From: “Perry E. Metzger” <perry@piermont.com>
To: cypherpunks@toad.com
Message Hash: 3a3c3f51386ae27b0c05f468cb790cc322e7c06513bbb2d64a87ca07c1899519
Message ID: <199606040222.WAA06345@jekyll.piermont.com>
Reply To: N/A
UTC Datetime: 1996-06-04 06:22:19 UTC
Raw Date: Tue, 4 Jun 1996 14:22:19 +0800
Subject: Java

I've been rather hard on Java here lately.

I'd like to state, for the record, that I have nothing against the
folks at Sun. They are good, smart people, and I'm sure they mean
well and aren't in on some evil plot. However, that doesn't make Java
a good idea.

For at least twenty or more years, people have known that for the
ultimate in multimedia email or what have you all you would need to do
is make the recipient execute a program that you sent them. This
obviates all the questions of having to figure out what sort of things
you would want to send -- if you can execute a program, you can do
anything. Unfortunately, this is also so phenomenally obvious a
security problem that no one ever proposed it as anything more than a
joke -- until now.

Sun is, unfortunately, suffering from a substantial hubris problem. As
I have noted, the original Java applet security model and all the
followups have had exactly the same problem -- they depend on perfect
implementation of every element of the security model for the security
to work, instead of having the realistic and conservative assumption
that portions of the model will be misimplemented, and designing for
defense in depth.

Beyond that, however, they have created the ultimate hype
monster. Java is a neat idea looking for a good application. I use the
web all day long and I have yet to see a good use for Java. We have,
essentially, mortgaged our system security for almost nothing better
than the occasional gee whiz animation that could have been
implemented with a safe graphics description format instead of a
Turing equivalent language.

Again, I don't hate the Sun people or hold any animosity towards
them. However, I will point out the lesson that any good student of
Greek Tragedies could tell you -- the gods punish hubris, and severely.

Perry