I'm surprised that "security by obscurity" is touted as a way reduce attacks. This is almost guaranteed to lead to less diligence in the code — and more risks.
I wonder how much that has to do with human nature thinking "well this is obscure" so then they don't secure it as if it was 'customer facing' or less 'obscure'.... and thus leave it more open than ever.
I knew a place that assumed such things, crazy insecure. They also played the "well this shouldn't be exposed to the internet" game as well.
Obscurity isn't supposed to replace security, it just aids it. Note that the US government heavily practices this, with 'Suite A' cryptography. Most other governments have similar practices.
> In recent years, security through obscurity has gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception.[9] NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.
If they don't use Linux, I wonder how long it will take them to have something productive for the average worker.
I mean, Android took a decade to be usable, was built by one of the most talented and rich company on earth. Yet it is still limited in what it allows you to do: no office suite, limited driver support, weak multi-monitor, can use few FS formats, no RAID, etc. And that is despite Android actually wrapping a Linux Kernel.
Not to mentions they'll need to get so many basic tools ported.
No matter the high competence of the Chinese tech scene, their ability to brutally push an agenda and the number they can throw at it, I can't imagine a scenario where those resources wouldn't be better spent validating and customizing an existing distro.
However, I can imagine many reasons they would choose the harder road. And as a geek, I find it sane to remind myself that technical efficiency is not the goal of all entities.
My friends dual Pentium Pro system is capped out at 2GB of ram. Many older machines got maxed out ram wise if you bothered to upgrade them at all when previous gen ram goes super cheap.
"the average worker" doesn't just want to check their mail and watch videos. they want to use MS OFFICE suite, never see a terminal, backup/restore with ease, ask someone who isn't an IT pro how to fix something, also get support from their IT department, use the vast amount of legacy/proprietary enterprise software that their workflow is rooted around.
Not to pick on you, but why when the question of Linux as a Windows substitute comes up, do people always have to offer anecdotes about their mother. I'm no SJW or radical feminist, but honestly, let's move on from that.
My comment is about "the average worker", not friends and family / personal use. For which, in my highly uber technical group of friends and family, (where mothers are C++ programmers), maybe 1 out of 20 (generously) find a Linux desktop usable.
Only in this forum, where people recognize the horrid low contrast, gratuitous whitespace, excessive bloat of the latest javascript "framework", know the difference between modeless and modal dialogs, understand why the gmail UI keeps moving in the wrong direction -- only in this forum, where UX is understood as a real "science" that needs attention, will people actually also claim that the Linux desktop is usable. It boggles the mind.
If I can teach my aging mother(57) to use standard ubuntu 18.04 as her first computer ever then anyone can learn linux. Everything she needs is clearly presented in the bar of application icons and the ancient scanner/printer someone gave her works perfectly. Bonus points for when I go visit and there is a handful of .exe's hacked facebook friends convinced her to download sitting uselessly in the download folder.
Limited driver support? Android devices are typically highly integrated: they use custom SoC's (that you've never heard of) with drivers developed specifically for those SoC's and their blocks.
(Oh, your amazingly rare phone has a PCI slot, and your graphics card is not supported, bummer!)
Ubuntu with wine now days works with 90%+ of legacy apps. And with Valve putting it's muscle behind it many older games are running well as well now. So I don't think Chinese goverment would have much of a problem moving off windows
I read somewhere that Soviet Union fell because it spent all its funds on projects like this. I wonder if this is beginning of the end or if they will be able to pull this off?
It might be a good sales pitch for “US-hardened equipment”.
I'll just point out that "replace foreign vendors with domestic for security reasons" is exactly what the US is trying to do to Huawei. I think the US and China are equally capable of succeeding at this kind of project..
I'd say the Chinese are more capable of this than the US, if for no other reason than that's the place where almost all hardware and hardware components are already made.
Yes, but the Soviets were running their entire economy like that. China and the US do stupid thing like that with their military spending all the time but they're taking in resources from healthy civilian economies rather than sclerotic ones.
I would not be suprised if it is an offshoot of FreeBSD. That way they could get away from the GPL license altogether and wont violate any licensing agreements.
If they based it off Linux, unless it was avalible to download online, it would probably infringe on the GPL somewhere. Assuming they care about those things.
Because each of their copy of Windows is properly licensed now, and they wouldn't want to blemish their saintly compliance record when they switch to something else.
I could be wrong, but I thought the GPL basically said "anyone who has access to the binary must have access to the source code". This is why you're allowed to write a webserver with GPL libraries without having to worry about releasing the code to the users (unless it's AGPL), since the users don't have access to the binary, just the stuff that the binary is producing.
If that were the case, I think they'd be in the clear legally to use Linux as long as they offered to provide the source code to anyone in the military who had access to the binary, which wouldn't be the general public.
That said, just to avoid the headache, I'd probably choose FreeBSD as well if I were in charge of the Chinese military.
Ideally for improving security, they should invest on supporting open source software, hardware and standards. Open Design Principle is much better long term strategy than Security by Obscurity. But for developers in China, there are a lot of obstacles with contributing to open source communities worldwide, so I can see that probably not going to happen.
End of the day, policymakers are more educated with economics than cybersecurity and computer science. They probably still gonna use Microsoft products.
>They probably still gonna use Microsoft products.
Even if they did get rid of most MS products. Some senior guy probabbly fires up windows and installs a dozen search bars.
I knew a guy who served in the gulf, he was pretty high ranking, handled some security stuff. Got a request from someone important to basically break all the rules because important guy didn't want to walk too far from his CHU to make a call home.... but he was high enough ranking so they did it. It wasn't even a far walk.
If you do it right, you get all the core components without incompatibulities.
But you will have to do more by hand and yes, then there is also a chance that you mess up those patches and create new vulnerabilities. But if you have a big budget ... like if you are a big military and security really matters, than it is probably worth it.
I strongly suspect that this new OS will be coming from Huawei.
It makes sense that a Chinese company develops an OS for their own government. We are in the spyware era, afterall.
I wouldn't be surprised to hear, years later, that Huawei's "backup" effort was never to replace Android on consumer devices but to fork it for Chinese government use. It's too convenient an excuse to have so much work done on so many doomsday scenarios. Huawei, I think, was already tasked for the new OS(es) by China.
Similarly, their efforts to replace Windows[0] was to provide their government with a "homegrown" OS solution. Not unlike Sailfish in Russia[1].
As much as I like the idea of a new OS competing on the world stage, preferably based on Open Source... it's simply not going to happen coming from either Huawei or China. Control of data is the the overriding motivator among nearly every tech firm and government. When these transitions take place (gov and Huawei consumer), I might as well be running RedStar OS or a US-based commercial alternative.
Huawei is not developing desktop OS. It has been developing a mobile/IoT OS. And I don't think anyone would develop a OS from scratch given the obvious option Linux.
I am surprised that some comments state that it "has to be linux". Since they can't magically reduce the time it would take to develop something that complex nowhere near their time constraints, it obviously has to start with something that already exists. But Linux is not the only open source OS out there, folks. If I were charged with this task, i'd start with OpenBSD, given its focus on security. The fact that most of base is BSD licensed also helps because no changes would be legally required to be opensourced. It also can run modern web browsers and libreoffice, which is a significant part of what goes for "desktop" computing these days.
Why would a Chinese Linux derivative need be open source? It's not like you're going to go into China and force the government to comply with your license.
It would be legally required to be opensource, whereas with BSD it wouldn't. That's all I argued. Whether some country will try to enforce it via whatever means is another question altogether.
91 comments
[ 4.8 ms ] story [ 176 ms ] threadF*cking morons.
https://en.wikipedia.org/wiki/Security_through_obscurity
I wonder how much that has to do with human nature thinking "well this is obscure" so then they don't secure it as if it was 'customer facing' or less 'obscure'.... and thus leave it more open than ever.
I knew a place that assumed such things, crazy insecure. They also played the "well this shouldn't be exposed to the internet" game as well.
> In recent years, security through obscurity has gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception.[9] NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.
I mean, Android took a decade to be usable, was built by one of the most talented and rich company on earth. Yet it is still limited in what it allows you to do: no office suite, limited driver support, weak multi-monitor, can use few FS formats, no RAID, etc. And that is despite Android actually wrapping a Linux Kernel.
Not to mentions they'll need to get so many basic tools ported.
No matter the high competence of the Chinese tech scene, their ability to brutally push an agenda and the number they can throw at it, I can't imagine a scenario where those resources wouldn't be better spent validating and customizing an existing distro.
However, I can imagine many reasons they would choose the harder road. And as a geek, I find it sane to remind myself that technical efficiency is not the goal of all entities.
I'm nitpicking, I know, but do Google Docs/Sheets/Slides count? They're clearly inferior to MS Office, but they do exist.
Downloading from: https://mirrors.huaweicloud.com/
Download cancelled.
For all the reasons you said, it would take so long to get something usable, let alone security....
1: http://www.ubuntukylin.com/index.php?lang=en
1: https://en.wikipedia.org/wiki/Deepin
A: It shut down in 2014, after China refused to pay 40 million yuan to keep it going.
If the do use Linux, I wonder that.
Not being snarky. Linux is unusable for "the average worker".
The problems are mainly unsupported hardware and lack of software support. But if you stick with open alternatives then you can do just fine.
I recently tested Kubuntu 19.04 on a 20 year old desktop, it works perfectly and even had third-party drivers for the video card.
