OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com)

← Back to Stories (view on slashdot.org)

OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com)

Posted by EditorDavid on Sunday August 27, 2017 @04:38PM from the beyond-the-bylaws dept.

An anonymous reader quotes InfoWorld: To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.

Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.

79 comments

Min score:

Reason:

Sort:

!!! WARNING: Game of Thrones Spoiler !!! by Anonymous Coward · 2017-08-27 16:45 · Score: -1

The King Sword and dragon series ends and then some music
1. Re:!!! WARNING: Game of Thrones Spoiler !!! by Anonymous Coward · 2017-08-27 23:07 · Score: 0
  
  a wizard did it. and it was all just a dream.
My penis will choose the leaders. by Anonymous Coward · 2017-08-27 16:45 · Score: -1

Penis! Make your decision and give the winner his spoils!
1. Re: My penis will choose the leaders. by Anonymous Coward · 2017-08-27 16:47 · Score: -1
  
  I guess that's fair, but they must take it all in. Kinda like the Sword in the Stone.
2. Re: My penis will choose the leaders. by Anonymous Coward · 2017-08-28 01:08 · Score: 0
  
  Taking a quarter inch doesn't seem that bad.
Not helping at all by Anonymous Coward · 2017-08-27 16:50 · Score: 0

You know, "open" is right there in the name. OpenJDK.
1. Re:Not helping at all by slickwillie · 2017-08-28 05:54 · Score: 1
  
  They had to close the JDK in order to keep it open. You know, like "We had to destroy the village in order to save it".
The NDA by Billly+Gates · 2017-08-27 17:07 · Score: -1

All your code belongs to US open room implementation or not just like how they screwed Google and Apache.
No thank you and why should we help them with their own incompetence. Java is dead. Let it live in legacy in a dusty MDF somewhere with it's elderly uncle COBOL.

--
http://saveie6.com/
1. Re:The NDA by Frosty+Piss · 2017-08-27 17:11 · Score: 4, Insightful
  
  Java is dead. Let it live in legacy in a dusty MDF somewhere with it's elderly uncle COBOL.
  Is Java "dead"? I'm no expert, but I thought huge giant swaths of "enterprise" code was written in Java? Shit like that doesn't just vanish, it get's maintained and added on to forever - like COBOL code... But also, while it's trendy for all the hip kids to say such things, COBOL is far from dead.
  
  --
  If you want news from today, you have to come back tomorrow.
2. Re:The NDA by Anonymous Coward · 2017-08-27 17:22 · Score: -1, Flamebait
  
  Java. Security.
  One of these two words is a joke, together they are a comedy. I tried to stem the Java tide arriving from the Java Mills (aka Colleges and Universities) in the early 00's. "No", said the boss, "YOU should learn Java. It is the future."
3. Re:The NDA by Anonymous Coward · 2017-08-27 17:41 · Score: 0
  
  java is everywhere. hardy useful for mere mortals in the browser, but so much stand-alone software requires it (the runtime, not the browser plugin). not just 'enterprise' stuff either.
  it is the internet explorer of this decade. a problem child that simply refuses to go away.
4. Re:The NDA by Anonymous Coward · 2017-08-27 17:54 · Score: 0
  
  It's hard to take Java security seriously as long as the Java installer tries to push malware.
  I've tried to figure out if it actually is legal for them to do that, but so far I haven't really found any good analysis of the case.
5. Re:The NDA by Plus1Entropy · 2017-08-27 18:32 · Score: 4, Informative
  
  If you're using the Android SDK you are writing in Java.
  Even if that was the sole remaining use-case it would be far from dead.
  
  --
  Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
6. Re:The NDA by Anonymous Coward · 2017-08-27 19:13 · Score: 2, Interesting
  
  I'm going to set BOTH of you straight:
  COBOL JOBS: 1,501
  https://www.indeed.com/jobs?q=cobol&l=
  JAVA JOBS: 63,769
  https://www.indeed.com/jobs?q=java&l=
  THIS should give you a general idea of the current market for the language
  enter your city to narrow down
7. Re:The NDA by Anonymous Coward · 2017-08-27 19:21 · Score: 0
  
  How many are fake jobs?
8. Re:The NDA by Anonymous Coward · 2017-08-27 19:35 · Score: 0
  
  Malware? Not seen that with Java at all and I deal with dozens of different Java servlets. Oh, wait, you must be using Windows.
9. Re:The NDA by Anonymous Coward · 2017-08-27 19:36 · Score: 2, Interesting
  
  Sorry, what exactly is the security issue with Java? Aside from the shitty browser plugin, but that bit's as good as gone these days anyway.
10. Re:The NDA by Z00L00K · 2017-08-27 19:56 · Score: 1
  
  I agree here - plugins are in general a security hole waiting to happen. JavaScript is bad enough from a browser security perspective.
  On the server side it's more a question of if some service can break out of the JVM or do other inappropriate things on the server.
  But even then I can understand the need for a "secret" security team. It's good to keep the cards close until you know what the impact your problem has and a fix is dispatched.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
11. Re:The NDA by Z00L00K · 2017-08-27 20:00 · Score: 1
  
  It's bugging me a bit when they open the web browser to a page of their choice at every install.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
12. Re:The NDA by Billly+Gates · 2017-08-27 20:27 · Score: 1, Insightful
  
  Name one big new project that is popular made in the past 3 years based on Java?
  
  --
  http://saveie6.com/
13. Re:The NDA by Billly+Gates · 2017-08-27 20:28 · Score: 1
  
  It's hard to take Java security seriously as long as the Java installer tries to push malware.
  I've tried to figure out if it actually is legal for them to do that, but so far I haven't really found any good analysis of the case.
  That is Oracle for ya. They are too cheap to pay for the bandwidth. So eyecandy spyware is included to cover the costs since Larry doesn't make enough money.
  
  --
  http://saveie6.com/
14. Re:The NDA by Anonymous Coward · 2017-08-27 20:30 · Score: 0
  
  I agree here - plugins are in general a security hole waiting to happen. JavaScript is bad enough from a browser security perspective.
  On the server side it's more a question of if some service can break out of the JVM or do other inappropriate things on the server.
  But even then I can understand the need for a "secret" security team. It's good to keep the cards close until you know what the impact your problem has and a fix is dispatched.
  Yeah, it's good for an organization to save face after writing insecure code.
  It's not so good for users. I want to know what the black-hats know so I can perform my own threat assessment, mitigation, and eventual patching. I don't want to be left in the dark while zero-days float around. I don't use OpenJDK but if I did, I would be looking for alternatives right now.
15. Re:The NDA by Billly+Gates · 2017-08-27 20:37 · Score: 0
  
  If you're using the Android SDK you are writing in Java.
  Even if that was the sole remaining use-case it would be far from dead.
  No you are not. Oracle lies which is why they killed opensource and clean room implementations by judicial activism. Google uses Dalvik which does not contain a single line of code written by Oracle that they somehow stole and now own thanks to their lawyers.
  Dalvik is a clean room implementation and does not even use a traditional JVM and would still be around if Oracle didn't threaten to sue Apache out of existence. Another reason not to consider Java as it is immoral to support Oracle.
  
  --
  http://saveie6.com/
16. Re:The NDA by Anonymous Coward · 2017-08-27 21:05 · Score: 1
  
  Minecraft
17. Re:The NDA by angel'o'sphere · 2017-08-27 21:09 · Score: 2
  
  Dalvik is a bytecode specification and a VM, not a language.
  Of course you program in Java, the language, when you code for the Dalvik VM.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
18. Re:The NDA by angel'o'sphere · 2017-08-27 21:11 · Score: 1
  
  I write a bit nee Java code nearly every day ;)
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
19. Re:The NDA by Anonymous Coward · 2017-08-27 23:37 · Score: 3, Insightful
  
  Java is dead? Not likely. It is the most popular programming language in the world by a large margin.
  http://pypl.github.io/PYPL.html
  Been in software development for 15 years and there is always some fool saying "java is dead"
20. Re:The NDA by Anonymous Coward · 2017-08-27 23:38 · Score: -1
  
  9-11 was a Jew job
  ae911truth dot org
21. Re:The NDA by Anonymous Coward · 2017-08-28 02:28 · Score: -1
  
  It's good to keep the cards close until you know what the impact your problem has and a fix is dispatched.
  Oh really?
  So if Ford were to keep their cards close that their brakes could fail in spectacular ways, you'd feel safe driving a Ford?
  Why is it that when it's computers, it's good to not inform your customers that they are at risk, often for half a year, and in many cases until the problem filters down from black hats to script kiddies and even the antivirus community starts taking notice?
  Any software by companies that have this "keep it secret from the potential victims" mentality is banned on my systems. I could add Java to the list if not for the fact that Java has been banned for lousy security since 2004 or so.
22. Re:The NDA by Anonymous Coward · 2017-08-28 03:17 · Score: 0
  
