back to article Indian armed forces gives Windows its marching orders, but only for desktop warriors

Indian mythology is rich beyond measure in tales of gods, demons, and humans doing battle. Deception, alliances, betrayal, supernatural weaponry, and devastating consequences tangle with morality and greed. If you think that sounds like today's global technology maelstrom, that's forgivable. So when the Indian Ministry of …

  1. xyz Silver badge

    All I'm saying is...

    I've seen this sort of "mentality" before and it doesn't end well. It's one thing building a secure system, say for example, airgapped up to TS with loads of skilled people with the necessary security clearances, and it is a whole other thing building a system for rabbit holes above that, where security restrictions reduce the knowledge pool and everything is compartmentalised.

    6 months will be the POC that someone is crowing about, which is another bad sign. The pen testers are going to be busy.

    1. Doctor Syntax Silver badge

      Re: All I'm saying is...

      In other words, if you want a secure system don't start with anything on the desktop. Is this what you're saying? Because when it comes to users they will behave the same whatever desktop OS they have.

      Having an OS which has proven sufficiently secure to run most servers on the internet is a good start.

      1. doublelayer Silver badge

        Re: All I'm saying is...

        Probably that you should be very careful about saying something's secure before you rely on it being secure. How many times have we had a three-day gap between someone claiming unhackability and a hacker proving them wrong.

        To some extent, lying will have helped them. Had this actually been a new OS, then I wouldn't have bought any security claims, whereas starting from something that people have been securing for years is a good way to get some security from the start. However, if someone told the Indian government that it was invulnerable and they believe it, they are still at risk.

  2. Reginald O.

    If you must drop Windows...

    Seems to me the way to go is MacOS and then staff have an awesome system that plays well with their iPhones and iPads.

    I don't know for sure if I am kidding or not.

    Can a business create a viable production network using Apple code?

    Would it play nice with Windows folks?

    What does Apple Inc. use?

    I simply don't know.

    But, I do know MacOS is Unix based and just really cool for individuals.

    1. This post has been deleted by its author

    2. ChoHag Silver badge

      Re: If you must drop Windows...

      > Can a business create a viable production network using Apple code?

      Apple can't.

    3. Anonymous Coward
      Anonymous Coward

      Re: If you must drop Windows...

      Yes.

      Ask IBM.

      The biggest issue with a Linux desktop isn't so much functionality (although it plays some part), it's the lack of viable/usable industrial strength desktop applications.

      As for the "Nor does Linux on the desktop do much to protect data held elsewhere in the infrastructure from phishing, supply chain attacks, criminality, and corruption." - I'm not convinced.

      A compromised desktop is usually the vector that breaks the "hard shell/soft center" approach that most companies deploy and establishes a penetration beachhead inside the organisation to host an APT, so I'd say here too a Linux desktop would offer substantially less risk.

      1. Boris the Cockroach Silver badge
        Windows

        Re: If you must drop Windows...

        Quote

        "The biggest issue with a Linux desktop isn't so much functionality (although it plays some part), it's the lack of viable/usable industrial strength desktop applications."

        Roughly translated

        Linux lacks m$ office

        if we can run our controls on Linux, why do we need windows? because the CAD package we use wont run on anything else (no matter how much we whine to the suppliers... )

        1. Doctor Syntax Silver badge

          Re: If you must drop Windows...

          "no matter how much we whine to the suppliers... "

          The Indian Government as a potential customer can probably whine a good deal louder than you.

      2. doublelayer Silver badge

        Re: If you must drop Windows...

        "A compromised desktop is usually the vector that breaks the "hard shell/soft center" approach that most companies deploy and establishes a penetration beachhead inside the organisation to host an APT, so I'd say here too a Linux desktop would offer substantially less risk."

