Noticing articles on Java Security etc

Noticing articles on Java Security etc

Joe Niffen
Not sure if this is an OK topic, but lately I've noticed articles claiming
that Java must not be used, that there is a major security flaw, etc.

http://www.theregister.co.uk/2012/09/04/antisec_hackers_fbi_laptop_hack/

Also in http://www.pcmag.com/article2/0,2817,2409251,00.asp

And in http://www.pcworld.com/article/261843/time_to_give_java_the_boot.html

Are these just zealots that have a bone to pick with Oracle, or is there
a major issue to worry about?

If this isn't supposed to be posted here, I apologize.

Thanks

_______________________________________________
Ibm-netrexx mailing list
[hidden email]
Online Archive : http://ibm-netrexx.215625.n3.nabble.com/


Re: Noticing articles on Java Security etc

Fernando Cassia-2


On Tue, Sep 4, 2012 at 7:53 PM, Joe Niffen <[hidden email]> wrote:
Are these just zealots that have a bone to pick with Oracle, or is there a major issue to worry about?

Yes, call me paranoid, but there seems to be a major anti-Java FUD campaign (Fear, Uncertainty and Doubt), which started shortly after this article appeared:

Oracle has been good to Java, despite early fears
http://www.infoworld.com/t/java-programming/oracle-has-been-good-java-despite-early-fears-200200

And this stream of positive events:

-Oracle makes OpenJDK 7 the reference implementation of Java7

-All Linux distros ship OpenJDK
http://www.java7developer.com/blog/?p=361

-IBM joins OpenJDK
http://www.infoq.com/news/2010/10/ibm-joins-openjdk

-Apple contributes its OSX JRE code to OpenJDK
http://9to5mac.com/2011/01/12/openjdk-code-lands-as-mac-port-project-springs-to-life/

-Twitter joins OpenJDK
https://dev.twitter.com/blog/twitter-open-source-and-jvm

-Oracle decides to offer Java 7 JREs for Apple OS X
http://www.macrumors.com/2012/08/14/oracle-officially-launches-java-se-7-for-os-x/

-In 2012, Java continues to be among the top-3 programming languages according to TIOBE index, despite a campaign of previous FUD articles like this:

http://www.businessweek.com/stories/2005-12-12/java-its-so-nineties

And third-party languages for the Java VM have skyrocketed, thanks to Java7's support for dynamic languages:

http://java.sun.com/developer/technicalArticles/DynTypeLang/

http://en.wikipedia.org/wiki/List_of_JVM_languages

I guess Microsoft's anti-Java campaign never actually ended after all: http://ho.io/sunblock

And someone in Redmond must be laughing out loud.

All the above writers deliberately confuse the browser plug-in with Java itself, and in almost all instances advise users to UNINSTALL JAVA rather than disabling the browser plug-in (which I won't do, as I use keepvid.com and other Java-based services too).

Interestingly, there's also a double standard here: Microsoft's own .Net gets "critical security vulnerabilities" patched almost every "Patch Tuesday". So where are the headlines telling users "you don't need .Net" or "uninstall .Net"?

FC

--
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell




Re: Noticing articles on Java Security etc

Fernando Cassia-2


On Tue, Sep 4, 2012 at 8:23 PM, Fernando Cassia <[hidden email]> wrote:

All the above writers deliberately confuse the browser plug-in with Java itself, and in almost all instances advise users to UNINSTALL JAVA rather than disabling the browser plug-in.

Sorry, I forgot the URLs of some of the anti-Java articles.

Time to give Java the boot?
http://www.pcworld.com/article/261843/time_to_give_java_the_boot.html#tk.nl_dnx_h_crawl

///

"Over the years both Apple and Microsoft have hardened their systems’ defenses. The Mac operating system has been near-bulletproof to vulnerabilities, and the company no longer ships new devices with Java preinstalled"

FUD, totally confuses Apple's reasons for stopping JRE shipping, negates Apple's contribution to OpenJDK and Oracle's new official support for OSX.

"Microsoft has made a full-court press to eliminate operating system-level vulnerabilities since the Conficker worm outbreak in late 2008, and no comparable worms have attacked Windows systems since then."

And what has been the Java-based worm? How many thousands of infected people?

"Part of the attraction is Java’s ubiquity. “It’s almost a compliment to Java’s developers,” says Steve Santorelli, director of global outreach for Team Cymru, a security research nonprofit in Florida. Java, unlike any other browser plug-in, runs in nearly every operating system imaginable. “It comes down to the economics of malware,” Santorelli says. Malware authors want the biggest possible return on their investment in development, which means malware that targets the widest possible market."

So they attack it because it's ubiquitous. The solution is to make it less ubiquitous? LOGIC FAIL.

"While Oracle (and Sun before it) delivers regular updates to fix Java security issues, getting those updates installed on the computers and devices of all those millions of end-users remains a challenge."

Funny, the Java auto-updater kicked in last Friday and updated my JRE to Java 7 update 7, automatically. What "devices" ship with Java 7 SE? That's plain FUD. Devices have EMBEDDED JAVA, not the desktop version.

"Some experts recommend virtualization as a workaround for businesses that need to use those Java-based services. Installing it in a virtual machine keeps it at arm’s length from critical systems. The home user, especially one focused on Facebook and the Web, may be able to dispense with Java altogether."

What experts? Names?

"Fans of HTML 5 point to this alternative to delivering the multimedia functions that Java enabled earlier in the Web’s development. It is a focus of both Adobe development and AT&T’s work, and appears to be gaining momentum this year, although it targets Flash more than Java."

That's a narrow view of Java. Java stopped being about "eye candy" and animations a long long time ago. No mention of desktop java apps, no mention of Java Web Start (JWS) apps like muCommander and the like...

"The question of whether to keep Java comes down to “your risk profile, and how critical that system is,” says Team Cymru’s Santorelli. “If the consequences of a compromise would be catastrophic,” uninstall Java."

/////

More FUD. But let's see who's behind this security firm... hmm... 3 former Oracle execs...

"Andrew Brandt is a freelance writer and security expert."

https://twitter.com/threatresearch
"Andrew Brandt is an award-winning journalist and, oddly, Internet security researcher who currently works as the Director of Threat Research for Solera Networks"

http://www.soleranetworks.com/company/management/

"Steve Shillingford – President and CEO. Steve has more than 18 years of experience in sales, marketing, operations and executive management with leading technology companies. He joined Solera Networks in early 2007 from Oracle Corporation, where he was responsible for some of the largest deals in the company during his tenure. In 2005, Steve was named Top Account Executive for North America Sales as a result of his success closing several of the company’s largest deals, his consistently strong performance in meeting revenue objectives, and broad new product expansion for the territory."

Rick Simmons – Vice President of North American Sales
Rick provides executive sales leadership to Solera Networks with over 25 years of experience in sales and high technology products. Prior to Solera Networks, Rick was Executive Director of Sales at Bit9 and also Vice President of Sales for Fusion Middleware Products at Oracle. At Oracle, he was instrumental in directing Oracle’s strategy for becoming a market leader for enterprise infrastructure solutions.

Alberto Yépez

J. Alberto Yépez currently serves on the board of Trident Capital portfolio companies including, Solera Networks, Qualys (on demand vulnerability management and policy compliance), HyTrust (virtualization security and compliance), and AirTight Networks (wireless security and compliance). Mr. Yépez is a Managing Director at Trident focusing on Software, IT Security, and mobile investments. Prior to Joining Trident, he was Vice President of Identity Management and Security at Oracle.


FC
--
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell


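The third post turns on update levels: the poster's JRE auto-updated to Java 7 update 7, while the quoted article claims that getting those updates installed across millions of machines remains a challenge. The one check a practitioner actually wants here is whether the JRE on a given host meets a minimum update level. The script below is an added example written for this page, not code from the thread, from Oracle or from the article; it parses the banner line of `java -version` output in both the legacy `1.<major>.0_<update>` form (Java 5 to 8) and the `<major>.<minor>.<patch>` form (Java 9 and later) and compares it with a chosen minimum. The function names and the `SAMPLE_BANNERS` entries are mine; the banners are constructed, not captured from real machines.

```python
"""Check whether a JRE's reported version meets a minimum update level.

Added example for this page, not code from the thread. Parses the banner
line of `java -version`, which reads "1.<major>.0_<update>" for Java 5-8
and "<major>.<minor>.<patch>" for Java 9+.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, update-or-patch)

# Banner line looks like:  java version "1.7.0_07"
#                     or:  openjdk version "11.0.2" 2019-01-15
_BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

# Constructed sample banners (not captured from real machines).
SAMPLE_BANNERS = {
    "jre7u7": 'java version "1.7.0_07"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "jre6u26": 'java version "1.6.0_26"\n'
               'Java(TM) SE Runtime Environment (build 1.6.0_26-b03)',
    "openjdk11": 'openjdk version "11.0.2" 2019-01-15\n'
                 'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)',
    "ea": 'openjdk version "21-ea" 2023-09-19',
    "none": "bash: java: command not found",
}


def parse_java_version(banner: str) -> Optional[Version]:
    """Return (major, minor, update) from a java -version banner, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    raw = re.split(r"[-+]", m.group(1), maxsplit=1)[0]  # drop "-ea", "+9"
    if raw.startswith("1."):
        # Legacy scheme: 1.<major>.<minor>[_<update>]   e.g. 1.7.0_07
        rest, _, update = raw[2:].partition("_")
        fields = rest.split(".")
        major = int(fields[0])
        minor = int(fields[1]) if len(fields) > 1 else 0
        return (major, minor, int(update) if update else 0)
    # Java 9+ scheme: <major>[.<minor>[.<patch>]]   e.g. 11.0.2 or 17
    nums = [int(p) for p in raw.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


def meets_minimum(banner: str, minimum: Version) -> bool:
    """True if the banner reports a version >= minimum; False if unparsable."""
    v = parse_java_version(banner)
    return v is not None and v >= minimum


def installed_banner() -> str:
    """Run `java -version` on this host (it prints to stderr); '' if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Java 7 update 7: the level the poster's auto-updater reached.
    MINIMUM: Version = (7, 0, 7)
    v = parse_java_version(installed_banner())
    if v is None:
        print("no usable JRE on PATH")
    else:
        status = "OK" if v >= MINIMUM else "OUT OF DATE"
        print(f"installed {v}, minimum {MINIMUM}: {status}")
```

Two caveats that follow from the thread's own point: this only sees the JRE first on PATH, and a browser plug-in can be bound to a different, older JRE; and a current version says nothing about whether the browser plug-in is enabled at all, which is the setting the poster argues should be changed instead of uninstalling Java.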