  It's still Java. It just doesn't use Oracle's JVM.
23. Re:The NDA by Anonymous Coward · 2017-08-28 03:40 · Score: 1
  
  I work for SAP and our cloud based software is written in Java. This includes the Concur, Ariba, and SuccessFactors business units. We have started many projects written in Java within the past 3 years and the language is so centric to our business that we we created our own JVM.
24. Re:The NDA by JohnFen · 2017-08-28 03:48 · Score: 1
  
  If you're using the Android SDK you are writing in Java.
  Or in C#. Or, if you don't care about platform independence, even C or C++.
25. Re:The NDA by Anonymous Coward · 2017-08-28 04:03 · Score: 0
  
  While I don't disagree that Java is likely the most widely used language, I'm not sure that link is reliable. In my experience while Python is hyped it isn't widely used for software development. Similarly PHP's entire popularity is probably WordPress.
26. Re:The NDA by Anonymous Coward · 2017-08-28 04:41 · Score: 0
  
  Devs can use Kotlin if Java is to be avoided -- Android Studio officially supports it.
  Personally I'm hoping Google ends up making a project Fuschia/Magenta based smartphone so VM languages can be ditched completely and we can go back to native development. (One can dream).
27. Re: The NDA by Anonymous Coward · 2017-08-28 04:53 · Score: 0
  
  Sluggish RAM eaters which Take 10 minutes to start Up, i assume.
  My condolences.
28. Re:The NDA by Anonymous Coward · 2017-08-28 04:53 · Score: 0
  
  that's VM, he means android sdk needs jdk. It won't run otherwise. As for me, I can't get it work on openjdk tho, I always need to install oracle jdk. I use mac and linux.
29. Re: The NDA by Anonymous Coward · 2017-08-28 04:55 · Score: 0
  
  Larry the greasy Tycoon wants to Control the Java SPIN. Thats all.
  Pros use Rust or Swift.
30. Re:The NDA by phantomfive · 2017-08-28 05:06 · Score: 1
  
  It doesn't matter too much for this point though, almost any way you measure it, Java comes out on the top of the language popularity lists.
  
  --
  "First they came for the slanderers and i said nothing."
31. Re:The NDA by Anonymous Coward · 2017-08-28 06:52 · Score: 0
  
  I suspect that most of them are real jobs but that they don't require Java.
  Java is the IP65 of programming languages. People who doesn't know what they need specify it instead of asking an expert what would be good for their particular case.
  Unfortunately that also means that Java ends up in some cases where it don't belong.
32. Re:The NDA by farble1670 · 2017-08-28 07:57 · Score: 1
  
  Name one big new project that is popular made in the past 3 years based on Java?
  About 70% of the software at my company?
  Surely though you have a good point. We'd have been better off using on WhizBang!JS for this quarter's new projects. So what if it'll be unsupported in a year and we have to re-write everything. Job security eh?
  Also, don't let numbers get in the way either:
  http://www.codingdojo.com/blog...
33. Re:The NDA by Plus1Entropy · 2017-08-28 10:36 · Score: 1
  
  Then you are not using the Android SDK. You are using the NDK, a game engine, or some other development environment.
  
  --
  Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
I smell something strangely familiar... by Frosty+Piss · 2017-08-27 17:07 · Score: 4, Insightful

The vulnerability group and Oracle's internal security teams would work together
Two things: I thought Oracle wanted to cut Java free? No? And really, when has Oracle been willing to work with anyone outside Oracle on Java?
I mean, it could be true...

--
If you want news from today, you have to come back tomorrow.
1. Re:I smell something strangely familiar... by Gravis+Zero · 2017-08-27 17:31 · Score: 4, Interesting
  
  I thought Oracle wanted to cut Java free? No?
  Oracle wanted to burden someone else with maintaining Java EE, an extended version of Java. This would allow them to do the lesser job of extending Java SE if they so choose and free them from having to bother with security (Who knew security was so complicated? Nobody knew!). Since Java EE is a superset of Java SE, the Java EE maintainers would have clean up the messes Oracle makes when they add features.
  
