From: anonymous-remailer@shell.portal.com
Date: Fri, 10 Nov 1995 07:41:11 +0800
To: cypherpunks@toad.com
Subject: Re: Java insecurity - long - argumentative - you are warned.
Message-ID: <199511092241.OAA14102@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


On Mon, 6 Nov 1995, Ray Cromwell wrote:

> > WARNING - THIS MESSAGE CONTAINS INFORMATION THAT MIGHT BE CONSIDERED AS
> > A FLAME BY SOME READERS - IT IS LONG AND TEDIOUS - YOU ARE WARNED!
> > 
> > >From the Java Web pages (as combined in Firewalls/BoS):
> > 
> > > The language's security features (not just applets):
> 
> [Long list of bullshit deleted]

I don't think that this is *bullshit* ... the questions I mean ... but,
I for one am tired of people promoting products in a manner which flies 
in direct contravention of expert consensus.

No one would accept a pharmaceutical company that says a product is X, 
if it is in fact Y.  And no one would question if a researcher came 
forward, and corrected the company and set the record straight.

This is generally called ETHICS ... not bullshit.  The problem is not in 
the messenger, it's in the organization that is simply willing to 
roll the dice when it comes to public safety and security.

>  "Dr" Cohen. If you want to criticize Java, why not read the technical
> papers rather than spewing questions and assertions based from ignorance.

I've got a better suggestion.  Why don't companies like Sun ensure 
that their sales and technical material is reviewed for gross 
inaccuracies and/or misrepresentations?

> When you want to criticize a piece of engineering, you don't look
> at the feature list or white paper. As is made clear in your post,
> you don't know the meanings of phrases used in the Java paper, nor do
> you understand how the machinery works. (e.g. byte code verifier)

I won't speak for Dr. Frederick B. Cohen, but I will speak for myself,
and provide this list with but a single example.  And I won't quote
from a white paper, but will instead quote from some Sun literature
which crossed my desk the day before yesterday, literature that Sun
provided as part of their worldwide introduction of Ultra workstations.

What they called a "breakthrough for network computing".

What follows is not "technical commentary", but is simply what they
provide as information to MIS managers, Sun resellers and invited
press. This copyrighted brochure, which looks like it was printed
11/95 makes the following verbatim comment on the "Java Internet
Application Language".

> Java has an extensive library of routines for coping with TCP/IP 
> protocols such as HTTP and FTP.  Java applications can open and access 
> objects across the net via URLs with the same ease that programmers are 
> used to when accessing a local file system.
>
> Java is intended to be used in networked/distributed environments.  
> Therefore, much emphasis has been placed on security.  The product 
> enables programmers to create virus-free, tamper-free systems through 
> public-key encryption authentication techniques.

Hmmm, maybe I'm confused, but this is grossly overselling a product's
capabilities, and is setting absolutely unrealistic expectations --
expectations which are doomed from the start never to be met, let
alone exceeded.  This expectations/satisfaction gap will ultimately
lead to customer dis-satisfaction.

Then again ... the solution to virus-free, tamper-free systems with
TCP/IP protocol "coping" has always been a problem that's been waiting
for a "product solution" to help all of us to enable our programmers.

God help us all.

As part of my copious spare time, I might make a personal comment
which hopefully gets to some of the powers that be at Sun.

Firstly, I wasn't aware that HTTP was a TCP/IP protocol.  I didn't
even think that there was a draft RFC on it.  I thought that all that
there was, was an internet-draft, which is a different kettle of fish.
I never realized that HTTP was on standards track, and part of the
appliction protocol.  It really is news to me.  But that's a quibble,
and I'm really behind on my reading, so, I could be wrong.

My second comment is perhaps more actionable.  I would much rather
that a product clearly and definitively state what it has implemented.
Maybe something like the following.

Implementation of the following IETF (Internet Engineering Task Force)
protocols :IP (RFCs 791, 894; MIL-STD 1777); UDP (RFC 768); TCP (RFC
793, MIL-STD 1778); ARP (RFC 826); RARP (RFC 903); ICMP (RFC 792);
BootP (RFCs 951, 1048); RIP (IDEA004); DNS (RFCs 1034, 1035); Internet
Subnetting (RFC 950); and Internet Assigned Numbers (RFC 1010). Maybe,
also that the product complies with Requirements for Internet Hosts
Communications Layers (RFC 1122) and with A Standard for the
Transmission of IP Datagrams over IEEE 802 Networks (RFC 10..
something or other).

This is far more informative (ironically) than saying that:

> Java has an extensive library of routines for coping with TCP/IP
> protocols such as HTTP and FTP.

Hmmm, FTP.  That's RFC 7?? or something like that, isn't it?? 

As an example, I'd like to know how Java handles a file, that is called
foo.bar.au.  Does a .au file refer to an audio file, or does it refer to
something from Australia??  

I'll stop here, and not continue with my deconstruction, especially
the part that continues:

> Java is intended to be used in networked/distributed environments.
> Therefore, much emphasis has been placed on security.  The product
> enables programmers to create virus-free, tamper-free systems through
> public-key encryption authentication techniques.

To every problem, a product solution ... we can leave mathematician's
at the door, and simply enable our programmers.

Those technical analyst rocket scientist types, really can't know
anything, at all.  Can they?



Alice de 'nonymous ...

                                  ...just another one of those...


P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.


P.P.S. To Sun:   I was also a bit disappointed that nobody thought to 
       show what a vice-presidential tribble looks like on satellite 
       simulcast ... then again, I was thrilled with the female 
       "trader" who spoke about patterns in chaotic systems to her 
       cab driver.  

       Did she work the back office at Daiwa, or something??  Probably 
       believe's in runs of luck, too ...