×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

A Secure OS For the Dalai Lama?

timothy posted about 5 years ago | from the one-that-works-only-at-high-altitudes dept.

Operating Systems 470

Jamyang (Greg Walton) writes "I am editor of the Infowar Monitor and co-author of the recent report, Tracking Ghostnet. I have been asked by the Office of His Holiness, the Dalai Lama (OHHDL) and the Tibetan Government in Exile (TGIE) to offer some policy recommendations in light of the ongoing targeted malware attacks directed at the Tibetan community worldwide. Some of the recommendations are relatively straightforward. For example, I will suggest that OHHDL convene an international Board of Advisers, bringing together some of the brightest minds in computer and international security to advise the Tibetans, and that the new Tibetan university stands up a Certified Ethical Hacking course. However, one of the more controversial moves being actively debated by Tibetans on the Dharamsala IT Group [DITG] list, is a mass migration of the exile community (including the government) to Linux, particularly since all of the samples of targeted malware collected exploit vulnerabilities in Windows. I would be very interested to hear Slashdot readers opinions on this debate here." (More below.)Jamyang continues: "Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last years, so in the long run, if the attackers want your data, the entire move is moot. People should choose a platform based on their productivity requirements instead of purely security. Furthermore, most of the web servers broken into during these attacks (to be used as command and control servers) were not Windows, but Linux. What do you think?

(While I have the floor I'd also like to take this opportunity to plug two initiatives where Slashdot readers can directly help the Tibetan tech community, either through sharing your expertise or your cash! Firstly, one of the obstacles to migrating to Linux for a Tibetan speaker is the lack of decent Tibetan font — can you help? Secondly, Avaaz is raising funds for projects that will help End The Blackout in Tibet, including a proposal to support the deployment of Psiphon's circumvention network. Thanks, or in Tibetan, thuk.je.che!"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

470 comments

FIRST POST (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#27630337)

Microsoft Windows

second post (-1, Troll)

Anonymous Coward | about 5 years ago | (#27630349)

lunix. Also, eat my asshole.

Re:second post (-1, Troll)

Anonymous Coward | about 5 years ago | (#27630769)

I thoroughly recommend Last Measure OS. Here is a preview [goatse.fr].

But how can one actually eat a hole, considering a hole is the empty space (surrounded by something)?

Do you twofo [twofo.co.uk]?

Lack of font? Design your own! (5, Informative)

Skinkie (815924) | about 5 years ago | (#27630363)

It is clear that if an entire community has a requirement for a certain font designing a new one is the most easy thing to do. Release it as free and you have a problem solved. Don't any Tibetan Typographers exist? So with a bit of Googling they do exist and can be found here: http://www.thdl.org/ [thdl.org]

Re:Lack of font? Design your own! (2, Interesting)

slashqwerty (1099091) | about 5 years ago | (#27631087)

In the same vane, Tibet has a few million people. They could get several thousand people working together to develop their own system, or barring that, put together their own Linux distro and audit every line of code. It's just a question of how seriously they take their computer security.

Re:Lack of font? Design your own! (3, Insightful)

belmolis (702863) | about 5 years ago | (#27631121)

Actually, designing a Tibetan font is rather difficult. Tibetan letters combine in complicated ways (somewhat like Devanagari, but worse), meaning that it is either necessary to produce very sophisticated rendering software/info or necessary to create a large number of pre-combined glyphs.

Re:Lack of font? Design your own! (3, Insightful)

erroneus (253617) | about 5 years ago | (#27631191)

And failing the thousands of monks having nothing better to do than to spend hours with FontForge, they could just import (read: infringe upon copyright) the fonts they like under Windows and place them into Linux.

The original notions put forward do mirror my initial concerns when moving from Windows to Linux. Among those concerns were a good Japanese language interface and input method, good fonts and printer support. The first two were addressed with some heavy pushing in that direction with SCIM and whatever it was that came before it... then it became as good or better than Windows. The other was just opening up some man pages or simply giving it a try... turned out not to be difficult in the slightest.

Moving to a different operating system is a seemingly daunting task to those who have never done it before and they are required, then, to think of computing in terms of what you need to do and how you might accomplish it... not something most people are accustomed to thinking about. (The same can be said about moving from Word Perfect to Microsoft Word and it was a BIG deal!)

Moving away from Windows is simply necessary judging by the kinds of attacks described. Another option might be Deep Freeze... has that been defeated yet?

One thing is for certain: one should not be stopped from performing a necessary task merely because it is "difficult." Just do it. If it seems impossible, give it a try anyway. But moving the religious leader and all his followers to Linux is definitely a workable thing to do.

Huh? (4, Insightful)

khasim (1285) | about 5 years ago | (#27630365)

"Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last years, so in the long run, if the attackers want your data, the entire move is moot."

First off, yes, that is a single sentence.

Secondly, exactly who is it who says (or can demonstrate) that cracking a Mac or Linux box is easier than a Windows box? My experience is exactly the opposite.

Re:Huh? (4, Insightful)

cjfs (1253208) | about 5 years ago | (#27630475)

Secondly, exactly who is it who says (or can demonstrate) that cracking a Mac or Linux box is easier than a Windows box? My experience is exactly the opposite.

The language is vague enough to be pointless. Does he mean when run by the user as root? Does he mean remote exploit vs something in the full install of ___ distro? Does he mean windows makes you click yes more times to run it?

Now half the comments will be off-topic due to that sentence.

Re:Huh? (-1, Troll)

OeLeWaPpErKe (412765) | about 5 years ago | (#27631147)

There are thousands of attack vectors into linux, far more than there are into any windows software.

How much source code have you verified on your linux install ? Your windows install has at least been verified by a known party. Anyone wanting to get into your system will have to get past microsoft first.

Now in theory getting into a linux system would require getting past redhat or canonical. In practice, as several breaches have demonstrated, compromising ANY widely used project (who accept volunteers as full comitting members merely for showing a bit of ability) would be sufficient.