  --
  Anons need not reply. Questions end with a question mark.
2. Re: I smell something strangely familiar... by KGIII · 2017-08-27 17:33 · Score: 4, Insightful
  
  I'm usually fairly mild mannered, but fuck Oracle. I trust those fuckers about as far as I can throw a fucking yacht. They came in to provide a database, consultants and all. The fucking fuckers were there for more than six months and never actually got it all working. So, I kicked them out. Shortly after, they had us in court and wanted a seven figure sum. It cost nearly that much just to defend ourselves and I have no idea how much was lost in productivity and due to morale. Fuck Oracle, fuck them right in the face.
  I feel better now.
  
  --
  "So long and thanks for all the fish."
3. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-27 18:14 · Score: -1
  
  You sound like the worst manager ever. The guy posting about his penis is smarter than you.
4. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-27 18:47 · Score: 0
  
  You sound like a stupid kid whining about the bad man who used the f-word.
5. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-27 19:02 · Score: 0
  
  You sound like a Neo-Nazi.
6. Re: I smell something strangely familiar... by KGIII · 2017-08-27 19:05 · Score: 3, Funny
  
  They probably are smarter than I am. I'm dumb enough to respond to you.
  
  --
  "So long and thanks for all the fish."
7. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-27 19:25 · Score: 0
  
  Mein Hitler!
8. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-27 19:33 · Score: 0
  
  Oddly enough, that sounds like how Oracle (the America's cup yacht team) work as well.
  (Yes, it's the same Oracle - funded by Ellison)
9. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-27 21:07 · Score: 0
  
  They probably are smarter than I am. I'm dumb enough to respond to you.
  Heh. You see, Slashdot mods, this is what a "+5 Funny" post looks like.
  It looks like that. Not like another damned repetition of another stupid meme that comforts you because you knew it was coming and now you feel like part of a subculture. That whole process is sad and lonely, not "+5 Funny". Yes, I once saw that movie too, only I've gotten over it now.
10. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-27 22:31 · Score: 0
  
  Fucks sake, this is gamergirl all over again.
11. Re:I smell something strangely familiar... by Anonymous Coward · 2017-08-27 22:50 · Score: -1
  
  Oracle has a long history of crap security in their products (search "oracle security sucks"). When they took over Java I knew that could not be good.
  Not that Java had a history of being secure before. Java has always been shit. Google has spent ungodly amounts of money to try to fix it because they went all-in on Android which is probably one of the biggest mistakes they have ever made.
12. Re: I smell something strangely familiar... by StormReaver · 2017-08-28 00:01 · Score: 1
  
  We had Oracle throw every incentive they had at us, but we kindly showed them the door and switched to PostgreSQL. It was an awesome day.
13. Re: I smell something strangely familiar... by Anonymous Coward · 2017-08-28 02:10 · Score: 1
  
  "When dealing with oracles, sign only fixed contracts." -- Ancient Greek proverb
14. Re: I smell something strangely familiar... by KGIII · 2017-08-28 06:41 · Score: 1
  
  Yeah... In their defense (as I'm loathe to post it), it wasn't a trivial setup. We were doing "distributed computing" before it really had that name. The DB was supposed to span multiple CPUs, stacks of RAM, and disks. It was a failure BUT the fuckers said they could do it. They requested, and received, extensions. They sent in new and more people. They failed. I kicked them out. Then, they sued us. (I was the owner.)
  
  --
  "So long and thanks for all the fish."
Time limit by bugs2squash · 2017-08-27 18:03 · Score: 1

If this group doesn't fix the vulnerability within a few weeks then the vulnerability details should be published more widely to let what remains of the community address them and to allow users to adopt security measures of their own.

--
Nullius in verba
1. Re:Time limit by Anonymous Coward · 2017-08-27 19:23 · Score: 1
  
  Give the OpenBSD folk a fat donation in return for auditing their codebase - or several other competent orgs..
  The payback is if they like what they see - they have first dibs at other products in their closet needing remediation.
  People with security reputations need no agreements - people who know who is who. Management saying security is important - indicates their brains have just ticked over.
2. Re:Time limit by Alain+Williams · 2017-08-27 21:27 · Score: 1
  
  The same should apply to minutes/email-list/... of the private forum. Being private the initial report and then while a fix/... is devised is reasonable but there must be a guarantee that it will, eventually, be published. How long is much harder to define: well defined bug -> fix -- a few weeks; something deeper & more fundamental -- it could take longer.
3. Re:Time limit by drinkypoo · 2017-08-28 00:18 · Score: 0
  
