
PM's Java Envy




PM returns to rant on Java after being mowed down by most people
here. why? I think he has some more ulterior problems with Java
than those that he cites. for Perry, ranting at java reveals
certain psychological characteristics of his profile.

>For at least twenty or more years, people have known that for the
>ultimate in multimedia email or what have you all you would need to do
>is make the recipient execute a program that you sent them. This
>obviates all the questions of having to figure out what sort of things
>you would want to send -- if you can execute a program, you can do
>anything. Unfortunately, this is also so phenomenally obvious a
>security problem that no one ever proposed it as anything more than a
>joke -- until now.

so you agree, what they are trying to solve is the holy grail of
distributed computing, in some ways. but you start from a different
assumption-- that such a thing is a joke to even try. they are
forging ahead because they have started with the opposite assumption.

>Sun is, unfortunately, suffering from a substantial hubris problem. As
>I have noted, the original Java applet security model and all the
>followups have had exactly the same problem -- they depend on perfect
>implementation of every element of the security model for the security
>to work, instead of having the realistic and conservative assumption
>that portions of the model will be misimplemented, and designing for
>defense in depth.

true, but as I have reiterated here, there is nothing preventing
someone from creating an IMPLEMENTATION of Java that has the
"defense in depth" that you are always ranting about. why don't you
INVENT it??? such a thing is possible. Java is mostly a theoretical
construct: a language. implementations are left up to different
licensees. how else would you propose handling it? surely the
NSA would have plenty of suggestions for putting a lock and
chain around ideas. the rest of us in the real world would like to
get some computing done.

I continue to believe that everything you are asking for could be
integrated into somebody's ingenious invention of a Java interpreter.
something that implements all the features of Java in a secure way.

notice, Perry, that if there was such a thing as a secure OS, you
could just stick your Java browser in it and not care at all. you
have your "redundant systems protection" if you already have a 
good OS. what? there aren't good OSes? well, why are you blaming
someone who is writing a computer language because there aren't
fully secure OSes?

wouldn't Java running on a Kerberos system come close to the kind
of security and redundancy you are proposing? such systems will
probably evolve in the future. but why is a problem outside
of java considered a problem of java itself by you? 

speaking of "hubris", I think it is you that is the most "full of it".
you don't seem to understand some simple conceptions, which I have
stated before in response to your ranting but you have never 
really replied to in the past:

1. NOBODY IS ASKING PERRY METZGER TO USE JAVA. people who ARE using
it may have different needs and demands than you have. who are you
to criticize all the people who have made an independent decision,
"java is what we want"?

2.  java threatens CONTROL by individuals over what they allow to
run on their machines. it's the old "mainframe vs. PC" problem all
over again. surprise!! pc's won. WHY? because people wanted to
get work done without going through an all-powerful MIS priesthood.
but surprise, some companies still are implementing a priesthood
around their PCs. Java will help break through such kinds of monopolies.
you are free to reject it, but you are getting a glimmer of understanding
that Java threatens the idea of monopolistic, monolithic control
over computing resources. the sysadmin with his own narrow interests
may no longer be the only one who has say over how company computing
resources are used.

3. no one is claiming Java is perfect. it will take years before
a high level of trust is established. no one is implementing all kinds
of incredibly sensitive applications in Java, YET. it is an evolutionary
process.

4. in evolutionary processes, you aren't trying to find nirvana or
utopia, or solve problems that no one has ever been able to solve.
you make an *incremental*step*. Java is precisely this very valuable
incremental step. I don't know why you continue to rant so endlessly
against it. NO ONE IS ASKING YOU TO USE IT. your comments are not very
valuable, either, considering that YOU ARE NOT USING IT. perhaps the
people who are USING IT are far more qualified to judge whether
it is fulfilling their needs, eh?

5. the world is very insecure right now in terms of computer security.
java is a step in the right direction. there are a bazillion places
it can be plugged into right now in which you get *better*security*
than what you had before by using it. now, I wouldn't recommend
placing it anywhere where you would have *less* security, but I 
trust designers of systems to have some sense about that. (yes,
there are a lot of bonehead designers in the world, but why do you
think it is a problem with Java exclusively? granted, the hype
machine is way out of control, and this can lead to improper uses
of the language, but there are still a lot of places where it
is useful).

6. if you could point to some EXAMPLES of people using Java that
shouldn't be, and ARE, then you will have a much better case.
but all you have at the moment is a nagging suspicion that all
kinds of people are using Java where it shouldn't be placed.

7. frankly I think you have "security envy" of pioneers who are
creating the next generation of cyberspace and didn't pay some
monstrous consulting fee to you in doing so. I think you would
have liked to have been behind Java, because it is the next
step in a field you feel you are an expert in, but instead it
appeared on the scene without you ever taking it seriously, and
you are increasingly pissed off that other people are taking
it seriously, and that your arguments, which at one point people
might have agreed with, are becoming less valid in the face of
reality as people begin to understand what java is for (and
not for!!).

8. criticizing something because it is not evolved is a bad
way to go. C started out as the most flimsy of languages. there
were serious bigtime problems with it. early compilers had 
ambiguities, etc. things get better. the way of the world is
evolution. the tools that *you* are using *now* could have
been criticized in their infancy as completely insufficient
for the jobs they were "aspiring" to. they *were*. things
like PCs were once the most disrespected "toys" on the planet.
and you criticize Java because it is "toylike"? beware, PM, 
because the toys of today become the tools of tomorrow.

>
>Beyond that, however, they have created the ultimate hype
>monster. Java is a neat idea looking for a good application. I use the
>web all day long and I have yet to see a good use for Java. We have,
>essentially, mortgaged our system security for almost nothing better

"we"??? hee, hee. someone who is the first to slash someone with 
claw-marks for using that term here among the Nihilists uses it himself.
there was absolutely no system of security prior to java for what it
is attempting to implement. the world is not going to end when everyone
starts playing with java applets. I agree that there should be some
serious question about where companies allow browsers with Java (or
browsers for that matter) to be run. but you have this kind of
siege mentality, "we're being invaded!! POUR DOWN THE HOT OIL!!"

>than the occasional gee whiz animation that could have been
>implemented with a safe graphics description format instead of a
>turing equivalent language.

a killer java app hasn't yet been written, imho and other. 
so what? why are you whining about it? again, no one is forcing you to use 
java. the killer app lies around the corner. the PC didn't start out
with excel written for it, and only an ill-tempered, impatient
bonehead would demand such a thing.

>
>Again, I don't hate the Sun people or hold any animosity towards
>them. However, I will point out the lesson that any good student of
>Greek Tragedies could tell you -- the gods punish hubris, and severely.

hee, hee. sounds like you speak from experience. reminds me of that
saying, "good judgement comes from experience and experience comes
from bad judgement". <g>