Comparison of Java and .NET security
prostoalex writes "The Computer Science Department at the University of Virginia has published a comparative study of security in Java and .NET in Portable Document Format. DevMktg blog on MSDN summarizes the findings saying that due to careful design process, .NET presents security advantages over Java platform in several areas." From the article: "Where Java evolved from an initial platform with limited security capabilities, .NET incorporated more security capability into its original design. With age and new features, much of the legacy code of Java still remains for backwards compatibility including the possibility of a null SecurityManager, and the absolute trust of classes on the bootclasspath. Hence, in several areas .NET has security advantages over Java because of its simpler and cleaner design."
Except it runs on Windows.
D'OH!
Since starting in my new job, I had to switch from Java to .Net... so this is a little bit of good news. I guess....
I still miss the Eclipse IDE though... Visual Studio blows chunks in comparison. :(
Friends don't let Friends use Internet Explorer.
In the first page of the study they document the difference of age of .net and java. Java has been out for over 9 years, .net, 2-3. Let's see how .net is doing in number of vulnerabilities in 9 years.
Text conversion of PDF document
wake me up... when .Net ends to be a vehicle to lock users and developers more and more into windows...
From day 1 .Net was designed to lure over the Java devs so that they get rid of the dangerous cross platform capabilities of Java!
And don't come with Mono, we all know where it stands!
It's not truly cross-platform so it's out of question for any serious production environment. Sorry, but until Micro$oft releases the most important classes under a free license and port them to Linux I won't touch it with a ten foot stick. Java is closer but it's hardly fast enough. If Sun adds real OOP features like multiple inheritance, operator overloading, traits, mixins, and introduces optional strong or weak dynamical typing, I might consider using it. But right now I am stuck with Perl, Ruby, Lisp, Smalltalk, Eiffel, Scheme and Python, and what I am really looking forward is a study comparing their respective security and how the development of the Parrot VM will affect it. Of course since it's a blog on M$DN I am not holding my breath.
Karma: Positive (probably because of superior intellect)
C is portable, fast, very complex and has for 35+ years been the leading standard for professional OS and app development.
.NET??? ...amusing.
C is so successful that C++ had to be invented to get more people into OO-style C programming. C++ was designed as a syntax aid for people who lacked the skill to write OO in C by disciplined use of structs and function pointers.
C is obviously too complex for the average CS student who crouch from one alternative to the next.
Java?
Well, ignoring the fact that Microsoft is meant to be 'teh evil' and looking purely at the framework that their engineers have produced, I have found very little to criticize.
It feels like they looked at Java and stripped out the bad and produced easy to use clean languages. The first things that spring to mind:
* Easier exception handling.
* Transparency with the whole string class/primitive issue.
* Really easy to create and catch events.
The Visual Studio IDE however! Piece of HTML-mangling, non-XHTML-compliant &*$£
Security in Java is multi-layered and complex, you cannot possibly cover all its faces. ".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code, thus removing any sense of security.
Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
Saying that .NET is more secure is just about the stupidest thing someone can say... It's like saying Windows is more secure than Linux since it's newer than UNIX and Linux is based on UNIX.
First of all, it's interesting to note that 10 of the 45 Java vulnerabilities that the researchers take into account are due to Microsoft. They are specific to the ill-famed Microsoft JVM.
Furthermore, 10 of the remaining 35 vulnerabilities were discovered and fixed in the first six months after the initial Java release. I consider those quickly-fixed flaws in a young product.
So, we're left with 25 vulnerabilities found in a mature product, between 2 and 3 every year. Not quite pretty, not quite a disaster either.
Now, the question is, why are there no vulnerability discoveries in the .Net runtime? The researchers talk at length about the better .Net design, which is unsurprising given it was designed after many years of experience with the JVM.
However, they fail to assess any impact the availability of Java source code might have on finding vulnerabilities and fixing them. The whole source code for the JVM is available (free as in beer), anybody can have a look once they register with Sun. I don't know if the same applies to the .Net runtime, somehow I doubt it. Some partners might have portions of it, maybe.
So, availability of source code might be enough to generate two or three vulnerability discoveries per year.
Note that I'm not saying that there are six to nine vulnerabilities yet to be discovered in .Net; maybe Microsoft did it right this time, and spent their money where it matters most in the long run.
I've seen the cross-platform remarks already, but no one asked the question yet about how widespread implementations are. I currently see many more .Net implementations in Intranet environments, and Java when the client is less known. My guess is that those more local implementations are much less scrutinized, as opposed to the much more open and directly accessible implementations in Java.
http://dictionary.reference.com/search?q=dynamical
I'm not going to read the article but the reasons stated in the summary suggest a strong (and maybe well funded) bias. In short, the summary is basically bullshit. The quoted material on the MS blog is suspicious and the scientific study might actually be quite good (I wouldn't criticize it without reading it first).
Security is not something you just switch on in a project. You design your project from the ground up to have security features. Both Java and .Net come with very similar security features. Both have fine-grained role-based security features. I'd say Java is somewhat more flexible by providing an extensible model so that you may provide your own protocol implementations. For example, I used an OSS PGP implementation recently that plugs into the default Java security API. .Net on the other hand has some nice language features like attributes. Java has null SecurityManagers; .Net has unmanaged code.
Java's security features are designed through the JCP process, in which a broad range of industries and individual experts have been and continue to be involved. Indeed some of the older security features come from the earlier JDK versions developed by Sun. Overall I trust this process more than I trust the Microsoft process, which when it comes to security has received a lot of criticism over the past few years.
Jilles
Okay, so, .net is designed better. Now, unfortunately the thing only runs under MS Windows. Windows is a rather poorly designed operating system. So, your .net is better, but it only runs on an OS with major security issues.
How far does that get you?
I recall mr Katz but one must admit, lately it's getting pretty brutal around here. At least today isn't quite as bad. must...resist...urge...to join...trolls.....
ugh
Java has run everything in a sandbox from version 1.0. I wonder how they twist this into a claim that it had no security.
Karma: It's all a bunch of tree-huggin' hippy crap!
If it is said thru an independent channel it must be true, isn't it?
Looking at global capabilities Java and .net platforms are 99% the same!
... the bigger you get the better target you are :) William IIIrd go and ask blue boys ;-)
At the end the only real choice is: do I want vendor and platform lock-in or do I want to keep the choice of vendors and platforms?
I mean, the day the complete specification of .net will be released I will seriously consider .net as a viable long-term alternative to Java. But for now it is not more viable than MS DNA oldies ;-)
Anyway, we'll see how it will turn in the next 5 years, but I really think it will be fun for MS ... than Java" ;-)
By the way, is there anybody that got a link to the MS hydra picture (an updated one)? I mean all the cross shareholding with other companies? In the late 90s the list was around a thousand covering lots of media, etc ...so I would be interested to see an updated picture of the situation to see how the lobby is progressing. Tnx.
Ok... let me get this out there first. I like the .Net framework (not all the stuff M$ tried to label as .Net after they realized that they were on the right track).
.Net 1.0 came out 6 YEARS after Java 1.0... it's not exactly fair to compare them as pure equals. Considering that they're so similar you have to take into account that M$ had time to see what was wrong w/ Java and fix it. It's kinda like saying "Well, this brand new bridge is far superior to that one over there that was built 200 years ago. I mean, sure it's better looking, but this one is stronger AND lighter." People learn things and then implement them... is that so hard to understand?
However, this study is flawed.
Jeremy Logan's Website.
I notice the article did not talk much about the implications of having a .Net implementation on your network.
The one (and only) multi-tiered .Net implementation I have had to work with was a networking nightmare. The whole thing used DCOM which is a total pain in the ass. No NAT'ing (DCOM doesn't function across NAT) means that production DMZs had to have routable IPs. DCOM uses RPC which means that firewalls have to allow the entire high port range (>1024) between tiers. The transaction protocol in the framework likes to talk all the way from web layer to db layer so defense in depth is pretty much thrown out the window.
It may be that there is a way to use .Net without running into these issues, but the developers and the MS consultant all insisted this was standard and typical. Of course, they all also insisted that the environment would be better off flat and the MS consultant strongly urged not doing multi-tiered. So I suppose if you don't mind having your SQL server in the DMZ .Net is great.
Didn't like it. No sir. Not at all.
.NET ... Windows ... but not all of them.
:)
price: free, You only need to have Windows 2003 Business Server for serious work
secure: rtfa in few years to make sure
portable: it runs on many systems, like Windows and
speed: well actually speedy on Windows machine
IDE: brilliant Visual Studio, unfortunately no plugins
Java
price: free, well it is free
secure: most likely as secure as your application
portable: well actually, even my SonyEricsson cell runs it
speed: a bit clumsy, but hey, almost all >1GHz desktop PC can run Java application in very responsive manner (Eclipse, Netbeans, Azureus, etc.)
IDE: Eclipse and/or Netbeans ROCKS!
This reply seems biased, but well, almost every opinion will be biased.
> Operator overloading is great, as long as it is done in a sane fashion.
;)
When I first learned Java some years ago, I learned that Java's concept was to be very sane and portable.
So it would not be Java's concept to leave the sanity as a task for the user, but rather Java should enforce sanity.
In that case I agree that operator overloading would be a great thing.
(until then i will rave about haskell's way to solve this thing
Any sufficiently advanced intelligence is indistinguishable from stupidity.
ACK. I could not resist anymore. Look where it took me: Karma: Bad. But at the end this is always a thing between two entities. If my karma is bad for them, then this implies that their karma is bad for me too. And in this case I'm okay with this. ;)
(As long as it does not become the heise.de golem.de situation. ;)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
As a side note NASA World Wind uses .NET:
http://worldwind.arc.nasa.gov/
It's similar to Google Earth, except that it's 180MB and once you download it it tells you you need to upgrade your version of .NET, and another dialog pops up saying Direct X needs to be upgraded too. At this point, I decided not to continue. I don't fancy reading one of MS's EULAs, don't care to download one of their hulking tarballs, don't want Direct X changed in case it breaks something.
Piece of shit Nasa, .NET is just a wrapper for Windows on the local machine, why didn't you just make native code you f**** idiots.
1) ACEGI - Aspect-oriented programming using a dependency injection model to replace or complement JAAS for authentication and authorization in an application-server-independent way. A subproject of the Spring framework:
http://acegisecurity.sourceforge.net/docbook/acegi.html/
2) XML Encryption and XML Digital Signatures. Used in Web Service security or independently.
http://xml.apache.org/security/
http://ws.apache.org/wss4j/
3) Container managed security implemented in every servlet container on the market, including tomcat.
In short, I'd like to see a comparison of the features and availability of what people actually use in their applications, rather than an entirely fudgable comparison of reported/unreported security flaws.
"None are more hopelessly enslaved than those who falsely believe they are free. -- Goethe"
iksrazal
Whatever that would be. Use an operating system that gives you memory protection, and even better: capabilities (rights to read/write files and other things), and you can run ANY program, written in ANY language, without the programs even being ABLE to do any harm.
Oh, that would be too much of progress, wouldn't it?
The gall to take into account vulnerabilities from Microsoft's own JVM in a comparison to Microsoft's .Net is astonishing. What a way to belittle your competitor: make a crappy implementation of their product and call them insecure.
I lack words.
HTTP/1.1 400
ikvm-0.14.tar.gz +
eclipse-JDT-SDK-3.2M1.zip
IS BETTER AND MORE SECURE than
jdk-6_0-ea-bin-b49-linux-amd64-25_aug_2005.bin
By + + + J.C. Pizarro + + + ATH OK.
It goes deeper than .NET not being subject to the same rigorous kinds of source code review; .NET runs the advantage of not having been seriously tested in a production environment. Oh, sure, people are running .NET. But they're running it natively. The things this study covers are not the parts of .NET people are interested in actually using. Given this the security model is just a show pony. The Java security model is something that's been hammered against in the real world constantly for years in real businesses; in the academic sphere the JVM is getting hammered not just through source review, but in serious conceptual testing as people implement their own JVMs. The .NET security model ... well, is just kind of sitting there waiting for the day when someone tries to actually run serious applications on it. Not really as difficult; all it has to do is sit there and look pretty.
Meanwhile since .NET ties into win32, if you're wanting to do something malicious why bother hitting on the .NET security model? Why bother even looking for holes? Just call any one of the nasty Win32 functions. Hell, malware programs are able to do nasty enough shit to our windows machines totally within the windows security model. If you want to do something malicious to a Microsoft machine, it's so much simpler to attack it directly than to try to do so through .NET.
A possibly somewhat mean way of putting it would be to think of the .NET security model as a lone locked door sitting in the middle of a field. Nobody visits it, and if anyone actually came upon the door, all they'd have to do is walk around it. Now, in this context, should we find it impressive that no one has yet found a way to pick the lock?
Where is the raw data so anybody may review the methodologies and conclusions?
Perhaps Laura Didio can help explain it to everybody.
+ ikvm-0.18.0.0.zip
By + + + J.C. Pizarro + + + ATH OK.
Why is this a surprise? Windows takes care of giving problems for .NET instead.
This is my sig. There are thousands more, but this one is mine.
For what I have seen, Java is good for Enterprise development precisely because it eliminates things like multiple inheritance and operator overloading. This results in code that is very understandable, and usually follows standard design patterns. I think Java makes it easier for IDE developers to make very helpful IDEs (IDEA, Eclipse, Netbeans, JBuilder) and promote certain technologies as the 'de facto' standard (eg hibernate). For enterprise apps java is FAST, whereas other languages that you mention, such as python are just too slow (zope/plone). Perl code just gets too messy after a while, and as you say .NET not being cross platform makes it useless.
How do you get it to stop wasting your entire screen with extra menus?
The auto-hiding tabs are a nightmare. Every time I want to go back to working, I have to move my mouse off and wait five seconds for it to decide to auto-hide, and then another second for the animation to finish. Is there any way to MANUALLY hide them without getting rid of them entirely?
If I leave things at the default I'm left with barely more room than half a terminal screen to actually code in. Gah!
Mod cousin down!
small print: feature not available in West Virginia or Tennessee
Wow, look at their nice graph will you. Their first graph shows 'vulnerabilities found' in Java VMs... nothing mentioned about patches... and 0 in .net...
Now look at this: "In this paper we explore the more optimistic hypothesis that .NET's design is fundamentally more secure than Java's"
So they have a bent from the start to discredit Java. Onto my point:
Java is 10 years old. There are groups of people looking at Java VM code and multiple versions of VMs, all of which are bunged in here. These 'vulnerabilities' are not even reflections on the fundamental paradigm of the Java security model.
This article is FUD, and bad FUD to counter Gosling's stand against the 'untrusted code' model of the .Net.
No, quoting JNI is not relevant in that argument because JNI still works within the security model, yet it allows native code to be interfaced with, that is a separate issue, and akin to making a network call, and running code on another server.
They then mark up 9 security vulnerabilities listed with Microsoft 'but because the way they classify them they do not count for this paper' (paper is the new word, because papers sound academic, not like paid research).
"There are many possible explanations for the .NET platform's apparent lack of security vulnerabilities. One possibility is that .NET is a less desirable platform for attackers to compromise than Java so it has not received the scrutiny necessary to reveal vulnerabilities. This is unlikely, however, since the .NET framework is now provided as a Windows update. Since Windows has over 90% of the desktop market with a large number of machines using .NET, the .NET platform presents an attractive target."
Well, yes, windows runs on 90% of desktops, I would say .net runs on 15% of that figure.
"From the available information, the one implementation that did have many of its own unique vulnerabilities was Microsoft's Java implementation,"
They even try and discredit sources that go against their ideas. 'from the available information' or is that a way of saying 'this might be worse than we imply'.
I didn't want to dig deeper, I found the single statement copied into a marketing guy's website (fuck the word blog) rather twatish of the guy.
This is FUD, yet the people this is aimed at are those who will read the '.Net found to be more secure than Java!!!!111OMGLOL!!' on [insert one of the many microsoft run 'news' farms that are used to infect propaganda into the media].
pteeesh.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Good interview of Miguel de Icaza about Mono.
Notable reduction in the IKVM's size (thanks to Eclipse Java Compiler [jdtcore.jar]).
More about IKVM's weblog.
Good LiveCD Monoppix-v1.1.8.0!!!
By + + + J.C. Pizarro + + + ATH OK.
.N3T 1S Th3 C00list!
Watch 0ur L33t Sk1llz...
W3 0wnz Y0u !!!1!1!
- What good is it if you lock the front door, but leave open all the Windows?
Anyone ever ask WHY it was named windows?
Not for the Windowing feature of the software,
maybe it is for truth in advertising that people
can 'peek' into your PC through your Windows...
- The Skeptic
Good, wonderful. Now back to the real world.
Thanks. GJC
Gregory Casamento
## Chief Maintainer for GNUstep
Ok. As a C#-developer, I call bullshit on your entire story.
Fine. You had a crap solution which caused you a lot of troubles. I'm not doubting that. But what you are saying is boiling down to "I don't know how to use .NET at all, I'm not willing to look up documentation, so whatever mischief and framework abuse I'm the sole cause of, I'll blame on the framework".
Really. .NET was designed to work with internet standards to a certain degree. To a certain degree that means that you can channel any remoting over HTTP, synchronously or asynchronously. However, it seems you aren't even close to knowing what sort of tools the framework provides and decide to blame that on the framework.
You know what? I'm not really any good in basic C. I know there are some network/tcp-ip includes, but I wouldn't know how to use them. If I chose to implement all that myself because of that, should I blame myself for being inept at C or complain that C doesn't do what I want? Hopefully you get my point.
So your issue isn't with .NET itself, it's with your utter lack of knowledge on how to take advantage of it.
Not Buzzword 2.0 compliant. Please speak english.
besides: stuff like the borland c compiler make "c is portable" a joke.
writing oo in c when you have c++ is stupid, you entirely fundamental basics of oo-concepts such as inheritance, encapsulation and the like.
If you don't learn from history,
then you are an idiot by definition.
--- Vadim Yasinovsky
But let's look at this another way... Java has had one virus since its inception. Monad has 5 proof-of-concept viruses and has not yet been released.
Why UNIX?
This is news? ONJava did a detailed, four-part analysis of .Net and Java security a year or so ago:
I may be wrong, but I'm pretty sure untrusted websites can't silently run .Net code. Surely this makes a security hole in it a lot less useful than one in Java? I mean, what's .Net actually used for where this type of sandboxing is needed?
There is absolutely no point to .NET when it only runs on windows. seriously, why not just code natively??
i'm not really familiar with .NET, but seeing as it only runs on windows it really makes no sense to me.
or if you want to code a certain program for your business, in java you can make that program run on your servers, workstations that use mac, windows, or linux, and then let your employees run a client to that program on their business cell phones
who cares if .NET has better security when there is no point to it?
I couldn't agree more. And I've been around long enough to know, look at my user ID.
/. article posted about how much it has been going down hill.
/. seriously needs to return to the site of "Stuff that matters." Instead there are 20 articles posted a day and only a few of them are actually worthy of posting. Maybe there should be a recycling bin page you can go to which has all the drivel, leaving just the good stuff on the front... like a newspaper -- the crap should be shuffled to page 2 or more.
Why is it when you have an unpopular view point, you're considered a troll. Granted the opinion expressed didn't apply to the article directly, so it might be better modded as "off-topic", but it isn't as if there will be a
How else is one going to express their viewpoint?
Time flies like an arrow;
Fruit flies like a banana
The first post pokes fun at Windows +5 funny. The second post pokes fun at Linux -5 Troll.
TFA is blatantly biased to .NET, it's written on an MSDN blog for goodness sake. It's not what I'd call a fair comparison.
I mod TFA -1 Troll.
In this world nothing is certain but death, taxes and flawed car analogies.
Am I reading this correctly? A common claim from the java crowd for superiority is how it has better interoperability? That is one of the least important things in a business today.
There's this thing called XML web services, if you've been living under a rock or just plain closed your eyes to the real world this means that you can communicate with any system, so Java as a web platform has lost its major advantage it once had over MS products.
If you look at the statistics Windows 2003 server is really catching on with businesses, that advances the .NET platform.
In fact, the ease of installing a server, the cleanness of .NET, power of ASP .NET means that in a company you can now embrace your beloved linux for the worker desktops, have one microsoft server running ASP .NET / SQL Server, and service the entire company with one application that is cheap and easy to build.
That is why .NET is starting to knock the socks off java in the business world.
For client side apps java is still the winner for multiplatform... but outside of handhelds it's largely irrelevant b/c Windows dominates the desktop market.
If we're comparing these two languages for security, I'll suggest an easy fix for Sun:
Introduce a Secure Mode runtime environment on the server side (for Enterprise JavaBeans and whatnot), and then enforce the same security rules on apps that connect to it. Sure, you'll give users the option of breaking some key classes, but it'd be too difficult to force an update for security. This would give developers the option of increased security without hurting them too much. Java has been about forcing developers to adhere to good-practices design from the beginning, so get hopping on Java 5.0 Security Edition!
Jasin Natael
True science means that when you re-evaluate the evidence, you re-evaluate your faith.
MSFT has ported the .NET Framework to FreeBSD themselves!
AND, Mono and .GNU run on many platforms (Linux, Windows, BSD, OSX and Solaris). As long as you don't use System.Windows (the desktop app stuff), you can do cross-platform development in many languages!
I have written GTK# apps in VS.NET and run it on my Windows and SuSE box with ZERO modifications.
If you want to bash something, you should probably learn a bit more about it. That's the reason I read the Bible multiple times: so I can refute Bible thumpers' arguments.
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
Writing a Security Manager
You can just do this at server startup and lock it down as much as you want.
-- ac at home
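The post above says a SecurityManager can be installed at server startup and locked down as far as you like. The following is an added example of what that looks like; it is not code from the thread, from the study, or from the JDK. It installs a custom SecurityManager that refuses file writes and deletes outside one directory and refuses every outbound socket connect, while letting everything else through. The class name, the temporary sandbox directory and the 192.0.2.1 test address are assumptions made for the demo.

```java
import java.io.FilePermission;
import java.net.InetAddress;
import java.net.Socket;
import java.net.SocketPermission;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;

/*
 * Added example (not from the thread or the JDK): a SecurityManager installed
 * at startup that denies file writes/deletes outside one directory and every
 * outbound socket connect. The class name and sandbox directory are assumed.
 */
public class LockdownSecurityManager extends SecurityManager {
    private final String allowedDir;

    public LockdownSecurityManager(String allowedDir) {
        this.allowedDir = allowedDir;
    }

    // The JDK's checkRead/checkWrite/checkConnect helpers all end up here.
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission) {
            String actions = perm.getActions();   // e.g. "read", "write", "delete"
            boolean mutating = actions.contains("write") || actions.contains("delete");
            if (mutating && !perm.getName().startsWith(allowedDir)) {
                throw new SecurityException("file write denied: " + perm.getName());
            }
        } else if (perm instanceof SocketPermission) {
            if (perm.getActions().contains("connect")) {
                throw new SecurityException("outbound connect denied: " + perm.getName());
            }
        }
        // Anything else is allowed; the java.policy file is deliberately not consulted.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    public static void main(String[] args) throws Exception {
        Path sandbox = Files.createTempDirectory("sandbox");   // created before lockdown
        System.setSecurityManager(new LockdownSecurityManager(sandbox.toString()));

        Files.writeString(sandbox.resolve("ok.txt"), "allowed");
        System.out.println("write inside sandbox: ok");

        try {
            Files.writeString(Path.of("/etc/evil.txt"), "x");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        try {
            // 192.0.2.1 is an RFC 5737 documentation address; the check fires before any I/O.
            new Socket(InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 1}), 80).close();
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two caveats for anyone trying this today. Overriding checkPermission without calling super means the policy file is bypassed entirely, so a real deployment would delegate to super.checkPermission for everything it does not decide itself. And the SecurityManager was deprecated for removal in Java 17 (JEP 411); from JDK 18 on, System.setSecurityManager throws UnsupportedOperationException unless the JVM is started with -Djava.security.manager=allow. As the thread points out elsewhere, native code reached through JNI never passes through these checks at all.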
Complexity is itself a security issue, and it is a bad thing for Java's security model to be described this way. The latter part of your sentence proves the point.
".Net" managed code is very rare and all .NET applications I know of (that are real applications) use native code thus removing any sense of security.
Most desktop applications aren't candidates for serious security. Server apps almost always need serious security, as do browser applets. So, Mr Coward, your comment needs qualification if it is to be useful.
Java has had years of full source code visibility (not open source) and had several holes plugged by the community, .NET has no such thing.
This comment is at a tangent to the study's remit, which is the design of .NET/Java. They only use the comparison of flaws to suggest their hypothesis, not to prove it.
Saying that .NET is more secure is just about the stupidest thing someone can say
The nature of this assertion is self-describing, in any context, since one would have to know all possible stupid statements which is impossible since there are an infinite number.
I am surprised that your post received such high mod points, particularly as you are a coward.
That was supposed to be Scheme, not Schema. Sometimes my fingers have a mind of their own.
---------------------------------------------
SERENITY NOW!!!!!!!!!!!!!!!!
The comments about Java and OOP are misinformed. Do you really expect .NET to ever be cross platform? I wouldn't hold my breath.
Your post is an effective Troll.
In this world nothing is certain but death, taxes and flawed car analogies.
As far as I can tell, the authors of the study fail to mention that .NET can define "unsafe" code blocks.
Or, as I like to call them, "Please Fuck Me Up The Ass" code blocks.
asp.net 2.0 (and it's not a vs feature really, it's down to the controls built into the framework) are, finally, xhtml compliant. You can set a switch in web.config to use transitional or strict. There have been a few bugs (including one I reported) which are marked as fixed for release and I've done, as a learning exercise a site that is XHTML compliant with little effort in VS2005.
The effort comes in things like the membership controls, which, by default are table based. This kind of makes sense, because they won't know which stylesheets you're using for layout purposes. However there is the option to template these controls, which means you write the HTML yourself, but the backend is still provided by the built in controls. The only control I've found that refuses to give up a table is the wizard based "Create new user".
There are still problems with VS2005, niggles like style sheets not displaying if they're "included", nested master pages killing off GUI editing and so on, but nothing I've found that will kill XHTML, unless you're on a downlevel browser where it will make a best attempt to spit something that renders.
The downlevel browser thing is a pain though, as the W3C validator isn't known to asp.net, so it will spit out XHTML transitional, despite your DTDs. To fix it you can add a .browser file to explain to asp.net that the validator knows what it's doing. I produced one already, and provided it with some documentation for download.
Microsoft did an excellent job with .NET. While we all like to make fun of Ballmer jumping up and down and saying "Developers...", Microsoft actually means it.
Their tools, concepts, and design are *way* ahead of, say Xcode and Objective-C. It's painful for me when I have to do Mac development because everything's so backward.
I would love it if other companies starting implementing C#/.NET/CLR products based on the ECMA standard (unlike Java, C#/.NET has been accepted by a neutral standards committee)...this would prevent Microsoft from changing the language drastically from release to release.
Best Buy can have you arrested
.NET is Free source (as in free speech, mono or dotGNU)
Java isn't
- -- Truth addict for life.
The main reason to use Java is that its cross-platform. If you think Microsoft's plan is to lure over Java developers to a platform that's locked into Windows from a platform that runs on who knows how many platforms, you have another thought coming to you.
Pelé!
It's too bad you gave up. Thanks for the link though. I wouldn't argue the google project is good and cool and easy to use, but the Nasa project is many many times more rich and featured than the google viewer. Perhaps it's the depth of the available content in the Nasa project that makes it so much larger, but it is worth the extra effort of installing it. It is really cool. The best world viewer I have seen to date. I don't care if it's MS driven or whatever, the content in it makes it a worthwhile investment in the time it takes to download it. Fancy EULAs? I only had to update the DirectX portion of managed code, it took a few seconds and then install the application, seven clicks as I counted it. GTA San Andreas was a harder install than that as it was eight clicks. George Jetson syndrome maybe?
In .NET, you can completely subvert the security manager.
Java has evolved to be rock solid where .NET has only started to have people pound on it (nice chart though, comparing a '95 deploy to an '05 deploy - I guess it's like comparing Windows 95 sales to Windows 3.1 sales - musta been some product to outsell 3.1... (btw this is not-so-subtle sarcasm)).
/\/\icro/\/\uncher
The reason is that Rotor is not .NET! .NET submitted to .NET. ...
;-)
:)
.NET is pointless. If you are coding old MS MFC and ASP and all that b*llshit ... then maybe it is better to have a look at the .NET platform if you are still keen on staying platform locked and vendor locked. It is your choice man ...
It is the core part of
But it does not contain all the major APIs that are required to build complete enterprise solutions
Rotor is nothing but a PoC of the ECMA submission, that is all
Sorry MS zealot, but the difference between you and us is that we analyse and test the things that PRs push
Really, I mean, if you are already using Java,
The study authors say "Since a security policy cannot be enforced on unmanaged code, we only consider managed code." Given that most C# applications use unmanaged code, they are potentially vulnerable to buffer overflow attacks and the like.
C# has been criticised repeatedly in the security community for this feature. Java always runs in safe or managed mode and is therefore more secure than C#.
For more on what unsafe code means see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncscol/html/Csharp10182001.asp
That the authors of the paper make conclusions about C# security while deliberately excluding a gaping hole, and the paper's appearance on an MS site, leads me to the belief that the paper was probably sponsored by MS and they directed the study authors to exclude unmanaged code from the scope.
Bill Caelli, one of the world's leading security experts, humiliated a Microsoft representative over unsafe code and stated that "Microsoft had missed an historic opportunity to improve security in their products".
There are at least 9 security flaws in .NET. The paper conveniently dismisses them all as not being part of the framework even though Microsoft classifies them as such on their Knowledge Base. This is only to justify their pretty little chart in the introduction showing that .NET has zero security flaws.
If .NET has zero security flaws... nevermind. The paper is deception.
Java runs on Solaris/SPARC, Solaris/X86, Windows, MacOS, and Linux. As soon as Microsoft starts supplying .NET for those platforms, on similar terms to what Sun offers, then I'll consider using it. In addition, a GPL compatible RFND patent license for every 'invention' required to implement .NET and the framework would give them a step up on Java. Until then, I'll pass, thanks anyway.
Novell supplies it for those platforms already. Given that, why would you want to deal with Microsoft?
... I see you never used Borland Delphi.
Having used many development tools like Emacs, VIM, SciTE, Kate, Eclipse, Visual Studio .NET and Delphi, I gotta say Delphi is the best IDE I've used, hands down.
Simplicity and high productivity is the key here.
You don't have tons of floating dialogues, icons, buttons and drop-downs polluting your interface for no other reason than to show off and make you feel like your investment was well worth it.
No, just the right form designer, object inspector and class hierarchies, along with the project manager. Less bloat and complexity, more productivity...
KISS.
I don't feel like it...
I'm not sure a language forcing security is a good thing. It seems to me writing secure systems is really the responsibility of the development team. Especially since different situations call for different security levels and methodologies.
-I go to UVA.
If it took you seven seconds, you clearly didn't read the EULA. So how would you know if it's 'fancy' (or pick any other adjective, you still wouldn't know because you didn't read it.) I am sufficiently paranoid about licenses that I prefer BSD-style licenses to the GPL and the GPL to most commercial licenses.
Think global, act loco
At first, Mono is in no imaginable way more secure than Java. Java is being tested by millions of programmers, that's why flaws are detected; if Mono had millions of users, it would definitely have an enormous bug database :D
... I doubt that even the licence agreement of .NET itself would fit in there ... .NET and Mono are completely different from Java in every sense, this is a pointless comparison, just the same as if you would compare a rocket with a jet.
.NET definitely is .NOT the answer for most of them. So why go on some freshly born platform when you can choose something that works?
And now to the real world part: what should I do with that thing you call Mono or the Windows executable on my 104-node Sun server? Stick it up its ventilation shaft? Read my lips: your toy doesn't scale nor probably even run on it.
Or should I just try to fit your Mono into my mobile phone with 1 meg of RAM?
People who can't handle Java choose something else. People who don't need Java choose something else. I know that Java has many flaws but
bush is more similar with adolf than java is with dotNet.
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
Novell's implementation isn't as complete nor does it compete on performance.
--
WHO ATE MY BREAKFAST PANTS?
With all due respect for the author(s), I have the following questions:
Why the misleading chart so early in the paper? I believe a table may have been more appropriate.
Why not have more peer-reviewed references? I see plenty of references from MSDN, and some from some conferences. But it looks like most of the arguments are being supported by non-peer reviewed sources.
Why is there only a SMALL number of peer-reviewed articles directly related to JAVA?
Why are the peer-reviewed articles on JAVA so old? And most likely no longer relevant?
What is the deployment history of .NET vs. Java? Market share? Security incidents (in the wild)?
Why the microscopic view of JAVA's flaws and the lack of depth in .NET?
Why aren't the dangers of native code discussed (.NET or JNI)?
I do however like the information in Table 3... but what practical advantages do the "finer grained" security functions provided by .NET give the programmer or the end-user?
I think it is a decent paper that maybe was turned in for an assignment. BTW, if the author has asbestos underwear and reads Slashdot: don't forget a short biography at the end of the paper next time. This gives the paper extra credibility.
Regards, Bill
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
This is a really blatantly biased study. I wonder where his grant money is coming from.......??? There are some major flaws with his theory....... He is focusing on .NET framework vulnerabilities. Microsoft tries to act as though the languages and .NET APIs have had no vulnerabilities. Here are just a few ASP.NET vulnerabilities:
"1 Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability (Vulnerabilities) Rank: 1000
Last modified on: 2004-10-05 18:00:00 MDT
URL: http://www.securityfocus.com/bid/11342
2 Microsoft Ships Nimda To Korea in .NET (News) Rank: 952
Last modified on: 2002-06-13 18:00:00 MDT
URL: http://www.securityfocus.com/news/480
3 Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability (Vulnerabilities) Rank: 944
Last modified on: 2002-06-05 18:00:00 MDT
URL: http://www.securityfocus.com/bid/4958
4 Microsoft Visual Studio .NET Debugger Privilege Enforcement Weakness (Vulnerabilities) Rank: 932
Last modified on: 2004-04-15 18:00:00 MDT
URL: http://www.securityfocus.com/bid/10161
5 Microsoft Visual Studio .NET Korean Version Nimda Infected File Vulnerability (Vulnerabilities) Rank: 907
Last modified on: 2002-06-12 18:00:00 MDT
URL: http://www.securityfocus.com/bid/5012
6 Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability (Vulnerabilities) Rank: 885
Last modified on: 2005-08-17 00:00:00 MDT
URL: http://www.securityfocus.com/bid/14594
7 Microsoft Visual C++ 7/Visual C++.Net Buffer Overflow Protection Weakness (Vulnerabilities) Rank: 882
Last modified on: 2002-02-13 17:00:00 MST
URL: http://www.securityfocus.com/bid/4108
8 Microsoft ASP.NET Unicode Character Conversion Multiple Cross-Site Scripting Vulnerabilities (Vulnerabilities) Rank: 879
Last modified on: 2005-02-15 17:00:00 MST
URL: http://www.securityfocus.com/bid/12574
9 Microsoft ASP.NET RPC/Encoded Remote Denial Of Service Vulnerability (Vulnerabilities) Rank: 871
Last modified on: 2005-07-11 18:00:00 MDT
URL: http://www.securityfocus.com/bid/14217
10 Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability (Vulnerabilities) Rank: 871
Last modified on: 2003-09-07 18:00:00 MDT
URL: http://www.securityfocus.com/bid/8562
11 Multiple Vulnerabilities found in Microsoft .Net Passport Services Rank: 871
Last modified on: 2003-05-07 18:00:00 MDT
URL: http://www.securityfocus.com/archive/82/320989
12 Multiple Vulnerabilities found in Microsoft .Net Passport Services Rank: 871
Last modified on: 2003-05-07 18:00:00 MDT
URL: http://www.securityfocus.com/archive/1/320808"
So the idea that there are no vulnerabilities in .NET is bunk at best.....
Another problem is that because of the MSDN EULA there have not been any hack challenges or external without Microsoft's permission. A few months ago Windows NT Pro magazine hosted an IIS6 hack challenge and it was mysteriously pulled from their site. I tried contacting them, but they never responded to my questions about the hack challenges.
The big issue however is that there are architectural flaws in the Windows architecture: Microsoft's Blind Spot (http://news.com.com/2010-1071-831385.html
If you wanted performance, why would you be programming in .NET anyway?
It is how you define your criteria as to what is "vulnerable" and what is "safe".
They would have done a LOT better in just sticking to the design of each instead of counting admitted vulnerabilities and patches.
Microsoft has been known to sit on vulnerabilities for a LONG time (http://www.eeye.com/html/research/upcoming/index
Security starts with the security model. Here is where you'll see patches to disable stuff in a flawed model. You cannot just count the patches here, but they are useful for evaluating the model itself.
Then that model has to be implemented in code. This is where you'll see bug fixes for code errors.
The last thing to look at is any application built by someone else on that platform.
And one last item to consider. Any platform is only as "secure" as the level beneath it. If
Here is where they get it wrong on Java: So, if Windows is compromised and code inserted to Java to run, then Java is at fault
Either you count it as a flaw in both, or you don't count it for either.
The age difference is kind of abused in the article in the first graph. It shows that java had many security issues in the first few years, when the security model was not very mature yet and as I understand changed between releases. By shifting the time axis between .Net and java there seems to be a huge difference where java has had many problems while .Net "at the same time" had none. If one would look at the last 3 years the difference wouldn't be so bad (although java had some more). The first few "bad" years of java could be justified by the age difference (different time/focus, .Net could learn from java, etc), but are presented falsely by shifting the time axis and by cumulating all those vulnerabilities of the first years of java.
.NET.
It is too bad that the article seems biased in how it presents its research, because it does seem to look at some interesting issues.
That being said, most comments here on slashdot seem to be equally biased. I am a big open-source fan and dislike many (but not all) Microsoft products, but like to keep an open mind. As an experienced java programmer, I must say that c# has many interesting features and seems in some ways even better than java, both as language (no checked exceptions, explicit override/virtual keywords) as in the underlying IL. I liked the point in the article about the call/invoke opcodes, which seems cleaner on
Disclaimer: I can't claim I read the entire article, but I at least skimmed through it. I am also not an expert on (java) security models or bytecode/IL issues.
Because we don't want to use VS 6?
Wake me up when the .NET runtime ships in an easy installer on Mac, Linux and FreeBSD.
.NET for AIX?
E.g. (speaking for OS X) "net.dmg" sits in microsoft.com/mac , there is installer pkg for it...
They should spend time making it truly multiplatform (no Fink, Mono, 2 GB of developer tools!) so we see some applications coded with it on all platforms, rather than making universities abuse their name with stupid donations from Microsoft.
E.g. Virginia.edu server runs AIX. Is there
This could have been written by a MS PR flack.
.NET... better than... VBScript! You remember that, right? On Error Resume Next? Set? Don't Set?
.NET an open standard. Does MS provide full specs and all cross-platform sources for their product? No, they do not. They only give some parts of it, I imagine so that they can fool people like you into not noticing the shackles being attached. Why is it that Mono is spending years reverse-engineering the core APIs and hoping they won't be sued for patent infringement all the while? There is nothing like this in the Java world. This is why Java will still be jumping to new OSes and hardware architectures long after .NET is de-supported.
.NET is, and there are many more Java jobs than .NET jobs. .NET may have a future, of course... the world's appetite for version 1.0 and 1.1 Microsoft products seems curiously inexhaustible. But today it's hardly the first language I would tell a young programmer to learn.
.NET programmers spend an hour with IntelliJ Idea and weep with envy. There is a mountain of impeccable, production-tested enterprise-class BSD-licensed libraries for Java. If you look at the enormous work the Apache foundation has done, there is nothing in the .NET world that compares to it, though there are things that aspire... and may some day...
Microsoft did a better job with
What Microsoft means is for developers to get locked into a closed, proprietary, patented platform that Microsoft controls. "Neutral standards committee" standardized the steering wheel of the car but not the engine... It is utterly wrong and highly deceptive to call
Java is mature, fast, and an industry standard. It's taught in universities more than
dotNET development tools and 3rd party libraries are immature compared to Java...
dotNET has some sugar and some cute extra features; it also has some mistakes and pitfalls. It's a vaguely improved Java knock-off, and what it offers in no way compensates for becoming locked into the world's most notorious vendor.
Tired of Political Trolls? Opt Out!
" If it took you seven seconds, you clearly didn't read the EULA. "
And you clearly didn't read my post as I said seven clicks, not seven seconds.
Thank you.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
he's right.
I don't feel like it...
Java security involves implementing a buttload of interfaces, which may then implement a "sandbox" policy. Java's reputation for security comes from the (almost) successful implementation of a sandbox for the Applet API in Netscape Navigator. Outside of the "sandbox", Java provides extremely powerful techniques to generate and dynamically load bytecode, techniques that are far easier to use than the equivalent, dlopen/LoadLibrary tricks on the native platform.
This ease of use leads to ease of abuse. People do stupid things like expose the ClassLoader over the equivalent of CGI in a web RAD platform; this enables access to any file readable by the application's effective id. Hope you're running your app server chrooted! No, I've never seen anybody actually do that, either! And even while this particular exploit has been "fixed", it is but the tip of the iceberg.
Java has an excellent security architecture -- the problem is that nobody uses it, and those who do are undermined by boneheads.
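As an added illustration of the point in the post above (this is example code written for this page, not code from the poster or from the UVA study), the sketch below shows what the Java security architecture does when somebody actually switches it on. A freshly started JVM has no SecurityManager, so the Policy is never consulted and any file readable by the process's effective uid can be opened. The example installs a custom Policy that grants read access only below one sandbox directory (the directory name under java.io.tmpdir and the file names are assumptions made for the demo), then installs a SecurityManager to enforce it; the same read that succeeded before is now refused with an AccessControlException. On JDK 18 and later the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to be permitted at all.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added example, not from the thread: a minimal Java file-read sandbox.
 * Before a SecurityManager is installed nothing is checked; afterwards every
 * FileInputStream open goes through SandboxPolicy, which only grants read
 * access under SANDBOX. The sandbox location itself is an assumption.
 */
public class SandboxDemo {
    /** Assumed sandbox root: a subdirectory of the JVM's temp directory. */
    static final File SANDBOX = new File(System.getProperty("java.io.tmpdir"), "sandbox");

    /** Policy that ignores where code came from and grants one fixed permission. */
    static final class SandboxPolicy extends Policy {
        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();
            // A trailing "-" in a FilePermission path means the directory and
            // everything below it, recursively. Nothing else is granted.
            perms.add(new FilePermission(new File(SANDBOX, "-").getPath(), "read"));
            return perms;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return getPermissions(domain).implies(permission);
        }
    }

    /** True if the currently installed policy (if any) lets us open path for reading. */
    static boolean canRead(File path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return true;
        } catch (AccessControlException denied) {
            return false;              // the SecurityManager refused checkRead()
        } catch (IOException io) {
            return false;              // missing file etc.; not the point of the demo
        }
    }

    public static void main(String[] args) throws IOException {
        // Set up one file inside the sandbox and one next to it (outside).
        SANDBOX.mkdirs();
        File inside = new File(SANDBOX, "ok.txt");
        inside.createNewFile();
        File outside = File.createTempFile("outside", ".txt");   // sibling of SANDBOX, not under it

        // Default JVM state: no manager, so the policy is never asked.
        System.out.println("manager installed: " + (System.getSecurityManager() != null)); // false
        System.out.println("outside readable:  " + canRead(outside));                       // true

        // Install the policy first, then the manager that enforces it.
        Policy.setPolicy(new SandboxPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("inside readable:   " + canRead(inside));    // true
        System.out.println("outside readable:  " + canRead(outside));   // false
    }
}
```

The granted set is deliberately tiny: once the manager is in, this class cannot read system properties, open sockets or exit via System.exit either, because nothing in the policy says so. A real deployment keys getPermissions on the ProtectionDomain's CodeSource so that trusted and untrusted code get different grants; the policy here treats all code the same only to keep the demo short.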
It doesn't work like that. You can't say "oh .net is slow so performance doesn't matter to people using it." If that were true then you could extrapolate it to say people who use .net would be happy with a free alternative that has no performance (i.e. takes infinite time to run anything).
--
WHO ATE MY BREAKFAST PANTS?
turn down the volume on your TTS... tsk.
Sometimes I use italics, which I personally find less readable, to separate out commented code (ha, I wrote code, I meant text...lol). If there is a lot I prefer to up the weight on it just to make it easier.
Now, I would have given you credit, but anyone who nitpicks netiquette on slashdot doesn't give a good impression of himself.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Especially when comparing it to java. I use
The world according to SComps
It was a real pain to read this thread and now this?!
Compare this: with this: Read both carefully. Read it again. Hint: Both are from Roget's II: The New Thesaurus, Third Edition by the Editors of the American Heritage® Dictionary, Copyright © 1995 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.
OK, another hint: This is how a dictionary definition of dynamic starts in The American Heritage® Dictionary of the English Language, Fourth Edition Copyright © 2004, 2000 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.
The point is that dynamic and dynamical are synonyms, for God's sake!!
Incidentally, the adverb dynamically is derived from dynamical, not dynamic. Otherwise it would be dynamicly which it isn't.
Who the hell is moderating this thread??!
Can't you see that this misinformed English lesson from the joker who asserts that:
s = a.plus(b).plus(c).dividedBy(2); A = Math.sqrt(s.minus(a).multipliedBy(s.minus(b)).mul
is easier to maintain than:
s = (a + b + c) / 2; A = sqrt((s - a) * (s - b) * (s - c));
is nothing but a Troll??
A whole pointless thread because some ignoramus doesn't know English and still tries to be a smart ass? Are you mods on crack??!!
.net still runs on at least 3 platforms thanks to Rotor, making it 2 better than Java
.NET? It runs on every platform as long as it's Microsoft Windows! Wow.
I was using Java on Linux, Solaris, SunOS, HP/UX, IRIX, Windows, FreeBSD and OS/360. What about
No, you were using it on the JVM. The fact that there's a reasonably good emulator for all the platforms you list is beside the point. Whereas .NET can run properly, natively, on Windows, FreeBSD, and at least one other Unix.
I am trolling
"Why is it when you have an unpopular view point, you're considered a troll."
It's simple. Quality is in the eye of the beholder. More important, the readership doesn't take its metamoderation duties seriously. When a Linux zealot "unfairly" marks off an article as a troll, the metamoderator is supposed to mark him off as unfair. The zealot should start to lose the opportunity to moderate.
What I see as the problem is that people are so eager to express an utterly unremarkable or weakly humorous post that a good issue is flooded with over 1000 responses, but only a few are worth reading, and even worse, the few worth reading are lost in the chaff. That is the tragedy of Slashdot; it has become so successful that it only attracts marginally intelligent geeks who then have to express every incorrect and vacuous opinion. And the current moderation system cannot address this problem.
Even if you have conscientious moderators and metamoderators, there aren't enough to make a difference, thereby rendering the website useless. Heck, even when I see a hot button issue, I'm not going to wade through 1000 posts. I just scan until I see five posts about which I have strong positive or negative opinions. I never get down to the bottom of the list.
What I would like to see is an alternate moderation system without a karma mechanism (perhaps running along with the current system.) Let it only consist of two moderation values "props" and "lame". Let that be open to every member, all the time, in unlimited supply, but can only pos/neg one user once per day. Sure, users will try to abuse it, but they will be compelled to read every article they "lame". People can then filter based on the voting of the entire readership. The win is that I don't have to go through 1000 posts to make the current moderation system work.
Even better, allow users to filter their rankings based on who's making the rating. The newbs and non-account holders need a generic rating to filter worthwhile messages. The "real" readers can take out the trolls with the "friends/foes" feature. The "moderation" data should be cacheable, and the reader can yank it down and process it on their PC if they want it. Hopefully, that wouldn't overly tax server resources.
The real problem is that management doesn't give a damn anymore. It's apparent from the quality of stories, the increase in duplicate stories, and this current, broken system.
Can anyone recommend a Slashdot alternative? I really only look at Slashdot now to get a glimpse of a newsworthy geek item. Publication mags just don't do it, and Kuroshin is a tad too dry for my tastes. If enough primary source websites start to RSS, I may just setup a screen to get information that way.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Was that supposed to be funny or are you really such an idiot? Both Java and .NET apps need a runtime environment to work. Your semantics masturbation won't change the fact that I can run Java programs on more platforms than I can run .NET programs on. Period. And THAT is what matters, not what is more "native" than something else. In other words, ".NET programs work on fewer platforms but where they work they are more 'native' so it somehow makes it more portable" is pure bullshit and you know it.
If that were true then you could extrapolate it to say people who use .net would be happy with a free alternative that has no performance (i.e. takes infinite time to run anything).
.NET running on XP.
And it would still be faster than Microsoft
.net doesn't. You can compile it to native code.
Your semantics masturbation won't change the fact that I can run Java programs on more platforms than I can run .NET programs on. Period. And THAT is what matters, not what is more "native" than something else.
If what you're doing with Java counts as running then I can use Bochs to run .net on any platform.
I am trolling