Mozilla Blocks Vulnerable Java Versions In Firefox

Trailrunner7 writes with this excerpt from Threatpost: "Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks. 'This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms,' Mozilla's Kev Needham said."

Soo

Does this mean the Java plugin will refuse to install now? They should do the same thing for Flash.

Re:Soo

[poetmatt]

Also makes me wonder what happens to bad legacy apps which rely on the older versions of java?

Re:Soo

[Bigbutt]

That's my problem. I have older Dell hardware that requires a specific version of Java or we can't get console access. I have an old laptop that I use to maintain the older versions so I can still get that access.

[John]

Re:Soo

those apps should die anyway. I have an array of Virtual machines on my workstation just to keep that kind of crap happy.

This is really a PITA.

Re:Soo

[LordLimecat]

I believe you can override it on a per-page basis. Thats how chrome deals with it.

Re:Soo

[jorgevillalobos]

This is a softblock, meaning that you can ignore it if you want to or need to.

Re:Soo

> those apps should die anyway.

In other news, IE is gaining market share again, FF losing.

Users hate it when companies turn arrogant and remotely turn off their stuff because they decided it "should die".

Re:Soo

[scdeimos]

I believe you can override it on a per-page basis. Thats how chrome deals with it.

Afraid not, it's a choice of completely disabling the plugin or not. But the disablement dialog that pops doesn't tell users why Firefox wants to disable Java, and the default state is disabled, so the majority of users seeing it will probably just disable it.

I wouldn't expect this to affect the majority of Java users out there - only the ones like myself that have disabled JRE's automatic updates.

Re:Soo

[justforgetme]

Actually client side Java in the browser should go away all together. It was is and always will be a disgrace to the Internet
as well as a giant vulnerability generator. Plus when, finally, all those plugin cancers (Java applets, Flash, unity3d web
whatsoever) get eradicated the WWW experience will become much more concise, user safe, efficient, homogenous
and enjoyable.

Java dying?

[Compaqt]

So sad what has become of Java.

I know a large part of Slashdot hates Java, but:

-Java passed C/C++ on Sourceforge a while back
-Java was the first language of a lot of people because a lot of colleges adopted it
-Java was the first real and powerful language for a lot of people
-Java held out the promise of developing programs not beholden to M$, thereby making a lot of platforms viable
-Java was supposed to make things easier for the small developer (ISV) by allowing write-once, run anywhere.

So that's why a lot of people have good feelings for Java. Unfortunately, it's dying of a thousand cuts.

Re:Java dying?

[jellomizer]

I think Java is just maturing not dying.

Java found it niche. JavaEE is still big, as it is a great platform for Web Services. However Java Applications have never gotten popular because they always end up looking a bit out of date (although it has greatly improved) compared to what the other platforms offer.

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

Re:Java dying?

[ruinevil]

Mainly... its often slower C/C++, so the simple presence of the Java icon makes both programmers and users exasperated and annoyed.

Secondly, people hate it the same reason colleges love it, it forces sane programming techniques, like Pascal did.

Thirdly, it is abstracted away from machine code, so you cannot understand what your algorithms do in assembly.

Re:Java dying?

[Necroman]

Java's server-side is still very strong and won't be going anywhere anytime soon.

Java as a language for UIs, not so much. The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward. Plus it always felt just enough different from native applications to stop developers from using it.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

Re:Java dying?

[afidel]

Maybe java applications never got popular with end users but they're pretty much the standard for advanced GUI management interfaces on enterprise equipment. I hope for the sake of people who need older java versions to access the management interface on their switches, storage arrays, etc that there is an advanced preference to turn this feature off (if not globally then on a per-domain basis).

Re:Java dying?

[eternaldoctorwho]

According to the language rankings by TIOBE, Java is still very much in the lead, with only C as a "competitor" (although I think the practical usages of both languages are disjoint enough to not worry about competition). Everything else is training behind by a fair margin.

Re:Java dying?

[The+MAZZTer]

Minecraft runs on Java, so it'll stick around for a bit longer whether we like it or not.

Re:Java dying?

[oh_my_080980980]

And that (the enterprise) my dear sir, is where the money is at.

Re:Java dying?

[rudy_wayne]

-Java held out the promise of developing programs not beholden to M$

So now you can make programs that are beholden to Oracle, who are just as bad, or worse.

Re:Java dying?

[oh_my_080980980]

"Thirdly, it is abstracted away from machine code, so you cannot understand what your algorithms do in assembly."

You're joking right? Who the hell knows machine code these days. That's the point about higher level languages, you program in near real language not assembly.

The java icon is not nearly as annoying as Flash.

Re:Java dying?

[Myopic]

Java definitely isn't dying. I thought it was over the hump about five years ago, and started using other languages. Since then, Android dev has exploded, and now I spend my time using Cassandra database (Java) and Storm topology runner (Java).

In the past we used Java to make web pages a little more interesting. Today, web pages can do enough with HTML and JavaScript, so we don't need Java applets anymore -- and good riddance, at that. But that hardly means Java is dying. It isn't. Not at all.

Re:Java dying?

Maybe Slashdot hates Java in part because its evolution as a language has become stunted and, after you've used other, better languages (C# being the obvious comparison), it's painful to go back.

Re:Java dying?

[Myopic]

The presence of a Java icon doesn't make programmers exasperated, it makes us thankful to have a tool which manages memory for us. Memory management is hard, and this tool makes it easier. All programming languages are tools, tools which do some things better than others, and memory management is one of the most important features of a programming language as a tool.

Re:Java dying?

Unfortunately, it's dying of a thousand cuts.

It is, even as someone whose never been a fan, I can recognize it has so much damn potential. As an observer, the idea of Java Web Start seemed to be a decent alternative to the square peg we've been pounding into a round hole for the last decade of jamming applications into webpages. Of course I knew it wouldn't get any traction, but it seemed like a solid idea.

Re:Java dying?

Your so-called x86 "machine code" is reinterpreted by the processor into RISC-like microcode that only vaguely resembles your binary. It's been like this since the Pentium II.

Re:Java dying?

after you've used other, better languages (C# being the obvious comparison),

LOL. C# is Java with the kitchen sink thrown in. 80% of the "features" added to C# lead to shitty, unmaintainable code.

The other 20% I'd like to see in Java XD

If you wanted to pick a "better" language you'd have done better with F#, Haskell, or Clojure.

Re:Java dying?

[Korin43]

I think being abstracted away from the operating system is more important than assembly output or execution speed differences. I suspect a lot of Java programs feel slow because they're not using the power of their OS as well (virtual memory and various kinds of notifications, plus the fact that NIO isn't promoted very heavily).

Re:Java dying?

[CubicleZombie]

However Java Applications have never gotten popular because they always end up looking a bit out of date

The Windows look-and-feel should have been enabled by default. Then Java wouldn't look like a 15 year old version of Solaris.

Re:Java dying?

More like Slashdot hates Java because they flunked their intro CompSci course at the community college and now "develop" by tweaking PHP blogging software.

Re:Java dying?

[Windwraith]

"Slashdot hates Java because they hate anything that isn't Pure GNU open source."
So how do you explain the massive influx of Apple lovers?

Re:Java dying?

[CubicleZombie]

The built in UI widgets and windowing (Swing) is weak at best. While it has many of the basic widget types, it hasn't really evolved much as time has moved forward.

Hasn't evolved, compared to what? Its big competitor for the rich-client is .NET, which is basically just a wrapper over same old Win32 controls we were using with MFC in the 90's. I can do anything with Swing.

Java applets, I feel, have been dead for a long time. Applet initialization time was just too long or would break during loading to discourage people from using it. Though, I've seen Java Web Start work pretty well for deploying Java applications.

The worst thing to ever happen to Java was Netscape 3.x and the Hotspot VM. Everybody remembers the "Starting Java..." message on the task bar - for several minutes - and then the inevitable browser crash. That sealed Java's fate on the client.

Re:Java dying?

Don't forget that whoracle began bungling crap with java updates like Mcafee trials.

Re:Java dying?

[__aaltlg1547]

More to the point, being abstracted from the machine-code level is the point of writing in a higher-level programming language.

Imagine the horror of writing a simple dialog box to enter a string in machine code. Maybe one in a ten million programmers has ever actually done that.

You should only even consider opening up the assembler manual if you are about to do something that's machine-specific and not supported by whatever higher-level language you're using for the bulk of your project.

Perhaps ruinevil was considering that there's value in understanding what operations processors can do at the the machine level, and I agree that there is, but it's easily overstated. 99.9% of the time, I don't care what low-level operations have to happen to make my higher-level program compute and I certtainly don't want to waste time thinking about it when I don't have to.

Re:Java dying?

[antdude]

Why was Minecraft designed for Java anyways? I find that annoying. I can't get rid of Java just yet. Can't it use something else? OK, Flash sucks... Silverlight, ugh. :(

Re:Java dying?

[TheRaven64]

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver. It promised to be portable, but running it on anything that isn't one of under half a dozen blessed platforms is painful. That new MIPS server? Sorry, no Java for you! For a long time, even Java on *BSD on x86 was painful due to onerous licensing requirements (binaries weren't redistributable, so you needed to download the source - manually so you could agree to the license agreement - download the Linux version, use the Linux version to compile the BSD version).

Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on. If I have a Java library, it's difficult to use it from anything that's not Java. Conversely, it's difficult to use existing libraries from Java - JNI is a whole world of pain. This means that Java often involves reinventing the wheel, while other languages just provide thin (and often automatically generated) wrappers around libraries written in other languages where appropriate.

Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

Re:Java dying?

[__aaltlg1547]

The X86 instruction code is the lowest level that's accessible. You can only cause actions to happen at the core level by executing machine instructions.

Re:Java dying?

[Mongo+T.+Oaf]

I think some people don't understand the difference between java and java script. After learning python, I realize how much fun java can be. They're both interesting. Very relate-able. From C, C++. Both languages are very powerful languages. More fun than plain old C.

Re:Java dying?

[TheRaven64]

Oh, and I forgot to mention the UI problem. Java UIs look and feel wrong on every platform, although they look and feel least wrong on Windows. Java promoted the idea that you should use the same UI on every platform (ignoring the fact that different user interface guidelines are one of the main differences between platforms, from a user's perspective). They intentionally made it difficult to use the target platform's user interface APIs with Java code (although Apple fixed that on OS X in 10.0, before deprecating it around 10.4) to push the idea that you'd run the same code everywhere. Good cross-platform GUI apps are MVC, using native views and slightly different controllers on each platform, but the same model code. Doing this in Java is much harder than it should be.

Re:Java dying?

[__aaltlg1547]

But they base their rankings on web searches, which is pitiably lame. The fact that a language showed up in a web search is subject to variation based on press releases and manipulation.

If you want high-quality information, survey professional and amateur programmers and ask them what languages they have used in the last month.

Re:Java dying?

[Bill_the_Engineer]

So how do you explain the massive influx of Apple lovers?

Because being fond of Apple products and being fond of GNU open source isn't absolutely mutually exclusive.

Re:Java dying?

[Hentes]

Many people like Java and it's not going anywhere in the foreseeable future. But Java applets are a different story, they will die a well-deserved death.

Re:Java dying?

[CosaNostra+Pizza+Inc]

Java is alive and well in enterprise server environments and mobile devices. Any tablet or smartphone that runs Android is using java for the majority of its apps. Also, as some other posters pointed out, Java is continually maturing.

Re:Java dying?

[Compaqt]

>Some rookie mistakes, like making String final.

Well, the way the father of Java (Gosling) explained it, I think he said something like if you could subclass String, then you could send a MyString to a someplace that expected a String, and possibly hack into something rather (password, etc.).

Re:Java dying?

[gstoddart]

Because being fond of Apple products and being fond of GNU open source isn't absolutely mutually exclusive.

With all of the hate directed at Apple, I actually have a hard time believing that.

Re:Java dying?

[Compaqt]

Well, I can't speak to the crazy-insane complicated machine code of today's procs, but I think compsci students should at least have a basic intro (like 1 or 2 days) to assembly/machine language, like maybe in an 8086 emulator on Linux.

Just make it do something, like access the MS-DOS subroutines (in FreeDOS).

The point is just to have some sort of grounding in what actually happens in a computer.

Re:Java dying?

[tlhIngan]

Java's pretty big in the consumer market - every blu-ray player uses it, most cellphones (vast majority) have a JVM, and Android uses it as a development language (though the bytecode used by Android isn't Java bytecode).

It's become the embedded language - used everywhere but few people noticing.

Re:Java dying?

Sure. Just rewrite it yourself in your favourite language du-jour you lazy fuck. Sorry, what should the World (which clearly revolves around you) do to alleviate the pain you must feel having Java installed on your machine?

Seriously, if you're an independent game developer Java is hard to beat because you get Mac, Linux and Windows support almost for free.

Re:Java dying?

[Bill_the_Engineer]

I'm just going to respond to a few of your points:

No, there are a lot of legitimate reasons to hate Java, mainly because it promised things it couldn't deliver.

There are plenty of other languages that promises much and deliver few. I think a lot of language preference depends on what you learned first and who you choose to associate with. I know plenty of Perl programmers who swear Perl is the one true language, and the same with C++, Python, Ruby, etc. Each language has its strength and weaknesses, but none of them have anything that warrants the level of hate. Except for Perl it is perfectly fine to hate that one. :P

Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

I don't know where you get your information from but Java does pretty well on the performance front. It benefits greatly from its static typing system and doesn't suffer from the overhead that is associated with the dynamic languages like Perl, Ruby, and Python. Java is magnitudes faster than the current batch of young languages and is in close ranks with the big three (C, Fortran, and C++). The fact that it runs without recompile on multiple hardware platforms is a bonus.

Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on.

To be fair, I'd hope it would be trivial to call a C library from within C++ and Objective-C otherwise something is seriously wrong since they are pretty much derived from C. As for "so on" I do know that there is usually a binding meta languages involved (Perl's comes to mind), so I don't think JNI is any less different than the others. Since the other languages tend to be *much* slower, binding to a C library is much more important for them.

Then there's the incompatibilities between versions. Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working. Meanwhile, the statically compiled, statically linked, program in another language works just fine...

Not necessarily true. You can keep your older versions of the JRE installed. Of course your comparison is with a "statically compiled, statically linked program" and not the more compact and prevalent dynamically linked programs. Nothing prevents someone from continuing to use the older JRE with a Java application that has all of its dependencies included in the application JAR file.

And then there's the library system. Some rookie mistakes, like making String final. More importantly there's the design patterns fetishism that's so prevalent. There's a reason for all of those JavaProgramFactoryFactoryFactory jokes...

And this is unique to Java?

Re:Java dying?

[mcgrew]

IMO if you don't know assemply (on at least one chip) you're not much of a programmer, because you really don't know what your code is doing.

You do realise that the CPU designers know machine code, right? And assembly was closer to human language that any of the high level languages. MOV A, B. Simple, elegant, easily understandable. If you know assembly, learning any other language is pretty easy.

Re:Java dying?

[Bill_the_Engineer]

With all of the hate directed at Apple, I actually have a hard time believing that.

How does hate being directed at Apple apply?

If we are talking about a group of people who like Apple stuff then why would someone's, who is outside of that group, opinion of Apple affect the Apple group's affinity towards GNU open source?

Re:Java dying?

Your numbers are slightly off, but I agree.

Re:Java dying?

[TheRaven64]

It benefits greatly from its static typing system

No it doesn't. That was one of the things that the StrongTalk team learned when Java was in its infancy. Type feedback (in class-based languages) provides more accurate information than user type annotations. A modern JVM doesn't even use the source-language annotations, it infers the types based on profiling.

{lots of stuff about how Perl is even worse}

Not really relevant. Yes, there are worse languages than Java. There aren't, however, any languages worse than Java that are anything like as successful as Java.

And this [design pattern fetishism] is unique to Java?

Not unique, perhaps, but Java does it far more than any other language. Design patterns are useful, but they can be taken too far. Occasional frameworks do in other languages. Pretty much everything in Java does.

Re:Java dying?

[lwriemen]

How about this post? http://radar.oreilly.com/2012/03/computer-book-market-2011-part1.html?google_editors_picks=true

From the article:

A nice steady pattern for Java now. Growth in each of the previous three years. It is the 12th largest category overall and reached that same rank in 2011.

It seems like programmers are still buying Java books, so interest must be there.

Re:Java dying?

[VGPowerlord]

Why was Minecraft designed for Java anyways?

As Maslow once said:

I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.

Replace "hammer" with "Java JDK" and "nail" with "Java Program."

Re:Java dying?

[phorm]

I would guess that the author is a strong Java programmer, but possibly not so much other languages?
That or he wanted portable (hey, it runs quite nicely on 'nix and windows with not so much fuss)

Re:Java dying?

[CryptDemon]

Why does everyone bring up swing? What about AWT and SWT? SWT looks the same as native components on any of the platforms. Eclipse uses it. IBM uses it in some of their stuff. We use SWT in our java projects here at work.

Re:Java dying?

While these are all fair points, the fact that Java is not as free/open as it could be is not only a legitimate reason for avoiding it but, in my opinion, the best reason.

Were not talking about a game or a piece of software, or even an operating system. We're talking about a programming language! If it is not truly open and/or free then there needs to be a very good reason why. If it is controlled by a large, for-profit company in some way then you can easily use it for a small, personal project, but if you are part of a large team designing a large suite of applications for a company this dependency could become a real problem and needs to be factored in.

The foolish man builds his house upon the sand.

Re:Java dying?

Indeed, C# exists because Microsoft tried to embrace-extend-exterminate Java early on and Sun pulled their Java license because the violated the terms. Ask Eric Schmidt, now of Google fame, who was there when Microsoft signed the licensing agreements. So Microsoft invented a new language to "be LIKE Java" but not Java.

Re:Java dying?

Considering the glacially slow rate of development, I'd say he's not a strong Java programmer either. :>

My favorite Infiniminer clone ATM is probably Minetest-C55, which is pretty featureful despite being early days, and it runs lightning fast and light. (Word has it somebody hosted 100 players on an Atom notebook.)

http://c55.me/minetest/index.php

Re:Java dying?

[subanark]

No. Matching the host OS look is less important than components being out of place since they weren't fully tested on that particular host OS. If you want to take the time to ensure that despite the sizing differences of components it still looks good on other OSs then you can include the 1 line of code to set the look to be native. If you want to slap something together quickly, then it is better that it look the same on all platforms which brings it closer to the goal of "write once run anywhere" (which still holds mostly true).

Re:Java dying?

[olau]

And this is unique to Java?

No, different languages have different kinds of brainwash. But that doesn't detract from the point that the community programming in Java is suffering from it. And managed to get the non-sense carried over to the C# community. Too Much Inheritance, Too Many Concepts. :)

With C++, there's a similar problem that everyone is focusing so much on performance and painstakingly-specified static types that the language as a whole is missing out on some big opportunities. Most of the things that really save me time in Python could have been done in C++ too with no impact on overall speed. But they aren't, or only half-baked, because otherwise corner cases X, Y and Z may be slower or less precisely typed - and thus my Python programs are much shorter and neater than my C++ programs.

Re:Java dying?

[Sperbels]

If you know assembly, learning any other language is pretty easy

Knowing any programming language makes learning another easier. And I would have to say that knowing a high level language makes learning another high level language easier, but knowing assembly language is less useful in this regard because it's so radically different.

Re:Java dying?

[olau]

And then there's the library system. Some rookie mistakes, like making String final.

I disagree. The best thing Gosling could have done to Java were making all classes final. It's certainly better than the other way around. Inheritance is in many cases one of the fastest ways of turning an otherwise sensible design into OOP spaghetti.

Re:Java dying?

[CubicleZombie]

Windows look and feel should have been the default for every platform.

Re:Java dying?

[ultranova]

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

No, the good programmers hate Java because it prevents the largest class of programming errors (buffer overflows) by removing some control form the user at the cost of some performance and certain C++isms, and the mediocre programmers hate Java because they have delusions of being good programmers. And of course plenty of programmers hate anything that makes programming easier out of fear that it'll devalue their skills.

Re:Java dying?

