Re: [fw-wiz] article on java in infosecurity mag

From: spiff (spiffat_private)
Date: Fri Jun 29 2001 - 18:29:31 PDT


not me :)

It's not the 'exploits' so much as what you can do to a client with the
stuff they _allow_ you to do. Why try for a buffer overflow when many
clients offer up private information by themselves, as well as shared
filesystems and data structures? It's much harder on an enterprise level
to keep clients secured.

Arguably this is a threat model issue more than a technical one; I suspect
many companies are focused on keeping hostile thingies from entering their
network, while missing almost entirely the 'legitimate' information
leaking out of their network...

Then again, maybe the reason nothing really made waves was the targets of
the hostile java apps turned up nothing worth exploiting, as their targets
most probably were the empty shells of the other over-hyped phenomenon
that had no basis in reality -- the dot-com...

spiff

happy summer Ron :)

On Wed, 27 Jun 2001, R. DuFresne wrote:

>
> Howdy,
>
> Have others here seen and read the recent article in Information Security
> magazine:
>
> http://www.infosecuritymag.com/articles/june01/columns_curmudgoens_corner.shtml
>
> The gist of the article boils down to these statements:
>
> <quote>
> Hostile Java applets are a perfect example of an over-hyped security
> threat that has no basis in reality. For years, we've been warned
> about crackers and unethical Web-site operators surreptitiously placing evil
> Java code on Web servers. The hostile applets would secretly steal or sabotage
> data on the PC of any visiting user. But after six years of warnings, such
> exploits have never materialized.
>
> Hostile applet attacks remain theoretical for two reasons. First, what few Java
> vulnerabilities have appeared have been fiendishly hard to exploit. And second,
> such an attack would provide little benefit to attackers--e-mail is a much more
> efficient mechanism for spreading hostile code. To put the situation into
> perspective, more computer damage is caused by fire and weather than
> by Web-based hostile Java applets. Even insects cause more damage than Java,
> so why aren't those bugs front-page news, too?
>
> The FUD surrounding Java is a lesson in the perils of believing everything
> you hear. To understand why this non-threat has assumed such epic proportions,
> you have to go back to 1995.
> </quote>
>
> Are folks in the industry changing their stances on the security
> implications of java these days?
>
> Thanks,
>
>
> Ron DuFresne
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior consultant:  darkstar.sysinfo.com
>                   http://darkstar.sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://www.nfr.com/mailman/listinfo/firewall-wizards

This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 12:14:05 PDT