Tangled Webs
Fear and Loathing on the Internet
May 17, 1996
Issue 1.1

Deadly Psycho-Killer Stalks the Net!!!!!

I admit the subject line caught my eye: "Deadly Black Widow on the Web: Her Name is JAVA." This alert was written by a consulting firm that calls itself The Home Page Press. Over the last month, I have seen a lot of this sensationalistic tripe. If the hype is to be believed, killer Java applets began stalking the Web on March 28 and are just waiting to delete your files, trash your hard drive and steal your data.

The text of the article in question can be found at http://www.hpp.com/s-javablackwidow.html. It's typical of the genre in its paucity of technical detail. It seems that HPP is the latest company to discover that preying on people's fear of things unknown is a grand way to get attention, and that offering protection from imaginary hobgoblins is a sure-fire way to separate a man from his money.

If you decide to go to the site, you might want to check out their other articles, including "Doomsday on the Net: Prudent Business Planning For The Collapse of Cyberspace" or "What could happen to Net stocks? What are the coming disaster signs to look for?" Of course, the purpose of all that fear-mongering is to sell their consulting services.

The purpose of this article, however, is not to slam HPP, but to explain how these security holes affect us and why so many people, many of whom know very little about the situation, are running around telling us that the sky is falling.

Java Security - The Real Story
There are security holes in Netscape's implementation of Java and seemingly in Java itself. On March 28, 1996 Drew Dean of the Princeton Computer Science Department announced that he had exploited a bug in Netscape's implementation of Java and created a Java applet that deleted a file from another machine on the network. The exact nature of this bug and the extent to which it can be exploited are being kept secret until Netscape plugs the holes. In general terms, however, it allows an applet to execute machine code on a remote user's machine. Theoretically, this could allow an applet to do anything the user himself can do, including reading and deleting data.

Most reports, after presenting the information above, launch into tirades about how surfing the Net is like playing Russian Roulette and how it is only a matter of time until one of these killer applets hunts you down. Some even go on to predict that this security flaw means the end of Java itself. However, one important fact is consistently omitted from such reports:

People on the Web: 25,000,000
Number of killer applet victims: 0

That's right. As of this writing, not one person has been affected by these assassins of the Web. I assume I will be excused for not joining in the panic. Things accomplished under the controlled conditions of a computer lab do not always translate into the real world of the Internet. The bugs are real. They need to be, and are being, fixed. However, the danger is being grossly exaggerated, and if, after reading this article, you are still concerned, simply disable Java in Netscape's security preferences.

How Much Security Can We Expect?
Java is a powerful programming language, and malicious programs and viruses written in Java are no more or less destructive than viruses written in other programming languages. At the moment, most Java programs on the Net are simple animations, but that will be changing as better Java programming tools become available.

Within a year we will most likely see Java-based database and spreadsheet programs. Creating a computer environment that forbids reading data from and saving data to the disk will render all programs running in that environment virtually worthless. Who wants a word processor that doesn't let you save your work?

Sun's HotJava browser restricts Java file access to a single designated directory, and Netscape has disabled all file access for the time being. Neither of these approaches is really a solution. Neither allows useful programs to run while preventing damage from malicious ones. Personally, I don't think such a programming feat is possible. The simple fact of the matter is that any time you run a program you are at the mercy of the programmer. Poorly written or maliciously written programs can cause damage no matter what programming language was used to write them.

No one has been hit by a malicious Java applet, but it will happen eventually. When it does, authors will make money selling articles predicting the end of the Net, Internet consultants will make money telling their clients that everything is OK now that they have been hired, and programmers will quietly fix the bugs. After it happens a few times, it will no longer be newsworthy and things will calm down.

Running Java programs poses risks, but they are the same risks computer users have been living with for years. There are hundreds of extremely destructive viruses spread via floppy disks, but only in the days when floppy disks were actually floppy did anyone suggest that this made them an unworkable method of data transfer.

Viruses occasionally do make news today, but we don't see people suggesting that all computer users stop using their drives until manufacturers fix all theoretical means of virus transmission. Floppy drives and viruses have become too familiar, and authors who write sensationalistic articles about them are simply not taken seriously. Java viruses will undoubtedly become a familiar, if annoying, part of the Internet. By that time, of course, our yellow journalists will have found other bogeymen.

© Copyright 1996, Tim Romero, t3@t3y.com
Tangled Webs may be distributed freely provided this copyright notice is included.
The Tangled Webs Archive is located at http://www.dotco.com/t3/tangledwebs/index.shtml