From: todd@lgt.com (Todd Glassey)
Date: Thu, 2 Nov 1995 00:13:30 +0800
To: cypherpunks@toad.com
Subject: Re: Please send cash
Message-ID: <v02110100acbd41b59c95@[204.156.156.4]>
MIME-Version: 1.0
Content-Type: text/plain


Yo Fred, nobody said you wer not right on the money, just that these issues
clearly have fixes and are part and parcel to a pre-adolesencent product,
not a mature one.

Yes, you get two points for posting the bug report, but lose one for
soap-boxing about the woes of the product in general... Keep up the good
work, just drop the proslitizing and we all wouldn't mind hearing your rap.


BTW - If your or your friends are up for a game of speed-chess... I'm
willing, I used to be *rated* until I dropped off the circuit a few years
ago... Winged Benoni, Classical Ruy, or maybe an Accellerated Dragon (for
those who play the black)... I won't even charge you the nominal 5$ fee...

>I just picked this up from the Risks forum:
>
>> Date: Mon, 30 Oct 1995 16:14:59 -0500
>> From: Drew Dean <ddean@CS.Princeton.EDU>
>> Subject: HotJava 1.0 alpha 3 security issues
>>
>> We have found several security problems in the 1.0 alpha 3 release of
>> HotJava from Sun Microsystems.  The two most important problems are that
>> HotJava does not enforce the stated limits on where an applet can connect to
>> (an applet can talk to any place with which you have IP-level connectivity),
>> and HotJava is vulnerable to a man-in-the-middle attack, where someone can
>> watch your web-surfing, both seeing your requests, and the content that you
>> receive.
>
>Two of the Java attacks I outlined in this forum and got abuse for.
>
>> While HotJava prevents applets from actively opening connections that
>> violate the user-selected security policy, it allows an applet to accept
>> connections from anywhere.  At this point, an applet only has to use any one
>> of a number of channels to communicate where it is, and have the remote end
>> do the active open.
>>
>> HotJava also allows an applet to set the proxy servers that the browser
>> uses.  This opens up a huge hole for anyone concerned about the privacy of
>> their web surfing.
>
>Attacks 31-49 work here.
>
>> Please note that these bugs are specific to the 1.0 alpha 3 release, and are
>> _not_ bugs in the Java language itself, nor do they apply to Netscape 2.0
>> beta 1J, which doesn't permit network connections.  We have notified Sun of
>> these problems, and are presently writing a paper on these and other issues.
>> We will make more information available on our Web page after we hear back
>> from Sun.
>
>Drat - Sun doesn't offer awards.
>
>>
>>     http://www.cs.princeton.edu/~ddean/java/
>>
>> Drew Dean                             Dan Wallach
>> ddean@cs.princeton.edu                        dwallach@cs.princeton.edu
>
>Inquiring minds want to know.
>
>--
>-> See: Info-Sec Heaven at URL http://all.net
>Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

Regards,

T. S. Glassey
Chief Technologist
Looking Glass Technologies
todd@lgt.com

(415) 324-4318


-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQB1AwUBMFu5E6gNRnWhagU5AQHI+gL+Mwpcd3lAWd8FF06qcG6rnLhIYveHW71a
XC7xh1T0uu8qnYX31yMp17OG28jWpKUbWec1IM9/eXOi+gInA7rKICWczV8zo9Z0
0puxjRRN7yO4KfRb3cPpk+r0p6pDg01Y
=bTYb
-----END PGP SIGNATURE-----