Re: Fwd: On sandboxes, and why I ... don't care.

[coderman <coderman () gmail com>]

On 3/30/06, michaelslists () gmail com <michaelslists () gmail com> wrote:
> Just because no-one has told you, or you haven't seen it doesn't mean
> it doesn't happen.

amen.  what's the cost if you are wrong?  (the likely case over a
sufficient period of time against motivated attackers)

that artificial security flavoring is only reassuring while the luck
continues...


> It's pretty concerning to me, as a java programmer, that the verifier
> is off by default and hence any jar running can run free or the
> contraints I've tried to enforce. Or that another j2ee app could
> possibly be viewing the data I was processing in a shared-hosting
> environment.

in a shared processing environment you have bigger concerns, but i do
agree this is disturbing if your system was designed to operate in
privacy.


> And further, if your code _doesn't_ run properly with the verifier,
> then what the hell are you doing?

probably coding like the other 97% of the planet.  (now that's
_really_ concerning)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/