A Secure OS For the Dalai Lama?
Jamyang (Greg Walton) writes "I am editor of the Infowar Monitor and co-author of the recent report, Tracking Ghostnet. I have been asked by the Office of His Holiness, the Dalai Lama (OHHDL) and the Tibetan Government in Exile (TGIE) to offer some policy recommendations in light of the ongoing targeted malware attacks directed at the Tibetan community worldwide. Some of the recommendations are relatively straightforward. For example, I will suggest that OHHDL convene an international Board of Advisers, bringing together some of the brightest minds in computer and international security to advise the Tibetans, and that the new Tibetan university stands up a Certified Ethical Hacking course. However, one of the more controversial moves being actively debated by Tibetans on the Dharamsala IT Group [DITG] list is a mass migration of the exile community (including the government) to Linux, particularly since all of the samples of targeted malware collected exploit vulnerabilities in Windows. I would be very interested to hear Slashdot readers' opinions on this debate here." (More below.)
Jamyang continues: "Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in recent years, so in the long run, if the attackers want your data, the entire move is moot. People should choose a platform based on their productivity requirements instead of purely security. Furthermore, most of the web servers broken into during these attacks (to be used as command and control servers) were not Windows, but Linux. What do you think? (While I have the floor I'd also like to take this opportunity to plug two initiatives where Slashdot readers can directly help the Tibetan tech community, either through sharing your expertise or your cash! Firstly, one of the obstacles to migrating to Linux for a Tibetan speaker is the lack of a decent Tibetan font — can you help? Secondly, Avaaz is raising funds for projects that will help End The Blackout in Tibet, including a proposal to support the deployment of Psiphon's circumvention network. Thanks, or in Tibetan, thuk.je.che!"
A secure OS for the office of HH the Dalai Lama (Score:5, Informative)
Talk to the Bhutanese Govt. They're now using a Debian variant with localised scripts for Dzongkha. Debian includes some Tibetan fonts.
That should give you 20,000 apps to leverage :) Christian Perrier who co-ordinates some of the Debian translation work may know more.
Paranoid Linux someday, NetBSD now. (Score:5, Informative)
http://paranoidlinux.org/ is a project to create a distribution which assumes the user is under assault from the government. Right now, it's a vaguely locked down version of Ubuntu, but someday this might be pretty cool.
In the meantime, just run NetBSD and full-disk encryption.
From Wikipedia:
NetBSD provides various features in the security area. The Kernel Authorization framework (or Kauth) is a subsystem managing all authorization requests inside the kernel, and used as system-wide security policy. It allows external modules to plug-in the authorization process. NetBSD also incorporates exploit mitigation features, ASLR, MPROTECT and Segvguard from PaX project, and GCC Stack Smashing Protection (SSP, or also known as ProPolice) compiler extensions. The Verified Executables (or Veriexec) is an in-kernel file integrity subsystem in NetBSD. It allows the user to set the digital fingerprints (hashes) of files in the system to monitor by the Veriexec, and prevent the execution of them. For example, one can allow Perl to run only scripts that match the fingerprints. The cryptographic device driver (CGD) provides functionality which allows using the disks or partitions (including CDs and DVDs) for encrypted storage in NetBSD.
Not only the DL (Score:2, Informative)
A very similar penetration was detected on the IT infrastructure of several German govt. agencies not long ago.
Lots of internal information were uploaded to the internet before it was detected and stopped.
And the trail seemed to lead... you know where.
Re:First thoughts (Score:2, Informative)
Agreeing with parent. Even with all of the work that has gone into patching Windows, it's still the most hacked OS out there. A huge amount of work has gone into security on Unix/Linux also due to the long history of use on servers. Linux just doesn't have good advertising. Do a bit of reading on Linux security (SELinux, Apparmor, etc.) and you might be surprised.
On the matter of fonts, why the problem? Buy a Windows font and install it in Linux. It will work as long as you have the right (generally standard) packages installed. The Windows font installer will not work, but the TrueType fonts etc WILL. Same for any Mac fonts. My Dad had collected a huge amount of fonts on his Mac, but wanted them on Linux, so I installed them and they work just fine. Linux is very compatible with the rest of the world, don't believe the FUD.
fonts? (Score:3, Informative)
I'm a little surprised to hear that there is no good Tibetan font. Here is a list of Unicode-encoded Tibetan fonts [alanwood.net], mostly both free and libre. Do none of them meet the need?
your assumptions are wrong (Score:5, Informative)
Why would it be more difficult to "write" (aka implement) exploits for one operating system than another? You should be worried about how hard it is to find exploits and how quickly they're fixed.
Assuming for the moment all you care about is the actual security of your software (excluding implementation details, mis-configurations, etc), the real metric you want to be looking at is the frequency of discovery of serious vulnerabilities and the span of time from first (non-public) discovery (which may not be knowable) and the appearance of a patch you could use. Looking merely at "remote root exploits / year" and "mean time to patch remote root exploit" might not be a bad place to start.
Also, you need to think about the actual design of the operating systems in question. Without tipping my hand too much, some might say that the Unix user/superuser distinction is something Microsoft could learn from.
That being said, though, I'll tell you my opinions.
Netbsd has one of the best track records in the industry with regards to server security. The security of *nix, in general, scales directly with the intelligence of the people managing it. You can get decently far with Windows and just doing things 'by the book,' but it's got all the typical problems of monoculture and a well-deserved poor reputation.
A group of very intelligent, very technical network admins are nearly unstoppable given linux and sufficient control. A group of very intelligent people can probably make do with Windows too. Windows configured by average people may in some cases be better than Linux configured by average people.
In any event, just from reading your question, I doubt you are technical enough to undertake this at a nuts-and-bolts level. You kind of came here asking "Is Linux or Windows more secure?" You bet your ass I have an opinion on the matter, but the problem is, so does everyone else. You need to find highly intelligent people, and then use your common sense and analytical thinking to weigh their arguments. In short, stop thinking as if the answer to your question would provide security; find smart people experienced in securing things and then evaluate the tools (operating systems) as they relate to your immediate ends.
Oh, so you're playing Devil's Advocate? (Score:3, Informative)
For a bit more balance in the whole story, have a look at this video [youtube.com].
Anyone willing to debunk this, you're welcome; I still have quite a quarrel each time the Dalai Lama gets mentioned as some sort of Saint.
(This does not reflect my opinion on the whole Tibet/China debacle; I think that's as bad as it is)
Re:Oh, so you're playing Devil's Advocate? (Score:2, Informative)
It is true that the government of Tibet prior to the Chinese invasion had many faults. However, that does not in any way justify the Chinese invasion and colonization of Tibet. First, if the Chinese goal were merely to free the serfs etc., they could have done so and withdrawn. There would be no need to stay for fifty years, much less to introduce hundreds of thousands of colonists and suppress Tibetan culture. Second, the faults of the Tibetan government cannot be attributed to the Dalai Lama, who was very young when the Chinese invaded. He has consistently supported democracy, equality, and human rights. There is no reason to believe that Tibet under a restored Tibetan government led by the Dalai Lama would not be a progressive government. Third, while there have been some benefits of modernization under the Chinese regime, it is a dictatorship, not a democracy, without freedom of speech or most other human rights, and so in most respects no improvement over, or even worse than, the old Tibetan government.
In sum, sure, it is silly to believe that everything was just wonderful until the Chinese invasion, but that shouldn't be taken to justify Chinese imperialism.
Re:fonts? (Score:3, Informative)
I'm a little surprised to hear that there is no good Tibetan font. Here is a list of Unicode-encoded Tibetan fonts [alanwood.net], mostly both free and libre. Do none of them meet the need?
I agree-- it appears they are possibly misinformed about fonts. There are at least 2 very good TrueType Unicode Tibetan fonts-- "Tibetan Machine Unicode" and "Jomolhari", both of which are more attractive, as well as more advanced in their development, than Microsoft's "Himalaya" font.
Re:First thoughts (Score:2, Informative)
"...also note, a lot of linux and mac os x do not have a lot of features listed, nor did they have them when they were 'conceived.'"
Wrong and laughable. Here's a feature comparison of Vista security features from that list and similar Linux / Unix technologies.
UAC - standard Unix multi-user model separates privileges; sudo or pfexec allows access by regular users to admin-level commands according to strict rules. Available for years ...
Drive Encryption - old news on *nix systems; luks + aes can do full drive encryption with usb key.
Firewall - pf, sunscreen, iptables, take your pick.
Defender - lulz; we don't have an equivalent in the *nix world; I wonder why ?
Parental Controls - I don't know about this one
EFS - my swap is encrypted on running workstations via luks
ASLR - available for some time (since an early 2.6 kernel I believe). Add-on packages offer increased protection. Also, ASLR is not enabled for IE7 (http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx). Nice.
DEP - (via processor-supported NX bit) available in Linux kernel since '04
DRM - HAHAHAHA! No thanks
Application isolation & Windows Service Hardening - CHROOT jails, or light-virt options like Solaris Zones, BSD Jails, openvz, virtuozo, etc. have existed for years and years. And, of course, most services have application-level access control mechanisms.
Authentication - Radius is possible, smartcard support is possible; PAM is pluggable and has included these protections for a long, long time.
Crypto API - Linux kernel has long supported ECDSA and other advanced crypto.
Network access protection - I don't want or need this kind of bloatware on my networks
It is noteworthy that such comparisons are probably spurious: we rely on Microsoft to tell us about Windows' security features because we can't examine the source and come to our own conclusions. Unix and Linux security is enhanced through research and development performed by an entire community of hobbyists, researchers, corporations, and others. It seems to me that effective security policies and technologies can only come out of such an environment. As with most of the items in the above list, Microsoft seems to be constantly playing catch-up.
Re:Huh? (Score:3, Informative)
You bring up a very important argument : trust. Who do you trust in the cases of you being the Dalai Lama and you're using linux or windows.
Windows : you're trusting Microsoft, the State of Massachusetts and the Federal Government of America. All of these organizations vet their people; every step up the ladder means more thorough checks. This means that Microsoft has the option of ratting out just about everything you know to the Chinese.
Linux : you're trusting everyone, everywhere with the basic smarts of getting code accepted in an open source project.
This is the story of how a "slightly better than average" attempt at backdooring the Linux kernel was thwarted:
http://www.securityfocus.com/news/7388 [securityfocus.com]
http://www.linuxtoday.com/news_story.php3?ltsn=1999-01-22-005-10-SC [linuxtoday.com]
http://www.opennet.ru/base/sec/p52-18.txt.html [opennet.ru]
How can this be prevented ? Simple : vet your contributors BEFORE accepting code from them.
Re:Lack of font? Design your own! (Score:4, Informative)
Yes, I would say that it is more difficult than Arabic. In the case of Arabic you've just got positional variants of most letters, but they don't actually combine in particularly complicated ways, with a few limited exceptions that can be treated as ligatures, e.g. alif-lam. The problem in Tibetan is that you not only have vowel diacritics like in Devanagari but complex stacks of consonants.
Where is OpenBSD? (Score:2, Informative)
Not to mention OpenBSD has been auditing their code file-by-file since 1996. They also employ the following technologies:
strlcpy() and strlcat()
Memory protection purify
Privilege separation
Privilege revocation
Chroot jailing
New uids
ProPolice
And since OpenBSD is based in Canada you get all the cryptography [openbsd.org] you would ever desire.
Font is not a problem... (Score:3, Informative)
yum install tibetan-machine-uni-fonts
Of course you may hate YUM but the package is available for other distros as well. Even if you are using Windows (download the font from the url: http://www.thlib.org/tools/#wiki=/access/wiki/site/26a34146-33a6-48ce-001e-f16ce7908a6a/tibetan%20machine%20uni.html [thlib.org])
Re:Lack of font? Design your own! (Score:5, Informative)
Actually, there are about five free Unicode fonts that I know of for Tibetan and Dzongkha. Both Windows and Linux support these fonts, and many traditional texts have been typed in Unicode. (OSX has a small problem, from what I've heard).
There are two produced by Chris Fynn: TibetanMachineUnicode from THDL, and Jomolhari. Both are UChen fonts.
CTRC produces four fonts (1 UChen and three Ume): CTRC-Uchen, CTRC-Tsumachu, CTRC-Betsu and CTRC-Drutsa
Additionally, Nithartha has made a proprietary unicode complying font called Sambhota.
There are also several legacy font systems which use several font files with prestacked characters and input programs.
This link http://www.aerifal.cx/~dalias/bodyig/fonts/ [aerifal.cx] should give plenty more examples.
SIL Graphite Smartfont? (Score:4, Informative)
Unfortunately, the default font rendering toolkit in Linux, Pango [sil.org] is not a smart-font technology.
However, the pango-graphite [ubuntu.com] library supports the smartfont technology if fonts are authored with the appropriate tables.
I think that people need to share their experiences with designing [sil.org] smart fonts. This way, more projects know what are their options.
Re:Huh? (Score:5, Informative)
I agree with you that Linux in general isn't a very safe bet when you want to be secure, especially not if you are worried about targeted attacks.
However, that does not mean that ``open source software, in its current form, cannot defend against a concerted attack by any large groups of individuals. It can't be done.''
There is a project called OpenBSD [openbsd.net] which does exactly what you suggest open source projects don't do: conduct security audits [openbsd.org] of their whole system.
Personally, I would trust OpenBSD much more than I would any closed-source vendor. Also, OpenBSD has a number of security features [openbsd.org] that limit the impact of any vulnerabilities not caught by the audit process.
Also, Debian [debian.org] has an audit process [debian.org] that looks not only at the base system, but also at the packages that are included in the distribution. This does not cover all packages [debian.org], but goes a whole lot further than what many vendors (particularly Microsoft) offer.
On the whole, I think you are being overly negative about security in the open source world, and too optimistic about security in the closed source world. From personal experience, I can tell you that the idea that code in closed-source projects has to make it past "at least one code review" is simply wishful thinking. By contrast, the idea that code has to pass at least one review before being accepted is an actual reality in at least some open source projects (including Linux and OpenBSD).
So, while certainly not claiming that using Debian or even OpenBSD is a panacea for security, I have much more faith in those projects than in any closed source project.
Re:Lack of font? Design your own! (Score:5, Informative)
You are trying to solve the wrong problem. You are assuming that you are facing random attacks from an attacker who just wants to go for some computer, any computer. In that case being on an uncommon system helps because the attacker sees less profit. However; in this specific case moving to a low usage system is the worst possible thing you can do. The attacker is the Chinese government and they have the resources and will to make special dedicated custom attacks. Moving to an OS that nobody else uses gives them several advantages.
A) the system is less likely to have had serious peer review so finding vulnerabilities should be easier for their Chinese enemies.
B) the Chinese attackers can minimise collateral damage:
note the Chinese do not want to cause needless trouble - if they release an exploit for a windows vulnerability they have a risk of damaging random US govt computers which might give a propaganda advantage to Pentagon people at the wrong moment. It's much more convenient for them if they have an easy way to identify a Tibetan computer. If only Tibetans use an OS, then attacking that OS is perfect.
Things that the Tibetans want within their system.
A) serious general stability and safety (==properly audited open source by people who take security seriously)
B) methods to recognise applications which have gone rogue (==mandatory access control per application)
C) proper systems for monitoring system changes (==tripwire etc)
D) variable security so that experts in their community can detect problems whilst others can still work (==security features such as SELinux which can be turned on gradually)
E) fully controlled but very rapid security updates (==apt / yum etc).
For me that means that they want to have serious mandatory access control / role based access so that they can build application specific traps for malware (as in SELINUX). They need to have a system they can basically trust (OpenBSD) They want to have file based intrusion detection (tripwire / OpenBSD's systems). They need to have a system where they can take updates under their own control, but mostly don't have to do that.
When it comes to what I would recommend for them that's an incredibly difficult problem. Windows is out because it fails to provide so many of the basics. OpenBSD I would love to recommend, but the impossibility of building automated updates and the lack of role based access control rules it out for me. Probably I would end up recommending a CentOS (for normal users/people without money)/RedHat (for places needing commercial support) based system with a custom update distribution in places where RedHat's update policy is insufficient or where attacks via RedHat are a fear.
One thing which is absolutely clear; Windows should be ruled out
A) The Chinese government has preferential access to the Windows source code. As such they will always know a vulnerability you don't. If you are their enemy then it can never be an acceptable system.
B) Windows is closed source and the build is under someone else's control; this means you can never be sure what is on your system and can never reduce it to just the components you need
C) Windows is closed source and won't publish the source after a security breach; this makes it impossible to isolate root causes for an attack and stop them happening again.
D) Windows is closed source and impossible to customise. This makes it impossible to set traps for malware with custom security systems and leads to a security monoculture.
E) Windows is run by a commercial entity with an interest in turning on functionality. This means that even secure systems very rapidly become insecure when used by less experienced users.
However there's one crucial problem
A,B,C,D...Z) If the user administrator is clueless they won't spot attacks so a total Linux newbie will be much worse than a Windows expert.
Overall, the advice to move to Linux isn't bad, but it's something which the Tibetan community will have to do in a very serious and planned way whilst at the same time building up the number of security experts in their community and doing serious work on this. Without that kind of effort the effect will be worse than their current situation.
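The file-integrity monitoring the post above asks for (item C, "tripwire etc", and the Veriexec fingerprint mechanism quoted earlier from Wikipedia), as an added example that is not code from the thread, from NetBSD, or from Tripwire: a userland baseline-and-verify check in Python. The directory layout, file names and the tampering in demo() are constructed for illustration; the function names are this example's own.

```python
"""Added example: a tripwire/Veriexec-style file-integrity check.

Not code from NetBSD, Tripwire or the Slashdot thread. The file names,
the directory layout and the demo() scenario are constructed.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size of every regular file under root.

    Symlinks are skipped on purpose: hashing through a link would let an
    attacker repoint a 'known' name at other content without touching the link.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": fingerprint(p),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root against a stored baseline.

    Returns sorted lists of relative paths under the keys
    'modified', 'mode_changed', 'missing' and 'added'.
    """
    current = build_baseline(root)
    report = {"modified": [], "mode_changed": [], "missing": [], "added": []}
    for rel, expected in baseline.items():
        seen = current.get(rel)
        if seen is None:
            report["missing"].append(rel)
            continue
        if seen["sha256"] != expected["sha256"]:
            report["modified"].append(rel)
        if seen["mode"] != expected["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = list(set(current) - set(baseline))
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        files = {  # constructed sample files, not real system content
            "bin/fontcache.sh": b"#!/bin/sh\nfc-cache -f\n",
            "etc/ssh_config": b"PermitRootLogin no\n",
            "etc/motd": b"Welcome\n",
        }
        for rel, data in files.items():
            p = root / rel
            p.write_bytes(data)
            p.chmod(0o644)
        baseline = build_baseline(root)

        # Tampering of the kind a dropper performs: alter a script, change a
        # config file's permission bits, add a new file, delete a file.
        (root / "bin/fontcache.sh").write_bytes(b"#!/bin/sh\nfc-cache -f\n# injected\n")
        (root / "etc/ssh_config").chmod(0o444)
        (root / "bin/.dropper").write_bytes(b"\x7fELF")
        (root / "etc/motd").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add before relying on this: the baseline must be kept where the machine being checked cannot rewrite it (signed, or on read-only or off-host media), and a userland checker only sees what the kernel shows it, so once a kernel-level rootkit is in place it can lie about file contents; that is the gap NetBSD's in-kernel Veriexec is designed to close, and why checks like this one are best run from a clean boot.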
Re:Huh? (Score:5, Informative)
You have little clue about the reality of oss code checking etc. I implore you to submit a patch to a random major oss project that causes a vulnerability and see if it becomes accepted.
Within projects there are hierarchies of developers; everyone checks each other's code up the chain, and the lower people can check the upper chain's patches also, of course with little recourse over the source tree except to perhaps fork, but people will be notified if anything malicious happens at the upper echelons.
As for you shouldn't trust any author with oss, check all code yourself, how is that any different from saying 'you shouldn't trust any proprietary code, you should check it all in a debugger and reverse engineer it yourself'?
At least OSS has transparency, and you can see the trails of who has done what. I agree the packagers almost always trust upstream, but why shouldn't they? Upstream will have clean packages or they will fall from grace when it is discovered by a curious third party. It is in upstream's best interest to thoroughly ensure the source is clean.
It is very non-trivial for a new developer to have a large patch accepted in a major oss project, entirely because of all of the checks and balances upstream (the people who write the software).
At the core of any successful OSS project is typically a few (2-20) core people that oversee and check everything and are dedicated to making the project a success; putting backdoors in does not help that goal.
Re: No, a Trusted OS For the Dalai Lama (Score:3, Informative)
Yes, these levels of security from the 'orange book' is what I was thinking about when I made an earlier post that recommended an OS from Green Hills Software. They sell an 'A1' level OS, called 'Integrity'.
Re:Oh, so you're playing Devil's Advocate? (Score:1, Informative)
a) Chinese propaganda.
b) The fact that Tibetan society had many flaws prior to the invasion does not in any way excuse the invasion and *after 50 years continued* colonization of Tibet.
c) So... no torture or abuse in Chinese occupied Tibet or China proper, eh?
And what's with the goons modding everything pro-Tibetan as "troll" and everything pro-Chinese-government-propaganda as "insightful"?