Slashdot Mirror


A Secure OS For the Dalai Lama?

Jamyang (Greg Walton) writes "I am editor of the Infowar Monitor and co-author of the recent report, Tracking Ghostnet. I have been asked by the Office of His Holiness, the Dalai Lama (OHHDL) and the Tibetan Government in Exile (TGIE) to offer some policy recommendations in light of the ongoing targeted malware attacks directed at the Tibetan community worldwide. Some of the recommendations are relatively straightforward. For example, I will suggest that OHHDL convene an international Board of Advisers, bringing together some of the brightest minds in computer and international security to advise the Tibetans, and that the new Tibetan university stand up a Certified Ethical Hacking course. However, one of the more controversial moves being actively debated by Tibetans on the Dharamsala IT Group [DITG] list is a mass migration of the exile community (including the government) to Linux, particularly since all of the samples of targeted malware collected exploit vulnerabilities in Windows. I would be very interested to hear Slashdot readers' opinions on this debate here." (More below.) Jamyang continues: "Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last few years, so in the long run, if the attackers want your data, the entire move is moot. People should choose a platform based on their productivity requirements instead of purely on security. Furthermore, most of the web servers broken into during these attacks (to be used as command and control servers) were not Windows, but Linux. What do you think?

(While I have the floor I'd also like to take this opportunity to plug two initiatives where Slashdot readers can directly help the Tibetan tech community, either through sharing your expertise or your cash! Firstly, one of the obstacles to migrating to Linux for a Tibetan speaker is the lack of a decent Tibetan font — can you help? Secondly, Avaaz is raising funds for projects that will help End The Blackout in Tibet, including a proposal to support the deployment of Psiphon's circumvention network. Thanks, or in Tibetan, thuk.je.che!"

24 of 470 comments

  1. Lack of font? Design your own! by Skinkie · · Score: 5, Informative

    It is clear that if an entire community has a requirement for a certain font, designing a new one is the easiest thing to do. Release it as free and you have a problem solved. Don't any Tibetan typographers exist? So with a bit of Googling they do exist and can be found here: http://www.thdl.org/

    --
    Support Eachother, Copy Dutch Property!
    1. Re:Lack of font? Design your own! by Anonymous Coward · · Score: 5, Funny

      But converting the religious leader and all his followers to Linux is definitely a workable thing to do.

    2. Re:Lack of font? Design your own! by g0at · · Score: 5, Funny

      put together their own Linux distro

      Dalai Linux!

    3. Re:Lack of font? Design your own! by javajawa · · Score: 5, Informative

      Actually, there are about five free Unicode fonts that I know of for Tibetan and Dzongkha. Both Windows and Linux support these fonts, and many traditional texts have been typed in Unicode. (OS X has a small problem, from what I've heard.)

      There are two produced by Chris Fynn: TibetanMachineUnicode from THDL, and Jomolhari. Both are UChen fonts.

      CTRC produces four fonts (one UChen and three Ume): CTRC-Uchen, CTRC-Tsumachu, CTRC-Betsu and CTRC-Drutsa.

      Additionally, Nithartha has made a proprietary Unicode-compliant font called Sambhota.

      There are also several legacy font systems which use several font files with prestacked characters and input programs.

      This link http://www.aerifal.cx/~dalias/bodyig/fonts/ should give plenty more examples.

      --
      Meh

    4. Re:Lack of font? Design your own! by rtfa-troll · · Score: 5, Informative

      You are trying to solve the wrong problem. You are assuming that you are facing random attacks from an attacker who just wants to go for some computer, any computer. In that case being on an uncommon system helps because the attacker sees less profit. However, in this specific case moving to a low-usage system is the worst possible thing you can do. The attacker is the Chinese government and they have the resources and will to make special dedicated custom attacks. Moving to an OS that nobody else uses gives them several advantages.

      A) the system is less likely to have had serious peer review, so finding vulnerabilities should be easier for their Chinese enemies.
      B) the Chinese attackers can minimise collateral damage:

      Note that the Chinese do not want to cause needless trouble - if they release an exploit for a Windows vulnerability they run a risk of damaging random US govt computers, which might give a propaganda advantage to Pentagon people at the wrong moment. It's much more convenient for them if they have an easy way to identify a Tibetan computer. If only Tibetans use an OS, then attacking that OS is perfect.

