Slashdot Mirror

← Back to Stories (view on slashdot.org)

Indian Military Organization To Develop Its Own OS

Posted by timothy on from the there-are-drawbacks-to-this dept.

An anonymous reader writes "Several newspapers have reported that DRDO (the defence R&D organization of the Indian military) is planning to create an OS. The need for this arose due to the cyber security concerns facing India and that all [conventional] operating systems are made outside India. About 50 professionals in Bangalore and New Delhi are expected to start work on this operating system." At least one of the linked articles says the new OS, though home-grown, would run Windows software.

12 of 466 comments (clear)

  1. Re:Confusion by icebike · · Score: 4, Insightful

    Mod parent insightful.

    If you are going to run windows software you can bet they will start with with a Virtual Machine approach or Wine, and neither one buys them much security without diligence.

    he idea that a government funded military lab would develop from the ground up and achieve something that would run windows but wasn't as vulnerable seems highly unlikely.

    Budgets lapse. People Come and Go. It would be a mess.

    --
    Sig Battery depleted. Reverting to safe mode.
  2. Why not do *BSD or Linux code review and use it? by ad454 · · Score: 5, Insightful

    I know this is obvious, but come on...

    Seriously, why not take a *BSD or Linux OS release and do a full source code review on it? It will take a lot less effort than creating anything from scratch, plus they can submit bug reports and code fixes back to the corresponding opensource projects. (Everybody wins!!!) Any mature OS would not be plagued by bugs that commonly occur in large new code bases. After reviewing and approving the OS, they can simply track changes of future releases in order to maintain trust.

  3. Re:Who can be trusted? by JSBiff · · Score: 5, Insightful

    Don't use Binary Blobs, I agree, absolutely, if you care at all about your Sovereignty. Get the source tree for an already very well secured OS like, say, OpenBSD, or perhaps Linux (though OBSD is, I believe, generally developed with practices that encourage better security - less focus on feature, more on audits and exploit finding/fixing). Have your 'trusted' developers from your nation go over every line of code, to make sure no trojans/backdoors/intentional exploits were added, then build it all yourself.

    Of course, there is still always the possibility you have a hacked C compiler. Man, I can't remember the name of it now, but sometime in, I think it was the 80's, someone made a pretty famous presentation/paper about putting a self-perpetuating trojan into a compiler. You could give the compiler source code, and the binary of the compiler to the 'mark', but you could completely remove the exploit from the source code, as long as the exploit was coded to compile itself into subsequent builds of the compiler; that is, the binary was infected, but the source was not, but it didn't matter since the infected binary could build a copy of itself into the next build of the compiler. The exploit could then additionally do something like whenever it built other binaries or libraries, add some exploit code to them as well.

    I suppose you need your own people to do a dis-assembly of the compiler to verify that. Or, build your own assembler in machine language, then build your own compiler with your assembler. Once you've done that, if you have a trusted compiler, and verified source code, you don't really lose security by using Open Source. If anything, it'll *probably* be more secure, if it's popular enough to have a lot of devs analyzing it and fixing problems.

  4. Re:Why not do *BSD or Linux code review and use it by thoughtsatthemoment · · Score: 5, Insightful

    Simple reason: "Everybody wins" is not an option in real wars.

  5. Re:The Wheel by HoldmyCauls · · Score: 4, Insightful

    HAH! 'Tired' -- good pun!

    --
    Emacs: for people who just never know when to :q!
  6. Re:Who can be trusted? by simcop2387 · · Score: 5, Insightful

    Of course, there is still always the possibility you have a hacked C compiler. Man, I can't remember the name of it now, but sometime in, I think it was the 80's, someone made a pretty famous presentation/paper about putting a self-perpetuating trojan into a compiler. You could give the compiler source code, and the binary of the compiler to the 'mark', but you could completely remove the exploit from the source code, as long as the exploit was coded to compile itself into subsequent builds of the compiler; that is, the binary was infected, but the source was not, but it didn't matter since the infected binary could build a copy of itself into the next build of the compiler. The exploit could then additionally do something like whenever it built other binaries or libraries, add some exploit code to them as well.

    That would be Ken Thompson.

  7. Re:Who can be trusted? by Logic+Worshipper · · Score: 5, Insightful

    What the fuck? A government checking the code it runs on computers with sensitive data is "national socialist"? You think the United States government doesn't do this on CIA and DOD computers? Or are you a nut against building roads?

    We're talking about doing this only for government computers used for sensitive government data.

  8. Less Secure by Doc+Ruby · · Score: 4, Insightful

    It seems to me that an OS developed by an org that's never made an OS before, by 50 people, that isn't examined by many people around the world in many different contexts and from many different approaches, is going to be less tested and less secure than other OS'es. Not to mention the lack of applications, and the burden of creating all the applications from scratch, and a developer community for them, and again the smallness and isolation of that community and its apps leaving security to a very few very busy people.

    If I were responsible for protecting India's IT infrastructure, I might start an Indian state project to create an OS. But I'd just start with Android or Linux, and assign the people I have to investigating its open code for security holes and starting applications needed by essential Indian users. A lot less work, a lot more global partners to use (and many to omit from trust without losing everyone). Leveraging the English speaking skills of educated Indians to partner with people around the world to secure India.

    Reading the press, it seems they're really talking about a component in their new line of spy and military satellites. They mention they've got orders from other countries. So probably this venture is not at all calculated on security rissk, but rather on a perceived market opportunity. In which case it is even more likely to totally fail, but not after wasting a lot of time and money better spent on actual Indian security risks.

    Probably some general's nephew thinks he can sell some Linux clone to the government, and so the rest of the state and media apparatus starts talking it up.

    --

    --
    make install -not war

  9. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  10. I'm in awe. by Tumbleweed · · Score: 4, Insightful

    Obviously, they're not going to develop any such thing. Ever. This is one of the most brilliant job security moves I've ever seen in the computer industry. Kudos!

  11. Re:Have you ever met? by Panaflex · · Score: 4, Insightful

    Yes I have met some amazing Indian developers out there. There are also many H1B visa programmers who may be lacking in experience and are desperate to succeed in a foreign country which, lets be honest, considers them outsiders. They make half the pay in many situations and can be fired and sent home in the span of a week for any petty job disagreement.

    True innovation requires the ability to make mistakes, learn from them, and try something new - which is contrary and alien to the H1B "cog developer" system. I doubt many Americans could be as disciplined and work under such pressures and situations.

    Back home, India is building a truly amazing scientific pool of talent. Expect to see major challenges to American engineering & science - the population numbers game almost guarantees 3x the genius-level talent waiting to be discovered and educated.

    --
    I said no... but I missed and it came out yes.
  12. Re:Already an open source alternative to windows by v1 · · Score: 4, Insightful

    At least one of the linked articles says the new OS, though home-grown, would run Windows software.

    Brilliant. If you're into security, there's one rule of thumb you can always count on. Don't develop your own. Invariably you'll overlook something obscure and subtle and will create a weakness big enough to fly a 747 through. Stick with time-proven methods that have been under the microscope for years and have withstood the test of time and had all the bugs, shortfalls, and subtle problems worked out of them. Basically, you're not smarter than all the people that have contributed to making the currently available selections as secure as they presently are.

    If they're going to create an entirely new os themselves, in-house, for the sake of security, they're about to re-learn the above lesson.

    And sorry, but runs Windows? The whole security problem there to begin with is its never-ending craving to run old software that just wasn't bothered to be written securely. Look at the giant headache that was the breaking of windows software when XP came out. Then when Vista came out. Then when 7 came out. This is going to be a whole new level worse. They may say it can run Windows software, but either it won't run MOST of it, or they're just going to be defeating one of the primary purposes of writing their own secure OS to jimmy it to run any sizeable portion. If they're insisting on making their own OS, they may as well expect to have to write their own software too. In for a penny, in for a pound.

    --
    I work for the Department of Redundancy Department.