From: Eliezer Yudkowsky (sentience@pobox.com)
Date: Wed Jan 01 1997 - 19:52:18 MST

> I think you need to explain this more carefully... all your explanation
> seems to imply is that if Java is insecure then I can write trojans which
> will pass a verifier but trash your computer when run. I don't see that it
> implies anything about whether or not it *is* secure.

All right. After this, I give up and you visit Sun's Website.

1. Java is an artificial assembly language. The verifier is a side
issue; it simply confirms that this is a Java program and not something
else. It is almost impossible (as far as I know, simply and
mathematically impossible) to fool the verifier because it is an
extremely simple program.
2. Java, the assembly language, simply cannot do anything bad to your
computer. It cannot crash it. It cannot read the hard drive. It
cannot look at, or affect, programs in memory. Period. End of story.
3. Various standard classes give Java clearly defined holes; if these
holes stack up to a large hole, this is not the fault of the Java
language - it is the fault of whoever designed the standard classes.
4. If you're feeling paranoid, feel completely free to disable Java.
I'd stake my hard drive on it. There are a lot of security holes in
Netscape; Java isn't one of them.

--
sentience@pobox.com Eliezer S. Yudkowsky
http://tezcat.com/~eliezer/singularity.html
http://tezcat.com/~eliezer/algernon.html
Disclaimer: Unless otherwise specified, I'm not telling you
everything I think I know.