[4978] in WWW Security List Archive


Re: Prediction:Plug-ins will go away (Re: Automatic trojans)

daemon@ATHENA.MIT.EDU (Gary McGraw)
Fri Apr 4 10:27:20 1997

Date: Fri, 4 Apr 1997 08:11:57 -0500 (EST)
From: Gary McGraw <gem@rstcorp.com>
To: jay@homecom.com, rjc@n2k.com
Cc: WWW-SECURITY@ns2.rutgers.edu, patton@sysnet.net
Errors-To: owner-www-security@ns2.rutgers.edu

It is unlikely that plug-ins and other fun forms of executable
content will go away (as the subject of this mail implies).  Ed
Felten once said, "Given the choice between dancing pigs and security,
people will choose dancing pigs every time."  I think he's right.
But many of us security people actually don't want things like
Java to go away.  I think Java has some superb features.

The reason some of us security people are clamoring about on our
respective soapboxes is that we simply want people to be aware of
the risks.  Ignorance is not bliss with regards to computer security.
Educate yourself and your users about the risks and then manage
them so you can still reap the benefits of cool Web functionality.

To learn about Java, see the book that I wrote with Ed called, "Java
Security: Hostile Applets, Holes, & Antidotes" (Wiley 1997).  Also
surf the Java Security Web Site http://www.rstcorp.com/java-security.html.

And please learn to distinguish Java (with its sandbox) from ActiveX
(which should NEVER be used to run untrusted code).

				Gary McGraw
*------------------------------------------------------------------*
|  Dr. Gary McGraw      gem@rstcorp.com   |              (__)      |
|-----------------------------------------|              (oo)      |
|  Research Scientist                     |       /-------\/       |
|  Reliable Software Technologies (RST)   |      / |     ||        |
|  Sterling, VA                           |     *  ||----||        |
|  <http://www.rstcorp.com/~gem>          |        ^^    ^^        |
*------------------------------------------------------------------*
