Java Zero-Day Vulnerability Rolled Into Exploit Packs

tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

Oh Java...

[AlphaBro]

At this point does any tech savvy user still have the Java Runtime Environment installed? These days it doesn't seem to be good for much beyond extremely reliable arbitrary remote code execution.

Re:Oh Java...

[medv4380]

It would be very difficult to cull Java in an Enterprise environment that was build on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.

Re:Oh Java...

[gstoddart]

At this point does any tech savvy user still have the Java Runtime Environment installed?

Sure, but I have No Script installed to keep it from running except when I need it to.

Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.

In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.

Hell, a lot of the tools I need to run daily for work are in Java.

Re:Oh Java...

[binarylarry]

This isn't a flaw in the runtime but the browser plugin.

Re:Oh Java...

[Mathematiker]

You know the difference between a browser plugin and the JRE?

Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?

Re:Oh Java...

[gl4ss]

my bank requires it.

most browsers today though ask per page if you want to run it, don't they? at least firefox does..

Re:Oh Java...

[The+MAZZTer]

If you play Minecraft you need Java installed.

Re:Oh Java...

[ByOhTek]

I do. I administrate/develop for/run a server that is built on java :-(

Also, anyone who plays mincraft would have it installed.

Re:Oh Java...

[Nerdfest]

Why would you not develop systemns in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.

Re:Oh Java...

If you use IE you can disable Java for all sites except the "enterprise ones". Even on IE6 - assuming an Enterprise environment typical of the sort you are talking about ;).

Re:Oh Java...

I disable the Java plugin in all browsers except one, for that one I leave the 64bit JRE installed, Since there's only one 64bit browser, clearly I'm talking about MSIE, the browser you usually don't want this crap to run in. Blame Google and Mozilla.

Re:Oh Java...

[medv4380]

Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.

Re:Oh Java...

[TheLink]

Create a browser instance/profile solely for your banking. Then configure the browser to have everything off except for your bank's URLs.

My normal browser runs as a different user from my logged in user account. My bank browser runs as yet another user. So pwning my normal browser still requires a privilege escalation to affect my main user account or my banking stuff.

My main account has access to the files and folders of the normal browser account. But not the other way around.

Re:Oh Java...

[Luuseens]

False. You don't need the Java browser plugin for Minecraft, only the JRE.

Re:Oh Java...

[Bill_the_Engineer]

At this point does any tech savvy user still have the Java Runtime Environment installed?

At this point does any tech savvy user don't know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.

Re:Oh Java...

[peppepz]

Which is what AlphaBro wanted us to uninstall.

Re:Oh Java...

Java isn't just applets.
Entire application servers run on J2EE ( JBoss, Glassfish, WAS to name a few ).
In this case the exploit is related to applets, but what if there was a zero day in say, the implementation of java.net.ServerSocket ?

Well, I guess that just means patching all the application servers with a hotfix. There goes my vacation.

Re:Oh Java...

Did he say you needed the browser plugin?

Can any of you idiots with 7-digit ids even fucking read?

Re:Oh Java...

[peppepz]

Many tech savvy users write Android applications, for instance. Others play Minecraft. Others contribute to OpenStreetMap. Others even use the Netbeans IDE, lazy them.

Re:Oh Java...

[DickBreath]

> > If you play Minecraft you need Java installed.

> False. You don't need the Java browser plugin for Minecraft, only the JRE.

His statement is true. Having the JRE installed is having Java installed. It is correct that the browser plugin is unnecessary. But his original statement is entirely correct.

Re:Oh Java...

[snemarch]

Sure, I have the JRE installed on my work laptop - but I sure as hell don't have the browser plugin installed. Nor Flash, nor AdobePDF. When I need Flash, I fire up Chrome for that particular site. When I need Java (which us Danes sadly do for online banking and government interaction), I fire up a virtual machine image dedicated just for that.

And my main browser, FireFox, has NoScript, AdBlockPlus, Ghostery and Certificate Patrol (any more addons I should know about?), work laptop as well as my own machines. But I digress. JRE: not a problem in and by itself. Just stay way clear off the browser plugin. And Flash. And AdobePDF.

Re:Oh Java...

[robmv]

and the latest Java 7 update added features to disable Java applets and JNLP from browsers, that way if you need Java for an application like Eclipse, but don't need Java on the browser, you can secure yourself

Re:Oh Java...

[GameboyRMH]

Don't forget 64-bit Firefox.

Re:Oh Java...

[molotov303]

I don't know why it isn't enabled by default, but Firefox has a click-to-play plugins option that should dramatically reduce the exposure to exploits like this. So NoScript isn't required.

about:config
plugins.click_to_play = true

Re:Oh Java...

[gstoddart]

Noscript also stops most JavaScript, which is another potential source of nuisance.

I prefer to have everything blocked and controllable by default, if I want it, I'll run it -- otherwise, your flashing monkey isn't going to happen.

Re:Oh Java...

[0123456]

Don't forget 64-bit Firefox.

Or all the other 64-bit browsers.

Oh, I just realised he's running on that wacky Windows thing, where the OS is 64-bit but 99% of apps are still 32-bit.

Re:Oh Java...

I am happy to blast M$ anytime, but as a C++ developer I have to attest their 64 bit environment is exactly as good or bad as their 32 bit environment.

So, fuck your comment. It is on the level of M$ propaganda, actually.

Re:Oh Java...

[lgw]

Your bank requires Java, not Javascript? Are you in the US? I've never seen that before, though I hear web-based banking varies considerably between countries.

Re:Oh Java...

[DarwinSurvivor]

I think the last time I saw a Java plugin was on a code example site that showed different types of sorting algorithms or something and that was about 3 years ago. Perhaps you're thinking of Javascript or Flashplayer?

Re:Oh Java...

[DarwinSurvivor]

No but online Java applications such as minecraft may be a problem.

Re:Oh Java...

[sourcerror]

All the Java problems were with applets. Considering how many security problems were with Flash too, maybe the problem is with the browser APIs.

Re:Oh Java...

[dna_(c)(tm)(r)]

Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.

Nobody uses applets for anything anymore - except the baddies - disable the java browser plugin and be done with it. Webstart is not the problem.

Re:Oh Java...

[fuhagaga]

http://www.cloud65.com/ til I looked at the draft of $5474, I have faith that my neighbours mother could realy bringing home money part time from there new laptop.. there dads buddy had bean doing this less than 23 months and just now cleard the mortgage on there villa and bourt a new Mazda. read more at,

Re:Oh Java...

[blade8086]

At this point does any tech savvy user still think that Java isn't built into every modern web browser and that you need a plugin for it?

I love java - jQuery is great, especially with HTML5 :D

Re:Oh Java...

[Suddenly_Dead]

We're talking about Java, not JavaScript.

Re:Oh Java...

I was about to enquire why this got a -1 score... until I saw your sig.

Re:Oh Java...

Lol?

Re:Oh Java...

[Mathematiker]

What does "online java application" mean? The app opens a network connection and communicates with some other host?

Such an app would not become more safe if it were written in, say, C++ or C# or most other languages.

The danger about java is in the browser plugin, because it downloads and runs untrusted byte code. This is about as unsafe as using an ordinary browser with java script enabled - which also downloads and runs untrusted code.

Re:Oh Java...

Java Runtime Environment, Java Browser Plugin and JavaScript are three separate things. You're the only one talking about JavaScript.

Re:Oh Java...

[Suddenly_Dead]

Are you responding to me? jQuery is a JavaScript library, and the Java plugin and JRE aren't bundled with every modern browser (or really any that I can think of).

Re:Oh Java...

[uninformedLuddite]

Can any of you idiots with 7-digit ids even fucking read?

What I do in the toilet is none of your business.

Re:Oh Java...

[binarylarry]

Haha! NO ONE expects global warming!

Re:Oh Java...

[leenks]

Applets run in the same environment as webstart these days.

Re:Oh Java...

[dna_(c)(tm)(r)]

Applets run in the same environment as webstart these days.

Not really. They obey similar sandbox rules.

But key here is that applets are embedded objects running in the context of the browser (Java plugin). A webstart application is essentially a download of an xml description file (jnlp) and a new javaws process handles this. You can easily configure your browser to download jnlp files instead of opening them with javaws.

Re:Oh Java...

[leenks]

Applets now run within separate processes. Additionally, they are now deployed using jnlp in the same way as webstart.

Java plugin2 (from Java6u10) changed a lot...

Re:Oh Java...

[lengau]

Several HR-related systems (including the one I unfortunately have to support at work) use java applets.

Just remove Java and get it over with

[Tridus]

At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

It sucks more in the corporate world, where there's a lot more Java and thus no easy answer for the security problems that plague it. But for home users? Just remove it and make your life easier.

Re:Just remove Java and get it over with

[nebulus4]

Easy for you to say. Here in Norway we are required to have it to do online banking :(

Re:Just remove Java and get it over with

That and those "Open Source" software that are unfortunately coded in Java by lazy developers... e.g. Eclipse, Netbeans, OpenOffice etc.

Re:Just remove Java and get it over with

[medv4380]

Copy the JRE folder into the Minecraft folder and write a batch file to launch it. Then Kill Java. Works for some enterprise environments too, but not all. All Browsers should block Java. Applets are nothing but plague rats now, and should be burned with fire.

Re:Just remove Java and get it over with

As someone who makes a living writing code in Java, I couldn't agree with you more. Java applets are a thing of the past and should be avoided and no reason to run or install the Java browser plugin.

Java has found a nice niche server-side and in enterprise middleware, but is almost non-existent client side, and as you said those few client side Java programs (like Minecraft) dont' need the browser plugin.

Re:Just remove Java and get it over with

[TubeSteak]

If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

This has been my situation for the last few years, )though not for minecraft.)
Adobe's Flash/Shockwave more or less killed java for the average user.

/the mass of exploits that is flash makes for another conversation entirely

Re:Just remove Java and get it over with

[edxwelch]

Please, stop the FUD already. All the security holes have been accessed via the java browser plugin, so just disabling the plugin is enough. .. and while you at it, disable the .NET browser plugin. Just as many security holes have been found in that component as java.
There is no need to uninstall JRE (If you have Java installed on your system, then you probably need it for something)

Re:Just remove Java and get it over with

[binarylarry]

Yeah because why have one out of date runtime when you could have dozens of out of date runtimes!

Re:Just remove Java and get it over with

But... but... Javascript is used all over the Web. You'd break almost everything if you uninstalled Java!

[Typical mid-competency-know-it-all user response to the suggestion to uninstall Java.]

Re:Just remove Java and get it over with

There are a number of java programs that I regularly use, and they have no real alternatives (that don't suck).

The problem isn't Java per se (although I respect the efforts to sandbox it, we all know that's a losing game), but rather that anyone would be crazy enough to allow a web browser to run processes with user level privileges. I blame it primarily on the historical tendency of adding functionality to webpages by relying on plugins; it's inherently insecure design.

captcha: Apology

Re:Just remove Java and get it over with

[Minwee]

But... but... Javascript is used all over the Web. You'd break almost everything if you uninstalled Java!

I see. Have you tried turning it off and on again?

Is it definitely plugged in?

Re:Just remove Java and get it over with

Either setup one browser for banking then, or disable java except when you're doing online banking?

Re:Just remove Java and get it over with

Really? Java isn't needed on home user systems?

http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html

Pretty sure those apps aren't just in the corporate world.

Re:Just remove Java and get it over with

[Bill_the_Engineer]

While we are at it let's get rid of Python and Ruby which are associated with web exploits in recent news (The Ruby SQL injection being the latest) . It would make more sense to say "Just remove java plugins".

Don't punish an entire language because of a bad implementation of a function that either uses the language or extends the language into where it really isn't needed anymore.

Re:Just remove Java and get it over with

[DigiShaman]

Ya, and when the next JRE update prompts the user to install from the system tray, the browser plugin gets re-enabled (re-installed really).

Re:Just remove Java and get it over with

[girlintraining]

At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

It's used on a lot of websites to launch various games and applets to do things like search a database of parts. The same argument could be used for ActiveX controls and yet, you can't go online for very long without running into someone's website that uses it.

But for home users? Just remove it and make your life easier.

It'd be better to use something like NoScript to control access to it. I pair it with other plugins that prevent cross-site scripting, as most of these exploits take advantage of advertising link-ins to popular websites.

Re:Just remove Java and get it over with

[medv4380]

You'd rather have an Up-to-date JRE with major vulnerabilities sitting exposed via your Browser? I'd take the chance of an Out-of-date JRE sitting in a folder that's only used for Minecraft when I'm running it to Any of Them sitting exposed on a Browser.

Re:Just remove Java and get it over with

I am running Ubuntu 10 LTS and firefox comes with QuickJava, which allows you to enable and disable Java, Flash and JS by clicking a single button. I normally disable everything except JS.

Re:Just remove Java and get it over with

[hawkinspeter]

There's a more interesting Ruby exploit (http://www.securityfocus.com/bid/57187) that can allows remote command execution.

Re:Just remove Java and get it over with

[Barlo_Mung_42]

Minecraft.

Re:Just remove Java and get it over with

[Tridus]

You take the TIOBE numbers to mean anything whatsoever? Interesting.

If you actually have something that uses Java on your home machine (though most users don't), disable the browser plugin. That solves the problem, assuming Java's updater doesn't go and turn it back on.

Re:Just remove Java and get it over with

[Tridus]

Which was specifically mentioned in the comment you're replying to. Awesome attempt at reading comprehension though!

Re:Just remove Java and get it over with

[Bill_the_Engineer]

Thanks! It would be more accurate to call it a "Ruby on Rails" exploit since just because it uses Ruby doesn't make it Ruby's fault which is the point of my parent post.

Re:Just remove Java and get it over with

[nebulus4]

Well, Firefox now comes with click-to-play feature so you can activate plugins on demand or white-list sites. Opera has it too. But it's not the point, OP was talking about removing the whole thing and it's just not an option.

Re:Just remove Java and get it over with

[DickBreath]

Support: Have you tried pushing the 10 key?
Customer: The 10 key? Do you mean F10?
Support: No. The 10 key is a black rocker on the back of the computer with a 1 and a 0. Pushing that will make your computer secure.

Re:Just remove Java and get it over with

[snemarch]

Same in Denmark - and we need it for .gov interaction as well. Remove the plugin from your primary browser, keep it in a secondary browser you launch just for Java stuff - and if you're slightly paranoid, keep that secondary browser in a virtual machine.

Re:Just remove Java and get it over with

[snemarch]

None of those rely on the Java browser plugin - which is what gets you pwzned. Having JRE installed isn't a problem as long as you get rid of the browser plugin.

Re:Just remove Java and get it over with

[edxwelch]

Unfortunately, you are right. Updating java re-enables the plugin (very bad :( ). However, Firefox seems to know that the plugin has security hole and disables it.

Re:Just remove Java and get it over with

[SplashMyBandit]

You take the TIOBE numbers to mean anything whatsoever? Interesting.

The TIOBE numbers are considered approximate, yet you fail to provide any alternative numbers and scoff at the approximation. Java rules the Enterprise, many development tools, and some games (IL-2, Minecraft, Take on Helicopters, the upcoming Arma3). The Java browser plugin may as problematic as Flash or the .NET plugin (Silverlight), but the Java Runtime Environment (JRE) itself is solid and very, very fast (which is why many developers, myself included, prefer Java to alternative development platforms).

So please, enlighten us with your numbers showing Java usage is neglible. You can't. Perhaps it's just you think computing is your desktop only, yes? Well, there's a huge amount of computing (eg. the Enterprise) that the average Joe doesn't see or hear about (because enterprises don't always talk about their competitive advantages) - and a lot of that is Java.

