Jul 03 2009

Why the attack on Chinese censors failed

Published by Heike under Censorship

If you don’t read Chinayouren, you should.  Hell, I didn’t even know that “anonymous” netizens had planned an attack on Chinese censors.  Chinayouren is one of those people who is not only a fantastic linguist but also very well attuned to the current social issues on the Chinese net.  He certainly knows more about the mechanism of censorship inside of China than just about anyone I know.

The article on the failed attack on Chinese censors is a must read and his analysis of those “anonymous” netizens will probably surprise you.  Click the links inside the post to get the full story.


Jul 02 2009

KnownSec stores tens of thousands of viruses found on Chinese websites

Published by Heike under Chinese Malware

KnownSec is sharing the database and also reports finding more than 100 trojan downloaders a day.

The database covers more Chinese Web sites and provides more up-to-date information about their security than any other, Zhao said in the interview. China produces the majority of the world’s malware, he said.

A history for each site in the database lists dates of malware infection, the strings of malicious code placed on the sites and which antivirus products defend viewers against their attacks. The database also stores tens of thousands of viruses found being distributed by the sites.


Jul 02 2009

New leader of the Red Hacker Alliance?

During the Olympic Games, a secret organization was formed by a Chinese hacker named Wang Zi to protect Olympic websites against foreign hackers. While they won’t say, reprisals were probably taken against offenders.

This article, from the People’s Daily, details Wang Zi’s efforts to bring back the patriotic spirit of the Red Hacker Alliance.

“The Tao that can be described in words is not the true Tao. The Name that can be named is not the true Name,” – the first two sentences of Tao Te Ching are the slogan of hong ke that appear on the new union’s new homepage.

After the Olympics, Wang Zi’s group retired from the web for a short time, and then on the first day of this year, the group made a bold new announcement.

The blurb on their newly-launched website reads, “Hong ke culture is back. We will hold and transmit hong ke spirit focusing on justice, pioneering and love for the motherland.”

Lin Lin, the leader of Evil Octal (another Chinese hacker organization), refutes Wang Zi’s claim to the title of new leader:

“Lion is the spiritual leader of the hong ke union,” Lin Lin, a leader of hacker group Eviloctal Security Team, told the Global Times. “And without him, no hong ke organization can be regarded as a reorganization of the original.”

The article goes to great lengths to distance the organization from being government sanctioned:

Wang Zi says his union is a purely non-governmental organization. They could not register the union’s name with the Ministry of Industry and Information Technology until they deleted “Zhongguo” (China) from it.


Jul 01 2009

China has cyber worries too

Published by Heike under Uncategorized

H/T: Mark

Received an interesting e-mail from one of our readers named Mark who suggested I take a look at an article dealing with Chinese fears of US hackers and the possible threat to its cyber sovereignty:

In that context, the article I came across in the English-language China Daily was an eye-opener. The title was “China at the mercy of global hackers.”

Early in the article, a Chinese academic expert on cyber warfare said: “In a worst-case scenario, a security breach could result in the breakdown of the energy supply and collapse of the financial system, not to mention a collapse of the national defense capability.… The capability to defend China’s information and cybersecurity is extremely weak, and many of its online applications remain vulnerable to assault.”


Jul 01 2009

Curse you Chinese hackers…for not telling us that the upgrade to WordPress 2.8 would destroy our blog!

Published by Heike under Evil and/or Stupid

First, thank you to everyone who sent an e-mail asking if everything was okay.  Yep, we are fine with the exception of a few missing images that will be replaced as time permits.  Second, Chinese hackers did not take us down; it was a combination of the upgrade to WP 2.8 and GoDaddy.  Long story, but the hero for returning the site to normal is, of course, Jumper.

Also, sorry for the long delay in posting.  Just returned from a two-week trip to China, visited the cities of Beijing, Xi’an, Nanjing and Shanghai.  Returned to a ton of work,  a zillion e-mails, broke the blog and had the flu.  Pretty full week.

We really do appreciate your patience and concern, things should be running close to normal again.


May 24 2009

To those who gave so much

Published by Heike under Uncategorized

While placing the US flag in front of the house today, I thought of all that it meant and those who sacrificed so much to defend it.   Soldiers were giving out poppies in front of the PX and my little one got a stuffed “Buddy Poppy.”  A little dog covered with red poppies, it really touched me.

We cherish too, the Poppy red
That grows on fields where valor led,
It seems to signal to the skies
That blood of heroes never dies.


May 23 2009

Chinese internet shut down by simple DDoS attack

Published by Heike under Uncategorized

Well, a large portion of it anyway. A DDoS attack on one domain server created a cascade reaction that left five provinces struggling to get online:

This is what happened during the DNSPod incident, however, it triggered a chain of unexpected events, which led to network congestions for the carrier networks. DNSPod’s servers happen to be used by Baofeng, a highly popular Chinese video streaming service. Once the millions Baofeng users fired up their desktop application, all the requests bounced off on the ISP servers, which did not know how to process them.

The intense traffic on the high-level servers caused bottlenecks, slowing everyone’s Internet connection down to a crawl. In addition to the users in the five aforementioned provinces, who were severely affected, customers in Henan, Anhui and Gansu have also reportedly experienced problems.


May 22 2009

…and boy are my arms tired

Published by Heike under Uncategorized

[Image: paper1]

Hey guys, just got back from China and picked up a couple of books that should be of interest.  The book on the left is International Situation and Security Strategy by General Xiong Guangkai.   I read about the book in China Daily and went all over Beijing to find it.  General Xiong is considered “the ultimate insider” with knowledge of policy-making in China.

The second book is Internet Wars (Win the Internet, Win the Future) and the author is described as an internet researcher with a background in policy.

Oh, I am now certified Swine-Flu free in three countries.  Mom is awful proud.

…must sleep now.


May 18 2009

More on Kylin…

Published by jumper under China internet

Update 3 (May 21, 0130 GMT): Apparently there is another more recent version of Kylin out there.  A TDV reader commented that although the site (www.kylin-os.com) is down, the Kylin v3.0 based on a 2.6 Linux kernel does in fact contain some security features including MAC, RBAC and file system ACLs.  The information in the Google cache is limited but it appears that this is a lot closer to what was described in the Washington Times article.  I tested the kylin-os.com website from a proxy in the PRC to be sure that it wasn’t just blocked outside of the mainland and it appears to be down there too.  Thanks a lot to Spath for pointing out the gaping hole in my research.

So… There has been a lot of hype about the supposedly secure made-in-China OS called Kylin.  I’d like to take a moment of your time to explain the backstory and provide some of the details that I was able to find out after downloading it and taking it for a spin.

This all started with a May 12 Washington Times article titled “China blocks US from cyber warfare” by Bill Gertz.  The article starts off with a compelling bit:

China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing’s networks impenetrable to U.S. military and intelligence agencies.

I found this to be very interesting because it was the first time I had ever heard about this effort.  I was aware of Red Flag Linux and Asianux but hadn’t heard of any made-in-China operating systems designed for security.  I was intrigued for sure and surprised to find out that the operating system can be downloaded in two iso files from kylin.org.cn.  It took about four days to complete both of the downloads and about ten minutes to install in a VM.

For a more complete back story, check out this article by Jonathan D. Abolins.  One thing to note is the reference to the dancefire.org site that compares the Kylin kernel to FreeBSD and indicates that the two are practically the same.  It isn’t clear what version of Kylin the dancefire.org blogger was working with on this comparison, but Kylin 2.1, which is presently available for download, is Linux 2.4.  Perhaps earlier versions of Kylin used FreeBSD with Linux compatibility, but the only version available for download at present is Linux:

uname -a = Linux 2.4.18

The interface is a themed Gnome similar to Microsoft Windows.  The menus look more like KDE to me but Gnome is the only manager running.

[Image: Kylin 2.1 Desktop]

Kylin 2.1 also has RPM installed so it is probably a Red Hat derived Linux.  It has some interesting things installed in the base install like tripwire and webalizer.  Apache 2.0.46 is installed but it doesn’t start automatically.  The sshd starts at boot and is version 3.6.1p2.  There doesn’t seem to be any way to get updates for Kylin through something like yum or synaptic.  In fact, there aren’t even any updates posted to the kylin.org.cn website to download.

The kylin.org.cn website gives us a glimpse into the activity level behind the OS.  There hasn’t been a new bug report filed in at least two years.  The forum has some recent activity but there have been long periods without any posts on the forum.  Many of the forum posts are related to complaints about how much English is used in the OS and posters seem to want an OS that is more in touch with Chinese culture and language.  There are a number of technical areas of the forum but there isn’t a lot of recent activity there.  The news page on the kylin.org.cn website is updated frequently with general news about technology in China.

So it seems that this operating system is not really what it was presented as.  The Washington Times article references Kevin G. Coleman, an advisor to the government, as the primary source for the Kylin information.  I doubt that it was an intentional misrepresentation but it is difficult to imagine presenting Kylin as anything to be concerned about when it didn’t take very much effort to figure out that it isn’t worthy of anyone’s attention.  Not only is it not widely deployed, it isn’t new, unique or in any way innovative in terms of security.

Update: This whole article was based on my very limited analysis of Kylin 2.1.  Kylin 3.0 contains several security features similar to what is found in the SELinux extensions.  Kylin 3 sounds much more like what Kevin G. Coleman was talking about in the hearing.  I was not able to download Kylin 3 and didn’t find out about it until long after this post was made.

Update: After some comments on other blogs and forums, I took a closer look at the kernel files and this is clearly FreeBSD with Linux binary compatibility.  Everyone knows what happens when you ass-u-me…

Update 2: Here is a screenshot of the partitioning stage of the installer for Richard:

[Screenshot: Kylin disk partitioning]
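
The updates above turn on the gap between what `uname` reports and what the kernel files show. As an added example (not part of the original post, and not the method the author used), the Python below reads two pieces of evidence from an ELF file: the OS/ABI byte in the header (9 is FreeBSD, 3 is Linux, 0 is unbranded System V) and the owner names of any PT_NOTE records ("FreeBSD" or "GNU"). The function names and the two sample images are constructed for illustration; which file to inspect on a given system is left to the analyst.

```python
import struct

OSABI = {0: "SYSV", 3: "Linux", 9: "FreeBSD"}  # e_ident[EI_OSABI] values (elf.h)
PT_NOTE = 4

def elf_brand(img: bytes) -> dict:
    """Collect OS evidence from an ELF image: OSABI byte and PT_NOTE owner names."""
    if len(img) < 64 or img[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = img[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if img[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), img, 0x20 if is64 else 0x1C)
    phentsize, phnum = struct.unpack_from(e + "HH", img, 0x36 if is64 else 0x2A)
    owners = []
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + (56 if is64 else 32) > len(img):
            break                          # truncated program header table
        if is64:
            p_type, _, off, _, _, size = struct.unpack_from(e + "IIQQQQ", img, base)
        else:
            p_type, off, _, _, size = struct.unpack_from(e + "IIIII", img, base)
        if p_type != PT_NOTE:
            continue
        pos, stop = off, min(off + size, len(img))
        while pos + 12 <= stop:            # walk the Elf_Nhdr records
            namesz, descsz, _ = struct.unpack_from(e + "III", img, pos)
            name = img[pos + 12:pos + 12 + namesz].rstrip(b"\0")
            owners.append(name.decode("ascii", "replace"))
            pos += 12 + ((namesz + 3) & ~3) + ((descsz + 3) & ~3)
    return {"osabi": OSABI.get(img[7], f"other({img[7]})"), "note_owners": owners}

def looks_like_freebsd(img: bytes) -> bool:
    ev = elf_brand(img)
    return ev["osabi"] == "FreeBSD" or "FreeBSD" in ev["note_owners"]

def sample_elf(osabi: int, owner: bytes) -> bytes:
    """Constructed 32-bit little-endian ELF stub with one note (sample input only)."""
    name = owner + b"\0"
    name += b"\0" * (-len(name) % 4)
    note = struct.pack("<III", len(owner) + 1, 4, 1) + name + bytes(4)
    ident = b"\x7fELF" + bytes([1, 1, 1, osabi]) + bytes(8)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_NOTE, 84, 0, 0, len(note), len(note), 4, 4)
    return hdr + phdr + note

if __name__ == "__main__":
    for label, img in (("freebsd-like", sample_elf(9, b"FreeBSD")),
                       ("linux-like", sample_elf(0, b"GNU"))):
        print(label, elf_brand(img), looks_like_freebsd(img))
```

On a real image, pass the file's bytes to `elf_brand`; a header brand and a note owner that disagree are themselves worth a closer look.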


May 13 2009

Kylin Secure OS

Published by Heike under Uncategorized

First, I want to thank J.D. Abolins for taking the time this week to school me on cyber warfare.  Needed to get up to speed on the latest and greatest in current thinking on the subject and J.D. provided me with chapter, line and verse.  As I recall, he was also one of the first people to link to this blog.

So, how do you repay someone who took time out of their busy schedule to do you a personal favor? Manners dictate that you steal their detailed research on Kylin of course! Yep, we here at TDV just roll that way.

J.D. Abolins on Kylin Secure OS

Thanks J.D.
