Java

Oracle Ships Java 7 Update 11 With Vulnerability Fixes 243

An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."
Open Source

Who Controls Vert.x: Red Hat, VMware, Neither? 118

snydeq writes "Simon Phipps sheds light on a fight for control over Vert.x, an open source project for scalable Web development that 'seems immunized to corporate control.' 'Vert.x is an asynchronous, event-driven open source framework running on the JVM. It supports the most popular Web programming languages, including Java, JavaScript, Groovy, Ruby, and Python. It's getting lots of attention, though not necessarily for the right reasons. A developer by the name of Tim Fox, who worked at VMware until recently, led the Vert.x project — before VMware's lawyers forced him to hand over the Vert.x domain, blog, and Google Group. Ironically, the publicity around this action has helped introduce a great technology with an important future to the world. The dustup also illustrates how corporate politics works in the age of open source: As corporate giants grasp for control, community foresight ensures the open development of innovative technology carries on.'"
Java

Oracle Knew of Latest Java 0-Day Security Hole In August 265

An anonymous reader writes "After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware." Meanwhile, writes reader Beeftopia, the U.S. Department of Homeland Security is getting in on the action, and "has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw."
Firefox

Apple and Mozilla Block Vulnerable Java Plug-ins 88

hypnosec writes "Following news that a Java 0-day has been rolled into exploit kits, without any patch to fix the vulnerability, Mozilla and Apple have blocked the latest versions of Java on Firefox and Mac OS X respectively. Mozilla has taken steps to protect its user base from the yet-unpatched vulnerability. Mozilla has added to its Firefox add-on block-list: Java 7 Update 10, Java 7 Update 9, Java 6 Update 38 and Java 6 Update 37. Similar steps have also been taken by Apple; it has updated its anti-malware system to only allow version 1.7.10.19 or higher, thereby automatically blocking the vulnerable version, 1.7.10.18." Here are some ways to disable Java, if you're not sure how.
Crime

Java Zero-Day Vulnerability Rolled Into Exploit Packs 193

tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."
Transportation

Ford and GM Open Car Software To Outside Developers 82

Dr Herbert West writes with news that General Motors and Ford have both used CES to announce a Software Development Kit for developers to create in-car apps. "Ford is focusing on three primary categories for apps: news and information, music and entertainment, and navigation and location. Marchwicki said the automaker will “instantly deny” apps that incorporate video, excessive text and gaming in a bid to reduce the risk of distracted driving. After developers have incorporated the Sync AppLink code into a proposed app, they submit it to Ford engineers for review. Ford will certify the app is bug-free and appropriate for automobiles. Once approved, Ford will work with the developer to provide a distribution license and get the app on the market." Similarly GM seeks infotainment apps that can be downloaded directly to the dashboard. "GM will provide developers with an SDK through an online portal that allows them to work with the automaker to design, test and deliver relevant automotive apps. GM also is including an HTML5 JavaScript framework in its SDK."
Image

Book Review: The Nature of Code 37

eldavojohn writes "I kickstarted a project undertaken by Daniel Shiffman to write a book on what (at the time) seemed to be a very large knowledge space. What resulted is a good book (amazing by CC-BY-NC standards) available in both PDF and HTML versions. In addition to the book he maintains the source code for creating the book and of course the book examples. The Nature of Code starts off swimmingly but remains front heavy with a mere thirty five pages devoted to the final chapter on neural networks. This is an excellent book for Java and Processing developers that want to break into simulation and modeling of well, anything. It probably isn't a must-have title for very seasoned developers (unless you've never done simulation and modeling) but at zero cost why not?" Read below for the rest of eldavojohn's review.
Programming

C Beats Java As Number One Language According To TIOBE Index 535

mikejuk writes "Every January it is traditional to compare the state of the languages as indicated by the TIOBE index. So what's up and what's down this year? There have been headlines that C# is the language of the year, but this is based on a new language index. What the TIOBE index shows is that Java is no longer number one as it has been beaten by C — yes C not C++ or even Objective C."
Education

Raspberry Pi Gets an Open Source Educational Manual 56

Last year a group of UK teachers started working on a Creative Commons licensed teaching manual for the Raspberry Pi. That work has produced the Raspberry Pi Education Manual which is available at the Pi Store or here as a PDF. From Raspberry Pi: "The manual is released under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 unported licence, which is a complicated way of saying that it’s free for you to download, copy, adapt and use – you just can’t sell it. You’ll find chapters here on Scratch, Python, interfacing, and the command line. There’s a group at Oracle which is currently working with us on a faster Java virtual machine (JVM) for the Pi, and once that work’s done, chapters on Greenfoot and Geogebra will also be made available – we hope that’ll be very soon."

Ask Slashdot: CS Degree While Working Full Time? 433

An anonymous reader writes "First, some quick background: I am 26 years old and I have been working for a large software development company with more than 50,000 employees for about 5 years now. My actual title is Senior Software Engineer, and I am paid well considering I have no degrees and all of the programming languages I have learned (C, C++, C#, Java) are completely self-taught. The only real reason I was able to get this job is because I spent a year or so in a support position and I was able to impress the R&D Lead Developer with a handful of my projects. My job is secure for the time being, but what really concerns me is the ability to find another job in the field without 95% of companies discarding me for lack of formal education. I started looking into local community colleges and universities, and much to my dismay, they offer neither nighttime nor online courses for computer science. Quitting the job to pursue a degree is not an option, especially considering they will compensate me up to $10,000/yr for going back to school. Has anyone else been in a similar situation? Does anyone know of any accredited colleges and universities that offer a CS degree through online courses? Obviously excluding the scam 'colleges' such as Univ. of Phoenix and DeVry."
Java

