Why You Can't Dump Java (Even Though You Want To)
snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
Don't forget the toolbar that usually wants to come for the ride, so one has to be very careful when clicking on the Java update icon, or else one's Web browser may have a little companion with it...
Yes, it is removable, but a security update shouldn't come with crapware.
I wish Oracle would start looking for the future. Java is a gem, but eventually it will be passed up for existing solutions (C#, Flash, HTML5 on the client end, ASP on the server end) unless Oracle does something.
For example, Java updates on Windows should automatically use MS installer files and, if the user sets the option, check the update server, fetch the MSI/MSP file, make sure the signature is intact, and go from there. If a JVM is open, prompt the user to close it, then kill all active processes.
Yes, it would cost Oracle something for development and packaging, but they really should look long term -- Java has a lot of advantages, from being able to be used in embedded controllers, to being good sandboxes for apps (assuming proper security testing is done.)
Maybe Oracle can actually expand Java. Oracle owns silicon, so why not make a processor that is designed from the ground up for Java bytecode? Perhaps even build it into the SPARC architecture [1].
It may not be good short term, but long-term, if Oracle keeps maintaining Java and keeps it relevant to both consumers and IT departments, they will make money in the long run.
[1]: Of course, there are issues, but having Java be able to natively execute in hardware would help things server-side.
I think this may be coming from the death throes of reddit. A similar phenomenon happened as digg imploded. Desperate to stop the hemorrhaging of users, they started spamming slashdot relentlessly in an effort to drive users back to digg. When digg finally went belly-up, it stopped, and there was a relative peace for quite a while. Now that reddit is going through a period of user flight, we seem to be getting a lot of angry reddit users posting odd stuff.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
Therein lies the rub. The argument goes like this: a man's life (man here meaning men, women, and children) is his own, and cannot be owned by anyone else (anything else is tantamount to slavery, which I do not feel the need to point out the evils thereof); a man is free, in so far as life without freedom is death (a slave has no right to his own property, as it is supposed to be ultimately his master's property); finally, a man's things are his own, in so far as he is free to pursue his happiness as he likes, provided it does not violate the former two items (life and liberty) of others. To steal a man's things is to deny him the happiness that comes with pursuing such things, as well as the liberty associated with it (by stealing his things, you are effectively profiting from him, ergo you have made him your slave, if only in this manner). As the life of a slave is one of death, you have sent the man into a state that is considered quasi-death. As such, a man, having gotten his wealth through no ill-means, is free to kill another man in defense of that wealth, as he would his life or someone who wished to rule him.
That's the 5-minute argument, which I am very hastily making. Do not consider it the authority on such thinking, as anyone can find holes or points I have oversimplified; however, it does provide some understanding into the ideas behind defense of property. If you wish to understand more about this concept, I'd point you to the history of every major civilization, with a note that as property laws degraded, those civilizations fell. Finally, the irony of these words is not lost on me, as despite their inclusion in a very important document (as an American), they were summarily discarded when others felt a desire to be rulers of what were considered less-civilized men. Men != property, under any interpretation of the law. And yet, I get the feeling that civilization is about to test that law once again, to see if it still holds; I do not think this country will survive such a test.
I am John Hurt.