Re: Please send cash
Yo Fred, nobody said you were not right on the money, just that these issues clearly have fixes and are part and parcel to a pre-adolescent product, not a mature one. Yes, you get two points for posting the bug report, but lose one for soap-boxing about the woes of the product in general... Keep up the good work, just drop the proselytizing and we all wouldn't mind hearing your rap. BTW - If you or your friends are up for a game of speed-chess... I'm willing, I used to be *rated* until I dropped off the circuit a few years ago... Winged Benoni, Classical Ruy, or maybe an Accelerated Dragon (for those who play the black)... I won't even charge you the nominal $5 fee...
I just picked this up from the Risks forum:
Date: Mon, 30 Oct 1995 16:14:59 -0500
From: Drew Dean <ddean@CS.Princeton.EDU>
Subject: HotJava 1.0 alpha 3 security issues
We have found several security problems in the 1.0 alpha 3 release of HotJava from Sun Microsystems. The two most important problems are that HotJava does not enforce the stated limits on where an applet can connect to (an applet can talk to any place with which you have IP-level connectivity), and HotJava is vulnerable to a man-in-the-middle attack, where someone can watch your web-surfing, both seeing your requests, and the content that you receive.
Two of the Java attacks I outlined in this forum and got abuse for.
While HotJava prevents applets from actively opening connections that violate the user-selected security policy, it allows an applet to accept connections from anywhere. At this point, an applet only has to use any one of a number of channels to communicate where it is, and have the remote end do the active open.
HotJava also allows an applet to set the proxy servers that the browser uses. This opens up a huge hole for anyone concerned about the privacy of their web surfing.
Attacks 31-49 work here.
Please note that these bugs are specific to the 1.0 alpha 3 release, and are _not_ bugs in the Java language itself, nor do they apply to Netscape 2.0 beta 1J, which doesn't permit network connections. We have notified Sun of these problems, and are presently writing a paper on these and other issues. We will make more information available on our Web page after we hear back from Sun.
Drat - Sun doesn't offer awards.
http://www.cs.princeton.edu/~ddean/java/
Drew Dean <ddean@cs.princeton.edu>
Dan Wallach <dwallach@cs.princeton.edu>
Inquiring minds want to know.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Regards,
T. S. Glassey
Chief Technologist
Looking Glass Technologies
todd@lgt.com
(415) 324-4318

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQB1AwUBMFu5E6gNRnWhagU5AQHI+gL+Mwpcd3lAWd8FF06qcG6rnLhIYveHW71a
XC7xh1T0uu8qnYX31yMp17OG28jWpKUbWec1IM9/eXOi+gInA7rKICWczV8zo9Z0
0puxjRRN7yO4KfRb3cPpk+r0p6pDg01Y
=bTYb
-----END PGP SIGNATURE-----
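The two holes the Risks post describes (a connection policy enforced on active opens but not on accepted connections, and an applet being allowed to rewrite the browser's proxy settings) come down to a mediation rule applied to only one side of the socket API. The following is an added illustration, not HotJava code and not the Princeton team's code: a toy applet network policy in the alpha-3 shape beside a symmetric one that applies the same origin rule to accepted peers and refuses proxy changes outright. All host names, ports and the origin rule itself are constructed for the example.

```python
# Constructed model of the two policy gaps described in the Risks post above.
# Added illustration, not HotJava code; every host name and port is made up.

from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when an applet's network or proxy request falls outside policy."""


@dataclass
class AppletContext:
    origin_host: str       # host the applet's code was loaded from
    proxy_host: str = ""   # browser-wide proxy setting; "" means direct


def same_host(a: str, b: str) -> bool:
    return a.lower() == b.lower()


class ActiveOpenOnlyPolicy:
    """Mirrors the described alpha-3 behaviour: only active opens (connect)
    are checked against the origin host; accept() and proxy changes are not."""

    def __init__(self, ctx: AppletContext):
        self.ctx = ctx

    def connect(self, host: str, port: int) -> None:
        if not same_host(host, self.ctx.origin_host):
            raise PolicyViolation(f"connect to {host}:{port} outside origin")

    def accept(self, peer_host: str, peer_port: int) -> None:
        # Passive opens are not mediated: any peer may connect in.
        pass

    def set_proxy(self, host: str) -> None:
        # The applet may silently redirect the whole browser's traffic.
        self.ctx.proxy_host = host


class SymmetricPolicy(ActiveOpenOnlyPolicy):
    """Hardened variant: the origin rule is also applied to the peer of every
    accepted connection, and proxy configuration is off-limits to applets."""

    def accept(self, peer_host: str, peer_port: int) -> None:
        if not same_host(peer_host, self.ctx.origin_host):
            raise PolicyViolation(f"accept from {peer_host}:{peer_port} outside origin")

    def set_proxy(self, host: str) -> None:
        raise PolicyViolation("applets may not change browser proxy settings")


def replay(policy, events):
    """Replay a list of (kind, host, port) requests an applet might make and
    return [(kind, host, "allowed" | "denied"), ...], one entry per request."""
    outcomes = []
    for kind, host, port in events:
        try:
            if kind == "connect":
                policy.connect(host, port)
            elif kind == "accept":
                policy.accept(host, port)
            elif kind == "proxy":
                policy.set_proxy(host)
            else:
                raise ValueError(f"unknown event kind {kind!r}")
            outcomes.append((kind, host, "allowed"))
        except PolicyViolation:
            outcomes.append((kind, host, "denied"))
    return outcomes


# Constructed sample: an applet served from applets.example.org makes an
# in-policy connect, an out-of-policy connect, receives an inbound connection
# from an unrelated host, and tries to change the browser's proxy.
SAMPLE_EVENTS = [
    ("connect", "applets.example.org", 80),
    ("connect", "intranet.example.corp", 8080),
    ("accept", "intranet.example.corp", 40001),
    ("proxy", "third-party-proxy.example.net", 3128),
]


def compare_policies(events=SAMPLE_EVENTS):
    """Return the outcome lists for both policies on the same event stream."""
    origin = "applets.example.org"
    return (
        replay(ActiveOpenOnlyPolicy(AppletContext(origin)), events),
        replay(SymmetricPolicy(AppletContext(origin)), events),
    )


if __name__ == "__main__":
    loose, strict = compare_policies()
    for before, after in zip(loose, strict):
        print(f"{before[0]:8} {before[1]:32} alpha3={before[2]:8} hardened={after[2]}")
```

Running the module shows the second, third and fourth requests allowed under the alpha-3 shape and denied under the symmetric one; only the in-origin connect passes both. The hardened accept() checks the peer address that a real accept call would return, which is the minimum fix for the hole as described; the post also notes that Netscape 2.0 beta 1J sidesteps the whole class of problem by not permitting applet network connections at all, which is the stricter design choice.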