Slashdot Mirror


A Secure OS For the Dalai Lama?

Jamyang (Greg Walton) writes "I am editor of the Infowar Monitor and co-author of the recent report, Tracking Ghostnet. I have been asked by the Office of His Holiness, the Dalai Lama (OHHDL) and the Tibetan Government in Exile (TGIE) to offer some policy recommendations in light of the ongoing targeted malware attacks directed at the Tibetan community worldwide. Some of the recommendations are relatively straightforward. For example, I will suggest that OHHDL convene an international Board of Advisers, bringing together some of the brightest minds in computer and international security to advise the Tibetans, and that the new Tibetan university stands up a Certified Ethical Hacking course. However, one of the more controversial moves being actively debated by Tibetans on the Dharamsala IT Group [DITG] list, is a mass migration of the exile community (including the government) to Linux, particularly since all of the samples of targeted malware collected exploit vulnerabilities in Windows. I would be very interested to hear Slashdot readers' opinions on this debate here."

Jamyang continues: "Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last years, so in the long run, if the attackers want your data, the entire move is moot. People should choose a platform based on their productivity requirements instead of purely security. Furthermore, most of the web servers broken into during these attacks (to be used as command and control servers) were not Windows, but Linux. What do you think?

(While I have the floor I'd also like to take this opportunity to plug two initiatives where Slashdot readers can directly help the Tibetan tech community, either through sharing your expertise or your cash! Firstly, one of the obstacles to migrating to Linux for a Tibetan speaker is the lack of a decent Tibetan font — can you help? Secondly, Avaaz is raising funds for projects that will help End The Blackout in Tibet, including a proposal to support the deployment of Psiphon's circumvention network. Thanks, or in Tibetan, thuk.je.che!)"

11 of 470 comments

  1. second post by Anonymous Coward · · Score: -1, Troll

    lunix. Also, eat my asshole.

    1. Re:second post by Anonymous Coward · · Score: -1, Troll

      I thoroughly recommend Last Measure OS. Here is a preview.

      But how can one actually eat a hole, considering a hole is the empty space (surrounded by something)?

      Do you twofo?

  2. Windows Server 2k3 fully patched/security hardened by Anonymous Coward · · Score: -1, Troll

    See subject-line: It will do the job, securely (this often depends as much on the person(s) administrating the system &/or network around it, as much as staying current w/ systemcode security patches also), if one follows a guide for that (down to the workstation network node levels, from servers on down, to all endpoints) such as this one:

    http://www.tcmagazine.com/forums/index.php?s=041749be01ad8c44e0f3e7ae54129780&showtopic=2662

    Where Windows NT-based OS' were shown to score (up from the default of 46.xxx/100, which Linux systems score by default as well) 87-99.058/100 scores, @ both the server and workstation levels on the CIS Tool multiplatform security compliance system.

    Also, for stability, Windows has "made it" in that area, as well, per this evidence thereof:

    Windows Server 2003 + SQLServer 2005 does, and has done for YEARS now mind you, a great job of being the official disseminator of trade data @ NASDAQ, running into the "fabled 5-9's" of 99.999% uptime for years now, 24x7, via failover clustering... that was back in 2006 (possibly earlier, as that is only the date of the article):

    ----

    NASDAQ Migrates to SQL Server 2005:

    http://windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

    ----

    Best of ALL? Hey, it's Windows!

    (Which means you probably already own & are familiar w/ Microsoft + Win32 applications on every level of use there is...)

    APK

    P.S.=> One thing I like about Windows, @ least up to Windows Server 2003 (which installs by default, as a 'workstation/pro' desktop model, to which you add "back-office" enterprise-class apps onto, only if needed, later?)

    Well mainly is that "Windows" has come a LONG ways since Windows 3.0, which was my first version I tried!

    (Once they went w/ the VMS underpinnings design of NT 3.x, I knew they had a winner, & that ran pretty good on a 486 66mhz 32mb RAM machine)...

