
From: David Allan Finch (sarum_at_[hidden])
Date: 2000-07-31 10:34:38


This will be my last post on this issue to the list. It is
way off topic and probably boring to most people. I will
be happy to discuss any further point directly via email.

William Kempf wrote:

> But there are known Java viruses. A very quick web search turned up
> two: Strange Brew (admittedly a non-issue for applets) and BeanHive
> (which shows a true virus written in Java running as an applet).

Interesting. We had not seen them before. Not that worried
by either of them as they are nothing compared to VB viruses.
One dated 98 and the other Jan 99, not bad for such a virus-
ridden programming language, IMHO.

"It takes a big man to admit he is wrong, I am not
a big man" Fletch. Actually I am happy to admit I am wrong
but it made me smile so I thought I would quote it. :-)

> The
> sandbox makes things much more difficult, but not impossible. The
> reality is that nothing could make it impossible. There will always
> be some way around any security barrier invented by man.

True, you can only make it harder.

> MS bashing aside (shows poor professionalism, IMHO), you are correct
> that VBScript is much more dangerous than Java applets. Even MS
> knows this... as evidenced by the upcoming ILM.

Actually I take exception to this. It is unprofessional to
point out when a company was wrong! OK, just to
prove I can slag off Sun: what about Sun's refusal to
ship X initially (yes, I have been working on Suns
that long), and their denial that they had a bug in their
display driver that would trash your root partition. They
quietly fixed the bug in their next version; we almost
lost a client because of this bug. I can think of lots more
if you wish. No company is perfect. M$ made a judgement
call and were wrong; they have, it appears, got around
to fixing it, but after how many email viruses have wasted
almost inestimable man hours! That I call unprofessional!

> An application specifically designed to dump core is an insidious and
> dangerous program. Java does not prevent such attacks. It also
> doesn't prevent starvation attacks.

True. In fact I will add that Java is a pain in *** because
it does not tidy up its resources well enough; this has
been a major headache for us.

> Virus, Trojan, Worm. All are technically different beasts, but they
> represent the same problem and dangers and are typically lumped
> together in the same category. I don't care if it's a virus or a
> trojan that trashes (or crashes) my system.

In the same way that it does not matter whether you have
a cold or a flu: if you have the same symptoms, the same
remedy will fix you up. If you run an unverified binary
program someone emails to you, you get what you deserve.
Unless we move over to total class B1+ Orange Book spec
OSes, you can't expect the OS to fully protect you from
a dangerous program; even then it is likely that everything
at the same or lower security level is vulnerable to some
exploit or other.

> There have been numerous Java exploits in the past. Some have been
> based on bad implementations of the JVM, but that's just further
> proof that you can't assume Java to be immune from this. The sandbox
> is a great idea and drastically decreases the danger... but NOTHING
> is a silver bullet.

True.

> Maybe you should monitor the Internet for info like this if it means
> so much to you.

I do. I am surprised that I did not know of the two mentioned
above. In fact I asked around the office and we all had a blank on
them. I am happy to admit I was wrong; I also do not see my
being wrong as unprofessional. We only learn by making mistakes;
anyone that does not understand and plan for this is not an
engineer. In fact, if I had not been so certain of my facts initially
I would not have placed myself up to be shot down. :-)

The initial post that started this was wrong:

Valentin Bonnard <Bonnard.V_at_[hidden]>
> It isn't the HTML which contains viruses/worms/bombs, it's
> the Java.* code. Never mind.)

This statement implied that it was Java's fault when
it is not; it is VB's! I stand by this assertion even if there
are some minor Java viruses.

IMHO viruses that exploit a weakness in an implementation
are of a different order to ones that attack your machine because
the OS provider does not think you need or deserve security.
They may both have the same effect, but to not try because
one might fail is no defence. Hence I am happy with Sun &
Java even if the implementation might have bugs, and would
trust Java over VB any day of the week.

As I said at the start of this email, I will not post
on this topic again here, unless I am again called
unprofessional. As my boss would say, I don't do
enough work to be unprofessional :-)

--
   /     The whole history of this invention has been a struggle
/\|/\    against time - Charles Babbage 1837 on the Analytical Engine
| K |    All Hail Discordia - Burn all Orange Books!
\___/    david.allan_at_[hidden] - http://www.ironfort.com

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk