- From: Dianne Hackborn <hackbod@python.cs.orst.edu>
- Date: Mon, 3 Apr 1995 03:07:05 -0700 (PDT)
- To: Multiple recipients of list <www-talk@www10.w3.org>
On Mon, 3 Apr 1995 David.Halls@cl.cam.ac.uk wrote:

> So you will NEVER download packages from the net, compile them and install
> them? You rely on your native OS and its utilities completely. No-one
> checks source code (e.g. Gnu <fill-in-here>, XV etc etc) for "rm -r *".
> Just because you compile them doesn't make them safe. The same amount
> of trust applies.

This isn't really directed at this post, but just this argument, which I have seen a couple times now...

While there are certainly many similarities between using public domain software and documents with embedded programs, when it comes to safety I think there are two major practical differences between them: the former has a much more constrained distribution path, and requires that the user explicitly retrieve and execute the software.

It is not too hard to imagine some WWW script which, when retrieved by a browser, quietly digs out the user's home page and attaches itself there. This kind of potential makes any current PD viruses pale in comparison; there is simply no current situation like this, where such a high percentage of consumers of programs are also -- even possibly unwittingly -- producers of them.

If a virus is discovered in some PD program, it is at least feasible to let people know such and such program has it, so that it can be tracked down and removed. I don't think any such action would be possible with a WWW virus.

While you could theoretically say that browsers will warn their users when they execute foreign scripts, I don't think this is a practical option; it gets in the user's way enough that more than likely the vast majority of users will either turn this off or just blindly hit "okay."

I think that any practical scripting implementation -must- be something the user can trust under normal circumstances. Anything else either won't be used, or is just begging for all kinds of nastier-than-we've-ever-seen-before viruses.
------------------------------------------------------------------------------
Dianne Kyra Hackborn          "Americans like to talk about (or be told about)
hackbod@mail.cs.orst.edu      Democracy but, when put to the test, usually find
Oregon State University       it to be an `inconvenience.'"
//www.cs.orst.edu/~hackbod/                                     -- Frank Zappa
Received on Monday, 3 April 1995 06:07:24 UTC