Re:Just remove Java and get it over with

[SplashMyBandit]

.... and get rid of C and C++ for all their buffer overrun holes. Oh, and let us also get rid of Javascript while we're at it for all its exploits. Then we'd better shut down Silverlight/C# as well (http://www.cvedetails.com/product/19887/Microsoft-Silverlight.html?vendor_id=26). By the same measure we'd better ditch our operating systems to (http://www.cvedetails.com/vendor/26/Microsoft.html).

So what do we have left after scorching the earth? nothing? they're all vulnerable and all need to maintained and patched. Java is not alone and not really any worse than any other technology.

Or instead we could get real and demand that browsers fix their plugin model and run plugins with almost no privileges, ya know, as Unix/Linux does for services. That way the inevitable security holes are not catastrophic as they are now, and we don't have to do "denial of service" on ourselves by removing useful tools and technologies.

Re:Just remove Java and get it over with

Remove Java? How arrogant, myopic and presumptuous of you to think that home users have no legitimate use for Java, Mr know-it-all.

Re:Just remove Java and get it over with

[edxwelch]

Sorry, to correct my previous post.
Java does indeed overwrite system settings, however both Chrome and Firefox ignore the system setting and the plugin remains disabled.

Re:Just remove Java and get it over with

[mcgrew]

Here in Norway we are required to have it to do online banking :(

I refuse to bank online, and I would ESPECIALLY refuse to bank online if the bank demanded java. If I want to check my balance I'll call them; I never heard of anyone getting rooted over a voice-only phone call.

In fact, I use my credit card as little as possible online. Yes, I'm paranoid... but my computers haven't been infected with anything since my daughter installed the XCP trojan Sony provided on a CD she bought at the store she worked at.

If I do get rooted, there's no sensitive information whatever on my PCs or phone.

Re:Just remove Java and get it over with

So, except Minecraft, what are the uses of Java for a home user ?

Re:Just remove Java and get it over with

[Anonymous+Brave+Guy]

You must have an old computer. My 10 key is next to the cup holder on the front.

Re:Just remove Java and get it over with

[lgw]

never heard of anyone getting rooted over a voice-only phone call.

Bank fraud is hardly new to the internet. You can bank on the internet quite safely if you do it from a VM that you only use for thta purpose - and I strongly recommend that approach. I use a credit card freely online, but it's one with a $0 fraud protection guarentee.

Re:Just remove Java and get it over with

[antdude]

How do we play Minecraft then? :P

Re:Just remove Java and get it over with

I need it for LibreOffice. There are some features in LO that won't work without Java. Whatever happened to the plan to remove the need for Java from LO?

Re:Just remove Java and get it over with

[zixxt]

Here here, The amount of updates released to keep .Net secure is the same or more than the security updates for JRE/JDK/JVM.

People just seem to get off on basing Java it seems.

Re:Just remove Java and get it over with

[DigiShaman]

That's good at least. Typically JRE is (was) required a fews years back by major corporate banking sites. Typically, it was used for scanning checks and uploading them to the site. For some god forsaken reason, not only must JRE not be updated (as it will break the web app), but sites required an older version of IE.

Now if you ask me, I would tell the bank to eff off. But money talks and I'm not the CFO. In fact, typically MIS dept falls directly under accounting. So that's *never* going to happen. The leaves two other options. Create a stand-alone kiosk specialized for nothing, and (I mean nothing) but check scanning to the website in question, or have the user use a VM assuming the check scanner hardware will pass through and enumerate. The accountants bitch, the CFO listens, and instead they just use an outdated version of JRE on their machine with IE that shouldn't be updated. Deep Freeze utility is required which causes further administrative headaches. Essentially, now each accounting machine must be treated and coddled like fucking file servers with regards to their importance. Seriously, when they can't process data, the world stops for them. You IT job depends on it lest you piss off the CFO.

Life. Is. Grand!

Re:Just remove Java and get it over with

Ya, and when the next JRE update prompts the user to install from the system tray, the browser plugin gets re-enabled (re-installed really).

Have you tried using a real OS with a central package manager? No in-tray update utils. No unwanted re-enablements.

Re:Just remove Java and get it over with

No JAVA language really is bad.

Re:Just remove Java and get it over with

[darthflo]

I never heard of anyone getting rooted over a voice-only phone call.

Hi. (Online) Security Officer for a large bank here. I deal with Phishing, Malware and the likes on a daily basis. You are partially right: Most of the attacks we observe tend to rely on an online vector. However, mixed-media has seen a great rise throughout 2012, the most popular attack being phishing coupled with voice-only phone calls.
From our point of view, we can bring a lot of defense mechanisms into our online services, while phone-based authentication isn't quite up to scratch. Leaving phone-based attacks aside, simply forging your signature on a payment order tends to be easier than obtaining access to your online banking account.

That being said: I don't work for your bank and am not aware about its security deployment. If you are interested in banking online but worried about security, shop around and compare security mechanisms. Whenever possible, favor two-factor solutions whose secondary factor is some device that is not connected to your computer (e.g. PhotoTAN, Flickering or a card reader); avoid mTAN and any variations of printed code matrices.

Re:Just remove Java and get it over with

[mcgrew]

Thank you for that, it was informative. I really don't have any reason to bank online, and know better than to give any sensitive info to anyone who calls me.

Re:Just remove Java and get it over with

If ;you want to use that logic, then we should remove all MS Windows based systems, Mac has had a few expoits, android, and every other smart-phone O/S. Some versions of Linux have had a few, then we can all use UNIX, Unisys, maybe freebsd ( I am not sure if there have been any exploits for this one).

Re:Just remove Java and get it over with

The only problem is how long did it take Oracle to respond to the hast hole? 2 months? 3?

Re:Just remove Java and get it over with

Nope. I do online banking in Norway - without Java. The bank "Skandiabanken" does not require java. Java makes the online bank a bit smoother, but it falls back to a html-only solution if you don't have java.

Seriously, write to your bank and demand a java-free alternative - or you'll switch to another bank. 15 years ago, some banks demanded "internet explorer" for online banking. So I told them:

* this costs them customers, as those not running windows cant use internet explorer
* there is NO security, because - surprise surprise - the browser string can lie. Specifically, mozilla could pretend to be IE.

And guess what - they changed things quickly. Windows had over 90% market share then, but banks do not want to loose even 5%-10% of customers by demanding software the customer doesn't want. (Or cannot run at all - windows doesn't run everywhere either.)

Today - you can tell them that you think java has a bad track record for security, and that you at least want the option to not use it. Implementing a html fallback is not particularly hard for them, and then the bank will work for all sorts of java-less platforms. Such as phones...

Changing banks are not hard either. If you really like your stubborn bank, you don't have to leave it completely. Get an account in a bank that works without java - you don't have to get rid of the old bank at the same time. Then, do more and more of your transactions in the new bank. Drop the old bank when the new one works better for you, if they still haven't seen the light about non-java solutions.

Java Web Start

Is this exploit possible via Java Web Start, or only applets?

LOL

But Java is supposed to prevent all these security issues according to its evangelists! Seems to be meaningless when its own JVM is a threat vector. Apparetly the JVM writers fail at writing secure code. Throw Java on the trash heap and be done with it. Even Flash Player has less vulnerabilities. And that's really saying something when your software is less secure than shit that Adobe puts out.

Re:LOL

It's also unfortunate that Java developers have been unable to find a way to force AC's to actually RTFA and understand it.

Miscreant?

The repetitive use of miscreant in TFS begs the question: aren't there more modern pejoratives that might be applied here? You know: blackguard, knave, footpad, malefactor, cad, ...

Re:Miscreant?

Yes: mendicant and buffoon?

Best practices?

INTERNET SURFERS: Enforce your browser/s so not run scripts and remove all instances of Java - congratulations, you're almost safe to browse the internet now but have you updated your flash player, Windows and all your non-Windows software? ...there are programs out there that can scan yout machine to alert you of out-of-date software. I seem to remember Trend Micro online scanner doing this, but you needed Java to run it! I know there are others but I can't name them... just use legitimate ones and don't just ask google to look for anitvirus 2013 lol.

Re:Best practices?

[MouseAT]

Secunia PSI will do what you're looking for - it pulls down a list of the latest versions of common applications, checks them against the applications you have installed and alerts you to any that require updates or that are no longer supported. It's free for non-commercial home use, and gets installed as standard on any machine I use at home. I believe they do a corporate version as well, but I never paid any attention to it beyond the fact that it exists, and has a price tag somewhere in the general region of "my boss is never going to approve it".

Paunch?

[Big+Hairy+Ian]

There's a hacker called Paunch? You are Kevin Smith and I claim my five pounds!

How has the exploit maker gone unfound?

[Wokan]

Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?

Re:How has the exploit maker gone unfound?

[durrr]

Follow the money and you probably find that various three letter agencies are his main customers.

Re:How has the exploit maker gone unfound?

[Mathematiker]

Is finding a bug and writing an exploit for it illegal yet?

Re:How has the exploit maker gone unfound?

[i+kan+reed]

The mechanism that keeps his clients from cheating him is presumably the same mechanism that operates in every black market. Threat of retaliation. As for why they don't just follow the money, my guess is that it goes through some completely unregulated bank with a quickly opened then closed account for each transaction, in combination with hush money to appropriate government officials.

Re:How has the exploit maker gone unfound?

[CanHasDIY]

Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down?

Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know.

If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

Re:How has the exploit maker gone unfound?

[Nerdfest]

There's a person finding exploits for $10,000 per month and Oracle, Microsoft and Adobe don't subscribe to it? That's just silly.

Re:How has the exploit maker gone unfound?

There exist several companies who do this. "Weaponizing" is illegal, though, except if you are authorized by government, of course. See StuxNet.

Re:How has the exploit maker gone unfound?

[hawkinspeter]

It depends on where in the world you are and who your friends are.

Re:How has the exploit maker gone unfound?

[Bill_the_Engineer]

Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know. If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

Explain laws against selling drug paraphernalia, subsections of the DMCA, or consumer protection against malware laws in several states like California, Arizona, Indiana and others...

Re:How has the exploit maker gone unfound?

[DarkOx]

I have been wondering this ever since this guy surfaced. My assumption now is that he is an FBI honeypot. They don't mind letting a few actual Java/Webstart vuluns into the wild to give them credibility because they (the FBI) are

1. not really in the business of protecting the ordinary citizen.

2. secretly at least of the mostly correct opinion any assets put at risk by these vuluns are either controlled by those up on these things, capable of working around the issues and securing them anyway or operating systems riddled with so many other unmitigated vulnerabilities its mostly irrelevant from a security posture standpoint.

Its all more valuable to them to passively watch what sorta of organized crime folks appear out of the wood work.

Re:How has the exploit maker gone unfound?

[DarkOx]

One could argue as packaged what he is selling amounts to the digital equivalent of criminals tools. There absolutely are laws that bar you from selling tools specifically designed for criminal use. That is why its hard to get lock pick sets etc in many places.

There are plenty of ways to publish the info anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes if you give me a white paper that describes the resulting offsets you got from the fuzzer you wrote, and some memory locations large enough for shell code I can put together a C program in moments to do something nasty, as can tens of thousands of others, but that is the risk of living in a free society. Odds are pretty good you have by not passing out binaries raised the bar enough that the folks who can use the information for evil have other economic opportunities.

Duct tape, a short baton, party mask, toy or real pistol are all things that are perfectly legal to sell by themselves. I bet the local DA will do something about you pretty quickly if you put them all together in one box label "Rape Kit" and attempt market them though.

Re:How has the exploit maker gone unfound?

I do think your are overestimating the intelligence of FBI personnel by a large degree. They simply don't give a shit because the guy actually doesn't do anything criminal. His customers might do, but the same can be said about sellers of fertilizer.
They are after people who use fertilizer to build Diesel-fertilizer bombs, though. And certainly after people who use viruses for criminal activity such as collecting CC numbers and account details. But they are also realistic and know that 50% of Windows PCs worldwide are already infested by dozens of viruses. So...what ?

Re:How has the exploit maker gone unfound?

While that is not a bad deal I think the problem is that dealing with the individual would have to be done through back channels. For one thing he probably would not sell if he knew it was one of those companies so you would have to create some sort of front.

Payment, taxes, etc would be a big issue when trying to handle you subscription to this guy's work as well. The black/gray market would probably have much less issue.

Plus if he ever gets pinched your company could be in trouble for supporting a criminal.

Re:How has the exploit maker gone unfound?

They offer a hosted service, they don't give the exploits to customers.

Re:How has the exploit maker gone unfound?

[DarkOx]

I did not mean to imply he necessarily was working for them. Although I would not discount that as possibility. I do expect they know who he is one way or another, and as I stated they probably view these java exploits as not a threat to someone who is not most likely already a victim.

My guesses would be one of the following are true:

1. He is direct FBI plant, on the pay roll and informs on his customers.
2. He has a handshake agreement with the FBI to let him run his little racket and make what money he can while they get to gather intelligence.
3. He has not specific relationship with him but they keep a close eye on things; they could pick him up anytime they want but find it more useful to let a small fish like him keep swimming so as to see which sharks get drawn into the vicinity.

Re:How has the exploit maker gone unfound?

[CanHasDIY]

Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know. If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

Explain laws against selling drug paraphernalia,

"Drug paraphernalia" is illegal to sell because it contains traces of illegal drugs, not because of what it is. That's why you can buy a brand new "water tobacco pipe" from a head shop, but not a used bong (water pipe that has been used to smoke marijuana), even though they are the exact same piece of equipment.

subsections of the DMCA,

Such as?

consumer protection against malware laws in several states like California, Arizona, Indiana and others...

A) Again, such as? If you can't cite specific ordinance, I'm inclined to call bullshit.

B) State law != federal law. I'm certain some municipalities have laws against selling slim-jims (automotive lock picks), but that doesn't make them illegal to sell nationwide.

Here's a link that can help you develop a basic understanding of the difference between state and federal laws.

Re:How has the exploit maker gone unfound?

Maybe, maybe not. There was a story a year ago or more how USG used the services of "security" companies to take over botnets from the Mafia, so that USG could use the Botnets for USG intelligence gathering.

So, USG is running botnets !

Imagine all the noises if the Chinese did this.

Re:How has the exploit maker gone unfound?

[CanHasDIY]

One could argue as packaged what he is selling amounts to the digital equivalent of criminals tools.

One could argue that about hardware stores, too, but that person would get laughed out of the room, and rightly so.

There absolutely are laws that bar you from selling tools specifically designed for criminal use.

On a federal level? Cite the statute, or STFU.

There are plenty of ways to publish the info anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes if you give me a white paper that describes the resulting offsets you got from the fuzzer you wrote, and some memory locations large enough for shell code I can put together a C program in moments to do something nasty, as can tens of thousands of others, but that is the risk of living in a free society. Odds are pretty good you have by not passing out binaries raised the bar enough that the folks who can use the information for evil have other economic opportunities.

Preface: Cars are often used for criminal acts.

So, to bring out the oft-over used car analogy - what you're saying here is that you believe would be legally OK for GM to release the instructions on how to make a car, but if they actually build cars and sell them, they're guilty of encouraging crime?

I shouldn't even have to point out how ridiculous that theory is.

Duct tape, a short baton, party mask, toy or real pistol are all things that are perfectly legal to sell by themselves. I bet the local DA will do something about you pretty quickly if you put them all together in one box label "Rape Kit" and attempt market them though.

Well, sure, if you blatantly say, "the only purpose of this thing I'm selling is to break the law." But that's not the case here, and as far as I'm aware, never is.

If you can't see a use for an exploit kit outside the commission of crimes, I'd waver a guess you've never worked in any form of security.

Re:How has the exploit maker gone unfound?

[DarwinSurvivor]

If you have to pay a guy $10K for a exploit pack to JAVA do you really think you're smart enough to break his DRM?

Re:How has the exploit maker gone unfound?

