On Sun, 30 Mar 2008 15:48:27 -0300 (ADT) "George N. White III" <aa056@xxxxxxxxxxxxxx> wrote: > On Sun, 30 Mar 2008, Chris wrote: > > > Manuel Aróstegui wrote: > >> El sáb, 29-03-2008 a las 12:24 -0400, Jim escribió: > >>> Read article > >> > >> That's cool, but it's far to be the real scenario we face everyday. > >> I guess that Linux box was secure but the truth here, as far as > >> I've been able to see is that either Windows or Linux (I have no > >> mac experience) are both pretty insecure if they're been running > >> by a dumb administrator. > >> It is clear that a Linux, out of the box, has less chances to be > >> hacked than a windows in the same situation. > >> > >> But for me, this hacking contest does not represent a real > >> scenario. > >> > >> Anyways, I'm glad Linux survived, do not take me wrong :-) > >> Manuel > > > > Let's also not forget the most important part of the article - it > > mentioned something about Java allowing MS security to be > > circumvented. > > > > That leads me to think that if Java was not installed on that box, > > would it have been hacked? > > If you don't want to install Java you need to tell us what > alternative is going to provide better security. Many developers use > Java because the work needed to implement the functionality > (including the attention to security issues) would be prohibitive. I still feel that if Java was not installed on the MS box, it still raises the question, would the box have been hacked? Java is not part of the default install (afaik) XP, Vista, etc. One might ask, perhaps the folks that setup these boxen, did they knowingly install Java with the pre-thought that that would be a way in. > MS was chosen for this attack because the person who knew the Java > exploit also happened to be familiar with MS. Such attacks often > proceed in stages: Here again, this seems unfair. These tests should have been done on boxen that did not have 3rd part apps etc. Still seems like a tainted test. > 1. get user-level access via a browser, java, etc. > 2. elevate to "admin/root" privileges, which is where knowledge of > the specific OS comes in. > > Often the 1st step works on multiple platforms. Assuming the multi-platforms are setup with as close to the same programs as possible. > > > Perhaps not. So, I think the article is very misleading. To me, I > > could care either way. as pointed out else where in this thread, a > > properly patched and managed box (under any OS) can be very > > difficult to hack. > > Or not, if you happen to know of an unpatched vulnerability. > > > I wonder why (at least in this article) OpenBSD was not mentioned. > > Perhaps it was just a session that was betwix Linux & MS. > > OS X was the first to fall (via safari), so the BSD camp didn't fare > very well. > As you do know, I specifically mentioned OpenBSD. I would like to see them folks go against an out of the box install of Linux (any distro) and OpenBSD - that would be a telling tale indeeed. In any event, as we all also know, these sorts of tests and results can be manipulated to reflect any ones agenda - I for one, have never been a fan of these things. It really proves nothing. -- Best regards, Chris "There's no place like 127.0.0.1"
Attachment:
signature.asc
Description: PGP signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list