Tony [Moderator]
Welcome to the Java User Forum, GO JAVAUSER! Today's guest is Gary McGraw, author of "Securing Java: Getting Down to Business with Mobile Code". While Java is becoming a universal feature of Web site programming and is managing electronic commerce transactions of all sizes, a steady stream of alarming breaches, holes, and gaping vulnerabilities in the language has been surfacing. How can you protect your site? This is where we will find out!
Gary McGraw
Glad to hear that!
Tony [Moderator]
If you have a question for our guest, please type a single ? and we'll take your questions in order. Gary, do you have anything you'd like to add?
Sue Nethercott
?
Gary McGraw
Nope. Just that Java has undergone some amazing changes, and it's actually being used out there now
Tony [Moderator]
Gary and all> When you are done typing, put in <ga> so I will know when to ask the next question.
Gary McGraw
In fact, I am connected to the forum through a signed Java applet <ga>
Tony [Moderator]
Sue> Go ahead.
Sue Nethercott
What competition does Java have these days, and what are the comparative advantages and disadvantages? ga
Gary McGraw
In terms of mobile code, Java has no competition. ActiveX is not a viable option because of security problems. In terms of a language, Java has competition mostly from C and C++. <ga> In Chapter one of the book, we cover the other popular forms of mobile code.
Sue Nethercott
?
Gary McGraw
My view is that Java makes great glue for middleware, server side functionality, and things like that. <ga>
Tony [Moderator]
Go ahead, Sue.
Sue Nethercott
The introduction mentioned vulnerabilites. How do they compare with Activex? ga
Gary McGraw
There have been some spectacular security holes...BUT they have all been discovered by good guys like me (bwahahaha) and the Princeton guys. The attacks involve complete compromise of security. The good news is that none of them have ever been seen in the wild. On the other hand, ActiveX has no security model to break in the first place. ActiveX relies on Authenticode (a trust model) but does no enforcement or encapsulation akin to the Java sandbox. Java 2 has both a sandbox (flexible now) and code signing. <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue. :)
Sue Nethercott
How confident are you that Java is now secure? ga
Gary McGraw
Not confident. The problem is that Java keeps growing and evolving. So we find holes in, say JDK 1.0.2 and JDK 1.1 and get them all fixed up and along comes Java 2. Every time there is a major release, we tend to find a few more security problems. So far, three have been found in Java 2...and, well, keep your eye on the news next week! <ga>
Sue Nethercott
?
Tony [Moderator]
Sue> Go ahead.
Sue Nethercott
What effect has Microsoft had on the development and spread of Java? ga
Gary McGraw
That's a good one.
Tony [Moderator]
For those of you just joining us, welcome! Today we're discussing Java security with Gary McGraw. If you have a question for our guest, please type a single ? and we'll take your questions in order!
Gary McGraw
My opinion is that M$ tried to Balkanize Java with the MFC thing. They're in court with Sun over that issue now. So the question now is whether they will even include Java in MSIE in the future. But that is all focused on client side Java. True, that's where most of the risks and security problems are apparent (though they apply across the entire spectrum). But Java is way more than a simple applet language. The funny thing is I really like Java and think it is very useful. But part of my job the last few years has been to poke holes in the security model and make sure people know what the risks are. NOTE that these risks apply to all internet-based mobile code! <ga>
Sue Nethercott
?
Tony [Moderator]
Go Ahead, Sue
Sue Nethercott
Who is your book aimed at? ga
Gary McGraw
Four audiences: users of Java (mostly concerned with client side browser security), administrators (who need to understand the risks of mobile code), Java developers (who can learn from some of the language guidelines we give) -- sorry 'bout that! -- and business people who need to cut through the hype to make decisions about Java <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue.
Sue Nethercott
Are you consulted on future developments in java? ga
Gary McGraw
I am not part of the Java Security Advisory Committee. That group is all academics. Ed is a member of that advisory board though. But I do know Li Gong quite well and we talk about stuff.
