[CoLoCo] Ubuntu Wins Hacker Contest

Paul Hummer paul at eventuallyanyway.com
Mon Mar 31 16:43:02 BST 2008


> What's sad is that the actual "test" didn't prove anything.  None of
> the system vulnerabilities were due to CORE applications that were
> part of the operating system, they were all extra applications.
Yes, but the requirement was such that it was the extra applications
that came pre-installed with the OS.  So while the actual OS is secure,
what looks like the OS to an average user is MUCH more secure with Ubuntu.
> The fact that a vulnerability in ADOBE FLASH got Vista out of the
> ring, and Safari for OS X (which is used hardly ever anymore with
> Firefox usage increasing greatly on the Mac, at least according to
> what I see on the hundreds of Mac computers on my campus), shows
> nothing more than poor programming by Adobe and Apple for a web browser.
This is true.  And there are probably many other instances in open
source software that have vulnerabilities.  But we've got a great
community of testers for Ubuntu who are willing to take an app and test
the hell out of it to make sure it's going to be stable.  If it's not,
you have to install it after the fact.

And, out of the 15 Mac users I know, 4 of them use Firefox.  The others
either don't have it installed, or complain that it's too slow.  Mac
users are prima donnas... :)
> Granted, finding a bug or exploit in one of these programs should
> NEVER allow you access to your entire system, this doesn't
> necessarily mean that Ubuntu wouldn't have been hacked eventually
> with the same luck of using Adobe Flash rather than Gnash or some
> similar alternate.
Yes, but an average user doesn't necessarily go out of the way to
install the non-free alternatives, and (hopefully) if you do, you fully
understand the risks you are taking, and take precautions (like adding
the NoScript Firefox extension if you install the Adobe Flash plugin).

For the most part, you don't see these kinds of exploits work in Linux
because of the security model it uses.  Userland can't get at the kernel
land (or shouldn't), and so you might crash the application, but you
won't crash the system.  0day exploits, however, are freak accidents in
coding, so it's quite possible in Linux (although much more unheard of) for
a browser to allow root level access.

Just my 1.9357892346987 cents

Paul



More information about the Ubuntu-us-co mailing list