How many chinese spies are working on the linux kernel. Improving it, yes, but also ... Do you dare to bet your life on the answer being zero ?

A full linux install being trustworthy is dependant on tens of thousands of coders all being trustworthy (since in practice, nobody checks one another's work, and no "real" security audits are being conducted. Checking personnel is considered heresy, refusing code based on lack of credentials is something that cannot ever be mentioned).

You want to be secure against chinese interference ? Go to microsoft or ibm. Not because they do not have chinese spies in their organisations, but because they most likely do not have 1000 chinese spies in them. Also, those spies have to get past at least a single code review (one hopes) before compromising all customer's security.

Sorry to break the news to you : open source software, in it's current form, cannot defend against a concerted attack by any large groups of individuals. It can't be done. It doesn't have to be the chinese. It's a matter of time before islamic terrorists compromise projects (they certainly have attacked quite high-value targets on the internet aplenty. Most attacks are stupid. Some (currently a very, very tiny fraction) aren't). It's a matter of time before India breaks into open source projects. Keeping the NSA out of linux systems ... can't be done.

And that's the best case scenario. A code compromise cannot be avoided if you can't trust the contributors. Trusting people means checking them first. Nobody's doing that.

Checking the contributions require you taking into account every other piece of software it might interact with. It's like playing a chess game with chinese hackers, only you can't see their moves, since other projects don't concern you, you can only see your own moves.

And to be completely honest ... are you seriously hoping to hide a large group of Tibetan exiles from China's billion people ? You need to downsize seriously, and split the organisation.

Hiding an entire government from a billion eyes inside free countries where Chinese can move without anything more thorough than a weapons check (in many countries not even a weapons check) ? Sorry but it can't be done.

Re:Huh? (5, Insightful)

maz2331 (1104901) | about 5 years ago | (#27630497)

Especially if the sysadmins take an active role in:

A. Customizing and minimizing the installed packages.
B. Configuring a very restrictive set of firewall rules.
C. Configuring a very tight SELinux policy.

The key to Linux is to not think of it as on Operating System so much as an "OS Toolbox" that lets you build just what is needed.

Re:Huh? (1)

Krapangor (533950) | about 5 years ago | (#27630499)

Secondly, exactly who is it who says (or can demonstrate) that cracking a Mac or Linux box is easier than a Windows box? My experience is exactly the opposite.

So you say. But I found that a sledgehammer works for cracking any system.

Re:Huh? (1)

Tubal-Cain (1289912) | about 5 years ago | (#27630509)

Secondly, exactly who is it who says (or can demonstrate) that cracking a Mac or Linux box is easier than a Windows box? My experience is exactly the opposite.

Cracking with a virus? Probably not very easy. However, I would imagine that it is much simpler to write a trojan script for *nix than for Windows (until PowerShell gains mindshare among Windows users). Education is the only defense against PEBKAC.

Historically... (2, Interesting)

kandela (835710) | about 5 years ago | (#27630813)

Correct me if I'm wrong but I thought one of the major reasons Linux was more secure than Windows, was because the community worked together in a co-operative way. Their is a lot of good will in the community, writing a worm to hack into a Linux system is not top priority for a hacker, they'd much rather hack into a Windows system: they'd find that more rewarding.

But what if the all the resources of the Chinese government were put into writing worms to infiltrate Linux systems? I would think they would have some success certainly, but I would also anticipate that the Linux community would work together fairly effectively to combat the new challenge.

Re:Historically... (2, Interesting)

Insanity Defense (1232008) | about 5 years ago | (#27631217)

I would disagree. It is more secure because of the design. It is designed using the same principles as Unix and Unix has had decades to debug the design. As part of that design is the use of limited user accounts.

Typically to compromise a Linux system you have to break into the user account then escalate to root privileges. It adds extra steps. Many methods of breaking in further require the user to actively cooperate.

Many Windows programs REQUIRE the use of an Admin account so if the user is compromised the whole system is already in the hands of the intruder. Even some games won't run unless you have Admin privileges. Add such things as Microsoft's penchant for integrating programs deep into the OS rather than leaving them segregated and you have more ways into the system.

Re:Huh? (0)

Idiomatick (976696) | about 5 years ago | (#27630829)

Macs are the easiest PATCHED windows and mainstream linux are hard. Look at all the hacking competitions, Macs go down then much later linux and windows...

The reason windows is so filled with holes is because windows is the Joe 6 pack OS. If you took any secure linux user and made him use a windows machine he'd never get a virus or hacked. Period, no arguing that. He'd probably also have less technical problems. The only reason there are so many technical problems in windows is because all of the stupid computer users have it...

Re:Huh? (0)

Anonymous Coward | about 5 years ago | (#27630981)

Wow, so many words, so little understanding of them.

So what OSes are currently capable of participating in a botnet again? Hint, Linux ain't one of 'em.

Re:Huh? (0)

Idiomatick (976696) | about 5 years ago | (#27631237)

Sorry, my punctuation was confusing at best. I meant Mac is the easiest to hack. And patched windows/linux are the hardest to hack.

Re:Huh? (1)

Insanity Defense (1232008) | about 5 years ago | (#27631267)

So what OSes are currently capable of participating in a botnet again? Hint, Linux ain't one of 'em.

Linux is quite capable of taking part in a botnet. The fact that no one has yet come up with a method to compromise enough systems to run a botnet is a different issue. I suspect that is partially Linux security, part the diversity of Linux systems and part the perception that there are not enough systems to be worth attacking even if you could come up with a successful attack.

Re:Huh? (1)

Zerimar (1124785) | about 5 years ago | (#27631127)

Agreed, an educated user is relatively secure on both Linux and a fully patched Vista x64 box. Keep your permissions in order and run as a non-priveleged user, and you should be pretty safe. I personally don't even run anti-virus on either platform - just a waste of performance. Can't comment on Mac OSX since I haven't used it.

Free Tibet! (4, Funny)

dj245 (732906) | about 5 years ago | (#27630367)

With purchase of Tibet of equal or lesser value.

Re:Free Tibet! (0)

Anonymous Coward | about 5 years ago | (#27630605)

...of equal or lesser?!

I wish they did that in real life!

All right... (1)

ZarathustraDK (1291688) | about 5 years ago | (#27630633)

...we got white Tibet, black Tibet, spanish Tibet, yellow Tibet, we got hot Tibet, cold Tibet, we got (snuuuf) smelly Tibet, hairy Tibet, bloody Tibet, we got snappin' Tibet. We even got horse Tibet, dog Tibet...CHICKEN Tibet, c'mon you want Tibet, ? C'mon in Tibet-lovers, if we don't got you don't want it....

First thoughts (4, Insightful)

FooAtWFU (699187) | about 5 years ago | (#27630377)

it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last years, so in the long run, if the attackers want your data, the entire move is moot.

As opposed to the anti-exploitation frameworks which were present in UNIX systems from the moment they were conceived? and continually updated since? You've been listening to too much Microsoft advertising if you think they're Superior. (Competitive? Maybe. Superior? Not a chance).

parent is not offtopic (0, Flamebait)

KwKSilver (857599) | about 5 years ago | (#27630677)

Looks like MS shills/apologists/marketers have mod points to burn. 3 ... 2 ... 1 ... mod me down, Windows-lovers.

Re:First thoughts (1)

vistapwns (1103935) | about 5 years ago | (#27630779)

Since unix was conceived? So I must have imagined the morris worm and world readable passwd files. I'm guessing you're in your early 20s right about now... Anyway, YOU and your cheerleading friend should read up on vista's security: http://en.wikipedia.org/wiki/Security_and_safety_features_new_to_Windows_Vista [wikipedia.org] - and also note, a lot of linux and mac os x do not have a lot of features listed, nor did they have them when they were 'conceived.'

Re:First thoughts (1)

shywolf9982 (887636) | about 5 years ago | (#27630935)

a lot of linux and mac os x do not have a lot of features listed, nor did they have them when they were 'conceived.'

Nor do a lot of Windows Vista installs. Can you have those features on Linux/Mac OS X? Yes (excluding parental control, and keeping in mind we are talking about "approaches" more than how a certain feature exactly works. Because MS has patented that exact method so no one else can legally use it).

In the end, the OS is as secure as the user keeps it. You can have a super secure Windows/Linux/Mac installation, or equally have a very loose one.

And effectively hardening your OS implies you have to understand you might lose some functionality (see all those apps on Windows that fire up unneeded UAC prompts by doing the very wrong thing, or those apps on Linux that are happily unaware of SELinux) and do not bitch about it with the wrong people (the OS makers).

Although I concede you that there has been a certain mindset of "I run Linux/Mac OS so I'm inherently secure" that needs to be eradicated ASAP

Back on the topic, it doesn't matter what OS you choose, but develop good policies and stick with them and you'll be reasonably secure.

Re:First thoughts (0)

Anonymous Coward | about 5 years ago | (#27631089)

Great ad hominem attack. Since you're obviously a M$ advocate, I'll try to use simple words for you..

Windows hacks FAR outnumber Unix hacks by like 100:1. Unix hacks are also patched far more quickly. I read up on Vista's (lack of) security and I saw nothing of any consequence to convince me to use it over Linux. Though I'm sure you're heavily into the DRM "security" so we obviously don't have the same needs.

Ever stop and consider that the reason other OSes don't have these great features you're touting might be because they don't need them in the first place?

Re:First thoughts (2, Informative)

dov_0 (1438253) | about 5 years ago | (#27630815)

Agreeing with parent. Even with all of the work that has gone into patching Windows, it's still the most hacked OS out there. A huge amount of work has gone into security on Unix/Linux also due to the long history of use on servers. Linux just doesn't have good advertising. Do a bit of reading on Linux security (SELinux, Apparmor, etc.) and you might be surprised.

On the matter of fonts, why the problem? Buy a Windows font and install it in Linux. It will work as long as you have the right (generally standard) packages installed. The Windows font installer will not work, but the TrueType fonts etc WILL. Same for any Mac fonts. My Dad had collected a huge amount of fonts on his Mac, but wanted them on Linux, so I installed them and they work just fine. Linux is very compatible with the rest of the world, don't believe the FUD.

Re:First thoughts (1)

Bert64 (520050) | about 5 years ago | (#27630945)

Many of the mechanisms MS has embedded, like ASLR and non executable pages were actually implemented in linux first...

http://en.wikipedia.org/wiki/Address_space_layout_randomization [wikipedia.org]

And the sandboxing they use for IE, it's been possible to use chroot on unix for years...

Coming first isn't always the best thing (4, Informative)

fluffy99 (870997) | about 5 years ago | (#27631163)

To bad MS has figured out how to implement it consistently. ASLR in Linux is a novelty and usually not the default. Just like selinux is a joke. It's high maintenance and just having it installed doesn't protect anything unless you carefully and manually tweak it. Ever look and see what it actually protects when you enable it on RHEL? Damn near nothing. A carefully setup system with a proper selinux config might be good for a secure, single purpose internet facing server but it usually ends up getting disabled on a desktop computer.

A secure OS for the office of HH the Dalai Lama (5, Informative)

AndyCater (726464) | about 5 years ago | (#27630383)

Talk to the Bhutanese Govt. They're now using a Debian variant with localised scripts for Dzongha. Debian includes some Tibetan fonts.

That should give you 20,000 apps to leverage :) Christian Perrier who co-ordinates some of the Debian translation work may know more.

Re:A secure OS for the office of HH the Dalai Lama (3, Insightful)

cpghost (719344) | about 5 years ago | (#27631057)

That should give you 20,000 apps to leverage

And each one with its own set of vulnerabilities.

