From: “David K. Merriman” <merriman@arn.net>
To: rollo@artvark.com (Rollo Silver)
Message Hash: 72f777ae823d0a5de2db3c84322bc0a7906d0b009d8d0952330989f2294cda4b
Message ID: <2.2.32.19960329165034.00693330@arn.net>
Reply To: N/A
UTC Datetime: 1996-03-30 09:27:14 UTC
Raw Date: Sat, 30 Mar 1996 17:27:14 +0800
From: "David K. Merriman" <merriman@arn.net>
Date: Sat, 30 Mar 1996 17:27:14 +0800
To: rollo@artvark.com (Rollo Silver)
Subject: Re: java security
Message-ID: <2.2.32.19960329165034.00693330@arn.net>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
At 08:44 PM 03/29/96 -0700, rollo@artvark.com (Rollo Silver) wrote:
>I'd like to hear from coderpunks/cypherpunks having ideas about how to
>break it, especially if you don't have the time/energy to pursue the idea
>to fruition yourself.
I wonder if it's possible to _subvert_ Java. That is, have site "A" send
along some modifications to a Java class, so that when the user logs into
site "B" (which calls that class), Nasty Things Happen. What site "A" does
raises no alarm flags _until_ site "B" trips the trigger - making it look
like site "B" is the Bad Guy.
(WARNING! CDA Violation!) Hell, you might even be able to spread the
modifications around some, so that it's even less obvious where they were
done. Maybe even use the technique to modify Java itself, thus disabling
security controls.
Dave Merriman
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMVv4Y8VrTvyYOzAZAQEt3wP+JBpJtTLoBLuMSqWpl6b8qSsIiIVXi6fh
9JiK9xfOEptPljW1Ca/KhHNmX8wHpUyR8U8vU4XZKraAAqcGiPlHO4ojuaJfa87I
LgkKGuSlsmaA7VSIZc7NkjH87B+IRhMgk5IkAE15StGyDAh9ugEm1e8X0PZjcDV0
HgokmdQMppA=
=XHYT
-----END PGP SIGNATURE-----
-------------------------------------------------------------
"Giving money and power to government is like giving
whiskey and car keys to teenage boys."
P. J. O'Rourke (b. 1947), U.S. journalist.
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
http://www.shellback.com/personal/merriman/index.htm
Return to March 1996
Return to ““David K. Merriman” <merriman@arn.net>”
1996-03-30 (Sat, 30 Mar 1996 17:27:14 +0800) - Re: java security - “David K. Merriman” <merriman@arn.net>