It's just a matter of familiarity. She just want to check her mail et watch videos, after all.
Not to pick on you, but why when the question of Linux as a Windows substitute comes up, do people always have to offer anecdotes about their mother. I'm no SJW or radical feminist, but honestly, let's move on from that.
My comment is about "the average worker", not friends and family / personal use. For which, in my highly uber technical group of friends and family, (where mothers are C++ programmers), maybe 1 out of 20 (generously) find a Linux desktop usable.
Only in this forum, where people recognize the horrid low contrast, gratuitous whitespace, excessive bloat of the latest javascript "framework", know the difference between modeless and modal dialogs, understand why the gmail UI keeps moving in the wrong direction -- only in this forum, where UX is understood as a real "science" that needs attention, will people actually also claim that the Linux desktop is usable. It boggles the mind.
Sorry to go off on a rant, forgive me.
It took her an afternoon with me to figure it out.
Stop spreading this nonsense.
I have one phone from 2012. Wow ... so easy to do everything.
- no swipe first to unlock the screen: directly to pattern
- input method switching easy and convenient
- settings buried less deeply
- ...
Limited driver support? Android devices are typically highly integrated: they use custom SoC's (that you've never heard of) with drivers developed specifically for those SoC's and their blocks.
(Oh, your amazingly rare phone has a PCI slot, and your graphics card is not supported, bummer!)
Getting a hisilicon soc up and running is a joy compared to working on a qcom or Samsung soc. Upstream Linux often works out of the box.
If North Korea can pull that off, you can be sure China is well on the way. I would be quite amazed if that wasn't in the works all along already.
I think Ubuntu founder is still barred from entering US so he probably doesn't care...
It might be a good sales pitch for “US-hardened equipment”.
What's wrong with a little harmless fun?
If they based it off Linux, unless it was avalible to download online, it would probably infringe on the GPL somewhere. Assuming they care about those things.
If that were the case, I think they'd be in the clear legally to use Linux as long as they offered to provide the source code to anyone in the military who had access to the binary, which wouldn't be the general public.
That said, just to avoid the headache, I'd probably choose FreeBSD as well if I were in charge of the Chinese military.
> unless it was avalible to download online, it would probably infringe on the GPL somewhere.
The GPL does not mandate redistribution; it imposes conditions on redistribution, if/when redistribution happens.
Good luck imposing conditions on what China does "in-house" with some pieces of freeware.
End of the day, policymakers are more educated with economics than cybersecurity and computer science. They probably still gonna use Microsoft products.
Even if they did get rid of most MS products. Some senior guy probabbly fires up windows and installs a dozen search bars.
I knew a guy who served in the gulf, he was pretty high ranking, handled some security stuff. Got a request from someone important to basically break all the rules because important guy didn't want to walk too far from his CHU to make a call home.... but he was high enough ranking so they did it. It wasn't even a far walk.
A "security expert" at a F500 once showed my a web page on his laptop. Only 40% of the page was visible due to his 7-8 search bars.
Better would be both. You have a strong, open base, like Linux, but you modify it, so you habe a second level of defence.
But you will have to do more by hand and yes, then there is also a chance that you mess up those patches and create new vulnerabilities. But if you have a big budget ... like if you are a big military and security really matters, than it is probably worth it.
Okay. Good luck with that.
If they base it on Linux (didn't see evidence of that but didn't get that far in to the article) then that'll give them some head start.
It is Windows-compatible.
I strongly suspect that this new OS will be coming from Huawei.
It makes sense that a Chinese company develops an OS for their own government. We are in the spyware era, afterall.
I wouldn't be surprised to hear, years later, that Huawei's "backup" effort was never to replace Android on consumer devices but to fork it for Chinese government use. It's too convenient an excuse to have so much work done on so many doomsday scenarios. Huawei, I think, was already tasked for the new OS(es) by China.
Similarly, their efforts to replace Windows[0] was to provide their government with a "homegrown" OS solution. Not unlike Sailfish in Russia[1].
As much as I like the idea of a new OS competing on the world stage, preferably based on Open Source... it's simply not going to happen coming from either Huawei or China. Control of data is the the overriding motivator among nearly every tech firm and government. When these transitions take place (gov and Huawei consumer), I might as well be running RedStar OS or a US-based commercial alternative.
[0] https://www.scmp.com/tech/big-tech/article/3011660/microsoft...
[1] https://nokiamob.net/2019/02/09/sailfish-os-is-now-aurora-os...
It's for the military, not consumers. It won't need driver support or features like a consumer OS.
The more foreign the layout probably the better as you can train new habits more easily when the environment for old ones doesn't exist.
Have a feeling the end result will be the same, "We built it!"
spy leaks code hacked