Why You Can't Dump Java (Even Though You Want To) 402
snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
less risk? (Score:3, Interesting)
but we can still remove java and have less risk right ?
And Java's not patched because... (Score:1, Interesting)
... it can't be patched.
I run a Windows 7 computer with auto-updating turned on for both Windows and Java. Every time I boot, I get a message telling me there are Java updates to apply. I click 'Yes' to apply them, and nothing happens. No update, and no error message to give a clue as to why.
Maybe it's an admin privileges thing. But most processes give options to get around that requirement. Java Update doesn't.
So there it is, an unpatched Java installation. I've tried to uninstall it, and that's a similar usability nightmare but long story short, that doesn't work either.
Re:Can't stop crims, can fix holes (Score:5, Interesting)
'We' can't do anything to fix security holes in "Java", unfortunately.
Only core virtual machine and class libraries have been released under the GPL + Classpath Exception. The installer, auto updater, javafx, java web start, browser plugin are proprietary Oracle.
OpenJDK might be free but Java (TM) isn't. My bet, [citation needed], is that many of these Java security holes occur in unreleased code.
Re:This is a stupid article (Score:5, Interesting)
Yeah, I think the bigger problem is that the updates are weird. It's been a while since I've had Java installed on my main machines, but the way I remember it, you'd end up with a long list of updates in your Programs and Settings panel, even when they all have the same major version number. Like... you could keep Java 1.6.19 even when you uninstalled Java 1.6.12. And they don't seem to be patches, either... like, each one adds another 350MB subdirectory to some folder in your system disk, and they all just sit there like turds.
Then there was the time Oracle tried to bundle a McAfee "security scan" [infoworld.com] in the Java updates. That really inspired confidence. "Hey, I know -- let's interrupt this vital security procedure to push crapware from our marketing partners."
No, I think Roger Grimes is wrong -- folks can and will uninstall Java. I've been avoiding it just fine, and those bespoke Java applications that we're told all these Fortune 500 companies are sitting on will eventually be replaced with Web applications.
(None of this is to say Java doesn't have a strong future in the datacenter, though.)
Re:Accountability (Score:0, Interesting)
I'd be happy if they just didn't criminalize an individual for defending their family and stuff. That's the real kicker. They police won't respond to a break-in in any timely manner, but if you shoot the scumbags, you're the criminal now.
Unpatched Java? Blame the patching process! (Score:5, Interesting)
Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of.
And so the appropriate thing is to see why in the heck we don't have all software always patched up to date. And the reason for that in Java is that it's bloody stupid updater takes 5 minutes and 10 clicks. Change it to be like Chrome -- background auto-update itself silently* with zero user input (or one click) -- and you'll have 99% of the installs up to date without issue.
To be clear, for the control-freak BOFHs, enterprisey people and hobbyists that actually enjoy computer maintenance, there should be a checkbox in options that says "Disable All Automatic Updating until I uncheck this box". If the user checks it, turn on the webcam and require them to raise their right hand and swear "I AM RESPONSIBLE FOR KEEPING THIS SOFTWARE UPDATED, ANY ILL THAT BEFALLS ME FROM NOT PATCHING IS MY OWN DAMNED FAULT AND I DESERVE IT". Make sure that preference persist between installs.
IOW, I'm not saying everyone has to do automatic silent updating, I'm saying that it should be the default setting unless the user expresses a desire to maintain it updated himself and is appraised of the risk of doing so. Let the user decide, but provide a better default behavior that's appropriate for most users.
Re:less risk? (Score:5, Interesting)
Re:Accountability (Score:3, Interesting)
The Trayvon Martin case is a little weird, because it looks a lot like the guy sought the kid out and picked a fight with him and then shot him. That's not legal, even under the Stand Your Ground laws. We have the same kind of law here in AZ, but it's not going to protect you if you go out of your way to start a fight with someone; it just means you're allowed to defend yourself where you stand. However, you better be able to convince people that you really were physically threatened, and that (this is the key here in the Martin case) that you didn't provoke the threat in the first place. That means you can't go pick a fight with someone, punch him, wait for him to punch you back, then pull out your gun and shoot him dead because you were "afraid for your life". Anyone can see that's a BS line of reasoning. Because of this, if you're in public, you really need to have witnesses or some other evidence that you were in the right, and didn't instigate the conflict, or else anyone could just go shoot someone and claim they were threatened. It's much easier inside your home; if some stranger is inside your home and you shoot him dead, it's pretty hard for prosecutors to argue that you instigated it or whatever; your story that the person broke in and threatened your life is hard to argue with. If it's your brother-in-law, however, expect some trouble.
Comment removed (Score:5, Interesting)
Re:Can't stop crims, can fix holes (Score:5, Interesting)
Again, we've been known to bend over backwards to get our laws imposed on people in other countries when the FBI's lords and masters (the *AA) want them to. Perhaps they should use some of that to go after actual criminals rather than autistic UFO nuts and Megaupload.
Most of the Nigerian scams could be handled by insisting that U.S. banks clear checks once and for all with foreign banks (as in no take backs) before they claim that a check has cleared. That won't help people who are determined to be ripped off, but it will help a lot of people. "Identity theft" could be killed dead by making banks take responsibility when they hand wads of cash over to strangers and letting credit agencies know that if they continue repeating gossip and hearsay as if it was somehow verified information, they WILL be on the hook for libel.
And how do you know who picked a fight? (Score:2, Interesting)
The big question in the case is who picked a fight with who. The person who called the police and campaigned on behalf of a black homeless person against a white sheriff OR the self proclaimed gangsta nigga (his own nickname). I wouldn't trust the bleeding heart side with this one, they also make much that the HISPANIC guy lived in a gated community, but so did the black guy. Apparently white guy in gated community, racist. Black guy in gated community, victim.
I think it is even odds that Travor wanted to go crazy n* on the dudes as, thinking he could scare him off. In holland a group of youth immigrants formed a gang called the "crazy foreigners" operating on the same method, trying intimidation, knowing any white victim would be wary of standing up to them for fear of racist charges.
We shall see in the court case what both sides claim really happened.