
No Subject



From c.flink Fri Dec 15 10:06:21 0500 1995 remote from att.com
Received: from att.com by vodka.sse.att.com; Fri, 15 Dec 1995 10:11 EST
Received: by cwf-nb.sse.att.com with Microsoft Mail
	id <01BACAD4.FD520B80@cwf-nb.sse.att.com>; Fri, 15 Dec 1995 10:06:23 -0500
Message-ID: <01BACAD4.FD520B80@cwf-nb.sse.att.com>
From: Chuck Flink <c.flink@att.com>
To: 'Adam Shostack' <adam@bwh.harvard.edu>, Michael Kerr
	 <mkerr@largnet.uwo.ca>
Cc: "jm@circle-slide.indianapolis.sgi.com"
	 <jm@circle-slide.indianapolis.sgi.com>, "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Subject: RE: your mail
Date: Fri, 15 Dec 1995 10:06:21 -0500
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Content-Length: 2134

In reply to attached...
More importantly, users WON'T turn off Java.  Animation and "cool
graphics" are all part of the WWW addiction.  The answer is not
going to be found in telling users "don't do anything risky".  We
need to engineer systems that help assure accountability.  We then
need laws that hold people accountable.  (I'm thinking of the
digital signatures on Telescript scripts that (theoretically) ID
the source (and verify the integrity) of the script.  The script
won't run unless verified and the source identified as trustworthy.
Then, of course, the laws come into effect.... if the Trojan Horse
was planted in such a way that the "source" didn't realize what
was being "signed".... and who decides what "trustworthy" means....
and who can sue who for how much.... and this requires a lot of
legal groundwork that has yet to be started.)

-Chuck 

----------
From:  Adam Shostack[SMTP:adam@bwh.harvard.edu]
Sent:  Thursday, December 14, 1995 3:06 PM
To:  Michael Kerr
Cc:  jm@circle-slide.indianapolis.sgi.com; www-security@ns2.rutgers.edu
Subject:  Re: your mail

This is not correct. (Netscape 2.0beta2, Sunos 4.14).  Turn off Java,
go to http://www.tripleg.com.au:80/staff/scott/

The bug that let you do this has been fixed in Beta3, but I'd take
with several grains of salt the assertion you can turn off JavaScript.

Adam


Michael Kerr wrote:

| On Tue, 12 Dec 1995, jon madison wrote:
| 
| > anyone know more about the security of java/livescript (mocha, whatever)?
| > i've already heard of a big flaw that was plugged for the latest 2.0beta
| > that would allow a javascript author to save a history of the
| > client's travels on the web.  are there any other potential dangers?
| > 
| > i really don't like the fact that this java script is not something
| > that cannot be chosen to be turned off by the browser, can be embedded in
| > html pages, etc.
| 
| They can.  If you go through the Netscape 2.0b Options menu and look under 
| Security | General, it gives you the option to turn Java off.  
| 
| Mike.
-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume