Java

Red Hat Devs Working On ARM64 OpenJDK Port 63

hypnosec writes "Developers over at Red Hat are busy porting OpenJDK to ARM's latest 64-bit architecture — the ARMv8, also known as the AArch64. The current OpenJDK ARM situation is rather unsatisfactory: for the current 32-bit ARM processors, there are two versions of the HotSpot JVM for OpenJDK — Oracle's proprietary JIT, and a less sophisticated free JIT that performs poorly in comparison. To avoid a similar situation for the 64-bit platform, the developers are working on an entirely Free Software port of HotSpot to 64-bit ARM."
Encryption

SSL Holes Found In Critical Non-Browser Software 84

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."
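The summary above says the non-browser clients were vulnerable to man-in-the-middle attacks because of how they drove their SSL library's API; it does not show what a correct check looks like. The following is an added example, not code from the page, the paper or any of the products named, and it assumes one concrete failure mode: a client that verifies the certificate chain but never compares the certificate's names against the host it meant to reach, so that any valid certificate (including one a MITM can obtain for a host he controls) is accepted. The function names, the constructed certificate dictionaries and the audit rules are this example's own; the dictionary shape mirrors what Python's `ssl.SSLSocket.getpeercert()` returns, and the name-matching rules follow RFC 6125 section 6.4.3.

```python
import ipaddress
import ssl


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 rules):
    case-insensitive, a wildcard is accepted only as the entire left-most
    label, never inside a label, never spanning a dot, and never for a
    pattern as broad as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False                      # wildcard must be whole left label; reject '*.com'
    if any("*" in label for label in plabels[1:]):
        return False                      # no wildcards beyond the left-most label
    if len(plabels) != len(hlabels) or hlabels[0] == "":
        return False                      # '*' matches exactly one non-empty label
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `cert` is valid for `hostname`.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert(): a
    'subjectAltName' tuple of (type, value) pairs and a 'subject' tuple of
    RDNs. Only 'DNS' SAN entries count; the commonName is consulted only when
    the certificate carries no dNSName SAN at all. An IP-literal hostname
    never matches a dNSName."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    san_dns = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_pattern_matches(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_pattern_matches(value, hostname)
    return False


def verifying_context() -> ssl.SSLContext:
    """The safe configuration: chain verified against the platform trust
    store and the peer name checked against the certificate."""
    return ssl.create_default_context()


def chain_only_context() -> ssl.SSLContext:
    """The bug pattern this example assumes: the chain is still verified, but
    the name check is switched off, so any valid certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings for a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: unsigned certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: any valid certificate for any host is accepted")
    return findings


if __name__ == "__main__":
    # Constructed sample certificate, not a real one.
    sample = {
        "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
        "subject": ((("commonName", "shop.example.com"),),),
    }
    for host in ("shop.example.com", "api.example.com", "example.com", "a.b.example.com"):
        print(host, hostname_matches(sample, host))
    print(audit_context(verifying_context()))
    print(audit_context(chain_only_context()))
```

The audit function is the part a reviewer of a client library would actually run: a context whose `verify_mode` or `check_hostname` has been weakened reports a finding, and a context built by `ssl.create_default_context()` reports none. Note that Python refuses to set `check_hostname = True` while `verify_mode` is `CERT_NONE`, which is the kind of API guard the summary's "poorly designed APIs" lacked.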
Java

Researcher Develops Patch For Java Zero Day In 30 Minutes 57

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."
IOS

Ask Slashdot: Best Approach To Reenergize an Old Programmer? 360

StonyCreekBare writes "I started out programming in Z80 assembler in the 1970s. Then I programmed in Pascal. Then x86 Assembler in the early '90s. Over time I did a smattering of C, Basic, Visual C++, Visual Basic, and even played at Smalltalk. Most recently I settled on Perl, and Perl/Tk as the favorite 'Swiss army Chainsaw' tool set, and modestly consider myself reasonably competent with that. But suddenly, in this tight financial environment I need to find a way to get paid for programming, and Perl seems so 'yesterday.' The two hot areas I see are iOS programming and Python, perhaps to a lesser extent, Java. I need to modernize my skill-set and make myself attractive to employers. I recently started the CS193P Stanford course on iTunesU to learn iPad programming, but am finding it tough going. I think I can crack it, but it will take some time, and I need a paycheck sooner rather than later. What does the Slashdot crowd see as the best path to fame, wealth and full employment for gray-haired old coots who love to program?"
Bug

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE 121

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."
Education

Is a Computer Science Degree Worth Getting Anymore? 630

snydeq writes "Self-taught technologists are almost always better hires than those with a bachelor's degree in computer science and a huge student loan, writes Andrew Oliver. 'A recruiter recently asked me why employers are so picky. I explained that of the people who earned a computer science degree, most don't know any theory and can't code. Instead, they succeed at putting things on their resume that match keywords. Plus, companies don't consider it their responsibility to provide training or mentoring. In fairness, that's because the scarcity of talent has created a mercenary culture: "Now that my employer paid me to learn a new skill, let me check to see if there's an ad for it on Dice or Craigslist with a higher rate of pay." When searching for talent, I've stopped relying on computer science degrees as an indicator of anything except a general interest in the field. Most schools suck at teaching theory and aren't great at Java instruction, either. Granted, they're not much better with any other language, but most of them teach Java.'"
Java

Recent Apple Java Update Doesn't Fix Critical Java Flaw Claims Researcher 102

hypnosec writes "Just yesterday Apple released updates to fix Java vulnerabilities, but it seems the patch doesn't actually target the recently discovered high-profile Java bug that has been the talk of the web during the last two weeks. The two updates – Java for OS X 2012-005 for OS X Lion and Java for Mac OS X 10.6 Update 10 for Mountain Lion, are meant to tackle the vulnerability described in CVE-2012-0547. But according to KrebsOnSecurity, it seems Cupertino hasn't addressed the recent mega-vulnerabilities in Java as described in CVE-2012-4681." Update: 09/07 12:00 GMT by S : As readers have pointed out, these updates address flaws in Java 6, which is the version Apple maintains. The recently-reported Java vulnerabilities primarily affect Java 7, the patching of which is handled solely by Oracle. Nothing to see here.
Security

Apple Denies FBI Had Access To UDIDs 104

First time accepted submitter WIn5t0n writes "Just a day after the alleged leak of 12 million Apple UDIDs, both Apple and the FBI have denied the story that Anonymous, a global hacking community, gained access to the files by hacking into an FBI laptop through a Java vulnerability. Earlier this morning the FBI claimed that, even though the agent cited in Anonymous's story is an actual FBI operative, neither he nor anyone else in the agency has or has had access to Apple device information. This afternoon Apple followed up on the FBI's statement, with an unidentified Apple representative claiming that, 'The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.' It should also be noted that while the hackers claim to have accessed 12 million UDIDs, only 1 million were publicly released. The Apple representative who made the previous statements also said that, 'Apple has replaced the types of identifiers the hackers appear to have gotten and will be discontinuing their use.' Even though neither Anonymous nor the FBI/Apple will admit where the data actually came from, it does appear that at least some of the leaked UDIDs are legit and can be tied back to current, privately owned devices. So far no information besides the device's UDID, DevToken ID, and device name has been released, however the original hackers claimed that some devices were tied to details as exact as phone numbers and billing addresses."
Crime

Anonymous Leaks 1M Apple Device UDIDs 282

Orome1 writes "A file containing a million and one record sets containing Apple Unique Device Identifiers (UDIDs) and some other general information about the devices has been made available online by Anonymous hackers following an alleged breach of an FBI computer. 'During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,' the hackers claim." Update: 09/04 13:44 GMT by T : A piece at SlashCloud points out that if the leak is genuine, this raises some sticky questions about privacy and security; in particular: "[H]ow did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?"
Bug

Java Exploit Patched? Not So Fast 87

PCM2 writes "The Register reports that Security Explorations' Adam Gowdiak says there is still an exploitable vulnerability in the Java SE 7 Update 7 that Oracle shipped as an emergency patch yesterday. 'As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.'"
Java

Oracle Patches Java 7 Vulnerability 58

First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet.'"
Java

Polish Researcher: Oracle Knew For Months About Java Zero-Day 367

dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
Java

Experts Develop 3rd-Party Patch For New Java Zero-Day 154

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
Security

Crisis Trojan Makes Its Way Onto Virtual Machines 49

Trailrunner7 writes "The Windows version of the Crisis Trojan is able to sneak onto VMware implementations, making it possibly the first malware to target such virtual machines. It also has found a way to spread to Windows Mobile devices. Samples of Crisis, also called Morcut, were first discovered about a month ago targeting Mac machines running various versions of OS X. The Trojan spies on users by intercepting e-mail and instant messenger exchanges and eavesdropping on webcam conversations. Launching as a Java archive (JAR) file made to look like an Adobe Flash Installer, Crisis scans an infected machine and drops an OS-specific executable to open a backdoor and monitor activity. This week, researchers also discovered W32.Crisis was capable of infecting VMware virtual machines and Windows Mobile devices."
Java

Rootbeer GPU Compiler Lets Almost Any Java Code Run On the GPU 304

An anonymous reader writes "Today the source code to the Rootbeer GPU Compiler was released as open source on github. This work allows for a developer to use almost any Java code on the GPU. It is free, open source and highly tested. Rootbeer is the most full featured translator to convert Java Bytecode to CUDA. It allows arbitrary graphs of objects to be serialized to the GPU and the GPU kernel to be written in Java." Rootbeer is the work of Syracuse University instructor Phil Pratt-Szeliga.
Education

Will Online Learning Disrupt Programming Language Adoption? 193

theodp writes "Back in the day, getting traction for a new programming language was next to impossible. First, one needed a textbook publishing deal. Then, one needed a critical mass of CS profs across the country to convince their departments that your language was worth teaching at the university level. And after that, one still needed a critical mass of students to agree it was worth spending their time and tuition to learn your language. Which probably meant that one needed a critical mass of corporations to agree they wanted their employees to use your language. It was a tall order that took years if one was lucky, and only some languages — FORTRAN, PL/I, C, Java, and Python come to mind — managed to succeed on all of these fronts. But that was then, this is now. Whip up some online materials, and you can kiss your textbook publishing worries goodbye. Manage to convince just one of the new Super Profs at Udacity or Coursera to teach your programming language, and they can reach 160,000 students with just one free, not-for-credit course. And even if the elite Profs turn up their nose at your creation, upstarts like Khan Academy or Code Academy can also deliver staggering numbers of students in a short time. In theory, widespread adoption of a new programming language could be achieved in weeks instead of years or decades, piquing employers' interest. So, could we be on the verge of a programming language renaissance? Or will the status quo somehow manage to triumph?"
Android

Paid Media Must Be Disclosed In Oracle v. Google 165

jfruh writes "One of the odder moments during the Oracle v. Google trial over Java patents came when patent blogger Florian Mueller disclosed that he had a 'consulting relationship' with Oracle. Now it looks like we're going to find out which other tech bloggers and journalists were on the payroll of one of the two sides in this epic fight. Judge William Alsup has ordered (PDF) that both parties disclose 'all authors, journalists, commentators or bloggers who have reported or commented on any issues in this case and who have received money (other than normal subscription fees) from the party or its counsel during the pendency of this action.'"
Mars

Curiosity Lands On Mars 411

The Mars Science Laboratory, a.k.a. Curiosity, is now less than an hour from touchdown on Mars. It's scheduled to land at 1:31 AM EDT (0531 UTC). The landing will be monitored by the Odyssey orbiter, which will be the data relay between Curiosity and Earth. The Mars Reconnaissance Orbiter will be listening to Curiosity as well (yes — two of our probes orbiting another world will be watching a third). While Odyssey will be giving us close to real-time updates (as close as possible, given the 14-minute time delay), MRO's data will take a bit longer to be processed and evaluated. NASA is broadcasting from the JPL mission room right now. If you'd like to watch a pretty awesome graphical visualization of the mission, check out eyes.nasa.gov. If you'd like to play around with a Java app showing Mars-local times and seasons, check out Mars24. If you'd like to watch unofficial coverage, Bad Astronomer Phil Plait and a bunch of other astronomers are hosting a public Google Hangout. If you'd like to read a detailed explanation of the landing, check out NASA's press kit (PDF), and there's also a post about what to expect when the rover starts sending pictures back to Earth, which will be about two hours after the rover lands. Good luck to everyone involved! We'll update this post when we get word on the landing.
Update: 08/06 05:33 GMT by S : Curiosity is on the ground! Everything looks nominal, and everybody at JPL is cheering. Congratulations, folks. They're continuing to receive telemetry from Odyssey, and the connection is strong. They've now received the first images back from Mars of Curiosity on the ground. A press briefing is scheduled in a little bit (2:15AM EDT, 0615 UTC), and several more throughout the day as more data comes back.
Security

Web Exploit Found That Customizes Attack For Windows, Mac, and Linux 204

phaedrus5001 writes with this quote from Ars: "Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Colombian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."