On 3/30/06, michaelslists@gmail.com <michaelslists@gmail.com> wrote:
Just because no-one has told you, or you haven't seen it doesn't mean it doesn't happen.
amen. what's the cost if you are wrong? (the likely case over a sufficient period of time against motivated attackers) that artificial security flavoring is only reassuring while the luck continues...
It's pretty concerning to me, as a java programmer, that the verifier is off by default and hence any jar running can run free or the contraints I've tried to enforce. Or that another j2ee app could possibly be viewing the data I was processing in a shared-hosting environment.
in a shared processing environment you have bigger concerns, but i do agree this is disturbing if your system was designed to operate in privacy.
And further, if your code _doesn't_ run properly with the verifier, then what the hell are you doing?
probably coding like the other 97% of the planet. (now that's _really_ concerning) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/