Re: Why I dislike Java. (was Re: "Scruffies" vs. "Neats")
From: "Perry E. Metzger" <perry@piermont.com>
The Web is the universal marketplace these days. Being unable to use the web is the equivalent of being unable to use the phone. I have research analysts at large trading houses begging for Netscape. Unfortunately, these people have a need for top notch security, because vast amounts of money are at stake. [...] Unfortunately, when the same machine runs Netscape so the trader can read the UUNet/MFS merger press release and also has the big shiny red "trade!" button on some application, you get nervous.
Aren't you holding Java to a higher standard than ordinary applications? If your traders run any software at all on their machines there is the risk of harm. The Netscape binary itself could be hacked to do bad things. Likewise with any other software they run.
Wouldn't it be safer to run a Java applet than a typical program from the net? At least applets run in an environment which is designed to restrict the harm they can do. In OS's like Windows 95 there are no such restrictions on programs.
Take a specific example: Mixmaster. This is a client for the remailer network. It is reasonably well suited to being implemented as a Java applet given the current restrictions on the language. If you had a choice between downloading and running the client as a program on your PC, versus loading and running it as an applet, which would you prefer? Or if you would do neither, how would you go about acquiring this functionality? Would you forego it forever, or would there come a time, say if no one else reported problems, that you would be willing to run one or the other?
What I am really trying to get at is how you balance the risks that come automatically when you interact with the net against the benefits you get by doing so. You have chosen a certain point on the risk-reward continuum, one for which Java applets are apparently on the too-risky side. So I am wondering what principles you use to decide where a proposed application falls.
Hal
Perry E. Metzger wrote:
Netscape with Java cannot be so tested because important components come down off the net. So no, I'm not holding Netscape with Java to a higher standard. I'm very much holding it to the same standard.
The Netscape Administration Kit will allow a site security admin to create a configuration that disables Java, and does not allow the user to enable it. If your customers require netscape, perhaps this is an option that will make you more comfortable.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
Jeff Weinstein writes:
Perry E. Metzger wrote:
Netscape with Java cannot be so tested because important components come down off the net. So no, I'm not holding Netscape with Java to a higher standard. I'm very much holding it to the same standard.
The Netscape Administration Kit will allow a site security admin to create a configuration that disables Java, and does not allow the user to enable it. If your customers require netscape, perhaps this is an option that will make you more comfortable.
It certainly makes me feel more comfortable. The problem I have is that I expect that increasingly pages will arise for which information can only be extracted with the use of Java. Some flunky from some desk will come up and scream "what do you mean I can't get a copy of Foo Corporation's merger press release because we won't run some program! That's bullshit! Do you know how much money the risk arb desk pulls in, you twit! This must never happen again! Fix it immediately!"
Luckily things aren't quite at that stage yet, but it's only a matter of time. When you create a tool like this, you have a certain degree of, dare I say it, community responsibility. Once you've hyped the tool enough and made it ubiquitous, people at some point are going to claim that they *need* it, at which point the security people have no choice but to do something that gives them nightmares.
Perry
In article <199605031303.JAA24332@jekyll.piermont.com>, "Perry E. Metzger" <perry@piermont.com> wrote:
Jeff Weinstein writes:
The Netscape Administration Kit will allow a site security admin to create a configuration that disables Java, and does not allow the user to enable it. If your customers require netscape, perhaps this is an option that will make you more comfortable.
It certainly makes me feel more comfortable. The problem I have is that I expect that increasingly pages will arise for which information can only be extracted with the use of Java. Some flunky from some desk will come up and scream "what do you mean I can't get a copy of Foo Corporation's merger press release because we won't run some program! That's bullshit! Do you know how much money the risk arb desk pulls in, you twit! This must never happen again! Fix it immediately!"
Luckily things aren't quite at that stage yet, but it's only a matter of time. When you create a tool like this, you have a certain degree of, dare I say it, community responsibility. Once you've hyped the tool enough and made it ubiquitous, people at some point are going to claim that they *need* it, at which point the security people have no choice but to do something that gives them nightmares.
This, it seems to me, is the key issue. The Security Department isn't going to have time to test and certify the applet code for Foo Corporation's fancy merger press release; the risk arb desk is going to need to see it *right now*.
I hate saying things like "the answer is to educate the users" because it is as close to a cop-out as you can get. But educating the users has to be at least part of the answer - and not just the users. The publicity and shareholder relations offices at Foo Corporation need to know that putting out information for Wall Street needs to be in a form that Wall Street can deal with safely. If Java doesn't belong on the trading floor, it doesn't belong in a press release either.
I suspect that the best way to get the message across would be for a major security disaster - a big-time hack or perhaps just a Java-caused system failure - to take place. (A near-future Wall Street techno-thriller about such a hack *might* do the trick, but there's no guarantee it wouldn't just vanish into the science fiction midlist.)
--
Alan Bostick               | "The thing is, I've got rhythm but I don't have
mailto:abostick@netcom.com | music, so I guess I could ask for a few more
news:alt.grelb             | things." (overheard)
http://www.alumni.caltech.edu/~abostick
I hate saying things like "the answer is to educate the users" because it is as close to a cop-out as you can get. But educating the users has to be at least part of the answer - and not just the users. The publicity and shareholder relations offices at Foo Corporation need to know that putting out information for Wall Street needs to be in a form that Wall Street can deal with safely. If Java doesn't belong on the trading floor, it doesn't belong in a press release either.
I suspect that the best way to get the message across would be for a major security disaster - a big-time hack or perhaps just a Java-caused system failure - to take place.
If Perry and a couple of his competitors got together, called themselves a professional organization, and issued a press release and guidelines, they'd probably be able to have a big impact. I'll bet they could get it picked up in the WSJ, and probably some other papers as well. "People in environments where security matters (like finance and banking) shouldn't use java or javascript. If you want to use the web to reach these people, don't use java or javascript in your pages." As stupid as it sounds, sending letters to the people who maintain the www faqs might be helpful too. Most web designers would probably follow guidelines if they knew what they were. I'll bet that a lot of people who write web books will take a look at the faqs, and you might get wider coverage through them.
I saw this on your pages. Where can I get the beta, and will it work with my firewall so I can 'force' all users to upgrade to a version that understands it?
Adam
Jeff Weinstein wrote:
| Perry E. Metzger wrote:
| > Netscape with Java cannot be so tested because important components
| > come down off the net. So no, I'm not holding Netscape with Java to a
| > higher standard. I'm very much holding it to the same standard.
|
| The Netscape Administration Kit will allow a site security admin
| to create a configuration that disables Java, and does not allow the
| user to enable it. If your customers require netscape, perhaps this
| is an option that will make you more comfortable.
--
"It is seldom that liberty of any kind is lost all at once." -Hume
Hal writes:
From: "Perry E. Metzger" <perry@piermont.com>
Unfortunately, when the same machine runs Netscape so the trader can read the UUNet/MFS merger press release and also has the big shiny red "trade!" button on some application, you get nervous.
Aren't you holding Java to a higher standard than ordinary applications? If your traders run any software at all on their machines there is the risk of harm. The Netscape binary itself could be hacked to do bad things. Likewise with any other software they run.
At one of my clients, there is a software testing lab where all software that is placed on the trading floor is rigorously tested for months before it is put out on the user's desktop -- it is, indeed, tested in conjunction with all other products the user would be using. No software is deployed before rigorous testing occurs. By the time the thing is put out, it is known to a high degree of certainty that it will not cause damage. This wasn't even something I requested -- they had this in place before I got there. This isn't that unusual on Wall Street, either -- I know of a number of firms with similar "integration labs", "test labs", etc.
Netscape with Java cannot be so tested because important components come down off the net. So no, I'm not holding Netscape with Java to a higher standard. I'm very much holding it to the same standard.
Perry
participants (6)
- abostick@netcom.com
- Adam Shostack
- Alex Strasheim
- Hal
- Jeff Weinstein
- Perry E. Metzger