Why You Can't Dump Java (Even Though You Want To) 402
snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
Accountability (Score:4, Insightful)
Re:Accountability (Score:5, Insightful)
Good luck with that, we humans have entire criminal justice systems which are supposed to bring accountability... pretty sure you know where I'm going with this one.
The criminal justice system, and the police are scaled just big enough to keep people from murdering each other and running off with with other people's property on any grand scale. It was never intended that this level of policing should be 100% fool proof. Even in those countries where there is totalitarian control, petty crime is rampant and tolerated simply because you can't lock up everybody.
I doubt you or the author of TFA would want to live in a society so tightly monitored that it was impossible to commit ID theft or internet crime (he seems to equate the two).
There was an opportunity, and actually some proposals for a non anonymous internet once upon a time. Also for absolutely verifiable Email senders. That path wasn't chosen, and would likely have been impossible anyway, with the side effect of turning a lot of petty internet activity into internet crimes, merely because you posted without a license, or made a name up.
Re:Accountability (Score:4, Insightful)
The Internet is not and never was designed to be "anonymous" despite the popular myths online. People confuse "anonymity" with the fact that the Internet does not provide any good mechanisms to verify who you are actually dealing with (SSL certificates are a semi-useful additional layer designed to fix that issue).
Go back to the earliest days of the Internet and the WWW and you'll see that it was actually the opposite of anonymity. It was a bunch of physicists who wanted people to actually read their papers and give them grants ;-)
Re:Accountability (Score:5, Informative)
The whole idea of accountability is utterly stupid as long as you have a single data network that spans multiple countries. If someone in Nigeria sends you a virus or does something else illegal, WTF are you going to do about it? Nothing. There's absolutely no way you're going to make people entirely accountable for their actions as long as there's multiple governments, and worse different laws in different places. The only rational thing to do is to protect yourself.
Re: (Score:3)
There was an opportunity to try. It may even have been an opportunity to succeed, but we will likely never know, as we collectively took a different option.
Re: (Score:3, Insightful)
You might want to move then. There are 28 states with no duty to retreat there is a break-in your home. And another 17 states where you can stand your ground no matter where the attack takes place.
http://en.wikipedia.org/wiki/Castle_law#States_with_a_Stand-your-ground_Law [wikipedia.org]
About three weeks ago there was an guy in his eighties that killed a robber with a shotgun and two other ran off. The media report his heroics in defending his property, and sleeping wife. Doesn't sound like he was considered a criminal
Re: (Score:3, Interesting)
The Trayvon Martin case is a little weird, because it looks a lot like the guy sought the kid out and picked a fight with him and then shot him. That's not legal, even under the Stand Your Ground laws. We have the same kind of law here in AZ, but it's not going to protect you if you go out of your way to start a fight with someone; it just means you're allowed to defend yourself where you stand. However, you better be able to convince people that you really were physically threatened, and that (this is t
Re:Accountability (Score:4, Insightful)
I hate to point out that one of the largest failing civilisations right now is the one with the most ridiculously overbearing property rights laws. Yours. Most of us civilisations who refuse to accept the premise that any replaceable material object can be worth more than a human life are doing quite well thank you. Any argument that tries to claim that property can be worth more than life under any circumstances is inherently logically and morally flawed.
Re:Accountability (Score:4)
Any argument that tries to claim that property can be worth more than life under any circumstances is inherently logically and morally flawed.
Well, that's a logical fallacy if there is one.
Let's start at the absurd end of the spectrum to demonstrate the vapidity of your claim.
If the property is necessary for survival of its owner, then it is certainly worth more than the life of the person trying to steal it.
This could be necessary medical equipment, or even clothes in a suitably exposed setting. Stealing that property is tantamount to murder, since it will directly cause the death of its former owner.
Do you still claim that the property is worth less than life?
Let's now swing to a wild other extreme.
If you believe that no property is worth more than a human life, then why don't you give away everything you own towards the cause of saving lives? If you refuse to do so, then you are valuing your property more than human lives.
Your argument is absurd, and you don't even believe it yourself.
