Another little joy has entered onto the Internet, which is great at heart, but if allowed to be manipulated in a devious manner, unknowingly, can cause your computer and Data great harm. In the case of selected files, Total Theft. I just want you to be aware.


For on the Tenth day, The Internet was created. And It was gazed opoun and studied and found to be good. The Browser was said to be free of intervention, save maybe the evil spammer or the abomination known as the Virus, but the browser in general was found to be good and helpful, a vital link to the Internet.

/////Back to Page 3

Forward to Page 5/////

Then Java was brought forth to the Internet community for inspection. Java was gazed upon in wide-eyed amazement, for Java could do some wonderous things to text and images on the Internet. Java had the inatate ability to communicate to a wide variety of computers and interfaces, thus for the first time getting communication flowing freely in the Internet communities of servers and providers, and it was greeted and welcomed freely to frolic and play in the web design of many pages on the Internet.

Java begat Javascript. Java, a full fledged programming language was the much more powerful of the two, with Javascript coming up as nothing more than a scripting language. Javascript found itself compared to HTML, a very well liked and very popular individual in the Internet community. With the design and intervention of Netscape Version 2.0, Java and Javascript were utilized to gain access to certain programs inside of your very own computers womb and was capable of producing some dramatic results.

Then, the darkside of the Internet community arrived and Inspected Java and found that it was good as they had heard and better....

For it left a door way right onto the womb of your computer and it was deemed by the darkside that this was good. Very good indeed, for thy computer could then be "Hacked",explored, prodded, manipulated in ways that you had ever intended.

For it now has been decided by a few of the Knowledgable Folk of the Internet, the good that Java and Javascript provide just may not be worth the risk of the bad that may come ones way if Java is left enabled, so Disenable is certainly a good choice when dealing with a Java Mode.

Here are some Links to pages that offer information on Java Security issuses so you can make up your own mind.

  • This tries to cover the other side of Java. Of course they do have a vested interest in the information they are providing.
  • This is a site that you need to enter with a very open mind. A Perfect example of how not everything on The Internet is as it appears to be at first or maybe even second glance. Check out Some Commonly asked Questions before drawing any conclusions. A very Thought provoking site indeed. The new improved edition is even SCARIER than Before. Heaven help us if this Dude gets any more Creative.
  • A book on Java Security that you may Purchase.

Here is some more wood to throw on the JAVA Fire.
Thursday, August 28, 1997

Netscape's Barksdale sings praises of 100% Java

By Jim Kerstetter

NEW YORK - Netscape Communications Corp.

CEO Jim Barksdale painted his vision of an Internet future here today, filling it with post-Baby Boomers who treat the Internet with the familiarity of water while using Java-based Navigator browsers.

Barksdale, speaking on the final day of the Java Internet Business Expo at the Jacob Javits Center, expounded on the virtues of 100% Java and the exponential growth of the Internet while taking jabs at Microsoft Corp. and what he sees as its creation of software "solutions where there is no problem."

"I've got an idea," Barksdale told his keynote audience. "Let's upgrade all of our desktop operating systems. Just for the hell of it. We've read in the paper that it's very fashionable - with no return on investment."

Instead, companies should be focusing on getting a realistic payback, and the Internet and Java will play a key role in making that a reality, he said. To support that goal, Netscape will release an all-Java Navigator browser in the first quarter of next year and embark on an ambitious project to distribute 100 million Navigator browsers to end users, mostly through Internet service provider channels.

Java's cross-platform abilities are critical to the continued growth of business Internet use, Barksdale said. It will be difficult for businesses to work with each other in an "extranet" environment if their systems are incompatible, he said. He said Microsoft, though it is downplaying the need for 100% Pure Java programming, will eventually smell the coffee. "My prediction," Barksdale said, "is that Microsoft can't afford to ignore 100% Java."

Barksdale ticked off several recent coups for his Mountain View, Calif., company, including the installation of more than 2 million seats of Netscape E-mail, Java and Java scripts in corporations over the last six months.

In a later session with reporters, Barksdale touched on several other issues:

    * On Microsoft's downplaying of Java: "If you are strong enough to keep [users] in the cave, more power to you," he said. "But I don't think they are strong enough."
    * On corporate migration to Microsoft's eventual release of Windows 98: "What is the definable business reason to do this? To get a browser? I don't think so," he said. "There is no secret sauce that Microsoft can pull in that magically moves people over to their product."
    * On computer telephony: Barksdale said it has a strong future, but "I don't think it's ready for prime time yet."

Then the other day (Sept. 1997) I came across this page on the Internet:

New Security Hole in Java

This Portion of Fight the GOOD Fight Page 4 is created and copyrighted by Jim Buzbee.
This is to announce the discovery of a security hole in the current implementation of Java. I do not believe that this attack has been reported previously.

In most Java implementations, security policy forbids applets from reading the local directory structure. I have discovered that it is possible for an applet, using only Java, to determine if specified files exist on the file system of the client machine. The applet I have prototyped cannot read or write to the file, but it can detect its presence. My applet is then free to surreptitiously Email the result of the file search to any machine on the Internet, for example
Ramifications of the attack
Potential uses of this type of applet include market research for determining which products are installed on a system ( e.g. d:/Excel ), hackers probing for specific versions of programs or libraries ( e.g. /lib/ ) or just generally hostile applets that choose to invade the privacy of the user on the client machine. Due to the device naming scheme that Microsoft Windows uses, it is also possible to search for devices such as c:, d:, or a CDROM drive normally located at e:. Any software product or device that has a "signature" file can be detected.
Description of the attack
My applet is not complicated, just observant. It sits back and watches the state of the virtual machine as attempts are made to access files. There is a difference in behavior when the file exists, vs. when the file does not exist. If you consider the "sand box" paradigm of Java security, it's a bit like poking around out of the sand box in the dark and watching the reaction of the playground monitor. As in previous security holes, the flaw is in the Java implementation, not the Java model. I believe correcting this bug will be easy for the various vendors. They must make the behavior of the virtual machine the same when the file exists, vs. when the file does not exist. For the time being, I will not release a more detailed description of the attack or the code in source or object form until I have given Microsoft, Sun, Netscape andall other vendors a chance to respond.
I've now got an example applet on-line. If you don't want my applet to poke around for a few files on your system, turn Java off before viewing it. I didn't integrate the applet with my Hostile email applet (yet), let's just see how it goes as a stand-alone hostile applet. I also haven't made the applet smart enough to only look for Unix-type files on Unix systems, Windows type files on a windows system etc. It would be easy to do, but who has the time? The applet will not always be sucessful as it uses a bit of a "fuzzy" search techinque. It will not always work well on re-load either. It's just a proof of concept.
I have tested my applet under various versions of Netscape on Solaris, Linux, Windows 95, and Windows NT. Tests on the current version of Internet Explorer are inconclusive. Either bugs in Internet Explorer prevent the attack from working, or Internet Explorer is not susceptible.
28 March, 1997 : OK, OK, here's the source files and html files for the Applet, Have Fun !
Thus ends Jim's Portion of Fight the GOOD Fight.

Personally, I keep my JAVA turned off. There are plenty of JAVA Files in my software that came with what I puchased to allow someone access to my system undected, I believe. I could be wrong, but on the Internet, I believe strongly in playing it safe. I love my system and computer and have put way too many hours into my files for some goof ball to come along and totally thrash it.

I am still using Netscape Gold and Netscape Communicator. With both of those I'm missing out an a lot of neat stuff on the Internet. But until someone can show me that JAVA, 100% or not, is going to be safe at all times from all sources, I shall remain in my boring JAVA free shell. I shall also be free of one less thing to worry about in this Wild, Wild hairy thing called the Internet.
Ok, With the advent of Netscape version 4.5 Communicator, I have switched and am proceding to utilize JAVA and Javascript.

Mail to: b-eamer at For Contacting the Author.
This page Last modified on
March 19, 1999

///// Back to page 3.

Forward to page 5/////

Geocities, thanks for the Real Estate.