From: everhart 9-AUG-1997 17:10:40.55
To: VMSSIG
CC:
Subj: Java

Return-Path: open-vms-sig-owner@decus.org
Received: by arisia.gce.com (UCX V4.1-12C, OpenVMS V7.1 VAX); Sat, 9 Aug 1997 17:10:33 -0400
Received: from DECUS.Org (Topaz.DECUS.Org [192.67.173.1]) by bort.mv.net (8.8.5/mem-951016) with ESMTP id RAA01526; Sat, 9 Aug 1997 17:09:13 -0400 (EDT)
Received: from Reprocess.DECUS.Org by DECUS.Org (PMDF V4.2-13 #18511) id <01IM8R3IL09C8X331E@DECUS.Org>; Sat, 9 Aug 1997 16:48:03 EDT
Received: from arisia (gce.com) by DECUS.Org (PMDF V4.2-13 #18511) id <01IM8R3CHACG8X30WL@DECUS.Org>; Sat, 9 Aug 1997 16:47:50 EDT
Date: Sat, 09 Aug 1997 16:42:29 -0400
From: everhart@arisia.gce.com
Subject: Java
To: open-vms-sig@DECUS.Org
Errors-to: open-vms-sig-owner@DECUS.Org
Warnings-to: open-vms-sig-owner@DECUS.Org
Message-id: <97080916422964@arisia.gce.com>
X-VMS-To: VMSSIG
Content-transfer-encoding: 7BIT
Comments: Send OPEN-VMS-SIG subscribe/unsubscribe requests to mailserv@DECUS.Org

Java holes result in access the user has being given to some random external program, as a general matter. Fact is, under VMS, the user is protected better by the OS than by other OSs... Consider that under Windows (any pretty much) there isn't much OS security, so get thru a Java hole and you're hosed. Of course, if the user has access to something sensitive, so can someone using a Java bug. (Thank God that VMS doesn't have that collection of supposedly-benign viruses labelled ActiveX.)

Note though that Safety (see the S97 sigtapes folks) can put the system in a "paranoid mode" when a Java enabled browser is running so that you can keep from accessing random stuff you don't want to. You get, in that mode, to check any opens that go on and veto those you don't want. (The command files I supply just notify you but can EASILY be altered to disallow what you want; the .com file exit status governs whether the open is permitted or not.)

So I'd say that VMS is in a somewhat unique position of being able to be invulnerable to Java holes, because it has a robust security setup of its own and need not rely on one built into Java to protect the system. Woe to those who use Java or, worse, ActiveX where the OS does not offer this.

Glenn Everhart