Re: (Score:3)
If another copy of said equipment is available, then no death occurs, so the only reason you are perceiving the property as being valuable is because of the circumstances under which it was obtained. By stealing it, you cause someone to die, which makes you guilty of killing that person. That secondary crime, ca
Re:Accountability (Score:5, Insightful)
Re: (Score:3)
Jokes on them. Slashdot went through its user haemorrhage years ago. Not sure where the users went though.
less risk? (Score:3, Interesting)
but we can still remove java and have less risk right ?
Re:less risk? (Score:5, Insightful)
but we can still remove java and have less risk right ?
Indeed. I will have to disagree with "security advisor Roger Grimes" and point out that complexity breeds bugs; bugs breed security holes; Java's JIT and supporting libraries are just way too complex for their own good. This problem is made way more severe by Java's closed development model.
Java can be made secure, just not any time soon, not until Oracle gets a clue and opens up the development process.
Re:less risk? (Score:5, Informative)
You can also not use windows and opt for linux. But is it worth it? For some, yes, I'd say that for most people it isn't.
Java runs some cool software that most have no idea it actually is Java (it can copy the look and feel of your OS). The only way to mostly fix java is to have chrome like updates. Silent, forced on you but safe.
Re:less risk? (Score:5, Interesting)
Re: (Score:3, Informative)
Package managers are not a silver bullet, because it still requires a diligent maintainer. There are plenty of software packages for the various distros, which are older versions. Running the update mechanism won't fix that.
Can't stop crims, can fix holes (Score:5, Insightful)
He may be right, but he's also totally unrealistic. Nothing you ever do will stop the "underlying problem". But we can fix security holes, and pressure companies to release more secure code.
No point hoping for what is "right", or "best". Aim for something realistic instead.
Re:Can't stop crims, can fix holes (Score:5, Insightful)
Re:Can't stop crims, can fix holes (Score:5, Interesting)
'We' can't do anything to fix security holes in "Java", unfortunately.
Only core virtual machine and class libraries have been released under the GPL + Classpath Exception. The installer, auto updater, javafx, java web start, browser plugin are proprietary Oracle.
OpenJDK might be free but Java (TM) isn't. My bet, [citation needed], is that many of these Java security holes occur in unreleased code.
Re:Can't stop crims, can fix holes (Score:5, Insightful)
You are right of course.
Further, Grimes falls headlong into the punch-bowl of the "Its popular, therefore, its attacked" Koolaid that Microsoft has been serving up for years now. With a few thousand more eyes on that source code its quite possible it could be much more secure than it is now, especially since Grimes himself points out it was originally designed with security in mind. But as long as vendors and bloggers can claim that popular platforms fall to attack simply because they are popular, we will never see much pressure for improvement.
Some popular things, like Gold Ingots, are just harder to steal because Fort Knox has better security. Even with a map, a tour, and three corrupt ex-guards on your payroll you aren't going to succeed.
The idea that we will ship code, vetted by nobody in particular, for execution on some remote machine, and then expect a software sandbox to contain that code successfully, forever, with zero maintenance is just begging for trouble. To do so without publicly vetting the platform in all of its details is foolish.
Re: (Score:3, Funny)
"Some popular things, like Gold Ingots, are just harder to steal because Fort Knox has better security. Even with a map, a tour, and three corrupt ex-guards on your payroll you aren't going to succeed."
Or employ the Goldfinger option. Drop a Nuke on Oracle, and another on on Microsoft just for giggles, and thus make all your alternate code much more valuable.
Re:Can't stop crims, can fix holes (Score:5, Insightful)
You are right of course.
Further, Grimes falls headlong into the punch-bowl of the "Its popular, therefore, its attacked" Koolaid that Microsoft has been serving up for years now. .
