Excellent musings. I just wanted to add something here.

There is a fundamental issue with Java, and that is control: People in charge of organizations are responsible for what goes on within them. Without proper controls, it's impossible to carry out that responsibility. The people who want us to use Java are asking us to give up control over the programs run by our computers. They tell us to trust them because they say they have come up with a nearly fool-proof system for doing this safely.

- They don't claim it's really secure, they only say it is harder to abuse than a C++ program. But nobody in their right mind would make it organizational policy to allow users to load and run C++ programs from over the Internet at the push of a button, and the removal of the particular things removed by Java are not adequate to justify this increased trust.

- They won't back up their claims of security by assuming liability for resulting damages. Their liability disclaimers tell us they think their security is worth exactly nothing. They are asking us to bet control of our IT on a product that they take no responsibility for.

- They don't even provide us with the ability to control their product in the way we control other purchased software we place into our environments. The inability to restrict which programs from which sources are run on our machines is a fundamental element of control.

- Their product has been proven to be insecure in the past. Several examples of its insecurities have been demonstrated, and many more have been pointed out. There is essentially no counter point made by the Java supporters against these known defects.

It seems to me that the loss of control resulting from the widespread introduction of Java would make it unacceptable to business. The use of Java as it exists today violates the policies of many businesses, and if their policies are ignored or changed to permit this to happen, it weakens the overall control structure of the organization.
-> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Frederick B. Cohen writes:
- They won't back up their claims of security by assuming liability for resulting damages. Their liability disclaimers tell us they think their security is worth exactly nothing. They are asking us to bet control of our IT on a product that they take no responsibility for.
You haven't paid for liability claims. Why do you think you should be able to pursue them? I don't know of *any* software which is guaranteed. But now you have the opportunity to change that. Point out all of Java's problems, and then sell them a solution that fixes those problems.
- They don't even provide us with the ability to control their product in the way we control other purchased software we place into our environments. The inability to restrict which programs from which sources are run on our machines is a fundamental element of control.
Again, sounds like something you could sell. Sell an HTTP proxy that only passes Java content if it's been signed by your company. And, of course, sell the matching signing service.

There are no problems, really, just business opportunities.

-russ <nelson@crynwr.com> http://www.crynwr.com/~nelson
Crynwr Software | Crynwr Software sells packet driver support | PGP ok
11 Grant St. | +1 315 268 1925 voice | Flushing, NY. Not just a suburb,
Potsdam, NY 13676 | +1 315 268 9201 FAX | it's a good idea in general.