

Groups > comp.lang.java.programmer > #14415 > unrolled thread

Article: Why you can't dump Java (even though you want to)

Started by: Gene Wirchenko <genew@ocis.net>
First post: 2012-05-08 08:51 -0700
Last post: 2012-05-20 22:33 -0400
Articles: 20 on this page of 42; 15 participants



Contents

  Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-08 08:51 -0700
    Re: Article: Why you can't dump Java (even though you want to) Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2012-05-08 17:14 -0300
      Re: Article: Why you can't dump Java (even though you want to) "Nasser M. Abbasi" <nma@12000.org> - 2012-05-08 15:36 -0500
        Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 13:51 -0700
          Re: Article: Why you can't dump Java (even though you want to) "Nasser M. Abbasi" <nma@12000.org> - 2012-05-08 16:01 -0500
            Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 14:15 -0700
              Re: Article: Why you can't dump Java (even though you want to) "Nasser M. Abbasi" <nma@12000.org> - 2012-05-08 16:41 -0500
                Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-08 15:19 -0700
                Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 15:21 -0700
            Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-08 15:05 -0700
          Re: Article: Why you can't dump Java (even though you want to) Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2012-05-08 19:12 -0300
            Re: Article: Why you can't dump Java (even though you want to) BGB <cr88192@hotmail.com> - 2012-05-10 19:05 -0700
          Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:03 -0400
            Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 20:52 -0700
              Re: Article: Why you can't dump Java (even though you want to) Eric Sosman <esosman@ieee-dot-org.invalid> - 2012-05-09 06:58 -0400
                Re: Article: Why you can't dump Java (even though you want to) Lew <lewbloch@gmail.com> - 2012-05-09 12:04 -0700
              Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-09 10:06 -0700
              Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:20 -0400
                Re: Article: Why you can't dump Java (even though you want to) Bent C Dalager <bcd@pvv.ntnu.no> - 2012-05-11 09:09 +0000
                  Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-11 09:41 -0700
                    Re: Article: Why you can't dump Java (even though you want to) "javax.swing.JSnarker" <gharriman@boojum.mit.edu> - 2012-05-12 01:30 -0400
                      Re: Article: Why you can't dump Java (even though you want to) Sleepy the Dwarf <std75821@gmail.com> - 2012-05-13 08:40 -0400
                    Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-20 22:37 -0400
                      Re: Article: Why you can't dump Java (even though you want to) Gene Wirchenko <genew@ocis.net> - 2012-05-20 20:25 -0700
                      Re: Article: Why you can't dump Java (even though you want to) Bent C Dalager <bcd@pvv.ntnu.no> - 2012-05-21 19:31 +0000
                  Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-20 22:35 -0400
                    Re: Article: Why you can't dump Java (even though you want to) Bent C Dalager <bcd@pvv.ntnu.no> - 2012-05-21 19:26 +0000
                      Re: Article: Why you can't dump Java (even though you want to) Kev Warren <k.warren312@noobnot.notnoob.org> - 2012-05-21 17:36 -0400
        Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 13:59 -0700
          Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:04 -0400
            Re: Article: Why you can't dump Java (even though you want to) markspace <-@.> - 2012-05-08 20:54 -0700
              Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:23 -0400
        Re: Article: Why you can't dump Java (even though you want to) Joshua Maurice <joshuamaurice@gmail.com> - 2012-05-08 15:32 -0700
        Re: Article: Why you can't dump Java (even though you want to) BGB <cr88192@hotmail.com> - 2012-05-10 16:36 -0700
      Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:13 -0400
        Re: Article: Why you can't dump Java (even though you want to) Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2012-05-09 16:50 -0300
          Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:26 -0400
    Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-08 21:19 -0400
    Re: Article: Why you can't dump Java (even though you want to) Roedy Green <see_website@mindprod.com.invalid> - 2012-05-09 14:42 -0700
      Re: Article: Why you can't dump Java (even though you want to) Joshua Cranmer <Pidgeot18@verizon.invalid> - 2012-05-10 17:07 -0500
      Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-10 20:19 -0400
        Re: Article: Why you can't dump Java (even though you want to) Arne Vajhøj <arne@vajhoej.dk> - 2012-05-20 22:33 -0400

Page 2 of 3


#14483

From: "javax.swing.JSnarker" <gharriman@boojum.mit.edu>
Date: 2012-05-12 01:30 -0400
Message-ID: <joksh1$cdt$1@speranza.aioe.org>
In reply to: #14481
On 11/05/2012 12:41 PM, Gene Wirchenko wrote:
> <bcd@pvv.ntnu.no>  wrote:
>> Personally, if someone expects me to spend my time on their website
>> they better provide a compelling reason for me to want to do so, and
>> gratuitous dependence on JS just puts me off. In general I consider it
>> a good early indicator of a terrible web designer: "You need JS to
>> click this link", right so this guy taught himself web design in his
>> own dreams.
>
>       Exactly.  Except that the JS-to-click design might also be due to
> a gratuitous complexity bug (in the coder).

I'm convinced that in most cases it's deliberate: punish users who 
disable JS and force them to turn it on so they can be harassed with 
annoying animated JS-reliant ads and crap.

Of course, Adblock Plus + enable JS and the user still gets the last laugh.

-- 
public final class JSnarker
extends JComponent
A JSnarker is an NNTP-aware component that asynchronously provides 
snarky output when the Ego.needsPuncturing() event is fired in cljp.



#14501

From: Sleepy the Dwarf <std75821@gmail.com>
Date: 2012-05-13 08:40 -0400
Message-ID: <jooa4g$fb7$2@speranza.aioe.org>
In reply to: #14483
On 12/05/2012 1:30 AM, javax.swing.JSnarker wrote:
> On 11/05/2012 12:41 PM, Gene Wirchenko wrote:
>> <bcd@pvv.ntnu.no> wrote:
>>> Personally, if someone expects me to spend my time on their website
>>> they better provide a compelling reason for me to want to do so, and
>>> gratuitous dependence on JS just puts me off. In general I consider it
>>> a good early indicator of a terrible web designer: "You need JS to
>>> click this link", right so this guy taught himself web design in his
>>> own dreams.
>>
>> Exactly. Except that the JS-to-click design might also be due to
>> a gratuitous complexity bug (in the coder).
>
> I'm convinced that in most cases it's deliberate: punish users who
> disable JS and force them to turn it on so they can be harassed with
> annoying animated JS-reliant ads and crap.

And so they can be tracked!



#14703

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-05-20 22:37 -0400
Message-ID: <4fb9aa68$0$290$14726298@news.sunsite.dk>
In reply to: #14481
On 5/11/2012 12:41 PM, Gene Wirchenko wrote:
> On Fri, 11 May 2012 09:09:48 +0000 (UTC), Bent C Dalager
> <bcd@pvv.ntnu.no>  wrote:
>
>> On 2012-05-11, Arne Vajhøj<arne@vajhoej.dk>  wrote:
>>> On 5/8/2012 11:52 PM, markspace wrote:
>>>> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>>>>
>>>> Sure I often have to enable JS, but only after I've seen the site first.
>>>> If it looks dodgy, I just leave. And often I can still click on a few
>>>> links or read an article without JS. It's rare I'll enable JS if I just
>>>> need one thing from a site.
>>>
>>> That does not sound as 2012 to me.
>
>       I decide on site use by something other than fashion.
>
>       There are many Websites that are not decked out in a fashionable
> manner but that are very useful.  I prefer them.

That is your privilege.

Just be prepared that the share of web sites working without
JS will drop every year.

Arne



#14704

From: Gene Wirchenko <genew@ocis.net>
Date: 2012-05-20 20:25 -0700
Message-ID: <f7djr7lugseqqjbj87unold5p05un6sitn@4ax.com>
In reply to: #14703
On Sun, 20 May 2012 22:37:28 -0400, Arne Vajhøj <arne@vajhoej.dk>
wrote:

>On 5/11/2012 12:41 PM, Gene Wirchenko wrote:
>> On Fri, 11 May 2012 09:09:48 +0000 (UTC), Bent C Dalager
>> <bcd@pvv.ntnu.no>  wrote:
>>
>>> On 2012-05-11, Arne Vajhøj<arne@vajhoej.dk>  wrote:
>>>> On 5/8/2012 11:52 PM, markspace wrote:
>>>>> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>>>>>
>>>>> Sure I often have to enable JS, but only after I've seen the site first.
>>>>> If it looks dodgy, I just leave. And often I can still click on a few
>>>>> links or read an article without JS. It's rare I'll enable JS if I just
>>>>> need one thing from a site.
>>>>
>>>> That does not sound as 2012 to me.
>>
>>       I decide on site use by something other than fashion.
>>
>>       There are many Websites that are not decked out in a fashionable
>> manner but that are very useful.  I prefer them.
>
>That is your privilege.
>
>Just be prepared that the share of web sites working without
>JS will drop every year.

     I have not noticed that, but it really does not matter.  If the
Websites that I find useful tend not to use JavaScript, then I do not
have to enable JavaScript very often.  It does not matter to me if the
proportion of useful sites to non-useful sites is low.  What matters
is the number of useful sites, and yes, I do find enough of them.

     I have found that a Website requiring JavaScript for simple
functionality is a fairly good indication that the Website will not be
useful to me.

Sincerely,

Gene Wirchenko



#14746

From: Bent C Dalager <bcd@pvv.ntnu.no>
Date: 2012-05-21 19:31 +0000
Message-ID: <slrnjrl613.bm2.bcd@microbel.pvv.ntnu.no>
In reply to: #14703
On 2012-05-21, Arne Vajhøj <arne@vajhoej.dk> wrote:
>
> Just be prepared that the share of web sites working without
> JS will drop every year.

This is unlikely to become an actual problem before AJAX has proper
support (that developers actually /use/) for accessibility options
required by law.

And once that is in place, maybe GUI on web pages is finally mature
anyway.

Cheers,

Bent D
-- 
Bent Dalager - bcd@pvv.org - http://www.pvv.org/~bcd
                                    powered by emacs



#14702

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-05-20 22:35 -0400
Message-ID: <4fb9a9f7$0$290$14726298@news.sunsite.dk>
In reply to: #14479
On 5/11/2012 5:09 AM, Bent C Dalager wrote:
> On 2012-05-11, Arne Vajhøj<arne@vajhoej.dk>  wrote:
>> On 5/8/2012 11:52 PM, markspace wrote:
>>> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>>>
>>> Sure I often have to enable JS, but only after I've seen the site first.
>>> If it looks dodgy, I just leave. And often I can still click on a few
>>> links or read an article without JS. It's rare I'll enable JS if I just
>>> need one thing from a site.
>>
>> That does not sound as 2012 to me.
>
> I think it's generally well accepted that using protection may detract
> from the experience somewhat, but this does not automatically make it
> a bad idea to do so. :-)

Correct.

> Personally, if someone expects me to spend my time on their website
> they better provide a compelling reason for me to want to do so, and
> gratuitous dependence on JS just puts me off. In general I consider it
> a good early indicator of a terrible web designer: "You need JS to
> click this link", right so this guy taught himself web design in his
> own dreams.

????

Considering AJAX-heavy web sites to be terribly designed
is not exactly the trend seen on the web.

Arne



#14745

From: Bent C Dalager <bcd@pvv.ntnu.no>
Date: 2012-05-21 19:26 +0000
Message-ID: <slrnjrl5o3.bm2.bcd@microbel.pvv.ntnu.no>
In reply to: #14702
On 2012-05-21, Arne Vajhøj <arne@vajhoej.dk> wrote:
> On 5/11/2012 5:09 AM, Bent C Dalager wrote:
>> Personally, if someone expects me to spend my time on their website
>> they better provide a compelling reason for me to want to do so, and
>> gratuitous dependence on JS just puts me off. In general I consider it
>> a good early indicator of a terrible web designer: "You need JS to
>> click this link", right so this guy taught himself web design in his
>> own dreams.
>
> ????
>
> Considering AJAX-heavy web sites to be terribly designed
> is not exactly the trend seen on the web.

That's ok; I often find myself at odds with the general perception. :D

What I do find striking is that this is 2012, more than 15 years after
HTML had standardised forms (<input>, HTML 2.0 I believe) and they are
/still/ playing catch-up to the established GUI frameworks such as
Motif, Windows, etc. Tab order, menu and tool bars, hotkeys/shortcuts,
i18n, layout, drag and drop, list selection: mostly a hodge podge of
what the developer chanced upon in some library somewhere and what he
could be bothered to hack together himself. Just such a simple matter
as standardising how to handle the browser's "Back" button in a web
app – cutting edge rocket science, it would seem.

Usually a new technology is reasonably mature after ten years, but
getting a proper GUI on web pages is taking forever.

(Yes, I sometimes do turn on JavaScript. :D)

Cheers,

Bent D.
-- 
Bent Dalager - bcd@pvv.org - http://www.pvv.org/~bcd
                                    powered by emacs



#14747

From: Kev Warren <k.warren312@noobnot.notnoob.org>
Date: 2012-05-21 17:36 -0400
Message-ID: <jpecg5$9ho$1@speranza.aioe.org>
In reply to: #14745
On 21/05/2012 3:26 PM, Bent C Dalager wrote:
> Usually a new technology is reasonably mature after ten years, but
> getting a proper GUI on web pages is taking forever.

I thought you hated GUIs and refused to use any UI more advanced than a 
screen-oriented console mode one such as a Unix shell, vi, or emacs?



#14421

From: markspace <-@.>
Date: 2012-05-08 13:59 -0700
Message-ID: <joc1ep$bap$1@dont-email.me>
In reply to: #14419
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:

> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>
>> The main problem is the human being, whether coder or user.
>>

> I think the whole internet is doomed. Nowhere to run and hide
> any more.


Arved wins this argument.  From the article:

"Sure, I could opt not to use those Java-enabled services or install 
Java and uninstall when I'm finished. But the core problem isn't 
necessarily Java's exploitability; nearly all software is exploitable. 
It's *unpatched* Java. Few successful Java-related attacks are related 
to zero-day exploits. Almost all are related to Java security bugs that 
have been patched for months (or longer)."


Again I use FireFox.  After a recent upgrade of FF, it disabled the Java 
plugin (a recent one, version 6 update 22 or so), calling it insecure. 
OK whatever, so I downloaded a new one.  It bugged me at the time but 
now I see why:  FF was forcing me to upgrade to a later patch.  This 
removes known vulnerabilities.

It takes effort to stay on top of these things but it can be done.  Now, 
who's at fault for the Mac Java exploit?  Oracle?   Or Apple for 
allowing users to run old, insecure versions of Java?



#14435

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-05-08 21:04 -0400
Message-ID: <4fa9c2a0$0$294$14726298@news.sunsite.dk>
In reply to: #14421
On 5/8/2012 4:59 PM, markspace wrote:
> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>> The main problem is the human being, whether coder or user.
>
>> I think the whole internet is doomed. Nowhere to run and hide
>> any more.
>
> Arved wins this argument. From the article:
>
> "Sure, I could opt not to use those Java-enabled services or install
> Java and uninstall when I'm finished. But the core problem isn't
> necessarily Java's exploitability; nearly all software is exploitable.
> It's *unpatched* Java. Few successful Java-related attacks are related
> to zero-day exploits. Almost all are related to Java security bugs that
> have been patched for months (or longer)."

????

Java should automatically update these days.

Arne



#14442

From: markspace <-@.>
Date: 2012-05-08 20:54 -0700
Message-ID: <jocppl$32m$2@dont-email.me>
In reply to: #14435
On 5/8/2012 6:04 PM, Arne Vajhøj wrote:
>
> Java should automatically update these days.


The article specifically mentions Apple, who didn't patch their own 
special version of Java for several months, until they got bit hard by a 
trojan or something.

Yes, Oracle's new version for the Mac does enable auto-updates.  But 
there's enough old Java out there that I guess many don't have it.



#14468

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-05-10 20:23 -0400
Message-ID: <4fac5bf4$0$288$14726298@news.sunsite.dk>
In reply to: #14442
On 5/8/2012 11:54 PM, markspace wrote:
> On 5/8/2012 6:04 PM, Arne Vajhøj wrote:
>>
>> Java should automatically update these days.
>
> The article specifically mentions Apple, who didn't patch their own
> special version of Java for several months, until they got bit hard by a
> trojan or something.

Ah - the use of "Few successful Java-related attacks" made me think
that it was general, not specific to the MacOS X incident.

Auto update of course requires that there is a fix.

> Yes, Oracle's new version for the Mac does enable auto-updates. But
> there's enough old Java out there that I guess many don't have it.

And that auto update exists for the platform & version in question.

Arne

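The exchange above (#14421 through #14468) comes down to one practical point: the machines that get hit are the ones running a Java that was patched months ago, often because nobody knows which version is installed. As an added example, not code from the thread or from the InfoWorld article, here is a small Python inventory check that parses the banner `java -version` prints and flags runtimes below a baseline. The baseline update levels (Java 6 Update 31, Java 7 Update 3), the host names and the captured banners are assumptions constructed for illustration; substitute the levels from your vendor's current security advisories.

```python
"""Flag installed Java runtimes that are older than a patched baseline.

Added example, not from the thread: parses the banner that `java -version`
prints (legacy "1.6.0_22" numbering and the later "11.0.12" numbering) and
compares each runtime against an assumed per-major-release minimum update.
"""
import re
import subprocess
from typing import Dict, NamedTuple, Optional


class JavaVersion(NamedTuple):
    major: int   # 6 for "1.6.0_22", 7 for "1.7.0_04", 11 for "11.0.12"
    update: int  # update / patch level within that major release

    def __str__(self) -> str:
        return f"Java {self.major} Update {self.update}"


# `java -version` writes its banner to stderr; the first line looks like
#   java version "1.6.0_22"            (legacy numbering, Java 8 and earlier)
#   openjdk version "11.0.12" 2021-07-20 (new numbering, Java 9 and later)
_BANNER_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version(banner: str) -> Optional[JavaVersion]:
    """Return the JavaVersion found in a `java -version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    first, second, third, update = m.groups()
    if first == "1":
        # Legacy scheme "1.<major>.0_<update>"; a missing "_NN" means update 0.
        return JavaVersion(int(second), int(update or 0))
    # New scheme "<major>.<minor>.<security>"; the third field is the patch level.
    return JavaVersion(int(first), int(third))


# Assumed baseline for illustration only: minimum update level per major release.
# Replace with the levels named in your vendor's current security advisories.
BASELINE: Dict[int, int] = {6: 31, 7: 3}


def classify(banner: str, baseline: Dict[int, int] = BASELINE) -> str:
    """Classify one banner as 'OK', 'OUTDATED', 'UNSUPPORTED' or 'UNKNOWN'."""
    v = parse_version(banner)
    if v is None:
        return "UNKNOWN"        # no JRE on the host, or a banner we do not understand
    if v.major not in baseline:
        return "UNSUPPORTED"    # a major release for which no patched level is tracked
    return "OK" if v.update >= baseline[v.major] else "OUTDATED"


def audit(inventory: Dict[str, str], baseline: Dict[int, int] = BASELINE) -> Dict[str, str]:
    """Map host name -> status for a dict of host name -> captured banner text."""
    return {host: classify(banner, baseline) for host, banner in inventory.items()}


def local_banner() -> str:
    """Capture the banner of whichever `java` is first on PATH ('' if none)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners standing in for `java -version 2>&1` output
# collected from several hosts; these are not real machines.
SAMPLE_INVENTORY: Dict[str, str] = {
    "host-a": 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n',
    "host-b": 'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b20)\n',
    "host-c": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "host-d": 'java version "1.5.0_22"\n',
    "host-e": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        found = parse_version(SAMPLE_INVENTORY[host]) or "no JRE found"
        print(f"{host}: {status} ({found})")
    print("this machine:", classify(local_banner()))
```

The script only sees the `java` binary first on PATH; a browser plugin can point at a different, older JRE, so on workstations run the check against every JRE directory you find rather than trusting one banner.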


#14432

From: Joshua Maurice <joshuamaurice@gmail.com>
Date: 2012-05-08 15:32 -0700
Message-ID: <13a824e6-837d-45f5-92f7-9b38e33c3c85@ns1g2000pbc.googlegroups.com>
In reply to: #14419
On May 8, 1:36 pm, "Nasser M. Abbasi" <n...@12000.org> wrote:
> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>
>
>
> > The main problem is the human being, whether coder or user.
>
> > AHS
>
> There are now Trojans and viruses that attack the PC
> using JavaScript.
>
> One can't really shut down JavaScript in the browser like they can
> with the Java plugin to prevent applets from running.
>
> I think the whole internet is doomed. Nowhere to run and hide
> any more.

I will also second (or third?) firefox and noscript. Yes it's a pain,
and yes there's some websites that require javascript to work, but
it's better than nothing for a little amount of hassle.



#14462

From: BGB <cr88192@hotmail.com>
Date: 2012-05-10 16:36 -0700
Message-ID: <johjhc$2qn$1@news.albasani.net>
In reply to: #14419
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>
>>
>> The main problem is the human being, whether coder or user.
>>
>> AHS
>
> There are now Trojans and viruses that attack the PC
> using JavaScript.
>
> One can't really shut down JavaScript in the browser like they can
> with the Java plugin to prevent applets from running.
>
> I think the whole internet is doomed. Nowhere to run and hide
> any more.
>

pretty much anything which has open sockets or reads from shared 
data-files is a potential security risk.

is the code reading data from the socket sufficiently hardened?
how about the code parsing one's document?
...

it isn't always an easy problem...


given programming languages can do a bit more, they present a much 
bigger surface area to try to attack, making securing the language a 
good deal harder.

but, with languages, it is a hard tradeoff between trying to give the 
person using the language a lot of freedom while at the same time trying 
to find ways to prevent the language from being used in unintended ways 
by an attacker, which is also a bit of a problem.



#14436

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-05-08 21:13 -0400
Message-ID: <4fa9c4a5$0$287$14726298@news.sunsite.dk>
In reply to: #14418
On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>>       This was in the morning's trade articles:
>>
>> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>> InfoWorld Home / Security / Security Adviser
>> May 08, 2012
>> Why you can't dump Java (even though you want to)
>> So many recent exploits have used Java as their attack vector, you
>> might conclude Java should be shown the exit
>> By Roger A. Grimes | InfoWorld
>>

> I tend to agree with what Grimes wrote on the second page of his
> article. As he pointed out, popular software always gets exploited. Part
> of it is due to defects in the software, so in Java in this case, but a
> major part of it for a programming language and platform (JVM) is how
> people code in it. How many Java programmers have genuinely absorbed the
> lessons in "Secure Coding Guidelines for the Java Programming Language",
> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
> percent? No way is it any higher than that.

I think we need to distinguish between:
A) malicious applet code that gets unauthorized access to desktop
    PC's when their users just browse the internet
B) hackers that break into a Java web app using various
    security holes

A is what I assume the article is about. And the security
problems are caused by bugs in the JVM and Java runtime.

B is caused by bugs introduced by the Java web app
developers. And this seems to be what that coding
standard tries to address.

Arne



#14453

From: Arved Sandstrom <asandstrom3minus1@eastlink.ca>
Date: 2012-05-09 16:50 -0300
Message-ID: <0Uzqr.17$XG.8@newsfe09.iad>
In reply to: #14436
On 12-05-08 10:13 PM, Arne Vajhøj wrote:
> On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
>> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>>>       This was in the morning's trade articles:
>>>
>>> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>>>
>>> InfoWorld Home / Security / Security Adviser
>>> May 08, 2012
>>> Why you can't dump Java (even though you want to)
>>> So many recent exploits have used Java as their attack vector, you
>>> might conclude Java should be shown the exit
>>> By Roger A. Grimes | InfoWorld
>>>
> 
>> I tend to agree with what Grimes wrote on the second page of his
>> article. As he pointed out, popular software always gets exploited. Part
>> of it is due to defects in the software, so in Java in this case, but a
>> major part of it for a programming language and platform (JVM) is how
>> people code in it. How many Java programmers have genuinely absorbed the
>> lessons in "Secure Coding Guidelines for the Java Programming Language",
>> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
>> percent? No way is it any higher than that.
> 
> I think we need to distinguish between:
> A) malicious applet code that gets unauthorized access to desktop
>    PC's when their users just browse the internet
> B) hackers that break into a Java web app using various
>    security holes
> 
> A is what I assume the article is about. And the security
> problems are caused by bugs in the JVM and Java runtime.
> 
> B is caused by bugs introduced by the Java web app
> developers. And this seems to be what that coding
> standard tries to address.
> 
> Arne
> 
Well, Grimes mentioned everything: Java apps as well as applets, users
insisting on using old Java versions because they believe their apps
need it [1], people not knowing what version they are running, unpatched
Java etc. Which is why I seized the opportunity to bitch about insecure
coding...which is ultimately the root of the problem anyway.

But you're right, it's mostly defects in Java runtimes that Grimes is
talking about.

One point about the secure coding guidelines - let's not characterize
that as "web app" coding. All those guidelines are about secure coding
for Java, period. If I were a Java EE web app developer I'd read the Sun,
now Oracle, secure coding guidelines for Java first, then something like
OWASP.

AHS

1. And we've had that conversation a number of times in various threads.

-- 
Never interrupt your enemy when he is making a mistake.
--Napoleon



#14469

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-05-10 20:26 -0400
Message-ID: <4fac5ccd$0$288$14726298@news.sunsite.dk>
In reply to: #14453
On 5/9/2012 3:50 PM, Arved Sandstrom wrote:
> On 12-05-08 10:13 PM, Arne Vajhøj wrote:
>> On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
>>> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>>>>        This was in the morning's trade articles:
>>>>
>>>> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>>>>
>>>> InfoWorld Home / Security / Security Adviser
>>>> May 08, 2012
>>>> Why you can't dump Java (even though you want to)
>>>> So many recent exploits have used Java as their attack vector, you
>>>> might conclude Java should be shown the exit
>>>> By Roger A. Grimes | InfoWorld
>>>>
>>
>>> I tend to agree with what Grimes wrote on the second page of his
>>> article. As he pointed out, popular software always gets exploited. Part
>>> of it is due to defects in the software, so in Java in this case, but a
>>> major part of it for a programming language and platform (JVM) is how
>>> people code in it. How many Java programmers have genuinely absorbed the
>>> lessons in "Secure Coding Guidelines for the Java Programming Language",
>>> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
>>> percent? No way is it any higher than that.
>>
>> I think we need to distinguish between:
>> A) malicious applet code that gets unauthorized access to desktop
>>     PC's when their users just browse the internet
>> B) hackers that break into a Java web app using various
>>     security holes
>>
>> A is what I assume the article is about. And the security
>> problems are caused by bugs in the JVM and Java runtime.
>>
>> B is caused by bugs introduced by the Java web app
>> developers. And this seems to be what that coding
>> standard tries to address.

> Well, Grimes mentioned everything: Java apps as well as applets, users
> insisting on using old Java versions because they believe their apps
> need it [1], people not knowing what version they are running, unpatched
> Java etc. Which is why I seized the opportunity to bitch about insecure
> coding...which is ultimately the root of the problem anyway.
>
> But you're right, it's mostly defects in Java runtimes that Grimes is
> talking about.
>
> One point about the secure coding guidelines - let's not characterize
> that as "web app" coding. All those guidelines are about secure coding
> for Java, period. If I were a Java EE web app developer I'd read the Sun,
> now Oracle, secure coding guidelines for Java first, then something like
> OWASP.

Good point.

The advice is applicable to all types of apps.

Systems connected to the internet are just a bit more, let us
say, expected to be attacked.

Arne





#14437

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-05-08 21:19 -0400
Message-ID: <4fa9c61b$0$285$14726298@news.sunsite.dk>
In reply to: #14415
On 5/8/2012 11:51 AM, Gene Wirchenko wrote:
>       This was in the morning's trade articles:
>
> www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
> InfoWorld Home / Security / Security Adviser
> May 08, 2012
> Why you can't dump Java (even though you want to)
> So many recent exploits have used Java as their attack vector, you
> might conclude Java should be shown the exit
> By Roger A. Grimes | InfoWorld
>
>       Comments?

The article is true but still completely BS.

There is a need for code running client side in web
solutions.

That code runs sandboxed and in theory does not have access
to anything on the client PC.

In practice there are some security bugs in the sandbox that
allow malicious code to gain access that it was not supposed
to have.

Same story whether it is Java applet, Flash, Silverlight,
JavaScript/HTML5 or even to some extent JavaScript/oldHTML.

As long as there is a need for code running client side
then the problem will exist.

Whether it is Java or something else does not matter.

So suggesting disabling Java in the browser is BS.

One can suggest disabling Java, Flash, JavaScript etc.
and see if one can live with the 1996 feeling.

Arne



#14454

From: Roedy Green <see_website@mindprod.com.invalid>
Date: 2012-05-09 14:42 -0700
Message-ID: <q0plq7p1c7s4lcg0nvtaiksq3t0fk7fq5u@4ax.com>
In reply to: #14415
On Tue, 08 May 2012 08:51:55 -0700, Gene Wirchenko <genew@ocis.net>
wrote, quoted or indirectly quoted someone who said :

>
>www.infoworld.com/d/security/why-you-cant-dump-java-even-though-you-want-192622
>InfoWorld Home / Security / Security Adviser
>May 08, 2012
>Why you can't dump Java (even though you want to)
>So many recent exploits have used Java as their attack vector, you
>might conclude Java should be shown the exit
>By Roger A. Grimes | InfoWorld
>
>     Comments?

If we dumped something on finding the first security hole, Windows would
not have sold even one copy.  JavaScript has no security at all.  It
does not even try.

I have not personally ever found or been harmed by a hole in the
Applet sandbox or the run time or the Jet run time. I see comments
about obscure bugs getting fixed.  

If a hole is causing trouble in the real world and the vendor does not
fix it, then you may have to look elsewhere. That does not describe
Java.
-- 
Roedy Green Canadian Mind Products
http://mindprod.com
Programmers love to create simplified replacements for HTML. 
They forget that the simplest language is the one you 
already know. They also forget that their simple little 
markup language will bit by bit become even more convoluted 
and complicated than HTML because of the unplanned way it grows.
.



#14460

From: Joshua Cranmer <Pidgeot18@verizon.invalid>
Date: 2012-05-10 17:07 -0500
Message-ID: <johe73$269$1@dont-email.me>
In reply to: #14454
On 5/9/2012 4:42 PM, Roedy Green wrote:
> If we dumped something on finding the first security hole, Windows would
> not have sold even one copy.  JavaScript has no security at all.  It
> does not even try.

The JavaScript language has no affordance for security by itself, 
exactly like Java. The implementations of JS (in particular, what would 
amount to standard libraries for JS) as found on most web browsers pay 
as much attention to security as Java's applet sandboxing model does. 
This includes going to such outlandish extremes as giving you the wrong 
data for the color of some text on your page in certain circumstances.

-- 
Beware of bugs in the above code; I have only proved it correct, not 
tried it. -- Donald E. Knuth