If the only thing they run is windows... (5, Informative)

saleenS281 (859657) | about 5 years ago | (#27630387)

The only exploits they're going to discover are windows exploits. I hope you've made them well aware exploits exist for every platform, and if someone is directly targeting them rather than just being hit by run-of-the-mill worms, they're going to get in. You should focus your efforts on limiting the amount of damage someone can do once they do get in.

Re:If the only thing they run is windows... (5, Insightful)

edsousa (1201831) | about 5 years ago | (#27630689)

I would focus on teaching them security practices:
  • do not open attachments you don't know
  • don't store your confidential data on your laptop
  • keep and check if auto-updates are working
  • report any suspect of breach to IT

Most of all, make sure that anyone that uses a computer is aware of the risks. Even more sure with higher clearance levels.

Re:If the only thing they run is windows... (1, Insightful)

Anonymous Coward | about 5 years ago | (#27630887)

These are some of the best comments on here so far because they are underscored by the idea that ALL of your possible choices are going to have vulnerabilities.
While others debate the security records and architectures of various operating systems (and some may be better choices overall), only an idiot would claim that such-and-such a system is invulnerable, particularly when the attack is specifically targeted at you.

Yay thank you for that 'great' advice (0)

Nicolas MONNET (4727) | about 5 years ago | (#27630985)

# do not open attachments you don't know

That's a stupid advice, one that has been repeated since the first email worms, even though even the very first email worms forged the sender to trick the recipient into opening it.

This is really stupid advice.

(I'm inferring you mean "attachment from ppl you know", because "attachments you know" doesn't make any sense to begin with.)

# don't store your confidential data on your laptop

Yeah better let those on a publicly accessible server, you wouldn't want those chinese spy to have to waste time physically getting hold of the laptop.

Thank you very much for those advices. They really help. Really. Seriously. Hmpf.

Linux sounds perfect for this project (0)

Anonymous Coward | about 5 years ago | (#27630389)

A bunch of Tibetan monks using Linux? They probably get laid about as much as a normal Linux user.

The good news, for you, sir, is that for performing this service for the Dalai Lama, when you die, on your deathbed, you will receive total consciousness

Pull out the Commodore.. (1)

JoshDmetro (1478197) | about 5 years ago | (#27630391)

BBS anyone? I'd like to see some backdoors for the Commodore. The whole problem is people want fancy graphic interfaces. Blame the GUI not the platform.

The easiest way (0)

Anonymous Coward | about 5 years ago | (#27630403)

The least PITA way to go is to use OpenBSD.

The OS is set to be secure by Deafult - no tweaking necessary. That will probably work for the desktop machines.

The servers on the other hand might have to be configured by hand by someone who knows what they are doing.

ASLP (1, Interesting)

Anonymous Coward | about 5 years ago | (#27630461)

The mac doesn't have ASLR, so don't use that.

Linux has selinux, which is now (finally!) easy to use, and very strong.

No contest really.

Are you sure? (1)

SuperKendall (25149) | about 5 years ago | (#27630713)

This interview [tomshardware.com] seems to indicate Linux is currently on an equal footing with OS X Leopard, though they could have got the Linux bit wrong.

In any case Snow Leopard is due this year which will also resolve that issue. And in either case it still does not really address the biggest issue which is trojan attacks, it mainly helps prevent web based attack vectors.

Re:Are you sure? (0)

Anonymous Coward | about 5 years ago | (#27630901)

You do realise that no where on that page do they even mention selinux.
Selinux is very powerful, a strict policy basically sandboxes every application.
Apparmors main developer works at MS right now IIRC, so I guess we'll see a more secure windows in the next few years.
The biggest beef about selinux(or apparmor for that matter) is that you need a policy for every program you run and I just don't see MS working this out with 3rd party developers any time soon.

Single OS not good for Dahli Lama's computer (5, Funny)

multipartmixed (163409) | about 5 years ago | (#27630469)

If *I* was in charge of the DL's computer, I wouldn't put on *only* Linux or *only* Windows or what have you. I think the DL needs a multiboot machine, and would really appreciate it if you tried to make him one with everything.

Re:Single OS not good for Dahli Lama's computer (0)

Anonymous Coward | about 5 years ago | (#27630551)

Troll?

Seriously ... who ever rated this joke a Troll needs to be smacked into last week so they can find their lost sense of humour.

For the humour challenged the punchline is make him one with everything

Re:Single OS not good for Dahli Lama's computer (1)

NoobixCube (1133473) | about 5 years ago | (#27630643)

I think "last week" is a little generous. They obviously lost it a long time ago.

Somebody please mod this "underrated" (5, Funny)

e9th (652576) | about 5 years ago | (#27630975)

After all, this is the worst possible article in which to lose karma.

Paranoid Linux someday, NetBSD now. (5, Informative)

7Ghent (115876) | about 5 years ago | (#27630493)

http://paranoidlinux.org/ is a project to create a distribution which assumes the user is under assault from the government. Right now, it's a vaguely locked down version of Ubuntu, but someday this might be pretty cool.

In the meantime, just run NetBSD and full-disk encryption.

From wikipedia:
NetBSD provides various features in the security area. The Kernel Authorization framework (or Kauth) is a subsystem managing all authorization requests inside the kernel, and used as system-wide security policy. It allows external modules to plug-in the authorization process. NetBSD also incorporates exploit mitigation features, ASLR, MPROTECT and Segvguard from PaX project, and GCC Stack Smashing Protection (SSP, or also known as ProPolice) compiler extensions. The Verified Executables (or Veriexec) is an in-kernel file integrity subsystem in NetBSD. It allows the user to set the digital fingerprints (hashes) of files in the system to monitor by the Veriexec, and prevent the execution of them. For example, one can allow Perl to run only scripts that match the fingerprints. The cryptographic device driver (CGD) provides functionality which allows using the disks or partitions (including CDs and DVDs) for encrypted storage in NetBSD.

Re:Paranoid Linux someday, NetBSD now. (0)

Anonymous Coward | about 5 years ago | (#27630611)

OpenBSD...

Yesterday, Today, and Tomorrow!

Where all of OPs points come from, plus more!

Re:Paranoid Linux someday, NetBSD now. (1)

MichaelSmith (789609) | about 5 years ago | (#27630629)

I am a netbsd user myself, and this is probably what I would suggest too. But netbsd is designed towards portability ahead of other requirements. Openbsd is more targeted at security. Is it possible that openbsd would be a better choice in this instance?

Re:Paranoid Linux someday, NetBSD now. (0)

Anonymous Coward | about 5 years ago | (#27630871)

What about openbsd?

http://en.wikipedia.org/wiki/OpenBSD_security_features

Windows Server 2k3 fully patched/security hardened (-1, Troll)

Anonymous Coward | about 5 years ago | (#27630905)

See subject-line: It will do the job, securely (this often depends as much on the person(s) administrating the system &/or network around it, as much as staying current w/ systemcode security patches also), if one follows a guide for that (down to the workstation network node levels, from servers on down, to all endpoints) such as this one:

http://www.tcmagazine.com/forums/index.php?s=041749be01ad8c44e0f3e7ae54129780&showtopic=2662 [tcmagazine.com]

Where Windows NT-based OS' were shown to score (up from the default of 46.xxx/100, which Linux systems score by default as well) 87-99.058/100 scores, @ both the server and workstation levels on the CIS Tool multiplatform security compliance system.

Also, for stability, Windows has "made it" in that area, as well, per this evidence thereof:

Windows Server 2003 + SQLServer 2005 does, and has done for YEARS now mind you, a great job of being the official disseminator of trade data @ NASDAQ, running into the "fabled 5-9's" of 99.999% uptime for years now, 24x7, via failover clustering... that was back in 2006 (possibly earlier, as that is only the date of the article):

----

NASDAQ Migrates to SQL Server 2005:

http://windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com] [windowsfs.com]

----

Best of ALL? Hey, it's Windows!

(Which means you probably already own & are familiar w/ Microsoft + Win32 applications on every level of use there is...)

APK

P.S.=> One thing I like about Windows, @ least up to Windows Server 2003 (which installs by default, as a 'workstation/pro' desktop model, to which you add "back-office" enterprise-class apps onto, only if needed, later?)

Well mainly is that "Windows" has come a LONG ways since Windows 3.0, which was my first version I tried!

(Once they went w/ the VMS underpinnings design of NT 3.x, I knew they had a winner, & that ran pretty good on a 486 66mhz 32mb RAM machine)...

There are a couple things, mainly something done to the HOSTS file in VISTA mostly I don't like (no longer being able to use the more efficient 0 based Blocking IP address in a HOSTS file, vs. the larger, slower, & more bloating on disk 0.0.0.0, & worse so, 127.0.0.1 on all accounts), so, that's why I am not going to include it as a recommendation here...

(Others might cite things like DRM, messing around w/ OpenGL, the 3 driver/3 level defense in the IP stack on filtering being another, vs. VISTA/Server2k8/Windows 7 using the SINGLE layer based WFP instead (one I think is VERY debatable in fact), & as well as things I am not even stating that I could not think of @ least, offhand)... apk

Re:Paranoid Linux someday, NetBSD now. (2, Insightful)

AnalPerfume (1356177) | about 5 years ago | (#27631027)

The sarcastic response would be "try Red Flag Linux" but the serious response would be to look at a fully open *nix variant such as Debian, or one of the BSDs. I'm not familiar with any of the BSDs but I'm aware that security is a high priority with them. My reluctance with BSD is the lack of "rich entertainment" (for want of a better description) applications easily installable, which won't be an issue (I'd imagine) for the needs of the Dhali Lama.

For the BSD fans, this is NOT meant to flame, just to point out that for users who expect "modern" or "proprietary" stuff like Flash, mp3 support Linux is a better option. If you don't need those type of features then BSD is well worth a look. Any new OS will need new learning, in that regard BSD or Linux makes no difference.

Re:Paranoid Linux someday, NetBSD now. (3, Interesting)

MichaelSmith (789609) | about 5 years ago | (#27631185)

My reluctance with BSD is the lack of "rich entertainment"

I use netbsd on my servers and some workstations. The lack of a rich environment is a defence against PEBAK. The problem is selling it to the users.

Done properly, the users would need to specify up front exactly what they want their system to do, so that a solution could be designed from those requirements. A lot of the time these days, secure communication is a prime requirement and BSD can certainly provide that.

Key signing at your meet up (0)

Anonymous Coward | about 5 years ago | (#27630501)

When you have your face to face meeting of the various people in exhile, it would be a good idea to have a key signing party. The attendees would then be able to sign others' keys when they return to their homes in exhile.

Malware is the issue (2, Insightful)

voss (52565) | about 5 years ago | (#27630563)

Not encryption or top secret stuff.

Any of the major linux distros should work fine., unicode tibetan is supported.

Practical considerations and philosophical ones (5, Insightful)

funkapus (80229) | about 5 years ago | (#27630631)

First of all, converting the Dalai Lama to Linux is about the coolest IT project I've ever heard of, so congratulations

That aside, there are practical considerations and there are philosophical ones you'll want to consider. Practically speaking, no platform is 100% secure. Linux has historically been more secure than Windows. MS has made a lot of progress in the last decade or so.

The question is, do you prefer the closed-source approach or the open-source one? Would you rather the problems be hidden away, or laid out for all to find? In the closed-source scenario, knowledge of exploits may be less common, but that cuts two ways. Less attackers will be aware of an exploit, but less defenders will be aware of it as well. That may well result in the exploits that do occur being much more severe.

Beyond those practical considerations, which approach fits better with the values of the Tibetan community and the Dalai Lama in particular? In my mind, open source is the embodiment of non-attachment.

Greetings Dhali Lama... (3, Funny)

armer (533337) | about 5 years ago | (#27630639)

I am Suleman , IT Manager of Zenith Bank, Lagos, Nigeria. I have urgent and very confidential business proposition for you. On June 6, 1997, a Foreign IT consultant/contractor with the Nigerian National IT Corporation, Mr. Barry Kelly made a numbered time (Fixed) request for twelve calendar months, for a secure OS. Upon maturity, I sent a routine notification to his forwarding address but got no reply. After a month, we sent a reminder and finally we discovered from his contract employers, the Nigerian National IT Corporation that Mr. Barry Kelly died from an automobile accident. On further investigation, I found out that he died without making a WILL, and all attempts to trace his next of kin was fruitless. I therefore made further investigation and discovered that Mr. Barry Kelly did not declare any kin or relations in all his official documents, including his Bank Deposit paperwork in my Bank. This sum of US$26,500,000.00 has carefully been moved out of my bank to a security company for safe-keeping. Consequently, my proposal is that I will like you as an Foreigner to stand in as the owner of the money I deposited it in a security company in two trunk boxes though the security company does not know the contents of the boxes as I tagged them to be photographic materials for export. This is simple. I will like you to provide immediately your full names and address so that the Attorney will prepare the necessary documents which will put you in place as the as the owner of the boxes. The money will be moved out for us to share in the ratio of 60% for me and 40% for you. There is no risk at all as all the paperworks for this transaction will be done by the Attorney and this will guarantees the successful execution of this transaction. If you are interested, please reply immediately via my email address.And also send your Telephone and fax numbers so that we can have a smooth communication. Upon your response, I shall then provide you with more details and relevant documents that will help you understand the transaction. Awaiting your urgent reply via my email. PLS REPLY TO MY PRAVATE BOX suleman775@mailsurf.com Thanks and regards. Dr.Suleman .

Re:Greetings Dhali Lama... (4, Funny)

Tubal-Cain (1289912) | about 5 years ago | (#27630715)

Obviously fake. A real Nigerian scam would have more capital letters and misspelled words.

Less difficult to exploit linux? (1)

xulfer (1368787) | about 5 years ago | (#27630679)

It is not 'easier' to exploit Linux/UNIX than it is windows. If that were true you wouldn't see the number of exploits, and security advisories that you do every day. Just because the Microsoft CTO says it does not make it true.

Not only the DL (2, Informative)

DeltaQH (717204) | about 5 years ago | (#27630697)

Also the German government would be interested.
A very similar penetration was detected on IT infrastructure of several German govt. agencies no long ago.
Lots of internal information where uploaded to the internet before it was detected and stopped

An the trail seemed to lead... you know where.

Dear Your Holiness (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#27630707)

Dear Your Holiness,

I successfully reduced malware attacks on my computer by 80% last month, by

a) visiting porn sites less than three times a week
b) avoiding opening emails with titles like "More powerful than a vibrator!"

Hope it helps,
Pythonist

Dont blame the OS (1)

rivetgeek (977479) | about 5 years ago | (#27630723)

"Furthermore, most of the web servers broken into during these attacks (to be used as command and control servers) were not Windows, but Linux." The vast majority of webserver hacks have nothing to do with the OS. The most common attacks are remote file include, cross site scripting, and sql injection, all of which are platform independent.

Mac OS X or openBSD (3, Interesting)

zerobeat (628744) | about 5 years ago | (#27630757)

Mac OSX might be more secure than windows and may be easier for non technical people (if the TGIE is lacking expertise) to get up and running. Alternatively, use openBSD - quite hard to get fully functional, but the expertise to get it there means anyone who does should have requisite skills to keep the Tibetan Government safe from certain foreign governments. Also, you may find the openBSD people will gladly help with this poltical agenda. Z/

MacOSX is not more secure in itself (0)

Nicolas MONNET (4727) | about 5 years ago | (#27631047)

In fact it's probably much less secure than windows, since it doesn't deploy counter-measure such as non-exec stacks, address randomization and the like. However it gets much fewer malware because of lower marketshare.
So it looks more secure as far as generic, endemic malware is concerned; but it's going to be much easier to crack for an attacker with a specific agenda.
Linux has the same countermeasures as Windows and then some.

Something that helps (5, Interesting)

DeltaQH (717204) | about 5 years ago | (#27630775)

Boot always from an trusted, read only media, like CD/DVD or locked USB thumb drive.

Media should contain not only OS but applications in trusted configuration. No updates allowed from outside trusted entities

Use only boot media provided from trusted entity

Maybe use also something like tripwire to detect change in the OS/applications files checking changes by comparing sensitive file

Full encryption on sensitive data/drives

Use Yellow Hat GNU/Linux (2, Funny)

belmolis (702863) | about 5 years ago | (#27630781)

The obvious solution is Yellow Hat GNU/Linux [stallman.org].

Seriously, this is a great project. Surely the appropriate solution is a version of either GNU/Linux, such as SELinux, or OpenBSD [openbsd.org]. No system is entirely secure, but the idea that MS Windows could be as secure as GNU/Linux or BSD is wild.

Linux Tipping Point! (1)

Talkischeap (306364) | about 5 years ago | (#27630799)

If that happens, it will propel Linux onto hundreds of thousands of desktops world wide!

Judging from all the "Free Tibet" bumper stickers I see around here.

Oh, wait ... this is Mendoland [wikipedia.org], forget it.

Diversify! (2, Insightful)

uffe_nordholm (1187961) | about 5 years ago | (#27630821)

If it were up to me to decide, I would go for the broadest possible range of OSes: Windows, Mac, Linux, Unix, BSD, BeOS....

The reason is simple: if an outside attacker can't predict what they will meet, it's much harder to get in.

And if you can get the various OSes to masquerade as each other when replying to outside queries, so much the better: an attacker could be trying to use known Mac vulnerabilities to enter a machine that from the outside looks and behaves like a Mac, but actually runs Windows or Linux.

Tly Red Flag Linux (0)

Anonymous Coward | about 5 years ago | (#27630851)

http://www.redflag-linux.com/en/

I heard it's support for asian languages is excelent and any security hole may also be used against the attackers.

His Holy etc. (1, Insightful)

oldhack (1037484) | about 5 years ago | (#27630853)

Call him Dalai Lama. What's with all these his holy, etc.? Do we call the pope his holy whatsit? Or the English Queen? Even The One is simply The One.

Re:His Holy etc. (1)

Yacoby (1295064) | about 5 years ago | (#27631007)

Everyone is doing the setup lines for jokes like:
"Well, with a title like that, there are going to be security holes everywhere"

Ninnle, of course. (0)

Anonymous Coward | about 5 years ago | (#27630857)

Seriously, if you want a secure operating system, Ninnle Linux is the only choice.

fonts? (2, Informative)

belmolis (702863) | about 5 years ago | (#27630869)

I'm a little surprised to hear that there is no good Tibetan font. Here is a list of Unicode-encoded Tibetan fonts [alanwood.net], mostly both free and libre. Do none of them meet the need?

Re:fonts? (3, Informative)

zmrow (1516737) | about 5 years ago | (#27631297)

I'm a little surprised to hear that there is no good Tibetan font. Here is a list of Unicode-encoded Tibetan fonts [alanwood.net], mostly both free and libre. Do none of them meet the need?

I agree-- It appears they are possibly misinformed about fonts. There are at least 2 very good True Type Unicode Tibetan fonts-- "Tibetan Machine Unicode" and "Jomolhari", both of which are more attractive, as well as more advanced in their development than Microsoft's "Himalaya" font.

Wrong Answer (1)

Idiomatick (976696) | about 5 years ago | (#27630879)

It doesn't matter a huge amount what OS you install. You just need people to be educated. It doesn't matter how secure you are. If someone sends a e-mail saying "Click here to see topless..." Wait scratch that, hmmm Dalai Lama... "Click here to become one with the universe.exe" then you are screwed. Don't waste your time teaching people Linux or some other OS (feel free to switch for other reasons). Instead teach them self-restraint and discipline.... Which you think they would have. That and get a couple semi-decent admins to keep your servers updated/clean.

your assumptions are wrong (4, Informative)

Aurisor (932566) | about 5 years ago | (#27630907)

it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows

Why would it be more difficult to "write" (aka implement) exploits for one operating system than another? You should be worried about how hard it is to find exploits and how quickly they're fixed.

Assuming for the moment all you care about is the actual security of your software (excluding implementation details, mis-configurations, etc), the real metric you want to be looking at is the frequency of discovery of serious vulnerabilities and the span of time from first (non-public) discovery (which may not be knowable) and the appearance of a patch you could use. Looking merely at "remote root exploits / year" and "mean time to patch remote root exploit" might not be a bad place to start.

Also, you need to think about the actual design of the operating systems in question. Without tipping my hand too much, some might say that the Unix user/superuser distinction is something Microsoft could learn from.

That being said, though, I'll tell you my opinions.

Netbsd has one of the best track records in the industry with regards to server security. The security of *nix, in general, scales directly with the intelligence of the people managing it. You can get decently far with Windows and just doing things 'by the book,' but it's got all the typical problems of monoculture and a well-deserved poor reputation.

A group of very intelligent, very technical network admins are nearly unstoppable given linux and sufficient control. A group of very intelligent people can probably make do with Windows too. Windows configured by average people may in some cases be better than Linux configured by average people.

In any event, just from reading your question, I doubt you are technical enough to undertake this at a nuts-and-bolts level. You kind of came here asking "Is Linux or Windows more secure?" You bet your ass I have an opinion on the matter, but the problem is, so does everyone else. You need to find highly intelligent people, and then use your common sense and analytical thinking to weigh their arguments. In short, stop thinking as if the answer to your question would provide security; find smart people experienced in securing things and then evaluate the tools (operating systems) as they relate to your immediate ends.

The security plan I would implement: (2, Funny)

vistapwns (1103935) | about 5 years ago | (#27630933)

Upgrade to Vista, install the latest updates, leave auto-updates on, enable DEP for all processes adding exceptions to the DEP exception list if necessary (i.e. app crashes occur) - use IE8, lock down the internet zone so that all active-x and .net stuff is disabled, add trusted sites to the trusted sites zone that need those things, enable IE 'protected mode' for all zones, run users as standard users. Use strong passwords, teach users basic computer security, including no clicking on email links, no downloading anything from the web. Tell them to trust no one (and no web page,) make sure they understand that they are under siege from one of the most powerful governments on the planet, and so on. Give users 'tests' on this stuff, to make sure they understand it. There may also be security apps for windows that do more than signature scanning, something that cryptographically signs files and checks signatures, and alerts users/admins to any new processes that auto-start. Or perhaps writing/contracting one might be something you may want to look into. That's enough to get started, but the key thing is update to Vista, it has so many security features added that it's very hard to break into relative to most other feasible OSes.

Re:The security plan I would implement: (1)

Creepy Crawler (680178) | about 5 years ago | (#27631051)

Until a subversive deems it necessary to rescind the keys associated to His Holiness, The Dali Lama and his people.

I'm sure the Chinese government could make a deal with Microsoft to make multiple govt offices Vista Based (with appropriate studies to woo others) for a deal to shut down keys.

Secure and easily transitioned (0)

Anonymous Coward | about 5 years ago | (#27630937)

For all that you ask for it is safe to say the your needs will be met via Ubuntu Linux. It is currently the #1 most widely used and supported world wide. It also supports the Tibetan language, is Debian based (which means very secure), and it is easy to adapt to from a Windows stand point.
Any technical help just visit digitalvaldosta.com

This might have a big upside/downside for Linux (1)

thesaurus (1220706) | about 5 years ago | (#27630969)

Assuming that Linux is chosen, it might be extremely good publicity (especially that "free and open" sounds vaguely Buddhist anyways.

On the other hand, I can't think of a better way for Chinese hackers to start searching for holes in desktop Linux than this.