        That substantially less risk is due to what? We're already positing an attacker that has malware running on the user's computer, so why would that computer running Linux instead of Windows do that much? In both cases, the malware can copy their files, inspect their actions, copy their passwords, intercept their mail, and access things on the section of the network their machine is on. Linux doesn't have different security policies on any of those things. It would have a different set of bugs between that machine and other things on the network, but that's no guarantee that an attacker can't find them, especially as there are plenty of successful attacks against companies that spread from Windows beachheads to Linux infrastructure, so spreading from Linux ones shouldn't be much more difficult. The largest asset is that attackers who already made a Windows loader malware will have to make a new version that targets Linux.

        1. martinusher Silver badge

          Re: If you must drop Windows...

          Pound for pound Linux is way more difficult to compromise than Windows. Its just a fact for life, has been for decades now. Its the design -- a lot of Windows design decisions are shaped by bad decisions that were made many years ago and can't or won't be changed.

          As for the lack of "industrial strength applications" I actually have run numerous versions of these, typically development environments of one sort of another. With no exceptions that spring to mind they're all really 'ix' applications running on top of environments such as Cygwin. Its true that the occasional Windows only utility turns up (rather inconveniently, IMHO) but you'd be surprised at the sheer amount of TCL, Perl and what-have-you that's floating around in these applications. It may even explain why M$ has been hot to introduce proprietary alternatives -- after years of refusing to supply a meaningful shell, just sticking people with DOS boxes, they 'invent' PowerShell, for example, which is lot like bash but with the usual 'embrace, extend, extinguish' tweaks for the sheeple to fall for.

          I've got nothing against Windows -- we get stuck with it because its a C-Suite mandate (they use Office so Office is the only application that counts.....). Its just that trying to get work done just gets more and more difficult. Its enough to make one retire.

          1. doublelayer Silver badge

            Re: If you must drop Windows...

            "Pound for pound Linux is way more difficult to compromise than Windows. Its just a fact for life,"

            This is heavily dependent on the configuration of the system. The comparison is not really viable either, as you can't enumerate the hacking potential. However, as I interpreted the original comment, we weren't talking about external penetration but the security of a box where the user has already executed an attacker's malware, in which case the initial infection stage has already passed.

            A lot of the attacks that work against Windows have direct parallels on Linux. For example, one way attackers find and infect computers are unsecured RDP ports left open to the internet. This is relatively easy to prevent, extremely easy to detect, and in most configurations it doesn't happen at all. The direct parallel on Linux is the open SSH port with password authentication, which is equally easy to prevent and detect. As anyone who has a Linux machine on the internet already knows, there are lots of attackers looking for those ports who will attempt to log into any server configured as such. In a lot of infections, the writers of the malware are relying on the user to install the initial infection, rather than finding an unauthenticated remote login method. Some of the tactics that are popular for infecting Windows will not work on Linux, but that is not the same as saying that Linux doesn't have vulnerabilities of that kind or that they're more resistant to exploitation.

            1. This post has been deleted by its author

            2. Anonymous Coward
              Anonymous Coward

              Re: If you must drop Windows...

              It's also a case of sensible, safe defaults. When you install a Linux desktop, the result is quite tight in that there's nothing running that would allow external access - depending on distro, even SSH needs to be enabled first before you have that path in. Secondly, you can 'just' run an executable, if it's not in the package manager it's much harder to do. Linux simply has far more barriers between delivering malware and executing it, and it's stance is safe by default - for instance, no distro will set you up to run a machine as root. It also need a heck of a lot less patching to stay safe.

              Windows comes from a different philosophy where not only the quality of the code is a lot less (judging by the GB of patches we need to download to the point that Microsoft had to establish patch Tuesday so the massive waste of man hours was less visible), but also implementation is unsafe. Unlike Linux, hooking up a newly formatted Windows machine to the Net is a risky proposition as you may end up it being infected before patches and antivirus are downloaded and installed, and no, Windows Defender doesn't, at least not that well. Add to the the astonishing array of loopholes that allow malware to execute and frankly, an honest evaluation of lost man hours and risk vs the cost of replacing it with something more sane would render replacing it with alternatives attractive.

              That's why a Microsoft TCO study never includes man hours and the cost of risk management.

              1. doublelayer Silver badge

                Re: If you must drop Windows...

                "It's also a case of sensible, safe defaults. When you install a Linux desktop, the result is quite tight in that there's nothing running that would allow external access - depending on distro, even SSH needs to be enabled first before you have that path in."

                Just as Windows doesn't turn on RDP unless you go into settings to enable it. It doesn't prevent someone from doing that, though, and if they do and don't focus on security, it is a wide open door.

                "Secondly, you can 'just' run an executable, if it's not in the package manager it's much harder to do."

                Do you use Linux? You know they have the concept of an executable as well? You can download an executable file and run it. You can download a shell script and run that. You have a few other languages that you can pretty much guarantee are present (I'm thinking of Perl and Python) and run those. None of that requires it to be in the package manager.

                I use Linux often, especially for systems where security is necessary. I like it because it is easy to audit the system for security risks and to change its operation to limit them. Linux is strong from a security perspective. What I dislike is the people who seem to assume that Linux is automatically the key to security and base this off incorrect understandings of what it provides and how easy an insecure Linux system is to compromise. They appear to believe that simply replacing Windows with Linux makes everything secure, and if enough people with this attitude actually get to do it, we'll give Linux an undeserved bad name as that system that everyone's been hacking these days because inexperienced people deployed it without looking at their risks.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: If you must drop Windows...

                  You can download an executable file and run it.

                  Not by accident, and nothing is actually executable by default - I would not say it's impossible but it's a tad harder than when using Windows and depending on settings even requires a rights escalation to install. It certainly won't, for instance, allow an infection via merely viewing an image - an example of a Windows problem that has persisted for literally decades.

                  What I dislike is the people who seem to assume that Linux is automatically the key to security and base this off incorrect understandings of what it provides and how easy an insecure Linux system is to compromise. They appear to believe that simply replacing Windows with Linux makes everything secure, and if enough people with this attitude actually get to do it, we'll give Linux an undeserved bad name as that system that everyone's been hacking these days because inexperienced people deployed it without looking at their risks.

                  Oh, I agree, but the two main differences between Windows and Linux are (1) safer defaults and (2) much easier to keep secure. In principle you can make any platform secure, what differs is the out of the box default and the amount of effort to secure it and maintain that state.

                  This is what annoys me most about Windows and Microsoft products in general: the vast amount of BS trying to justify what is increasingly no longer fit for purpose in a world where "hard shell, soft center" has become an outdated concept due to fairly intelligent APTs. If Microsoft would spend half the budget of what it spends on marketing its way around the deficiencies on actually fixing them I think you'd cut the number of hacked machines and number of successful ransomware infections probably in half.

                  1. doublelayer Silver badge

                    Re: If you must drop Windows...

                    "nothing is actually executable by default"

                    Yes, there's the execution bit to be set for some files. Most likely, the first file to be sent will be a shell script, which is much easier to execute because, although the execute bit is useful, it is not required. That script can download an ELF from somewhere and call chmod on it, then run it. It's not a complex bootstrapping process if you're dealing with the kind of user who doesn't recognize that the file called "report.docx.exe" is probably dangerous and clicks through the security warning Windows will show.

                    "I would not say it's impossible but it's a tad harder than when using Windows and depending on settings even requires a rights escalation to install."

                    What escalation are you referring to? If you mean to get root privileges, yes it will need that, just as a Windows program will show a UAC warning on all machines. On a corporate machine, the general user is unlikely either to have rights to root or admin privileges and will be unable to accept that escalation request. On a home machine, it should be clear enough that this isn't normal, but not all users have the experience to know that you don't just enter your password every time a screen tells you to. To install itself with the user's permissions, however, doesn't take that. The binary simply has to copy itself somewhere and add in something to start itself. A simple method is to put itself into part of the user's home directory and add itself to their login script, but depending on what access they have, there are a number of options such as adding a job to their crontab, to intercept some other program, etc. Persistence using the user's permissions is certainly possible. Once it has that, it will have to find some way to spread or elevate permissions, but Linux and the general utilities have had plenty of privilege escalation vulnerabilities, just like Windows does.