      Things that the Tibetans want within their system:

      A) serious general stability and safety (==properly audited open source by people who take security seriously)
      B) methods to recognise applications which have gone rogue (==mandatory access control per application)
      C) proper systems for monitoring system changes (==tripwire etc)
      D) variable security so that experts in their community can detect problems whilst others can still work (==security features such as SELinux which can be turned on gradually)
      E) fully controlled but very rapid security updates (==apt / yum etc).

      For me that means that they want to have serious mandatory access control / role-based access so that they can build application-specific traps for malware (as in SELinux). They need to have a system they can basically trust (OpenBSD). They want to have file-based intrusion detection (tripwire / OpenBSD's systems). They need to have a system where they can take updates under their own control, but mostly don't have to do that.

      When it comes to what I would recommend for them that's an incredibly difficult problem. Windows is out because it fails to provide so many of the basics. OpenBSD I would love to recommend, but the impossibility of building automated updates and the lack of role based access control rules it out for me. Probably I would end up recommending a CentOS (for normal users/people without money)/RedHat (for places needing commercial support) based system with a custom update distribution in places where RedHat's update policy is insufficient or where attacks via RedHat are a fear.

      One thing which is absolutely clear: Windows should be ruled out.

      A) The Chinese government has preferential access to the Windows source code. As such they will always know a vulnerability you don't. If you are their enemy then it can never be an acceptable system.
      B) Windows is closed source and the build is under someone else's control; this means you can never be sure what is on your system and can never reduce it to just the components you need.
      C) Windows is closed source and won't publish the source after a security breach; this makes it impossible to isolate root causes for an attack and stop them happening again.
      D) Windows is closed source and impossible to customise. This makes it impossible to set traps for malware with custom security systems and leads to a security monoculture.
      E) Windows is run by a commercial entity with an interest in turning on functionality. This means that even secure systems very rapidly become insecure when used by less experienced users.

      However, there's one crucial problem:

      A,B,C,D...Z) If the user administrator is clueless, they won't spot attacks, so a total Linux newbie will be much worse than a Windows expert.

      Overall, the advice to move to Linux isn't bad, but it's something which the Tibetan community will have to do in a very serious and planned way whilst at the same time building up the number of security experts in their community and doing serious work on this. Without that kind of effort the effect will be worse than their current situation.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  2. A secure OS for the office of HH the Dalai Lama by AndyCater · · Score: 5, Informative

    Talk to the Bhutanese Govt. They're now using a Debian variant with localised scripts for Dzongkha. Debian includes some Tibetan fonts.

    That should give you 20,000 apps to leverage :) Christian Perrier, who co-ordinates some of the Debian translation work, may know more.

  3. If the only thing they run is windows... by saleenS281 · · Score: 5, Informative

    The only exploits they're going to discover are Windows exploits. I hope you've made them well aware that exploits exist for every platform, and if someone is directly targeting them rather than just hitting them with run-of-the-mill worms, they're going to get in. You should focus your efforts on limiting the amount of damage someone can do once they do get in.

    1. Re:If the only thing they run is windows... by edsousa · · Score: 5, Insightful

      I would focus on teaching them security practices:
      • do not open attachments you don't know
      • don't store your confidential data on your laptop
      • keep auto-updates on and check that they are working
      • report any suspected breach to IT

      Most of all, make sure that anyone that uses a computer is aware of the risks. Even more so at higher clearance levels.

  4. Single OS not good for Dalai Lama's computer by multipartmixed · · Score: 5, Funny

    If *I* was in charge of the DL's computer, I wouldn't put on *only* Linux or *only* Windows or what have you. I think the DL needs a multiboot machine, and would really appreciate it if you tried to make him one with everything.

    --
    Do daemons dream of electric sleep()?
  5. Paranoid Linux someday, NetBSD now. by 7Ghent · · Score: 5, Informative

    http://paranoidlinux.org/ is a project to create a distribution which assumes the user is under assault from the government. Right now, it's a vaguely locked down version of Ubuntu, but someday this might be pretty cool.

    In the meantime, just run NetBSD with full-disk encryption.

    From Wikipedia:
    NetBSD provides various features in the security area. The Kernel Authorization framework (or Kauth) is a subsystem managing all authorization requests inside the kernel, and used as system-wide security policy. It allows external modules to plug into the authorization process. NetBSD also incorporates exploit mitigation features, ASLR, MPROTECT and Segvguard from the PaX project, and GCC Stack Smashing Protection (SSP, also known as ProPolice) compiler extensions. The Verified Executables (or Veriexec) is an in-kernel file integrity subsystem in NetBSD. It allows the user to set the digital fingerprints (hashes) of files in the system to be monitored by Veriexec, and to prevent the execution of them. For example, one can allow Perl to run only scripts that match the fingerprints. The cryptographic device driver (CGD) provides functionality which allows using the disks or partitions (including CDs and DVDs) for encrypted storage in NetBSD.

