On Fri, 3 Nov 1995, Adam Jack wrote:
> On Wed, 1 Nov 1995, Rick Smith wrote:
>
> > (third level references unattributed):
> > > Reassurance isn't a right! ...
> >
> > Competent firewall and security vendors do NOT subscribe to this
> > mindset. If a customer is concerned enough about security to seek a
> > quality product, they have every right to (re)assurance that the
> > protections they expect are in place. They deserve to know what
> > security measures are effective and deployed. They deserve evidence.
> >
> Precisely. Customers pay you to prove something. Sun aren't selling
> to you - they are testing a concept in good old Internet fashion
> - by letting 'net individuals do some of the leg work. Sun have
> made a lot of information available - it just takes time to ingest.
The problem is that they are not only testing it, they are test
marketing it as well. It is a topic in almost every sales pitch, press
release, etc. One cannot have a talk with a Sun employee without Java
being mentioned in the conversation--and sounding like the sales literature.
Then I walk into a company and hear "oh neat, where can I get this Java
thingy." All they know is what is put out by Sun's marketing machine,
but they're out and ready to buy a non-existent product. Is this right?
I hate to say this, but Sun is doing to Java what M$ did to Windoze 95.
Will it fizzle like Win95 has?
I also have a problem with this concept "in good old Internet fashion -
by letting 'net individuals do some of the leg work." Oh really?? What
a way to get cheap labor. Get every <deleted> out there with two
seconds free time to play with this and go "oooo neat!" instead of doing
a proper evaluation. I think they would be better off hiring a few
independent contractors (as in independent from Sun) to do a proper
analysis on this from all aspects, including for security!
> I don't necessarily condone it (except maybe from a business
> standpoint) - but it is happening. And it will continue to ...
Just because Sun is doing it doesn't make it right!
> > Evolving attack methodologies also strain current firewall models,
> > even without throwing HotJava into the picture. Sites concerned about
> > security want finer grained awareness of what crosses their boundary.
> > It's not clear how we meet their needs and also pass applets. Magic
> > doesn't exist, and firewalls can't perform mathematical miracles.
> >
> I am not able to comment on other than Java - but your point seems
> very sound. Maybe one of the benefits of this Internet explosion
> will be heightened user awareness - and reduced requirement for
> transparency at the firewall. If users will accept a bit more pain
> for their functionality maybe the need for magic can be removed.
Don't count on it. I am now talking to people (trying to sell my
services :-) who do not know the first thing about the internet or
internet security except what they read in Time or Newsweek (basically).
It is amazing the look of shock and fear when I explain what is really
going on and shove a few examples under their noses.
I don't know why I keep arguing this point, especially since I just
installed a firewall for a customer whose systems were hacked into. I'm
making a good living. I guess I'm just tired of the mop-up role.
> > >.. How are firewalls going to deal with the next 20 Java's?
> >
> > The same way this one is dealt with: a refusal to throw caution to the
> > wind simply because it's Kool Stuff.
> >
> Cheap retort to a serious question. Do you expect the Internet to
> wait 'cos you imply they are being immature? People will push the
> boundaries to attempt to make money - that is business. What you might
> think of as Kool - may, to others, be big dollars. You (firewall
> security types) will need better arguments than yours above.
I don't think it's a cheap retort, I think it's a valid answer! Why
should I just open my (virtual) doors and allow the (net) traffic in if
I cannot trust it, just because it's neat and wonderful? I think horses
are neat and wonderful animals, but I'm not going to let one in my house!
(POINT: Even the best of intentions have their consequences)
> Some applications will be worthwhile - some will not be. Rick - I know you
> have taken time & effort to learn about Java - and I respect that choice of
> investment. However there is too much coming for individuals to
> continually keep abreast of.
Live by information, die by ignorance. It is the responsibility of
the person who has to guard the door to understand the threats.
Watching over this, security and systems, is more than a full time job.
This is where this list comes in, to help keep those of us who require
this information up to date. I've had no problems keeping up--well,
maybe I should s/no/only a few/ !! :-)
scott barman
--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com
"I don't know if security explains why the Win95 support Web servers run BSDI
2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is
the ideal Web software solution. Does Redmond know something we don't know?"
-Robert X. Cringely, INFOWORLD, 9/11/95