1996-02-24 - Re: REM_ote

Header Data

From: frantz@netcom.com (Bill Frantz)
To: Alex Strasheim <cypherpunks@toad.com
Message Hash: b4f5e2a376530b38d0e0086a4e9162e755caf97fe69072201b7a3881caba73bf
Message ID: <199602240609.WAA15885@netcom7.netcom.com>
Reply To: N/A
UTC Datetime: 1996-02-24 07:33:33 UTC
Raw Date: Sat, 24 Feb 1996 15:33:33 +0800

Raw message

From: frantz@netcom.com (Bill Frantz)
Date: Sat, 24 Feb 1996 15:33:33 +0800
To: Alex Strasheim <cypherpunks@toad.com
Subject: Re: REM_ote
Message-ID: <199602240609.WAA15885@netcom7.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 10:28 PM 2/23/96 -0600, Alex Strasheim wrote:
>> Might want to be careful calling Marianne a borderline liar. She's our host
>> for Cypherpunks meetings at Sun, where's she's in the Java group. The
>> article didn't make it clear that she's with Sun and not Netscape. She's
>> also been coming to Cypherpunks meetings since the beginning, and posts
>> here occasionally.
>
>I apologize for the remark, it was out of line.  I don't know who she is,
>or what she actually said, for that matter.
>
>But the fact remains that these sorts of security problems were predicted
>well before Java was widely deployed.  They're serious, and this isn't
>going to be the last one.  An awful lot of people aren't going to patch
>their copies of Netscape any time soon, either.

I agree these problems will continue to show up from time to time.  With a
large security kernel, you will have security bugs.  However, if the fixes
come out in a week, then the hacking potental is greatly reduced.

>(A useful feature for Netscape might be a facility that checks
>periodically to see if a security patch is in order, and displays a
>warning if it is.)

A very good idea.  An advantage for web based products.

>Problems with security are a fact of life.  I've made embarassing mistakes
>that compromised security for some of my users.  When that happens you
>have to come clean, tell the truth, and fix the problem.  Don't try to
>convince people that you didn't screw up, that the problem isn't serious. 
>Don't say things that will encourage users to put off installing a
>security patch.  And don't underestimate the ability of your attackers.

This is all true.  However, from what I know, in this case you would need
to know the details of the flaw, and be able to generate a java bytecode
stream which takes advantage of the problem.  If the fixes come out
quickly, then your attackers don't have much time.  However if they
discover the flaw before you do you are in deep shit.


------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA







Thread