Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: article on java in infosecurity mag

From: spiff <spiff () bway net>
Date: Fri, 29 Jun 2001 21:29:31 -0400 (EDT)
not me :)

It's not the 'exploits' so much as what you can do to a client with the
stuff they _allow_ you to do. Why try for a buffer overflow when many
clients offer up private information by thenselves, as well as shared
filesystems and data structures. It's much harder on an enterprise level
to keep clients secured.

Arguably this is a threat model issue more than a technical one, I suspect
many companies are focused on keeping hostile thingies from entering their
network, while missing almost entirely the 'legitimate' information
leaking out of their network...

Then again, maybe the reason nothing really made waves was the targets of
the hostile java apps turned up nothing worth exploiting, as their targets
most probably were the empty shells of the other over-hyped phenomenon
that had no basis in reality -- the dot-com...

spiff

happy summer Ron :)

On Wed, 27 Jun 2001, R. DuFresne wrote:



Howdy,

Have othere here seen and read the recent article in information security
magazine;

http://www.infosecuritymag.com/articles/june01/columns_curmudgoens_corner.shtml

The gist of the article boils down to these statments:

Hostile Java applets are a perfect example of an over-hyped security
threat that has no basis in reality. For years, we've been warned
about crackers and unethical Web-site operators surreptitiously placing evil
Java code on Web servers. The hostile applets would secretly steal or sabotage
data on the PC of any visiting user. But after six years of warnings, such
exploits have never materialized.

Hostile applet attacks remain theoretical for two reasons. First, what few Java
vulnerabilities have appeared have been fiendishly hard to exploit. And second,
such an attack would provide little benefit to attackers--e-mail is a much more
efficient mechanism for spreading hostile code. To put the situation into
perspective, more computer damage is caused by fire and weather than
by Web-based hostile Java applets. Even insects cause more damage than Java,
so why aren't those bugs front-page news, too?

The FUD surrounding Java is a lesson in the perils of believing everything
you hear.  To understand why this non-threat has assumed such epic proportions,
you have to go back to 1995.
</quote>

Are folks in the industry changing their stances on the security
implcations of java these days?

Thanks,


Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: