Hard Light Productions Forums
Off-Topic Discussion => General Discussion => Topic started by: Fury on September 17, 2013, 02:33:30 am
-
http://nakedsecurity.sophos.com/2013/09/17/oracle-java-fails-at-security-in-new-and-creative-ways/
Long story short:
- Java's "Run" pop-up contents can be faked
- Oracle recommends signing of Java applets, so people can determine they come from a trusted source
- Trusted Java applets run outside of Java's internal sandbox (wtf?)
- Certificates used to sign Java applets can be faked
If anybody still wonders why the Java browser plugin should be disabled, this is why. The only reason to keep Java around is to run stand-alone Java applications. But even then, it would send a clear message back to Oracle that this **** is unacceptable if people would simply refuse to use Java for anything, including stand-alone apps. Of course, businesses are a different animal since there is a large wad of money involved. Sucks to be them.
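The summary above turns on a distinction the plugin blurs: "signed" is not the same as "signed by someone you trust", and only the latter should ever buy an applet its way out of the sandbox. As an added example (not code from this thread, the Sophos article, or Oracle), here is a small Java program that separates the three questions for a JAR on disk: is every content entry signed, what does the manifest ask for, and does the signer's certificate chain to a CA in the JVM's own trust store. It assumes the bundled CA store lives at $JAVA_HOME/lib/security/cacerts; when run with no arguments it writes a constructed, unsigned throwaway JAR so the unsigned path can be exercised offline.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

/** Answers: is this JAR signed, by whom, and does the signer chain to a CA this JVM trusts? */
public class JarTrustCheck {

    static final String UNSIGNED = "<unsigned>";
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning

    /** Signer subject DN -> signer certificate path, for every content entry in the JAR.
     *  Entries carrying no signature are recorded under UNSIGNED. A signed entry whose
     *  digest does not match makes JarFile throw SecurityException while the entry is
     *  read, so a normal return means "not tampered" and nothing more: a self-signed
     *  signer passes this step, which is why the trust question is asked separately. */
    static Map<String, CertPath> signersOf(Path jarPath) throws IOException {
        Map<String, CertPath> signers = new LinkedHashMap<>();
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {   // true: verify signatures
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements(); ) {
                JarEntry entry = en.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only attached to an entry once its stream has been read to EOF.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* digest is checked as we read */ }
                }
                CodeSigner[] codeSigners = entry.getCodeSigners();
                if (codeSigners == null) { signers.put(UNSIGNED, null); continue; }
                for (CodeSigner cs : codeSigners) {
                    CertPath path = cs.getSignerCertPath();
                    X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                    signers.putIfAbsent(leaf.getSubjectX500Principal().getName(), path);
                }
            }
        }
        return signers;
    }

    /** The manifest's "Permissions" main attribute (all-permissions / sandbox), or null if absent. */
    static String permissionsAttribute(Path jarPath) throws IOException {
        try (JarFile jar = new JarFile(jarPath.toFile(), false)) {
            Manifest m = jar.getManifest();
            return m == null ? null : m.getMainAttributes().getValue("Permissions");
        }
    }

    /** PKIX-validates the signer chain against the trust store and requires the leaf to be
     *  usable for code signing. Revocation checking is disabled so this runs offline;
     *  a real deployment check would leave it on. */
    static boolean chainsToTrusted(CertPath chain, KeyStore trust) {
        try {
            PKIXParameters params = new PKIXParameters(trust);
            params.setRevocationEnabled(false);
            X509CertSelector leaf = new X509CertSelector();
            leaf.setExtendedKeyUsage(Collections.singleton(EKU_CODE_SIGNING));
            params.setTargetCertConstraints(leaf);
            CertPathValidator.getInstance("PKIX").validate(chain, params);
            return true;
        } catch (GeneralSecurityException e) {   // unknown root, expired, wrong EKU, bad signature, ...
            return false;
        }
    }

    /** The JVM's bundled CA store (assumed location). A null password skips only the
     *  integrity check; certificates remain readable, which is all a trust lookup needs. */
    static KeyStore jvmTrustStore() throws IOException, GeneralSecurityException {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance("JKS");   // also reads a PKCS12 cacerts on newer JDKs
        try (InputStream in = Files.newInputStream(cacerts)) { ks.load(in, null); }
        return ks;
    }

    /** Constructed sample input: a throwaway unsigned JAR so the program runs with no arguments. */
    static Path unsignedDemoJar() throws IOException {
        Path p = Files.createTempFile("demo-unsigned", ".jar");
        Manifest m = new Manifest();
        m.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(p), m)) {
            out.putNextEntry(new JarEntry("Hello.class"));
            out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE}); // not a real class
            out.closeEntry();
        }
        return p;
    }

    public static void main(String[] args) throws Exception {
        Path jarPath = args.length > 0 ? Paths.get(args[0]) : unsignedDemoJar();
        System.out.println("JAR: " + jarPath);
        String perms = permissionsAttribute(jarPath);
        System.out.println("Manifest Permissions: " + (perms == null ? "(absent)" : perms));
        Map<String, CertPath> signers = signersOf(jarPath);   // SecurityException here = tampered entry
        KeyStore trust = jvmTrustStore();
        for (Map.Entry<String, CertPath> s : signers.entrySet()) {
            if (s.getValue() == null) { System.out.println("UNSIGNED content entries present"); continue; }
            String verdict = chainsToTrusted(s.getValue(), trust)
                    ? "chains to a CA in cacerts" : "does NOT chain to a CA in cacerts";
            System.out.println("Signer " + s.getKey() + ": " + verdict);
        }
    }
}
```

Compile with `javac JarTrustCheck.java` and run `java JarTrustCheck some-applet.jar`. The caveat a practitioner should keep in mind is that a chain which validates only proves some CA in cacerts issued a code-signing certificate for that subject name; it says nothing about whether the publisher is who the "Run" dialog claims or whether the code is benign, which is exactly the gap the article's points about fakeable dialogs and certificates describe.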
-
I always thought Java (and all attempts to duplicate it) sucked.
-
It means that Java's Internet/Applet connection interface is crap, and frankly, for quite a long time so was C's.
It doesn't say a thing about the programming language itself, merely Oracle's implementation of the applet system, and as someone posted in the article itself, the answer is to stop faffing around with the certificate system.
-
Someone tell governments to quit using Java already. It's pathetic that most of Canada's online systems for public use (e.g. tax filings) require Java.
-
I'd rather have working internet than be paranoid about security.
-
you could have both if java wasn't so ****ty
-
Someone tell governments to quit using Java already. It's pathetic that most of Canada's online systems for public use (e.g. tax filings) require Java.
Exactly. The problem is more about how Java tends to be applied than the language itself; it's a utility and application language, certainly, but it lacks the low-level access required to make certain kinds of systems safe. Instead people have to rely on available resources from Oracle, which are not designed to be used at this kind of level.
Java is to languages what Mario is to computer games, it's fun, it's perfectly acceptable for any age or level of skill, and it's friendly. But it's also terribly 'innocent'. Oracle had a dream of a big, happy user-base all exchanging ideas and code, but caught on a bit late that things like Applets and RMI relied too heavily on everyone playing nice.
What I won't agree with, though, is that Java itself is '****'. It isn't. It's not suited to every job, and it has received criticism, some well deserved, some not so, of the memory management system it uses. But it produces some perfectly good code, and teaches at least as many good programming practices as bad ones, which is no more than you can say of any other language; it depends largely on the coder themselves.
I know a lot of advanced programmers consider Java 'lightweight', sort of like the modern day version of BASIC, and in some ways the comparison sticks, but the language itself is still a powerful one at its core, it's just that Oracle need to be more aware of potential risks in their code extensions.
-
you could have both if Oracle's implementation of java wasn't so ****ty
FTFY
Sun Microsystems had a dream of a big, happy user-base all exchanging ideas and code.
FTFY
-
you could have both if Oracle's implementation of java wasn't so ****ty
FTFY
Sun Microsystems had a dream of a big, happy user-base all exchanging ideas and code.
FTFY
FTFY
Please to not be doing FTFY posts without making it clear what part you changed, kthx
-
you could have both if Oracle's implementation of java wasn't so ****ty
FTFY
I used 'java' to refer to the implementation of Java almost everyone uses, so sue me.
-
NO WE MOST BE RIGOR! MOST MAKE EVERY WORD RIGOR! ELSE FTFY ENDIF
-
you could have both if Oracle's implementation of java wasn't so ****ty
FTFY
Sun Microsystems had a dream of a big, happy user-base all exchanging ideas and code.
FTFY
FTFY
Please to not be doing FTFY posts without making it clear what part you changed, kthx
I thought it was pretty obvious.
Sun was cool. Oracle, not so much.
-
NO WE MOST BE RIGOR! MOST MAKE EVERY WORD RIGOR! ELSE FTFY ENDIF
Many members of HLP can't achieve [REDACTED] unless they are typing a post correcting someone on the internet.
-
Many members of HLP can't achieve [REDACTED] unless they are typing a post correcting someone on the internet.
and damn did I ever achieve it there! a double FTFY, followed by three quotes, an asinine sarcastic mocking and a whole thread derail. I'm not going to be able to stand for a good five minutes or so.
-
and damn did I ever achieve it there! a double FTFY, followed by three quotes, an asinine sarcastic mocking and a whole thread derail. I'm not going to be able to sit for a good week or so.
FTFY
-
was it good for you? ;7
-
no not really.
-
The saddest thing about all this is that the Java language itself was designed to be secure!
A lot of the choices in the language were made precisely to avoid security issues. The inability to alter Strings for instance was specifically to avoid buffer overrun/underrun exploits.
-
Well at least Java doesn't have pointers, which is one of the reasons hacking can be done on C++. Oh, and don't forget about the operator overloading...haha, nice. At least Java is cross-platform.
And then there's the M!(r0$h@f+'s iron grip on C and Xbox game development. :banghead:
Though I do understand your pain of Java always being vulnerable in some way. Those updates are annoying. If they can make a better and proper low-level JVM that cannot be vulnerable to all these attacks then we'd all be sitting and laughing and sipping our beers while laughing at all the other languages. Heck, we'd be able to start a revolution and convert all to the Java platform. Well, that would require Sun Microsystems to grow a pair both below the belt and above the eyes. :rolleyes:
-
Except for games. Java isn't very efficient in that regard.
-
Well at least Java doesn't have pointers, which is one of the reasons hacking can be done on C++. Oh, and don't forget about the operator overloading...haha, nice. At least Java is cross-platform.
wat.
Java has pointers (http://docs.oracle.com/javase/specs/jls/se7/html/jls-4.html#jls-4.3), they're just called references. Also, the mere existence of pointers in a language is not a security risk in and of itself.
And then there's the M!(r0$h@f+'s iron grip on C and Xbox game development. :banghead:
wat^2
Microsoft does not have an "Iron Grip" on C. They don't care about C to the point where the MSVC compiler just doesn't implement the current C standard (because it's a C++ compiler, and while the two languages share many things, they are drifting increasingly apart), and they don't have any sort of "grip" there either. C/C++ are both governed by international standards committees, and while MS has a voice there, they are far from a dominant one.
And yeah, of course they have tight control over XBox development. That's what happens on consoles!
Though I do understand your pain of Java always being vulnerable in some way. Those updates are annoying. If they can make a better and proper low-level JVM that cannot be vulnerable to all these attacks then we'd all be sitting and laughing and sipping our beers while laughing at all the other languages. Heck, we'd be able to start a revolution and convert all to the Java platform. Well, that would require Sun Microsystems to grow a pair both below the belt and above the eyes. :rolleyes:
wat^3
First, you mean Oracle, not Sun.
Second, and this is an important concept you need to understand, there is no way to prove that a program as complex as the Java Virtual Machine is secure. You can validate it against previously discovered vulnerabilities, but you can't ever be sure that no vulnerabilities exist.
-
Except for games. Java isn't very efficient in that regard.
Depends on the type of game to be honest. Certainly something like Minecraft is probably poorly suited to Java in a lot of ways: JOGL isn't a perfect wrapper, and because it's difficult to code decent low-level thread control systems, most people rely on synchronized methods, which carry their own punishments. However, it's not that Java lacks the power, it's that it lacks the support. Whilst C++ has full coding support for things like OpenGL, Java's strength is also its weakness: it has to rely heavily on community support.
Speed-wise, Java is close, but not quite equal, to C++. It's powerful enough to produce pretty high quality stuff were it not for the above problems. There are engines like JavaMonkey for game development, but they are touch and go, and tend to be specialized around a specific game-type.
For 2.5D or 2D games, I would actually say Java is an ideal platform for coding them in, since it's easy to code and modify, and isn't making extreme demands on Java's internals.
-
Java references are another example of what I mean about Java being designed to be secure actually.
Misuse of pointers is often a cause of exploits. References don't allow you to get into quite as big a pile of **** as pointers.
Basically, Oracle's mishandling of Java is destroying one of the major reasons for using it in the first place!
-
If I have a complaint about Java, it's that it sometimes offers too many paths to the same solution, which might seem odd since that is a good thing overall. The reason is that when you are an obsessive revisionist with your code, you can suddenly see another way of doing things later on that might be more efficient on class creation, or that maybe an Interface would have been better than inheritance, etc., and whilst Java is designed to be easily revised, you can get lost in simply polishing.
I suppose, in the end, that's a problem with all languages, but that's why system design is such an important part of development these days.
-
none of those paths being the one you wanted.