From: “Vladimir Z. Nuri” <vznuri@netcom.com>
To: perry@piermont.com
Message Hash: 9d174b186516403c8297e33552f60eb2776158e8b7ab8f226077b183d67c1638
Message ID: <199605011937.MAA22988@netcom18.netcom.com>
Reply To: <199605010033.UAA15101@jekyll.piermont.com>
UTC Datetime: 1996-05-02 05:04:21 UTC
Raw Date: Thu, 2 May 1996 13:04:21 +0800
From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Thu, 2 May 1996 13:04:21 +0800
To: perry@piermont.com
Subject: Re: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
In-Reply-To: <199605010033.UAA15101@jekyll.piermont.com>
Message-ID: <199605011937.MAA22988@netcom18.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
PM:
>> well, are you saying it would be impossible to do such a thing
>> [produce a safe execution environment] in a distributed programming
>> language?
>
>It is difficult. The way Java does this, with the protection relying
>solely on the correctness of the runtime (the interpreter isn't
>emasculated so flaws in the runtime can cause unexpected behavior) it
>is nearly impossible. Humans aren't good enough at designing systems
>this century.
I agree that designers should start from the assumption that their
software will have bugs, not the converse (in fact have been having
a long running argument with an academic on this list on this subject,
he claims that RCS will not be necessary with good OO programming
because OO programming gets rid of virtually all bugs that require
re-releases). however, again my main point is that the assumptions
Java makes are suitable for its environment. you can't realistically
make demands on the language it was not meant to support.
>The Web is the universal marketplace these days. Being unable to use
>the web is the equivalent of being unable to use the phone.
of course others will call you on this. and ideally a future infrastructure
for your country would not have the insecurity the internet does.
everyone is slowly working toward this goal. but it is an incremental
process. Java is an inherent part of that incremental process. no
one today can take java and say, "at last!! the net is secure!!".
anyone who does this I agree is misguided.
> I have
>research analysts at large trading houses begging for
>Netscape. Unfortunately, these people have a need for top notch
>security, because vast amounts of money are at stake.
yes, I know that there are banks that don't understand that when
something is "secure", it still may not be sufficient for their needs,
which may require a whole higher order of security not available.
but any consultant worth his salt such as yourself will be able to
make a good judgement about the software and hardware they plug
in and guide the client. the point is that no one who wrote Java
is misleading the public, as you sometimes seem to imply.
however there are ways to use Netscape and java that make the
insecurity of the internet irrelevant. suppose that you put Java
inside an intranet inside a company. you already have a degree
of trust over employees. if you can demonstrate that your intranet
does not make any additional trust requirements than those you
already rely on, then sure, go ahead and use Netscape and Java in
an intranet, a semi-secure environment.
>So, yes, if you are going to create a product that everyone on earth
>has to be able to use, it had damn well not explode in your face every
>once in a while. Imagine if all the world's refrigerators had a 1 in
>10,000 chance of blowing up on you. "Whats the harm" you say. Well,
>most people don't expect that sort of behavior in a friendly consumer
>appliance that nice people from Sun and Netscape guarantee is
>absolutely positively safe except for all the bugs.
people will always put products to use in ways they were not designed.
the designers can try to anticipate this as much as possible but should
not be responsible for it ultimately.
>As I said, the traders don't expect that their phone will explode when
>they pick it up, or that every piece of literature they get in the
>mail may be coated with contact poison. Well, Java is a silent
>killer. It soon is going to be sitting on every desktop at every
>company in America and its being sold as the new paper or phone. Its
>also sitting on all those PCs running "Quicken" that helpfully now can
>do direct electronic funds transfer from your account, etc. If you
>don't care about the security of your bank account, well, sure, you
>have nothing to worry about.
I trust that those who implement bank security, such as yourself, will
not use a widget where a gadget is actually called for. really, humanity
is not *totally* stupid. there are two classes of people for our purposes:
those that build the systems, and those that use them. stupidity on the
part of the latter is not a problem if you have good designers; their
mistakes are protected against and are not made fatal.
stupidity on the part of the former-- well, what can you possibly do
to avoid ramifications of bad design? it seems to me if your designers
are bad, you can't rely on anything whatsoever. a good designer is
not going to use Java in an inappropriate environment. are you complaining
that "there are a lot of bonehead designers that create bad systems"?
agreed, but what can Java do about it? a tool cannot necessarily
prevent its own misuse. in fact Java goes to great lengths to avoid
the problems that arise in regular programming languages, such as
memory leaks.
>In short, my clients need security today. Your home computer probably
>needs it soon if not now, and if you think your business can survive a
>few days without its computers, please, by all means, run without
>security.
but Java did not claim to be your savior for security. maybe someone
will augment it to the point that you are happy. in the meantime why
are you criticizing it for being unable to handle something it was not
designed to handle?
>Its not Java crashing that I worry about. Its everything else on the
>computer and the network it is attached to that needs protection.
I see. so Java designers need to solve every security problem on the
planet for you not to criticize that language. look, security problems
exist and are all over the place, I agree. the internet is insecure.
people rely on this insecurity. but again, why are you ranting at
Java designers for all these other problems? Java is a step in the
right direction. it is a new attitude change. when we do have secure
networks in the future, I think people will look back on Java as
a milestone, not a trip-up.
>Well, sorry, you try to keep it off the desks in the banking industry
>if you can.
again, if a bonehead designer uses something in the way it was not
intended, are you going to blame the person who made the hammer?
>Life critical applications or important financial applications are all
>around us. You just don't seem to notice.
I agree they are all around us. but again, why are you ranting at Java
because you don't have tools to make your job a piece of cake? that's
what a good designer does-- takes pieces that in themselves may insufficient
to accomplish his job, and puts them together in a way that they do.
Return to May 1996
Return to ““Vladimir Z. Nuri” <vznuri@netcom.com>”