linux security - Sep 1997 - Active X versus Java, Linux versus NT

Having recently read about the lack of security
of Active X controls, I was wondering if I could
get some specifics about its lack of security
versus the security of JAVA.  Also about the
security of JAVA under Linux.  I understand that
MS''s concept of security is a) investigate the
vendor, b) issue a certificate of authority, 3)
vendor is now trused to do anything (fox guarding
the hen house!).

1.  How insecure is Active X?

2.  How much more secure is Java than Active X
    (active X controls)?

3.  How much more secure is Linux than NT?  Than
    Win95?  Especially when using a user account
    to browse the WWW (e.g., Col Base).

4.  What about corporate use of Active X controls
    versus Java on a sensitive Intranet?

I have decided to use Linux for all WWW access,
via a user account.  Any sensitive information I
have (e.g., financial) resides on a ZIP disk which
is physically removed from the system when on
the Internet.

Any comments/suggestions/flames?

This would make a great mini howto!
--
Wade Hampton	whampton@staffnet.com

Use Linux -- Check out http://www.caldera.com

--
Wade Hampton	whampton@staffnet.com

Use Linux -- Check out http://www.ssc.com

On Sun, 21 Sep 1997, Wade Hampton wrote:
> I understand that MS''s concept of security is a) investigate the
vendor,
> b) issue a certificate of authority, 3)  vendor is now trused to do
> anything (fox guarding the hen house!).
You''ve got it right.  And it is scary.
> 1.  How insecure is Active X?
There is no security to it at all.  Active X applets that shut down your
computer and transfer money from your bank account using quicken have been
demonstrated.

Active X code is just x86 code running raw.  It can do anything to your
machine that it wants to.
> 2.  How much more secure is Java than Active X?
Vastly.  It has a real security model.  You can control which files each
applet can access.  It runs in a controlled environment (the JVM).
> 3.  How much more secure is Linux than NT?
Again, vastly.  Why does NTBUGTRAQ have more traffic than the BUGTRAQ that
covers EVERY other operating system?  The number and frequency of bugs is
absolutely incredible.  I had to install SP3 on all the machines at one of
the places I consult with because NT 4.0 would crash when reading from the
floppy drive or a CD-ROM.  1997 and we can read from the floppy right.  It
sends shivers down my spine.  Of course, WINNUKE and similar programs
allow the wily hacker to crash pre-SP3 machines across the net.  And
syn-flooding still provides an easy denial-of-service attack.

Publicly available source code is tremendously important for security.  It
allows many people to work on fixes for bugs.  It allows the whole world
to study the code to ensure its correctness.  And ignoring certain chunks
of elisp, I can say categorically that code people write that''s
publicly
released is vastly better than stuff people write which they don''t ever
expect anyone to read.  (I''ve done code reviews for some Windows
applications.  Boy, were people surprised when I told them to rewrite
atrocious code.)
> Than Win95?
95 is a version of NT that''s stripped down enough that its worthwhile
for
games.  (That''s not technically true, but its a good rule-of-thumb.)
> Especially when using a user account to browse the WWW (e.g., Col Base).
If you''re just web browsing, why not run linux?  I would thing that the
security issues would be less of a concern than the amount of effort to
manage Microsoft machines.  Old Windows Disease is pretty rampant.  OWD
causes Microsoft machines to gradually slow down over the period of a year
or so until they''re unusable.  Most of my clients schedule reinstalls
(down to formatting the hard drive) on an annual basis.  Its the only cure
for the dreaded OWD.
> 4.  What about corporate use of Active X controls
>     versus Java on a sensitive Intranet?
For an intranet, development time is probably more of an issue than
security.  Java is a lot easier to code than C++.  Portability is the
second thing I''d consider and Java wins that issue handily.
> I have decided to use Linux for all WWW access, via a user account.
Good idea.
> Any sensitive information I have (e.g., financial) resides on a ZIP disk
> which is physically removed from the system when on the Internet.
If you''re really neurotic you might worry about things left in memory
buffers and the swap file.
> Any comments/suggestions/flames?
Edit /etc/inetd.conf to eliminate unneeded daemons.  Look at the output of
ps -aux to see if anything unnecessary is running.  Use ipfwadm to
eliminate connections coming in on the ppp connection.  You may wish to
allow identd to work on the ppp connection.  But its doubtful anything
else should.  Use netstat to determine which ports are in LISTEN mode to
make sure you''ve got rid of everything you thought you got rid of. 
Reboot
and see if the netstat is different.

</chris>

Customer:   "I''m running Windows ''95."
Tech Support: "Yes."
Customer:   "My computer isn''t working now."
Tech Support: "Yes, you said that."