From: fc@all.net (Dr. Frederick B. Cohen)
To: cypherpunks@toad.com
Message Hash: 789b3d0b86d184ae1aa8d54c38e1b8b0b98baa6a4f9b53000d19113a476796bf
Message ID: <9512081153.AA07233@all.net>
Reply To: N/A
UTC Datetime: 1995-12-08 11:55:56 UTC
Raw Date: Fri, 8 Dec 95 03:55:56 PST
Subject: Java musings

Excellent musings. I just wanted to add something here. There is a
fundamental issue with Java, and that is control:

People in charge of organizations are responsible for what goes
on within them. Without proper controls, it's impossible to carry out
that responsibility.

The people who want us to use Java are asking us to give up
control over the programs run by our computers. They tell us to trust
them because they say they have come up with a nearly fool-proof system
for doing this safely.

- They don't claim it's really secure, they only say it is
  harder to abuse than a C++ program. But nobody in their
  right mind would make it organizational policy to allow
  users to load and run C++ programs from over the Internet
  at the push of a button, and the removal of the particular
  things removed by Java is not adequate to justify this
  increased trust.

- They won't back up their claims of security by assuming liability
  for resulting damages. Their liability disclaimers tell
  us they think their security is worth exactly nothing.
  They are asking us to bet control of our IT on a product
  that they take no responsibility for.

- They don't even provide us with the ability to control their
  product in the way we control other purchased software
  we place into our environments. The inability to restrict
  which programs from which sources are run on our machines
  is a fundamental element of control.

- Their product has been proven to be insecure in the past. Several
  examples of its insecurities have been demonstrated, and many
  more have been pointed out. There is essentially no
  counterpoint made by the Java supporters against these known defects.

It seems to me that the loss of control resulting from the
widespread introduction of Java would make it unacceptable to business.
The use of Java as it exists today violates the policies of many
businesses, and if their policies are ignored or changed to permit this
to happen, it weakens the overall control structure of the organization.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236