Tony [Moderator]
For those of you just joining us, welcome! Today we're discussing Java security with Gary McGraw. If you have a question for our guest, please type a single ? and we'll take your questions in order!
Gary McGraw
I am a security research guy, and we all tend to frequent the same conferences. Of course, I'm also a business guy working on improving software behavior. So my approach is slightly less academic than say Ed's. <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue
Sue Nethercott
How about giving us the gist of the book? <sitting back> <g> ga please <s>
Gary McGraw
How about giving you the ENTIRE book! see http://www.securingjava.com We put the entire book online, and the search capability rules! Our publisher was a bit concerned (to say the least), but we own the e-rights and we're more interested in getting the word out and cutting through the hype than we are in making a buck. Of course, you're all welcome to click the "buy now" button too!
Sue Nethercott
:-)))
Gary McGraw
Shall I paste in the TOC??
Tony [Moderator]
Gary> Sure, if you want to. :)
Gary McGraw
hmm, harder than I thought. I hate windoze...which I am running now at home. How about this! http://www.securingjava.com/toc.html can you guys browse along in realtime?
Sue Nethercott
I can
Gary McGraw
The gist of the book is this...
MikaVCS
Hello! ... Please tell us a little about vulnerabilities in java security.
Gary McGraw
Java is an excellent language with a reasonable security model. But all is not perfect (and there is no such thing as 100% security). So learn as much as you can, and then you can manage the risks intelligently. <ga>
Sue Nethercott
?
Gary McGraw
I would be happy to answer Mika. There are two kinds of hostile applets in the world. 1) Attack applets are tantamount to being hacked by a bad guy. These have not been seen in the wild (but they are real, and I have a whole collection). 2) Malicious applets are less of a threat. They do things like kill your browser, play annoying noises, or forge mail. These have been seen in the wild, and there are a few floating around out there. If you want some examples of the latter, see http://www.rstcorp.com/javasecurity/links.html
MikaVCS
am I to be concerned about personnal info on the web?
Gary McGraw
On the other hand, we have never released any of our attacks to the general public. We tell the vendors and we explain them, but we never distribute code. As a result, no attack applets have ever been seen out there! Nothing like a bit of pure luck, eh? <ga>
Tony [Moderator]
Mika> Gary will answer your question when he has finished answering Sue's question. Unless Gary wants to answer Mika's question?
Gary McGraw
Go ahead Sue.
Sue Nethercott
What do you see in the future for java? More security or more functionality, or both? ga
Gary McGraw
Based on the stuff now in Java 2, I think we're in for more functionality. The security model has evolved significantly since 1996. In fact, things changed so much that we did the second edition even though the first one was still selling. The challenge is to be able to manage all the functionality without accidentally shooting yourself in the foot (from a security perspective). And here's the kicker... Java may have a nice security model, and assuming we fix holes quickly and well and the platform is reasonably sound, the Java platform is a solid starting point. BUT, if you're writing software in Java, there is NO guarantee that it will be secure by default. Making secure software is harder than it sounds...and a secure platform is a good start, but no guarantee. The Software Security Group I run at RST helps people make their software secure. That's a new focus in securityland (which is obsessed with firewalls and crypto to the detriment of system security). <ga>
Tony [Moderator]
gary> Can you answer Mika's question? Thanks.
Gary McGraw
Hmm, personal info on the Web. The answer is a huge, loud HECK YES. Privacy is a tricky issue. Many people seem to be willing to type all sorts of private data into a form just to access some Web content or be able to buy something. Computers have a very dangerous capability that could end up causing a 1984 scenario unless we watch what we let people do with our private info.
MikaVCS
Have you heard of any of private data information, and if so how will the public know about it?
Gary McGraw
From a security perspective, there is a real risk that data will be stolen from your machine by mobile code without your knowing about it. I don't understand your followup Mika. <ga>
MikaVCS
If my information gets intercepted by ?
