|> As a security consultant, I'm very happy about Java because once the
|> holes are found in it and massive, Morris style worms are launched
|> with it, I'll be laughing all the way to the bank.
|> I exaggerate only slightly. I don't believe Java to be secure, in spite
|> of the claims. It's too complicated, and it operates in an environment
|> whose correct operation is required for it to remain secure. Good
|> system design says that you want a system's failure mode to produce a
|> secure result, but that's not what Java does.

I disagree for the simple reason that Java and Hotjava are not being treated as trusted code in their applications. Applets are tightly constrained in what they can do, and Hotjava's default attempt to configure a "firewall" when it boots up is not likely to engender a false sense of security.

I've been looking at the Java code closely for a couple of months now, and I find it to be relatively clean in its implementation (Solaris version at least). I think the biggest worry might be holes in the non-Sun ports along the host machine interfaces. Overall, I give the Solaris implementation extremely high marks in terms of its security. I think I'm actually more worried by far less powerful browsers whose code I don't approve of, like Mosaic.

The vast majority of security problems result from the fact that most code has security added in AFTER coding starts. Java has been designed for excellent security from the very beginning.

JWS