[shutdown+-p+now]

If you wanted to pick a "better" language you'd have done better with F#, Haskell, or Clojure.

Except for the whole part when it comes to tooling, IDE support, and ecosystem in general.

Re:Java dying?

[Anomalyst]

I think Java is just maturing not dying.

Two words:Menopause & Osteoporosis.

Re:Java dying?

[shutdown+-p+now]

So Microsoft invented a new language to "be LIKE Java" but not Java.

This was relevant 10 years ago when C# first appeared. Since then, it has evolved at a pace much faster than Java, and has many more useful features. Case in point: C# has had full-featured closures for 7 years now; Java is only getting them in the upcoming release.

Re:Java dying?

[Anonymous+Brave+Guy]

As far as look and feel goes, it's a fallacy that all you have to do to make a GUI feel native is change the chrome. You can't turn a Windows native application into an OS X native application just by altering how you draw a button and a checkbox. No GUI toolkit that is based on the assumption that you can will ever be any good for making professional level user interfaces on any platform (or at least, on any more than one platform that it secretly favours).

Re:Java dying?

[shutdown+-p+now]

A modern JVM doesn't even use the source-language annotations

I find that hard to believe. Can you point at some reference for that, or, better yet, at the code (in, say, Oracle JVM repo)?

Re:Java dying?

[CondeZer0]

Java has become exactly what it was meant to become: The new COBOL.

Re:Java dying?

[shutdown+-p+now]

You don't need Java to manage memory for you - there are plenty of other (better) languages that also do that, and you can have a GC for C/C++ if you really want that.

Re:Java dying?

[CondeZer0]

J2EE is as close to a cancer as software can become.

Re:Java dying?

[shutdown+-p+now]

Hasn't evolved, compared to what? Its big competitor for the rich-client is .NET, which is basically just a wrapper over same old Win32 controls we were using with MFC in the 90's.

It sounds like last time you've used .NET, it was WinForms only. Have you seen WPF? It's been around for, oh, only 6 years now. And its implementation of MVC puts Swing to shame - you can wire up a lot of model/view interaction purely declaratively, without writing a single line of code.

Re:Java dying?

[shutdown+-p+now]

Java is a pretty basic language, so automatically translating it to something else is not all that hard. Libraries are trickier to deal with, but how much does Minecraft use from the standard library? Basic stuff like collections and file I/O is trivially rewritten. And, so far as I can see, for graphics it's essentially just OpenGL with a thin wrapper (LWJGL) that mostly deals with initialization and such, from there it's the usual OpenGL API calls.

Re:Java dying?

[Ksevio]

It's just a pain to work with in general too.

The docs are often lacking and often don't have examples - looking up examples will usually give you a 200 line program in order to use the one function.

The idea of classes and separation seems great, but it creates so much overhead and reduces the "helper" functions that most languages have. Try just reading from stdin or a file without involving half a dozen classes (that all need to be imported too!).

Interfaces are inconsistent and buggy (seen bugs not fixed for several years). Laying out anything is awkward and never looks like the system styling (unless a lot of extra effort is put in).

Security is a mess - partially because java programs are designed to be loaded on the fly off the net, but then there is strange sandboxing like not allowing java programs to access the system clipboard.

Re:Java dying?

[subanark]

Three issues with this:
1. Java uses some of windows assets when doing the windows Look and feel. This can cause legal problems if they allowed the windows look on other platforms.
2. There is a Windows XP and a Windows 6/7 look and feel.
3. Showing someone a Windows look on a non-windows platform may cause more resentment than one that looks a bit of of place.

Re:Java dying?

[TheRaven64]

With C++, there's a similar problem that everyone is focusing so much on performance

More accurately, everyone is focussing too much on microbenchmark performance. C++ is a language designed for an inlining-happy compiler with lots of compile-time specialisation. This results in very large code, which means that you end up with a lot of instruction cache churn. That's a total performance killer on modern hardware for large programs, but new features of C++ (with the possible exception of lambdas) are designed to make it even worse.

Re:Java dying?

[tommy8]

Arn't most android apps written Java?

Re:Java dying?

You may dislike it, but being run on Java has allowed the community to hack it to pieces. Maybe that's why there's so few Java applications.

Re:Java dying?

[dkf]

More accurately, everyone is focussing too much on microbenchmark performance. C++ is a language designed for an inlining-happy compiler with lots of compile-time specialisation. This results in very large code, which means that you end up with a lot of instruction cache churn. That's a total performance killer on modern hardware for large programs, but new features of C++ (with the possible exception of lambdas) are designed to make it even worse.

It doesn't help that C++'s standard library features aren't really all that strong either. Only C is really weaker, but that's a language with a tiny standard library anyway; building your own better version out of the C primitives is quite acceptable. C++ aspires to be better... and fluffs it. Don't believe me? Compare the string handling of C++ with that of Java or C# or Perl or Tcl or ... Well, let's say it like this: C++ gives you the pain of the complexity without nearly enough of the gain of well-implemented features.

The biggest problem with most large C++ programs though is in the way they handle memory. On exit, they like to neatly tidy up everything across their virtual memory space to a lovely pristine state with everything perfect. When the OS can do so much more cheaply (at nearly zero cost) and without stalling everything while every last bit is paged back in just so it can be deallocated. If C++ was a programmer, it would be an asshole with OCD. Just exit already! (Before you ask, I do know why it works the way it does. I just think that the net result is one of total fail from a user's perspective; it's making the computer "act stupid" for no truly good reason.)

Re:Java dying?

OpenJDK is free software.
Therefore you are not really dependent on Oracle.

Re:Java dying?

[dkf]

the fact that NIO isn't promoted very heavily

Using NIO is about as much fun as using the poll() or kqueue() directly in C, i.e., not at all. It's also full of fussy limitations and restrictions. (Want to use NIO with subprocesses? Hah!) A great chance to make things better was wasted with NIO because its authors didn't know jack about what was actually wrong with IO in Java in the first place.

There is much about Java that is good. The IO classes — whether old style or NIO — are not part of that goodness, and the major point of most Java frameworks seems to be that they hide IO away from sight. (Or databases, but they're really just more fancy IO.)

Re:Java dying?

[SplashMyBandit]

The feature that C# doesn't have is 'cross-platform'. This is not a language flaw, it is a library and design flaw - targeting Windows. Mono does not implement the same libraries as the Microsoft .NET stack, and it turn out it never will. Unless you are a Windows only shop (which only households and smaller companies are) then the .NET stack has a lot of wonderful features but will always be technically inferior to Java because of the lack of true cross-platform capabilities. The fact that C# has some nice syntactic sugar is great, but still misses the point that you want your language *everywhere* you need to be. Java adopts features slowly not because the maintainers don't know about closures etc, it is because the language maintainers are trying to avoid Java turning into C++, which is harmful for enterprise adoption (with some lesser skilled programmers). This is one reason Java gets about 3 times the adoption world-wide as C#, despite the C# language niceties (see Tiobe for numbers). I can't see that changing for a long time no matter how many funky features C# gets first.

Re:Java dying?

[SplashMyBandit]

I have developed and released Java desktop applications. People usually like the 'Nimbus' theme (which is cross-platform). In fact, Nimbus generally looks better than native Windows controls (especially all those hideous CTRL3D.dll apps out there). I have never had anyone refuse to use my products because it didn't look exactly like a Windows application. So, I consider your statement a fallacy.

Plus, I don't think you have used a Java desktop application for a long time (there are a lot of them out there, eg. Azureus etc, but most people don't even know they are Java since they bundle their JVM and 'just work' without making a fuss - if the developer knows what they are doing). Your, "15 year old version of Solaris" statement sounds like you have been living in a cocoon. Most applications these days have their own look-and-feel anyway (even the Windows-only ones), and users are used to using them without whinging (the same can't be said of the so-called 'Windows power users', who cling to their environment and 'The Microsoft Way' development model as if it was still the 90s).

Re:Java dying?

[SplashMyBandit]

Lol. You are *very* out of date. No need to use JNI when JNA provides excellent access to native code. Pus, ever since Java 1.6u10 it *screams* (for example, all graphics are implemented as OpenGL or DirectX shaders, depending on the platform). In fact, INRIA found that Java beat C++ for their uses and was approaching FORTRAN for speed, and that was 4 years ago (and Java is faster still now with things like the G1 collector): https://blogs.oracle.com/jag/entry/current_state_of_java_for

I hope that helps get you up to date on why developers and enterprises who know what they are doing continue to use Java (more than any other language, according to the Tiobe index).

Re:Java dying?

[shutdown+-p+now]

Yes, I never argued to the contrary. That said, there are plenty of cases where people really only care about Windows, and plenty of MS shops.

I would also suggest to not rely on TIOBE for "adoption" - they basically measure the chattiness of the community associated with the language and little else, so their numbers are meaningless in most contexts. What you want to look at to estimate adoption are numbers of jobs. And if you do that, you'll see that Java vs .NET popularity varies a great deal between regions - there are some (e.g. AU/NZ) where .NET comes out on top, some (e.g. US) where they are head to head, and some (e.g. Europe) where Java is significantly ahead - which largely reflects the popularity of platforms other than Windows in the industry. I don't think it makes much sense to lump all those figures together and get an average - if you're a programmer in US, I doubt that the fact that Java is more popular in Germany is going to matter to you a lot in practice.

Re:Java dying?

[SplashMyBandit]

Problem with WPF is that it pretty much only works on Windows (Mono does not and never will implement WPF). That is a fail. Swing might be crufty but the parent was right - if you know what you are doing you can do *anything*, and have it work whenever you are. These days I'm on Linux, Mac OS X and Windows depending on which client I'm with at the time. Sadly, WPF can't do that - which is why the Java guys still look down on it (it's easy to get something to look nice on one OS).

Re:Java dying?

[shutdown+-p+now]

What I don't understand is why Java guys, instead of looking down at it, actually do something that can match it in expressivity - declarative markup for UI, data bindings, triggers, styles etc - but is cross-platform as well. It's kinda ironic yet sad that the thing that comes closest today is QtQuick, which is C++ with JS glue - and it's so much easier to do stuff like that in a language that has reflection capabilities built-in, without need for ugly macros you have to use in Qt.

In the meantime, as noted in my other post - there are plenty of tasks where cross-platform capability is plainly not needed. A great deal of in-house line-of-business software runs on Windows only, and will run on it for the foreseeable future. Sure, you can go cross-platform "just in case", but if it takes 2x development time and resources to do so because of reduced convenience of development, it is a waste with nothing to show for it.

Frankly, if you really want cross-platform, a web app is usually a superior choice - it's far easier to remain platform-agnostic on the server, and in any case you can keep it running whatever OS you want while changing the clients out. And with HTML5 these days, there's little a web app can't do that a desktop app (especially one written in pure Swing with no OS-specific hooks) can't.

Re:Java dying?

[SplashMyBandit]

If you want games that were built with Java, then you can also add the original IL-2: Sturmovik (flight simulator) and Bohemia Interactive's Take On Helicopters and Armed Assault 3 (Armed Assault 2 is the currently the best first-person shooting *simulator* - unfortunately not many people know about it) will have Java APIs for modding - which makes me think a fair chunk may be written in Java.

I myself have made plenty of mods for LockOn: Modern Air Combat in Java (moving maps, pilot statistics system, track replay tool etc). At the moment I have stopped modding LockOn/DCS and are working on the far more ambitious objective of developing a complete modern jet combat *simulator* (not game) in Java. What I have now already works on Linux, Mac OS X (where I do most development) and Windows. I couldn't be this productive with any other language/environment (eg .NET wouldn't meet my objectives) and still get my cross-platform goodness (also leveraging things like JInput,, JoGL, JOAL to handle much of the cross-platform stuff already etc). Java is great for games, if you know what you are doing. It is a shame that many developers cut their teeth on Java and write crappy code (since they are starting out) - and people think that crap products are due to Java (rather than the fact that Java allows people without much skill to make [barely] working software).

Java will never go away. Especially now that the GPL-ed OpenJDK is driving things (not Oracle, as many people think).

Re:Java dying?

[SplashMyBandit]

I'm from NZ and the small projects are .NET. Most of the bigger projects (for banks, government etc) are Java (this is where the money is - and has been a total goldmine for me personally). In fact, there limiting factor in Java projects in my part of the country is the scarcity of Java developers. There is a lot of pent-up demand that the statistics don't show (but my contract rate does :) ).

Re:Java dying?

[znrt]

I think Java is just maturing not dying.

Java found it niche. JavaEE is still big, as it is a great platform for Web Services. However Java Applications have never gotten popular because they always end up looking a bit out of date (although it has greatly improved) compared to what the other platforms offer.

java is dying from success. and of course i'm referring to j2ee. java on desktop or browser is anecdotical. it's technically sound but never made it through.

if you think about it, java is the perfect tool for any medium-big size software shop. everything is available: the language is basically sound, the api is endless and rich, there are lots of good tools for building, bug finding, profiling, optimizing, deploying ... you name it. java (j2ee) success in this area is indisputable (in fact, it has busted the .net monkeys thingie, that pursued exactly the same thing, to a limited captive market).

so what's the problem? well ... it's all just too easy. medium-big size software shops rely on all those standards and tools, build workflows on them ... so they can hire armies of clueless developers. and, obviously, produce glorious crap. throw in agile development (understood as blind running forward methodolgy) and you're pretty screwed.

java made cheap software possible. the problem is that there's no such thing as *good* cheap software, because it isn't so much about the tools, but about the brains.

throw in it is now mantained to oracle and you'll see this end in a big, big, big mess.

Re:Java dying?

[SplashMyBandit]

Aha! But what is the premier development environment for the Web? Google Web Toolkit! and what language and tools do you develop that in? Java, of course. Microsoft saw GWT and coveted it, creating Project Volta, but that is stillborn. Plus, anyone doing raw Javascript is bonkers - GWT handles all of that for you and let's you get on with the really important stuff (writing bug-free code in the presence of a multiplicity of business requirements). So, you can keep your C# thank you very much. For desktop stuff I can use Java. For the Web I can use Java. For embedded systems I have used Java. For Internet-scale infrastructure (tens of thousands of servers) I have used Java. I have used a lot of programming languages and environments (including C#.NET, and all the old Microsoft technologies back to the early Windows versions and DOS days) over two decades but there is only one development environment that pretty much does everything I need most of the time. And that happens to be Java. I like it because it is simple, powerful and ubiquitous.

ps. this is a specialised case, but in my spare time I'm implementing a modern jet air combat simulator in Java (for my purposes JoGL/OpenGL actually has better performance than DirectX, but that is a different subject). Even with WebGL the web is no use for this (neither is C#.NET nor Mono, since this is a cross-platform product to work just as well on my Mac Book Pro as well as my Windows machines, and cheap Linux game servers too). Specialized for sure, and somewhat niche, but something that neither .NET nor the Web can do. Please keep doing your .NET stuff though, someone has to do all the boring form and web page-view applications out there. Meanwhile, I'll keep hoover-up all the high-value Java contracts doing interesting things during the day (programming road-sign and radar detector hardware, medical projects, data visualisation and analysis, geospatial systems) and night (my high-performance combat flight-sim).

Re:Java dying?

[znrt]

No, there are a lot of legitimate reasons to hate Java

hate doesn't need legitimate reasons. but some of your reasons are gratuituous.

mainly because it promised things it couldn't deliver. It promised to be portable, but running it on anything that isn't one of under half a dozen blessed platforms is painful.

it is. for common platforms. more than any high level language, anyway.

That new MIPS server? Sorry, no Java for you! For a long time, even Java on *BSD on x86

like you have .net or any other development environment with the barely necessary tools for that. stop joking or at least try to be funny.

Then there's performance. Java performance is on a par with StrongTalk or Self, yet it's a much lower-level language. Performance is usually okay, but again Java promised C-like performance and then shows misleading benchmarks to demonstrate it.

that promises thing again ... :D ok, i take you're an emotional type (even if i never read that promise, nor would i care) but ... if you wanted C-performance and chose to believe in flying ponies, that's your problem. Java is not C, it could never be as efficient as C, apart from very restricted benchmarks. on top of that, Java developers are different animals than C/c++ developers, expect performance-insensible coding in Java as granted. like in any other high-level, business oriented language. but then again, you realize Java and C are different use cases, don't you?

Next there's the pain of interfacing Java with other languages. If I have a C library, I can trivially call it from most scripting languages, from Objective-C, from C++, from D, from Pascal, from Lisp, and so on. If I have a Java library, it's difficult to use it from anything that's not Java.

now you are being funny. there's no such thing as a Java "library". at most, you got a bunch of classes packed in a jar. you need a fucking vm for those classes to make any sense at all. it's not difficult, you simply can't, it doesn't make any sense. take it or leave it.

Conversely, it's difficult to use existing libraries from Java - JNI is a whole world of pain.

not that much, really. are you being serious? having JNIed a lot myself, I wonder what pain a skilled C programmer could have had with it.

This means that Java often involves reinventing the wheel,

this, for a change, has some truth to it. not that I like it, but Java is Java centric as much as .net is windows centric. life sucks. then again, reinventing the wheel is not the same as reimplementing the wheel, and the latter may often be not such a bad idea at all.

while other languages just provide thin (and often automatically generated) wrappers around libraries written in other languages where appropriate.

only those (and between those) which don't new some sort of vm or interpreter to run, so your point is moot. vm's are there for a reason, if you don't like them that's another story.

Then there's the incompatibilities between versions.

can you provide an example?

Once you've got your write-once-run-anywhere program working on your customer's machine, he installs a new version of the JRE and it stops working.

because of bugs, not because of incompatibilty issues. even c compiler releases have bugs, man.

well, there may have been some incompatibilities. i'm thinking of serialization or binary class format, for instance. but then again consider that Java is a full environment and stuff inevitably changes. C doesn't have this problem because it just doesn't evolve. anyway, backwards compatibilty has been held to very great extent, considering.

Re:Java dying?

End users, well speaking for myself, hate Java because the GUIs are ugly and out of place. Often the client apps are memory pigs and unstable.

Re:Java dying?

[TheRaven64]

Compare the string handling of C++ with that of Java or C# or Perl or Tcl or ... Well, let's say it like this: C++ gives you the pain of the complexity without nearly enough of the gain of well-implemented features.

Strings are a really good example of how C focusses on microoptimisation. You have very fast character access to std::strings. And you have very fast iterators. And that's it. And because none of the methods are virtual, you can't just slot in a subclass that's more efficient in your usage. Compare this to Objective-C strings, which are implemented as a class cluster with different implementations for different uses. For example, when using ICU it's trivial to wrap its internal unicode string ADT in an NSString subclass. Because the accessor used by anything that needs speed copies a range of characters into a buffer, it's fast. In C++, you end up copying the entire string as soon as you find something that wants a std::string, or a QString (Qt) or a WtfString (WebKit) or whatever. Fine for very short strings, not so fine for longer ones.

The focus on microoptimisation in C++ means you end up with very tight coupling, which makes high-level optimisations (where the real performance wins come from) very hard.

Re:Java dying?

[Elrond,+Duke+of+URL]

Slashdot hates Java because they hate anything that isn't Pure GNU open source.

No, I think /. hates Java for many of the same reasons a lot of nerds and power users hate Java: perception.

As has already been mentioned, Java is extremely popular and taught to many students. The end result is a great number of people who know at least a little Java but who are not necessarily good programmers. These people either decide on their own or are told by employers to write program X in Java and the end result is a poor program. The outcome would largely be the same even if a language other than Java were used.

I've written a number of medium to large programs on a few different platforms using a few different languages. I find that I quite like Java. Obviously, it has got its own set of problems and peculiarities, but it is not inherently a bad language.

If you know what you're doing, you can write very effective Java programs that are even decent to look at. The Java language does not force an application to be bloated or use huge amounts of memory. Bad programming is responsible for those problems.

There may be something to the argument that writing bloated/memory hungry applications is easier in Java, but the fault still lies with poor programming from poor programmers.

Re:Java dying?

I believe at my university (I can't speak for certainty as I transferred out of comp sci for "namby pampy web design"; I could do the work, but absolutely hated it) that comp sci students have to take a course on assembly, or at the very least, they are strongly recommended to do so.

I have no idea if all colleges/universities have similar requirements.

Re:Java dying?

"Unless you are a Windows only shop (which only households and smaller companies are)"

I think you'll find that even giant enterprises are Windows only shops when it comes to the desktop.

Re:Java dying?

[Elrond,+Duke+of+URL]

When I originally started my comp. sci. program at the U of Arizona back in 1997, one of the required classes was a systems class where we learned about some of the lower level bits done in an OS. It wasn't an OS class since we didn't create/modify an OS, but rather an overview of some OS topics (for example, we wrote a memory allocator in C).

For a week or two we learned about assembly language. Specifically, we were using ARM assembly and ran the small bits of code using SPIM (the MIPS emulator). These days... I don't know if such a thing is still required, but I'm fairly sure it's at least an option.

Personally, I had already done a fair bit of DOS x86 assembly in high school and wrote some simple programs and TSRs (Terminate and Stay Resident, if you remember those). And then later in college I did a fair bit of work in ARM assembly on actual hardware (a small embedded board). More recently, I've been working on a machine simulator for a stack based CPU (written in Java, too) and all of the code you execute in the simulator is written in the CPUs "stack assembly".

So, in my case, the small amount of assembly work done in class wasn't very useful since I already had more extensive prior experience. But, I definitely agree that it is a very useful topic for comp. sci. students to know about. Not because you're all that likely to actually use it, but more because it provides a more rounded understanding of what actually occurs in a computer.

Re:Java dying?

The company I work for** is currently effectively a Windows laptop/desktop only company. We won't be for much longer. Like many large companies we are moving to a 'buy and use your own devices' model. In about 2 years the Windows monoculture will have been replaced by Windows/Mac/Linux laptops, Android/iOS/Windows smartphones and tablets. Any software not flexible enough for this setup will be replaced (except for limited specialist needs).
Why? It's actually cheaper for the company (and more productive for us) to give us the money to buy and maintain our own devices than to provide and maintain them for us. and yes, the figures do appear to add up.

** Company is an international information technology services company with 2011 revenue of over EUR 8 billion and 70,000+ employees.

Mozilla gives middle finger to enterprise again

[jellomizer]

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems.

So now we have to be sure that we upgrade our Java first then Firefox... However we had planned to do Fire Fox this week and Java next month, after you know we test our applications that we need to run our business with the new Java version.

The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Re:Mozilla gives middle finger to enterprise again

[i+kan+reed]

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Re:Mozilla gives middle finger to enterprise again

That's fine, the enterprise can simply be left behind.

Pretty soon their ie6 wont even work on non internal websites

Re:Mozilla gives middle finger to enterprise again

[jellomizer]

A lot of enterprises would love to give Firefox or Chrome as their standard browser. Much better use of the standards and faster and predictable running of modern stuff. So if you want to move away from your Legacy Java Applets to a new System Mozilla is a good choice for an enterprise technically to standardize on. However the Mozilla foundations are being a bunch of Elitists Richards, and seemed hell bent to make sure that Mozilla isn't incorporated in an Enterprise environment. And Enterprises need to make a policy of saying we do not support this product. So as we migrate away from those old legacy Java Applets, which can take years to do. We are replacing them with Apps specialized and optimized for IE because we don't have any other logical choice. Because IE is the only browser that will allow the Enterprise run its own way.

Re:Mozilla gives middle finger to enterprise again

From the article:

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

The block isn't compulsory. Undo the block and keep working in the mean time.

Re:Mozilla gives middle finger to enterprise again

Who gives a shit what these money-laundering enterprises do or don't do?

Re:Mozilla gives middle finger to enterprise again

[nashv]

And you would deserve it. If you maintain an insecure system, you are a threat not just to yourself, but to the entire internet.

You foster malicious code that can be used to pit your system against others. Everyone is connected on the Internet, and if you chose to be a weak link, you are everyone's problem.

I am usually sympathetic to upgrade issues, but if you are going to be in the wild of the internet, fix your software. You are on an internal closed network, no one is forcing you to upgrade Firefox. Maintain your legacy setup.

Re:Mozilla gives middle finger to enterprise again

[Kagato]

Enterprise customers don't just roll out browsers. They do testing, they tweak the configuration and then they roll it out. Having to take the extra step to configuring some settings doesn't sound like a deal breaker. If anything, it sounds like a feature enterprise could really use. If your organization is whining about this, they likely aren't following due diligence in testing the browsers in the first place.

Re:Mozilla gives middle finger to enterprise again

[oh_my_080980980]

BFD. Business don't want their employees surfing the web for non business related business.

Re:Mozilla gives middle finger to enterprise again

Chrome has a better solution. It blocks ALL java applets by default (user can whitelist per site). The average user will likely NEVER see an applet unless it is malware.

Re:Mozilla gives middle finger to enterprise again

[mounthood]

I don't know why all the fuss is about breaking our version scheme so the Enterprise has a harder time planning appropriate upgrades to their work stations. And now we decided to break compatibility with your legacy Java systems. ... The enterprise doesn't stick with IE because they think it is a good browser they know how much it sucks. They stick with it because it can be maintained and managed properly in an enterprise environment.

Large/Enterprise organizations value version stability more than security? That's poor judgment. What does "maintained and managed properly" mean if it doesn't include security? It means two things: IT can cover their asses and blame problems on Microsoft, and IT can keep using vulnerable software rather then upgrading when there's security issues. Using vulnerable software is convenient for IT, but a poor solution to keeping production running.

You theorize that IE is used because it's broke but version stable. I think it's dumb inertia combined with sentiments like 'nobody ever got fired for buying Microsoft' and 'you touch it, you own it', rather then a considered and reasoned decision to use IE. Your post echoes complaints about upgrades that many others have made, but they always sound like IT complaining about having to do their job, and I can tell you from experience that the upgrade cycle never ends, and the desktop issues are nothing compared to server-side systems. IT needs to get over it and fix the problem in a way that's either (relatively) long term or easy to replicate.

Finally, here are two alternatives to IE: They could use Mozilla Firefox Extended Support Release and get both security and stability. Or they could disable Java in the browser and use Java Web Start for their important Java apps.

Re:Mozilla gives middle finger to enterprise again

[PlusFiveTroll]

Just wait till their internal website gets pwnt by a disgruntled employee and the network goes up like the Triangle Shirtwaist Factory.

Running exploitable software is Russian Roulette, one day the trigger is going to get pulled and it's going to blow your head off.

Re:Mozilla gives middle finger to enterprise again

[supremebob]

I hear ya.... I needed to scramble this morning to disable this warning message on two dozen kiosk systems, even though I configured Firefox to never check for plug-in updates.

Thank you once again for screwing up my production environments without any warning, Mozilla. I'm switching my kiosks over the Chrome, where the option for disabling plug-in checks actually works as promised.

Re:Mozilla gives middle finger to enterprise again

[kwrzesien]

So there is EXACTLY ONE version of Java that is usable: 7u3. There is NO PATCHED version of jre6 or jdk6 that is available for our 80,000+ workstations managed by Tivoli that have jre6 installed. Upgrading to 7 requires going through Field Certification of months of application compatibility checking.

Not to mention the servers that have jdk6 installed to a specific path, jdk7 would go in a different path and require changes to configuration files and regression testing. This is a 2-3 month process usually rolled into other development processes and doesn't just drop on the datacenter in one day. I think at least five departments would be involved in getting this change implemented.

No, Mozilla should be forcing this on Oracle to release a patched and updated 6u31 that can be automatically pushed to all machines, then wait two weeks and drop the hammer on anyone left behind.

Re:Mozilla gives middle finger to enterprise again

[kwrzesien]

I'd like to correct myself, 6u31 has been made available - it just isn't updating automatically yet. We might be testing it internally before beginning the workstation push. Either way I think Mozilla jumped the gun a little bit, this update must have just come out.

Re:Mozilla gives middle finger to enterprise again

[__aaltlg1547]

I think anything that forces my enterprise to update its clay tablets is a good thing. But this is not that thing. IT will just say, "You could just use Internet Explorer." And they'd be right. Who has the time to go on a project of updating enterprise apps every time a browser changes?

I use Internet Explorer exclusively now (when at work) because the current version works adequately with everything else I use. Firefox used to, but then they updated it and it didn't work right with some of our enterprise apps. I could get it to work by loading the right plugins. Then it mysteriously stopped working. Then it started working. Now it doesn't work.

It ain't worth the trouble. The next time I consider switching browsers it will be because IE has stopped working for some enterprise app that I must use to do my job. The only way I'll end up using two browsers in the same week is if one of them works right for one of my enterprise apps and the other works right for another indispensible app.

Re:Mozilla gives middle finger to enterprise again

[__aaltlg1547]

I do. They pay my salary and your unemployment check.

Re:Mozilla gives middle finger to enterprise again

Don't know if I'm missing something obvious but jre6u31 has been released, in fact it was released a couple of weeks ago. It's also the jre6 enterprise baseline version.

Re:Mozilla gives middle finger to enterprise again

[archen]

Either way I think Mozilla jumped the gun a little bit, this update must have just come out.

Try late Febuary.

Re:Mozilla gives middle finger to enterprise again

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Unfortunately you can't always update these.

There are a number of Cisco java crapplets that require a specific old version of java to run.

I never understood why Cisco makes these crappy java GUI management tools, unless it is to encourage you to learn to use the command line.

Re:Mozilla gives middle finger to enterprise again

[Wrath0fb0b]

If you have to choose between clearly dangerous infection vector and updating ancient and fragile legacy java applets, I'd say Mozilla is the least of your problems.

Unless I have (an) admin machine(s) configured to access only intranet resources for the purpose of managing my legacy java applets. In that case, it would probably be nice to have an switch somewhere in about:config (maybe with a warning) to disable the blacklist. That's the problem with thinking about security without clearly identifying the context in which the policy is being deployed. For a home user Mozilla should absolutely default to not allowing outdated JREs*, for those within other environments, the calculus might be different.

* By the way, can't they just hire the Google dudes that designed Chrome's "I'm always updated but I never bother you" updater? Can't everyone just do that already? It's been shown to be feasible, workable and damned convenient.

