Microsoft Hyper-V floats Chinese military Linux Microsoft's virtualisation stack is being updated to run a flavour of Linux built for China's national defence and other government systems. The world's largest software maker has signed a development and marketing agreement with China Standard Software Co (CS2C) to target China's cloud market . The focus is to make the …
It's pretty unwise for a defense institution to choose MS Windows Server as their host OS. Here's a few reasons why:
1) the code is closed (enough already not use it right here), the development and maintenance can't be controlled by the customer;
2) MS Windows' the OS because of its architecture peculiarities is not secure due to its lack of permissions and setuid/setgid model, and existence of very vulnerable protocols like RPC;
3) as a consequence of 2) any MS Windows Server host requires a 24/7 running resources-hungry antivirus software;
4) MS Windows products are not as easy configurable as their Linux/BSD-based counterparts....
1) The code is available to corporate/government customers who sign NDA.
2) You don't understand windows security architecture
3) I run av on non-windows machines
4) Seriously? I'm a Windows, Linux and UNIX guy - unless you only know one OS and try to configure others like it (ie: try to treat Windows as if it's UNIX, or vice versa) I have never heard anyone claim Windows is more difficult to configure than any other OS, I have heard - and experienced - Linux being harder than Windows.
#1 - How can you tell the source code you look at under NDA is the same code that has been compiled for your machine ? Oh, and if you don't like that little nifty feature phoning home to MS headquarters, what you are going to do about it ?
#2 - Windows security architecture ? You mean that thing where you can check the allow and deny boxes at the same time ? And after all this you still find Linux is hard ?
#3 - I called you Mr. Windows for the only reason that you're running anti-virus on a Unix machine, it shows you don't really understand what a.v. is for.
#4 - You are no doubt a competent Windows sysadmin forced to take care of non-Windows servers and this is why you find Linux being harder.
With all due respect....
1) this still means "closed", if you buy an MS product, do you have to hire a whole team of highly qualified IT eng. capable of dissecting giabytes of code? Are you allowed to tweak the code to your needs? As a Linux or whatever guy you know how modular the non-windows software is. This helps tremendously in isolating bugs and problems. How much modularity is there in Windows? Can one simply run a (headless) Windows server without the .. windows, i.e., gui libs ...sorry, dlls?
It's not I do not understand the Windows security model, no one understands it, hence the multi-million antivirus industry. It is even Microsoft does not understand it, since their holding on to RPC (stuxnet & conficker, to name a few), AutoRun/AutoPlay default features, "file extension" vs." file permissions " model. Is there such a thing or an analog of /etc/group and /etc/passw ? Instances when a system "gets infected" by an accidental link clicking (a script is downloaded and run, as a result system files are being changed ) is hard to imagine on my Debian or FreeBSD. Just got rid of such a virus on a friend's Vista.
2) I do not and the majority do not run antivirus software on Linux/BSD machines. Most exceptions are made when such a machine is a server with Windows client machines, e.g., googlemail
3) Compare configuration (a very nice) Far with that of mc file managers.
Again these are just very few reasons, I would not run MS Windows as a host, as a matter of fact M$ VT modules are not compiled into all of the kernels I use, so I pretty much immune to M$ bugs there :)
I've not run antivirus on my win box for several years (at least 4) because I know how to lock things down, combined with being careful. I've never had a problem.
Windows has plenty of security. If *you* can't use it then you can't really blame windows. If holes which can be closed, aren't, blame *yourself*.
BTW I think you are deliberately trolling. Else you are more stupid than i realised.
I hate trolls.
You happen to be almost unique in that habit of dispensing with the av on MS Windows.
Even Microsoft recommends running antivirus software, but you are not trolling, therefore you outsmarted Microsoft and everybody else! If you want to know the Chinese translation of the "get the f** out of here", advise their Defense agency to follow you in this wisdom.
>>3) I run av on non-windows machines
RedHat, Debian, Free(Open,Net)BSD never even mention running any type of av on the Gnu/Linux or BSD machines, unless connected to MS Windows clients. But you do!
You seem to hate the logic as well. Well, trolling might be counterintuitive even for a " Windows, Linux and Unix" guy. So do not hate yourself.
I agree with your sentiments but not necessarily your conclusion...
1) the code is closed (enough already not use it right here), the development and maintenance can't be controlled by the customer;
Are customers savvy enough to understand the code to "control" it...? Also, with a closed OS, the addition of malcode is significantly less likely than open source where *anyone* can edit it. Remember the unconfirmed NSA claim a few years back they put backdoors into Linux...?
