From: Mutant Rob <wlkngowl@unix.asb.com>
Date: Wed, 27 Mar 1996 22:30:48 +0800
To: John Young <jya@pipeline.com>
Subject: Re: WSJ on Big Java Flaw
In-Reply-To: <199603261558.KAA25648@pipe1.nyc.pipeline.com>
Message-ID: <31591D05.5998@unix.asb.com>
MIME-Version: 1.0
Content-Type: text/plain


John Young wrote:
>    Wall Street Journal, March 26, 1996, p. B4.
>    Researchers Find Big Security Flaw In Java Language
>    By Don Clark
> 
>    A team of Princeton University researchers said they
>    discovered the most serious security flaw yet in the widely
>    used Java programming language from Sun Microsystems Inc.
> 
>    The flaw could make it possible for unscrupulous hackers to
>    destroy files or cause other types of damage on any
>    personal computer that uses Netscape Communications Corp.'s
>    Navigator program, said Edward Felten, a Princeton
>    assistant professor of computer science who helped discover
>    the flaw.[..]
>    Mr. Felten said that unscrupulous people who discovered the
>    flaw could boobytrap a Web page on the Internet,
>    essentially seizing control of the browser software of any
>    PC that tapped into that page. At that point, the hackers
>    could read or delete an entire hard disk of data files.
>    "The consequences of this flaw are as bad as they can be,"
>    he said.[..]

The generalized halting problem comes to mind...

Since it can be proved that there's no complete set of heuristics
to tell if a given program has a characteristic (such as "secureness")
then sooner or later someone will discover another security flaw.

A question is whether a simple patch is made or if the set of heuristics
is widened (ie, learn from mistakes) so that similar flaws can be found
based on knowledge of that one flaw.