-----BEGIN PGP SIGNED MESSAGE-----

In article <199605031303.JAA24332@jekyll.piermont.com>, "Perry E. Metzger" <perry@piermont.com> wrote:
> Jeff Weinstein writes:
>
>> The Netscape Administration Kit will allow a site security admin to create a configuration that disables Java, and does not allow the user to enable it. If your customers require netscape, perhaps this is an option that will make you more comfortable.
> It certainly makes me feel more comfortable. The problem I have is that I expect that increasingly pages will arise for which information can only be extracted with the use of Java. Some flunky from some desk will come up and scream "what do you mean I can't get a copy of Foo Corporation's merger press release because we won't run some program! That's bullshit! Do you know how much money the risk arb desk pulls in, you twit! This must never happen again! Fix it immediately!"
>
> Luckily things aren't quite at that stage yet, but it's only a matter of time. When you create a tool like this, you have a certain degree of, dare I say it, community responsibility. Once you've hyped the tool enough and made it ubiquitous, people at some point are going to claim that they *need* it, at which point the security people have no choice but to do something that gives them nightmares.
This, it seems to me, is the key issue. The Security Department isn't going to have time to test and certify the applet code for Foo Corporation's fancy merger press release; the risk arb desk is going to need to see it *right now*.

I hate saying things like "the answer is to educate the users" because it is as close to a cop-out as you can get. But educating the users has to be at least part of the answer, and not just the users. The publicity and shareholder relations offices at Foo Corporation need to know that putting out information for Wall Street needs to be in a form that Wall Street can deal with safely. If Java doesn't belong on the trading floor, it doesn't belong in a press release either.

I suspect that the best way to get the message across would be for a major security disaster, a big-time hack or perhaps just a Java-caused system failure, to take place. (A near-future Wall Street techno-thriller about such a hack *might* do the trick, but there's no guarantee it wouldn't just vanish into the science fiction midlist.)

- --
Alan Bostick                          | "The thing is, I've got rhythm but I don't have
mailto:abostick@netcom.com            | music, so I guess I could ask for a few more
news:alt.grelb                        | things." (overheard)
http://www.alumni.caltech.edu/~abostick

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMYuB3uVevBgtmhnpAQGDXwMAv6fD4svaKKAPgcyyfRF6NONf/hira2Ao
Ix052uZ2SGd+xkuE1rqqm4BGY1AulLJWU7pSPN6KgbZ6mJO4+nF7xaUbavBHArGZ
R1gwfRtyzEumpknhYqV9IV4IE+UNRi9C
=39Ub
-----END PGP SIGNATURE-----