Re: Java insecurity - long - argumentative - you are warned.
On Mon, 6 Nov 1995, Dr. Frederick B. Cohen wrote:
WARNING - THIS MESSAGE CONTAINS INFORMATION THAT MIGHT BE CONSIDERED AS A FLAME BY SOME READERS - IT IS LONG AND TEDIOUS - YOU ARE WARNED!
4.2 Security in the Java Environment
Security commands a high premium in the growing use of the Internet for products and services ranging from electronic distribution of software and multimedia content, to "digital cash". The area of security with which we're concerned here is how the Java compiler and run-time system restrict application programmers from creating subversive code.
[long list of important questions deleted ...] Essentially, I think that all of this will distill to a single issue, vis-a-vis Java or any other paradigm which wishes to represent itself as *secure*. Where is the security review role placed within the project development life cycle?? Is it at Design Concept? Or during Application Development? Or is it done last, after design completion, after all of the programming is complete and the production people are involved in operational turnover? Or is it done at all? This concept is not new, and should not present any problems to anyone in the industry. Even John Q. Public will understand it, if we use a simple construction analogy. If you want to build a secure house, your security doesn't start AFTER the house is built. It has to start at a very early stage. It starts before the blueprints are made, when you specify that you want a concrete windowless box located on a quiet street at the end of a cul-de-sac. That is simple and obvious. You certainly don't have *security* if, after building a glass house on Main Street, after the design is finished, the footings have been poured, and the key is about to be turned over to the occupant; if then, as an afterthought, you put a single strong deadbolt on the front door to "secure" it. Anyone who can't or won't quite grasp this idea is either willfully attempting to steer gullible individuals astray, or is congenitally stupid. It's time to call a spade a spade.
What exactly does this mean?
While all this checking appears excruciatingly detailed, by the time the byte code verifier has done its work, the Java interpreter can proceed knowing that the code will run securely. Knowing these properties makes the Java interpreter much faster, because it doesn't have to check anything.
Yikes!! I'll leave this for someone else to address. This sounds to me like a variation on virus scanning. I think that there are far more reputable virus experts than I who can comment and expand on *flaws* with that approach.
No runtime checking whatsoever. Get past the supposed verifier, and you have free run of the machine. A single verifier bug or inadequacy, and the world is unsafe for electronic commerce.
As someone who *vividly* remembers October, 1987 and the near economic meltdown which was BARELY averted by the Fed, a near meltdown which occurred because of the interactions of systems far less intelligent or complex than those we routinely utilize today, systems which directly interface not only to each other, but have undocumented, non-predictable interactions with "soft and wet" systems, I might have some serious concerns. Then again, it is _only_ the economy, isn't it?
ASBESTOS SUITS MAY NOW BE REMOVED - FLAME OFF.
P.S.
When: Tuesday, November 7, 8AM
Where: The Hilton, Washington D.C. (the CSI conference)
The talk: 50 Ways to Attack Your World Wide Web Systems
If you want a chance to heckle - be there.
Drat ... I don't think that I'll be able to attend. I've already got a local presentation that I've pencilled in for tomorrow morning at some god-awfully early hour. Then again, D.C. isn't quite my circuit.

I was hoping though for some clarification. Are you THE Dr. Frederick B. Cohen?? The one who originally coined the phrase "computer virus" and who maintains the computer virus FAQ? Are you THAT Dr. Frederick B. Cohen, and are you speaking publicly in Washington tomorrow as one of the keynote speakers? If you are, I'd be interested as to whether you'll talk about the recent gaping security hole in the existing installed Navigator code base which I detailed to this list's subscribers. The one posted this last Friday the Thirteenth, that questioned Netscape's wisdom in creating an experimental MIME object which does not follow the usual HTTP request/response paradigm, but instead allows a server to open and maintain a bi-directional communications channel from server to client. Effectively a non-password-protected telnet into the heart of any system, an open exploitable connection which penetrates proxy servers and firewalls, and acts as an enhanced bi-directional delivery/recovery mechanism?

I'd be very interested in the comments around that, especially since both Netscape and AT&T (who distributes the software under its own brand name) have made an explicit "no comment". I'd especially be interested in any post-session transcript.

I also think that Elaine Garzarelli might be interested. Especially since she'll be addressing the nation and the public via the public television airwaves this Friday evening. Or at least ... uhmmm ... I _think_ that's when her electronic daytimer has her pencilled in ...

Alice de 'nonymous ...

...just another one of those...

P.S. This post is in the public domain.

C. S. U. M. O. C. L. U. N. E.
anonymous-remailer@shell.portal.com