1995-11-08 - Re: PRINCETON STUDENTS FIND HOLE IN INTERNET SECURITY SOFTWARE

Header Data

From: Herb Sutter <herbs@interlog.com>
To: sameer <sameer@c2.org>
Message Hash: 825c71af0a422e9e78a5595f7a8b343ecba636efe09d6d68f7269422aa05b5ee
Message ID: <199511070413.XAA07602@gold.interlog.com>
Reply To: N/A
UTC Datetime: 1995-11-08 21:37:30 UTC
Raw Date: Thu, 9 Nov 1995 05:37:30 +0800

Raw message

From: Herb Sutter <herbs@interlog.com>
Date: Thu, 9 Nov 1995 05:37:30 +0800
To: sameer <sameer@c2.org>
Subject: Re: PRINCETON STUDENTS FIND HOLE IN INTERNET SECURITY SOFTWARE
Message-ID: <199511070413.XAA07602@gold.interlog.com>
MIME-Version: 1.0
Content-Type: text/plain


I've always read with interest Sameer's notes, and I also enjoyed this one.
I just can't figure out why he's writing it (spelling and grammar errors aside):

At 07:52 11.06.1995 -0800, sameer wrote:
>For Immediate Release
>Date: Nov 6th, 1995
>Contact: Sameer Parekh 510-601-9777 sameer@c2.org
>
>PRINCETON STUDENTS FIND HOLE IN INTERNET SECURITY SOFTWARE

This title and the opening paragraphs seem unnecessarily (and
misleadingly[*]) alarmist, given the recent spate of similar mass-media
articles.  After the lead and second paragraphs repeatedly talk about
"holes", "make viruses and other malicious programs possible", etc., it
isn't until the third paragraph that we read a calmer quote:

[*] Java isn't really 'Internet security software', and the students didn't
find a hole in any current version according to the rest of the text.

>"While we did find some interesting holes, we believe these can be
>addressed and Java could make a good standard for remote code on the
>Web, if an effective security policy is defined."

The opening paragraphs sure didn't reflect this.  Then:

>The holes they found exist only in the alpha release of HotJava. The
>beta release, which is the version found in the widely-used Netscape
>Navigator 2.0b1J is not vulnerable to these attacks.

They do?  It's not?  Then... why mention it at all?!

If this is so, it's a dead issue, old news, passe'.  Why another alarmist
press release (other than to promote Community ConneXion's decision to add
Java to its hit list <grin duck & run>)?  The public's paranoid enough about
net commerce; why should we, of all people, fan the flames?

This isn't to bash Sameer, whose posts I always enjoy reading.  I'm just a
bit puzzled by this one...

Herb

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Herb Sutter                 2228 Urwin, Suite 102       voice (416) 618-0184
Connected Object Solutions  Oakville ON Canada L6L 2T2    fax (905) 847-6019





