I don't wish to get into a Unix versus Windows war about security. However, recognise that Flash is a plug-in to a browser. Because of the way browser plug-ins work, they have very few restrictions on what they can do.

I retired recently, but before that was involved in protecting very sensitive data for the Canadian Federal Government and as a result spent quite a number of years studying threats. We ran some 1,400 servers including 400 Unix servers of one flavour or another. Within the security community it was recognised that although UNIX could be tightly configured, often it wasn't. My party trick was a list of about 100 default userids and passwords; I don't think any of the databases on Unix based servers were secure against the list. At one demo I logged into about eighty SQL Server databases without logging onto the network with full admin rights, but then Microsoft tightened up that loophole.

The US government has a procurement standard called POSIX which it uses to identify UNIX systems in procurements. Windows NT was the first operating system to qualify as POSIX compliant. Both have their roots in Multics and Digital VMS and aren't that different once you get past the GUI. Windows can also be tightly configured should you really wish to.

> Flash has never caused me any security problems on my Ubuntu desktop.

I think you should qualify that with "that you know about." I came across one server that scanned fine, but at 3 am each morning a few packets of information were sent out on the Internet to an odd address. These were detected by a network monitor and stood out because there was very little traffic at that time and because of the address being sent to. The server was subjected to heavy investigation but the rogue code was never found. When the operating system was reinstalled the IP packets stopped.

The security community has reservations about JavaScript, but these are not so serious as the ones about Flash. Personally, from a security point of view, I prefer using a tool like Maperitive to render rather than use JavaScript.

I recognise that OSM has many enthusiasts who have been brought up on UNIX on University courses and we depend on their enthusiasm, but I think we also owe a duty of protection to end users, and to me that means recognizing that using Flash does bring security risks.

Cheerio John

On 20 May 2010 10:35, Rory McCann <r...@technomancy.org> wrote:

> Nonsense!
>
> The article you cite suggests disabling JavaScript as well. The main
> slippy map on OSM uses JavaScript. Ergo, we should not be promoting
> dangerous JavaScript.
>
> Flash has never caused me any security problems on my Ubuntu desktop.
> Talk to your OS vendor if it's insecure.
>
> On 15/05/10 00:10, john whelan wrote:
>
> > www.zdnet.com/blog/bott/how-secure-is-flash-heres-what-adobe-wont-tell-you/2152
> > <http://www.zdnet.com/blog/bott/how-secure-is-flash-heres-what-adobe-wont-tell-you/2152>
> >
> > There are other web sites such as Symantec's site. Symantec's
> > corporate advice:
> >
> > "In order to reduce the threat of successful exploitation of Web
> > browsers, administrators should maintain a restrictive policy regarding
> > which applications are allowed within the organization. […] Browser
> > security features and add-ons should be employed wherever possible to
> > *disable JavaScript™, Adobe Flash Player, and other content that may
> > present a risk to the user* when visiting untrusted sites"
> >
> > Simply going to a web site these days is the most common way to get
> > infected, once infected then you lose your credit card details, and
> > Flash is a very weak link no matter which web browser it is run from.
> >
> > Cheerio John

_______________________________________________
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk