A Secure OS For the Dalai Lama?
Jamyang (Greg Walton) writes "I am editor of the Infowar Monitor and co-author of the recent report, Tracking Ghostnet. I have been asked by the Office of His Holiness, the Dalai Lama (OHHDL) and the Tibetan Government in Exile (TGIE) to offer some policy recommendations in light of the ongoing targeted malware attacks directed at the Tibetan community worldwide. Some of the recommendations are relatively straightforward. For example, I will suggest that OHHDL convene an international Board of Advisers, bringing together some of the brightest minds in computer and international security to advise the Tibetans, and that the new Tibetan university stands up a Certified Ethical Hacking course. However, one of the more controversial moves being actively debated by Tibetans on the Dharamsala IT Group [DITG] list, is a mass migration of the exile community (including the government) to Linux, particularly since all of the samples of targeted malware collected exploit vulnerabilities in Windows. I would be very interested to hear Slashdot readers' opinions on this debate here." (More below.)
Jamyang continues: "Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last years, so in the long run, if the attackers want your data, the entire move is moot. People should choose a platform based on their productivity requirements instead of purely security. Furthermore, most of the web servers broken into during these attacks (to be used as command and control servers) were not Windows, but Linux. What do you think?
(While I have the floor I'd also like to take this opportunity to plug two initiatives where Slashdot readers can directly help the Tibetan tech community, either through sharing your expertise or your cash! Firstly, one of the obstacles to migrating to Linux for a Tibetan speaker is the lack of a decent Tibetan font — can you help? Secondly, Avaaz is raising funds for projects that will help End The Blackout in Tibet, including a proposal to support the deployment of Psiphon's circumvention network. Thanks, or in Tibetan, thuk.je.che!"
It is clear that if an entire community has a requirement for a certain font, designing a new one is the easiest thing to do. Release it as free and you have a problem solved. Don't any Tibetan typographers exist? So with a bit of Googling, they do exist and can be found here: http://www.thdl.org/
Support Eachother, Copy Dutch Property!
First off, yes, that is a single sentence.
Secondly, exactly who is it who says (or can demonstrate) that cracking a Mac or Linux box is easier than a Windows box? My experience is exactly the opposite.
With purchase of Tibet of equal or lesser value.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
As opposed to the anti-exploitation frameworks which were present in UNIX systems from the moment they were conceived? and continually updated since? You've been listening to too much Microsoft advertising if you think they're Superior. (Competitive? Maybe. Superior? Not a chance).
The World Wide Web is dying. Soon, we shall have only the Internet.
Talk to the Bhutanese Govt. They're now using a Debian variant with localised scripts for Dzongkha. Debian includes some Tibetan fonts.
That should give you 20,000 apps to leverage :) Christian Perrier who co-ordinates some of the Debian translation work may know more.
The only exploits they're going to discover are windows exploits. I hope you've made them well aware exploits exist for every platform, and if someone is directly targeting them rather than just being hit by run-of-the-mill worms, they're going to get in. You should focus your efforts on limiting the amount of damage someone can do once they do get in.
If *I* was in charge of the DL's computer, I wouldn't put on *only* Linux or *only* Windows or what have you. I think the DL needs a multiboot machine, and would really appreciate it if you tried to make him one with everything.
Do daemons dream of electric sleep()?
http://paranoidlinux.org/ is a project to create a distribution which assumes the user is under assault from the government. Right now, it's a vaguely locked down version of Ubuntu, but someday this might be pretty cool.
In the meantime, just run NetBSD and full-disk encryption.
From wikipedia:
NetBSD provides various features in the security area. The Kernel Authorization framework (or Kauth) is a subsystem managing all authorization requests inside the kernel, and used as system-wide security policy. It allows external modules to plug-in the authorization process. NetBSD also incorporates exploit mitigation features, ASLR, MPROTECT and Segvguard from PaX project, and GCC Stack Smashing Protection (SSP, or also known as ProPolice) compiler extensions. The Verified Executables (or Veriexec) is an in-kernel file integrity subsystem in NetBSD. It allows the user to set the digital fingerprints (hashes) of files in the system to monitor by the Veriexec, and prevent the execution of them. For example, one can allow Perl to run only scripts that match the fingerprints. The cryptographic device driver (CGD) provides functionality which allows using the disks or partitions (including CDs and DVDs) for encrypted storage in NetBSD.
Not encryption or top secret stuff.
Any of the major Linux distros should work fine; Unicode Tibetan is supported.
First of all, converting the Dalai Lama to Linux is about the coolest IT project I've ever heard of, so congratulations.
That aside, there are practical considerations and there are philosophical ones you'll want to consider. Practically speaking, no platform is 100% secure. Linux has historically been more secure than Windows. MS has made a lot of progress in the last decade or so.
The question is, do you prefer the closed-source approach or the open-source one? Would you rather the problems be hidden away, or laid out for all to find? In the closed-source scenario, knowledge of exploits may be less common, but that cuts two ways. Less attackers will be aware of an exploit, but less defenders will be aware of it as well. That may well result in the exploits that do occur being much more severe.
Beyond those practical considerations, which approach fits better with the values of the Tibetan community and the Dalai Lama in particular? In my mind, open source is the embodiment of non-attachment.
Monkeytreats
I am Suleman , IT Manager of Zenith Bank, Lagos, Nigeria. I have urgent and very confidential business proposition for you. On June 6, 1997, a Foreign IT consultant/contractor with the Nigerian National IT Corporation, Mr. Barry Kelly made a numbered time (Fixed) request for twelve calendar months, for a secure OS. Upon maturity, I sent a routine notification to his forwarding address but got no reply. After a month, we sent a reminder and finally we discovered from his contract employers, the Nigerian National IT Corporation that Mr. Barry Kelly died from an automobile accident. On further investigation, I found out that he died without making a WILL, and all attempts to trace his next of kin was fruitless. I therefore made further investigation and discovered that Mr. Barry Kelly did not declare any kin or relations in all his official documents, including his Bank Deposit paperwork in my Bank. This sum of US$26,500,000.00 has carefully been moved out of my bank to a security company for safe-keeping. Consequently, my proposal is that I will like you as an Foreigner to stand in as the owner of the money I deposited it in a security company in two trunk boxes though the security company does not know the contents of the boxes as I tagged them to be photographic materials for export. This is simple. I will like you to provide immediately your full names and address so that the Attorney will prepare the necessary documents which will put you in place as the as the owner of the boxes. The money will be moved out for us to share in the ratio of 60% for me and 40% for you. There is no risk at all as all the paperworks for this transaction will be done by the Attorney and this will guarantees the successful execution of this transaction. If you are interested, please reply immediately via my email address.And also send your Telephone and fax numbers so that we can have a smooth communication. 
Upon your response, I shall then provide you with more details and relevant documents that will help you understand the transaction. Awaiting your urgent reply via my email. PLS REPLY TO MY PRAVATE BOX suleman775@mailsurf.com Thanks and regards. Dr.Suleman .
A Secure OS For the Dalai Lama?
I have absolutely no idea what Slashdot will say to a question like that.
Also the German government would be interested.
A very similar penetration was detected on IT infrastructure of several German govt. agencies not long ago.
Lots of internal information was uploaded to the internet before it was detected and stopped.
And the trail seemed to lead... you know where.
Apparently this Vista thing is the most secure os on the planet.
Mac OSX might be more secure than Windows and may be easier for non-technical people (if the TGIE is lacking expertise) to get up and running. Alternatively, use OpenBSD - quite hard to get fully functional, but the expertise to get it there means anyone who does should have requisite skills to keep the Tibetan Government safe from certain foreign governments. Also, you may find the OpenBSD people will gladly help with this political agenda. Z/
What other people think of me is none of my business
Always boot from a trusted, read-only medium, like a CD/DVD or locked USB thumb drive.
Media should contain not only OS but applications in trusted configuration. No updates allowed from outside trusted entities
Use only boot media provided from trusted entity
Maybe also use something like tripwire to detect changes in the OS/application files, checking for changes by comparing sensitive files
Full encryption on sensitive data/drives
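The tripwire-style check suggested in the comment above, as an added example that is not part of the original thread: record a fingerprint of every file while the tree is known-good, then compare the running system against that record. The file names and contents are constructed sample data; in practice the baseline would be stored on the read-only boot media so it cannot be rewritten along with the files it describes.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Return (kind, permission bits, sha256 hex) without following symlinks."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
    if stat.S_ISLNK(st.st_mode):
        # Hash the link target: a retargeted symlink counts as a content change.
        target = os.readlink(path).encode()
        return ("link", mode, hashlib.sha256(target).hexdigest())
    if not stat.S_ISREG(st.st_mode):
        return ("other", mode, "")
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return ("file", mode, digest.hexdigest())


def snapshot(root):
    """Map each relative path under root to its fingerprint."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames and never descended.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = fingerprint(full)
    return snap


def compare(baseline, current):
    """Classify every difference between a trusted baseline and the live tree."""
    report = {"added": [], "removed": [], "content": [], "mode": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            old, new = baseline[path], current[path]
            if (old[0], old[2]) != (new[0], new[2]):
                report["content"].append(path)
            elif old[1] != new[1]:
                # Same bytes, different permissions (e.g. a new setuid bit).
                report["mode"].append(path)
    return report


def demo():
    """Constructed sample tree: record a baseline, alter the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("bin/login", b"login v1"), ("bin/ls", b"ls v1"),
                          ("etc/hosts", b"127.0.0.1 localhost\n")):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, 0o755)
        baseline = snapshot(root)  # in practice: taken from the trusted media

        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"login v2 (modified)")            # replaced binary
        os.chmod(os.path.join(root, "bin/ls"), 0o777)   # now world-writable
        with open(os.path.join(root, "bin/.hidden"), "wb") as fh:
            fh.write(b"unexpected file")                # file not in baseline
        os.remove(os.path.join(root, "etc/hosts"))      # deleted file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Comparing permission bits separately from content matters because a file can be made dangerous without a single byte of it changing.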
The obvious solution is Yellow Hat GNU/Linux.
Seriously, this is a great project. Surely the appropriate solution is a version of either GNU/Linux, such as SELinux, or OpenBSD. No system is entirely secure, but the idea that MS Windows could be as secure as GNU/Linux or BSD is wild.
Correct me if I'm wrong but I thought one of the major reasons Linux was more secure than Windows, was because the community worked together in a co-operative way. There is a lot of good will in the community, writing a worm to hack into a Linux system is not top priority for a hacker, they'd much rather hack into a Windows system: they'd find that more rewarding.
But what if the all the resources of the Chinese government were put into writing worms to infiltrate Linux systems? I would think they would have some success certainly, but I would also anticipate that the Linux community would work together fairly effectively to combat the new challenge.
Conservation of angular momentum makes the world go round.
If it were up to me to decide, I would go for the broadest possible range of OSes: Windows, Mac, Linux, Unix, BSD, BeOS....
The reason is simple: if an outside attacker can't predict what they will meet, it's much harder to get in.
And if you can get the various OSes to masquerade as each other when replying to outside queries, so much the better: an attacker could be trying to use known Mac vulnerabilities to enter a machine that from the outside looks and behaves like a Mac, but actually runs Windows or Linux.
I'm a little surprised to hear that there is no good Tibetan font. Here is a list of Unicode-encoded Tibetan fonts, mostly both free and libre. Do none of them meet the need?
Why would it be more difficult to "write" (aka implement) exploits for one operating system than another? You should be worried about how hard it is to find exploits and how quickly they're fixed.
Assuming for the moment all you care about is the actual security of your software (excluding implementation details, mis-configurations, etc), the real metric you want to be looking at is the frequency of discovery of serious vulnerabilities and the span of time from first (non-public) discovery (which may not be knowable) and the appearance of a patch you could use. Looking merely at "remote root exploits / year" and "mean time to patch remote root exploit" might not be a bad place to start.
Also, you need to think about the actual design of the operating systems in question. Without tipping my hand too much, some might say that the Unix user/superuser distinction is something Microsoft could learn from.
That being said, though, I'll tell you my opinions.
NetBSD has one of the best track records in the industry with regards to server security. The security of *nix, in general, scales directly with the intelligence of the people managing it. You can get decently far with Windows and just doing things 'by the book,' but it's got all the typical problems of monoculture and a well-deserved poor reputation.
A group of very intelligent, very technical network admins are nearly unstoppable given linux and sufficient control. A group of very intelligent people can probably make do with Windows too. Windows configured by average people may in some cases be better than Linux configured by average people.
In any event, just from reading your question, I doubt you are technical enough to undertake this at a nuts-and-bolts level. You kind of came here asking "Is Linux or Windows more secure?" You bet your ass I have an opinion on the matter, but the problem is, so does everyone else. You need to find highly intelligent people, and then use your common sense and analytical thinking to weigh their arguments. In short, stop thinking as if the answer to your question would provide security; find smart people experienced in securing things and then evaluate the tools (operating systems) as they relate to your immediate ends.
Upgrade to Vista, install the latest updates, leave auto-updates on, enable DEP for all processes adding exceptions to the DEP exception list if necessary (i.e. app crashes occur) - use IE8, lock down the internet zone so that all active-x and .net stuff is disabled, add trusted sites to the trusted sites zone that need those things, enable IE 'protected mode' for all zones, run users as standard users.
Use strong passwords, teach users basic computer security, including no clicking on email links, no downloading anything from the web. Tell them to trust no one (and no web page,) make sure they understand that they are under siege from one of the most powerful governments on the planet, and so on. Give users 'tests' on this stuff, to make sure they understand it.
There may also be security apps for windows that do more than signature scanning, something that cryptographically signs files and checks signatures, and alerts users/admins to any new processes that auto-start. Or perhaps writing/contracting one might be something you may want to look into.
That's enough to get started, but the key thing is update to Vista, it has so many security features added that it's very hard to break into relative to most other feasible OSes.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
After all, this is the worst possible article in which to lose karma.
Red Flag Linux ? ;)
And each one with its own set of vulnerabilities.
cpghost at Cordula's Web.
Now let me do a bit of that myself too, since I think that it's unjust that each time the Dalai Lama is mentioned, people think he's all for justice.
For a bit more balance in the whole story, have a look at this video.
Anyone willing to debunk this, you're welcome; As I still have quite a quarrel with each time the Dalai Lama gets mentioned as some sort of Saint.
(This does not reflect my opinion on the whole Tibet/China debacle; I think that's as bad as it is)
When you shoot a mime, do you use a silencer?
The problem here is probably one of process and not operating system.
One of the ways that I manage my systems is to create a zone where hackers may go, and not go.
For example, I use a good firewall. That firewall is allowed to communicate to another firewall. Between the two firewalls is my take down zone. This means if they happen to break through the firewall all they will get are servers that can be taken down anyways.
These take down servers are virtual machine based. So if a machine goes down, who shives a ghit because you just shut down the VM, copy the old one and restart it.
The second firewall is a non-entry firewall. That means there is absolutely no way at all to get through it from the outside. Only those behind the second firewall may communicate outside. And if I need to communicate to a trusted source outside the first firewall I set up a VPN server between the two firewalls. If somebody manages to hack that VPN server, you just take it down, set up new keys, restart and away you go.
By not allowing any communication into the second firewall you stop outside hackers. Then to allow communications from the inside to the outside you set up proxy servers that are trusted to communicate to the outside. Only those proxy servers may communicate with the outside world. Without those proxy servers the inside users are cut off, but you have created a wall where you can control the entries and exits.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
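The two rules the comment above sets for its second (inner) firewall, nothing may open a connection inward and only the proxy servers may open one outward, can be checked mechanically against a rule list. This is an added example, not part of the original comment; the addresses, rule names and the placement of the proxies behind the inner firewall are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the thread).
INSIDE = ipaddress.ip_network("10.20.0.0/16")
PROXIES = [ipaddress.ip_network("10.20.0.10/32"),
           ipaddress.ip_network("10.20.0.11/32")]

# Constructed inner-firewall rules for NEW connections:
# (name, source network, destination network, action)
RULES = [
    ("proxy-a-out", "10.20.0.10/32", "0.0.0.0/0", "accept"),
    ("proxy-b-out", "10.20.0.11/32", "0.0.0.0/0", "accept"),
    # Desktops allowed straight out, bypassing the proxies.
    ("legacy-desktops", "10.20.5.0/24", "0.0.0.0/0", "accept"),
    # A host in the zone between the firewalls allowed to reach inside.
    ("vpn-to-fileserver", "192.0.2.50/32", "10.20.1.5/32", "accept"),
    ("default", "0.0.0.0/0", "0.0.0.0/0", "drop"),
]


def audit(rules, inside=INSIDE, proxies=PROXIES):
    """Return (rule name, problem) for each accept rule that breaks the design.

    Every accept rule is judged on its own, ignoring rule order, so a rule
    is reported even if an earlier rule would currently shadow it.
    """
    findings = []
    for name, src, dst, action in rules:
        if action != "accept":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not src_net.subnet_of(inside) and dst_net.overlaps(inside):
            # Some source address lies outside, some destination inside.
            findings.append((name, "inbound to inside"))
        elif src_net.overlaps(inside) and not any(
                src_net.subnet_of(p) for p in proxies):
            # Source range is wider than, or disjoint from, the proxy hosts.
            findings.append((name, "non-proxy egress"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(RULES):
        print(f"{name}: {problem}")
```

Using network containment rather than string comparison means a rule whose source range merely includes a proxy address, such as a whole subnet, is still reported.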
Too bad MS has figured out how to implement it consistently. ASLR in Linux is a novelty and usually not the default. Just like selinux is a joke. It's high maintenance and just having it installed doesn't protect anything unless you carefully and manually tweak it. Ever look and see what it actually protects when you enable it on RHEL? Damn near nothing. A carefully set up system with a proper selinux config might be good for a secure, single-purpose internet-facing server but it usually ends up getting disabled on a desktop computer.
it's like the soul of Debian, but reincarnated in a new body.
His Holiness merely needs to look inside his heart, and ask himself; "What is the sound of one server booting?" and then he will know the answer to which platform he should choose. Personally, I think he should go with Amiga. After all, Guru Meditation is what the Lama is all about.
... and then they built the supercollider.
Or the English Queen?
Do you mean Her Majesty Elizabeth the Second, by the Grace of God, of Great Britain, Ireland and the British Dominions beyond the Seas Queen, Defender of the Faith, Duchess of Edinburgh, Countess of Merioneth, Baroness Greenwich, Duke of Lancaster, Lord of Mann, Duke of Normandy, Sovereign of the Most Honourable Order of the Bath, Sovereign of the Most Ancient and Most Noble Order of the Thistle, Sovereign of the Most Illustrious Order of Saint Patrick, Sovereign of the Most Distinguished Order of Saint Michael and Saint George, Sovereign of the Most Excellent Order of the British Empire, Sovereign of the Distinguished Service Order, Sovereign of the Imperial Service Order, Sovereign of the Most Exalted Order of the Star of India, Sovereign of the Most Eminent Order of the Indian Empire, Sovereign of the Order of British India, Sovereign of the Indian Order of Merit, Sovereign of the Order of Burma, Sovereign of the Royal Order of Victoria and Albert, Sovereign of the Royal Family Order of King Edward VII, Sovereign of the Order of Mercy, Sovereign of the Order of Merit, Sovereign of the Order of the Companions of Honour, Sovereign of the Royal Victorian Order, Sovereign of the Most Venerable Order of the Hospital of St John of Jerusalem?
It's bad enough using this shorthand without her non-regnal titles.
Hardly any exploits at all.
Oh you wanted a USABLE OS? Well you'll need to tell me what it's going to be used for.
These posts express my own personal views, not those of my employer
This entire article smells like flamebait to me. I'm going to sit back and watch it burn.
Power does not corrupt - power attracts the corrupt.
Just look at one of the BSDs; they have a track record for being secure and no messy cert issues like Debian had. Also you might want to consider that the OS isn't the only attack vector.
The first thing you need to determine is just how secure you want your Linux to be, how much control you want, and how much expertise you can muster to implement those security policies. If you want total control and have a staff with high technical expertise, then you may want to go with Linux From Scratch. You'll have total control (and total responsibility) for everything, but it's going to require a lot of work.
On the other end is (K)ubuntu, PCLinuxOS, Mandriva, and other easy to use Linux distributions. Setup and maintenance are very easy, but they are managed outside of your direct control. You can always boot from read-only media or run the system (slowly) from CD or DVD, though. Outside of creating your own operating system and applications, though, you're probably going to have to compromise on total control. In that case, any of these distributions are more or less on equal security footing; all of them are good choices.
How paranoid you are will go a long way towards deciding which distribution you want to use.
Not to mention OpenBSD has been auditing their code file-by-file since 1996. They also employ the following technologies:
strlcpy() and strlcat()
Memory protection purify
Privilege separation
Privilege revocation
Chroot jailing
New uids
ProPolice
And since OpenBSD is based in Canada you get all the cryptography you would ever desire.
I just call her HRH E2R. Although sometimes I mistake that name for a postal code.
Do daemons dream of electric sleep()?
OpenBSD is one of the labels of this article, but I, too, am surprised as to how infrequently it has been mentioned. The first thing that came to my mind when I read the title was "OpenBSD."
At the time of posting, CTRL+F shows the following:
By contrast, OpenBSD has just 12 matches.
When you've read OpenBSD's /etc/rc.conf, you'll know what secure means. I love Archlinux, but Linux does not compare to OpenBSD in terms of security.
yum install tibetan-machine-uni-fonts
Of course you may hate YUM but the package is available for other distros as well. Even if you are using Windows (download the font from the url: http://www.thlib.org/tools/#wiki=/access/wiki/site/26a34146-33a6-48ce-001e-f16ce7908a6a/tibetan%20machine%20uni.html)
Colorless green Cthulhu waits dreaming furiously.
Buddhabuntu perhaps?
Not the entire US Govt - just the state department. It was a political pissing contest over which contract was used and that Congressman Wolf didn't get a kickback if the contract went through Lenovo who was doing business out of New York. If Chinese made computers or Chinese controlled companies were the issue, they wouldn't have bought any computers. There are no computers made solely with US parts on US soil.
Computers aren't that big of a deal. You inspect for physical anomalies, wipe the HD and install the OS. You never use the default factory install as it's untrustworthy. Same reason you wipe thumb drives on a standalone computer before issuing to your users.
Now if you want to talk about untrustworthy sources - there are legitimate reasons for the US govt to avoid Kaspersky A/V as the company is owned by an ex-KGB type and has connections to Russian hackers.
ASLR in Linux is a novelty and usually not the default. Just like selinux is a joke.
Yes, and there's a reason for that: the Linux community apparently doesn't want them and doesn't find them useful. If enough people wanted them, they'd be on by default in the major distributions.
Too bad MS has figured out how to implement it consistently.
Yes, and that pretty much tells you what's wrong with Microsoft: it's a bunch of managers deciding top down what security mechanisms Windows should use, and then they direct their masses of programmers to implement that "consistently", and finally it gets shipped with the next major release, whether users want it or not.
The trouble with the Microsoft approach is that nobody in the world is smart enough to design security correctly in such a top-down way. Based on a bunch of papers half a dozen years ago, Microsoft may have jumped onto the ASLR bandwagon, but that doesn't make it a good security solution.
And this top-down, planned approach is the reason Microsoft keeps screwing up and why they need to spend so much money developing software that other people develop with a fraction of the investment. It sounds good on paper, and control-freaks love it, but it simply isn't a good way of creating a complex software system.
Remind me again please which OS the botnet runs on? Thank you.
MS embeds all kinds of code from third parties. Drivers, libraries etc etc. It has been shown time and time again that there are huge security holes in MS code, holes that are actively exploited. It ain't for nothing that when the NSA wanted to make a proof of concept secure OS they chose Linux.
You got a point, how can you trust any OS if you have not checked the code. Where you take a dive off the deep end is that you then suggest that MS can be trusted to check the code for you. Not trusting say Red Hat blindly that they checked all the code is sensible, trusting Microsoft that they checked all theirs is just plain silly. If they had, they wouldn't have so many bugs. And your faith in your government is bordering on the insane.
Anyway, that same government checks Linux code. So either both are to be trusted or neither is.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Graphite is an open-source technology, designed for the specific purpose of non-Roman fonts with complex behaviors like contextual shaping, etc.
Unfortunately, the default font rendering toolkit in Linux, Pango is not a smart-font technology.
However, the pango-graphite library supports the smartfont technology if fonts are authored with the appropriate tables.
I think that people need to share their experiences with designing smart fonts. This way, more projects know what are their options.
Does it include Enlightenment?
... you need to choose a competent admin. Remember, security is a process, not a product ...
gd
It's not about the OS. I've had Windows servers remain safe for years, and Linux servers be subverted in days.
Security is an eco-system, not an OS, for example:
- granting and removing access rights, in a very conservative and up-to-date manner
- keeping an audit trail of every access
- locking confidential info so it never gets onto a laptop's HD
- having backups
- securing every cog and wheel of the system: client PCs, routers, servers, backups, admin stations...
- locking down the weakest point: users (weak passwords, copied files, printouts, espionage...)
- and many more issues.
In the big picture, the OS is fairly irrelevant. It's only a very small part of the whole system. The whole "we need to be safe - let's switch to Linux" is wrong and shows a tremendous lack of understanding of the issues.
The Cloud - because you don't care if your apps and data are up in the air.
and avoid Microsoft as it is an American corporation with deep connections to the American Government... who would love to have a backdoor into computers used by other governments... and the means to remotely force "upgrades" onto those machines...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
What I would try and convince the people of who you are working with is that security is a continuum running from almost totally secure to almost completely insecure (to the extent that there is such a thing), so in reality pretty much no OS will be completely secure. What is interesting, I think, is that usability is inversely related to security. If you imagine that an OS which wouldn't allow you to write to the disk and wouldn't allow you on the internet you can imagine that when security is that high you'll get almost no usability.
With that in mind I would advocate trading a lot of usability for security - you could have an encrypted disk and run a terminal with something like nano and lynx installed - this would be pretty damn secure especially if you were running it on fairly secure hardware (did Intel ever fix the security issue that Theo de Raadt was talking about in the Core 2s?) with something like OpenBSD as the core. This, I think would allow you (after some modifications) to allow pretty robust security. A downside though is that I'm pretty sure you might be compelled to run in English as I'm not sure how good the language support is for this sort of thing (with no GUI I can't imagine it would be great). Even so, I think if your data security is important (and let's face it, in this situation it probably is) then the trade-off might be worth while.
Of course, perhaps the more gaping hole in security is the user themselves, who could always reveal all the information they had to anyone... XKCD said it better - http://xkcd.com/538/
*''I can't believe it's not a hyperlink.''
Yes, these levels of security from the 'orange book' are what I was thinking about when I made an earlier post that recommended an OS from Green Hills Software. They sell an 'A1' level OS, called 'Integrity'.