From: "Perry E. Metzger" <perry@piermont.com>
Date: Fri, 24 May 1996 14:21:43 +0800
To: mrm@netcom.com (Marianne Mueller)
Subject: Re: VIRUS ALERT: Java virus that affects Netscape 2.0 & 2.01.
In-Reply-To: <199605240129.SAA00250@netcom20.netcom.com>
Message-ID: <199605240220.WAA27452@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Marianne Mueller writes:
> In the "for what it's worth dept", the security breaches that have gotten
> so much press are fixed in JDK 1.0.2, our current release, and in NN3.0b4. 
> This includes the bug mentioned in the May 18 NY Times story. 

The problem, Marianne, is that Java security has become a total
industry joke.

When Java came out, we were assured it was secure. Then we were
assured it was Beta software but real Java as released would be
secure. Then we were told that it was mostly secure, and anyway bugs
are fixed quickly, and anyway they aren't serious in general, maybe.

In short, you are starting to look very defensive and very unreliable.

The bugs show up on a weekly basis. This is because the underlying
security model is flawed. No amount of denial on your part is going to
fix that.

Sadly, Java hype has become a giant industry, and the hype machine
assures that honesty about Java is going to continue to decline. Java
has become a major stock booster for Sun and other
companies. Congenital Java security holes aren't going to get serious
attention because whether one likes it or not Sun's stock is impacted
by the whole thing.

Perry