Russian Military Moves Closer To Replacing Windows With Astra Linux (zdnet.com)
An anonymous reader quotes a report from ZDNet: Russian authorities have moved closer to implementing their plan of replacing the Windows OS on military systems with a locally-developed operating system named Astra Linux. Last month, the Russian Federal Service for Technical and Export Control (FSTEC) granted Astra Linux the security clearance of "special importance," which means the OS can now be used to handle Russian government information of the highest degree of secrecy. Until now, the Russian government had only used special versions of Windows that had been modified, checked, and approved for use by the FSB. Astra Linux is a Debian derivative developed by Russian company RusBITech since 2008, the report says. "RusBITech initially developed the OS for use in the Russian private market, but the company also expanded into the local government sector, where it became very popular with military contractors."
Finally, the year of Linux on the . . . (Score:5, Funny)
Tank Top!
Going to war without a homegrown OS (Score:4, Insightful)
There really hasn't been a major western war since modern operating systems were invented. At some point when this happens will they use the same OS. At that point what happens? With Linux weaponized who will run the repository? Is it possible that a shortage of major OSs actually prevents war because you can't go to war without it but the technology isn't all within your control?
I note for example that because the key ingredients for cordite were imported to England from Germany that had it not been for Chaim Weizmann's discovery of acetone production by bacteria that Britain would have lost in WWII.
Since Vietnam, wars have been skirmishes and proxy wars. Sure, Saudi Arabia attacks Yemen using all equipment they purchased, but this only underscores how nations that could control the tech choose not to. It exposes how deeply vulnerable the purchasing nation is. Likewise Iraq and now Iran builds its military work off smuggled tech products or illicit trade deals (Huawei). Sure they do get away with it but it's a very vulnerable position and so the embargoes are effective in that sense even if they don't stop the transfers.
Now we have some things like rare earths sourced from China. But in fact these are not rare. They are abundant. It's just the economics that make them sourced from China for now. Large quantities of lithium are more rare (Bolivia). As is helium. And cobalt may be the next unobtanium (half of it is in Congo). While oil is not in every country the market is pretty distributed, so it takes concerted pressure to shut it off.
But operating systems are truly rare. There's BSD, Linux, and Microsoft. Sure there's plenty of other ones. But if you want the major lineages them's it. So getting cut off from the main trunk of one of these could be interesting. You can fork it. And for a while you'll be fine. But your fork will drift and fall behind the main trunk.
Re: (Score:3)
Typo: WW I
Re: (Score:2)
There really hasn't been a major western war since modern operating systems were invented. At some point when this happens will they use the same OS. At that point what happens? With Linux weaponized who will run the repository?
It doesn't matter. Presumably if you depend upon it you've already mirrored the repos, including source. If there's a war, you maintain your fork until the war is over, then merge.
Re: (Score:3)
It doesn't matter if your OS drifts away from the root as long as it's good enough already. What you really need to ensure is that the attacks you design to use against your adversary can't turn around and be used against you. So some particular drift would be a positive benefit.
Re: (Score:1)
That's called asymmetrical warfare advantage. But it equally applies to trade protectionism.
We also know some Russians are using old typewriters - physically safe at all levels.
We know that Windows has so much code, so many modules not looked at for over 10 years - not even capping string overflows - that even having the source code is pretty useless. We know Intel processor flaws have amplified bad/sloppy coding opportunities.
We know most people need months and months to deploy fixes as side eff
Finally the year of Linux on the (Score:1)
Nuclear Wessels!
doesn't use selinux (Score:3)
https://xn--80ac3cm.xn--p1ai/w... [xn--80ac3cm.xn--p1ai]
What is interesting here is that they actually do NOT use SELinux, but rather something else to achieve mandatory access control.
Re: (Score:2)
If you read the context, it is in place of SELinux mandatory access control model using DAC, but I agree it is not clear if, for example, they hook the SELinux hooks with something really different, are actually doing something very different, or are simply using a different model/underlying implementation of MAC than DAC. The article suggests to me the latter, that they are likely using the hooks, but applying a different rules system. I was looking into this when I first noticed they referred on the ast
Re: (Score:1)
SELinux is developed by the NSA. I wouldn't use it if I wanted to make sure my Linux OS was secure against US hackers, either.
People do remember that it's an NSA project, right? It's the method the NSA used to backdoor Linux, in the name of "security."
Re: (Score:2)
Sorry, but the NSA has a dual mission (at least officially), and one of their missions is to safeguard US communications. I'll grant that the spying part seems to have become strongly dominant, but hopefully part of that is because they're just more newsworthy.
Re: (Score:3)
Assuming they are telling the truth about what their Linux contains. Trust and Kremlin are never uttered positively in the same sentence.
One drawback... (Score:3, Insightful)
That is going to make Linux a bigger target for the US intelligence services (injecting vulnerabilities etc - and don't say that isn't easily possible), which is bad news for those of us for whom the Year of Linux on the Desktop came in the 90's.
It's a trope that there's no "security through obscurity"... except there actually is. Sometimes flying under the radar does in fact help.
Re: (Score:3)
Um, no. You may avoid statistically significant attacks, but, with full respect to the Debian team, it isn't uncrackable. Nothing is uncrackable, you just need the right hammer. Obscurity/reachability may inhibit, but doesn't prevent breaches.
Core kernels might be great. Any open port is a problem. Barring that, a nearby machine listens for adjacent clock variations. Sure, tougher and tougher, but dark budgets have few limitations no matter which side of what border is under consideration.
Re: (Score:1)
with full respect to the Debian team, it isn't uncrackable
I don't think I said it was. I can't see that we are actually disagreeing about anything here.
I'm only saying that there is going to be a stronger incentive for other (US/EU/etc) intelligence services to either discover, or plant, more vulnerabilities in Linux.
Re: (Score:3)
We agree except for the tense of your verb. Don't think that it's not already done, packed in a silo, updated like clockwork. There *has* been this effort and I have no doubt it's been continuing for a long time, and is not the only target.
Can another Snowden event be prevented? Tough to tell. Seems he's in Russia right now.
Re: (Score:3)
Resources? Bah. Cut and paste. Lots of stuff out there to give you a very bad day. Honeypots are hit typically 30K times a day, 24/7, each with a small warhead. Eventually, one of those warheads fits a lock that springs open a hole. Then the hole gets wider and finds other holes.
The zero-trust model helps make it rough to spread inside a network block. It's trivial to find assets, unless they're opaque, which then means someone must waste time spraying attack mindlessly until one of them gets a response, an
Re: (Score:2)
Yes and no.
Some rootkits are wise and stay very quiet and leave few or no traces. Some are stupid. But a daemon or its conf file is more likely to be damaged, quietly, syslogs erased, etc.
Obscurity has nominal validity as it's just one more hurdle to surmount. It's not a thick layer, but it's a layer.
Re: (Score:2)
Obscurity does bring security, but if you're depending on it you won't know when you're penetrated.
OTOH, I think it's a pretty safe bet that the Russians cloned the Astra Linux tree quite a while ago, and since then have only imported patches. Patches that they could investigate carefully. So adding new vulnerabilities to the current Linux tree wouldn't help much. And they would be carefully investigating to remove any old vulnerabilities. If they find one they *might* tell us about it. Or tell us about
Re: (Score:2)
Good luck compiling docker
Perhaps they'll just skip Docker.
Re: (Score:2)
I do wonder if they got rid of/don't use systemd. Apparently Astra is downloadable, and some form of Debian, so it should be possible to actually find out.
Re: (Score:1)
Systemd isn't actually bad once you get to understand it properly.
Yawn... This Again (Score:1)
Spoiler alert.
They won't actually do it.
Why these "unknown" distros? (Score:2)
Re: (Score:1)
Because there must be someone within the borders who is responsible that there are no backdoors.
Re: (Score:2)
Too much overhead and bullshit. Systemd, AppArmor, Snapd....
Re: (Score:2)
It claims to be based on/some form of Debian, actually. I am not sure offhand what Debian release it may be based on, or if it simply uses deb packages. They do not use SELinux, though apparently have something "similar" in some way.
More reasons to lose American-owned software (Score:2, Insightful)
It's clear that Windows (and macOS) today serves as an important tool in retrieving information to the U.S. Not because Microsoft wants it that way, but because the U.S. government and its NSA can order it.
If you're working in government, technology, finance or banking, then most likely you may be a target for passive retrieval of data on your Windows machine. It's trivial to facilitate Windows into doing this, and all it takes is to identify whether a particular Windows machine is of interest or not, and t
Re: (Score:2)
Indeed the Huawei issue is pot and kettle, and only serves to remind/make others consider why they may not want US based products or services either.
Re: (Score:2)
Linux is only one alternative, albeit the easiest. A BSDUnix is another choice. If you're really paranoid you could grab an old Minix tree and develop from that, even though the Hurd never got anywhere with *their* microkernel.
I don't think anyone's masochistic enough to grab an old IBSYS tree and develop from that, though. But it's almost guaranteed that no current attack would work if you did.
Most of the other alternatives never got enough development to eliminate even the worst bugs. But Haiku https: [haiku-os.org]
Re: (Score:2)
Because the new trees may have had exploits slipped into them. (Probably not, but if you're paranoid enough to pick Minix, might as well be safe.)
GNU Seal (Score:3)
Re: (Score:2)
There are "patented" things bundled in this particular distro, so my initial inclination is to say very probably no.