I hope people evaluate Java (and all software) based on technical issues, and not based on whether or not you think I'm clueless, brain damanged or a liar. We take the DNS-related problem very seriously; we do understand how DNS works (I did say "apologies for the oversimplifiation"); we never have put our heads in the sand. I do think it's a bit unfair to the Java team to say we put our heads in the sand, since we are deliberately trying to be as open and honest and forthcoming as we can. I mean, we are publishing full source code, which I'm not sure is the case for lots of software that people place a lot of trust in, implicitly or explicitly. As I've said every time I've said anything, every time security awareness on the net is raised, I think it's good for the net. I personally don't regard the internet as secure, and any information I care about I have encrypted on disk. Any information I really, really care about I don't even have on the internet. I do regular backups. I'm not saying this is what everyone has to do. But it's not that hard or time-consuming, and it wouldn't hurt. But people who are in charge of corporate security for their company, or people who have very sensitive or very valuable information on their disks, should consider the many ways that the internt is insecure, not just how some applet could be exploited. Having said that, does that imply that I think it's OK for a Java application to have security holes? Of course not! I hope we can use Java-the-language to build more secure systems than we've gotten used to surviving in the past. Does that mean I'm downplaying the importance or seriousness of any applet-related hole? Of course not! I think it's possible simultaneously to understand the seriousness of a security hole, AND still to say it's a good idea for people to practice safe internet. Marianne Mueller I work for Sun, on the Java team. mrm@netcom.com mrm@eng.sun.com http://java.sun.com/people/mrm/