JavaScript Problems - In The Press (1996)

All of a sudden, the press has picked up on the problem I've documented. Interestingly enough, the few journalists I've talked to don't seem to have taken the time to read (let alone understand) my RISKS posting or the content of these web pages.

More so, I'm amazed at the number of reports confusing Java and JavaScript. The number of times I've read that the Java Applet patch fixes JavaScript bugs is incredible. Finally, almost everybody seems intent on reporting how the problems can steal e-mail and directory listing, and then giving my name as the responsible party. Although I take credit for reporting the directory listing bug still viable in the final 2.0 release, my real discovery of the ability to track is often downplayed or left out!

FLASH! It has happened. The story has been mutated out of control by Educom. How much worse can it get?

If you see an article in the press mentioning these pages, please let me know.

Tasty Bits From the Technology Front, Feb 27

The first article of interest appeared in an electronic newsletter, Keith Dawson's Tasty Bits From the Technology Front. I gave significant input to the article and was granted an editing passover prior to its publication. I feel its accuracy is exceptional. Note that it was in response to an earlier piece on Feb 19 talking about Java and JavaScript privacy/security.

CMP's NetGuide, Mon March 4 and Tue March 5

The first article incorrectly states "Java" "script" several times, confusing the difference between Java and JavaScript. It does attribute me to working for the Research Institute, though.

The second article downplays the ability to track a user as a secondary issue to the old bug of being able to merely view the directories on your disk. It also gets my name wrong! Finally, it includes a report that Sun and Netscape plan a complete rewrite of JavaScript later this year.

San Jose Mercury News, Tue Mar 5

The News titles their article with weaken security, the old directory browsing bug, and calls all this due to bugs. This loses the point that the tracker is really a privacy violation that doesn't take advantage of a bug, but rather a designed-in feature of the language.

The last paragraph of the article is flawed and it doesn't identify me as from the RI (in fact, lists me in a confusing manner with Tennyson). However, overall, I'm happy with the article. It makes a very clear distinction between Java and JavaScript. Besides, it was on the front page.

This is also the first article to state that I have received a $1000 prize from Netscape. This is not (yet) the case. I've been told I will receive such a prize...

The Australian, Tue Mar 5

An article on page 21 in the computer section (brought to my attention by Kim Dowling). I haven't read it since they aren't online. I wonder what their source was.

Mecklermedia's Web Developer, Thu Mar 7

This article has a wonderful summary of the report from the WWW Security FAQ in its second paragraph. It only forgets to report where I work.

It's a shame then that they totally blew it by confusing the Java patch released by Netscape as having to do with JavaScript. This is the basis for their headline, which is about as wrong as you can get.

UPDATE: This article was pulled after I pointed out the above problems. Note that they had previously given a good pointer to the WWW Security FAQ, including pointing out the difference between Java and JavaScript in the Feb 29 issue.

Educom's Edupage, Thu Mar 7

Well, I told you the SJ Mercury News article listed me in a confusing manner. Educom has just gotten Tennyson a job at OSF! Even though I brought it to their attention, it took until Mar 10 to get it corrected.

PC Week, Mon Mar 11

Somewhat interesting article, starting on page 1 and continued on page 88. Noteworthy in that they mentioned that these problems were "fixed" before 2.01 was even released. They obviously talked to Netscape (but not me!). They actually don't mention me, but they do list my URL.

MacWeek Online, Wed Mar 13

A well written article by James Staten. This one is the first I've seen to get everything right!

Computing Canada, March 28

A well written article by Dale Burger, on page 1.

Internet Reporter N08

This is an article in a French paper, on page 63.

C'T, May 96

An article in a German paper, on page 72, cited by Thomas Radetzki.

The Net, July 96

In the net desk, News Flashes second, on page 18. Several people, starting with Mike Affourtit, have brought this article to my attention. I have not seen it, but one person mailed me a copy they transcribed. The article seems concise and correct, but is under the title Java Breaches Security.

(Oh, and they called me a Hacker; the Guild would be proud.)

Other references I've seen reporting on this issue