Here, you hit the nail on the head...but it isn't about open- versus closed-source. It's about the real problem...patching. Most exploitation involves Flash, Java or Adobe Reader vulnerabilities largely because these don't get patched as easily. Microsoft became the gold standard in patch deployment over the past several years, and as a result the time in which a Microsoft-based vulnerability can be counted on to produce botted host after botted host from a compromised website is far shorter. On the other hand, Java and Adobe both tend to lag a bit in their patching, and their systems rely upon a reboot to even look for the latest version. When Microsoft pushes a patch, within 24-36 hours I usually have it installed. I don't know how long it takes between when the latest Java engine is out and when I happen to reboot and, once my machine comes back up...ah, look! A new Java version!
Criminals will always exist, and they will go after the easier targets. Vulnerabilities will always exist. The key is to patch the vulnerabilities quickly enough and frequently enough that criminals look for lower-hanging fruit.
Re:Can't stop crims, can fix holes (Score:5, Insightful)
Microsoft became the gold standard in patch deployment over the past several years
I *actually* laughed when I read that! When Microsoft's updater can update software other than their own, THEN you can TRY saying that again. Until then all the Linux users will just shake their heads at your ignorance.
Comment removed (Score:5, Interesting)
Re: (Score:3)
You obviously do not understand the *nix updating process. In a vast majority of cases, it's not the OS vendor patching other software. The patches/updates are created and submitted by the owners (or more likely, maintainers) of the software that needs patching/updating. The patches/updates are pushed to the various distribution servers and are pulled in using a common updater process depending on the OS in question such as yum, apt, etc.
Yes, from time to time something breaks but that is pretty rare in my
That's not how it works (Score:5, Insightful)
MS wouldn't be patching 3rd party software (you're right, that'd be crazy). MS would provide a general framework for maintaining installed software which 3rd party vendors could hook into.
Instead of every package implementing its own updater with its own background service and configuration system, they'd be one updater that everyone used which presented updates to the user in a central place. Instead of 10 badly implemented updaters, you'd have one good one.
This is what all linux distributions do and it works pretty well. I expect the win8 app store will do something like this.
Re: (Score:3)
They can. It's called Systems Management Server. And it works. The reason Microsoft doesn't do it for free is because then they have to deal with all the headaches of any oddness of the software or installer. Oh, and they would also be paying for the integration and deployment costs too. This is not what businesses do for free.
Re: (Score:3)
I *actually* laughed when I read that! When Microsoft's updater can update software other than their own, THEN you can TRY saying that again.
Um, it can, and it does. It often tries to install old outdated nVidia drivers on my systems...
The problem with Windows Update is that there is no sane or timely way for producers of other software to get a patch in. And when they do, by the time the patch becomes available through Windows Update, it's already going to be several versions behind.
Re: (Score:3)
Re: (Score:2)
Really, both are necessary. If you leave your front door wide open while you go on vacation, you'll be robbed. If you put in a steel door and door frame, bars, etc but the police just smile and wave to the nice man with the cutting torch, you will be robbed.
"The authorities" seem to be pretty good at persecuting^wprosecuting 13 year old "uber hackers" but somehow can't seem to see the urgency in chasing after the less dangerous to society entities such as the Russian Mafia.
Re: (Score:3)
There's a few differences. First, it's fully possible to make a "door" on your computer that really is extremely difficult to open, sort of like a steel door made with a special kind of steel that requires 100 years with a cutting torch to open. This can be done by writing very secure code.
Secondly, the police can't do anything about criminals located in other countries. What are the police going to do about a Nigerian or Russian hacker trying to break your system? Nothing. Laws are only effective insi
Re:Can't stop crims, can fix holes (Score:5, Interesting)
Again, we've been known to bend over backwards to get our laws imposed on people in other countries when the FBI's lords and masters (the *AA) want them to. Perhaps they should use some of that to go after actual criminals rather than autistic UFO nuts and Megaupload.
Most of the Nigerian scams could be handled by insisting that U.S. banks clear checks once and for all with foreign banks (as in no take backs) before they claim that a check has cleared. That won't help people who are determined to be ripped off, but it will help a lot of people. "Identity theft" could be killed dead by making banks take responsibility when they hand wads of cash over to strangers and letting credit agencies know that if they continue repeating gossip and hearsay as if it was somehow verified information, they WILL be on the hook for libel.
The other problem (Score:5, Insightful)
Security is one problem -- the other being that you'll get sued for using it. Just ask Microsoft and Google.
Re: (Score:3, Informative)
Nobody got sued for using Java. Microsoft got sued because they called something that wasn't Java Java. Google got sued because they used the elements of Java, but not Java itself.
Re: (Score:3, Informative)
Google got sued because they made a lot of money selling a Java platform to consumers.
Which Oracle/Sun failed horribly for years at doing. (Java ME anyone?)
Fuck Oracle!
Re: (Score:2)
To be fair, Google also didn't get much money selling it. They got nearly all the money from searches.
On nearly all cases, Android is free. The only exceptions are when it comes bundled with a Google product.
Re: (Score:3)
Don't know who's right, but I do know that the Android developers I know basically call it Java. "Hey, how do you program apps for Android?" Answer is usually: "It's Java." "What's Dalvik?" Answer: "Oh, it's Google's own Java VM that runs on handsets."
Really. Programmers call it what it is.
Trying to get developers to get developers to differentiate between the Java platform and Java the language is asking us to put on legal hats that we don't want to wear.
And please don't misread this post. This isn't meant
Re:The other problem (Score:4, Funny)
You're completely pathetic.
That was fun, let's do it again sometime.
This is a stupid article (Score:5, Insightful)
Java isn't insecure, criminals just aren't being punished.
That applies to EVERY piece of software. Why should Java get a free pass?
Re: (Score:2)
Re: (Score:2)
Users not installing patches has been an issue for as long as I can remember. That is why we have Windows Update, Mac Software Update, RHN, etc.
So it's a problem with an obvious solution: add an auto-update feature to the JRE and enable it by default on desktops.
Refusing to implement a time-tested solution does not allow them to wash their hands of the problem.
Re:This is a stupid article (Score:5, Insightful)
You mean the "java update" icon in the taskbar? The one that wants to update every few months?
Yeah, I ignore it, too... It seems every update is a few hundred megabytes, and I don't really want to pay attention to it long enough to tell it to install, then come back to follow up on it. Between all of the "time-tested" self-updaters for Windows, Adobe, Apple, Google, and a dozen more I could track down if I cared to, I'm sick of the whole self-updating thing. Why the hell don't we use RSS (or equivalent) for this yet, and be able to group all the updates together in a single interface, with a single "update now" button?
I guess that'll still be a Linux-only thing for another decade or so...
Re:This is a stupid article (Score:5, Interesting)
Yeah, I think the bigger problem is that the updates are weird. It's been a while since I've had Java installed on my main machines, but the way I remember it, you'd end up with a long list of updates in your Programs and Settings panel, even when they all have the same major version number. Like... you could keep Java 1.6.19 even when you uninstalled Java 1.6.12. And they don't seem to be patches, either... like, each one adds another 350MB subdirectory to some folder in your system disk, and they all just sit there like turds.
Then there was the time Oracle tried to bundle a McAfee "security scan" [infoworld.com] in the Java updates. That really inspired confidence. "Hey, I know -- let's interrupt this vital security procedure to push crapware from our marketing partners."
No, I think Roger Grimes is wrong -- folks can and will uninstall Java. I've been avoiding it just fine, and those bespoke Java applications that we're told all these Fortune 500 companies are sitting on will eventually be replaced with Web applications.
(None of this is to say Java doesn't have a strong future in the datacenter, though.)
Re: (Score:2)
Re: (Score:2, Insightful)
In Apple's case, they had a perfectly good update mechanism, they just never released the patch.
Re: (Score:2)
Re: (Score:2, Offtopic)
Don't forget the toolbar that usually wants to come for the ride, so one has to be very careful when clicking on the Java update icon, or else one's Web browser may have a little companion with it...
Yes, it is removable, but a security update shouldn't come with crapware.
I wish Oracle would start looking for the future. Java is a gem, but eventually it will be passed up for existing solutions (C#, Flash, HTML5 on the client end, ASP on the server end) unless Oracle does something.
