[rc5] Security, Java, and Source
gindrup at okway.okstate.edu
Fri Oct 10 14:49:37 EDT 1997
I'm not sure that the Java-client camp is (entirely) suggesting
that the Bovine developers NOT be the single point of release. I
would still prefer to see the Bovine "seal of approval" on any client
or core that I might download in the future, Java or not.
You say that Java is neither secure nor mature. While I will
concede that the hype on these points is overoptimistic, it might be a
bit much to claim either. The security model is considerably better
than the security model of any other Algol-derived language we might
actually write clients in, even C/C++. And, since people have been
developing in Algol-style languages for a while, there is a lot of
early learning that (could have been/) was skipped. It's certainly
more mature than if it had leapt out of a vacuum.
I also like the usable and (somewhat) friendly code that Bovine
releases now and I have no intention of destroying the central
authority for client approval. I'd prefer to lighten their burden by
simplifying their code base and "auto-porting".
Sure, Java isn't as secure as its proponents would like you to
believe, but it's considerably more secure than C/C++. Further, I'd
like to point out an obvious insecurity in using C/C++ interchangeable
Client is running using "known" core. Client reports done work and
requests new work. Client discovers that it will have to download a
new core module to do the work. Client attaches to the Bovine site to
download the new module. Client runs using new native code module.
Module formats HD.
What? Yes, those pesky crackers cracked a DNS server near you and
redirected your module retrieval to be from their own machine. You
got their code. Looked like it was from Bovine, though... And
there's no "perfect" signature scheme to avoid this. Consider the
current effort as sufficient refutation.
-- Eric Gindrup ! gindrup at okway.okstate.edu
______________________________ Reply Separator _________________________________
Subject: Re: Re: [rc5] Security, Java, and Source
Author: <rc5 at llamas.net > at SMTP
Date: 1997/10/10 17:26
On Fri, 10 Oct 1997 18:48:32 +0200 (MET DST), Ivo wrote:
>Two disadvantages: code size and easy_to_install.
>How many of you out there actually have a java-[interpreter|whatever]
>running on your machine? I only have java within Netscape, but not
Nope. Someday, perhaps, but not now. Java is not a secure language. Java
is not a mature language. Secure is a _single_ point of release client, like
we have now. I trust the Bovine team to release usable, friendly code.
To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.