You are being destracted by the binary illusion (0)

Anonymous Coward | about 5 years ago | (#27630971)

It does not matter if the OS is secure if you do not own it. You will never be the owner of a binary you did not build, or can not build. How do you think they shut down the defense systems of Iraq before the war. They went to HP, produced custom firmware for their printers and broke in.
You will never be able to tell what Windows or MacOS will do for the people with the right influence. Period. Unless of course you have enough influence to get code escrow from Microsoft or Apple, for the binaries you run. Think about it. It can be the most secure OS in the world, but secure for whom.

controversial? (1)

Runaway1956 (1322357) | about 5 years ago | (#27631015)

"However, one of the more controversial moves being actively debated"

Settle this controversy: is it more important that mindless boobies have convenient access to system resources, or is it more important to be secure?

That settled, there is little controversy left. Maybe some squabbling over WHICH VERSION of Linux you should migrate to, that would be about it.

Assuming that Tibetans are literate, there should be little difficulty in customising your own fonts, and other requirements.

So, get cracking, customise Linux to your needs, and quit whining about Bill Gates inbuilt insecurities. If Tibetans aren't capable and literate enough, they can always borrow from http://redflag-linux.com.cn/en/index.php [redflag-linux.com.cn]

quick, to the xerox machines! (1)

Punto (100573) | about 5 years ago | (#27631065)

wow, "convene an international Board of Advisers", that is some proactive thinking. Are you sure you don't want to form a comitee to consider this first? maybe draft some resolutions? that sounds like such decisive action!

Windows 98 (0)

Anonymous Coward | about 5 years ago | (#27631073)

We suggest Windows 98.

Sincerely,
The Government of China

Trying to join "Infowar Monitor" mail list 404's! (0)

Anonymous Coward | about 5 years ago | (#27631103)

Hi Jamyang (Greg Walton) ,

Trying to join "Infowar Monitor" mail list 404's-bad karma. Here is a cug&paste

"Not Found

The requested URL /mailman/subscribe/infowar-list was not found on this server.
Apache Server at mail.citizenlab.org Port 80"

Please fix, so Buddhist Geeks can help out. :-)

Greekgeek :-)

Oh, so you're playing Devil's Advocate? (2, Informative)

anomnomnomymous (1321267) | about 5 years ago | (#27631123)

Now let me do a bit of that myself too, since I think that it's unjust that each time the Dalai Lama is mentioned, people think he's all for justice.
For a bit more balance in the whole story, have a look at this video [youtube.com].
Anyone willing to debunk this, you're welcome; As I still have quite a quarrel with each time the Dalai Lama gets mentioned as some sort of Saint.

(This does not reflect my opinion on the whole Tibet/China debacle; I think that's as bad as it is)

Re:Oh, so you're playing Devil's Advocate? (1, Informative)

belmolis (702863) | about 5 years ago | (#27631289)

It is true that the government of Tibet prior to the Chinese invasion had many faults. However, that does not in any way justify the Chinese invasion and colonization of Tibet. First, if the Chinese goal were merely to free the serfs etc., they could have done so and withdrawn. There would be no need to stay for fifty years, much less to introduce hundreds of thousands of colonists and suppress Tibetan culture. Second, the faults of the Tibetan government cannot be attributed to the Dalai Lama, who was very young when the Chinese invaded. He has consistently supported democracy, equality, and human rights. There is no reason to believe that Tibet under a restored Tibetan government led by the Dalai Lama would not be a progressive government. Third, while there have been some benefits of modernization under the Chinese regime, it is a dictatorship, not a democracy, without freedom of speech or most other human rights, and so in most respects no improvement over, or even worse than, the old Tibetan government.

In sum, sure, it is silly to believe that everything was just wonderful until the Chinese invasion, but that shouldn't be taken to justify Chinese imperialism.

It is about the process.... (2, Interesting)

SerpentMage (13390) | about 5 years ago | (#27631153)

The problem here is probably one of process and not operating system.

One of the ways that I manage my systems is to create a zone where hackers may go, and not go.

For example, I use a good firewall. That firewalls is allowed to communicate to another firewall. Between the two firewalls is my take down zone. This means if they happen to break through the firewall all they will get are servers that can be taken down anyways.

These take down servers are virtual machine based. So if a machine goes down, who shives a ghit because you just shut down the VM, copy the old one and restart it.

The second firewall is a non entry firewall. That means there is absolutely no way at all to get through it from the outside. Only those behind the second firewall may communicate outside. And if I need to communicate to a trusted source outside the first firewall I setup a VPN server between the two firewalls. If somebody manages to hack that VPN server, you just take it down, setup new keys, restart and away you go.

By not allowing any communication into the second firewall you stop outside hackers. Then to allow communications from the inside to the outside you setup proxy servers that are trusted to communicate to the outside. Only those proxy servers may communicate with the outside world. Without those proxy servers the inside users are cut off, but you have created a wall where you can control the entries and exits.

Doesn't matter (1)

fluffy99 (870997) | about 5 years ago | (#27631189)

China has some of the best hackers - just ask our on Military how good they are. Given China's political dislike of Tibet, they'll just divert some of their guys to focus on whatever boutique OS Tibet decides to convert to. In the meantime Tibet will struggle with the usual pains of changing and learning a operating system.

My vote is to simply educate their users and make sure they understand safe practices and keep their OSs up to date. Poor practices and unpatches systems matter far more than what OS you use.

Or they could just approach MS. MS would gladly provide support for the bragging rights that the DA is using their OS.

Old, not new news that OS X is insecure (0)

Anonymous Coward | about 5 years ago | (#27631251)

It's pretty well established Mac OS X is not only *not* more secure than Windows, it's the most insecure of Windows, OS X, and Linux.

This isn't exactly news. Apple's poor bugfixing and attention to security has been benefiting from the fact that almost nobody in real life used a Mac. Now that that's changing, they're going to get the full attention of the malware community and Apple's ads are going to have to get a lot less smug very quickly.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...