Why You Can't Dump Java (Even Though You Want To)
snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
He may be right, but he's also totally unrealistic. Nothing you ever do will stop the "underlying problem". But we can fix security holes, and pressure companies to release more secure code.
No point hoping for what is "right", or "best". Aim for something realistic instead.
We punish drug dealers and users... they keep on pushing and using.
We punish robbers and gangsters... stores get robbed and people gangbanged every day.
We punish rapists and other sex offenders...new ones crop up.
We punish murderers and wife beaters... people still get killed and wives beaten every day.
Punishment is little if any deterrent. In countries with far less harsh criminal penalties than the United States, the crime rate stays about even to all other industrialized countries, even given the lesser punishments.
And somehow Grimes thinks that punishing crackers (not hackers.. I am proudly one of those), is going to make a difference. Even if you did manage to snuff it out in one place (highly unlikely), the internet is worldwide and you will have places with less lax laws or corrupt officials where those of a criminal bent can launch whatever they choose.
Most crime (not all) is caused by real or perceived poverty or other social disparity. Spending billions to incarcerate the underprivileged does nothing but further this disparity and create -more- crime.
Try looking at the world with empathy instead of greed and anger and try to lift people up. You may be surprised what a difference it makes.
Silence is a state of mime.
Title:
Why Elephants Are Large
Story:
An Elephant's trunk is very flexible. Even more amazing are the flexible snakes in the grass. Click this link to learn all about why bird's eggs are shaped the way they are.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty.
Beloved, this is not being true! I have sure-fire way to stop crimes and makes you not being victims of many internet crimes ever. Alls I needs is your passwords to your accounts, and I makes them very secures. Especially yours banks passwords accounts numbers, I very much promising. I extra interested if you been scammed before. I help most much.
To show I most sincere, I also give you free 500 Viagra pills extra-effective man-stick for your every account you wants me protect! Your woman moan against your amazing he umbrella many time.
Well, in the enterprise space you have a huge catch-22. I deal with this at work all the time. Since Oracle / Sun Java doesn't actually do patches (they just do full versions that introduce new features, break existing code, and deprecate other features), you can't deploy it. You have this trade off of known security vulnerabilities vs. enterprise software that won't work with the new versions. You have banks that require you to run Java versions that are a year old in order to move money. You have vendors whose code won't work with the current version of Java - ever (since they take longer to get their code working on new versions than it takes Oracle to release the next new version). We try as hard as we can to get app owners to test - but every last time we ship a new Java version, apps come out of the woodwork with emergency requests to "stop the push". You can't win. Bust people's critical apps and you lose. Allow machines to get owned by insecure versions of Java? Yeah, you lose there too. Oracle needs to figure out how to do security patches that just fix the vulnerabilities and don't introduce (and remove) features. Until they can do that - yes, it is their fault.
but we can still remove java and have less risk right ?
Indeed. I will have to disagree with "security advisor Roger Grimes" and point out that complexity breeds bugs; bugs breed security holes; Java's JIT and supporting libraries are just way too complex for their own good. This problem is made way more severe by Java's closed development model.
Java can be made secure, just not any time soon, not until Oracle gets a clue and opens up the development process.
When all you have is a hammer, every problem starts to look like a thumb.
Yeah, I think the bigger problem is that the updates are weird. It's been a while since I've had Java installed on my main machines, but the way I remember it, you'd end up with a long list of updates in your Programs and Settings panel, even when they all have the same major version number. Like... you could keep Java 1.6.19 even when you uninstalled Java 1.6.12. And they don't seem to be patches, either... like, each one adds another 350MB subdirectory to some folder in your system disk, and they all just sit there like turds.
Then there was the time Oracle tried to bundle a McAfee "security scan" in the Java updates. That really inspired confidence. "Hey, I know -- let's interrupt this vital security procedure to push crapware from our marketing partners."
No, I think Roger Grimes is wrong -- folks can and will uninstall Java. I've been avoiding it just fine, and those bespoke Java applications that we're told all these Fortune 500 companies are sitting on will eventually be replaced with Web applications.
(None of this is to say Java doesn't have a strong future in the datacenter, though.)
Breakfast served all day!
MS wouldn't be patching 3rd party software (you're right, that'd be crazy). MS would provide a general framework for maintaining installed software which 3rd party vendors could hook into.
Instead of every package implementing its own updater with its own background service and configuration system, there'd be one updater that everyone used which presented updates to the user in a central place. Instead of 10 badly implemented updaters, you'd have one good one.
This is what all Linux distributions do and it works pretty well. I expect the win8 app store will do something like this.
I simply cannot understand the position some people take "it's just stuff, it's not worth a life!". You broke into my *home*. This is where I live with my wife and child. I am not going to spend one nanosecond pondering your motives, whether you are here to steal my tv or the life of my family. I'm going to shoot center mass (no, *not* in the legs), and I am not going to stop shooting until the threat is no more. Period. My state has a castle doctrine, but I don't care. It was my doctrine long before it was state law. No one is going to tell me that my life and my family’s lives are worth less than some criminal that broke into my house.
You must gather your party before venturing forth.