[ale] running OPA (other people's apps) on my network

Jim Sculley niceguyj at comcast.net
Fri Jun 26 23:46:48 EDT 2009


Chris Kleeschulte wrote:
> I need opinions here.
>
> For a while now, I have been forced to run Custom Data Solution's  
> DataStreamer Jar file on hardware under my care. For some reason the  
> before-mentioned company insists on me running this jar file to be  
> able to submit data to them so we can get a discount from the vendor  
> that is a customer of theirs.
>
> I have asked to just POST the data to them and they can run their own  
> app against it on their machines, they refuse.
>
> I have asked to see the source code for the datastreamer java app,  
> they refuse.
>
> I have told my company not to comply with their data plan, my company  
> refuses.
>
> Custom Data Solution says that they have many customers who run their  
> app on the customer's machines/network, nary a complaint.
>
> I have quarantined this app as much as possible, but this is extremely  
> bad business for CDS to ask me to run their app on my network without  
> providing me the source code. I try to run only apps that I compile  
> myself or from trusted sources.
>
> What would you all do in this situation? I guess I am just wondering  
> if you think that it is absurd for a client to ask a supplier to run  
> their software? The unmitigated gall.
>   

Java has a fairly fine-grained security implementation.  If you can wrap 
their JAR in a little Java app with a custom SecurityManager you can 
make the code fall over any time it tries to do something like access a 
file.  With a little bit of testing, you might be able to verify what it 
is doing and grant it only the level of permission that you deem necessary.

Note:  I haven't ever done this, but it seems possible, looking at 
articles like this:

http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html

Jim Sculley
>
>
> Chris Kleeschulte
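
The wrapper suggested in the reply above, as an added example that is not part of the original thread and is not code from either poster or from the vendor. It combines a logging SecurityManager with a Policy that restricts only classes loaded from the vendor JAR. The class name `SandboxLauncher` and the host `upload.vendor.example:443` are hypothetical. It assumes a JDK where the Security Manager still works: it was deprecated for removal in Java 17, needs `-Djava.security.manager=allow` on 18 to 23, and is permanently disabled from JDK 24.

```java
import java.lang.reflect.Method;
import java.net.SocketPermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Paths;
import java.security.*;
import java.util.Arrays;

public class SandboxLauncher {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: SandboxLauncher <vendor.jar> <main-class> [args...]");
            System.exit(2);
        }
        // Keep the vendor JAR off the classpath so only the loader below defines its classes.
        final URL jarUrl = Paths.get(args[0]).toAbsolutePath().toUri().toURL();
        final String jar = jarUrl.toExternalForm();

        // The only grant for vendor code. Host and port are constructed placeholders.
        final Permissions vendor = new Permissions();
        vendor.add(new SocketPermission("upload.vendor.example:443", "connect,resolve"));

        // Launcher and JDK code stay fully trusted; classes from the JAR get `vendor` only.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain pd, Permission p) {
                CodeSource cs = pd.getCodeSource();
                boolean fromJar = cs != null && cs.getLocation() != null
                        && jar.equals(cs.getLocation().toExternalForm());
                return !fromJar || vendor.implies(p);
            }
        });

        // Custom SecurityManager: the standard stack-based check, plus one log line
        // per denial so a test run shows what the JAR tried to do.
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission p) {
                try {
                    super.checkPermission(p);
                } catch (SecurityException e) {
                    System.err.print("DENIED: ");
                    System.err.println(p);   // no string concatenation inside the checker
                    throw e;
                }
            }
        });

        URLClassLoader loader = new URLClassLoader(new URL[] { jarUrl });
        Method entry = loader.loadClass(args[1]).getMethod("main", String[].class);
        entry.invoke(null, (Object) Arrays.copyOfRange(args, 2, args.length));
    }
}
```

Each `DENIED:` line names a permission the JAR requested and did not have, such as a file read or a connection to another host; add to the `vendor` set only the ones you decide are necessary.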


