Why You Can't Dump Java (Even Though You Want To)

snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"

Accountability

[amginenigma]

Good luck with that, we humans have entire criminal justice systems which are supposed to bring accountability... pretty sure you know where I'm going with this one.

Can't stop crims, can fix holes

[Anonymous Coward]

He may be right, but he's also totally unrealistic. Nothing you ever do will stop the "underlying problem". But we can fix security holes, and pressure companies to release more secure code.

No point hoping for what is "right", or "best". Aim for something realistic instead.

The other problem

[MrEricSir]

Security is one problem -- the other being that you'll get sued for using it. Just ask Microsoft and Google.

This is a stupid article

[rgbrenner]

Java isn't insecure, criminals just aren't being punished.

That applies to EVERY piece of software. Why should Java get a free pass?

soo..

[Anonymous Coward]

We should legislate away our technical problems?
No thanks. It's been shown time and time again that not only doesn't it work, but it tends to make the technical problems worse.

If everyone thinks "i can just sue them later" them attention to security will drop even farther.

There are very good security systems out there that very few people and organizations bother to implement or continue.

Invalid argument...

[wbr1]

We punish drug dealers and users... they keep on pushing and using.
We punish robbers and gangsters... stores get robbed and people gangbanged every day.
We punish rapists and other sex offenders...new ones crop up.
We punish murderers and and wife beaters... people still get killed and wives beaten every day.

Punishment it little if any deterrent. In countries with far less harsh criminal penalties than the United States, the crime rate stays about even to all other industrialized countries, even given the lesser punishments.
And somehow Grimes thinks that punishing crackers (not hackers.. I am proudly one of those), is going to make a difference. Even if you did manage to snuff it out in one place (highly unlikely), the internet is worldwide and you will have places with less lax laws or corrupt officials where those of a criminal bent can launch whatever they choose.
Most crime (not all)is cause by real or perceived poverty or other social disparity. Spending billions to incarcerate the underprivileged does nothing but further this disparity and create -more- crime.
Try looking at the world with empathy instead of greed and anger and try to lift people up. You may be surprised what a difference it makes.

The problem of accountability

[c0lo]

They (cyber criminals) almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.

Hang on... what about the accountability of the software producer? Oh, yeah, the DISCLAIMER in the copyright/license legalese... it passes the responsibility to deal with the effects to the users. So why are the users complaining?

Before you jump on my throat: I reckon the "social cost" of going after hackers would be higher than the cost of the "war on drugs" (even if only because a running software is intangible and the attack vectors are easier to anonymize).
Even more, the "cost of discovering/deterring/preventing the cyber criminals" will be supported from taxes, even if the bug allowing the exploited is caused by the software producer... feels like a great incentive to reduce the cost of quality assurance stages in a software project, by externalizing them to the society... that's what corporations are excellent at, ain't it?

Incompatabilities...

[linatux]

I'm sure Java would be kept a lot more up to date if version 'x' could still run software built when version 'n' was current.

Java Update for Windows sucks; Java's fault.

[Anonymous Coward]

The Java Update notification shows up in the tray (on Windows Vista and XP), you click on it and get an error message to the effect of Java couldn't be downloaded or installed. What I have to do is logout and log back in as the Admin. Now, it would be nice if there were some program in the Programs list were I could click on it and just do an update, or easily bring up the java console - like Windows Update is easy to find and run. With Java, I have to search the web or better yet, bring up a page with a java applet which then brings up the Java console and then I can update - because the auto update sucks.

Now, I understand about the permissions and all that because I have a similar problem with Firefox and other Mozilla programs BUT I can do a "Run As" and run them as an admin and continue with the install - not really a problem. Java, on the other hand, requires an entire new download and then installing - only from the Admin account and digging for the damn Console in the control panel. BTW, the Java icon can only be found in the "Classic" view. And if I, an ex-programmer IT person thinks this is a pain, I wonder how many people get the error and then forget about the update?

tl;dr Updating Java is a pain in the ass if you run your machine under a user account. Java needs an easier way to bring the Java console. And this security problem is Java's fault.

Not just unpatched Java

[Hentes]

The big security problem with Java software is that you can't differentiate between them since they all run on the jvm. For example, you can't block net access from a Java program in a firewall, because you would have to block the whole jvm.