  6. Re:Huh? by maz2331 · · Score: 5, Insightful

    Especially if the sysadmins take an active role in:

    A. Customizing and minimizing the installed packages.
    B. Configuring a very restrictive set of firewall rules.
    C. Configuring a very tight SELinux policy.

    The key to Linux is to not think of it as an operating system so much as an "OS Toolbox" that lets you build just what is needed.

  7. Practical considerations and philosophical ones by funkapus · · Score: 5, Insightful

    First of all, converting the Dalai Lama to Linux is about the coolest IT project I've ever heard of, so congratulations.

    That aside, there are practical considerations and there are philosophical ones you'll want to consider. Practically speaking, no platform is 100% secure. Linux has historically been more secure than Windows. MS has made a lot of progress in the last decade or so.

    The question is, do you prefer the closed-source approach or the open-source one? Would you rather the problems be hidden away, or laid out for all to find? In the closed-source scenario, knowledge of exploits may be less common, but that cuts two ways. Fewer attackers will be aware of an exploit, but fewer defenders will be aware of it as well. That may well result in the exploits that do occur being much more severe.

    Beyond those practical considerations, which approach fits better with the values of the Tibetan community and the Dalai Lama in particular? In my mind, open source is the embodiment of non-attachment.

  8. You must not have heard by heybuddy · · Score: 5, Funny

    Apparently this Vista thing is the most secure OS on the planet.

  9. Something that helps by DeltaQH · · Score: 5, Interesting

    Always boot from trusted, read-only media, like a CD/DVD or a locked USB thumb drive.

    The media should contain not only the OS but also the applications, in a trusted configuration. No updates allowed from outside trusted entities.

    Use only boot media provided by a trusted entity.

    Maybe also use something like tripwire to detect changes in the OS/application files, checking for changes by comparing sensitive files.

    Full encryption of sensitive data/drives.

  10. Somebody please mod this "underrated" by e9th · · Score: 5, Funny

    After all, this is the worst possible article in which to lose karma.

  11. Red Flag by McGiraf · · Score: 5, Funny

    Red Flag Linux ? ;)

  12. Or Ubuntu, because by notionalTenacity · · Score: 5, Funny

    it's like the soul of Debian, but reincarnated in a new body.

  13. Re:Huh? by dangitman · · Score: 5, Insightful

    Your windows install has at least been verified by a known party.

    Yes, a known incompetent party, which has very little concern for security or the vetting of source code, but has rather different interests foremost.

    --
    ... and then they built the supercollider.
  14. Re:Huh? by J+Story · · Score: 5, Insightful

    There are thousands of attack vectors into linux, far more than there are into any windows software.

    How do you know this? A claim this large needs to be supported by something more than mere assertion.

  15. Re:Huh? by whoever57 · · Score: 5, Interesting

    Microsoft knows the social security numbers, bank accounts, and in most cases close associates of all these people.

    So what? China plays a long game; people could have been sent to immigrate to the US years ago. With travel to China very common these days, could you be sure that China has not succeeded in planting spies?

    I'm sure that were one to dig deep enough, you'd find that the XP kernel (like some central parts of the Linux kernel) has been vetted by NSA experts.

    Forget the kernel -- it's the compiler that is the key. Didn't someone show years ago how code could be inserted into a compiler and once it was there, there was no way to remove it -- apart from going back through the archives and finding a sufficiently old and uninfected compiler? If the compiler adds code to the kernel every time the kernel is built, you can spend forever vetting the kernel source code, but not find the vulnerability that the compiler inserted.

    --
    The real "Libtards" are the Libertarians!
  16. Re:Huh? by Anonymous Coward · · Score: 5, Insightful

    There are thousands of attack vectors into linux, far more than there are into any windows software.

    How much source code have you verified on your Linux install? Your Windows install has at least been verified by a known party. Anyone wanting to get into your system will have to get past Microsoft first.

    Microsoft verifies its software so well that it doesn't even know what its privileged services do. They had to create an "archaeological" team to discover how their CIFS redirector works, just to be able to write the documentation the EU antitrust ruling mandated them to write as a remedy.

    It is well known that they historically never created, much less used, extensive test suites.
    Proof is the number of regressions you can see in their server software from one release to the other. Their testing method has always just been to run a battery of clients with Office and other "important" applications to make sure they did not "break".