                    Now, with a properly configured system, these risks are not necessary. The user's home directory could be marked in such a way that ELFs can't be executed, although shell scripts still could. Maybe it's just me, but I don't much like shell scripts and I wouldn't like the idea of trying to write complex malware in that, so that's a defense. But before we praise Linux from making that option available, remember that Windows can do that too. The reason people don't do it for nearly every Windows box in existence is the same reason that, should they switch to Linux, they probably won't there either. The systems have options to secure things that aren't often used, so while it's great that they exist, we can't assume that this will mean they will be generally used.

  3. PhilipN Silver badge

    Warez

    Thanks for the reminder of an expression I have not seen used for a long time.

    As to what it actually meant - well what did you want it to mean? That was back when "-ware" was being tacked on to almost any prefix and "-z" was tacked on to anything that was suspect, or fun.

  4. Anonymous Anti-ANC South African Coward Bronze badge

    Good luck to the Indians.

    They will need it.

    1. Fruit and Nutcase Silver badge
      Coat

      At the very least Bollywood can make a song and dance film about it when it goes TITSUP

  5. StrangerHereMyself Silver badge

    First step

    Someone has to take the first step to kick Windows off the desktop. In my opinion the military should be the main drivers since their software is mostly bespoke.

    Software is these days much easier to port to Linux if its web-based (requiring no porting at all, essentially). But even native applications can usually be written to target multiple platforms using cross-platform frameworks like wxWidgets and Qt. You have to plan for it but it's certainly feasible.

    1. Anonymous Coward
      Anonymous Coward

      Re: First step

      Alas, where you will come unstuck is the lack of business applications for Linux.

      Sad but true.

      1. Doctor Syntax Silver badge

        Re: First step

        Do not confuse specific business applications with the functionality they provide.

      2. Anonymous Coward
        Anonymous Coward

        Re: First step

        >> Alas, where you will come unstuck is the lack of business applications for Linux.

        The majority of business applications are already web based (either on-prem or in the cloud, often running on a Linux instance already). And the business apps that aren't yet will likely be there in the near future.

        There are exceptions of course, like industry specific software which may not run on anything else. And if there's nothing to switch to then you're forked. Same if your business was stupid enough to buy into some proprietary shit that is built on top of MS Office, which was a stupid move and that business wholeheartedly deserves to be taken to the cleaners by those software vendors.

        But in general, there cases where a business really needs Windows are long gone. Most of the business preference for Microsoft's wobbly wares is simply due to the Stockholm syndrome.

    2. t245t Silver badge
      Linux

      Re: First step

      > Software is these days much easier to port to Linux ..

      Long ago there was something call cross compilers, code could be compiled on one platform to run on a different platform. As there was Java, the write-once-run-anywhere programming language.

      1. that one in the corner Silver badge

        Re: First step

        >> Software is these days much easier to port to Linux ..

        > Long ago there was something call cross compilers...

        Aside from the fact that cross compilers have never gone away (and I'd venture that more people are actually running them than ever before, given the continued growth in MCU usage, such as Arduino or the RP2040 boards), they were never that important to porting applications from one desktop OS to another. They can be useful, for example by allowing one run of the build system to generate all the target builds, or to (try to) have the same compiler front-end, quirks and all, be used for all the targets.

        The biggest contributing factor to ease of porting is what you have in place to handle the OS differences. Which can range from "nothing, this is a straightforward CLI application using the bog-standard RTL" up to "this is a huge GUI on top of a pile of local server processes, so we need a GUI framework, an IPC framework, a logging framework and a database server, all of which must be able to run on top of any of the target OSes". In this context, the word "framework" can also cover the use of 'alternate' programming languages - for example, you can code the bespoke parts of your application in Python or Lua or Tcl and rely on being able to access (or build yourself) the language runtime for all of your targets, including libraries to support all of the other framework items listed above.

        These days, based on ease of access to the required components, the easiest to port ought to be an application written in Python and your primary concern would about which GUI toolkit to use - and then mainly about whether you want "looks the same across all platforms" or "looks the same as other apps on that platform".

  6. Bebu Silver badge
    Windows

    And MayaOS is?

    Dr Duck gives a wikipedia entry which indicates its derived from Ubuntu Linux with some indigenous endpoint protection (a Mandiant fireeye/xagt clone?) called Chakravyuh which in turn apparently is some ancient Indian military defensive(?) formation resembling a circular labyrinth.

    If you were going the whole hog you would start with a provably secure (micro?)kernel and build out with a secure by design mandate even if it required custom hardware.

    The idea that battlefield systems are running on Windows seems as unlikely as running critical civilian infrastructure control system on Windows....

    1. Doctor Syntax Silver badge

      Re: And MayaOS is?

      There's no mention of battlefield systems. According to the report I read it's to be installed initially on all internet facing systems in an administrative building which includes the Prime Minister's office and Ministry of External Affairs (i.e. the equivalent of 10 Downing St & FCO) as well as the MoD with the MoD to go live first, deadline tomorrow.

      It's not difficult to cosmetically theme a Linux desktop in the style of any version of Windows you want so it's doesn't have to look very different. Very likely the main desktop applications will be word processing, spreadsheets and presentation. That functionality is well provided for on the Linux desktop. Apart from LibreOffice and OpenOffice there are at least two other cross-platform suites targetting the MS Office Ribbon work-alikes. Alternatively they may go for browser-based applications in which case they could be using OnlyOffice.

      Chromebook itself isn't going to be a good solution for a country trying to achieve data sovereignty which I assume it the objective although they could well come up with something self-hosted.

      It's a little surprising that they stared from Ubuntu rather then the Indian BOSS Linux used in Tamil Nadu.

      1. lockt-in

        Re: And MayaOS is?

        "Apart from LibreOffice and OpenOffice there are at least two other cross-platform suites targetting the MS Office Ribbon work-alikes. Alternatively they may go for browser-based applications in which case they could be using OnlyOffice."

        What about Collabora Office? Office suites that run LibreOffice Kit have native apps for more platforms than all other big companies.

        What about Collabora Online? It has significantly more functionality than other big companies, which is not hard.

        What about an office suite's country of origin/ownership, could that be part of the equation? Collabora Online and Office are developed in Cambridge UK. OnlyOffice is developed by Ascensio System SIA, a subsidiary of "New Communication Technologies", a company from Russia, but headquartered in Riga, Latvia.

        fyi: OpenOffice hasn't received a significant update in 9 years, it appears to be kept alive as a decoy to distract people from LibreOffice which is where development has continued.

    2. Anonymous Coward
      Anonymous Coward

      Re: And MayaOS is?

      The idea that battlefield systems are running on Windows seems as unlikely as running critical civilian infrastructure control system on Windows..

      .. and yet, they do. Windows for Warship exists, for instance, and process control moved to NT eons ago. Thankfully nobody has as yet dared to also stick it in ESD..

      1. Anonymous Coward
        Anonymous Coward

        Re: And MayaOS is?

        Well the "senior service" has always been a bit special. I can speak from personal experience that one of the largest defence companies (name starts with R), have all their current systems running on Linux. Those systems are mostly written in C++ - and to my surprise - Java.

        1. Anonymous Coward
          Anonymous Coward

          Re: And MayaOS is?

          I know of a device platform that had Microsoft Office rejected because they didn't want to offer the source code for inspection. So they went for OpenOffice :).

          As for C++, does anyone know what became of the Obfuscated C Contest? That encouraged some awesome things on the sidelines such as Toledo Nanochess.

          1. that one in the corner Silver badge

            Re: And MayaOS is?

            > does anyone know what became of the Obfuscated C Contest?

            Well, according to their own website (which is given in the Wikipedia article you pointed at) they are in the middle of a lot of housekeeping but plan to run the next contest Real Soon Now.