For example, Java updates o
Re:This is a stupid article (Score:5, Informative)
Re: (Score:3)
One of our old packages required Java 1.5 to execute certain Crystal Reports queries but would otherwise function, and there's one still in use elsewhere that requires JVM 1.4_03 and nothing else; not _02 or _04; it will refuse to run with anything else.
Re:This is a stupid article (Score:4, Informative)
> Write once, run anywhere.. my ass...
Write once, write anywhere... that has Java 1.2.3.4.5 installed. Not 1.2.3.4.4 or 1.2.3.4.6. It *MUST* be 1.2.3.4.5.
That's Java's main problem. Back in the days of DOS, a BAT or COM or EXE file that worked on DOS 1 would work on DOS 2 and 3 and 4 and 5 and 6, unless it did some really braindead version checking. The vast majority of Windows apps survive service pack security updates. But many Java apps seem to break with each sub-minor version bump.
Re: (Score:2)
I pick the same way on all third party run-time environments. Flash, Silverlight, Java, heck the browsers get a bit of slack because:
1) They get updated very often
2) I would be a Luddite if I don't have at lest one installed.
I don't need third party run-times. Java is not on my system anymore. Nor is Flash. Thanks to the wonders of standardization (sarcasm), every time a website requires flash I launch it on my phone to get a standard HTML version that does not.
Re: (Score:2)
This article was brought to you by your friendly neighbor Oracle!
soo.. (Score:4, Insightful)
We should legislate away our technical problems?
No thanks. It's been shown time and time again that not only doesn't it work, but it tends to make the technical problems worse.
If everyone thinks "i can just sue them later" them attention to security will drop even farther.
There are very good security systems out there that very few people and organizations bother to implement or continue.
Invalid argument... (Score:5, Insightful)
We punish robbers and gangsters... stores get robbed and people gangbanged every day.
We punish rapists and other sex offenders...new ones crop up.
We punish murderers and and wife beaters... people still get killed and wives beaten every day.
Punishment it little if any deterrent. In countries with far less harsh criminal penalties than the United States, the crime rate stays about even to all other industrialized countries, even given the lesser punishments.
And somehow Grimes thinks that punishing crackers (not hackers.. I am proudly one of those), is going to make a difference. Even if you did manage to snuff it out in one place (highly unlikely), the internet is worldwide and you will have places with less lax laws or corrupt officials where those of a criminal bent can launch whatever they choose.
Most crime (not all)is cause by real or perceived poverty or other social disparity. Spending billions to incarcerate the underprivileged does nothing but further this disparity and create -more- crime.
Try looking at the world with empathy instead of greed and anger and try to lift people up. You may be surprised what a difference it makes.
Re: (Score:3)
Well, it's not necesarily about deterrence. It's about accountability and keeping a criminal from doing the same thing again. That shouldn't be that hard to figure out.
Re:Invalid argument... (Score:5, Insightful)
And even if you made him a ward of the state forever, now the state has weakened whatever family he had, and made it more likely for others in his family to follow the same path. And there will ALWAYS be more criminals to replace him.
So no, it is not about deterrence. It is not about accountability even. In the United States it is about making victims feel better, and about making money for the government. Bringing in tax dollars through fear.
Re: (Score:3)
In the United States it is about making victims feel better, and about making money for the privatized prison industry.
FTFY
Re: (Score:2)
Re: (Score:3)
Punishment it little if any deterrent. In countries with far less harsh criminal penalties than the United States, the crime rate stays about even to all other industrialized countries, even given the lesser punishments.
What is a strong deterrent, though, is a high risk of getting caught. For instance, if you put your criminal justice resources into hiring police, training them to be more effective at tracking down crimes, and building trust with the citizens (so they'll be more likely to volunteer information), that gives you a lot better results than putting your money into keeping people in prison longer for having a bag of weed.
what? (Score:3)
there are people who grow up in grinding poverty who would never do anything unethical
then there are assholes like this:
http://en.wikipedia.org/wiki/Leopold_and_Loeb [wikipedia.org]
very intelligent, very rich, and they decided to kill a 14 year old just for the hell of it. why? because evil is real in this world, and it exists independent of poverty, neither as cause nor effect, and independent of stupidity, neither as cause nor effect
class != morality != intelligence
there are poor people who are good
there are dumb people
Re: (Score:3)
But by and large, walk into any prison in America and take a census. You will find that at a minimum 70%-80% grew up in poor, broken homes with dysfunctional families.
