Java Security

Why You Can't Dump Java (Even Though You Want To) 402

Posted by Soulskill
from the i-think-the-EPA-frowns-on-that dept.
snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
  • Re:The other problem (Score:3, Informative)

    by Anonymous Coward on Tuesday May 08, 2012 @08:31PM (#39936307)

    Nobody got sued for using Java. Microsoft got sued because they called something that wasn't Java "Java". Google got sued because they used the elements of Java, but not Java itself.

  • Re:The other problem (Score:3, Informative)

    by binarylarry (1338699) on Tuesday May 08, 2012 @08:50PM (#39936529)

    Google got sued because they made a lot of money selling a Java platform to consumers.

    Which Oracle/Sun failed horribly for years at doing. (Java ME anyone?)

    Fuck Oracle!

  • by GIL_Dude (850471) on Tuesday May 08, 2012 @08:59PM (#39936605) Homepage

    Well, in the enterprise space you have a huge catch-22. I deal with this at work all the time. Since Oracle / Sun Java doesn't actually do patches (they just do full versions that introduce new features, break existing code, and deprecate other features), you can't deploy it. You have this trade-off of known security vulnerabilities vs. enterprise software that won't work with the new versions. You have banks that require you to run Java versions that are a year old in order to move money. You have vendors whose code won't work with the current version of Java - ever (since they take longer to get their code working on new versions than it takes Oracle to release the next new version). We try as hard as we can to get app owners to test - but every last time we ship a new Java version, apps come out of the woodwork with emergency requests to "stop the push". You can't win. Bust people's critical apps and you lose. Allow machines to get owned by insecure versions of Java? Yeah, you lose there too. Oracle needs to figure out how to do security patches that just fix the vulnerabilities and don't introduce (and remove) features. Until they can do that - yes, it is their fault.
  • Re:less risk? (Score:5, Informative)

    by errandum (2014454) on Tuesday May 08, 2012 @09:25PM (#39936827)

    You can also not use Windows and opt for Linux. But is it worth it? For some, yes; I'd say that for most people it isn't.

    Java runs some cool software that most have no idea actually is Java (it can copy the look and feel of your OS). The only way to mostly fix Java is to have Chrome-like updates. Silent, forced on you, but safe.

  • by Anonymous Coward on Tuesday May 08, 2012 @09:30PM (#39936875)

    Actually, most crime is the result of opportunity, not poverty. It's not so much class psychology or class deprivation (in the Western world real deprivation is uncommon), but that lower income people tend to live in communities where crime is easier because of 1) underfunded enforcement and 2) cheaper targets. Crime is an evolutionary strategy, and there's no reason to think that the genes aren't evenly spread throughout the society, especially considering how the lower and upper classes mix so readily through the generations. Place groups of rich and poor people in a 7-11 with the understanding that there's no surveillance and in fact no repercussions whatsoever (not even peers) if they steal, and the same number of people from each group are likely to shoplift eventually. Others will never shoplift, because their reciprocity instinct is just too strong, and still others will fall in between.

    That's why punishment is ineffective. The supposition held by a perpetrator is that he would not get caught. You don't need harsher penalties (no matter what the economists say); you just need better policing and fewer opportunities (in the software case, safer software).

  • Re:Accountability (Score:5, Informative)

    by Grishnakh (216268) on Tuesday May 08, 2012 @11:02PM (#39937415)

    The whole idea of accountability is utterly stupid as long as you have a single data network that spans multiple countries. If someone in Nigeria sends you a virus or does something else illegal, WTF are you going to do about it? Nothing. There's absolutely no way you're going to make people entirely accountable for their actions as long as there are multiple governments, and worse, different laws in different places. The only rational thing to do is to protect yourself.

  • by knorthern knight (513660) on Tuesday May 08, 2012 @11:22PM (#39937507)

    > Write once, run anywhere.. my ass...

    Write once, write anywhere... that has Java 1.2.3.4.5 installed. Not 1.2.3.4.4 or 1.2.3.4.6. It *MUST* be 1.2.3.4.5.

    That's Java's main problem. Back in the days of DOS, a BAT or COM or EXE file that worked on DOS 1 would work on DOS 2 and 3 and 4 and 5 and 6, unless it did some really braindead version checking. The vast majority of Windows apps survive service pack security updates. But many Java apps seem to break with each sub-minor version bump.

  • Re:less risk? (Score:3, Informative)

    by happymellon (927696) on Wednesday May 09, 2012 @01:17AM (#39938029)

    Package managers are not a silver bullet, because they still require a diligent maintainer. There are plenty of software packages for the various distros that are older versions. Running the update mechanism won't fix that.

  • Re:Accountability (Score:2, Informative)

    by roman_mir (125474) on Wednesday May 09, 2012 @04:31AM (#39938877) Homepage Journal

    You have all the facts wrong it looks like. Zimmerman didn't attack Martin, he was backing off, returning to his car when Martin attacked him. Zimmerman fell, Martin jumped over him beating Zimmerman's head against the ground, Zimmerman then shot him.

    The cops who didn't throw Zimmerman into a holding cell right away obviously thought that it happened this way, that Zimmerman was protected by that 'Stand your ground' law, that it was self-defence.

    The media is being used, though, to create a narrative among the public that there is this splurge of white-on-black crime, when actually that is not the case in the USA, and nobody makes a federal case out of crimes like this [nydailynews.com], for example.

  • Re:Accountability (Score:2, Informative)

    by Anonymous Coward on Wednesday May 09, 2012 @07:37AM (#39939589)

    There was at least one eyewitness who saw Martin sitting on top of Zimmerman. There was physical evidence that Zimmerman was lying on his back on the ground (the back of his shirt was wet and covered with leaves and grass clippings). Zimmerman had a freshly broken nose and lacerations on the back of his head. All of the evidence publicly presented tends to confirm Zimmerman's version of the story.