2) MS Windows' the OS because of its architecture peculiarities is not secure due to its lack of permissions and setuid/setgid model, and existence of very vulnerable protocols like RPC;
Hm. There are plenty of hacks that leverage "S" or "G" to elevate privs. Also windows does have a full permissions model that has more functionality and granularity that anything I have seen except VMS. Regarding RPC, the protocol is not insecure. All the bugs in DCERPC are related to implementation or design faults of a particular interface. Implementation bugs are also not related to MS code. What about the rash of OpenSSH vunls that came out 5-6 years ago...? In reality, both Linux and MS offerings are likely to have implementation bugs. That is why testing is so important.
3) as a consequence of 2) any MS Windows Server host requires a 24/7 running resources-hungry antivirus software;
Hm.
A hypervisor shouldn't need to run an AV product. No-one should be using the hypervisor itself. all it does is schedule access to resources for guest VM's.
4) MS Windows products are not as easy configurable as their Linux/BSD-based counterparts...
YMMV. GPolicy is very powerful especially with AD but the concept *is* difficult to catch. However once you have it, it is arguably easier than the messed up config files on a Linux / BSD box...
I have not seen the MS System Centre solution but the rumour I heard surprised me about what it could do.,
For my opinion, I think HyperV is worthy of consideration. Your arguments present one point of view from a pro open source standpoint.
I'm a security guy and MS is no longer the automatic bad guy.
I am not an MS or Linux fanatic. I just use them for my job and this means living in the real world where often the reason for making a particular choice is financial or political.
>>There are plenty of hacks that leverage "S" or "G" to elevate privs. Also windows does have a full permissions model that has more functionality and granularity that anything I have seen except VMS.
And this out of the box? How many Windie admins know how and use this indestructable power of security... and hence abstain from antivirus software? That would mean that there should be virtual user/groups routinely created to run different jobs , like www-data or ? Right? How does a system look at a file with the extension exe, by defaultt?
>>Regarding RPC, the protocol is not insecure. All the bugs in DCERPC are related to implementation or design faults of a particular interface. Implementation bugs are also not related to MS code. What about the rash of OpenSSH vunls that came out 5-6 years ago...?
You tell this to 80 million victims of conficker. According to netcraft and others WinServer is run on less than 30% of all web servers today, the rest is mostly Linux and variants of BSD often utilizing open-ssh. And BTW, that particular Open-SSH vulnerability hit how many machines on the net?
It seems unlikely that MSFT would give their souce code to anyone in China, although perhaps the Chinese could get the source through other means (hint, APT).
But this seems like an excellent outcome for the US: crappy broken software running on Chinese military computers must make it easier for the US to find out what the PLA are up to.
@AC #4: I've never heard of a serious Linux and UNIX guy who considered Windows comparable to either.
Yeah but: Most Mainframe guys think everything else is rubbish, I know Tandem guys who laugh at Mainframe, Solaris guys who rubbish Linux, Windows guys who think HP-UX is awful, etc. etc. etc.
Guess what? Most OS users/admins think that all other OSes are rubbish for one reason or another, 99% of the time this is just because they don't know the other OS and rubbishing something, rather than learning it is far easier.
Ahem cough...
Recall the Chinese got access to the source code.....
http://www.guardian.co.uk/world/us-embassy-cables-documents/214462
and from the pre-Wikileaks era...
http://www.informationweek.com/news/software/operating_systems/225400063
http://news.cnet.com/2100-1016_3-5083458.html
ad infinitum... just do a web search.....
For such a large deployment, the Chinese will get access to Microsoft Consultancy who will build a secured environment to spec. The problem is that most admins from ma and pa outfits eg their standard info from MCP books which is just not up to the job required here.
I have worked in Network engineering at Tier-1 and Tier-2 ISPs for the last 10 years and I tell you the Windows guys barely understand basic TCP/IP, ARP, traceroute etc.
Windows is still relatively young compared to Unix but I would proffer that more often than not it is the lack of skills with the operator and not the underlying OS.
inb4 blah blah blah
The big question here is why is MS helping China update its defense systems?? China is going to be the biggest military threat to the west since the soviet union in the 21st century. Do we really want to help then upgrade that threat just for a few pieces of silver? Its already a known fact that the Chinese government has been involved in cyber attacks and espionage against western companies yet here is MS having is tummy tickled and being given some dog food to help this country. Frankly I believe there should be a ban on any western country doing business with China where that business involves anything to do with defense.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