Re:Can't stop crims, can fix holes

[jhoegl]

seems more like he is building a case for rules to govern the internet, justifying "big brother" tactics, and random stealing of servers from server racks by the FBI.

Re:This is a stupid article

[Sarten-X]

You mean the "java update" icon in the taskbar? The one that wants to update every few months?

Yeah, I ignore it, too... It seems every update is a few hundred megabytes, and I don't really want to pay attention to it long enough to tell it to install, then come back to follow up on it. Between all of the "time-tested" self-updaters for Windows, Adobe, Apple, Google, and a dozen more I could track down if I cared to, I'm sick of the whole self-updating thing. Why the hell don't we use RSS (or equivalent) for this yet, and be able to group all the updates together in a single interface, with a single "update now" button?

I guess that'll still be a Linux-only thing for another decade or so...

Re:Invalid argument...

[wbr1]

It doesn't work at that either though. Many criminals would like a better life and a better chance, and don't want to make the same mistakes again. Not all, of course there are exceptions. But you take a man, put him in prison for 5 or 10 or 15 years at the prime of his life, give him some opportunities to learn, but most are bogus, and most of what is learned is -more- criminal mentality, and more hatred of -the system-. Then you put him out on the street with strict rules, little money, most of his family and friend have probably deserted him (if he had much to begin with) during his time in prison so he has little if any healthy support systems in place. No add to the fact that everywhere he turns he cannot get a job. If he owes court fines he may not even be able to get a drivers license until he can pay part of his fees, further limiting his chance of employment. Is it any wonder if he goes back to robbing stores or dealing drugs? It is what he knew and all he has left.
And even if you made him a ward of the state forever, now the state has weakened whatever family he had, and made it more likely for others in his family to follow the same path. And there will ALWAYS be more criminals to replace him.
So no, it is not about deterrence. It is not about accountability even. In the United States it is about making victims feel better, and about making money for the government. Bringing in tax dollars through fear.

Re:less risk?

[Tough Love]

but we can still remove java and have less risk right ?

Indeed. I will have to disagree with "security advisor Roger Grimes" and point out that complexity breeds bugs; bugs breed security holes; Java's JIT and supporting libraries are just way too complex for their own good. This problem is made way more severe by Java's closed development model.

Java can be made secure, just not any time soon, not until Oracle gets a clue and opens up the development process.

Re:Accountability

[icebike]

Good luck with that, we humans have entire criminal justice systems which are supposed to bring accountability... pretty sure you know where I'm going with this one.

The criminal justice system, and the police are scaled just big enough to keep people from murdering each other and running off with with other people's property on any grand scale. It was never intended that this level of policing should be 100% fool proof. Even in those countries where there is totalitarian control, petty crime is rampant and tolerated simply because you can't lock up everybody.

I doubt you or the author of TFA would want to live in a society so tightly monitored that it was impossible to commit ID theft or internet crime (he seems to equate the two).

There was an opportunity, and actually some proposals for a non anonymous internet once upon a time. Also for absolutely verifiable Email senders. That path wasn't chosen, and would likely have been impossible anyway, with the side effect of turning a lot of petty internet activity into internet crimes, merely because you posted without a license, or made a name up.

Re:Can't stop crims, can fix holes

[icebike]

You are right of course.

Further, Grimes falls headlong into the punch-bowl of the "Its popular, therefore, its attacked" Koolaid that Microsoft has been serving up for years now. With a few thousand more eyes on that source code its quite possible it could be much more secure than it is now, especially since Grimes himself points out it was originally designed with security in mind. But as long as vendors and bloggers can claim that popular platforms fall to attack simply because they are popular, we will never see much pressure for improvement.

Some popular things, like Gold Ingots, are just harder to steal because Fort Knox has better security. Even with a map, a tour, and three corrupt ex-guards on your payroll you aren't going to succeed.

The idea that we will ship code, vetted by nobody in particular, for execution on some remote machine, and then expect a software sandbox to contain that code successfully, forever, with zero maintenance is just begging for trouble. To do so without publicly vetting the platform in all of its details is foolish.

Re:This is a stupid article

[Anonymous Coward]

In Apple's case, they had a perfectly good update mechanism, they just never released the patch.

Re:Can't stop crims, can fix holes

[Shoten]

You are right of course.

Further, Grimes falls headlong into the punch-bowl of the "Its popular, therefore, its attacked" Koolaid that Microsoft has been serving up for years now. .

Here, you hit the nail on the head...but it isn't about open- versus closed-source. It's about the real problem...patching. Most exploitation involves Flash, Java or Adobe Reader vulnerabilities largely because these don't get patched as easily. Microsoft became the gold standard in patch deployment over the past several years, and as a result the time in which a Microsoft-based vulnerability can be counted on to produce botted host after botted host from a compromised website is far shorter. On the other hand, Java and Adobe both tend to lag a bit in their patching, and their systems rely upon a reboot to even look for the latest version. When Microsoft pushes a patch, within 24-36 hours I usually have it installed. I don't know how long it takes between when the latest Java engine is out and when I happen to reboot and, once my machine comes back up...ah, look! A new Java version!

Criminals will always exist, and they will go after the easier targets. Vulnerabilities will always exist. The key is to patch the vulnerabilities quickly enough and frequently enough that criminals look for lower-hanging fruit.

Re:Accountability

[CajunArson]

The Internet is not and never was designed to be "anonymous" despite the popular myths online. People confuse "anonymity" with the fact that the Internet does not provide any good mechanisms to verify who you are actually dealing with (SSL certificates are a semi-useful additional layer designed to fix that issue).

Go back to the earliest days of the Internet and the WWW and you'll see that it was actually the opposite of anonymity. It was a bunch of physicists who wanted people to actually read their papers and give them grants ;-)

Re:Accountability

[SScorpio]

You might want to move then. There are 28 states with no duty to retreat there is a break-in your home. And another 17 states where you can stand your ground no matter where the attack takes place.

http://en.wikipedia.org/wiki/Castle_law#States_with_a_Stand-your-ground_Law [wikipedia.org]

About three weeks ago there was an guy in his eighties that killed a robber with a shotgun and two other ran off. The media report his heroics in defending his property, and sleeping wife. Doesn't sound like he was considered a criminal.

Shooting fleeing suspects in the back when they are outside your home may bring about criminal prosecution, but it's up to a judge and jury if there was immediate threat at the time.

Re:Can't stop crims, can fix holes

[DarwinSurvivor]

Microsoft became the gold standard in patch deployment over the past several years

I *actually* laughed when I read that! When Microsoft's updater can update software other than their own, THEN you can TRY saying that again. Until then all the Linux users will just shake their heads at your ignorance.

That's not how it works

[jcupitt65]

MS wouldn't be patching 3rd party software (you're right, that'd be crazy). MS would provide a general framework for maintaining installed software which 3rd party vendors could hook into.

Instead of every package implementing its own updater with its own background service and configuration system, they'd be one updater that everyone used which presented updates to the user in a central place. Instead of 10 badly implemented updaters, you'd have one good one.

This is what all linux distributions do and it works pretty well. I expect the win8 app store will do something like this.

Re:Accountability

[Kalriath]

I hate to point out that one of the largest failing civilisations right now is the one with the most ridiculously overbearing property rights laws. Yours. Most of us civilisations who refuse to accept the premise that any replaceable material object can be worth more than a human life are doing quite well thank you. Any argument that tries to claim that property can be worth more than life under any circumstances is inherently logically and morally flawed.

Re:Accountability

[mr_gorkajuice]

Well, duh. Several lives are more valuable than a single life. To me, my life is worth more than yours, though I'm sure you'd disagree.
However, every life is worth more than a flat screen TV.
Btw, capitalism is doing just fine over here, despite lethal violence not being legal means for protecting property.

Re:Accountability

[emho24]

I simply cannot understand the position some people take "it's just stuff, it's not worth a life!". You broke into my *home*. This is where I live with my wife and child. I am not going to spend one nanosecond pondering your motives, whether you are here to steal my tv or the life of my family. I'm going to shoot center mass (no, *not* in the legs), and I am not going to stop shooting until the threat is no more. Period. My state has a castle doctrine, but I don't care. It was my doctrine long before it was state law. No one is going to tell me that my life and my family’s lives are worth less than some criminal that broke into my house.