** Of course, * comes with a switch to disable auto-updates for enterprise/OCD consumers that want to manage it themselves. I'm talking about default settings, not forcing everyone onto the silent-update train against their will.

Re:Mozilla gives middle finger to enterprise again

[Nyder]

I think it's Enterprise that gives the middle finger to us users, really. Anyways, I don't think Mozilla makes firefox for the Enterprise (Star Trek, or business). I think it's for normal users, which is mostly what uses the web.

Anyways, Java doesn't sit on 1 version, it gets updated all the time, like any good software, so are you saying that Enterprise Users need to have old, outdated software that can be compromised to gain access to your computer? Sounds to me that isn't what the Enterprise needs.

Not sure which reality you pay attention to, but here, in the real world, software has bugs and those bugs need to be updated. Regularly.

Re:Mozilla gives middle finger to enterprise again

Tell that to those of us using Firefox in an Enterprise system where we are(sadly) required to make use of websites needing Java. Today was a nightmare because 500+ copies of Firefox decided to say "lol no". If you think the end users read that notification you are mad.

Re:Mozilla gives middle finger to enterprise again

[kwrzesien]

I didn't see that SE 6 and SE 5 patches had been released as well, and mistook the wording of TFA to imply that one HAD to update all previous versions of Java to 7u3. That just wouldn't fly in an Enterprise without testing.

Re:Mozilla gives middle finger to enterprise again

[kwrzesien]

Either way I think Mozilla jumped the gun a little bit, this update must have just come out.

Try late February.

And it's impossible to find any dates on the Java websites or release notes in my 10 minutes of looking. Then it was lunch time.

Re:Mozilla gives middle finger to enterprise again

So as we migrate away from those old legacy Java Applets, which can take years to do.

It is not about old Java _Applets_, but about the installed Java Runtime, which is normally easy to update (especially when using GNU/Linux distributions with a built-in update manager).
So, if you care about security, there really should be no problem for you to update any software in short time.
When some companies don't care about secure and updated software they can use internet explorer 6 for the next 500 years anyway, nobody forbids them to do so.

Re:Mozilla gives middle finger to enterprise again

[dropadrop]

So don't update firefox? Fork your own enterprise build and release new ones on your own cycle.

For non-technical users this is a good advancement, they will be notified of an insecure application before they get infected. Are you saying they should give it up because some corporation thinks it's ok to run applications that are actively exploited? With that mentality we'd still be running IE6... I understood the active lifecycle of a given exploit is generally pretty short, by the end of the month it will already be mostly replaced by another variant.

Re:Mozilla gives middle finger to enterprise again

[dkf]

Large/Enterprise organizations value version stability more than security? That's poor judgment.

When you've got idiots pushing out significant incompatible major changes in point versions (too much software for me to enumerate) you start to get really keen on version stability too, and such keenness spreads from being just about some pieces of software to being about everything, even where you might think it makes no sense at all. Yes, large enterprises want security, but they also want security from some random asshole on the internet breaking things "for their own good". As a developer, I respond by trying to avoid doing changes that break any public API (or, where that's impossible, to provide a documented mitigation and migration strategy). It constrains my creativity, but people (coders, managers, you name it) downstream love it; it values their time over mine.

Re:Mozilla gives middle finger to enterprise again

My org uses IE because it updates automatically using Windows Update. An up-to-date IE is more secure than an out-of-date 3rd party browser.

Re:Mozilla gives middle finger to enterprise again

im tired of people whining about the rolling release cycle... they made a long term supported version so that companies that rely on firefox can count on the software staying the same for periods of time.

im an IT man myself...and this smells of laziness. get the newer java and get back to work

Re:Mozilla gives middle finger to enterprise again

[archen]

True. The only way I knew that myself is due to the time stamp where I put the installer...

Re:Mozilla gives middle finger to enterprise again

[kwrzesien]

So I found out from our enterprise group that JRE 6u31 will get pushed out to all the workstations later in April. I guess we either aren't that alarmed by our exposure to this vector or we just found out about how dangerous it is and this is the soonest week available that doesn't have other M$, Adobe or Symantec junk pushing.

Sounds good to me

[omfglearntoplay]

I assume you have to be on the most recent release to get this Firefox update. That should be clarified in the article somewhere obvious.

It's not always easy to get time to deal with all the rogue computers we have floating around, and the damned Java vulnerabilities are killing us. We go to all the trouble to make users actual users and not admins despite a huge backlash, then next thing you know they are getting viruses as regular users mostly due to Java problems. WTF? Middle sized businesses can't keep up at least from what I've seen.

I think this is a nice idea from Firefox to help protect users. I hope it works. I guess IT depts still have to deal with getting everyone up to date on Firefox to do it though... it never ends. Maybe it is time to go virtual desktop for 90% of users.

Re:Sounds good to me

[jorgevillalobos]

Plugin blocks apply to all versions of Firefox and they don't require you to update it. Firefox downloads the blocklist regularly to see if there are new add-ons or graphics drivers that need blocking.

How about a huge blinky warning instead?

[khasim]

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity."
vs
"Fuck, it broke!"

Re:How about a huge blinky warning instead?

[leuk_he]

THe java updater should have done that. Why didn't it? It flashes so often it's annoying. maybe it is not doing its job?

Re:How about a huge blinky warning instead?

[afidel]

Better would be to add whitelist support, like say a trusted zone? Yeah, it's one thing I love about IE, I can lock down the default configuration and allow all sorts of known bad configuration changes to the trusted sites zone to allow for legacy compatibility. It's exactly why IE's marketshare in the enterprise isn't going away.

Re:How about a huge blinky warning instead?

[khasim]

Something like NoScript but with more granularity and that can be pushed to each workstation?

Sounds good. And 100% better than the course Mozilla did choose.

Re:How about a huge blinky warning instead?

[Windwraith]

Do you realize that a warning is for average users to ignore? "Oh, wow. I should upgrade as soon as I get the opportunity" only works for people like us. Most people will do "CANCEL CANCEL CANCEL".

Re:How about a huge blinky warning instead?

[ArhcAngel]

Ever heard the story of the boy who cried wolf?
Yeah, he got eaten...

Re:How about a huge blinky warning instead?

Most of the operating systems I use don't have a "java updater". On windows, I hate updating java because it doesn't UNINSTALL the old version. Instead they just put another copy into a new directory. I have to remove java and then reinstall it. Plus the java updater tends to focus on JRE updates, but i have to go through crap to update a JDK including futzing with my IDE sometimes. It's a fail.

My problem with this plan is that Mozilla already makes it a nightmare to manage their browser on supported platforms, but now they're going to complain about java versions too. Think about this from a OS project standpoint. They have to release new java binaries BEFORE updating firefox now. It's going to suck for Linux distros and be even worse for *BSD. When Java is part of your OS like Mac OS or Solaris, what do you do then?

Re:How about a huge blinky warning instead?

Enterprise customers have no money to spend.

Enterprise customers have no expertise in their IT departments they can use.

Enterprise customers developed software ONCE back in 1973 and expect said software to work without any maintenance at all and expect it to work with all the latest and greatest software out there. Nevermind that their "software development" was never intended to be more than a quick hack to fix a problem 10 years ago. Never mind the fact that the quick hack depends on a fucking bug that really should be fixed. Never mind the fact that the deep pocket enterprise customers should have migrated to a better more robust solution at probably 9 years ago.

Are enterprise customers really worth satisfying? It just seems that the small shallow pockets of the long tail are easier to please and it's more productive to do so.

Re:How about a huge blinky warning instead?

[PlusFiveTroll]

I do believe somewhere around Java 6r16 they started removing the previous version when you ran the update, that said it doesn't remove any older secondary copies that were still around, but for most people your complaint has been addressed.

On the second part, why can't the distros deal with this themselves, since they do have the source they can have this check behave how ever they want... that said, I DO NOT WANT your broken distribution spreading AIDS on the internet. Enterprises, power users, and the uninformed still need to know that they are like a whore with syphilis when the browser they are using will gladly catch an infection from the first site that manages to ram it in. Google learned a lot about this not too long back.

Re:How about a huge blinky warning instead?

[nashv]

This is a philosophical decision. Any setting that compromises security should be OPT-IN by design, not the default.

IT Professionals of minimal competency will read complete release notes before rolling out a new version of any software. So if you have a "Fuck it Broke" situation, blame it on your IT guys.

Re:How about a huge blinky warning instead?

Except if you're like me, you don't allow the damn updater to connect automatically. Hell if I need a new version of Java, I'll grab it myself and install it after I uninstall the existing version for security/safety reasons. Personally, if it wasn't for a single Java App, It wouldn't be installed on my system at all because the damn thing is a damn cpu hog.

Re:How about a huge blinky warning instead?

[mspohr]

As others have pointed out and as the website points out, it does give you a "huge blinky warning" and it doesn't automatically disable it so please, calm down, sit down, take a few slow deep breaths and go away.

Re:How about a huge blinky warning instead?

[jorgevillalobos]

Instead of Mozilla just fucking DISABLING it, how about adding a huge blinky warning to it?

"Oh, wow. I should upgrade as soon as I get the opportunity." vs "Fuck, it broke!"

That is almost exactly what we did. You get a warning with the option to ignore it and continuing like nothing happened.

Re:How about a huge blinky warning instead?

[mcgrew]

It isn't the users, it's their OS. I almost never boot the Linux box; I don't have to. When an update comes up the pike I update, one click and keep working. No problem.

The notebook still has Win7. Almost every update for any program requires a reboot, and damn it, There's a book I'm working on open, with Firefox tabs to other stuff (labeling sampled music, etc). So I almost always hit "not now"... because I don't want to spend twenty minutes updating something that just got updated a few weeks ago, including the time it takes to reboot, open all the programs and browser tabs I had open, etc.

If Windows didn't require a reboot every damned Patch Tuesday (and other programs don't restrict themselves to MS's schedule so I wiond up with one widget or another needing an update at least weekly) and if the patches didn't require reboots, like Linux, and especially if it was able to come back to life after a reboot in the same state it was in, like Linux, people using Windows would update far more often.