Oracle Proposes New Native JavaScript Engine for OpenJDK 80

hypnosec writes "Oracle has proposed a new project for OpenJDK — Nashorn, which aims to implement a high-performance yet lightweight JavaScript runtime that would run on the JVM natively. Nashorn will be headed by Jim Laskey, multi-language Lead at Oracle and the project will be sponsored by HotSpot group. The project proposes an implementation of JavaScript such that it can run standalone JavaScript applications via the JSR 223 APIs. Nashorn's design will enable it to take advantage of new JVM technologies like the MethodHandles and the InvokeDynamic APIs."
Education

Ask Slashdot: Finding Work Over 60? 306

First time accepted submitter Hatfield56 writes "I've been in IT since the mid-1980s, mainly working for financial institutions. After 16 years at a company, as a programmer (Java, C#, PL/SQL, some Unix scripting) and technical lead, my job was outsourced. That was in 2009 when the job market was basically dead. After many false starts, here I am 3 years later wondering what to do. I'm sure if I were 40 I'd be working already but over 60 you might as well be dead. SO, I'm wondering about A+. Does anyone think that this will make me more employable? Or should I be a greeter at Walmart?"
Programming

The IDE As a Bad Programming Language Enabler 586

theodp writes "When it comes to monolithic IDEs, Wille Faler has lost that loving feeling. In IDEs Are a Language Smell, Faler blogs about a Eureka! moment he had after years of using Eclipse for Java development. 'If the language is good enough,' Faler argues, 'an IDE is strictly not needed as long as you have good support for syntax highlighting and parens matching in the case of Clojure, or indentation in the case of Haskell.' So why do Java coders turn to Eclipse? 'Because [of] a combination of shortcomings in the Java compiler and Java's OO nature,' explains Faler, 'we end up with lots and lots of small files for every interface and class in our system. On any less than trivial Java system, development quickly turns into a game of code- and file-system navigation rather than programming and code editing. This nature of Java development requires IDEs to become navigation tools above all.' Yes, only an IDE could love AbstractSingletonProxyFactoryBean!"
Java

Red Hat Devs Working On ARM64 OpenJDK Port 63

hypnosec writes "Developers over at Red Hat are busy porting OpenJDK to ARM's latest 64-bit architecture — the ARMv8, also known as the AArch64. The current OpenJDK ARM situation is rather unsatisfactory: for the current 32-bit ARM processors, there are two versions of the HotSpot JVM for OpenJDK — Oracle's proprietary JIT, and a less sophisticated free JIT that performs poorly in comparison. To avoid a similar situation for the 64-bit platform, the developers are working on an entirely Free Software port of HotSpot to 64-bit ARM."
Encryption

SSL Holes Found In Critical Non-Browser Software 84

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."
Java

Researcher Develops Patch For Java Zero Day In 30 Minutes 57

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."
IOS

Ask Slashdot: Best Approach To Reenergize an Old Programmer? 360

StonyCreekBare writes "I started out programming in Z80 assembler in the 1970s. Then I programmed in Pascal. Then x86 Assembler in the early '90s. Over time I did a smattering of C, Basic, Visual C++, Visual Basic, and even played at Smalltalk. Most recently I settled on Perl, and Perl/Tk as the favorite 'Swiss army Chainsaw' tool set, and modestly consider myself reasonably competent with that. But suddenly, in this tight financial environment I need to find a way to get paid for programming, and perl seems so 'yesterday.' The two hot areas I see are iOS programming and Python, perhaps to a lesser extent, Java. I need to modernize my skill-set and make myself attractive to employers. I recently started the CS193P Stanford course on iTunesU to learn iPad programming, but am finding it tough going. I think I can crack it, but it will take some time, and I need a paycheck sooner rather than later. What does the Slashdot crowd see as the best path to fame, wealth and full employment for gray-haired old coots who love to program?"
Bug

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE 121

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."
Education

Is a Computer Science Degree Worth Getting Anymore? 630

snydeq writes "Self-taught technologists are almost always better hires than those with a bachelor's degree in computer science and a huge student loan, writes Andrew Oliver. 'A recruiter recently asked me why employers are so picky. I explained that of the people who earned a computer science degree, most don't know any theory and can't code. Instead, they succeed at putting things on their resume that match keywords. Plus, companies don't consider it their responsibility to provide training or mentoring. In fairness, that's because the scarcity of talent has created a mercenary culture: "Now that my employer paid me to learn a new skill, let me check to see if there's an ad for it on Dice or Craigslist with a higher rate of pay." When searching for talent, I've stopped relying on computer science degrees as an indicator of anything except a general interest in the field. Most schools suck at teaching theory and aren't great at Java instruction, either. Granted, they're not much better with any other language, but most of them teach Java.'"
Java

Recent Apple Java Update Doesn't Fix Critical Java Flaw Claims Researcher 102

hypnosec writes "Just yesterday Apple released updates to fix Java vulnerabilities, but it seems the patch doesn't actually target the recently discovered high-profile Java bug that has been the talk of the web during the last two weeks. The two updates – Java for OS X 2012-005 for OS X Lion and Java for Mac OS X 10.6 Update 10 for Mountain Lion, are meant to tackle the vulnerability described in CVE-2012-0547. But according to KrebsOnSecurity, it seems Cupertino hasn't addressed the recent mega-vulnerabilities in Java as described in CVE-2012-4681." Update: 09/07 12:00 GMT by S : As readers have pointed out, these updates address flaws in Java 6, which is the version Apple maintains. The recently-reported Java vulnerabilities primarily affect Java 7, the patching of which is handled solely by Oracle. Nothing to see here.