Gary McGraw
The net works on an open protocol, so unless you're encrypting something yourself, anybody can snoop the wire and see what you're doing.
Tony [Moderator]
Just a reminder, folks; If you have a question for our guests, please type a single ? and we'll take your questions in order.
MikaVCS
Will I have to wait until that person does something with it?
Gary McGraw
What, before you know they have collected it? Yep, it seems you will. So a bad guy could learn lots about you, save it all up for some opportune time and then use it against you...maybe blackmail, maybe social engineering, who knows. <ga>
MikaVCS
Is there any other alternatives?
Gary McGraw
Just think of the Web and the Net as a public forum. Don't send private data. And don't store private data that you are concerned about on an unprotected machine (like say a win95 box). If you want to send somebody secrets, use cryptography. <ga>
{Guest-1}
?
Gary McGraw
go ahead Guest-1
MikaVCS
I think that is true.
{Guest-1}
What's the best cryptography you recommend? Like PGP? <ga>
Gary McGraw
I am not a cryptographer first of all. But here's the deal. There are lots of different algorithms and ways to do things. Picking which tool to use in what situation is the main thing. There is no one silver bullet that works in all cases. But for encrypting personal messages, I do happen to use PGP
MikaVCS
Most of the commercial site claims to be secure... How can I verify that?
Gary McGraw
Though I use the old freeware version! <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue
Sue Nethercott
How soon do you think that some of the high-level concerns you raise will eventually be addressed in the Java platform itself? ga
Gary McGraw
Good one Sue. Some of the things we suggested in 1996 never got added to Java. So probably never! But Java is actually a pretty good system. The thing I am afraid of now is that it is getting too complicated for people to use effectively. With code signing, policy, and flexible sandboxing according to trust, setting and maintaining policy is a real challenge. I would say we're doing pretty well with one goal of mine though... the goal of educating people about security issues in a balanced and realistic way. I think vendors are no longer able to make stuff up with impunity. Now they think twice about the claims they make. Snake oil will always be with us, but we're working on the 409. (sorry for non-Americans, that's a cleaning product that cuts grease and oil) <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue
Sue Nethercott
What is the role of third party vendors in java? Do they compromise security, or can they improve it? ga
Gary McGraw
Funny you should ask. We devoted chapter six to just that issue. The answer is: there are certainly things that third party vendors can do to help. But there are also some things that they claim they can do that are impossible. So we provide some hard questions for you to ask vendors, and we also suggest some things we think vendors should work on. <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue
Sue Nethercott
How wary should we be of smart cards? ga
Gary McGraw
You're reading the TOC aren't you, you sneaky person.
Sue Nethercott
:-)
Gary McGraw
I've been working closely with Visa on Java-based smart cards for a couple of years now. Smart cards are interesting little computers on a credit-card sized thing. The real answer is that Java card is a good solid multi-application system for smart cards.
Tony [Moderator]
For those of you just joining us, welcome! Today we're discussing Java security with Gary McGraw. If you have a question for our guest, please type a single ? and we'll take your questions in order!
Gary McGraw
BUT smart cards have some issues (including differential power analysis) that make designing systems with them a bit tricky. Can be done, but you have to be careful. <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue
Sue Nethercott
How do Linux and java get along? ga
Gary McGraw
They're an OK mix.
MikaVCS
Was My question previously answered?
Gary McGraw
The Blackdown guys (I think) port the VM to Linux whenever there is a new major release. I'm not sure they are completely up to date now, but I'm sure it is important to them. I like Linux (and have used it since 93 or so). It's much easier to secure a Linux box than a Windows box in my opinion. <ga>
Sue Nethercott
?
Tony [Moderator]
I think you have missed Mika's question, Gary
Gary McGraw
What was it?
Tony [Moderator]
Mika, can you repost your question?
MikaVCS
Is there a way to really tell if a com site is secured?
Gary McGraw
Oh the one about commercial sites being secure? Nope. There is NO way a consumer can know that. All you can do is hope they know what they're doing.