            Whether the lengthy housekeeping/retooling process is going to be worth the wait is a matter of opinion. But at the end of of they will be all Terrifically Up To Date, what with lots of JSON and relying on Github, so - yay, I guess? Maybe that will attract some of the cool kids to try their hand at it.

      2. t245t Silver badge
        Terminator

        Re: And MayaOS is?

        > .. Windows for Warship exists ..

        Sunk by Windows NT

  7. Doctor Syntax Silver badge

    "when policy rather than practicality has the upper hand, the results can be excitingly mixed.

    Let's stick to the practical for starters."

    When governments are concerned data sovereignty is, or should be, a matter that's as much practical as political. If this is what's concerning the Indian government I can only say good for them and wish governments closer to home would wake up to the same. If you want to self-host your data you certainly don't want the front end to depend on a desktop which seems to be heading in the direction of on-line subscription based as fast as Microsoft can push it.

  8. Anonymous Coward
    Anonymous Coward

    What were the alternatives?

    You know, deep down, that this isn't about replacing Windows 11 machines. What I expect is that the contract the Indian MoD has with Microsoft for Windows XP security updates is expiring soon, so they had three choices:

    1. Spend half their budget on another couple of years of XP support

    2. Spend half their budget rushing to get all their legacy XP-era custom software running on the newer OS

    3. Install Ubuntu and use Wine

    1. CAPS LOCK

      Re: What were the alternatives?

      4. Announce a migration to Linux and enjoy all kinds of Microsoft largess, including opening 'local offices' and taking decision makers to exotic locations for conferences and so on, with a large notional discount for Microsoft services at the end. Great Success! Trebles all round...

      1. BenDwire Silver badge

        Re: What were the alternatives?

        If Munich taught us anything then that fourth option looks the most likely to me.

        1. lamp

          Re: What were the alternatives?

          Actually, the Indian defence forces are significantly larger than the Munich authorities and would have more influence on software suppliers in their porting decisions. They might even fund the porting (that has been my experience when working for a leading database vendor years ago). Note also that a lot of software runs in the cloud nowadays so would only need to be deployed into an Indian data centre. I think this development is a great advertisement for Ubuntu, which is so much more secure than Windows. Personally, I have been using it exclusively for 20 years as my desktop environment, and I'm a big supporter.

  9. Zippy´s Sausage Factory
    Black Helicopters

    I have a sneaking suspicion that ditching Windows may be also have something to do with government paranoia. India's membership in the BRICS consortium and friendliness with China and Russia probably makes India believe that it's a top target for US surveillance - especially with their extensive use of English in government.

  10. t245t Silver badge
    Linux

    You can type this nonsence but ...

    > Maya OS is .. actually Ubuntu with a Windows-like front end and some extra endpoint security.

    Do you mean like Linux Mint.

    “Linux on the desktop is far less malware-y than Redmond's .. because there are fewer targets to attack with a Linux desktop”

    Is that you billg /s

    > Famously, the administration of Munich signed up to Club Penguin only to come sobbing back to Microsoft.

    Apr 2003: “Microsoft's Ballmer fights Linux in Munich

    Mar 2012: “Munich's mayor claims €4m savings from Linux switch

    Dec 2018: “During Ude’s term of office Munich’s city parliament in 2004 decided to migrate from Microsoft’s operating system and Office software to Linux, an open source software. Hailed by the free and open source community as a revolution, once Ude retired in 2014, his successor reverted the already completed migration, a decision which will cost the city’s taxpayers at least 89 million euros over 6 years.

    > Nor does Linux on the desktop do much to protect data held elsewhere in the infrastructure ..

    You can type this nonsence but ...

    1. Kiss

      Re: You can type this nonsence but ...

      Hmmm. From an overall Munich city perspective, maybe investing in a significant regional office that generates city income is more important than choosing a desktop OS, so no Windows = no investment. Just a high-level barter is the outcome. No sure this would be legal in many countries, but monopolies will always act ruthlessly whenever possible.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like