1995-12-08 - Java musings

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: cypherpunks@toad.com
Message Hash: 789b3d0b86d184ae1aa8d54c38e1b8b0b98baa6a4f9b53000d19113a476796bf
Message ID: <9512081153.AA07233@all.net>
Reply To: N/A
UTC Datetime: 1995-12-08 11:55:56 UTC
Raw Date: Fri, 8 Dec 95 03:55:56 PST

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Fri, 8 Dec 95 03:55:56 PST
To: cypherpunks@toad.com
Subject: Java musings
Message-ID: <9512081153.AA07233@all.net>
MIME-Version: 1.0
Content-Type: text


Excellent musings.  I just wanted to add something here.  There is a
fundamental issue with Java, and that is control:

	People in charge of organizations are responsible for what goes
on within them.  Without proper controls, it's impossible to carry out
that responsibility.

	The people who want us to use Java are asking us to give up
control over the programs run by our computers.  They tell us to trust
them because they say they have come up with a nearly fool-proof system
for doing this safely.

	- They don't claim it's really secure, they only say it is
		harder to abuse than a C++ program.  But nobody in their
		right mind would make it organizational policy to allow
		users to load and run C++ programs from over the Internet
		at the push of a button, and the removal of the particular
		things removed by Java is not adequate to justify this
		increased trust.
	- They won't back up their claims of security by assuming liability
		for resulting damages.  Their liability disclaimers tell
		us they think their security is worth exactly nothing.
		They are asking us to bet control of our IT on a product
		that they take no responsibility for.
	- They don't even provide us with the ability to control their
		product in the way we control other purchased software
		we place into our environments.  The inability to restrict
		which programs from which sources are run on our machines
		is a fundamental element of control.
	- Their product has been proven to be insecure in the past.  Several
		examples of its insecurities have been demonstrated, and many
		more have been pointed out.  There is essentially no
		counterpoint made by the Java supporters against these known defects.

	It seems to me that the loss of control resulting from the
widespread introduction of Java would make it unacceptable to business. 
The use of Java as it exists today violates the policies of many
businesses, and if their policies are ignored or changed to permit this
to happen, it weakens the overall control structure of the organization.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236