[mjwalshe]

why would they pay him or allow him to work outside their controll

Re:How has the exploit maker gone unfound?

[Bill_the_Engineer]

"Drug paraphernalia" is illegal to sell because it contains traces of illegal drugs, not because of what it is.

Wishful thinking. Let me introduce you to 21 USC 863 specifically where it defines the term drug paraphernalia:

The term “drug paraphernalia” means any equipment, product, or material of any kind which is primarily intended or designed for use in manufacturing, compounding, converting, concealing, producing, processing, preparing, injecting, ingesting, inhaling, or otherwise introducing into the human body a controlled substance, possession of which is unlawful under this subchapter. It includes items primarily intended or designed for use in ingesting, inhaling, or otherwise introducing marijuana, [1] cocaine, hashish, hashish oil, PCP, methamphetamine, or amphetamines into the human body, such as—

(1) metal, wooden, acrylic, glass, stone, plastic, or ceramic pipes with or without screens, permanent screens, hashish heads, or punctured metal bowls; (2) water pipes; (3) carburetion tubes and devices; (4) smoking and carburetion masks; (5) roach clips: meaning objects used to hold burning material, such as a marihuana cigarette, that has become too small or too short to be held in the hand; (6) miniature spoons with level capacities of one-tenth cubic centimeter or less; (7) chamber pipes; (8) carburetor pipes; (9) electric pipes; (10) air-driven pipes; (11) chillums; (12) bongs; (13) ice pipes or chillers; (14) wired cigarette papers; or (15) cocaine freebase kits.

This statue was used as the basis for Operation Pipe Dreams where 55 people were indicted and charged for trafficking in illegal drug paraphernalia.

subsections of the DMCA,

Such as?

17 USC 1201 section (2) states:

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that —
(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

consumer protection against malware laws in several states like California, Arizona, Indiana and others...

A) Again, such as? If you can't cite specific ordinance, I'm inclined to call bullshit.

Here's a page with some links to State ordinances related to malware

Re:How has the exploit maker gone unfound?

>why would they pay him to make him think he is working outside their control

Geee... I don't know.

Re:How has the exploit maker gone unfound?

[CanHasDIY]

"Drug paraphernalia" is illegal to sell because it contains traces of illegal drugs, not because of what it is.

Wishful thinking. Let me introduce you to 21 USC 863 specifically where it defines the term drug paraphernalia:

The term “drug paraphernalia” means any equipment, product, or material of any kind which is primarily intended or designed for use in manufacturing, compounding, converting, concealing, producing, processing, preparing, injecting, ingesting, inhaling, or otherwise introducing into the human body a controlled substance, possession of which is unlawful under this subchapter. It includes items primarily intended or designed for use in ingesting, inhaling, or otherwise introducing marijuana, [1] cocaine, hashish, hashish oil, PCP, methamphetamine, or amphetamines into the human body, such as—

(1) metal, wooden, acrylic, glass, stone, plastic, or ceramic pipes with or without screens, permanent screens, hashish heads, or punctured metal bowls; (2) water pipes; (3) carburetion tubes and devices; (4) smoking and carburetion masks; (5) roach clips: meaning objects used to hold burning material, such as a marihuana cigarette, that has become too small or too short to be held in the hand; (6) miniature spoons with level capacities of one-tenth cubic centimeter or less; (7) chamber pipes; (8) carburetor pipes; (9) electric pipes; (10) air-driven pipes; (11) chillums; (12) bongs; (13) ice pipes or chillers; (14) wired cigarette papers; or (15) cocaine freebase kits.

Yet I can still walk into any of the dozen or so head shops in town, and walk out with any of those items, legally. All the proprietors have to do is put a little sticker on the object that states, "FOR TOBACCO USE ONLY," and bip-bang-boom, not drug paraphernalia.

This statue was used as the basis for Operation Pipe Dreams where 55 people were indicted and charged for trafficking in illegal drug paraphernalia.

According to the link you provided, the only arrests made were in Pennsylvania and Iowa. not really what I would consider the national dragnet that you're making it out to be.

subsections of the DMCA,

Such as?

17 USC 1201 section (2) states:

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that — (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

As I said before, if the sole purpose of the kit was crime, you'd have a point. However, as the kit can also be used to prevent crime, harden networks, discover bugs, et. al., the DMCA clauses cited above would not apply.

well, that and the fact that 17 USC 1201 section (2) specifically encompasses copyright, and nothing else. Context is pretty important, you know.

consumer protection against malware laws in several states like California, Arizona, Indiana and others...

A) Again, such as? If you can't cite specific ordinance, I'm inclined to call bullshit.

Re:How has the exploit maker gone unfound?

[Bill_the_Engineer]

Let's go back to your post:

Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know.
If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

You gave a premise that the government could not legally 'shut down' anyone and everyone capable of using a tool for crime.

I gave three of where "the government" could and have. You didn't say what type of government - you said "the government".

I should of known that since you accused me of "bullshit" that you wouldn't accept counter examples to your statement. One day you may figure out Google.

Re:How has the exploit maker gone unfound?

[CanHasDIY]

Let's go back to your post:

Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know. If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

You gave a premise that the government could not legally 'shut down' anyone and everyone capable of using a tool for crime.

I gave three of where "the government" could and have. You didn't say what type of government - you said "the government".

Fair enough, I was under the assumption that references to "the government" were pretty much defacto references to federal government, but I suppose I could have further clarified for the laymen who don't pay attention to politics. Sometimes I forget Slashdot has an international audience, many of whom are ignorant of American political lingo.

Of course, as an American, you don't really get to use that excuse.

I should of known that since you accused me of "bullshit" that you wouldn't accept counter examples to your statement. One day you may figure out Google.

Now, now, there's no need to be petulant - it does nothing to move the discussion forward, and really only serves to makes yourself look like an uptight asshole who can't handle having a disagreement without getting all butthurt about it.

Re:How has the exploit maker gone unfound?

[Bill_the_Engineer]

I was under the assumption that references to "the government" were pretty much defacto references to federal government, but I suppose I could have further clarified for the laymen who don't pay attention to politics. Sometimes I forget Slashdot has an international audience, many of whom are ignorant of American political lingo.
Of course, as an American, you don't really get to use that excuse.

I believe most people will equate the "government" as being either federal, state, or local. You don't see discussions limited to federal government on Slashdot. If you look back at what's been presented on Slashdot, you'll find plenty of stories that talk about state and local government actions as they relate to technology. Besides the first examples I gave you were federal, only the last example were state laws.

Now, now, there's no need to be petulant - it does nothing to move the discussion forward, and really only serves to makes yourself look like an uptight asshole who can't handle having a disagreement without getting all butthurt about it.

I'm the petulant one? I'm not the one declaring someone's comments as bullshit nor am I the one calling people asshole. All I do is give information. I can bring the horse to water but I can't make him drink.

By the way, moving the goal posts isn't the same as moving forward.

Re:How has the exploit maker gone unfound?

[CanHasDIY]

Now, now, there's no need to be petulant - it does nothing to move the discussion forward, and really only serves to makes yourself look like an uptight asshole who can't handle having a disagreement without getting all butthurt about it.

I'm the petulant one? I'm not the one declaring someone's comments as bullshit nor am I the one calling people asshole. All I do is give information. I can bring the horse to water but I can't make him drink.

I never declared anyone's comment as bullshit, you inferred that because that's what you wanted to think; if you go back and re-read my comment, I said that I would be forced to call bullshit on your claims if you failed to provide reference. The reference was provided, and I did not declare the claims bullshit as a result.

In the same fashion, I never called anyone an asshole - I merely pointed out that by making such petulant accusations as

I should of known that since you accused me of "bullshit" that you wouldn't accept counter examples to your statement.

Followed by needless snark:

One day you may figure out Google.

makes you look like an uptight asshole. Note that "look like" and "are" have completely different meanings.

By the way, moving the goal posts isn't the same as moving forward.

Completely agree, and it's a non-starter to this discussion - it appears the issue in this case is less about moving the goalposts, and more about failing to properly establish their location to begin with, which I take full responsibility for.