  Java should be permitted to die the death it deserves within a few weeks.
  Anyone who uses Java for a new project while it is still controlled by Oracle is an enemy of all that makes fucking sense.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re: Time limit by Anonymous Coward · 2017-08-28 05:03 · Score: 0
  
  Larry wants to Control all the Bad news, this is NOT About Security at all
How will they get around... by Anonymous Coward · 2017-08-27 18:04 · Score: 0

This swing/awt application that hypothetically exists that could hypothetically run in javascript via gwt without any visual elements and silently listen to every keypress?
Java is flawed from the ground up, because of a million small but insane design decisions made in the name of getting things to market quicker or helping users understand.
1. Re:How will they get around... by Anonymous Coward · 2017-08-28 00:55 · Score: 0
  
  You sound like the type of person who'd be shocked to find out their phone has their email password. Software running on my PC can capture key presses *gasp*!
Fuck Java by Anonymous Coward · 2017-08-27 18:43 · Score: -1

mod Insightful
Please check my Website :- http://www.divit.co.in/ by SexyDivitModel · 2017-08-27 19:51 · Score: -1

Hello Your site is very good! I like it!!. It is very helpful site. Thank you so much Please check my Website :- http://www.divit.co.in/goa-ind... https://slashdot.org/submissio...
So the name of the group will be...? by hlavac · 2017-08-27 20:13 · Score: 3, Funny

New Secret Advisory? Non-public Security Abatement? Never Seen Accomplishments?
1. Re:So the name of the group will be...? by Anonymous Coward · 2017-08-27 21:25 · Score: 0
  
  Knowing Oracle, it's probably Four Secret Bughunters.
Trusted members, yet NDA? by Anonymous Coward · 2017-08-27 20:20 · Score: 0

Either you only include trusted people, then what do you need the NDA for?
Or you expect it will include people not trustworthy, then maybe you shouldn't do it.
Excluding the bad guys from getting access to security issues, sure.
But I can't see NDAs do any good. At best, they cause legal concerns for those who want to be involved, at worst, it will be a way to force people to keep major undisclosed security issues that nobody feels like fixing secret and unfixed "forever".
A.S.M.C.! by Anonymous Coward · 2017-08-27 20:35 · Score: 0

It's bugging me a bit when they open the web browser to a page of their choice at every install.
Odd, my package manager (Gentoo's Portage) doesn't do that ever, no matter how many times I install a JDK.
Another satisfied Microsoft customer??
1. Re: A.S.M.C.! by that+this+is+not+und · 2017-08-28 00:05 · Score: 1
  
  On Windows, the installer tips it's hand.
2. Re:A.S.M.C.! by Anonymous Coward · 2017-08-28 01:40 · Score: 1
  
  Even on Windows, the JDK installer never installed that yahoo/Ask crap or whatever it was/is.
  Only the JRE installer snuck it in there if you weren't watching carefully.
3. Re: A.S.M.C.! by Anonymous Coward · 2017-08-28 04:59 · Score: 0
  
  So your agree Java is bundled with the greasy Business practices of Larry e.
  In the late 90s you could Crash Oracle listener by means of telnetting and a bunch of random keypresses.
  Oracle is full of shitty Security and shady Business practices.
biTch by Anonymous Coward · 2017-08-27 22:04 · Score: -1

SSe. The number Lite is straini8g and its long term On baby...don't too much formality our cause. Gay Usenet posts.
Well, technically... by Anonymous Coward · 2017-08-27 23:48 · Score: 0

... Minecraft is older than 3 years.
Re:Please check my Website :- http://www.divit.co. by Anonymous Coward · 2017-08-28 01:12 · Score: -1

Me chinese. Me play joke. Me go peepee in your coke.
Benjamin Franklin by hduff · 2017-08-28 02:56 · Score: 1

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin

--
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Disable Browser Integration by Anonymous Coward · 2017-08-28 03:18 · Score: 0

Avoid 60% of Java's security issues by disabling it in the browser.
What a load of crap by JohnFen · 2017-08-28 03:46 · Score: 1

Never trust anyone who says "trust me".
1. Re:What a load of crap by boudie2 · 2017-08-28 05:59 · Score: 1
  
  Never trust any guy with a pony tail unless it's Willie Nelson.