On Sun, 2008-03-30 at 14:07 -0500, Chris wrote: > On Sun, 30 Mar 2008 15:48:27 -0300 (ADT) > "George N. White III" <aa056@xxxxxxxxxxxxxx> wrote: > > > On Sun, 30 Mar 2008, Chris wrote: > > > > > Manuel Aróstegui wrote: > > >> El sáb, 29-03-2008 a las 12:24 -0400, Jim escribió: > > >>> Read article > > >> > > >> That's cool, but it's far to be the real scenario we face everyday. > > >> I guess that Linux box was secure but the truth here, as far as > > >> I've been able to see is that either Windows or Linux (I have no > > >> mac experience) are both pretty insecure if they're been running > > >> by a dumb administrator. > > >> It is clear that a Linux, out of the box, has less chances to be > > >> hacked than a windows in the same situation. > > >> > > >> But for me, this hacking contest does not represent a real > > >> scenario. > > >> > > >> Anyways, I'm glad Linux survived, do not take me wrong :-) > > >> Manuel > > > > > > Let's also not forget the most important part of the article - it > > > mentioned something about Java allowing MS security to be > > > circumvented. > > > > > > That leads me to think that if Java was not installed on that box, > > > would it have been hacked? > > > > If you don't want to install Java you need to tell us what > > alternative is going to provide better security. Many developers use > > Java because the work needed to implement the functionality > > (including the attention to security issues) would be prohibitive. > > I still feel that if Java was not installed on the MS box, it still > raises the question, would the box have been hacked? > > Java is not part of the default install (afaik) XP, Vista, etc. > One might ask, perhaps the folks that setup these boxen, did they > knowingly install Java with the pre-thought that that would be a way > in. > > > MS was chosen for this attack because the person who knew the Java > > exploit also happened to be familiar with MS. Such attacks often > > proceed in stages: > > Here again, this seems unfair. These tests should have been done on > boxen that did not have 3rd part apps etc. Still seems like a tainted > test. > > > 1. get user-level access via a browser, java, etc. > > 2. elevate to "admin/root" privileges, which is where knowledge of > > the specific OS comes in. > > > > Often the 1st step works on multiple platforms. > > Assuming the multi-platforms are setup with as close to the same > programs as possible. > > > > > > Perhaps not. So, I think the article is very misleading. To me, I > > > could care either way. as pointed out else where in this thread, a > > > properly patched and managed box (under any OS) can be very > > > difficult to hack. > > > > Or not, if you happen to know of an unpatched vulnerability. > > > > > I wonder why (at least in this article) OpenBSD was not mentioned. > > > Perhaps it was just a session that was betwix Linux & MS. > > > > OS X was the first to fall (via safari), so the BSD camp didn't fare > > very well. > > > > As you do know, I specifically mentioned OpenBSD. I would like to see > them folks go against an out of the box install of Linux (any distro) > and OpenBSD - that would be a telling tale indeeed. > > In any event, as we all also know, these sorts of tests and results can > be manipulated to reflect any ones agenda - I for one, have never been > a fan of these things. It really proves nothing. > > -- > fedora-list mailing list > fedora-list@xxxxxxxxxx > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Well, to my knowledge, Microsoft adds their own version of Javascript (or at least used to) and did at one time make changes to Java which made it less secure, first by providing a file access process that was not part of the original specification by Sun. Now I don't know what was on the Microsoft system, nor do I know if the attack was actually by Java or Javascipt, which is often confused by even technical media, although they are entirely different languages with different means of employment. But without further knowledge, I suspect that they used a normal users configuration, and that would include Microsoft's default installs, whatever they are, and maybe Java was added to be representative. Have you tried browsing lately without Java? I therefore expect that Java was also on the Linux box as well. However gaining admin level via Java or Javascript on a linux box is more difficult than the standard installation of windows as used by home users. Regards, Les H -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list