Re:How has the exploit maker gone unfound?

[Bill_the_Engineer]

No harm no foul.

I still don't understand why you consider jurisdiction significant.

Re:How has the exploit maker gone unfound?

but... but... They give you $100 bug bounties!

Re:How has the exploit maker gone unfound?

Because he lives in mother russia?

Re:How has the exploit maker gone unfound?

[blade8086]

Riiight.. because people who even know multiple customers willing to pay $10k for an exploit kit aren't seriously connected to other fraudsters and shady mafia types, and so on - e.g. 'oh hey - need to get some money sent? - I have a network of 50 people willing to accept transactions under 1k via their $account_type - I can get this to you for only a 25% transaction fee', 'I have this set of 100 accounts which are completely legal but otherwise dormant and unmonitored', 'oh, just buy 500 items from my bogus web dildo store', etc.

Re:How has the exploit maker gone unfound?

[DarkOx]

Funny thing I do work in IT security. I pretty familiar with many of the exploit kits out there and regularly work with (I won't drop names) one of the developers of a more popular one.

The thing is while they are fun to play with I don't seem them adding lots of value. I am not suggesting any information be censored here. Publish your whitepaper with details about how an exploit work, publish the source code even! I draw the line a slick little binary with GUI interface. Things like Backtrack just being out there for all to download I think is counter productive. To be totally frank the pentester argument is crap, there are some really go pentesters out there but the vast vast majority are irresponsible, incompetent, or both.

I have stood over the shoulders of these guys and watched them download tools, that they can't authenticate the publisher for, not read any source code, compile, and stopped them right before they were about to execute on secure machines. A good portion of the time these guys ARE the vulnerability.

I have seen guys from one of the big audit firms (again not going name drop) download a binary from the web, from a site not verified by any certificate or anything, not check the said binary matches any known safe hash, and get ready to run it on one of my domain controllers. I asked him to leave after that.

These folks often don't know the first thing about exploit development. If they had to try something on their own they'd be completely in over their heads. I doubt many have even run a debugger or could tell you what a program counter is. I have also had some teams in with folks who were creating exploits against apps we run on the spot they'd never seen those guys are out there too.

From a Blue team perspective a possible vulnerability should be treated the same as a proven one; closed in one way or another as soon as possible.

Re:How has the exploit maker gone unfound?

[CanHasDIY]

No harm no foul.

I still don't understand why you consider jurisdiction significant.

Because it is.

Consider this case of the exploit kit maker: Presuming he lives in a city/county/state that does not have a law that explicitly makes his sale of the exploit kit a criminal act, then he cannot be charged with any crime, as there definitely is not a federal law against making available tools which can be used for crime (assuming, of course, this isn't the tools only stated purpose; with the exploit kit, it is a reasonable assumption that the tools can be used to prevent crime as well, and thus they are not crime-exclusive tools).

Conversely, if he lives somewhere that has a local/state ordinance making the sale of potential crime tools a crime in itself, then he most definitely could be arrested, and subject to prosecution.

The point is, OP stated their opinion in such a way as to indicate their belief that, regardless of locality, selling the kit would be a punishable offense in the US. I merely intended to point out how and why that is not the case, albeit doing an apparently piss-poor job of clarifying my intended meaning.

Re:How has the exploit maker gone unfound?

[Bill_the_Engineer]

I don't think the OP took locality in account, and you must admit in today's political environment it doesn't take much to make a federal case out of any issue.

For the record, the items that I went into detail were federal statues.

Re:How has the exploit maker gone unfound?

As a honeypot.

Re:How has the exploit maker gone unfound?

[greg1104]

They offer a hosted service, they don't give the exploits to customers.

When I said before that I couldn't have any less respect for things hosted "in the cloud" for no good reason, I see I was wrong.

Safer browsing

[ArcadeMan]

Disable Flash and Java. Most websites with video will work fine, even if some require to change your user-agent to "iPad".

What do you mean, your browser can't display H.264 natively? Get a real browser.

The bigger surprise...

[Last_Available_Usern]

The Java exploit is much less surprising to me than how casually we include the fact that this guy (and others) are selling exploit kits online. I remember when stuff like this used to be so underground you had to "know someone who knew someone" to find it. Perhaps what he's selling isn't technically illegal, but it's still surprising to read.

Here's A Real Programming Language

Sappeur:

+ Memory Safe
+ No VM
+ No GC but reference-counted smart pointers
+ extremely quick startup times (down to 10ms)
+ almost all C and C++ style high-performance features such as stack allocation, value arrays, destructors available
+ memory safe even for multithreaded applications
+ destructors
+ RAII

http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf?format=raw

http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/

Is it 100% delivering the security it promises ? Probably not at this point, but my guess is that with the same amount of engineering work as has been put into the JVM, Sappeur could be almost 100% delivering the advertised security. It is actually a quite simple concept.
Currently, it is in the proof-of-concept stage.

Re:Here's A Real Programming Language

[SplashMyBandit]

• - no standard networking library.
• - no standard UI library.
• - no standard Web library or application servers.
• - no standard memory/CPU profiler (JVisualVM r0x0r!!!)
• - no standard database access.
• - no standard dependency injection framework.
• - no standard XML handling framework.
• - no standard logging framework.
• - no standard way to integration with LDAP/Active Directory
• - compiles to C++ so requires porting to every destination platform.

• ... etc

It is the libraries that matter, not the language. Add libraries and you get hugely increased functionality and productivity, but unfortunately some security holes also creep in as different parts interact (this is true for any development language). I'd rather take the productivity, thanks.

Re:Here's A Real Programming Language

- compiles to C++ so requires porting to every destination platform.

Because Java programs work on different platforms through magic rather than having to port the JVM to each of the platforms? Also, it is nonsense to say that a C++ program needs porting to each platform. I write complex Qt apps that need ZERO source porting between platforms.

Re:Here's A Real Programming Language

Most of the things you mention are already there in their infancy (e.g. Socket class in http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/sample1/TCP.ad ) or they could be created by any competent C++ programmer very quickly.

I once created an ODBC Wrapper class for C++ in less than a week. You can also easily wrap existing C++ libraries into Sappeur classes very quickly. Of course that could incur security risks in these libraries.

Profiling and debugging can be done using standard C++ toolchains such as gdb, gprof or msvc and all the windows profilers.

As long as you are a skilled C++ developer your Sappeur/C++ code will run on anything from the mainframe down to the Android phone and RPI. I assume it would even work very nicely on S40 phones. There is absolutely no platform-specific C++ code, but the system calls are of course Windwos and POSIX. Add your zOS calls, if you want to run there. No big deal.

Re:Here's A Real Programming Language

I have to add a little correction: Of course there are some basic dependencies on Windows and POSIX API calls such as the pthreads and x86 locking constructs. But adding code to run on other platforms would really be no big deal, as the platform-specific stuff is very, very small. And the Sappeur compiler is just 10k lines of code. Out of that, the platform-dependent stuff is about 100 lines. And "platform" includes "all of Unixoid lumped into the POSIX meta-platform". So you can run on HPUX, Solaris, AIX, cygwin, Linux, BSD on something like 10 different microprocessors. All you need is a recompilation using gcc or the local compiler (xlCr, SUNCC, etc).

Re:Here's A Real Programming Language

Java sucks on all platforms, while proper C++ code rocks on all platforms with only minimal love to port it to a different platform. It usually boils down to "oh, this bug only appears on Windows, let's fix it now".

Of course you need to use Qt, wxwidgets and similar libraries and shun the platform-specific ones such as MFC.

Re:Here's A Real Programming Language

Why port the JVM when there is one already written for most platforms? Oh yea, you were making a false premise.

I write complex Qt apps that need ZERO source porting between platforms.

Good for you... how large is that distribution file? Also with Java you only compile once and have to maintain less (if not a single) distribution file. Using C++ with Qt requires you to maintain a release for every platform you target.

Re:Here's A Real Programming Language

OMG, you need to run the compiler for five minutes every couple of weeks for every target platform. That is a terrible price to pay for compact, efficient, snappy and ergonomic (non-freezing) software.

Better compromise on all that to ease the work of a low-level R&D guy. Makes huge sense. That's why Apple uses Java. Not.

Re:Here's A Real Programming Language

Why port the JVM when there is one already written for most platforms? Oh yea, you were making a false premise.

So the JVM as released in 1995 poofed into existence supporting every platform it does today? Oh right it didn't. It had to be ported to them all after the fact. Gee, no different than a C++ framework.

Good for you... how large is that distribution file?

Non-existent.

Using C++ with Qt requires you to maintain a release for every platform you target.

No, it simply requires setting up automated building using VMs which is trivial these days. If you consider this to be a hard task you're most likely a retard.

Re:Here's A Real Programming Language

Too many morons afraid of any language without a VM... Qt FTW.

cluelessness of slashdot

Of course you need Java (JRE). More so on servers. Of course you don't need Java plugin, which is the only thing that has security issues. Clueless "security researchers" feeding bad info to clueless consumers.

Re:cluelessness of slashdot

Of course you need Java (JRE).

For what exactly? Name a single piece of irreplaceable Java software for the average home user.

Re:cluelessness of slashdot

[SplashMyBandit]

Name any piece of irreplaceable software for any user. Windows? nope, not for Mac users or Linux users. Firefox? not for Chrome users. The only irreplaceable software is based on C, but customers don't need to be aware of that. There are plenty of great Java programs out there that are without peer for users that need them (which doesn't happen to include you). So your argument is bunk - you just made it because you don't like Java - but you are lacking the insight to see that your argument extends to all software technologies (with the exception of C, which is pretty much core to all systems). So get real, eh? Java has plenty of uses - unless all you do all day is consume web content like Facebook and make mindless statements as an AC on Slashdot.

Re:cluelessness of slashdot

There are plenty of great Java programs out there that are without peer for users that need them

Such as...? Notice how I asked for examples not more hand-waving assertions.

Re:cluelessness of slashdot

[cbhacking]

For fun? Minecraft.
For work? Burp suite (there are other HTTP proxies, but none that do as well what I need them to do).
There's also things like Eclipse and NetBeans (developers are people too... even if they are Java developers), of course... Java begets Java, to a certain degree, and there's already so much Java out there that it's pretty much impossible to stop creating more of it anytime in the reasonable future.

Re:cluelessness of slashdot

[drkstr1]

Eclipse is not just for Java developers, you insensitive clod! For example, I use it for c#/.NET, Flash, Python, any kind of web development, etc.

Why does Slashdot glorify hackers?

[GodfatherofSoul]

These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

Re:Why does Slashdot glorify hackers?

[girlintraining]

I suppose because on some level, we identify with the hacker. Our way of life is under constant assault by well-financed interests. The collective geek culture rejects the notion that ideas can be owned. Knowledge is power, and because of that, it should be shared freely and widely. Our culture rejects the limitations of online freedom that everyone wants -- whether it's bloggers in Iran being disappeared for providing updates on what their government is up to, to China's appetite for supressing western influences, to our own government's desire for internet kill switches and pervasive monitoring. All of this gets in the way of free and unfettered access to information, something geeks believe is a cultural heritage and the right to access granted to all human beings. Geeks... are idealists and creatives.

And when we see our creations turned against us, used to corrupt the ideals that gave birth to them, there is a certain artistic desire to destroy it because its beauty has been tarnished. It's something that you can find historical and literary examples of dating back to pre-greek times. So on some level, we identify with the so-called "bad guys", because they're hurting the people who are hurting us.

Sure, morally, ethically, we can recognize that its wrong and destructive. We know that it only emboldens the destroyers and usurpers of our lifestyle to pass even more restrictive edicts and arrest more people, but psychologically it doesn't matter. We ourselves are powerless so when we see others in the same boat doing powerful things against powerful people, it's very enticing to support them no matter their motivations.

Re:Why does Slashdot glorify hackers?

+5, Funny

Re:Why does Slashdot glorify hackers?

These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

Hackers have talent (as opposed to the script kiddies that pay $10000 for easy-use exploit packs). Slashdotters admire talent, even though it might get misused.

I am much more pissed off at the idiots who deploy and distribute software with known security bugs. Bugs the have known for a long while, but doesn't bother with because "almost nobody knows yet". In this case, Oracle knew the bug for months before this so-called "zero-day" exploit. They could have fixed long ago - once you know them, security bugs are easier than, say, performance bugs.

The hackers are useful evil in such cases. They force vendors to implement and deploy bugfixes - or get dropped by the customers. If we didn't have hackers and the script kiddies smashing websites "for fun", there would be a lot more vulnerabilites. Vulnerabilities to be exploited by people with more sinister motives: industrial spies, terrorists, mafia, foreign secret police, ...

WebEx

..is one of the few really good Java apps. But I certainly suggest to disable Java except for these occasions. It is clearly a major security risk, if "on by default".

Ask Mr Gosling

If that guy had been a real engineer as opposed to something else, this thing would have never been this bag of fleas.

But hey, robustness is not hip. Let's deliver 1001 "standard library classes" and give shit about security. Make it complex as hell, because That's Cool !!

Instead they set up all sorts of cool crap-processes such as the "JCP" and pile more poo on their already sizeable craphill. These guys never understood what really matters, namely reliability and quality. I take a reliable, old Pascal compiler any time over a fancy bag of fleas with all sorts of "cool" features. And yes, I did some serious Java time. Now I am back to C++ for work.

Re:Ask Mr Gosling

I work in cellular. For several years I did all of the real-time, call processing work in C. Never had a problem. Since I had no bugs left to fix they moved me on to working on the billing/provisioning stuff. It's all in Java and a complete disaster. Many of the people working on it don't want to do it in Java (opting for something a little less complex) but management insisted on Java.

I don't think a great majority of people who write in Java don't want to. The language and architecture have lots of problems. But people often don't understand that a de facto standard in software doesn't often work well.

Sigh.

Re:Ask Mr Gosling

[DiegoBravo]

C was never used as a platform for web applets. Guess what could happened in that way (hint: 99% of the Microsoft Windows/Office/Adobe/etc viruses.)

Setting browser preferences is enough

In Opera Preferences you can set that any plugins should only start after you explicitly click on the rectangle in which they appear. Chrome by default does prompts the user before running Java applets. Internet Explorer 9 by default enables installed add-ons everywhere, but you can remove the "*" from the list of allowed sites, and after that it prompts before it runs that plugin. I do not find a solution for Firefox yet.

Two Words

Bitcoin, TOR.

There is one sure way to keep your computer safe.

The IT department would like you to no loner turn on your computer to protect you from harmful viruses. We are going to coming around over lunch and install a safety device (by drilling a hole through your CPU / Disk). After the install you will be safe to use your computer as you see fit.

Well

In the world of MBAs they want CHEAP developers. How do they get that ? Use a "simple" language many people are fluent in. That's Java.

What the MBAs will never grasp that "cheap" is only cheap on the short run. On the long run, using Java means buying whopping amounts of hardware and attracting lots of Junior and generally crappy developers. On the long run, investment into expensive C++ developers and their more expensive development efforts pays off nicely. These people know that the "new" operator comes at a price and use it wisely. Just as an example.

Now, I am a C++ guy, so maybe I am not objective on this. I am confident the darwinism of the market will sort this out. Let's see.

A "license" or a "copy/key"?

How can a _license_ for an exploit kit cost anything? A license is a legal term, and I would expect that you can't enforce a license for an exploit kit, neither from the position of the buyer nor of the seller.

It's like saying that the Mafia gives out licenses for blackmail.

Re:A "license" or a "copy/key"?

[cbhacking]

Exploit kits are not illegal. They have legit uses for testing your own security. For example, see Metasploit, which includes a large suite of exploits.

SlashVertisement much

no more please

java is shit

and if you use it you're a little bitch.

There are 2 archetypes of bad Java coders

I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:

1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.

2) The people who "Would rather be coding something else". Often (but not always) a bit older engineers who might not have had any education in Java and any understanding they do have (whether it's from formal education or from them having read half a book a decade ago) is horribly outdated and incomplete. They stubbornly insist that if some of the architectural structures that they learned decades ago for different type of applications and for different environments end up creating a bad Java application, Java is to blame.

The first archetype are useless but harmless: They write bad code but do so very slowly and don't dare to touch anything that looks intimidating which means they generally can't screw anything important up. The second archetype is who I immediately blame whenever I get a "WTF was someone thinking?" moment when looking at some major design decision.

Re:There are 2 archetypes of bad Java coders

Different office, different people. I've see my share of archetype #1 coders who are supremely convinced they are God's gift to programming. One in particular never did understand why Production was a special place that deserved special caution.

As for the archetype #2 folks, I suggest you dismount the Java FanBoi Horse and spent a little time trying to understand their concerns. They actually *may* be idiots, but you won't know for sure until you honestly ponder what they're saying.

Re:There are 2 archetypes of bad Java coders

Which one are you?

Re:There are 2 archetypes of bad Java coders

[greg1104]

The most troublesome Java coders are the ones who see themselves as genius design pattern architects rather than common coders. What drove me away from Java was trying to use libraries with names like AbstractSingletonFactoryBridgeAdapterDecoratorFacadeStrategyObserver. That group has turned using Java from something straightforward you could keep the design of in your head--an underrated benefit of C impacting why C++ never displaced it--into one where you need a tool like Eclipse just to figure out how methods are called.

He needs got

[ThatsNotPudding]

Folks like Paunch need to get got if for no other reason than to remove a justification for governents around the world (China and the US getting closer to the same page everyday) to regulate the Internet and render online anonymity a crime (all in the name of Snowflake Security, of course).

Re:He needs got

Right, because if bad guys stop using the internet then oppressive regimes will magically stop caring about online anonymity or political dissent.

Re:He needs got

People like Paunch are a drop in the ocean and their instant eradication would do nothing to slow the cataclysmically evil people that rise to power from removing "liberty" from the internet. Instead, it behooves those of us who dislike this scenario to work towards other potential outcomes closer to fruition. Some focus on forms of government only recently made possible with the rise of the internet. I favour developing AI that can assume power over us (I guess I'm just tired of being told what I may and may not do by humans).

Re:He needs got

Malicious code isn't the real reason for internet censorship, its to control the flow of information. China isn't afraid of malware it is afraid of its people becoming to well informed.

Nice

,,how you defend the absoultely lazy and ignorant approach of Oracle. Everbody is as crappy as Oracle and M$. The Law Of Bill And Larry, I suppose.

Are you a $hill, by chance ?

Re:Nice

[SplashMyBandit]

Are you a $hill, by chance ?

No such luck, I wish I could get paid for promoting Java. I just use it everyday for development. If find that there is still no alternative to Java that meets *my* requirements (and I understand it meets the needs of many others for lots of reasons, which I won't go into here). That's why I choose to address the anti-Java hysteria.

You Are the Local Government $hill Here ?

This guy is doing everbody a service, because he openly sells exploits. He demonstrates what kind of royal crap Java actually is. Then, there is freedom of speech. There are people who do not believe in the infinite wisdom and power of government.

Does the guy kill, rape or maim ? No he does not. He demonstrates how insanely crappy a certain piece of software is. Something to be defended against government meddling - I am quite positive.

But, I will be nice to you Mr $hill and ask you what would happen if we outlawed his activity: Chinese intelligence would silently use Java to subvert thousands of critical computers worldwide. So would the Russian Mafia do.

This guy ensures people simply deinstall or disable this abomination called Java. Thank God this man exists and does his business !

bigger interests are at play

[SethJohnson]

This Paunch guy needs to watch his ass. There are larger, darker players who were using this exploit for their own purposes. Some of them invested heavily in developing it. By bringing it out into the open like this, Paunch has directly limited their use of this vulnerability. I would not be surprised if this is the last we hear of mr. Paunch. A cleanup team has likely been engaged and is working on tracking him down in the physical world as I type this...

Seth

Muahahaha

The people you refer to use pork-companies such as HBGary. And they do know they need to shut up or the pork will stop flowing.

You should stop viewing cheap men-in-black movies.

Re:Muahahaha

I'm guessing GP meant Russian Mafia types, not three-letter agency types (although there might be a fair number of former KGB in Russian Mafia).

Re:Muahahaha

[greg1104]

In Soviet Russia Java exploits you!

Well

..I think you nailed it. But you could explain your opinion next time to those who never got a proper education. Maybe some of them would understand and change their language.

Bull

what the guy does is expose crappy work which poses a risk. He earns money in the process. 100% the right thing to do.

If the Java crappers have issues with him, they can switch to Perl, FreePascal, Ada, C++ or Sappeur any time. But these people are so shallow they will never consider this option. It would require some effort without instant reward.

Circle Of Crap

So you need Eclipse to debug other pieces of bloated, randomly freezing crap ?

Hint: there are real languages and real IDEs out there to create excellent, efficient and cross-plaform software.

Here is a little list:

Lazarus
Delphi
Code::Blocks
Qt Creator

"Great Minds Think Alike"... apk

"DO YOU READ 'SUTTER CAIN'? (from "the Mouth of Madness") -> http://en.wikipedia.org/wiki/In_the_Mouth_of_Madness

Ah - I see you do! Just a bit of "weird humor" there, per the subject-line above is all... now:

See subject above & this from myself on 1/7/2013 (though I've posted on it many times here before then):

---

http://betanews.com/2012/01/25/the-top-10-web-security-threats-you-should-avoid/

Pertinent quote/excerpt:

"The compromised website is still the most effective attack vector for hackers to install malware on your computer with 47.6 percent of all malware installs occurring in that manner, says security firm AVG. Another 10.6 percent are tricked into downloading exploit code -- many times, without their knowledge -- by clicking on links on pages to sites hosting malware... It also found that faked pharmacy sites are a popular attack method, seen in about 10.4 percent of all attacks. Fake antivirus scanners remain a popular malware injection method at 8.4 percent. "

---

* Fact is, what I noted, in compromised sites, comprises 77% of malware installations - not what users download & install themselves (ala shareware/freeware sites like download.com etc./et al)...

---

Whitelisting COULD help stop that too, per what I stated above, along with other "layered-security"/"defense-in-depth" measures commonly used today already.

Even "walled gardens" do, albeit imo @ least? Not as much due to the above statistics from AVG & imo, lastly, in malscripted sites (only doing what I do in Opera which is in & of itself, a 'whitelisting' approach too, via its "by site preferences" - ONLY allowing scripting, cookies, plugins, frames/iframes, javascript, java, etc. on SOME sites only that REQUIRE THEM FOR FULL FUNCTION - the rest are in global policy, disallowing their usage (lessening the chance of attack))" - by Anonymous Coward on Monday January 07, @12:17PM (#42506533)

---

SO - As I said above & in my subject-line? "Great Minds DO think alike"...

(That is, IF you thought of that yourself, it's very possible you did (or, of course, you saw what I wrote there since it predates your statement)).

It'll work vs. all the things Opera can set "by site" prefs on, including JAVA's browser plugin!

This option built in natively to Opera helps make it "The SUPERIOR WARRIOR" amongst its browser peers with many other things... especially considering what AVG put out this year also quoted above, no less!

(Still - that you should UNLOAD from your system unless you ABSOLUTELY NEED IT, for the time being!).

APK

P.S.=> Either way? You're "spot on" correct...

... apk

underweb

what is this now? 4chan?

Does it run on Linux?

[dgharmon]

Java Zero-Day Vulnerability Rolled Into Exploit Packs?

OpenJDK vulnerable?

[richwales]

Does this security hole affect OpenJDK/IcedTea (6 or 7)? Or is it only an issue with Oracle's code? If OpenJDK/IcedTea is affected, which versions (if any) have been fixed?