    Now in theory getting into a Linux system would require getting past Red Hat or Canonical.

    In practice, as several breaches have demonstrated, compromising ANY widely used project (who accept volunteers as full committing members merely for showing a bit of ability) would be sufficient.

    And yet there is no evidence that any reasonably popular Linux distribution is compromised.

    It's easy to fantasize on what could happen, but empirical evidence shows this is mere speculation.

    How many Chinese spies are working on the Linux kernel? Improving it, yes, but also ...

    And how many have been working for Microsoft, with the added "benefit" that nobody can review the code outside of said organization? (which as mentioned above has already demonstrated it doesn't know its own code?)

    Do you dare to bet your life on the answer being zero?

    As much as I can bet my life on any other hw/sw system.

    A full Linux install being trustworthy is dependent on tens of thousands of coders all being trustworthy (since in practice, nobody checks one another's work, and no "real" security audits are being conducted. Checking personnel is considered heresy; refusing code based on lack of credentials is something that cannot ever be mentioned).

    Man, so much FUD in a single sentence is staggering.

    1) any major (and certainly any security-sensitive) project is checked. Every single check-in is normally reviewed by at least one other developer. This is true both for the kernel and many other projects. So the idea that nobody checks one another's work is total bullshit.

    2) not only is code checked by automatic checkers for defects, but a lot of cryptographic and security software is routinely certified (FIPS and others) and reviewed both internally and by external organizations.

    3) There is no need to refuse code on the basis of lack of credentials, because the code is *reviewed* first. So if you do something that is not simply stupid but malicious, you can bet none of your code will ever be reviewed again, much less committed.

    4) Obviously you have never developed any major FOSS software ...

    You want to be secure against Chinese interference? Go to Microsoft or IBM. Not because they do not have Chinese spies in their organisations, but because they most likely do not have 1000 Chinese spies in them.

    1,10,100,1000, does it make any difference?
    What you need is 1, and only 1.

    Also, those spies have to get past at least a single code review (one hopes) before compromising all customers' security.

    Ya, rly?

    Sorry to break the news to you: open source software, in its current form, cannot defend against a concerted attack by any large group of individuals. It can't be done. It doesn't have to be the Chinese. It's a matter of time before isla

  17. Re:Huh? by exponential · · Score: 5, Insightful

    Oh that wonderful little drama again.

    Had you followed that event a bit more closely, you would have known that little snippet of code had zero (yes, none, zilch) possibility of getting into Linus' branch, where all the public releases are made. In fact judging from your post I'd say you have no idea of what really happened at all.

    Do you seriously think they only introduced one problematic piece of code?

    No. I think it's one less than that. It might surprise you, but unlike some proprietary software, the big oss projects aren't big piles of mysterious crap, the developers really do understand their code.

    News of successful incursions will, for obvious reasons, not be released until untold damage is done

    With countless diligent people like you keeping a watchful eye, I'm sure any news of successful incursions into free/open source software will be promptly released when it happens. Or perhaps even earlier than that!

  18. Re:Huh? by RAMMS+EIN · · Score: 5, Informative

    I agree with you that Linux in general isn't a very safe bet when you want to be secure, especially not if you are worried about targeted attacks.

    However, that does not mean that ``open source software, in its current form, cannot defend against a concerted attack by any large group of individuals. It can't be done.''

    There is a project called OpenBSD which does exactly what you suggest open source projects don't do: conduct security audits of their whole system.

    Personally, I would trust OpenBSD much more than I would any closed-source vendor. Also, OpenBSD has a number of security features that limit the impact of any vulnerabilities not caught by the audit process.

    Also, Debian has an audit process that looks not only at the base system, but also at the packages that are included in the distribution. This does not cover all packages, but goes a whole lot further than what many vendors (particularly Microsoft) offer.

    On the whole, I think you are being overly negative about security in the open source world, and too optimistic about security in the closed source world. From personal experience, I can tell you that the idea that code in closed-source projects has to make it past "at least one code review" is simply wishful thinking. By contrast, the idea that code has to pass at least one review before being accepted is an actual reality in at least some open source projects (including Linux and OpenBSD).

    So, while certainly not claiming that using Debian or even OpenBSD is a panacea for security, I have much more faith in those projects than in any closed source project.

    --
    Please correct me if I got my facts wrong.
  19. Rather than choosing a secure OS ... by gd · · Score: 5, Insightful

    ... you need to choose a competent admin. Remember, security is a process, not a product ...

    --
    gd