Steeling Against Web Attacks

When last week's eWeek featured my story about Java's proven security, I should have known that the same week would see a conspicuous new announcement of a Java-related vulnerability.

Sometimes, I get what I deserve, but most of the time, thats not what I want. When last weeks eWeek featured my story about Javas proven security, based on more than six years of practical trial and theoretical refinement, I should have known that the same week would see a conspicuous new announcement of a Java-related vulnerability (documented by the discoverer, which can be found via

I deserved that comeuppance because I never included in that story the three magic words that have to be used to placate the gods that rule over software security discussions. That incantation, which we forget at our extreme peril, is "when implemented correctly."

Imperfection isnt immediately fatal when we work with relatively forgiving materials. I have fond memories of the steel and concrete labs in the basement of Building 1. For the most part, those materials derive their strength from bulk properties, with fairly high resistance to point defects.

The reason we reinforce concrete with steel bars is because concrete holds up well in compression but fails suddenly and catastrophically in tension with the first tiny crack. Adding steel gives the combination a ductile failure mode, one that stretches before it gives way completely. Software doesnt have that much-needed feature: Its first crack, so to speak, brings down the entire structure.

If we cant make software behave in a way that warns us when its overstressed, we have to provide redundant strength: We have to encrypt our data traffic so that a man-in-the-middle attack doesnt intercept clear-text transmissions. We have to create, and use, least-privilege accounts for even our single-user machines, instead of merely logging in as Administrator because its the easiest way to get full access to the machine: The privileges you have can be hijacked by malicious code, so why give yourself any privileges that you wont actually need that day? Users who had both of these good habits could treat last weeks Java discoveries as someone elses problem.

People ask me why Sun and Microsoft, normally at each others throats, issued joint announcements of these vulnerabilities. Sun depends on the credibility of Java, and Microsoft on the credibility of Internet Explorer, and this incident occurred at their intersection. For once, keeping the user comfortable came first.

Tell me about other mixed blessings at