IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM

A great article in the Harvard Law Review just got slashdotted. It argues that hackers, worms and viruses are actually good for network security. I'm a very strong believer in this, and have been for a long time. When we first released Java in 1995, we made all of the sources available on the net. Most people just downloaded the binaries and used them, but a lot of folks downloaded the sources, and many of them spent many hours trying to figure out how to break the security of the system. And several people did: they would publish their attacks, and we'd fix them. The end result is an extraordinarily strong system. Many people in the software industry are nervous about such policies because they fear that it will give nasty folks an unfair advantage. They somehow believe that "security by obscurity" is a valid technique. I have always believed, and experience has shown, that the reverse is true: there are many more good smart people than evil smart people, and good smart people let us know about any flaws they discover, so we get things fixed quickly.
June 26, 2006