    There are a couple things, mainly something done to the HOSTS file in VISTA mostly I don't like (no longer being able to use the more efficient 0 based Blocking IP address in a HOSTS file, vs. the larger, slower, & more bloating on disk 0.0.0.0, & worse so, 127.0.0.1 on all accounts), so, that's why I am not going to include it as a recommendation here...

    (Others might cite things like DRM, messing around w/ OpenGL, the 3 driver/3 level defense in the IP stack on filtering being another, vs. VISTA/Server2k8/Windows 7 using the SINGLE layer based WFP instead (one I think is VERY debatable in fact), & as well as things I am not even stating that I could not think of @ least, offhand)... apk

  3. Re:Huh? by OeLeWaPpErKe · · Score: -1, Troll

    There are thousands of attack vectors into linux, far more than there are into any windows software.

    How much source code have you verified on your linux install? Your windows install has at least been verified by a known party. Anyone wanting to get into your system will have to get past microsoft first.

    Now in theory getting into a linux system would require getting past redhat or canonical. In practice, as several breaches have demonstrated, compromising ANY widely used project (who accept volunteers as full committing members merely for showing a bit of ability) would be sufficient.

    How many chinese spies are working on the linux kernel. Improving it, yes, but also ... Do you dare to bet your life on the answer being zero?

    A full linux install being trustworthy is dependent on tens of thousands of coders all being trustworthy (since in practice, nobody checks one another's work, and no "real" security audits are being conducted. Checking personnel is considered heresy, refusing code based on lack of credentials is something that cannot ever be mentioned).

    You want to be secure against chinese interference? Go to microsoft or ibm. Not because they do not have chinese spies in their organisations, but because they most likely do not have 1000 chinese spies in them. Also, those spies have to get past at least a single code review (one hopes) before compromising all customers' security.

    Sorry to break the news to you: open source software, in its current form, cannot defend against a concerted attack by any large groups of individuals. It can't be done. It doesn't have to be the chinese. It's a matter of time before islamic terrorists compromise projects (they certainly have attacked quite high-value targets on the internet aplenty. Most attacks are stupid. Some (currently a very, very tiny fraction) aren't). It's a matter of time before India breaks into open source projects. Keeping the NSA out of linux systems ... can't be done.

    And that's the best case scenario. A code compromise cannot be avoided if you can't trust the contributors. Trusting people means checking them first. Nobody's doing that.

    Checking the contributions require you taking into account every other piece of software it might interact with. It's like playing a chess game with chinese hackers, only you can't see their moves, since other projects don't concern you, you can only see your own moves.

    And to be completely honest ... are you seriously hoping to hide a large group of Tibetan exiles from China's billion people? You need to downsize seriously, and split the organisation.

    Hiding an entire government from a billion eyes inside free countries where Chinese can move without anything more thorough than a weapons check (in many countries not even a weapons check)? Sorry but it can't be done.

  4. Windows Server 2k3 fully security hardened/patched by Anonymous Coward · · Score: -1, Troll

    See subject-line: It will do the job, securely (this often depends as much on the person(s) administrating the system &/or network around it, as much as staying current w/ systemcode security patches also), if one follows a guide for that (down to the workstation network node levels, from servers on down, to all endpoints) such as this one:

    http://www.tcmagazine.com/forums/index.php?s=041749be01ad8c44e0f3e7ae54129780&showtopic=2662 [tcmagazine.com]

    Where Windows NT-based OS' were shown to score (up from the default of 46.xxx/100, which Linux systems score by default as well) 87-99.058/100 scores, @ both the server and workstation levels on the CIS Tool multiplatform security compliance system.

    Also, for stability, Windows has "made it" in that area, as well, per this evidence thereof:

    Windows Server 2003 + SQLServer 2005 does, and has done for YEARS now mind you, a great job of being the official disseminator of trade data @ NASDAQ, running into the "fabled 5-9's" of 99.999% uptime for years now, 24x7, via failover clustering... that was back in 2006 (possibly earlier, as that is only the date of the article):

    ----

    NASDAQ Migrates to SQL Server 2005:

    http://windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

    ----

    Best of ALL? Hey, it's Windows!

    (Which means you probably already own & are familiar w/ Microsoft + Win32 applications on every level of use there is...)

    APK

    P.S.=> One thing I like about Windows, @ least up to Windows Server 2003 (which installs by default, as a 'workstation/pro' desktop model, to which you add "back-office" enterprise-class apps onto, only if needed, later?)

    Well mainly is that "Windows" has come a LONG ways since Windows 3.0, which was my first version I tried!

    (Once they went w/ the VMS underpinnings design of NT 3.x, I knew they had a winner (when I tried NT 3.51), & that ran pretty good on a 486 66mhz 32mb RAM machine)...

    There are a couple things, mainly the HOSTS file in VISTA mostly I don't like (no longer being able to use the more efficient 0 based Blocking IP address in a HOSTS file, vs. the larger, slower, & more bloating on disk 0.0.0.0, & worse so, 127.0.0.1 on all accounts), so, that's why I am not going to include it as a recommendation here...

    (Others might cite things like DRM, messing around w/ OpenGL, the 3 driver/3 level defense in the IP stack on filtering being another, vs. VISTA/Server2k8/Windows 7 using the SINGLE layer based WFP instead (one I think is VERY debatable in fact), & as well as things I am not even stating that I could not think of @ least, offhand)... apk

  5. Re:Huh? by OeLeWaPpErKe · · Score: 0, Troll

    I'm not claiming there aren't Chinese spies inside microsoft. I'm claiming there are probably not enough to corrupt the kernel, and the critical people are being watched too closely to succeed in coordinating a successful subversion attempt.

    On linux, freebsd, ... nobody's even seriously attempting to check people. Chinese (or Indian, or muslim, or just plain criminals or even bored adolescents) literally don't have to get up from their desk chair to do what would require organizing a coordinated effort right in the middle of America while being watched by several powerful institutions whose mission is nothing else than preventing that sort of thing.

    Also the consequences of a failed attempt for the individual inside microsoft are none too pleasant, probably involving several decades in a little box with no windows. In the open source case, the consequence of a failed attempt is probably a few months work building a new nickname's coding reputation, if even that.

    God knows I've spent many a week restoring linux servers that had been backdoored in some stupid way. It's not hard.

    At the very least, it's not hard enough.

  6. Re:Practical considerations and philosophical ones by geekoid · · Score: 1, Troll

    Yes, using linux to help restore an oppressive religious regime..go Linux!

    You people might want to actually read up on what life was like in Tibet before the Chinese came in and made it better.
    Yes, the Chinese pale next to what the monks did to the people.

    Hey, an elite class governing on their whim and not by law, nothing could possibly go wrong~

    Stupid bumper sticker hippies.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

  7. Re:Oh, so you're playing Devil's Advocate? by shutdown+-p+now · · Score: 0, Troll

    Congratulations, it looks like you've Slashdotted the site you linked to.

    I have to ask, though... how do we know that whatever content is there is factual, and not just Chinese propaganda? I know the pre-occupation history of Tibet, and I, too, have considerable reservations about the Tibetan freedom movement led by its aristocracy figures in light of that, but I also know the history of my own country, when it still was the USSR, and how happily it could twist facts and straight out lie to promote the party line.

  8. Re:Logical suggestion... by Hognoxious · · Score: 0, Troll

    Just avoid led frag rinux.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  9. Re:All right... by Hurricane78 · · Score: 0, Troll

    You mean: If you buy a Tibet here, you will get another Tibet for just one penny! If you can find a cheaper Tibet anywhere... INVAAADEEE IIIT!

    (Yes, I know. Very insensitive. Tibetans: I'm with you!)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.

  10. Re:Lack of font? Design your own! by Anonymous Coward · · Score: -1, Troll

    Tibetan monks with their discipline, devotion, and sometimes super human feats working on Linux... I think I just had a Nerdgasm