1995-07-28 - Re: Java, Netscape, OpenDoc, and Babel

Header Data

From: Ray Cromwell <rjc@clark.net>
To: adam@bwh.harvard.edu (Adam Shostack)
Message Hash: 3d3eb3ca1e3808d806a8adec3e910dc490fd2dc4f46009916812d248e78828c7
Message ID: <199507281754.NAA11499@clark.net>
Reply To: <9507281717.AA09190@leonardo.bwh.harvard.edu>
UTC Datetime: 1995-07-28 17:54:29 UTC
Raw Date: Fri, 28 Jul 95 10:54:29 PDT

Raw message

From: Ray Cromwell <rjc@clark.net>
Date: Fri, 28 Jul 95 10:54:29 PDT
To: adam@bwh.harvard.edu (Adam Shostack)
Subject: Re: Java, Netscape, OpenDoc, and Babel
In-Reply-To: <9507281717.AA09190@leonardo.bwh.harvard.edu>
Message-ID: <199507281754.NAA11499@clark.net>
MIME-Version: 1.0
Content-Type: text/plain


> 
> Ray writes:
> 
> |   Object Oriented Superdistributed components are so useful an abstraction,
> | I think it's worth the security risk. HotJava solves some fundamental
> | issues with protocols. Right now the W^3 working groups have been struggling
> 
> 	Its nice of you to say that.  Its nice of Perry to disagree.
> Lets start using some concrete examples, so the source of
> disagreements become obvious?
> 
> 	I suspect Ray is working in an environment less security
> concious than Perry's.  Perry works on a lot of security-critical
> applications where a lot of money is at stake.  If I were going to go
> after financial institutions, I'd definetly look at which ones were
> using Java, and see what I could upload into their systems.  Getting
> copies of the recent files might be *very* informative.  I'd be
> worried if I were at Solomon brothers.

  If a business wants high security, they probably shouldn't be running
anything but mail. Even allowing users ftp access is dangerous
because someone could download a trojan horse. My college  took
the /exec function out of IRC for this very reason. If data can 
get  through a firewall by any means, DNS, mail, etc, it's possible to write
some kind of program to send stolen information on those channels. Hell,
there is a big enough problem with users bringing software from home
into work and infecting company networks with viruses.
  
  I work in an environment which is very security conscious (IBM Watson 
Research). You should see how paranoid their virus lab setup is.
And I'm frustrated by not being able to run stuff from work I run at
home because of the firewall. I probably shouldn't be running the
stuff at work anyway, but I can't pass up having access to a T1/T3
net connection on my desk. I have no problem with security, as long
as it is user friendly. If everyone had to manually run PGP from the shell
to post a message to cypherpunks, would there be many posts? 

  At home however, I have full control over my environment. I don't
avoid all potentially dangerous software, because for me, the benefits
outweigh the risks. I have never seen the source code to DOOM's
internet drivers, so I have no way of knowing if data is being stolen
or downloaded to my harddrive. I would rather choose to encrypt
the harddrive, and run the software in an alternate partition even though
this still doesn't guarantee safety. I know people who go farther such
as swapping HD's in-and-out depending on whether they are in "fun, 
experimental computer use mode", or "serious, money risking mode"
But ultimately that decision is up to me. Most of the people who will
be running HotJava are users in non-corporate environments. 

  Once you actually browse some HotJava web pages with HotJava, the
ordinary Web becomes static and boring. It's like the difference between
ftp and Netscape, or TinyMUD and LambdaMOO. There's just so much
potential, especially for crypto-clients. Because Java provides a
single development platform, single execution environment, GUI, and
network access.
 
-Ray
 





Thread