Another little joy has entered onto the Internet, which is great at heart, but if allowed to be manipulated in a devious manner, unknowingly, can cause your computer and Data great harm. In the case of selected files, Total Theft. I just want you to be aware.

BMW RULES...FIGHT THE GOOD FIGHT Page #4


For on the Tenth day, The Internet was created. And It was gazed upon and studied and found to be good. The Browser was said to be free of intervention, save maybe the evil spammer or the abomination known as the Virus, but the browser in general was found to be good and helpful, a vital link to the Internet.


Then Java was brought forth to the Internet community for inspection. Java was gazed upon in wide-eyed amazement, for Java could do some wondrous things to text and images on the Internet. Java had the innate ability to communicate to a wide variety of computers and interfaces, thus for the first time getting communication flowing freely in the Internet communities of servers and providers, and it was greeted and welcomed freely to frolic and play in the web design of many pages on the Internet.

Java begat Javascript. Java, a full-fledged programming language, was the much more powerful of the two, with Javascript coming up as nothing more than a scripting language. Javascript found itself compared to HTML, a very well liked and very popular individual in the Internet community. With the design and intervention of Netscape Version 2.0, Java and Javascript were utilized to gain access to certain programs inside of your very own computer's womb and were capable of producing some dramatic results.

Then, the darkside of the Internet community arrived and Inspected Java and found that it was good as they had heard and better....

For it left a doorway right onto the womb of your computer and it was deemed by the darkside that this was good. Very good indeed, for thy computer could then be "Hacked", explored, prodded, manipulated in ways that you had never intended.

For it now has been decided by a few of the Knowledgeable Folk of the Internet, the good that Java and Javascript provide just may not be worth the risk of the bad that may come one's way if Java is left enabled, so Disenable is certainly a good choice when dealing with a Java Mode.

Here are some Links to pages that offer information on Java Security issues so you can make up your own mind.

  • This tries to cover the other side of Java. Of course they do have a vested interest in the information they are providing.
  • This is a site that you need to enter with a very open mind. A Perfect example of how not everything on The Internet is as it appears to be at first or maybe even second glance. Check out Some Commonly asked Questions before drawing any conclusions. A very Thought provoking site indeed. The new improved edition is even SCARIER than Before. Heaven help us if this Dude gets any more Creative.
  • A book on Java Security that you may Purchase.

Here is some more wood to throw on the JAVA Fire.
Thursday, August 28, 1997

Netscape's Barksdale sings praises of 100% Java

By Jim Kerstetter

NEW YORK - Netscape Communications Corp. CEO Jim Barksdale painted his vision of an Internet future here today, filling it with post-Baby Boomers who treat the Internet with the familiarity of water while using Java-based Navigator browsers.

Barksdale, speaking on the final day of the Java Internet Business Expo at the Jacob Javits Center, expounded on the virtues of 100% Java and the exponential growth of the Internet while taking jabs at Microsoft Corp. and what he sees as its creation of software "solutions where there is no problem."

"I've got an idea," Barksdale told his keynote audience. "Let's upgrade all of our desktop operating systems. Just for the hell of it. We've read in the paper that it's very fashionable - with no return on investment."

Instead, companies should be focusing on getting a realistic payback, and the Internet and Java will play a key role in making that a reality, he said. To support that goal, Netscape will release an all-Java Navigator browser in the first quarter of next year and embark on an ambitious project to distribute 100 million Navigator browsers to end users, mostly through Internet service provider channels.

Java's cross-platform abilities are critical to the continued growth of business Internet use, Barksdale said. It will be difficult for businesses to work with each other in an "extranet" environment if their systems are incompatible, he said. He said Microsoft, though it is downplaying the need for 100% Pure Java programming, will eventually smell the coffee. "My prediction," Barksdale said, "is that Microsoft can't afford to ignore 100% Java."

Barksdale ticked off several recent coups for his Mountain View, Calif., company, including the installation of more than 2 million seats of Netscape E-mail, Java and Java scripts in corporations over the last six months.

In a later session with reporters, Barksdale touched on several other issues:


    * On Microsoft's downplaying of Java: "If you are strong enough to keep [users] in the cave, more power to you," he said. "But I don't think they are strong enough."
    * On corporate migration to Microsoft's eventual release of Windows 98: "What is the definable business reason to do this? To get a browser? I don't think so," he said. "There is no secret sauce that Microsoft can pull in that magically moves people over to their product."
    * On computer telephony: Barksdale said it has a strong future, but "I don't think it's ready for prime time yet."


Then the other day (Sept. 1997) I came across this page on the Internet:

New Security Hole in Java


This Portion of Fight the GOOD Fight Page 4 is created and copyrighted by Jim Buzbee.
This is to announce the discovery of a security hole in the current implementation of Java. I do not believe that this attack has been reported previously.

In most Java implementations, security policy forbids applets from reading the local directory structure. I have discovered that it is possible for an applet, using only Java, to determine if specified files exist on the file system of the client machine. The applet I have prototyped cannot read or write to the file, but it can detect its presence. My applet is then free to surreptitiously Email the result of the file search to any machine on the Internet, for example MarketResearch@microsoft.com.
Ramifications of the attack
Potential uses of this type of applet include market research for determining which products are installed on a system ( e.g. d:/Excel ), hackers probing for specific versions of programs or libraries ( e.g. /lib/libc.so.4.7.2 ) or just generally hostile applets that choose to invade the privacy of the user on the client machine. Due to the device naming scheme that Microsoft Windows uses, it is also possible to search for devices such as c:, d:, or a CDROM drive normally located at e:. Any software product or device that has a "signature" file can be detected.
Description of the attack
My applet is not complicated, just observant. It sits back and watches the state of the virtual machine as attempts are made to access files. There is a difference in behavior when the file exists, vs. when the file does not exist. If you consider the "sand box" paradigm of Java security, it's a bit like poking around out of the sand box in the dark and watching the reaction of the playground monitor. As in previous security holes, the flaw is in the Java implementation, not the Java model. I believe correcting this bug will be easy for the various vendors. They must make the behavior of the virtual machine the same when the file exists, vs. when the file does not exist. For the time being, I will not release a more detailed description of the attack or the code in source or object form until I have given Microsoft, Sun, Netscape and all other vendors a chance to respond.
I've now got an example applet on-line. If you don't want my applet to poke around for a few files on your system, turn Java off before viewing it. I didn't integrate the applet with my Hostile email applet (yet), let's just see how it goes as a stand-alone hostile applet. I also haven't made the applet smart enough to only look for Unix-type files on Unix systems, Windows type files on a windows system etc. It would be easy to do, but who has the time? The applet will not always be successful as it uses a bit of a "fuzzy" search technique. It will not always work well on re-load either. It's just a proof of concept.
I have tested my applet under various versions of Netscape on Solaris, Linux, Windows 95, and Windows NT. Tests on the current version of Internet Explorer are inconclusive. Either bugs in Internet Explorer prevent the attack from working, or Internet Explorer is not susceptible.
28 March, 1997 : OK, OK, here's the source files and html files for the Applet, Have Fun !
Thus ends Jim's Portion of Fight the GOOD Fight.
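
The fix Jim asks of the vendors (same behavior whether or not the file exists) can be pictured with a small model. This is an example added here, not Jim's applet and not code from any real Java VM; the class SandboxGateDemo and its methods are made up for illustration, and the page does not say which difference in behavior his applet actually watched.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Constructed model of a sandbox file gate; not code from any real Java VM.
public class SandboxGateDemo {
    interface Gate { void open(String path) throws Exception; }

    // Policy in this model: untrusted code gets no local file access.
    static boolean policyAllows(String path) { return false; }

    // Leaky ordering: the file system is consulted before the policy, so the
    // caller sees a different exception for existing and missing paths.
    static void leakyOpen(String path) throws FileNotFoundException {
        if (!new File(path).exists()) throw new FileNotFoundException(path);
        if (!policyAllows(path)) throw new SecurityException("denied: " + path);
    }

    // Uniform ordering: the decision depends on the request alone and is made
    // before any file system call, so both cases fail identically.
    static void uniformOpen(String path) throws FileNotFoundException {
        if (!policyAllows(path)) throw new SecurityException("access denied");
        if (!new File(path).exists()) throw new FileNotFoundException(path);
    }

    // What the untrusted caller can observe: the exception type and message.
    static String observe(Gate gate, String path) {
        try {
            gate.open(path);
            return "opened";
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        File present = File.createTempFile("signature", ".tmp"); // constructed sample file
        present.deleteOnExit();
        String exists = present.getPath();
        String missing = exists + ".missing";

        System.out.println("leaky, existing:   " + observe(SandboxGateDemo::leakyOpen, exists));
        System.out.println("leaky, missing:    " + observe(SandboxGateDemo::leakyOpen, missing));
        String a = observe(SandboxGateDemo::uniformOpen, exists);
        String b = observe(SandboxGateDemo::uniformOpen, missing);
        System.out.println("uniform, existing: " + a);
        System.out.println("uniform, missing:  " + b);
        if (!a.equals(b)) throw new AssertionError("gate still distinguishes the two cases");
    }
}
```

Matching the exception is only part of "the same behavior": elapsed time and any other state the untrusted code can read have to match as well, which this model does not measure.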


Personally, I keep my JAVA turned off. There are plenty of JAVA Files in my software that came with what I purchased to allow someone access to my system undetected, I believe. I could be wrong, but on the Internet, I believe strongly in playing it safe. I love my system and computer and have put way too many hours into my files for some goof ball to come along and totally thrash it.

I am still using Netscape Gold and Netscape Communicator. With both of those I'm missing out on a lot of neat stuff on the Internet. But until someone can show me that JAVA, 100% or not, is going to be safe at all times from all sources, I shall remain in my boring JAVA free shell. I shall also be free of one less thing to worry about in this Wild, Wild hairy thing called the Internet.
Ok, With the advent of Netscape version 4.5 Communicator, I have switched and am proceeding to utilize JAVA and Javascript.

Mail to: b-eamer at juno.com For Contacting the Author.
This page Last modified on
March 19, 1999


Geocities, thanks for the Real Estate.