| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Mar 30 11:46:28 2006 From: coderman at gmail.com (coderman) Subject: Fwd: On sandboxes, and why I ... don't care. On 3/30/06, michaelslists@...il.com <michaelslists@...il.com> wrote: > Just because no-one has told you, or you haven't seen it doesn't mean > it doesn't happen. amen. what's the cost if you are wrong? (the likely case over a sufficient period of time against motivated attackers) that artificial security flavoring is only reassuring while the luck continues... > It's pretty concerning to me, as a java programmer, that the verifier > is off by default and hence any jar running can run free or the > contraints I've tried to enforce. Or that another j2ee app could > possibly be viewing the data I was processing in a shared-hosting > environment. in a shared processing environment you have bigger concerns, but i do agree this is disturbing if your system was designed to operate in privacy. > And further, if your code _doesn't_ run properly with the verifier, > then what the hell are you doing? probably coding like the other 97% of the planet. (now that's _really_ concerning)
Powered by blists - more mailing lists