Even homeland security tells you to disable java

[the_tyrant]

http://www.zdnet.com/homeland-securi...aw-7000009713/

Quote:

The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.

[longam]

Firefox has disabled it by default a while back.

[Skybird]

Quote:

Originally Posted by the_tyrant

http://www.zdnet.com/homeland-securi...aw-7000009713/

What took them so long...??? Hesitence to give up unfounded optimism? Other offices (foreign nations I mean) issued such warnings already years ago.

[the_tyrant]

Quote:

Originally Posted by Skybird

What took them so long...??? Hesitence to give up unfounded optimism? Other offices (foreign nations I mean) issued such warnings already years ago.

you don't really kill off the world's second most popular programming language: http://langpop.com/ http://jobstractor.com/monthly-stats

Before someone says that java is used for a lot more than just browser applets, yes that is true. However, browser applets are an extremely popular use for java, and java is probably the world's second most popular browser plugin (after flash)

You can't just kill off one of the most commonly used applications for the world's second most popular programming language (most popular managed language) in one stroke.


Also, previously, Oracle has been pretty decent with patching java issues. Usually they can get a patch out before the exploit is widely deployed. However, last week, there was a significant vulnerability that is still not patched now, and exploits are pretty much found everywhere now. Also, this vulnerability is caused by a poorly written patch for a previous vulnerability.

When java first came out, the technology of choice was ActiveX. Back than, one of Java's biggest selling points was the fact that it was secure (ActiveX didn't even claim to be ultra secure). But in recent years, Java's security implementation is really falling behind.

[Skybird]

European security offices and authorities, amongst them German federal police and the Federal Office for IT security, have issued warnings against Java long time ago. I think something like that was done by the Russian authorities longer while back, too. I even seem to recall that even the FBI has issued a warning against Java years ago, but I am not certain anymore, and may be wrong there.

We have also had warnings by the Federal Police and/or the Federal Office for IT Security about browsers and online services, namely Chrome, namely Google+. Plus warnings about Facebook. The EU pendants issued such warnings, too.

So, authorities and police can very well warn of a programming language for sure, no matter whether it is the worlds' second most used or not.

I think last year I had not just one but two threads started ringing the bell for major Java alarms issued, hadn't I.

Homeland Security simply has slept - very long.

Java is a security nightmare. Plus there is no excuse to use it for programming. There is nothing it can do that you cannot do with something different and more safe as well. Laziness is the problem that causes Java staying that dominant. And that is why I think that people really need to get hit by Java-induced security problems - so that they get a slap on the back of their heads.

One should also boycott all household gadgets, mobile tech, navigators etc that use Java - to send manufacturers a message and forcing Java out of the market. But with people still buying smartphones with Android and WhatsApp like crazy, that amount of swarm intelligence on behalf of data security probably is too much expected.

Buying a new smartphone every two or three years. Sometimes I think I have no clue how humans are ticking.

[Skybird]

Quote:

Originally Posted by the_tyrant

Also, previously, Oracle has been pretty decent with patching java issues. Usually they can get a patch out before the exploit is widely deployed.

What...? You must be kidding. Oracle ignores the private consumer market with its patching needs pretty much, and do them slowly only, focussing on business markets and their habits favoring longer patching intervals. Last year was a security hole nightmare for Java. And after two patches, I think not only the majority of these still were present - but new ones were even added.

You could promise to pay me money, and I wouldn't use it anymore.

[the_tyrant]

Quote:

Originally Posted by Skybird

What...? You must be kidding. Oracle ignores the private consumer market with its patching needs pretty much, and do them slowly only, focussing on business markets and their habits favoring longer patching intervals. Last year was a security hole nightmare for Java. And after two patches, I think not only the majority of these still were present - but new ones were even added.

You could promise to pay me money, and I wouldn't use it anymore.

Its all relative!

They aren't good compared to their competitors in this field (Which to be honest is only Microsoft with .net/silverlight), but usually they aren't THAT bad. I mean, you can usually expect a patch that generally more or less fixed it.

But this time, this exploit is now being actively exploited on all three platforms (windows, mac, and Linux), plus, it made its way into every singe exploit pack under the sun. I'm pretty sure even the exploit writers are angry! Back when java exploits were hard to write, they made $$$$$. Now every guy who knows basic java can do it!


I mean, the security situation with Java is highly unfortunate. Back then, ActiveX didn't even claim to be secure, whereas Java was supposed to be the "secure solution from the future!" When I did my first programming course in middle school, I signed up for the Java course instead of the VB.net course. A guy asked why should one learn Java instead of VB.net, and one of the biggest reasons that the teacher provided was that "java applets are infinitely more secure than ActiveX".

Nowadays, you are probably safer with ActiveX than Java. At least people fully understand the risks with ActiveX

When HomeLand Security suggests anything I take it as if the SS is talking.

[Hawk66]

Quote:

Originally Posted by Skybird

Java is a security nightmare. Plus there is no excuse to use it for programming. There is nothing it can do that you cannot do with something different and more safe as well. Laziness is the problem that causes Java staying that dominant. And that is why I think that people really need to get hit by Java-induced security problems - so that they get a slap on the back of their heads.

One should also boycott all household gadgets, mobile tech, navigators etc that use Java - to send manufacturers a message and forcing Java out of the market. But with people still buying smartphones with Android and WhatsApp like crazy, that amount of swarm intelligence on behalf of data security probably is too much expected.

Buying a new smartphone every two or three years. Sometimes I think I have no clue how humans are ticking.

What is the alternative to Java, Skybird? I program in .NET and I love it but ask the java guys to switch to .NET and you can bet that you got a dozens 'I hate Microsoft' threads. Java is an industry standard when it comes to enterprise applications and that will not change. In the consumer market 'PC-Desktop' oracle-java does not play that big role anymore...although it is used in open-source office suites etc.

And Android does not use Java from Oracle but a complete different implementation. It only implements (most) of the specs of java.

[danasan]

Get yourself an old rig for internet browsing only. Don't keep personal data on it. Format it once in a while. Problem solved.

[HundertzehnGustav]

there comes dat solution.

[Wolferz]

Quote:

Originally Posted by privateer

When HomeLand Security suggests anything I take it as if the SS is talking.

That's because the SS IS talkin.