At 23:48 3/24/96, Perry E. Metzger wrote:

When you build something large and complex, and you require that the entire thing work for you to be secure, there are just too many failure modes.

That just about sums it up. Chisel these in granite: o Thou shall not execute untrusted code. Java or no Java. o Privileges that an user doesn't have can't be abused. o The only safe firewall is a non-networked computer. o A feature that doesn't exist won't introduce security holes. Yes, I know that there is a balance between functionality and security. Where to draw the line depends on the application. -- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred.