From: Ray Cromwell <rjc@clark.net>
To: perry@piermont.com
Message Hash: c25e4588b3c80b11ba8d735d8571754b672478369adea23426d99190526efdd4
Message ID: <199507281624.MAA11581@clark.net>
Reply To: <9507281410.AA07271@snark.imsi.com>
UTC Datetime: 1995-07-28 16:24:38 UTC
Raw Date: Fri, 28 Jul 95 09:24:38 PDT
From: Ray Cromwell <rjc@clark.net>
Date: Fri, 28 Jul 95 09:24:38 PDT
To: perry@piermont.com
Subject: Re: Java, Netscape, OpenDoc, and Babel
In-Reply-To: <9507281410.AA07271@snark.imsi.com>
Message-ID: <199507281624.MAA11581@clark.net>
MIME-Version: 1.0
Content-Type: text/plain
>
>
> Ray Cromwell writes:
> >
> > Just a quick note to chime in. The OSF just did a deal with Sun
> > to port Java to several platforms. The OSF is opening a "web mall"
> > where you can grab software objects and run them. Expect to Java
> > *really* take off in about 2-3 months. Every business on the net is going
> > to want a Java shopping-client-basket on their web-mall/web-store.
> > (Web Consultants! Learn Java!)
>
> As a security consultant, I'm very happy about Java because once the
> holes are found in it and massive, Morris style worms are launched
> with it, I'll be laughing all the way to the bank.
Holes have already been found in CERN HTTP. The GETS() style bug
was in the first few versions allowing attacks to overwrite the
process stack. Any mail server written in perl is susceptible
to weird attacks. For instance, if you ever eval/exec any variable
that is double-quoted, rather than single quoted, it is possible to
run shell commands via backtics or shell subprocesses in variable names.
In fact, can you even prove that elm or pine don't have some obscure
bug wherein a certain message, say with malformed headers, can
overwrite the stack and allow Morris style attacks? The "Good Times"
virus may actually be possible.
Security is very nice to have. it's nice to rely on. But sometimes
there's a need for some liberty. Make everything as secure as you
can, but if security prevents you from doing something that you want
to do, it's not helping you. The internet would be a very cold and
barren place if the only application people ran was mail.
Object Oriented Superdistributed components are so useful an abstraction,
I think it's worth the security risk. HotJava solves some fundamental
issues with protocols. Right now the W^3 working groups have been struggling
to define URI/URCs and a whole host of other web protocols. They've been
doing it for years, but they suffer from Xanadu like problems as far as
I can tell. They don't want to saddle the web with a bad protocol, so
they search to define a perfect one. Hence, no prototypes are ever
deployed, because if they were, the user community might make them
a defacto standard and lock them into it much like MS-DOS locked
PCs into the Dark Ages. With Java, you define all the protocols you
want. If your browser doesn't understand how to fetch a protocol,
it can fetch a protocol handler. There's no need for a kitchen
sink application that understands every protocol in existence.
And with HotJava, you don't NEED to automatically fetch an application
and run it. You can just use it as an extension language. If someone
defines a new application or protocol handler for it, and this person
is fairly trusted on the net, you can decide to run it (kinda like
turning off autoload images), and even review the source code first.
This is no less secure than ftping software from some site and compiling
it.
Maybe for you, the issue is protecting corporate networks behind firewalls.
That's good, well then don't let employees run HotJava. However, I look at
it from the home slip/ppp'ed user standpoint. I think over the next two
years, slip/ppp'ed users will displace corporate/academic users as the
largest group on the net.
There will be worms and viruses. Just like there are nowadays. And there
will be fixes. And there will be yet another arms race between virus
writers and people who write anti-virus software. No doubt, there will
be HotJava based worm/virus scanners, etc. A new market will come into
being. You'll make money off of fixing holes. I'll make money off
custom java clients business web pages. It's the price that should be
paid, that is always paid, with any new technology. I'm not advocating
being careless. I'm just saying that paranoid security hampers
development of more robust and better software. HotJava is a piece
of low-hanging fruit. As more people use it and more problems are found,
better fruit will be found.
-Ray
Return to July 1995
Return to “tcmay@sensemedia.net (Timothy C. May)”