Secure Coding mailing list archives

Re: Java sandboxing not used much


From: "Jared W. Robinson" <jwr () xmission com>
Date: Fri, 12 Mar 2004 00:15:46 +0000

My company outsourced a C to Java porting project to India, and we ended
up having to help them salvage the project. It was obvious that the
engineers were inexperienced. All user data (including authentication
credentials) was stored in an application directory, completely
world-writable.

When I changed the application to be more secure (before it shipped), an
Indian programmer took notice and was surprised that I had accomplished
the task so easily. It certainly wasn't rocket science -- I was just
more experienced.

Without educating engineers, security won't improve.

- Jared

On Thu, Mar 11, 2004 at 02:54:11PM -0500, Kenneth R. van Wyk wrote:
An app that I reviewed some time back had been ported (apparently from
MS-DOS) to a UNIX environment.  In their rush to get the port to 
function, the developers left the permissions at 777 (read/write/execute 
to all).  To make matters worse, the app executables and data were in 
the same directory, which was also mode 777.  Just goes to show you that 
people will find the path of least resistance even if you make things easy.

As an aside, I'm curious how common it is to find mistakes like that 
made when porting an application from one OS to another.  My bet is that 
the people doing the porting probably didn't design or write the 
original app, and that they had never worked on a UNIX system before.  
Setting everything 777 is sloppy, but probably cut down the number of 
"access denied" errors that they couldn't figure out... ;-\

Cheers,

Ken van Wyk
http://www.krvw.com
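
A defensive check for the mistake both messages describe, as an added example that is not part of the original thread: it walks an install tree and reports world-writable files and directories, plus executables that sit in a world-writable directory. The function names, directory layout and file names are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for permission problems under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        # A world-writable directory without the sticky bit lets any local
        # user delete or replace entries in it, whatever the entries' own modes.
        dir_open = bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)
        if dir_open:
            findings.append((os.path.relpath(dirpath, root), "world-writable directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            is_exec = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if is_exec and dir_open:
                findings.append((rel, "executable in world-writable directory"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: executables and user data together in a 777 directory."""
    root = tempfile.mkdtemp(prefix="ported_app_")
    modes = {"app": 0o777, "app/run": 0o777, "app/users.dat": 0o777,
             "lib": 0o755, "lib/helper": 0o755}
    for rel in ("app", "lib"):
        os.mkdir(os.path.join(root, rel))
    for rel in ("app/run", "app/users.dat", "lib/helper"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    for rel, mode in modes.items():
        os.chmod(os.path.join(root, rel), mode)  # chmod is not affected by the umask
    return root

if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_tree()):
        print(f"{finding}: {rel}")
```

Run against a real install tree, an empty result from `audit_tree` means no entry under it is world-writable; it does not check ownership or group permissions.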





