Java Zero-Day Vulnerability Rolled Into Exploit Packs
tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."
Just remove Java and get it over with (Score:2, Insightful)
At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.
If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.
It sucks more in the corporat
Re: (Score:2)
Re: (Score:2)
Same in Denmark - and we need it for .gov interaction as well. Remove the plugin from your primary browser, keep it in a secondary browser you launch just for Java stuff - and if you're slightly paranoid, keep that secondary browser in a virtual machine.
Re:Just remove Java and get it over with (Score:4, Interesting)
Here in Norway we are required to have it to do online banking :(
I refuse to bank online, and I would ESPECIALLY refuse to bank online if the bank demanded java. If I want to check my balance I'll call them; I never heard of anyone getting rooted over a voice-only phone call.
In fact, I use my credit card as little as possible online. Yes, I'm paranoid... but my computers haven't been infected with anything since my daughter installed the XCP trojan Sony provided on a CD she bought at the store she worked at.
If I do get rooted, there's no sensitive information whatever on my PCs or phone.
Re: (Score:3)
never heard of anyone getting rooted over a voice-only phone call.
Bank fraud is hardly new to the internet. You can bank on the internet quite safely if you do it from a VM that you only use for that purpose - and I strongly recommend that approach. I use a credit card freely online, but it's one with a $0 fraud protection guarantee.
Re: (Score:2)
Hi. (Online) Security Officer for a large bank here. I deal with Phishing, Malware and the likes on a daily basis. You are partially right: Most of the attacks we observe tend to rely on an online vector. However, mixed-media has seen a great rise throughout 2012, the most popular attack being phishing coupled with voice-only phone calls.
From our point of view, we can bring a lot of defense mechanisms into our online services, while phone-b
Re: (Score:2)
Thank you for that, it was informative. I really don't have any reason to bank online, and know better than to give any sensitive info to anyone who calls me.
Re: (Score:2, Flamebait)
Re: (Score:2)
Re: (Score:3)
If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.
This has been my situation for the last few years (though not for Minecraft).
Adobe's Flash/Shockwave more or less killed java for the average user.
/the mass of exploits that is flash makes for another conversation entirely
Re: (Score:2, Informative)
Please, stop the FUD already. All the security holes have been accessed via the java browser plugin, so just disabling the plugin is enough. ... and while you're at it, disable the .NET browser plugin. Just as many security holes have been found in that component as java.
There is no need to uninstall JRE (If you have Java installed on your system, then you probably need it for something)
Comment removed (Score:5, Informative)
Re: (Score:2)
Sorry, to correct my previous post.
Java does indeed overwrite system settings, however both Chrome and Firefox ignore the system setting and the plugin remains disabled.
Re: (Score:2)
Re: (Score:3)
Hear, hear. The amount of updates released to keep .Net secure is the same or more than the security updates for JRE/JDK/JVM.
People just seem to get off on bashing Java it seems.
Re:Just remove Java and get it over with (Score:4, Insightful)
While we are at it let's get rid of Python and Ruby which are associated with web exploits in recent news (The Ruby SQL injection being the latest) . It would make more sense to say "Just remove java plugins".
Don't punish an entire language because of a bad implementation of a function that either uses the language or extends the language into where it really isn't needed anymore.
Re: (Score:2)
Re: (Score:3)
Re:Just remove Java and get it over with (Score:4, Insightful)
So what do we have left after scorching the earth? Nothing? They're all vulnerable and all need to be maintained and patched. Java is not alone and not really any worse than any other technology.
Or instead we could get real and demand that browsers fix their plugin model and run plugins with almost no privileges, ya know, as Unix/Linux does for services. That way the inevitable security holes are not catastrophic as they are now, and we don't have to do "denial of service" on ourselves by removing useful tools and technologies.
Re: (Score:2)
Are you a $hill, by chance ?
No such luck, I wish I could get paid for promoting Java. I just use it everyday for development. I find that there is still no alternative to Java that meets *my* requirements (and I understand it meets the needs of many others for lots of reasons, which I won't go into here). That's why I choose to address the anti-Java hysteria.
Re: (Score:2)
At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.
It's used on a lot of websites to launch various games and applets to do things like search a database of parts. The same argument could be used for ActiveX controls and yet, you can't go online for very long without running into someone's website that uses it.
But for home users? Just remove it and make your life easier.
It'd be better to use something like NoScript to control access to it. I pair it with other plugins that prevent cross-site scripting, as most of these exploits take advantage of advertising link-ins to popular websites.
Re: (Score:2)
How do we play Minecraft then? :P
Re:Just remove Java and get it over with (Score:4, Funny)
But... but... Javascript is used all over the Web. You'd break almost everything if you uninstalled Java!
I see. Have you tried turning it off and on again?
Is it definitely plugged in?
Re:Just remove Java and get it over with (Score:5, Funny)
Customer: The 10 key? Do you mean F10?
Support: No. The 10 key is a black rocker on the back of the computer with a 1 and a 0. Pushing that will make your computer secure.
Re: (Score:3)
You must have an old computer. My 10 key is next to the cup holder on the front.
Re: (Score:2)
You take the TIOBE numbers to mean anything whatsoever? Interesting.
If you actually have something that uses Java on your home machine (though most users don't), disable the browser plugin. That solves the problem, assuming Java's updater doesn't go and turn it back on.
Re: (Score:2)
You take the TIOBE numbers to mean anything whatsoever? Interesting.
The TIOBE numbers are considered approximate, yet you fail to provide any alternative numbers and scoff at the approximation. Java rules the Enterprise, many development tools, and some games (IL-2, Minecraft, Take on Helicopters, the upcoming Arma3). The Java browser plugin may be as problematic as Flash or the .NET plugin (Silverlight), but the Java Runtime Environment (JRE) itself is solid and very, very fast (which is why many developers, myself included, prefer Java to alternative development platforms).
Re: (Score:2)
Which was specifically mentioned in the comment you're replying to. Awesome attempt at reading comprehension though!
Re: (Score:2)
Paunch? (Score:2)
How has the exploit maker gone unfound? (Score:5, Insightful)
Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?
Re:How has the exploit maker gone unfound? (Score:4, Interesting)
Follow the money and you probably find that various three letter agencies are his main customers.
Re: (Score:2)
Re: (Score:2)
Is finding a bug and writing an exploit for it illegal yet?
Re: (Score:2)
Re:How has the exploit maker gone unfound? (Score:4, Insightful)
The mechanism that keeps his clients from cheating him is presumably the same mechanism that operates in every black market. Threat of retaliation. As for why they don't just follow the money, my guess is that it goes through some completely unregulated bank with a quickly opened then closed account for each transaction, in combination with hush money to appropriate government officials.
Re: (Score:3)
Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down?
Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know.
If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.
Re: (Score:3)
Explain laws against selling drug paraphernalia, subsections of the DMCA, or consumer protection against malware laws in several states like California, Arizona, Indiana and others...
Re: (Score:2)
Explain laws against selling drug paraphernalia,
"Drug paraphernalia" is illegal to sell because it contains traces of illegal drugs, not because of what it is. That's why you can buy a brand new "water tobacco pipe" from a head shop, but not a used bong (water pipe that has been used to smoke marijuana), even though they are the exact same piece of equipment.
subsections of the DMCA,
Such as?
consumer protection against malware laws in several states like California, Arizona, Indiana and others...
A) Again, such as? If you can't cite specific ordinance, I'm inclined to call bullshit.
B) State law != federal law. I'm certain some municipalities have laws against selling slim-jims (aut
Re: (Score:2)
Wishful thinking. Let me introduce you to 21 USC 863 [cornell.edu] specifically where it defines the term drug paraphernalia:
The term “drug paraphernalia” means any equipment, product, or material of any kind which is primarily intended or designed for use in manufacturing, compounding, converting, concealing, producing, processing, preparing, injecting, ingesting, inhaling, or otherwise introduci
Re: (Score:2)
Wishful thinking. Let me introduce you to 21 USC 863 [cornell.edu] specifically where it defines the term drug paraphernalia:
The term “drug paraphernalia” means any equipment, product, or material of any kind which is primarily intended or designed for use in manufacturing, compounding, converting, concealing, producing, processing, preparing, injecting, ingesting, inhaling, or otherwise introducing into the human body a controlled substance, possession of which is unlawful under this subchapter. It includes items primarily intended or designed for use in ingesting, inhaling, or otherwise introducing marijuana, [1] cocaine, hashish, hashish oil, PCP, methamphetamine, or amphetamines into the human body, such as—
(1) metal, wooden, acrylic, glass, stone, plastic, or ceramic pipes with or without screens, permanent screens, hashish heads, or punctured metal bowls; (2) water pipes; (3) carburetion tubes and devices; (4) smoking and carburetion masks; (5) roach clips: meaning objects used to hold burning material, such as a marihuana cigarette, that has become too small or too short to be held in the hand; (6) miniature spoons with level capacities of one-tenth cubic centimeter or less; (7) chamber pipes; (8) carburetor pipes; (9) electric pipes; (10) air-driven pipes; (11) chillums; (12) bongs; (13) ice pipes or chillers; (14) wired cigarette papers; or (15) cocaine freebase kits.
Yet I can still walk into any of the dozen or so head shops in town, and walk out with any of those items, legally. All the proprietors have to do is put a little sticker on the object that states, "FOR TOBACCO USE ONLY," and bip-bang-boom, not drug paraphernalia.
This statute was used as the basis for Operation Pipe Dreams [wikipedia.org] where 55 people were indicted and charged for trafficking in illegal drug paraphernalia.
According to the link you provided, the only arrests made were in Pennsylvania and Iowa. Not really what I would consider the national dragnet that you're making it out to be.
17 USC 1201 section (2) [copyright.gov] states:
(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that — (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
As I said before, if the sole purpose of the kit was crime, you'd have a
Re: (Score:2)
Let's go back to your post:
You gave a premise that the government could not legally 'shut down' anyone and everyone capable of using a tool for crime.
I gave three of where "the government" could and have. You didn't say what type of gover
Re: (Score:2)
I believe most people will equate the "government" as being either federal, state, or local. You don't see dis
Re: (Score:2)
I'm the petulant one? I'm not the one declaring someone's comments as bullshit nor am I the one calling people asshole. All I do is give information. I can bring the horse to water but I can't make him drink.
I never declared anyone's comment as bullshit, you inferred that because that's what you wanted to think; if you go back and re-read my comment, I said that I would be forced to call bullshit on your claims if you failed to provide reference. The reference was provided, and I did not declare the claims bullshit as a result.
In the same fashion, I never called anyone an asshole - I merely pointed out that by making such petulant accusations as
I should have known that since you accused me of "bullshit" that you wouldn't accept counter examples to your statement.
Followed by needless snark:
One day you may figure out Google.
makes you look like an uptight assho
Re: (Score:2)
No harm no foul.
I still don't understand why you consider jurisdiction significant.
Re: (Score:2)
No harm no foul.
I still don't understand why you consider jurisdiction significant.
Because it is.
Consider this case of the exploit kit maker: Presuming he lives in a city/county/state that does not have a law that explicitly makes his sale of the exploit kit a criminal act, then he cannot be charged with any crime, as there definitely is not a federal law against making available tools which can be used for crime (assuming, of course, this isn't the tools only stated purpose; with the exploit kit, it is a reasonable assumption that the tools can be used to prevent crime as well, and th
Re: (Score:2)
I don't think the OP took locality in account, and you must admit in today's political environment it doesn't take much to make a federal case out of any issue.
For the record, the items that I went into detail were federal statutes.
Re: (Score:2)
One could argue as packaged what he is selling amounts to the digital equivalent of criminals tools. There absolutely are laws that bar you from selling tools specifically designed for criminal use. That is why it's hard to get lock pick sets etc in many places.
There are plenty of ways to publish the info anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes if you give me a white paper that describes the resulting offsets you got
Re: (Score:2)
One could argue as packaged what he is selling amounts to the digital equivalent of criminals tools.
One could argue that about hardware stores, too, but that person would get laughed out of the room, and rightly so.
There absolutely are laws that bar you from selling tools specifically designed for criminal use.
On a federal level? Cite the statute, or STFU.
There are plenty of ways to publish the info anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes if you give me a white paper that describes the resulting offsets you got from the fuzzer you wrote, and some memory locations large enough for shell code I can put together a C program in moments to do something nasty, as can tens of thousands of others, but that is the risk of living in a free society. Odds are pretty good you have by not passing out binaries raised the bar enough that the folks who can use the information for evil have other economic opportunities.
Preface: Cars are often used for criminal acts.
So, to bring out the oft-over used car analogy - what you're saying here is that you believe would be legally OK for GM to release the instructions on how to make a car, but if they actually build cars and sell them, they're guilty of encouraging crime?
I shouldn't even have to point out how ridicul
Re: (Score:2)
Funny thing I do work in IT security. I'm pretty familiar with many of the exploit kits out there and regularly work with (I won't drop names) one of the developers of a more popular one.
The thing is while they are fun to play with I don't see them adding lots of value. I am not suggesting any information be censored here. Publish your whitepaper with details about how an exploit works, publish the source code even! I draw the line at a slick little binary with GUI interface. Things like Backtrack just bei
Re:How has the exploit maker gone unfound? (Score:5, Interesting)
There's a person finding exploits for $10,000 per month and Oracle, Microsoft and Adobe don't subscribe to it? That's just silly.
Re: (Score:2)
They offer a hosted service, they don't give the exploits to customers.
When I said before that I couldn't have any less respect for things hosted "in the cloud" for no good reason, I see I was wrong.
Re: (Score:2)
I have been wondering this ever since this guy surfaced. My assumption now is that he is an FBI honeypot. They don't mind letting a few actual Java/Webstart vulns into the wild to give them credibility because they (the FBI) are
1. not really in the business of protecting the ordinary citizen.
2. secretly at least of the mostly correct opinion any assets put at risk by these vulns are either controlled by those up on these things, capable of working around the issues and securing them anyway or operating
Re: (Score:2)
I did not mean to imply he necessarily was working for them. Although I would not discount that as a possibility. I do expect they know who he is one way or another, and as I stated they probably view these java exploits as not a threat to someone who is not most likely already a victim.
My guesses would be one of the following are true:
1. He is a direct FBI plant, on the payroll and informs on his customers.
2. He has a handshake agreement with the FBI to let him run his little racket and make what money he c
Re: (Score:2)
Safer browsing (Score:2)
Disable Flash and Java. Most websites with video will work fine, even if some require to change your user-agent to "iPad".
What do you mean, your browser can't display H.264 natively? Get a real browser.
The bigger surprise... (Score:2)
Why does Slashdot glorify hackers? (Score:5, Insightful)
These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!
Re:Why does Slashdot glorify hackers? (Score:5, Interesting)
I suppose because on some level, we identify with the hacker. Our way of life is under constant assault by well-financed interests. The collective geek culture rejects the notion that ideas can be owned. Knowledge is power, and because of that, it should be shared freely and widely. Our culture rejects the limitations of online freedom that everyone wants -- whether it's bloggers in Iran being disappeared for providing updates on what their government is up to, to China's appetite for suppressing western influences, to our own government's desire for internet kill switches and pervasive monitoring. All of this gets in the way of free and unfettered access to information, something geeks believe is a cultural heritage and the right to access granted to all human beings. Geeks... are idealists and creatives.
And when we see our creations turned against us, used to corrupt the ideals that gave birth to them, there is a certain artistic desire to destroy it because its beauty has been tarnished. It's something that you can find historical and literary examples of dating back to pre-greek times. So on some level, we identify with the so-called "bad guys", because they're hurting the people who are hurting us.
Sure, morally, ethically, we can recognize that it's wrong and destructive. We know that it only emboldens the destroyers and usurpers of our lifestyle to pass even more restrictive edicts and arrest more people, but psychologically it doesn't matter. We ourselves are powerless so when we see others in the same boat doing powerful things against powerful people, it's very enticing to support them no matter their motivations.
There are 2 archetypes of bad Java coders (Score:3, Insightful)
I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:
1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.
2) The people who "Would rather be coding something else". Often (but not always) a bit older engineers who might not have had any education in Java and any understanding they do have (whether it's from formal education o
Re: (Score:2)
The most troublesome Java coders are the ones who see themselves as genius design pattern architects rather than common coders. What drove me away from Java was trying to use libraries with names like AbstractSingletonFactoryBridgeAdapterDecoratorFacadeStrategyObserver. That group has turned using Java from something straightforward you could keep the design of in your head--an underrated benefit of C impacting why C++ never displaced it--into one where you need a tool like Eclipse just to figure out how
Re: (Score:2)
C was never used as a platform for web applets. Guess what could have happened in that way (hint: 99% of the Microsoft Windows/Office/Adobe/etc viruses.)
He needs got (Score:3)
bigger interests are at play (Score:2)
Seth
Re: (Score:2)
In Soviet Russia Java exploits you!
Does it run on Linux? (Score:2)
Re:Oh Java... (Score:5, Insightful)
Re:Oh Java... (Score:5, Insightful)
Why would you not develop systems in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.
Re: (Score:2)
Re: (Score:3, Informative)
Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.
Nobody uses applets for anything anymore - except the baddies - disable the java browser plugin and be done with it. Webstart is not the problem.
Re: (Score:2)
Applets run in the same environment as webstart these days.
Re: (Score:2)
Applets run in the same environment as webstart these days.
Not really. They obey similar sandbox rules.
But key here is that applets are embedded objects running in the context of the browser (Java plugin). A webstart application is essentially a download of an xml description file (jnlp) and a new javaws process handles this. You can easily configure your browser to download jnlp files instead of opening them with javaws.
Re: (Score:2)
Applets now run within separate processes. Additionally, they are now deployed using jnlp in the same way as webstart.
Java plugin2 (from Java6u10) changed a lot...
Re: (Score:2)
Re:Oh Java... (Score:4, Interesting)
All the Java problems were with applets. Considering how many security problems were with Flash too, maybe the problem is with the browser APIs.
Re:Oh Java... (Score:4, Informative)
Re:Oh Java... (Score:5, Informative)
Sure, but I have No Script installed to keep it from running except when I need it to.
Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.
In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.
Hell, a lot of the tools I need to run daily for work are in Java.
Re: (Score:3, Informative)
I don't know why it isn't enabled by default, but Firefox has a click-to-play plugins option that should dramatically reduce the exposure to exploits like this. So NoScript isn't required.
about:config
plugins.click_to_play = true
Re: (Score:2)
Noscript also stops most JavaScript, which is another potential source of nuisance.
I prefer to have everything blocked and controllable by default, if I want it, I'll run it -- otherwise, your flashing monkey isn't going to happen.
Re: (Score:2)
Don't forget 64-bit Firefox.
Re: (Score:2, Funny)
Don't forget 64-bit Firefox.
Or all the other 64-bit browsers.
Oh, I just realised he's running on that wacky Windows thing, where the OS is 64-bit but 99% of apps are still 32-bit.
Re:Oh Java... (Score:5, Insightful)
You know the difference between a browser plugin and the JRE?
Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?
Re: (Score:2)
Re: (Score:2)
What does "online java application" mean? The app opens a network connection and communicates with some other host?
Such an app would not become more safe if it were written in, say, C++ or C# or most other languages.
The danger about java is in the browser plugin, because it downloads and runs untrusted byte code. This is about as unsafe as using an ordinary browser with java script enabled - which also downloads and runs untrusted code.
Re: (Score:3)
my bank requires it.
most browsers today though ask per page if you want to run it, don't they? at least firefox does..
Re: (Score:2)
My normal browser runs as a different user from my logged in user account. My bank browser runs as yet another user. So pwning my normal browser still requires a privilege escalation to affect my main user account or my banking stuff.
My main account has access to the files and folders of the normal browser account. But not the other way around.
Re: (Score:3)
Your bank requires Java, not Javascript? Are you in the US? I've never seen that before, though I hear web-based banking varies considerably between countries.
Re: (Score:2)
Re: (Score:2)
I do. I administrate/develop for/run a server that is built on java :-(
Also, anyone who plays Minecraft would have it installed.
Re:Oh Java... (Score:5, Insightful)
At this point does any tech-savvy user not know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.
Re: (Score:2)
We're talking about Java, not JavaScript.
Re: (Score:2)
Are you responding to me? jQuery is a JavaScript library, and the Java plugin and JRE aren't bundled with every modern browser (or really any that I can think of).
Re: (Score:3)
Sure, I have the JRE installed on my work laptop - but I sure as hell don't have the browser plugin installed. Nor Flash, nor AdobePDF. When I need Flash, I fire up Chrome for that particular site. When I need Java (which us Danes sadly do for online banking and government interaction), I fire up a virtual machine image dedicated just for that.
And my main browser, FireFox, has NoScript, AdBlockPlus, Ghostery and Certificate Patrol (any more addons I should know about?), work laptop as well as my own machine
Re:Oh Java... (Score:4, Informative)
> False. You don't need the Java browser plugin for Minecraft, only the JRE.
His statement is true. Having the JRE installed is having Java installed. It is correct that the browser plugin is unnecessary. But his original statement is entirely correct.
Re:Oh Java... (Score:5, Informative)
and the latest Java 7 update added features to disable Java applets and JNLP from browsers, that way if you need Java for an application like Eclipse, but don't need Java on the browser, you can secure yourself
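Two mitigations mentioned in this thread, the Firefox `plugins.click_to_play` preference and the Java 7 switch that turns off applets and JNLP in browsers, can be checked from configuration files; the following is an added example, not code from any commenter or from Oracle or Mozilla. It assumes the Java switch is stored as `deployment.webjava.enabled` in `deployment.properties` (the name used in Oracle's deployment configuration documentation, not stated on this page) and that a missing key means Java content is still enabled; the sample file contents are constructed.

```python
import re

# Constructed sample inputs (not taken from any real machine).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", true);
'''

SAMPLE_DEPLOYMENT_PROPERTIES = '''\
#deployment.properties
deployment.version=7.0
deployment.webjava.enabled = false
'''

# One user_pref("name", value); statement per line, as Firefox writes prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
# Java .properties: key ends at '=', ':' or whitespace (escapes are not handled).
PROP_RE = re.compile(r'^([^=:\s]+)\s*[=:]?\s*(.*)$')


def parse_prefs_js(text):
    """Return {name: value}; a later line for the same pref overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and anything that is not a user_pref() call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def parse_properties(text):
    """Minimal reader for key=value / key:value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(prefs_text, properties_text):
    """Return a list of findings; an empty list means both mitigations are set."""
    findings = []
    prefs = parse_prefs_js(prefs_text)
    # Per the comment above, click-to-play is off unless explicitly set to true.
    if prefs.get("plugins.click_to_play") is not True:
        findings.append("firefox: plugins.click_to_play is not true")
    props = parse_properties(properties_text)
    # Assumption: an absent key means browser Java content is still enabled.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("java: deployment.webjava.enabled is not false")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS_JS, SAMPLE_DEPLOYMENT_PROPERTIES) or ["no findings"]:
        print(finding)
```
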
Re: (Score:2)
... etc
It is the libraries that matter, not the language. Add libraries and y
Re: (Score:3)
Re:cluelessness of slashdot (Score:4, Insightful)
For fun? Minecraft.
For work? Burp suite (there are other HTTP proxies, but none that do as well what I need them to do).
There's also things like Eclipse and NetBeans (developers are people too... even if they are Java developers), of course... Java begets Java, to a certain degree, and there's already so much Java out there that it's pretty much impossible to stop creating more of it anytime in the reasonable future.
Re: (Score:2)
Re: (Score:2)
Exploit kits are not illegal. They have legit uses for testing your own security. For example, see Metasploit, which includes a large suite of exploits.