Re: Java "security holes'

• To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
• Subject: Re: Java "security holes'
• From: Gene Ingram <gene@hpfsvr01.cup.hp.com>
• Date: Thu, 14 Mar 1996 10:13:09 -0800
• Cc: www-security@ns2.rutgers.edu
• Organization: Hewlett-Packard Co.
• References: <199603131806.NAA03745@argon.ncsc.mil>
• Reply-To: gene@hpfsvr01.cup.hp.com

David P. Kemp wrote:
> 
> > From: Dana Hudes <dhudes@panix.com>
> >
> >    ...    Maybe I'm confused here but I understood
> > the question of opening connections to arbirtrary destinations to be
> > forbidden, which is what I am against.
> 
> Pick up a copy of Cheswick & Bellovin sometime.  It describes a firewall
> (which is more than a box and some software, BTW - it also includes
> policy and administration) as a "crunchy shell around a soft and
> chewy center".  Then consider just how soft and chewy your own site
> is.  

Haha haha, excellent metaphor.  (If I may give the metaphor a twist, some
crunchy shells dissolve like tasty M&M treats..  ``melts in your mouth and
not in your hands.'')  :-D

> Do you run X?  NFS?  Do you mind if j.random.applet connects to
> your own machine and does keystroke monitoring, passing the results
> back to the host from whence it came?  Do you mind if it makes NFS
> requests on your behalf, perhaps only reading whatever you have
> permission to read, or perhaps writing?
> 

Permission is the operative word.  What if you could temporarily disable your
OWN permissions during an applet session (requiring a password to reactivate
those permissions), so that the applet essentially could do nothing..

> >    How do you know that Mosaic or Netscape
> > is not attacking, quietly, your network and passing the info on to
> > cracker.mcom.com?
> 
> You don't.  But NCSA and Netscape have reputations to uphold.  Microsoft
> took some heat for allegedly having its software scan user's disks
> and emailing the results back home.  If Netscape were caught doing
> something similar, they might be embarrassed.  Do you believe that
> each and every java-enabled site on the Internet has a similar
> interest in protecting it's own reputation?
> (Hint: it only takes one.)
> 
> #include <std.disclaimer>

As the movie The Net brought out (which I saw recently on pay-per-view,
pretty exciting stuff, admittedly flawed but conceptually thought provoking),
it takes only a few rogue employees and some cash-fat mucky-muck in a
penthouse who doesn't give a hoot about ``reputation'' or corporate
``embarassment'' (but instead puts personal gain ahead of integrity).  So I
emphasize a question posed, "HOW do we know Mosaic or Netscape is not
attacking, in the background, our network and passing info to
cracker.mcom.com?"  ;-)  Hopefully this proves to be just another rhetorical
question..

Reminds me of my family's household cats.  It was the paranoid feline whose
trust needed to be earned time and time again, and whose pride didn't prevent
it from sitting hunched in a safe place at even the slightest sign of
perceived danger, who lived long and prospered..  ;-)

-- 

____________________________________________________________
Gene Ingram                                  gene@cup.hp.com
                                     ingram@pubs.holosys.com

• Re: Java "security holes'
• From: dpkemp@missi.ncsc.mil (David P. Kemp)

• Previous: Re: Netscape && FTP sites
• Next: CYLINK's Support for Open Public Key Standards
• Index(es):
  • Index
  • Thread