If this country spent as much effort and resources in helping to fix families, in making sure children had proper role models, in truly ending pove
Re: (Score:2)
"You will find that at a minimum 70%-80% grew up in poor, broken homes with dysfunctional families."
There's another possible reason for that. They're the ones who can't afford spiffy lawyers.
Re: (Score:2)
ever hear the phrase "those with the best intentions can do the most damage?"
i don't know about this very common meme about the usa having such a large prison population: i think if you go to some poor country rife with petty corruption, you'd find most poor people in favor of increasing the prison population
the greatest perpetrator of poverty is criminality. behavior, not socioeconomics. so you stop poverty most effectively by cracking down on criminal behavior. this can occur independently and at the same
Re: (Score:2, Informative)
Actually, most crime is the result of opportunity, not poverty. It's not so much class psychology or class deprivation (in the Western world real deprivation is uncommon), but that lower income people tend to live in communities where crime is easier because of 1) underfunded enforcement and 2) cheaper targets. Crime is an evolutionary strategy, and there's no reason to think that the genes aren't evenly spread throughout the society, especially considering how the lower and upper classes mix so readily thr
Re: (Score:2)
There are some countries in the world where the punishment for some crimes is physical torture. It is incredibly painful, and in our western culture, it's considered dehumanizing, but it's worth nothing that those countries don't really have a serious repeat offender problem.
FTFY. I think we've found a solution to America's problems right here.
It doesn't matter if they are innocent (Score:2)
Swift public punishment of convicted offenders is intended to act as a deterrent for the rest of society. It's not to reform the offender, and it's not to provide justice for the victim or the victims family.
I don't necessarily agree with taking Rousseau's Social Contract to that extreme, but that's the theory in practice in these situations.
-- Terry
story summary != story (Score:5, Funny)
Title:
Why Elephants Are Large
Story:
An Elephant's trunk is very flexible. Even more amazing are the flexible snakes in the grass. Click this link to learn all about why bird's eggs are shaped the way they are.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
thank you
Get away with crime? (Score:5, Funny)
Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty.
Beloved, this is not being true! I have sure-fire way to stop crimes and makes you not being victims of many internet crimes ever. Alls I needs is your passwords to your accounts, and I makes them very secures. Especially yours banks passwords accounts numbers, I very much promising. I extra interested if you been scammed before. I help most much.
To show I most sincere, I also give you free 500 Viagra pills extra-effective man-stick for your every account you wants me protect! Your woman moan against your amazing he umbrella many time.
The problem of accountability (Score:4, Insightful)
They (cyber criminals) almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.
Hang on... what about the accountability of the software producer? Oh, yeah, the DISCLAIMER in the copyright/license legalese... it passes the responsibility to deal with the effects to the users. So why are the users complaining?
Before you jump on my throat: I reckon the "social cost" of going after hackers would be higher than the cost of the "war on drugs" (even if only because a running software is intangible and the attack vectors are easier to anonymize).
Even more, the "cost of discovering/deterring/preventing the cyber criminals" will be supported from taxes, even if the bug allowing the exploited is caused by the software producer... feels like a great incentive to reduce the cost of quality assurance stages in a software project, by externalizing them to the society... that's what corporations are excellent at, ain't it?
Re: (Score:2)
Well maybe the issue is more about making it obvious to the user that they need to install updates, making that process as unobtrusive as possible, and providing incentives to companies to do this well. God forbid, maybe even government regulations (although I don't think we're at that stage yet) on how these things have to behave, so that my java updates, my adobe updates my windows updates, my firefox/chrome/ie updates all come in roughly the same style and roughly the same way and with an ease of unders
Incompatabilities... (Score:3, Insightful)
I'm sure Java would be kept a lot more up to date if version 'x' could still run software built when version 'n' was current.
