Almost four years ago, I posted about the Chinese "secure OS" called Kylin. I did not hear much about Kylin since then. That changed this week when Canonical announced it is teaming up with the China Software and Integrated Chip Promotions Centre (CSIP) and National University of Defense Technology (NUDT) to develop a new national OS for China.
While the name includes "Kylin", it appears that the Ubuntu Kylin will be quite different than the earlier FreeBSD-based Kylin OS. The new Kylin appears to be an Ubuntu distro strongly geared toward Chinese users. According to the Canonical announcement:
Ubuntu Kylin goes beyond language localisation and includes features and applications that cater for the Chinese market. In the 13.04 release, Chinese input methods and Chinese calendars are supported, there is a new weather indicator, and users can quickly search across the most popular Chinese music services from the Dash. Future releases will include integration with Baidu maps and leading shopping service Taobao, payment processing for Chinese banks, and real-time train and flight information. The Ubuntu Kylin team is cooperating with WPS, the most popular office suite in China, and is creating photo editing and system management tools which could be incorporated into other flavours of Ubuntu worldwide.
Although it will share the security traits associated with the Ubuntu Linux distros, there is no special claim being made that this is a "secure OS". The plan is for Ubuntu Kylin to be eventually expanded to include other platforms, including servers, mobile phones, and tablets.
Ubuntu Kylin should be easier to obtain than the other Kylin. (I tried to find a reliable source for it but hit too many dead ends back in 2009.) Ubuntu Kylin is scheduled to be released along with the Ubuntu 13.04 releases in April. When I know the official distribution URL, I'll post it.
Meanwhile, you can check out the project's Wiki at https://wiki.ubuntu.com/UbuntuKylin (English) and https://wiki.ubuntu.com/UbuntuKylinChinese (Chinese).
Other articles about Ubuntu Kylin:
- Ars Technica - "Goodbye Windows: China to create home-grown OS based on Ubuntu", http://arstechnica.com/information-technology/2013/03/goodbye-windows-china-to-create-home-grown-os-based-on-ubuntu/
- BBC - "China to create home-grown operating system", http://www.bbc.co.uk/news/technology-21895723
- Geek.com - "Canonical teams up with Chinese agencies on Ubuntu Kylin", http://www.geek.com/articles/news/canonical-teams-up-with-chinese-agencies-on-ubuntu-kylin-20130322/
Brian Krebs also noted that Jeffrey Carr, who tracks cyber-conflict issues, noticed that Chinese government sites tend to do the same thing. Carr said, “If you want a starting point for finding out what’s really going on in these countries, you have to use something like Google translate.”
The Importance of Going Beyond English (or Whatever Language You Know)
Better yet, as you use tools like Google Translate, seek to learn the languages of the countries in which you're interested. If you can, spend time browsing their government and media sites to get a feel for certain keywords.
Look up expressions of interest. For example, it can be helpful to get an idea of certain acronyms and jargon on the foreign sites. If dealing with Russian law enforcement & crime issues, knowing the acronym "ОПГ" (OPG) for "Организованная преступная группа" ("Organizovannaya prestupnaya gruppa" - Organised Criminal Group) can be useful. (Here's a useful Glossary of Russian Police & Security Service Acronyms and Abbreviations [pdf])
Google Chrome is an excellent browser since it gives an option for translating the page you are viewing and allows you to easily go back to the original. I left some useful tips on a Vere Software blog post about Google Tools for Investigators. See its comment section.
For this and other reasons, I highly recommend that people studying and going into the info security field learn another language.
Which one? Depends upon your interests, but there is no absolute must-study. Russian and Chinese are particularly useful. Arabic and Farsi might be quite fitting for other security concerns. But there are some interesting info security happenings in Spanish, Portuguese, German, and other languages. Just learning another language, especially one that is quite different from your native language, is, in itself, a big help. It helps you to be more open to still other languages and how to use various tools. (It also helps to learn the limitations of the tools.)
Jonathan D. Abolins
It is an interesting development. Russia has been talking about a national operating system but that has not really gotten off the ground.
One problem I'm hearing is the uneasiness that a Russian national OS could isolate Russians from most of the world. But, with the right conditions, it is not necessarily as big of a risk. One hint might be the popularity of the new .рф country code top level domain for Russia. Rather than being seen as isolating Russian in a Cyrillic ghetto, the Cyrillic domain registrations have passed the 500,000 mark and, as of this post, the current stats are approaching 700K. Perhaps a key factor is that one can have both .рф and .ru domains, giving flexibility and retaining world accessibility. (More info about the .рф ccTLD on my Internationalised Domain Names - IDN Info site.)
Between Putin's support for the move and its phased transition, this attempt to move to an open source OS might succeed. I also hope that the Russian GNU/Linux move will truly keep the code open.
- Cnews.ru article "Путин распорядился перевести власть на Linux"
- Plan (timetable) for the Russian Federal government transition to GNU/Linux 2011-2015 (.doc): "ПЛАН: перехода федеральных органов исполнительной власти и федеральных бюджетных учреждений на использование свободного программного обеспечения на 2011 - 2015 годы"
- Why SCADA Networks Are Vulnerable To Attack - Part 1: Unintended Consequences
- Why SCADA Networks Are Vulnerable To Attack - Part 2: The Weakest Link
- Why SCADA Networks Are Vulnerable To Attack - Part 3: Firewall Both Users AND Devices
- Why SCADA Networks Are Vulnerable To Attack - Part 4: Controlling What You Use
<<The technique can also be used to detect or rule out covert editing of audio. ENF analysis is made possible by the growing use of digital recording and its greater timekeeping accuracy over analogue.
ENF relies on frequency variations in the electricity supplied by the National Grid. Digital devices such as CCTV recorders, telephone recorders and camcorders that are plugged in to or located near the mains pick up these deviations in the power supply, which are caused by peaks and troughs in demand. Battery-powered devices are not immune to ENF analysis, as grid frequency variations can be induced in their recordings from a distance.
At the Metropolitan Police's digital forensics lab in Penge, south London, scientists have created a database that has recorded these deviations once every one and a half seconds for the last five years. Over a short period they form a unique signature of the electrical frequency at that time, which research has shown is the same in London as it is in Glasgow.
On receipt of recordings made by the police or public, the scientists are able to detect the variations in mains electricity occurring at the time the recording was made. This signature is extracted and automatically matched against their ENF database, which indicates when it was made.
Digging further in my attempts to learn more about ENF, I searched for info about Dr. Catalin Grigoras, a Rumanian audio forensics expert whose research is the basis for London Met's continuing work.
Dr. Grigoras' Web site has useful links to his papers & presentations (some behind paywalls but few are cost-free): http://www.forensicav.ro/
I came across a cyberwar glossary that deserves to be a classic lexicon, just like Ambrose Bierce's The Devil's Dictionary.
Read the whole document. I especially like the concluding section where Richard "Rick" Forno notes:
Cyberwarfare indeed is a concern that must be addressed responsibly; however there is such a cacophony of ‘noise’ in public and private discourse on the subject that it is difficult for many to make sense of the actual cybersecurity issues we need to be thinking about as a Nation. Let’s burst the “cyber-bubble” and deal with the real issues, concerns, effects, and consequences of operating in the “cyber” domain instead of relying on and/or believing questionable analysis and dubious statistics presented in sensational reports, statements and oft-cited soundbites.
Better still, let’s all agree that if we want to be proactive in cybersecurity (or cyberwarfare protection) we must ensure our information assets not only are hardened and reinforced but designed with survivability and resiliency in the first place. Doing the former without the latter only will set us up to “lose” in the cyber domain. Our enemies recognize this and will act accordingly, so why don’t we?
Seriously, Amen to that!
One of the things I was tracking this summer was the July DDoS attacks upon South Korean and US sites. Very interesting how quickly some people were blaming North Korea for the attacks and even suggesting strong measures against the dictatorship. Cyber-attribution is a tricky matter and there's a big risk of "Ready, FIRE, oh, well, aim...." mishaps.
Another interesting thing I was looking at this summer was the Internet activities following the disputed Iranian elections. This included net censorship and counter-measures, people (including me) "greening" their Twitter avatars, etc.
These two things often raised the "cyberwar" theme and I will address the topic in a few weeks.
Jonathan D. Abolins
Today, I was in the midst of info security discussions about a Chinese operating system called "Kylin".
This set of discussions was launched by a Washington Times article by Bill Gertz today, "China blocks U.S. from cyber warfare". The article claimed:
Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive. While this is a highly unpopular statement, WE ARE IN THE EARLY STAGES OF A CYBER ARMS RACE AND NEED TO RESPOND ACCORDINGLY!
This race was intensified when China created Kylin, their own hardened server operating system and began to convert their systems back in 2007. This action also made our offensive cyber capabilities ineffective against them given the cyber weapons were designed to be used against Linux, UNIX and Windows. Refer to our report - RED SOS.
(I was not able to find the RED SOS report online yet.)
Looking at my Twitter feeds throughout the day, I was seeing much tweeting about Kylin OS. Then, I mentioned the topic to Heike of The Dark Visitor blog about Chinese hackers. As I kept learning more about Kylin, it became clear that I should compile the information and post it on this blog.
The Kylin Web Site
Kylin's Web site is at http://www.kylin.org.cn/
[Rough rendition of the site into English via Google Translate]
By the way, some people have noted that, ironically, the site for a secure OS has an SQL injection vulnerability.
Kylin OS History
I learned that the Kylin OS has been around for several years, going back to 2001.
China Military Online, a Web site sponsored by the PLA Daily of the Chinese People's Liberation Army, reported in February 2005 on the development of Kylin as the PRC's own operating system that could replace foreign OSes. The Kylin OS was developed by the University of Science and Technology for National Defense (affiliated with the PLA). The project began when...
In 2001, the central government decided to assign the mission of developing an operating system with independent intellectual property right, a major special project of the state's "863 Hi-tech Program", to the Computer Science Institute of the National University of Defense Technology. Upon receiving the mission, the institute swiftly organized a strong scientific and technological task group to brave difficulties and hardships and make bold innovations. Eventually, the group succeeded in making breakthroughs in a series of core technologies and developed the first 64-bit operating system with high security level (B2 class)-the Kylin server operating system. The system is not only compatible with the mainstream operating systems in the world, but also supports several multiple microprocessors and computers of different structures. In addition, the system is also the first operating system without Linux kernel that has obtained Linux global standard authentification by the international Free Standards Group (FSG).
In December 2006, Xinhua reported about Kylin OS. One of the things this report mentioned was that the University had signed an agreement with LENOVO for production and application of the Kylin system.
Information Warfare Monitor has a post "Kylin operating system plagiarized from the FreeBSD5.3?" and points to the Dancefire site with its comparison of Kylin and FreeBSD 5.3. The similarities between the two OSes reportedly reached 99.45 percent.
The interesting Kylin information is under the Dancefire site's News section, which is in Chinese. The good news for those of us who cannot read Chinese is that Google Translate does a passable rendition of the texts. (Kylin is rendered by Google as "Kirin". I don't think it has anything to do with the Japanese beer. Does it?)
ADDED 1 June 2009: Jumper at The Dark Visitor blog has been taking a look at Kylin and has a good posting there.
How "Secure" is This "Secure OS"? [added 13 May 2009]
Much of the reporting about Kylin, including the PRC's PR about the OS, seems to take the claims it is a "secure OS" at face value. But I have not yet come across any extensive security testing of Kylin. Also, I am wondering how much ongoing security support for Kylin is there. I mean things such as security patches, forums, etc.
Security researcher Dancho Danchev raises several excellent points that challenge the notions that the PRC's (or any other country's) "secure OS" poses a real threat to the US cyber-offensive capabilities. Danchev writes regarding the "re-branding" of FreeBSD as Kylin and about the limits of "national security OSes":
All warfare is indeed based on deception, especially when you’re re-branding.
The rush to participate in the “national security operating system” arms race is pretty evident across the world, with the European Union’s secure OS Minix, the U.S Air Force new ‘secure distribution of Windows XP‘ and Russia’s interest in a similar secure OS. What everyone appears to be forgetting is the fact that security is proportional with usability, and as well as the fact that complexity is the worst enemy of security.
Then, Danchev provides the example of a US penetration test of a US government site that found "763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders.” The assortment of applications on the systems and their complexity gave ample footholds for exploitation. Then, there are human factors, including human foibles, that can affect security. Although better designed or hardened OSes can help, they are but one component of security.
So is the PRC's Kylin a Part of Cyber-Warfare, Cyber-Security, or Both?
It's both. (Note, I am leery of the cyber-warfare term. It can encourage massive, costly projects and bad analogies.)
I understand Mr. Coleman's concerns about cyberwarfare aspects and how the PRC's cyber-defence could hinder US cyber capabilities against their systems. But, we should not deem overall attempts to have more secure operating systems as "warfare" in a sinister sense per se. Improving cyber-security is something that we all should be doing. Being "peaceful" in the networked world does not mean having servers running unpatched Windows. The US, UK, etc. should be encouraging their government, corporate, and infrastructure systems to be better secured. (The US has done projects such as NSA's work on Security Enhanced Linux. Some might call that an example of US cyber-warfare.)
Special thanks to
- The Information Warfare Monitor [Web] [Twitter]
- "Heike" on The Dark Visitor
- Richard Stiennon for the @Cyberwar tweets on Twitter.
Added 13 May 2009: Stiennon has a good posting, "Kylin reports unsubstantial" on his Threat Chaos blog. That post references my post here.
Jonathan D. Abolins
My presentation is:
Lessons for the 21st Century from the 20th Century History of the Flu:
There were three major influenza pandemics in the 20th Century. The 1918-19 "Spanish Influenza" was particularly deadly, killing anywhere between 30 and 50 million people around the world. The 1957-58 Asian flu was not as deadly, but still killed about 70,000 Americans. The "mildest" pandemic, Hong Kong Flu of 1968-69, caused about 34,000 US deaths. Then there was the 1976 "Swine Flu" abortive pandemic and a nationwide vaccination program which some called a fiasco.
What lessons for today can we glean from these events decades ago? This presentation will point out lessons to help us to better prepare for future pandemics.
Also speaking will be Heather Benamati, MPH, CHES, Health Services, Human Services Coordinator of the Bernards Township Health Department. She will focus upon public health aspects of pandemic flu preparedness. There will be a third speaker who'll cover business contingency planning.
Date: Tuesday, April 21, 2009
Time: 9:30 am to 10:00 am - networking session; 10:00 am to 1:00 pm - the Chapter meeting
Location: AFFINITY FEDERAL CREDIT UNION, 73 Mountain View Boulevard, Basking Ridge, New Jersey
Parking will be available at the Credit Union for attendees.