From: frantz@netcom.com (Bill Frantz)
Date: Tue, 19 Dec 95 12:22:25 PST
To: Andrew Loewenstern <Jim_Miller@bilbo.suite.com
Subject: Re: Java and timing info - second attempt
Message-ID: <199512192018.MAA27098@netcom23.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


>Jim Miller (jim_miller@bilbo.suite.com) writes:
>Of course it would be a lot easier for the applet to just try to read the  
>secret key file, encrypt it with an embedded public key, and post it to  
>alt.anonymous.messages.

If I understand Java security correctly, the applet can just send data back
to the server it was loaded from, but can't read random files on the
machine it runs on (even if the user running it can read them).  Java is
beginning to become cluefull about the idea that a program is not the same
as the person running it, and should not have the same privileges.  In this
area, most OSs (inluding Unix) are totally clueless, which is why the
Orange Book has mandatory security requirements at the "B" and above
levels.


-----------------------------------------------------------------
Bill Frantz                   Periwinkle  --  Computer Consulting
(408)356-8506                 16345 Englewood Ave.
frantz@netcom.com             Los Gatos, CA 95032, USA