MARKET NEWS
Java risks are hype, say experts

Companies are being sold unnecessary Java security, safety experts have claimed. Security experts contend that much of the fuss over whether Java should be allowed to cross the Internet and enter corporate networks is unfounded. Software firms are using the increasing prevalence of Java to peddle more products. According to Simon Phipps, program manager at the IBM Centre for Java Technology, "People selling firewall security software regard Java as a security threat. These fears are misplaced." IBM is basing its business on selling Java as a safe, secure environment.

Gary Barnett, an analyst at IT consultancy Ovum in the UK, says that since most users only run Java applets when they use their Web browser to visit a site containing Java, the security risk is non-existent. He added that Java applets, programs that run over the Internet from a Web browser, are safe because they use the so-called Java sandbox. This prevents Java applets from directly accessing the computer system on which they run.

Robin Bloor, head of analyst group Bloor Research, questioned whether anyone would attempt to use Java to crack a computer system. "Hackers don't use standard methods like Java to break into systems. They break people's passwords."

The chance of finding a security hole in Java is now minimal, according to Sun Microsystems' JavaSoft division. JavaSoft hired Princeton University researchers to hack into Java to identify known security flaws in the Java virtual machine. Referring to the security software vendor Finjan, Amy Porter, European marketing manager at JavaSoft, said, "They are building a mousetrap and there is no mouse. Fear is a wonderful incentive to buy a product." Porter added that with Java this fear is unfounded.
Encryption sellers crack US export laws

In moves designed to skirt export restrictions on their products, more and more US encryption vendors are deploying international partnerships to sell strong versions of their software around the world. Network Associates is the latest vendor to do so.

To get around the requirement that exports of encryption stronger than 56-bit keys obtain US Commerce Department approval, Network Associates, the US security software maker, has announced that its Dutch subsidiary will begin selling a 128-bit version of its Pretty Good Privacy program.

The company has contracted the Swiss firm CnLab to develop an international version of its strong PGP product for shipment from the Netherlands. Network Associates said that it has provided no technical assistance to CnLab, in keeping with US export law requirements. Source code for PGP has been available to the public for several years on the Internet.

Network Associates is not the only US vendor to try getting around export laws by selling from overseas subsidiaries. C2Net Software currently sells an international version of its Web server containing strong encryption, which it says was developed independently overseas. RSA Data Security had also planned to finance a group in China for a similar effort, but failed to implement the project.

Sun Microsystems has devised a similar scheme, working with a Russian firm, Elvis-Plus, which was working from Sun's published specification called Simple Key Management for Internet Protocols, or SKIP. However, Sun's project has been put on hold as the Commerce Department examines the extent to which Sun has offered technical help to Elvis-Plus, a company in which Sun owns a 10% interest.

Companies' efforts to circumvent US export laws come as no surprise. Losses caused by export controls on encryption technology could cost US vendors as much as $35 billion over the next five years, according to a study by the Washington-based think-tank the Economic Strategy Institute. On the other hand, law enforcement officials in the US say that the availability of strong encryption products that they cannot crack makes it nearly impossible for them to capture and prosecute computer criminals.
Computer Fraud & Security May 1998 © 1998 Elsevier Science Ltd