Java Update for Windows sucks; Java's fault. (Score:2, Insightful)
The Java Update notification shows up in the tray (on Windows Vista and XP), you click on it and get an error message to the effect of Java couldn't be downloaded or installed. What I have to do is logout and log back in as the Admin. Now, it would be nice if there were some program in the Programs list were I could click on it and just do an update, or easily bring up the java console - like Windows Update is easy to find and run. With Java, I have to search the web or better yet, bring up a page with a ja
Not just unpatched Java (Score:5, Insightful)
The big security problem with Java software is that you can't differentiate between them since they all run on the jvm. For example, you can't block net access from a Java program in a firewall, because you would have to block the whole jvm.
Zero day exploits sure...but zero month?? (Score:3)
Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes.
I'd like to see a reliable reference for this.
Would also like to know the impact of "zero month" exploits. Much more relevant, since Java's auto-updater pings once a month.
Personally I only use Java for a handful of local applications, and I always disable the auto-updater attack vector.
DEP and ASLR. (Score:2)
Does anybody still run Java applets? (Score:2)
I haven't had Java installed on my desktop machines in years, and don't seem to be missing out on anything. Some of the less important OpenOffice functions didn't work, but that was about it.
Yes, but very few (Score:2)
I have Java installed on my systems, but have the Java plugin disabled in the web browsers I regularly use. I came across exactly one site that required a Java applet to run in the last year or so: a system to book appointments at the local government office. Maybe it's different in the enterprise; the last big company I worked for had some kind of SAP front-end as a Java applet. But for home use Java is no longer necessary on a daily basis.
Re: (Score:2)
Re: (Score:2)
I help manage a BlueCat Adonis and this requires a Java application (not an applet) to run. Our Cisco AnyConnect VPN uses Java to install the client unless you're using Internet Explorer, which uses ActiveX.
At home I will sometimes use the DBGL front-end for DOSBox, which is Java-based.
Other than the Cisco thing, I can't think of the last time I had to run Java in a browser.
That's an odd conclusion. (Score:2)
Blame the developers... (Score:2)
The problem isn't applying patches. The problems occur when applying the patch causes a mission critical application, or a very critical application to the end user to stop working. The end result is the IT department ends up fielding a ton of phone calls from irate users, and / or getting blamed for the patch, even if they have nothing to do with it.
It is no wonder IT departments are always behind on getting patches rolled out. They need / want to test them.
And if an individual or department have some sort
Wrong! (Score:2)
I dump java all the time. Try kill -3 `pidof java`
Re: (Score:2)
Do you have any religious aversion to the 'killall' command?
Also, what is the difference between SIGTERM and SIGQUIT?
Penalties (Score:3)
Because we can't do anything. We're helpless (never mind keeping up to date on Java patches). It's all hopeless. We need authority to trace the criminals and possibly take preemptive measures to shut them down and seize their servers.
And then all you do is chase down people sharing Lady Gaga MP3s. Yeah, right.
The real answer (Score:2)
As much as it sucks to have a vendor pushing patches without explicit dialogs/permission, I would argue that the global damage from lack of patches far outweighs the downsides at this point.
This is one area Chrome gets right. Java (along with Firefox, Windows, et al) should automatically download and apply all security patches without prompting or notifying the user in any way unless you go in and manually disable it.
I've seen people see the Windows Update dialog and immediately click cancel. They just see
I dumped Java a while back (Score:2)
At least in my web browsers. Can't say I've noticed that anything useful has been affected. Heck, I'm not sure I've seen any affect at all.
Besides, understanding what the real root cause of these Java exploits is has very little bearing on whether I can dump Java. I can choose to dump it regardless of its relative security. On the web, client-side Java tends to make Flash look light and nimble - so I said no thanks to Java some time ago.
If I could dump Java, I would (Score:2)
But that isn't going to happen as long as we have $600K of Oracle ERP software running in the company.
