[Fury]

http://nakedsecurity.sophos.com/2013/09/17/oracle-java-fails-at-security-in-new-and-creative-ways/

Long story short:
- Java's "Run" pop-up contents can be faked
- Oracle recommends signing of Java applets, so people can determine they come from trusted source
- Trusted Java applets run outside of Java's internal sandbox (wtf?)
- Certificates used to sign java applets can be faked

If anybody still wonders why Java browser plugin should be disabled, this is why. The only reason to keep Java around is to run stand-alone Java applications. But even then, it would send a clear message back to Oracle that this **** is unacceptable if people would simply refuse to use Java for anything. including stand-alone apps. Of course, businesses are a different animal since there is large wad of money involved. Sucks to be them.

[Nuke]

i always though java (and all attempts to duplicate it) sucked.

[Flipside]

It means that Java's Internet/Applet connection interface is crap, and frankly, for quite a long time so was C's.

It doesn't say a thing about the programming language itself, merely Oracles implementation of the applet system, and as someone posted in the article itself, the answer is to stop faffing around with the certificate system.

[MP-Ryan]

Someone tell governments to quit using Java already.  It's pathetic that most of Canada's online systems for public use (e.g tax filings) require Java.

[Klaustrophobia]

i'd rather have working internet than be paranoid about security.

[Phantom Hoover]

you could have both if java wasn't so ****ty

[Flipside]

Someone tell governments to quit using Java already.  It's pathetic that most of Canada's online systems for public use (e.g tax filings) require Java.

Exactly, the problem is more about how Java tends to be applied, rather than the language itself, it's a utility and application language, certainly, but it lacks the low-level access required to make certain kinds of systems safe. Instead people have to rely on available resources from Oracle, which are not designed to be used at this kind of level.

Java is to languages what Mario is to computer games, it's fun, it's perfectly acceptable for any age or level of skill, and it's friendly. But it's also terribly 'innocent'. Oracle had a dream of a big, happy user-base all exchanging ideas and code, but caught on a bit late that things like Applets and RMI relied too heavily on everyone playing nice.

What I won't agree with, though, is that Java itself is '****'. It isn't, it's not suited to every job and it has criticism, some well deserved others not so, of the memory management system it uses. But it produces some perfectly good code, and teaches at least as many good programming practices as bad ones, which is no more than you can say of any other language, it depends largely on the coder themselves.

I know a lot of advanced programmers consider Java 'lightweight', sort of like the modern day version of BASIC, and in some ways the comparison sticks, but the language itself is still a powerful one at its core, it's just that Oracle need to be more aware of potential risks in their code extensions.

[Bobboau]

you could have both if Oracle's implementation of java wasn't so ****ty

FTFY

Sun Microsystems had a dream of a big, happy user-base all exchanging ideas and code.

FTFY

[Aardwolf]

you could have both if Oracle's implementation of java wasn't so ****ty

FTFY

Sun Microsystems had a dream of a big, happy user-base all exchanging ideas and code.

FTFY

FTFY

Please to not be doing FTFY posts without making it clear what part you changed, kthx

[Phantom Hoover]

you could have both if Oracle's implementation of java wasn't so ****ty

FTFY

i used 'java' to refer to the implementation of java almost everyone uses, so sue me

[Luis Dias]

NO WE MOST BE RIGOR! MOST MAKE EVERY WORD RIGOR! ELSE FTFY ENDIF

[SypheDMar]

you could have both if Oracle's implementation of java wasn't so ****ty

FTFY

Sun Microsystems had a dream of a big, happy user-base all exchanging ideas and code.

FTFY

FTFY

Please to not be doing FTFY posts without making it clear what part you changed, kthx

I thought it was pretty obvious.

Sun was cool. Oracle, not so much.

[redsniper]

NO WE MOST BE RIGOR! MOST MAKE EVERY WORD RIGOR! ELSE FTFY ENDIF

Many members of HLP can't achieve [REDACTED] unless they are typing a post correcting someone on the internet.

[Bobboau]

Many members of HLP can't achieve [REDACTED] unless they are typing a post correcting someone on the internet.

and damn did I ever achieve it there! a double FTFY, followed by three quotes, an asinine sarcastic mocking and a whole thread derail. I'm not going to be able to stand for a good five minutes or so.

[Nuke]

and damn did I ever achieve it there! a double FTFY, followed by three quotes, an asinine sarcastic mocking and a whole thread derail. I'm not going to be able to sit for a good week or so.

FTFY

[Bobboau]

was it good for you? 

[Nuke]

no not really.

[karajorma]

The saddest thing about all this is that the Java language itself was designed to be secure!

A lot of the choices in the language were made precisely to avoid security issues. The inability to alter Strings for instance was specifically to avoid buffer overrun/underrun exploits.

[MachManX]

Well at least Java doesn't have pointers, which is one of the reasons hacking can be done on C++.  Oh, and don't forget about the operator overloading...haha, nice.  At least Java is cross-platform.

And then there's the M!(r0$h@f+'s iron grip on C and Xbox game development.   

Though I do understand your pain of Java always being vulnerable in some way.  Those updates are annoying.  If they can make a better and proper low-level JVM that cannot be vulnerable to all these attacks then we'd all be sitting and laughing and sipping our beers while laughing at all the other languages.  Heck, we'd be able to start a revolution and convert all to the Java platform.  Well, that would require Sun Microsystems to grow a pair both below the belt and above the eyes. 

[BloodEagle]

Except for games.  Java isn't very efficient in that regard.