Having recently read about the lack of security of Active X controls, I was wondering if I could get some specifics about its lack of security versus the security of JAVA. Also about the security of JAVA under Linux.

I understand that MS's concept of security is a) investigate the vendor, b) issue a certificate of authority, 3) vendor is now trusted to do anything (fox guarding the hen house!).

1. How insecure is Active X?
2. How much more secure is Java than Active X (active X controls)?
3. How much more secure is Linux than NT? Than Win95? Especially when using a user account to browse the WWW (e.g., Col Base).
4. What about corporate use of Active X controls versus Java on a sensitive Intranet?

I have decided to use Linux for all WWW access, via a user account. Any sensitive information I have (e.g., financial) resides on a ZIP disk which is physically removed from the system when on the Internet.

Any comments/suggestions/flames? This would make a great mini howto!

--
Wade Hampton whampton@staffnet.com
Use Linux -- Check out http://www.caldera.com
--
Wade Hampton whampton@staffnet.com
Use Linux -- Check out http://www.ssc.com

Christopher Hicks
1997-Sep-22 01:13 UTC
Re: [linux-security] Active X versus Java, Linux versus NT
On Sun, 21 Sep 1997, Wade Hampton wrote:
> I understand that MS's concept of security is a) investigate the vendor,
> b) issue a certificate of authority, 3) vendor is now trusted to do
> anything (fox guarding the hen house!).

You've got it right. And it is scary.

> 1. How insecure is Active X?

There is no security to it at all. Active X applets that shut down your computer and transfer money from your bank account using quicken have been demonstrated. Active X code is just x86 code running raw. It can do anything to your machine that it wants to.

> 2. How much more secure is Java than Active X?

Vastly. It has a real security model. You can control which files each applet can access. It runs in a controlled environment (the JVM).

> 3. How much more secure is Linux than NT?

Again, vastly. Why does NTBUGTRAQ have more traffic than the BUGTRAQ that covers EVERY other operating system? The number and frequency of bugs is absolutely incredible. I had to install SP3 on all the machines at one of the places I consult with because NT 4.0 would crash when reading from the floppy drive or a CD-ROM. 1997 and we can read from the floppy right. It sends shivers down my spine. Of course, WINNUKE and similar programs allow the wily hacker to crash pre-SP3 machines across the net. And syn-flooding still provides an easy denial-of-service attack.

Publicly available source code is tremendously important for security. It allows many people to work on fixes for bugs. It allows the whole world to study the code to ensure its correctness. And ignoring certain chunks of elisp, I can say categorically that code people write that's publicly released is vastly better than stuff people write which they don't ever expect anyone to read. (I've done code reviews for some Windows applications. Boy, were people surprised when I told them to rewrite atrocious code.)

> Than Win95?

95 is a version of NT that's stripped down enough that it's worthwhile for games. (That's not technically true, but it's a good rule-of-thumb.)

> Especially when using a user account to browse the WWW (e.g., Col Base).

If you're just web browsing, why not run linux? I would think that the security issues would be less of a concern than the amount of effort to manage Microsoft machines. Old Windows Disease is pretty rampant. OWD causes Microsoft machines to gradually slow down over the period of a year or so until they're unusable. Most of my clients schedule reinstalls (down to formatting the hard drive) on an annual basis. It's the only cure for the dreaded OWD.

> 4. What about corporate use of Active X controls
> versus Java on a sensitive Intranet?

For an intranet, development time is probably more of an issue than security. Java is a lot easier to code than C++. Portability is the second thing I'd consider and Java wins that issue handily.

> I have decided to use Linux for all WWW access, via a user account.

Good idea.

> Any sensitive information I have (e.g., financial) resides on a ZIP disk
> which is physically removed from the system when on the Internet.

If you're really neurotic you might worry about things left in memory buffers and the swap file.

> Any comments/suggestions/flames?

Edit /etc/inetd.conf to eliminate unneeded daemons. Look at the output of ps -aux to see if anything unnecessary is running. Use ipfwadm to eliminate connections coming in on the ppp connection. You may wish to allow identd to work on the ppp connection. But it's doubtful anything else should. Use netstat to determine which ports are in LISTEN mode to make sure you've got rid of everything you thought you got rid of. Reboot and see if the netstat is different.

</chris>

Customer: "I'm running Windows '95."
Tech Support: "Yes."
Customer: "My computer isn't working now."
Tech Support: "Yes, you said that."
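
The inetd.conf and netstat checks suggested at the end of the reply, as an added example that is not part of the original thread: it lists the services still enabled in inetd.conf text and the listening TCP ports that fall outside an allowlist. The function names, the sample inetd.conf and netstat text, and the allowlist of port 113 (identd, the one service the reply suggests keeping) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs (not taken from the thread).
SAMPLE_INETD='# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
'
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:1034         198.51.100.7:80         ESTABLISHED
'

# Service names still enabled in inetd.conf text on stdin:
# the first field of every line that is not commented out.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }'
}

# Numeric TCP ports in LISTEN state, from `netstat -an` text on stdin.
# The port is whatever follows the last ":" in the local address column.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -nu
}

# Listening ports that are NOT in the space-separated allowlist given as $1.
unexpected_ports() {
    allowed=" $1 "
    listening_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # expected, stay quiet
            *) echo "$port" ;;       # something you thought you got rid of
        esac
    done
}

echo "enabled inetd services:"
printf '%s' "$SAMPLE_INETD" | inetd_enabled
echo "listening but not allowed (allowlist: 113):"
printf '%s' "$SAMPLE_NETSTAT" | unexpected_ports "113"
```

On a live machine the same functions read real input: `inetd_enabled < /etc/inetd.conf` and `netstat -an | unexpected_ports "113"`, run once before and once after a reboot.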