since we want to train attack and defense we needed a mostly
vulnerable system, so we decided do reduce the security of the system
step by step (wrong setup of php.ini, etc.)
4. How many man hours go into each release?
Some, never counted them. However the most work is going into the
training videos.
5. What is your favorite *nix distribution and why?
There is no "favorite" one. I am currently running on Xubuntu and
Ubuntu, but many others are good as well. I focus on Debian based
distros due their support and reaction time for critical fixes. But this
is philosophy (flame war?) and each should decide himself ;)
6. How do you see live security distributions evolving over the next few
years?
IT security in general is a growing topic. Management companies such as
Gartner promise security the most significant growth during the next 10
years.
At the moment I do not see security distros evolving. They add this or
that tool, but do not evolve at all. What is necessary is to include
much more. Similar to Damn Vulnerable Linux they should add tutorials,
training material or videos to support the community.
7. What is the biggest upgrade/addition that is planned for your
distribution?
The biggest addition planned for Damn Vulnerable Linux is the addition
of Kernel vulnerabilities. We will manipulate the Kernel to be more
attackable. The largest release during the next time will be in releasing many parts
of the commercial edition as free to public to support the security
community training, teaching, and self-study efforts!