Archive for the 'China internet' Category

May 18 2009

More on Kylin…

Published by jumper under China internet

Update 3 (May 21, 0130 GMT): Apparently there is another more recent version of Kylin out there.  A TDV reader commented that although the site (www.kylin-os.com) is down, the Kylin v3.0 based on a 2.6 Linux kernel does in fact contain some security features including MAC, RBAC and file system ACLs.  The information in the Google cache is limited but it appears that this is a lot closer to what was described in the Washington Times article.  I tested the kylin-os.com website from a proxy in the PRC to be sure that it wasn’t just blocked outside of the mainland and it appears to be down there too.  Thanks a lot to Spath for pointing out the gaping hole in my research.

So… There has been a lot of hype about the supposedly secure made-in-China OS called Kylin.  I’d like to take a moment of your time to explain the backstory and provide some of the details that I was able to find out after downloading it and taking it for a spin.

This all started with a May 12 Washington Times article titled “China blocks US from cyber warfare” by Bill Gertz.  The article starts off with a compelling bit:

China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing’s networks impenetrable to U.S. military and intelligence agencies.

I found this to be very interesting because it was the first time I had ever heard about this effort.  I was aware of Red Flag Linux and Asianux but hadn’t heard of any made-in-China operating systems designed for security.  I was intrigued for sure and surprised to find out that the operating system can be downloaded in two ISO files from kylin.org.cn.  It took about four days to complete both of the downloads and about ten minutes to install in a VM.

For a more complete back story, check out this article by Jonathan D. Abolins.  One thing to note is the reference to the dancefire.org site that compares the Kylin kernel to FreeBSD and indicates that the two are practically the same.  It isn’t clear what version of Kylin the dancefire.org blogger was working with on this comparison but Kylin 2.1, which is presently available for download, is Linux 2.4.  Perhaps earlier versions of Kylin used FreeBSD with Linux compatibility but the only version available for download at present is Linux:

uname -a = Linux 2.4.18

The interface is a themed Gnome similar to Microsoft Windows.  The menus look more like KDE to me but Gnome is the only manager running.

Kylin 2.1 Desktop

Kylin 2.1 also has RPM installed so it is probably a Red Hat derived Linux.  It has some interesting things installed in the base install like tripwire and webalizer.  Apache 2.0.46 is installed but it doesn’t start automatically.  The sshd starts at boot and is version 3.6.1p2.  There doesn’t seem to be any way to get updates for Kylin through something like yum or synaptic.  In fact, there aren’t even any updates posted to the kylin.org.cn website to download.

The kylin.org.cn website gives us a glimpse into the activity level behind the OS.  There hasn’t been a new bug report filed in at least two years.  The forum has some recent activity but there have been long periods without any posts on the forum.  Many of the forum posts are related to complaints about how much English is used in the OS and posters seem to want an OS that is more in touch with Chinese culture and language.  There are a number of technical areas of the forum but there isn’t a lot of recent activity there.  The news page on the kylin.org.cn website is updated frequently with general news about technology in China.

So it seems that this operating system is not really what it was presented as.  The Washington Times article references Kevin G. Coleman, an advisor to the government, as the primary source for the Kylin information.  I doubt that it was an intentional misrepresentation but it is difficult to imagine presenting Kylin as anything to be concerned about when it didn’t take very much effort to figure out that it isn’t worthy of anyone’s attention.  Not only is it not widely deployed, it isn’t new, unique or in any way innovative in terms of security.

Update: This whole article was based on my very limited analysis of Kylin 2.1.  Kylin 3.0 contains several security features similar to what is found in the SELinux extensions.  Kylin 3 sounds much more like what Kevin G. Coleman was talking about in the hearing.  I was not able to download Kylin 3 and didn’t find out about it until long after this post was made.

Update: After some comments on other blogs and forums, I took a closer look at the kernel files and this is clearly FreeBSD with Linux binary compatibility.  Everyone knows what happens when you ass-u-me…

Update 2: Here is a screenshot of the partitioning stage of the installer for Richard:

Kylin disk partitioning


16 responses so far

May 05 2009

Baidu Censorship Keyword Leak (wikileaks)

Published by jumper under Censorship, China internet

On May 1, a zip file was posted to wikileaks.org that contained several internal files that appear to be from Baidu.cn, the most popular search engine in the PRC.  There is an html file within the zip that contains several sections with a list of key phrases that will cause the search engine to filter the results.  Here is an automated translation of each category (after the jump):


11 responses so far

Apr 26 2009

PRC Hacker Street Tax

Some Chinese hackers have been arrested for performing DDoS extortion attacks.  The hackers launched a successful denial of service attack on a well-known website and then sent an SMS text message asking for 30,000RMB (about 4,400 USD).  At least one of the hackers was arrested on April 7th in Changsha City, Hunan Province.

See the rest here.


3 responses so far

Feb 16 2009

I KNOW where Baidu got its name…and other unhealthy fears

Published by Heike under China internet

Things that freakin’ haunt you.  Once when I was in Beijing, a teacher asked me about the meaning of the phrase, “dressed to the nines.”  She was using the Madonna soundtrack, “Don’t Cry for Me Argentina” to help her class learn English:

Me: Oh, it means to be well dressed.

Her: (Horror!!!) What is the origin of this phrase?

Me: Well…it came from.. history…about…stuff.

Her: If you don’t know answer, that is okay.  I’ll ask someone else.

Me: No, I’m sure that is the meaning…really!

Okay now I know.  Still, a horrible feeling.

I often have this fear of not being able to answer simple questions about things I should know.

So, in the interest of useless knowledge, the origins of the word Baidu.


One response so far

Feb 12 2009

Chinese “Google Earth”

Published by Heike under China internet

The link provided does a great job of translating the article on China’s Google Earth into English but fails to mention the security issues associated with a Chinese version. It also leaves out the fact that there will be a government edition, or a link (any link) to the original imagery.

This is not a criticism, I edit stuff all the time, leaving out the chunks I think you guys would probably find boring.  Plus, let’s face it, the average person really isn’t that into security related issues.  I’ve routed to the original imagery:

From the link:

The Chinese State Bureau of Surveying and Mapping recently launched the project proposal on a Chinese version of ‘Google Earth’ which is based on an existing program designed and implemented by Chinese scientists called ‘Geo Globe’.

…More on China’s Google Earth


No responses yet

Feb 10 2009

Text messaging service and experiment 情人节手机短信

Published by Heike under China internet

Still keeping an eye on Baidu’s top searches and noticed among this week’s top results the key term “Lantern Festival Text Messages.”  We saw pretty much the same thing happen during the beginning of Chinese New Year.

The experiment:

At least in my mind, part of studying the Chinese hacker community is learning how to think like they do; to anticipate their next move.  We know that holidays are a good time to attack online shopping, e-mails, cell phones and set up phishing sites.

So, as a Chinese hacker, how do I go about setting up a phishing site to get the best results?  My guess is that you have to be ahead of the curve on what is about to happen and understand the culture.  Valentine’s Day is just around the corner and if the trend holds true, a lot of people in China will be searching for that perfect text message to send.

Having this blog a little over a year, experience tells me that we get the most hits and are ranked highest when we post first.  If you report after something happens, keyword search results are much farther down the list.  You also want to have as many of the keyword phrases in your meta data and posts as possible:

情人节短信

(NOTE: All the links provided run back through the original site where I found these Valentine’s Day text messages, so the owner won’t lose traffic.  Also, the links click through to the corresponding requests in the hope I don’t annoy people who did not sign up for some damn internet experiment.)