MikaVCS
Thank you for being frank.
Gary McGraw
Security is pretty hard to get right (as Sun and Microsoft can attest from the Java side). The people I mostly work with are financial folks. They seem to know what they're doing. But the dot coms have a ways to go (in general) <ga>
Tony [Moderator]
We should probably start wrapping things up here... if there are any last questions, please type a single ? and we'll take them in order!
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue
Sue Nethercott
Is there a trade off between security and speed in java? ga
Gary McGraw
Yes. If you want to have an applet that uses special privileges (like reading/writing files) then it needs to ask for permission to do so. And the VM must verify what it is, who signed it, and where it was loaded from, then check that against policy, all at runtime. So there is a definite performance impact on the client side. Here's the real deal. Computer security is all about getting nothing done. If you're doing nothing, chances are that's secure! If you're doing stuff (adding functionality) then you're introducing security risk. So the big trick is to learn about security, and start figuring out how much risk you want to take on. Life is risky (as well as terminal), so that's not all that big a surprise. <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead, Sue
Sue Nethercott
Have any of the major viruses such as Melissa and Chernobyl been written in Java? ga
Gary McGraw
Nope. But if the Melissa author had not been a moron (cut and paste weenie with Visual Basic) he might have used Java as a tool to make Melissa cross-platform. The latest major Java hole (discovered a month ago in the Microsoft VM) could have led to something way worse than Melissa. We have only scratched the surface of possible horrendous attacks. Maybe we'll all get lucky and they'll never surface. I, for one, hope so. <ga>
Sue Nethercott
?
Tony [Moderator]
Go ahead Sue
Sue Nethercott
I see you can order the book over the net. Is that done using java? Can we trust it? ga
Gary McGraw
Haha
Sue Nethercott
:-)
Gary McGraw
You can order the book from amazon. I am not sure what they use.
MikaVCS
Can I find your book in Computer Book Club?
Gary McGraw
On the book site, we have an engine that searches the web for the lowest price. I'm not sure we're in the club yet. For a while, the first edition was a free premium when you joined up. The second edition only came out in February. In any case, see http://www.securingjava.com and try it out on the Web! <ga>
Tony [Moderator]
I think it's time to end this conference. :) Gary, Thank you so much for your time today! Do you have any final thoughts for us?
Gary McGraw
Sure. Surf safely... and carry a big stick.
{Guest-1}
:)
Gary McGraw
<ga>
Sue Nethercott
lol
MikaVCS
thanks
Tony [Moderator]
And thanks to Sue, for asking lots of good questions!
Sue Nethercott
thanks to Gary for the good answers
Gary McGraw
yeah, hey sue, how much do I owe you?
Sue Nethercott
a free copy of the book?
Tony [Moderator]
Lol
Gary McGraw
It's on the web!
Tony [Moderator]
You could have the Web based ones, Sue? ;)
Sue Nethercott
<s>
Gary McGraw
Thanks to all.
Tony [Moderator]
Thanks again, Gary!
{Guest-1}
Thanks Gary :)
MikaVCS
The web page once more
Gary McGraw
Now it's time to go outside on my farm and paint the barn!
{Guest-1}
GL painting :)
Gary McGraw
http://www.securingjava.com
Anne Papina
Thanks for your time today, Gary!
Gary McGraw
You're welcome.
Anne Papina
Lots of great questions!
Tony [Moderator]
Ah, Anne has surfaced. :)
Gary McGraw
OK everyone, I'm outta here!
{Guest-1}
cya
Sue Nethercott
Bye Gary, thanks again
Tony [Moderator]
Bye gary!
Anne Papina
Thanks Tony!
Sue Nethercott
yes, thanks Tony
Tony [Moderator]
No problem, Anne :)
Anne Papina
And thank *you* Sue!
For more information about this conference or others in our series, please email anne@glenbrook.com.
Copyright 1999 Glenbrook Systems, Inc. All Rights Reserved.