A Secure OS For the Dalai Lama?
Jamyang (Greg Walton) writes "I am editor of the Infowar Monitor and co-author of the recent report, Tracking Ghostnet. I have been asked by the Office of His Holiness, the Dalai Lama (OHHDL) and the Tibetan Government in Exile (TGIE) to offer some policy recommendations in light of the ongoing targeted malware attacks directed at the Tibetan community worldwide. Some of the recommendations are relatively straightforward. For example, I will suggest that OHHDL convene an international Board of Advisers, bringing together some of the brightest minds in computer and international security to advise the Tibetans, and that the new Tibetan university stands up a Certified Ethical Hacking course. However, one of the more controversial moves being actively debated by Tibetans on the Dharamsala IT Group [DITG] list, is a mass migration of the exile community (including the government) to Linux, particularly since all of the samples of targeted malware collected exploit vulnerabilities in Windows. I would be very interested to hear Slashdot readers opinions on this debate here." (More below.)
Jamyang continues: "Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last years, so in the long run, if the attackers want your data, the entire move is moot. People should choose a platform based on their productivity requirements instead of purely security. Furthermore, most of the web servers broken into during these attacks (to be used as command and control servers) were not Windows, but Linux. What do you think?
(While I have the floor I'd also like to take this opportunity to plug two initiatives where Slashdot readers can directly help the Tibetan tech community, either through sharing your expertise or your cash! Firstly, one of the obstacles to migrating to Linux for a Tibetan speaker is the lack of decent Tibetan font — can you help? Secondly, Avaaz is raising funds for projects that will help End The Blackout in Tibet, including a proposal to support the deployment of Psiphon's circumvention network. Thanks, or in Tibetan, thuk.je.che!"
(While I have the floor I'd also like to take this opportunity to plug two initiatives where Slashdot readers can directly help the Tibetan tech community, either through sharing your expertise or your cash! Firstly, one of the obstacles to migrating to Linux for a Tibetan speaker is the lack of decent Tibetan font — can you help? Secondly, Avaaz is raising funds for projects that will help End The Blackout in Tibet, including a proposal to support the deployment of Psiphon's circumvention network. Thanks, or in Tibetan, thuk.je.che!"
Mac OSX might be more secure than windows and may be easier for non technical people (if the TGIE is lacking expertise) to get up and running. Alternatively, use openBSD - quite hard to get fully functional, but the expertise to get it there means anyone who does should have requisite skills to keep the Tibetan Government safe from certain foreign governments. Also, you may find the openBSD people will gladly help with this poltical agenda. Z/
What other people think of me is none of my business
Boot always from an trusted, read only media, like CD/DVD or locked USB thumb drive.
Media should contain not only OS but applications in trusted configuration. No updates allowed from outside trusted entities
Use only boot media provided from trusted entity
Maybe use also something like tripwire to detect change in the OS/applications files checking changes by comparing sensitive file
Full encryption on sensitive data/drives
My reluctance with BSD is the lack of "rich entertainment"
I use netbsd on my servers and some workstations. The lack of a rich environment is a defence against PEBAK. The problem is selling it to the users.
Done properly, the users would need to specify up front exactly what they want their system to do, so that a solution could be designed from those requirements. A lot of the time these days, secure communication is a prime requirement and BSD can certainly provide that.
http://michaelsmith.id.au
So what? China plays a long game, people could have been sent to immigrate to the US years ago. With travel to the China very common these days, could you be sure that China has not succeeded in planting spies?
Forget the kernel -- it's the compiler that is the key. Didn't someone show years ago how code could be inserted into a compiler and once it was there, there was no way to remove it -- apart from going back through the archives and finding a sufficiently old and uninfected compiler? If the compiler adds code to the kernel every time the kernel is built, you can spend forever vetting the kernel source code, but not find the vulnerability that the compiler inserted.
The real "Libtards" are the Libertarians!
It reminds me of how Bhutan's government has developed its own Debian derivative - Dzongkha Debian Linux - which supports their native language. They have made a font for it too. Costs: around $80 000. I'm sure Tibet can afford such a price.
Not the entire US Govt - just the state department. It was a political pissing contest over which contract was used and that Congressman Wolf didn't get a kickback if the contract went through Lenovo who was doing business out of New York. If Chinese made computers or Chinese controlled companies were the issue, they wouldn't have bought any computers. There are no computers made solely with US parts on US soil.
Computers aren't that big of a deal. You inspect for physical anomalies, wipe the HD and install the OS. You never use the default factory install as its untrustworthy. Same reason you wipe thumb drives on a standalone computer before issuing to your users.
Now if you want to talk about untrustworthy sources - there are legitimate reasons for the US govt to avoid Kasperasky A/V as the company is owned by an ex-KGB type and has connections to russian hackers.
Also, changing your society to match the capabilities of some software is -always- the wrong way.
Sorry to be so blunt, but that's bullshit. Europe made massive changes to its writing systems with the advent of new writing and printing technologies. And that was the right thing to do because it greatly increased literacy.
Tibetan literacy rates historically have been atrocious, and even today, they are worse than many other nations. Reform and simplification of the Tibetan writing system might well be the right thing to do, and the requirements of software generally coincide with sensible simplification.