Obviously, I’m much too lazy to be a decent hacker because I’ve only provided a few possible text phrases and I’m not about to change the metadata on the blog.  The post is three days out from Valentine’s so that should put us higher in the search results.  What I want to see is how many possible victims we would attract with this very simple experiment.  I’ll post updates on the number of hits we get from search engine traffic with Chinese text.  That should eliminate all the results from direct traffic and most others.

Right now I’m sure there are plenty of professional search engine optimization people and honeypot researchers who want to just punch me in the face for doing something so stupid.

UPDATE: So far we have a grand total of: 10 hits


No responses yet

Feb 08 2009

Chinese netizens…bringing the awesome

Published by Heike under Censorship, China internet

If you follow China’s online development or political movements, then you are probably aware of the anti-pornography campaign.  What you might not know is that Chinese netizens are pushing back with online activism and Beijing is responding.

Clothing Renaissance paintings…freakin’ priceless!


2 responses so far

Feb 06 2009

China’s 2008 Top 10 viruses and organized crime

Yesterday, Jiangmin released their 2008 Computer Virus Epidemic report showing the top 10 viruses for 2008.  The report further noted that online organized crime elements were forming underground industrial chains to manufacture and disseminate viruses.

In 2008, there were 1.09 million viruses intercepted, representing an increase of over 200% from 2007.  The report also stated that over 28 million computers had been infected by viruses and this reflected a drop of 18.39% from 2007 due to enhanced security awareness.

Trojans accounted for 78% of all viruses intercepted, backdoor programs 10%, malicious advertisements 4%, worms 6%, and all others 2%.  Presenting the biggest problem, trojans and backdoor viruses increased 10% when compared to 2007 statistics.

China’s Top 10 Viruses for 2008

  1. Trojan/PSW.OnLineGames
  2. Trojan/PSW.GamesPass
  3. Trojan/Agent
  4. Checker/Autorun
  5. Backdoor/Huigezi
  6. Trojan/PSW.QQPass
  7. Exploit.CVE-2007-0071
  8. Trojan/StartPage
  9. Trojan/DogArp
  10. Win32/Infectrpcss

One response so far

Feb 03 2009

China: Man killed by exploding cellphone

Published by Heike under China internet

Just posted one of the breaking stories in China and now another is moving up the list of top searches in China.   A man in Guangzhou was killed when his cellphone exploded.  This was the 9th such incident reported since 2002.


7 responses so far

Feb 02 2009

The Xidan Girl (西单女孩) and the human flesh search

Published by Heike under China internet

She is called the “Xidan Girl” or “Guitar MM (MM stands for MeiMei, little sister).” Still trying to piece the whole story together but here is the gist:

She started out as something of a music prodigy in a small town in Sichuan playing the Chinese lute and singing.  At 17, the Xidan Girl outgrows her little town and heads for the big city, Beijing.  There she supports herself by playing in the bars and subway of Xidan District.  A typical scene is of her sitting on a small blue stool playing the guitar.

Internet fame comes when a guy named “Li Er,” who received his notoriety by snapping pictures of girls without them knowing it, takes her photo and posts it in popular forums.  It makes the Net Ease top-10 list in 2007 and a fan club develops around her calling themselves the “stools.”  They even start an online forum dedicated to her.

(Gets fuzzy here) Apparently she tried to get into the Beijing School of Advanced Contemporary Music and hit a snag; afterward, she no longer went to the subway to play or sing.  This sent her fan club into a “human flesh search engine” frenzy trying to find her true identity.  They formed the “Surreptitious Picture Taking Organization” and held a meeting at Sanlitun in Beijing.

All the internet buzz lands her a meeting with an entertainment company but no word on the outcome.  In September of 2007, Jiang Hanning (her real name) starts attending an unidentified music school in Beijing.

Her name appeared at the top of Baidu today and there are also some news articles with video of her singing.  Compared to most of the human flesh search engine stories, this one appears to have a somewhat happy ending…so far.


No responses yet
