Firewall Wizards mailing list archives

RE: signed applets a solution?


From: Hal <hal () mrj com>
Date: Wed, 17 Dec 1997 22:06:02 -0500

The military think tank does have sensitive stuff on many of their machines. Some of which is by law supposed to be
protected (not classified). They spend a lot of time and money to keep hackers out after a few more or less
disastrous incidents in the '80s and early '90s. I have confidence that they must have been up against a wall with
respect to applets to give in the way they did. I use them as an example to illustrate the problem I see that is
becoming severer all the time. This is exactly the problem mjr first pointed out. This military think tank has about
5000 users online and many use the Web as an important tool. Without too much imagination you could construct an
ActiveX "X-let" that dances right past all the fw application proxies and IP filters. There's an ActiveX demonstration
applet (called the exploder) on the web (signed too!) that turns off your PC by manipulating some power saver BIOS
interrupt. Given the talent out there I'm sure an IP scanner wouldn't be too hard. They perfectly well know this better
than most, but what to do about it?
In sum, it's like the old saying: can't live with it, can live without it.

On your second point: It's not always possible to enforce a policy that restricts something users don't perceive as a
problem. Consider the diversity of opinion in different organizations, of which Wall Street is but one.


----------
From:   Bennett Todd[SMTP:bet () rahul net]
Sent:   Wednesday, December 17, 1997 8:28 AM
To:     Hal
Cc:     firewall-wizards () nfr net
Subject:        Re: signed applets a solution  --maybe!

On Mon, Dec 15, 1997 at 07:01:34PM -0500, Hal wrote:
Here's my problem: A web page comes into my system and with it three
objects: one is java [...] another VB [...] and the third is [...]

Indeed, if you're in a setting requiring any kind of serious security,
that is your problem; chunks of java, VB, and so on shouldn't come in to
your system; they should be stopped at the firewall.

[...] There is a growing body of users who suspect the merits of a
firewall. They are web users and firewalls get in their way because it
prevents their arbitrarily using any port at any time. An increasing
number of web services ordinary and not so ordinary are feeding this
trend.

Where people are web users --- e.g. at ISPs, at internet information
service bureaus of various sorts, etc. --- the security policy is
necessarily different; you don't try to secure the desktops at all,
instead they lie in a ``sacrificial'' net, which would be the DMZ in a
more conventional setting. Internal business data machines and anything
else requiring serious protection will of course lie behind a strong
(i.e. application-proxy) firewall with a very strict policy, but people
who are web users (as opposed to traders, or systems administrators, or
admin staff, or other sorts of jobs) should definitely have no barriers
between their desktops and the internet.

Out of curiosity, how many professional web users are there these days?
I hadn't really thought about it, but I guess that's probably a very
fast-growing field these days. We don't have any at my company today,
but I imagine we will before much longer.

-Bennett
