[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Fwd: On sandboxes, and why I ... don't care.

To: michaelslists@xxxxxxxxx
Subject: Re: [Full-disclosure] Fwd: On sandboxes, and why I ... don't care.
From: coderman <coderman@xxxxxxxxx>
Date: Thu, 30 Mar 2006 02:46:15 -0800

On 3/30/06, michaelslists@xxxxxxxxx <michaelslists@xxxxxxxxx> wrote:
> Just because no-one has told you, or you haven't seen it doesn't mean
> it doesn't happen.

amen.  what's the cost if you are wrong?  (the likely case over a
sufficient period of time against motivated attackers)

that artificial security flavoring is only reassuring while the luck
continues...

> It's pretty concerning to me, as a java programmer, that the verifier
> is off by default and hence any jar running can run free or the
> contraints I've tried to enforce. Or that another j2ee app could
> possibly be viewing the data I was processing in a shared-hosting
> environment.

in a shared processing environment you have bigger concerns, but i do
agree this is disturbing if your system was designed to operate in
privacy.

> And further, if your code _doesn't_ run properly with the verifier,
> then what the hell are you doing?

probably coding like the other 97% of the planet.  (now that's
_really_ concerning)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Fwd: On sandboxes, and why I ... don't care.
  - From: michaelslists

Prev by Date: [Full-disclosure] Fwd: On sandboxes, and why I ... don't care.
Next by Date: Re: [Full-disclosure] Third party patches, a matter of trust by n3td3v
Previous by thread: [Full-disclosure] Fwd: On sandboxes, and why I ... don't care.
Next by thread: [Full-disclosure] McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability
Index(es):
- Date
- Thread