PEBKAC is almost always a design flaw. Users hitting "cancel" when they're served updates? That's YOUR fault for making their lives harder. If updating weren't a royal pain in the ass people would update. Your tools are supposed to make work easier, not harder. MS could fix the problem easily, they simply choose not to. As Lily Tomlin always said in her AT&T monopoly skits, "we're the phone company. We don't HAVE to!"

Re:How about a huge blinky warning instead?

[rastos1]

You get a warning with the option to ignore it and continuing like nothing happened.

Are you talking from experience or only based on the article? Because over here I just got a window saying that the plugin is going to be disabled. The only options that I have is 'Restart now' or 'Restart later'. If I choose 'Restart later' the plugin is not disabled, however as I close FF an start it again it is already disabled and cannot be enabled anymore. So the only option is never to close FF, or move to another version of java plugin.

Indeed for corporate use this sucks.

Re:How about a huge blinky warning instead?

[jorgevillalobos]

I'm talking from experience - I work for Mozilla and was partly in charge of the block. Unless you're using a Firefox version older than 3.5, you should see a checkbox next to the plugin name in that window you just mentioned. Unchecking it should prevent the plugin from being disabled.

Re:How about a huge blinky warning instead?

[jorgevillalobos]

Quick update: it looks like something broke in the blocklist after the block was put in place, so many users are seeing a hardblock and not a softblock. We're working on fixing this now.

Re:How about a huge blinky warning instead?

[rastos1]

In that case something is wrong. The notification window in Firefox 11.0 has no checkbox. The Add-Ons->Plugins does not have one either. (Note: the links will expire in one month.)

Re:How about a huge blinky warning instead?

[jorgevillalobos]

See my other comment below. We discovered a problem and we're trying to get it fixed now. After the block is fixed, you should be able to re-enable the blocked plugin.

Re:How about a huge blinky warning instead?

[mallyh]

Well below was my reaction last night, I have calmed down a bit, but my opinion has not changed, the discussion on more effort on supporting IE than Mozilla has come back to haunt us: ------ Have you lot gone stark raving fucking crazy !!!!!!!! Our entire Support department is going to be driven totally nuts tomorrow, not to mention the loss in revenue on our site which nobody will be able to use as Mozilla decided to automatically disable Java. So, I mean its only a couple of years back that we told everyone to use Mozilla as IE had problems, tomorrow we will be telling them all to use IE, which will be music in the ears to all the IT people we have spent hours and hours and days convincing that Mozilla it the place to be. These people get sent on Microsoft courses, they love Microsoft, the only way we could convince their users to use Mozilla was that it was more stable, faster and with a smaller foot print. Meanwhile one needs an extra Gigabyte to install it and you can use it for 2 hours per day as the other 22 its busy updating itself (or in this case disabling Java). Honestly I hate Microsoft as much as any of you lot, but I tell you Mozilla just shot itself in the foot by doing this. I will now be spending the rest of the evening installing Chrom and Safari so that I can at least give the Customers some potential alternatives in the morning, however as the plugin also requires Admin permissions, this is going to cause pandemonium as none of the normal users will be able to update their Java without having to chase their Microsoft friendly IT guys with "we have a problem with Mozilla". You know what those IT guys are going to say ??? Honestly I cannot believe this, I am in a nightmare, please tell me its all a bad dream

Re:And there was me believing managed code was saf

[subanark]

The codespace where an exploit can occur is limited to only a subsection of VM's code. It is not perfect, but it offers better protection than running C code, and more flexibility than non-scripting HTML does. The same concept is used when running code as non-root even if you do have sudo access.

disable?

[X0563511]

I can't find any means to disable this in about:config.

I -HAVE- to have older versions of java installed on my workstation to replicate problems with old releases of our software.

Re:disable?

https://wiki.mozilla.org/Extension_Blocklisting:User_Interface

Preferences for controlling the blocklist
The common user should not be allowed to override the automatic updating and application of the blocklist, but there are valid use cases for doing so.

The following preferences should be created to govern this behaviour:
        * extensions.blocklist.enable (boolean), toggles blocklist enabled on/off

Other applications or distributions may want to provide their own backlist update url which will be controlled by the following pref:
        * extensions.blocklist.url (string), url to the blocklist file

The interval in which the blocklist runs will be defined by the following pref:
        * extensions.blocklist.interval (integer), the interval in which to download a new blocklist file

These preferences should be documented on developer.mozilla.org and any announcements for developers about the blocklist functionality.

Re:disable?

[oneandoneis2]

So keep an older version of Firefox installed to run older versions of Java with. Why would you want a cutting-edge browser to replicate legacy problems?

Re:disable?

[X0563511]

Because the browser is not related, but the irritating block messages are.

Re:disable?

[supremebob]

This plug-in block warning doesn't seem to be version specific. I've seen it happen on versions of Firefox as old as version 3.6.

Re:disable?

Hi, I'm from mozilla.

We don't care. Go away.

OSX

I thought that Java for OSX was still dicated by Apple... If they add a blocklist for OSX, won't that mean that sometimes there will be no option to upgrade to?

Re:OSX

[jorgevillalobos]

Yes. Unfortunately there's no alternative, so we must favor warning users. We haven't added the Mac OS X block yet, but we will probably do so soon. Like the Windows block, though, users, will have the option to keep the vulnerable plugin enabled.

Re:OSX

[jorgevillalobos]

Apple released a Java update today, so everybody should be checking Software Update now, before we block on Mac.

Got bit yesterday

[ArhcAngel]

Don't know what site was infected but I saw the JAVA icon pop up in the system tray on my windows 7 pc and the next thing I know there are a hundred popup windows telling me my HDD had failed and one window for S.M.A.R.T. HDD telling me I needed to purchase the full version to remove viruses. I spent all morning and much of the afternoon cleaning that crap up...

Re:Got bit yesterday

[ifrag]

I spent all morning and much of the afternoon cleaning that crap up...

Usually it's faster to just use a system restore point. Typically these drive by mass attacks are not going to be smart enough to infect system backups. Although perhaps once enough of it starts running other pieces of malware start getting retrieved as well. I'd also immediately pull the ethernet cable if that nonsense starts up, then boot to safe mode.

Re:Got bit yesterday

[FlatEric521]

I had the same thing happen to me on Sunday. I swear the only sites I had open were my college's e-courses page and Slashdot.

However, per the other reply, performing a system restore from safe mode was really fast as clearing out the problem. From there, found out the A/V software was no longer updating (fixed that), found my JRE was not updating (fixed that), and found Flash was out of date (probably not the cause, but also fixed that).

what i would like to see in a downloader

[RobertLTux]

Personally i hate this trend of A bundling other "stuff" with a download B having the direct link to the payload TOP SECRET BURN BEFORE READING

All i ask for is a link to the complete actual program no "smart downloader" no bundled C4 and let me save the file so i can use it on another computer.

Yeah, if you run only one Java program

[tepples]

its often slower C/C++, so the simple presence of the Java icon makes both programmers and users exasperated and annoyed.

After recent improvements in the VM, the only time it's noticeably slower than C++ is if the VM has to be started for the first time. If you run more than one program written in Java, it's less noticeable.

Thirdly, it is abstracted away from machine code

So is C++. In fact, some critics believe that wading through a rat's nest of C++ templates is so abstracted that it's harder to know what's going on in a program than it would be in Java.

Re:Yeah, if you run only one Java program

[shutdown+-p+now]

GP talked about being abstracted from machine code. C++ templates aren't abstracted from machine code - they cannot be, because they're purely a compile-time artifact, and are untangled before there is any machine code to run (which is why the result can still be as close to the metal as you want, and correspondingly fast).

Re:Yeah, if you run only one Java program

[tepples]

C++ templates [...] are untangled before there is any machine code to run

So is CIL or JVM bytecode, which gets translated to native code before it is run.

Re:Yeah, if you run only one Java program

[shutdown+-p+now]

Sure, but a lot of abstractions that are defined on source code level, and remain on bytecode level, are mapped pretty much one to one in the resulting native code - virtual methods, for example. With templates, there's no such thing, because pure TMP does not generate any runnable code per se - only definitions.

Re:WINDOWS AGAIN

from TFA:

we have added affected versions of the Java plugin for Windows

Think about that for a bit.

[khasim]

Which is easier for the average corporation?

a. Fixing the crap code that they've accumulated over the years?

b. Sticking with IE because it allows them to run the crap code from a?

Mozilla may have chosen the moral course in this but they won't achieve anything except to further marginalize themselves in corporations.

Fixing code costs money. Sticking with IE is free.

Re:Think about that for a bit.

[sg_oneill]

If the IT department in your enterprise is forcing you to use insecure software, make an apointment with the head of IT, punch him in the head, and fuck his wife. Its a win-win scenario.

Re:Think about that for a bit.

[mounthood]

Fixing code costs money. Sticking with IE is free.

Not fixing anything is cheaper then fixing it (in terms of immediate cash expense). Doesn't mean sticking with IE is the right decision, or a reasonable decision, or even that someone made a decision instead of ignoring the problem.

What should Mozilla do? Clearly they should focus on security. What should your "average corporation" do? Also care about security! But if they aren't going to and they want their software to stay static and unchanging, there are any number of solutions including: Go to "about:config" and change "app.update.auto" to false.

Re:Think about that for a bit.

[jellomizer]

There is a place for that type of action. It is called Jail.
For the most part these insecure systems are designed to be ran on the companies intranet. Where your attempt to hack into the system you will only be able to obtain information you can get much easier other ways So on the list of IT priorities, the security of that legacy application made/Updated in the mid 1990's is rather low compared to other issues.

Re:And there was me believing managed code was saf

[rudy_wayne]

that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited.

No software is perfect. No software will ever be perfect. Any non-trivial code will contain some bugs, but there's something seriously wrong here.

Software like Java, Flash and Acrobat Reader aren't weekend projects thrown together in a few hours by a highschool student. They have been around a long time and are produced by large companies with lots of resources. The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

It would be funny if it wasn't so stupid.

Re:And there was me believing managed code was saf

[TheRaven64]

Every so often, someone says to themselves 'software is complex, and therefore prone to bugs. Some of these are exploitable, giving security holes. I bet we can fix that by adding another layer of complex software.' The most surprising thing is that people actually believe them.

I don't like the all or nothing approach.

