1996-05-04 - Re: Why I dislike Java.

Header Data

From: abostick@netcom.com (Alan Bostick)
To: perry@piermont.com
Message Hash: dbc5be5fdfc1a6819ebf20ba90ff6fd793fb4d1d86a56b19196ae69dc934dd86
Message ID: <723ix8m9LAhG085yn@netcom.com>
Reply To: <199605031303.JAA24332@jekyll.piermont.com>
UTC Datetime: 1996-05-04 21:08:19 UTC
Raw Date: Sun, 5 May 1996 05:08:19 +0800

Raw message

From: abostick@netcom.com (Alan Bostick)
Date: Sun, 5 May 1996 05:08:19 +0800
To: perry@piermont.com
Subject: Re: Why I dislike Java.
In-Reply-To: <199605031303.JAA24332@jekyll.piermont.com>
Message-ID: <723ix8m9LAhG085yn@netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

In article <199605031303.JAA24332@jekyll.piermont.com>,
"Perry E. Metzger" <perry@piermont.com> wrote:

> Jeff Weinstein writes:
> > 
> >   The Netscape Administration Kit will allow a site security admin
> > to create a configuration that disables Java, and does not allow the
> > user to enable it.  If your customers require Netscape, perhaps this
> > is an option that will make you more comfortable.
> 
> It certainly makes me feel more comfortable. The problem I have is
> that I expect that increasingly pages will arise for which information
> can only be extracted with the use of Java. Some flunky from some desk
> will come up and scream "what do you mean I can't get a copy of
> Foo Corporation's merger press release because we won't run some
> program! That's bullshit! Do you know how much money the risk arb desk
> pulls in, you twit! This must never happen again! Fix it immediately!"
> 
> Luckily things aren't quite at that stage yet, but it's only a matter
> of time. When you create a tool like this, you have a certain degree
> of, dare I say it, community responsibility. Once you've hyped the
> tool enough and made it ubiquitous, people at some point are going to
> claim that they *need* it, at which point the security people have no
> choice but to do something that gives them nightmares.

This, it seems to me, is the key issue.  

The Security Department isn't going to have time to test and certify the
applet code for Foo Corporation's fancy merger press release; the risk
arb desk is going to need to see it *right now*.

I hate saying things like "the answer is to educate the users" because
it is as close to a cop-out as you can get.  But educating the users has
to be at least part of the answer - and not just the users.  The
publicity and shareholder relations offices at Foo Corporation need to
know that putting out information for Wall Street needs to be in a form
that Wall Street can deal with safely.  If Java doesn't belong on the
trading floor, it doesn't belong in a press release either.

I suspect that the best way to get the message across would be for a
major security disaster - a big-time hack or perhaps just a Java-caused 
system failure - to take place.

(A near-future Wall Street techno-thriller about such a hack *might* do
the trick, but there's no guarantee it wouldn't just vanish into the
science fiction midlist.)
 
- -- 
Alan Bostick               | "The thing is, I've got rhythm but I don't have
mailto:abostick@netcom.com | music, so I guess I could ask for a few more 
news:alt.grelb             | things." (overheard)
http://www.alumni.caltech.edu/~abostick

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMYuB3uVevBgtmhnpAQGDXwMAv6fD4svaKKAPgcyyfRF6NONf/hira2Ao
Ix052uZ2SGd+xkuE1rqqm4BGY1AulLJWU7pSPN6KgbZ6mJO4+nF7xaUbavBHArGZ
R1gwfRtyzEumpknhYqV9IV4IE+UNRi9C
=39Ub
-----END PGP SIGNATURE-----




