
System security and fascination with homegrown solutions

Not long ago, there was the news flash that the Indian government is in the process of kick-starting a project to build “our own operating system”. According to V.K. Saraswat, Scientific Adviser to the Defence Minister and DRDO Director-General,

We do not have our own operating system. Today, various bodies, including banks and defence establishments, need security. Having our own operating system will help us prevent hacking of our systems.

(…)

With a home-grown system, the source code will be with us and it helps in securing our systems.

Dr. Saraswat seems to have expanded on the plan by going beyond the operating system. At Aero India expo he is reported to have added the network to the plan:

“Cyber security is a major challenge for us as all our operations are going to be on the network centric system, which is dependent on information and communication technologies,” scientific adviser to defence minister V.K. Saraswat told reporters.

Admitting that securing the network centric system would be a major problem, Saraswat said the country would have to build robust systems and platforms with proprietary software to make sure the networks were safe and almost invincible.

The mention of proprietary software is confusing since it is not clear whether Dr. Saraswat is referring to the non-open source software ecosystem that includes the likes of Microsoft and others or whether he means “made in India” indigenous software. Given the earlier emphasis on a home-grown operating system, I would venture a guess that it is the latter.

The goal of coming up with a home-grown operating system and network defense framework is noble and even commendable, but not for the reason expounded by the scientific adviser. Given the ease with which trojans and traps can be inserted into software (and hardware), it would seem logical that an internally developed piece of code would be more trustworthy. In a world where few understand the intricate details of the implementation of cryptographic primitives in code, it is not just about whether the code is open source or not, not when allegations like that against the OpenBSD IPSec stack cannot be dismissed easily. Software building involves a lot of reuse and, in the case of open source code, it also involves donated code. Granted that this code is there for everyone to see and audit, there is a dearth of expertise to actually perform such a meticulous analysis, especially when we are talking about the realm of cleverly hidden side channel attacks.

Given all this, software developed in a relative clean room, like what Dr. Saraswat aims to have, should be more trustworthy. Except that clean rooms can only be “clean” up to a point. At what point can one safely say that re-using an idea, component or, for that matter, a standard would not destroy the pristine nature of the development? The less one can reuse, the more one has to re-invent and re-develop, and the costlier and more error-prone the whole process is going to be.

This may seem like a lost cause but that is only because one assumes that there is a single silver bullet. In system security, there is never a silver bullet. Instead, what we see succeeding in a practical world is a risk-assessment-based analysis of the systems and the implementation of the simple but powerful concept of defense in depth.


Egypt disappears

Given the unrest that has flooded Egypt, it was just a matter of time before something like this happened – most of Egypt’s internet connectivity to the online world has been severed. According to BGPMon,

Looking at BGP data we can confirm that according to our analysis 88% of the ‘Egyptian Internet’ has fallen off the Internet.

(…)

Yesterday there were 2903 Egyptian networks, originated from 52 ISP’s. Transit was provided via 45 unique ISP’s. Today at 2am UTC, the numbers look quite different, there were only 327 Egyptian networks left on the Internet. These were originated by 26 ISP’s.

This behavior is something that we have been seeing more and more frequently. The latest was the crackdown on the use of the Internet during the Tunisian and Iranian unrest. As the penetration and ubiquitous nature of the Internet deepens, we will see it playing a critical role as the major dissemination and organization medium. Countries in which Internet filtering is currently implemented at a nation-wide level will find it a very “attractive” option to sever the connectivity as a measure of denying the organisers of the “unrest” their medium of choice. This has happened (passively) for years in China, recently in Iran, Tunisia and Egypt and could happen in a majority of Middle Eastern nations where such infrastructure exists.

The OpenNet Initiative map on Internet filtering is very interesting in this respect. A study done by the same organisation in 2008-2009 found no presence of systemic Internet filtering in place in India, unlike in China, Burma and Vietnam (in Asia). A healthy and unfiltered Internet is turning out to be a key driver for a robust democratic set-up. Indian lawmakers should be very cautious when dealing with any proposed plans to place filtering systems on the Indian part of cyberspace.

On a side note, it is interesting to observe that, according to the research conducted by the same OpenNet Initiative, countries like Tunisia use software developed by American companies for the filtering mechanism. While the export of cryptography is controlled in the US, there do not seem to be any plans to have similar regulation regarding the export of software that endangers freedom of expression.