[khasim]

Not fixing anything is cheaper then fixing it (in terms of immediate cash expense).

Yep. That's the core problem with computer security. It is always cheaper to not do anything (right up until you lose critical data to a cracker) as long as it runs "good enough".

Doesn't mean sticking with IE is the right decision, or a reasonable decision, or even that someone made a decision instead of ignoring the problem.

Even the decision to ignore the problem is a decision. Again, as long as it runs "good enough" there will be problems getting it changed.

But if they aren't going to and they want their software to stay static and unchanging, there are any number of solutions including: Go to "about:config" and change "app.update.auto" to false.

I don't like the all or nothing approach.

How about white lists instead? Recognize that there will be instances where X is not safe for use on the Internet but you still need X for your corporate apps.

So X is whitelisted only for specific apps / servers / IP ranges / whatever and blocked for everything else.

NoScript already does a pretty good job on most of that. But it needs more granularity.

Re:I don't like the all or nothing approach.

[jorgevillalobos]

It's not an all or nothing deal. You are free to ignore the block and continue using the vulnerable versions of the plugin.

it's about time!

[tommeke100]

I'm getting a bit fed up paying a 100 euro fine because the Bundespolizei tells me they found illegal stuff on my computer!

Re:it's about time!

Kannst du das bitte erklaeren?

OT - your sig

[mcgrew]

Credit goes to Robert Heinlein. I forgot which short story it was from.

Ubuntu/Debian users, do not tick this!

[David+Gerard]

If you're using Ubuntu/Debian, you don't have to block IcedTea - per comments on their blog, it's the Debian version of IcedTea, and has been blocked in error. The IcedTea maintainer concurs. Hopefully Mozilla can re-enable it ...

Idiots

[TheRealGrogan]

Well then, people's applications fail and they say fuck Firefox. That's what such arrogance causes.

I did a new build of Chromium not long ago that refused to load a perfectly good libflashplayer.so because they decided it was too old. I don't have time for that shit. There might not have even been a newer x86_64 flashplayer available. It's not their job to force security. Load the plugin or fuck off. I find that offensive, so I just went back to my previous build (I tar up the old before replacing it). I wasn't happy with a regression in WebGL (with ATI drivers at least) anyway. My previous build worked better.

A lot of people (Windows users) will just click that big blue e to go to their arcade sites etc. instead of dealing with this. They cancel the Java update prompts because they are intrusive and pop up at annoying times.

Warn (nag at runtime even), but do not disable. Even Microsoft, with their infinite arrogance, knows this.

Re:And there was me believing managed code was saf

[Mister+Whirly]

The fact that these programs still have to constantly be patched to fix gaping security holes, is beyond absurd.

I think this is addressed by your first statement-

No software is perfect.

But some bits of software are closer than others

[Anonymous+Brave+Guy]

Maybe no software is perfect, but some bits of software are a lot closer to perfect than others.

Much of this comes down to choice of tools. For example, if you're writing security-sensitive software in something like C or C++ in 2012 and the software in question isn't something very low-level like an OS kernel, you're probably making a mistake as far as security goes. The fact that much of the industry makes this mistake doesn't negate the preceding statement, it just means much of the industry is choosing to allow commercial pressures to override technical merit.

Much of it also comes down to choice of processes. We know very well how to write highly reliable software. Even for cases where ultra-high reliability isn't required, we know of relatively easy changes to processes that can reduce bug rates by almost an order of magnitude over the industry norm. If you're writing security-sensitive software in 2012 and not using these processes, you're also probably making a mistake as far as security goes. The fact that much of the industry makes this mistake doesn't negate the preceding statement, it just means that much of the industry is choosing to prioritise letting developers concentrate on the fun stuff over improving the quality of the work done by those developers.

Re:And there was me believing managed code was saf

[Anomalyst]

[They] aren't weekend projects thrown together in a few hours by a highschool student. They have been around a long time and are produced by large companies with lots of highschool dropouts

FTFY

Re:And there was me believing managed code was saf

[Anonymous+Brave+Guy]

There are two ways of constructing a software design.

One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies.

The first method is far more difficult.

C. A. R. Hoare, 1980 Turing Award lecture

Speaking as a language afficionado...

[warrax_666]

I'd probably rather be programming in C# than Java, but Java is where the enterprise is (at least in my general vicinity), so that's what I use professionally. For me, it's actually not a lot of features which are deciders, but "no checked exceptions", "usable generics" and "lambda" are heavily in C#'s favor.

However, Haskell is light years ahead of both of those as a programming language. You don't actually need that IDE support when you're programming in Haskell since you don't have ridiculous numbers of classes to keep track of. A good editor is all you need. The ecosystem around Haskell is also pretty strong these days -- maybe you haven't looked at it recently? Is there anything in paritcular you're missing? (That's not to say that an IDE isn't useful, but it's definitely not necessary for coding in Haskell.)

(I can't speak specifically about F#, but I've also been very happy with O'Caml in the past whose bastard child F# is. That was a few years ago and the "ecosystem" was definitely poorer than Java at the time -- I don't know that the current status is.)

to "fix" this....

you can go to about:config in the address bar and set extensions.blocklist.enable to false.

Re:And there was me believing managed code was saf

[CondeZer0]

This is one reason why I love Go, it is more safe than C while it actually removes layers of complexity, it doesn't even depend on libc and its stdlb is extremely clean and lean.

Shame they didn't block all Java versions.

[CondeZer0]

The Java is too fundamentally broken to be fixed, the world would be better off if it was completely deprecated.

java blows wangs

too bad steve jobs couldnt have killed java a long with flash but still killing flash pretty good

Re I can confirm it was slashdot

I emailed Thinkgeek to let them know.

A rogue ad last saturday and sunday claiming to be virgin mobile made Avast 7 go through the roof. It used a javascript exploit to download a java malware app. Thankfully unlike some idiots here I believe in anti virus software as I am educated enouhj to know malware is not just from clicking links.

I have java disabled too in all my browsers too.It was rated most sevre so if I were you I wpuld reformat your whole drive as this one downloads several more. Next time follow my steps and you wont get infected.

Re:But some bits of software are closer than other

[Raenex]

We know very well how to write highly reliable software. Even for cases where ultra-high reliability isn't required, we know of relatively easy changes to processes that can reduce bug rates by almost an order of magnitude over the industry norm.

Please be specific and state what these easy changes are.

Re:But some bits of software are closer than other

[Anonymous+Brave+Guy]

An obvious example is doing technical reviews throughout the development process. That includes code reviews, but also earlier stages like checking that requirements are understood up-front and checking that a proposed design strategy is reasonable.

A good peer review process identifies potential bugs earlier, when they are easier and cheaper to prevent. Based on empirical data from real world studies, we know a systematic review proces can cut the number of bugs that escape into production by as much as an order of magnitude. Typically, it also saves a substantial amount of time and money, because correcting bugs in production is orders of magnitude more expensive than spotting an ambiguous requirement or design flaw in the early stages or at least catching a bug before it gets in front of customers.

However, when you start mentioning code reviews, a lot of developers who've been around the block a few times immediately envisage a heavyweight, Fagan-style review process where life becomes dominated by long, tiresome meetings. These developers may become hostile as soon as the words "code review" are even mentioned, without even knowing about modern processes and tools.

More recently, some developers favour Agile processes with very rapid release cycles, sometimes pushing code into production several times a day, and perhaps TDD. These process elements naturally conflict with a peer review process of the kind I described, and so the best you are likely to see is pair programming or a token second-pair-of-eyes glance over code before it's merged into production. While better than no review at all, such processes are nowhere near as effective as a structured peer review.

Of course, I'm only concentrating on one possible process improvement in this post. There are plenty more ideas that could help many projects but aren't nearly as widely used as they could be, ranging from relatively simple things like using automated test suites to much heavier things like formal methods.

Moreover I'm sticking to processes here because that's what you asked about, but of course there are also many different programming languages and related tools that inherently close off entire attack vectors left wide open by a lot of software today, hence my criticism of using C or C++ for most security-sensitive work.

In the Internet age, where networking code and communication clients might be used by millions of people, and where a single exploit might therefore lead to downtime, data leakage or becoming part of a botnet for millions of people, is it so unreasonable to expect that software like web browsers and e-mail clients should be written by something a little more advanced than glorified trial-and-error?

Re:But some bits of software are closer than other

[Raenex]

Based on empirical data from real world studies, we know a systematic review proces can cut the number of bugs that escape into production by as much as an order of magnitude.

Do you have a reference for this?

Re:But some bits of software are closer than other

[Anonymous+Brave+Guy]

You're probably better off reading some of the published work on the subject than relying on any small number of anecdotes I can remember off the top of my head right now. A lot of my background comes from an extended training/process improvement exercise I took part in, but unfortunately as I'm no longer in the same role I've now handed on or filed away most of the detailed reference material from that period.

If you have a copy of Code Complete, that's an obvious place you could start, because there's definitely a section in there that cites some surveys, which in turn cite plenty of real world case studies with rather consistent results. If memory serves, McConnell also gives separate statistics on the effectiveness of code reviews and design reviews, and compares them with other techniques such as unit testing, beta testing, and so on.

If you want something more detailed, there are also books dedicated entirely to software testing or even to peer review specifically. These typically cite plenty more studies with hard data to back up their case. Jason Cohen and a few others published a collection of essays about peer review in 2006, and probably have more material since then given that A Smart Bear makes software to aid in performing reviews. Karl Wiegers wrote a book specifically on reviews somewhere around 2002. Ed Kit's company SDT gives dedicated technical review training and cited plenty of sources when we worked with them, so anything on the subject that they are publishing these days is probably relevant.

Re:And there was me believing managed code was saf

[petermgreen]

I think there is an important distinction to be made between writing your code in java and allowing untrusted code to run on your JVM.

Writing your code in a "safe" language like java rather than an "unsafe" language like C is good for security because it eliminates whole classes of vulnerability. Java simply will not let you cause memory corrupotion by running off the end of an array or using a stale pointer to a memory block that has been freed and reused.

Letting untrusted code run on your JVM is inherently risky, sure it's SUPPOSED to be sandboxed but one small error in the sandboxing code (and there is a LOT of it) can allow it to break out.