Re: (Score:3)
But that isn't going to happen as long as we have $600K of Oracle ERP software running in the company.
dooooood.... don't you know it instantly loses the better half of its value the moment you drive it off the lot? Oracle software is like an oversized RV, or a boat, even a really nice expensive boat. It doesn't matter that it cost $2.4 million to build it, the day you bought it for that, it was really only worth half that, and after its been in the water, its often worth negative fortunes.
Oracle v. Google is why I want to dump java (Score:2)
One of the reasons that I can't dump java is because I still use a bunch of software written in java like, say, apps on Android. And don't forget that there are pieces of software like LibreOffice [documentfoundation.org] that still have legacy dependencies on java. Sure, LO is working on rewriting those pieces, but it won't happen overnight.
Even if Oracle loses regarding copyright and patents on the Java language, the Java APIs, etc.., they have shown that they regard the Java language as a business bargaining chip and not as an u
The Reason Why You Can't Dump Java... (Score:2)
Old Java (Score:2)
Unfortunately a lot of us have to keep old versions of java around and apps are free to ask for old versions and get them. Java for being "portable" is far far from it every java app only seems to works on a specific range of java versions. You know those fun apps networking kit seems to love. Work with a few different vendors and different version of there firmware and quickly you need a half dozen outdated versions installed.
Unpatched Java? Blame the patching process! (Score:5, Interesting)
Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of.
And so the appropriate thing is to see why in the heck we don't have all software always patched up to date. And the reason for that in Java is that it's bloody stupid updater takes 5 minutes and 10 clicks. Change it to be like Chrome -- background auto-update itself silently* with zero user input (or one click) -- and you'll have 99% of the installs up to date without issue.
To be clear, for the control-freak BOFHs, enterprisey people and hobbyists that actually enjoy computer maintenance, there should be a checkbox in options that says "Disable All Automatic Updating until I uncheck this box". If the user checks it, turn on the webcam and require them to raise their right hand and swear "I AM RESPONSIBLE FOR KEEPING THIS SOFTWARE UPDATED, ANY ILL THAT BEFALLS ME FROM NOT PATCHING IS MY OWN DAMNED FAULT AND I DESERVE IT". Make sure that preference persist between installs.
IOW, I'm not saying everyone has to do automatic silent updating, I'm saying that it should be the default setting unless the user expresses a desire to maintain it updated himself and is appraised of the risk of doing so. Let the user decide, but provide a better default behavior that's appropriate for most users.
One word why I can't quit Java (Score:3)
Minecraft.
I can an did and won't go back. (Score:3)
I pulled Java off of all my systems because of the incessant nagging of updates and the fact is would add 16 versions to the computer rather then updating a single version. I found that anything using Java on a desktop was not useful or missed anyways.
I've also gotten rid of Adobe (service) products for the same reason, ridiculously annoying install nagging and update process and yet another security hole with not much benefit. Silverlight too.
The only reason for a website to use Java technology these days is because "the fossil" a company hired 20 years ago refuses to learn something new.
The only reason for a website to use Flash is because they got a bunch of graphic designers who will crap their pants if they see an actual line of code.
The only reason for a website to use Silverlight is because Microsoft wanted fossils and graphic designers to use their platform instead.
As for updating, FTW would companies please adopt Google's model in Chrome of constant BACKGROUND updating rather then nagging "You have an update!" popup's or explicitly requiring to manually update. I love the fact that the software I am running is known to be current, relevant, stable, and secure without having to do anything but simply use the product.
The best way for a company or technology to become irrelevant is to constantly announce your failures and expect people to invest time and effort to fix them.
Re: (Score:2)
I don't think the OP's primary concern was with exploits, but with the general ugliness of java.
Re: (Score:2)
Someone's doing it wrong, then. Java Update will normally pop up a UAC window to execute, then possibly another if a new version exists to install.
If your admin has disallowed it, then they should be using Active Directory to push out .MSIs for each new release of the JRE.
We're now up to Java 1.6 update 32 or 1.7 update 4, with the former recommended for production use.