[OSM-talk] Flash and open source

john whelan jwhelan0112 at gmail.com
Fri May 21 00:23:30 BST 2010


I don't wish to get into a Unix versus Windows war about security.  However,
recognise that Flash is a plug-in to a browser.  Because of the way browser
plug-ins work they have very few restrictions on what they can do.  I
retired recently but before that was involved in protecting very sensitive
data for the Canadian Federal Government and as a result spent quite a
number of years studying threats.  We ran some 1,400 servers including 400
Unix servers of one flavour or another.  Within the security community it
was recognised that although UNIX could be tightly configured, often it
wasn't.  My party trick was a list of about 100 default userids and
passwords; I don't think any of the databases on Unix based servers were
secure against the list.  At one demo I logged into about eighty SQL Server
databases, with full admin rights, without logging onto the network, but then
Microsoft tightened up that loophole.

The US government has a procurement standard called POSIX which it uses to
identify UNIX systems in procurements.  Windows NT was the first operating
system to qualify as POSIX compliant.  Both have their roots in Multics and
Digital VMS and aren't that different once you get past the GUI.  Windows
can also be tightly configured should you really wish to.

> Flash has never caused me any security problems on my Ubuntu desktop.

I think you should qualify that with "that you know about."  I came across
one server that scanned fine but at 3 am each morning a few packets of
information were sent out on the Internet to an odd address.  These were
detected by a network monitor and stood out because there was very little
traffic at that time and because of the address being sent to.  The server
was subjected to heavy investigation but the rogue code was never found.
When the operating system was reinstalled the IP packets stopped.

The security community has reservations about JavaScript but these are not
so serious as the ones about Flash.

Personally from a security point of view I prefer using a tool like
Maperitive to render rather than use JavaScript.

I recognise that OSM has many enthusiasts who have been brought up on UNIX
on University courses and we depend on their enthusiasm but I think we also
owe a duty of protection to end users and to me that means recognizing that
using Flash does bring security risks.

Cheerio John



On 20 May 2010 10:35, Rory McCann <rory at technomancy.org> wrote:

> Nonsense!
>
> The article you cite suggests disabling JavaScript as well. The main
> slippy map on OSM uses JavaScript. Ergo, we should not be promoting
> dangerous JavaScript.
>
> Flash has never caused me any security problems on my Ubuntu desktop.
> Talk to your OS vendor if it's insecure.
>
> On 15/05/10 00:10, john whelan wrote:
> >
> > http://www.zdnet.com/blog/bott/how-secure-is-flash-heres-what-adobe-wont-tell-you/2152
> >
> > There are other web sites such as Symantec's site.  Symantec's
> > corporate advice:
> >
> > "In order to reduce the threat of successful exploitation of Web
> > browsers, administrators should maintain a restrictive policy regarding
> > which applications are allowed within the organization. […] Browser
> > security features and add-ons should be employed wherever possible to
> > *disable JavaScript™, Adobe Flash Player, and other content that may
> > present a risk to the user* when visiting untrusted sites"
> >
> > Simply going to a web site these days is the most common way to get
> > infected, once infected then you lose your credit card details, and
> > Flash is a very weak link no matter which web browser it is run from.
> >
> > Cheerio John
>
>
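Added example (not part of John's post or of anything else in this thread): a defender-side sketch, in Python, of the kind of check a network monitor could apply to catch the behaviour John describes, a server that is otherwise quiet but sends a few packets to an unusual address at the same time each night. The log format, the host name srv-db-07, the IP addresses, the quiet-hour window and the two-night threshold are all constructed assumptions for this example, not anything taken from the post.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample connection log (assumption for this example, not real
# data): "timestamp host destination_ip bytes_out", one flow per line.
# 192.0.2.x are the server's normal daytime peers; 203.0.113.77 is an
# address it only ever talks to at 03:00.
SAMPLE_LOG = """\
2010-05-18T09:12:03 srv-db-07 192.0.2.10 4520
2010-05-18T10:44:51 srv-db-07 192.0.2.10 1200
2010-05-18T14:05:22 srv-db-07 192.0.2.20 880
2010-05-19T03:00:04 srv-db-07 203.0.113.77 312
2010-05-19T09:30:17 srv-db-07 192.0.2.10 5100
2010-05-19T11:02:40 srv-db-07 192.0.2.20 640
2010-05-20T03:00:02 srv-db-07 203.0.113.77 298
2010-05-20T03:01:10 srv-db-07 192.0.2.10 760
2010-05-20T15:40:09 srv-db-07 192.0.2.10 2200
2010-05-21T03:00:05 srv-db-07 203.0.113.77 305
"""

# Hours treated as "quiet" (01:00 to 04:59); an assumed window, tune per site.
QUIET_HOURS = range(1, 5)


def parse_log(text):
    """Parse the constructed flow log into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, dst, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return records


def destination_profile(records):
    """Count how often each destination is contacted outside quiet hours.

    A destination with a non-zero daytime count is a known peer, which keeps
    an ordinary backup or replication partner from being flagged just because
    it is also contacted at night.
    """
    busy = Counter()
    for r in records:
        if r["ts"].hour not in QUIET_HOURS:
            busy[r["dst"]] += 1
    return busy


def find_quiet_hour_beacons(records, min_nights=2):
    """Return (host, destination, nights) for destinations that are contacted
    only during quiet hours, on at least min_nights distinct nights.

    Repetition across nights is what separates a scheduled beacon from a
    one-off late connection.
    """
    busy = destination_profile(records)
    nights = defaultdict(set)
    for r in records:
        if r["ts"].hour in QUIET_HOURS and busy[r["dst"]] == 0:
            nights[(r["host"], r["dst"])].add(r["ts"].date())
    return sorted(
        (host, dst, len(seen))
        for (host, dst), seen in nights.items()
        if len(seen) >= min_nights
    )


if __name__ == "__main__":
    for host, dst, n in find_quiet_hour_beacons(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dst}: quiet-hour only, seen on {n} nights")
```

The check deliberately ignores packet size and relies on two signals the post mentions: the time of day, when almost nothing else is talking, and a destination the host never contacts during normal hours. On real flow data the quiet-hour window and the night threshold would be set from a baseline of the site's own traffic rather than hard-coded.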