User: KrispyKringle

KrispyKringle's activity in the archive.

Stories: 0
Comments: 657

Comments · 657

  1. Re:Questions. on New ssh Exploit in the Wild · · Score: 1
    Erm, if you'd bothered to read the advisory, you'd realize that UsePrivilegeSeparation is no fix. However, both OpenBSD and FreeBSD feel that this could only lead to a server crash, not a remote exploit. Regardless, their track record is NOT still standing. See OpenBSD Errata.

    It should be noted that RedHat does believe this is remotely exploitable, including remote code execution. So Linux boxes are quite possibly far more vulnerable than BSD boxes, but in either case, it's a risk either way. I'm finishing up my fifth and sixth upgrades.

  2. Re:All I can say is WOW. on License to Surf, Take Two · · Score: 2, Interesting

    You sound a bit elitist to me. I'll agree that there may not be a linear relationship between usage and information; certainly some people could be stricken from the net without the rest of us noticing. But everyone having e-mail is pretty useful, too. Then again, I may not be the one to ask. I don't get spam, and I've been largely unaffected by Blaster and Sobig.

  3. Re:Cyrus IMAP for sure.. on Recommendations for the Right IMAP Server? · · Score: 1
    You know, a machine that I now administer was broken into prior to my taking over by some Russian spammer. He exploited some picture gallery software a user had installed and not updated (stupid of us to not use su-exec or chroot Apache, admittedly) and uploaded a Perl-based SMTP server to send millions of porn spams. We have a compiler on that machine for the users, but he didn't even use it. Seems Perl was the weapon of choice.

    Sure, security is multi-layered, but so is usefulness. This attack could have been prevented by removing user access to gcc, Perl, Python, bash, etc., or it could have been prevented by using chroot or su-exec and making sure our users didn't do anything stupid with their webspace. I find the latter to be a bit more in keeping with our general attitude of enhancing security in order to provide more usefulness rather than less.

  4. Re:All I can say is WOW. on License to Surf, Take Two · · Score: 2, Insightful
    TV and telephone aren't very different. In fact, you have a far greater claim to ownership--and legitimate, uncontrolled right to use of--the airwaves than you do the Internet or phone lines. If AT&T wanted to shut off their phone lines, fine (although of course various telecom laws would actually complicate this matter tremendously; these are "artificial" anti-trust measures, not general issues of ownership). Comparatively, the TV airwaves are technically owned by the public and sublet to the license holders in exchange for them performing a number of favors for the civic good, such as showing air-raid warnings and such. You may not agree with this distribution, but the idea really was supposed to be that the airwaves aren't much good without regulation, so we'll make things best for everyone (especially the rich corporations).

    The Internet is really the opposite, though. As more people use it, it becomes more valuable, not less. The airwaves are a means of communicating one-to-many. The Internet is many-to-many. If fewer people were allowed to use it, fewer would find value in it as well. Yes, irresponsible use like viruses, spam, and so forth does make it difficult sometimes. But if this is the only way to prevent them, it sounds like the cure is worse than the disease. A regulated Internet with only certain people being allowed to access it is an Internet neutered of any of its valuable assets.

    And you can say that trojans are solely the fault of the user, but ultimately, they could still be prevented, theoretically, at least, by good programming.

  5. Re:Haystack from MIT on How Do You Organize Your Data? · · Score: 1

    Actually, I just downloaded the newer Haystack release. Runs usably. Much better. More on this later.

  6. Re:Haystack from MIT on How Do You Organize Your Data? · · Score: 2, Informative
    I gave it a shot with a P4 1.3, 384MB machine on WinXP. Just too slow to even use.

    I've been trying to figure out a good solution to this question myself, and I think I'm just going to have to make one I like. It's hard to find something someone else has programmed that suits your own needs for such a personalized usage, in my opinion.

    What I've planned out is something that would have a calendar, address book, to-do list, misc. storage, etc. Problem is, I don't want to have to do all the categorizing myself. So I figured, so long as I enter appointments in a predictable way (e.g. LL1: Date LL2: Time LL3: Place LL4: Comment) I can make the computer work out what kind of information it is. Same with the other types. I can even add simple stuff like URLs I want to remember. Then, I can just enter in a generic text-area any information, and have the machine do the categorization and organizing. Have it recognize dates and give me a timeline for my day, week, month, etc. Have it recognize contacts and store them in my address book. Etc.

    What I think could make this really nice, though, would be something you see a lot of in Wikis (and some neat ideas like infocalypse)--the ability to link elements together with some sort of simple syntax, e.g. [link]. Better yet, have the machine link it.

    The point is that it isn't just the information, but the relationships it makes, that are important. If I have an appointment for a certain job, I might want a list of "relevant links" next to it, such as the contact information of the people involved, any notes I've made in relation to that job, and so forth. I'm not sure how to do this, exactly, by automation (keywords are limited but may work, making me do it by hand defeats the purpose; I'm far too lazy to do anything by hand) but I probably won't actually start coding this for a long time anyway, so I suppose I have time to think. Any suggestions?

  7. Re:What's the point? on IBM's Billy Goat Squashes Worms · · Score: 3, Insightful
    I suppose there are multiple avenues to success. And while educating the end-user may be ideal, I just don't think it's reasonable to expect that it will happen any time soon. Heavy-handed ISPs, as you put it, are a good alternative.

    End-users often don't see why they should secure their PCs. They figure they don't have anything important on them, so what's the big deal? Then they are used as launching points for DoS attacks, they spread worms, and so forth. But end users don't have the time or inclination to be security professionals.

    ISPs could implement stronger router controls to block DoS attacks from zombied machines. They could implement automatic IDS-based router controls to block the spread of worms. And--egads--perhaps software companies could start focusing on security a bit more (with some added incentive from the legal liability they ought to have, in my opinion). In other words, end users should be taken as end users. We cannot expect that all or most will secure their machines to the extent that you or I may. So we find workarounds.

  8. Re:What's the point? on IBM's Billy Goat Squashes Worms · · Score: 4, Interesting
    I'm not sure I follow you on educating the end user. It's definitely a good idea, to be sure, but it does little against worms that require no user interaction to infect the PC, like Blaster. Granted, if the machine were patched, it would help, but not that much. Many users are on slow connections, windowsupdate was unreliable, and the time it takes users to patch--a few hours, a few days--is easily enough time to become infected (I have a friend who connected a new XP machine to the 'Net to run windowsupdate and was infected in minutes).

    On the other hand, security professionals can usually whip up IDS signatures in a pretty short amount of time--Blaster, CodeRed, what-have-you all have pretty easy-to-detect signatures--which could easily be implemented on a system plugged into the routers of ISPs. Detect a worm-infected machine and lock it out. Simple. The same could be done with managed switches at corporate LANs.

    This was actually suggested in a previous story; it's not that big a deal and probably in use various places already. Seems like IBM's only innovation is in detecting a pattern of behaviour rather than just the attack signature itself, in the hope that it will work, without updated signatures, to detect as-yet unknown worms. And even that's not that big a leap.

  9. Re:Disagree on MIT Roofnet · · Score: 1

    Not that ALL NATs were for piracy. Just that your particular, deliberately anonymous, untraceable, not-logging network was for piracy (and other suspicious activity--and it most certainly, unfortunately, would be abused).

  10. Re:Wi Fi will become its own internet. on MIT Roofnet · · Score: 1
    This isn't technological warfare. It's legal. The technology is largely incidental.

    I say this because the RIAA would most likely first sue the providers of the network. Now, I said, they may not have a great legal case. But that doesn't mean they wouldn't try, and who's going to spend the money to find out?

    Freenet is already at this point--in reference to untraceability--although usability is low. The RIAA has largely avoided Freenet because it's not commonly used like Kazaa is. No reason to worry about the small fish. But you don't need Wi-Fi to make anonymous filesharing possible; it just so happens that the popular services which are actually threats to the RIAA aren't anonymous.

  11. Re:So if you run kazaa through something like this on MIT Roofnet · · Score: 1
    Try. If Napster is liable for not taking enough steps to prevent piracy, surely you can be as well?

    I could be wrong, of course. You got the chump change to test them on it in court?

  12. Re:So if you run kazaa through something like this on MIT Roofnet · · Score: 1

    Refuse, and you yourself are liable.

  13. Re:So if you run kazaa through something like this on MIT Roofnet · · Score: 1
    Wi-Fi or not, if it's not connected to the Internet, I don't think you have a lot to worry about. My point was that this issue is real, but has nothing to do with Wi-Fi mesh networks. Your definition of the network that's crucial here is that it be not connected to the Internet.

    And, yes, I know about the students at RIT (or was it RPI?). But that was still a high-profile public network where information was available to the RIAA. Keep it between you and your friends, and you don't have a lot to worry about.

    Oh, yeah, and the RIAA doesn't really care, because your friends don't have enough music that they're really bothered. But how is this different than just sharing on a private LAN or using SneakerNet?

  14. Re:Cute, but is it secure? on MIT Roofnet · · Score: 1
    WEP isn't secure at all, but this is hardly the point. Any sensitive information shouldn't be transmitted on a land-line university LAN either, without serious encryption. SSL for credit cards, SSH for remote login, etc.

    Although, yes, you could do something like a VPN for extra security.

  15. Re:So if you run kazaa through something like this on MIT Roofnet · · Score: 1
    Same way they do when someone logs on to Kazaa from a dynamic IP on a dialup modem. Send a C&D letter to the ISP demanding the identity of the individual with that IP at that time in exchange for safe-haven status.

    Behind a NAT box? Fine. Then they'll just demand the identity of the individual using Kazaa with such-and-such a username at that time. Refuse, and you yourself are liable. That's pretty much how it works for ISPs already.

    This issue was already raised in regards to free public wifi hotspots, and in that case, it's actually much more of a concern. But I suspect that if the admins don't keep logs, the RIAA will just try to hold them responsible instead. Though it may be, legally, a tough sell.

  16. Re:Unclear on the concept on Auerbach on Internet Cruft · · Score: 1

    Even were that clearly so--and I don't think the author would agree with you--wouldn't the Balkanization of the WWW and e-mail be bad enough? Those are likely the two most important parts of the Internet to almost all its users. Surely the effect would still be pretty bad.

  17. Re:Quick note for those who don't read the article on Small Webcasters Sue RIAA · · Score: 2, Insightful
    That's the gist of it, though you shouldn't encourage not-reading the articles.

    The thing I don't understand, though, is why the RIAA necessarily feels it's a good thing to form the webcasting industry into a more professional, tightly-knit one. Wouldn't they benefit from a stronger bargaining position when dealing with small independent webcasters who have little leverage and are a dime a dozen?

    The only thing I can think of immediately is that the RIAA feels those small guys don't bother always to pay royalties anyway, perhaps.

  18. Re:trademark /. pessemism. on Small Webcasters Sue RIAA · · Score: 1
    You're making a lot of baseless assumptions, Thinkit3.

    I want them to win if their case is valid. I dislike the RIAA, but the real problem in this general area of law is stupid court rulings, so I wouldn't wish them to win if they have no case. It is entirely possible--especially if they really did demand free rights to pirate RIAA material--that this is just a stupid stunt. I don't know enough about the case to be able to say.

    The prediction is accurate, I believe, based on what information I have available. They are a ragtag bunch, mostly one-man operations. How much money could they possibly throw at this? The RIAA has deep legal resources and is not afraid of waging legal wars of attrition.

    Do you have some deeper comment? Or do you just not like Slashdot? Hey, it has its moments, I'll agree. But when I get bored with it, I just don't read it.

  19. No Chance on Small Webcasters Sue RIAA · · Score: 5, Insightful

    According to this article, the group is actually closer to 400 members, but I'm inclined to trust CNet. Regardless, most are apparently one-man operations and the like; their chances of winning--let alone having the courts "block the major record labels from enforcing their otherwise legitimate intellectual property rights in sound recordings until the alleged violations are remedied" (according to the above atnewyork article)--are, I'd say, slim to none.

  20. But Why? on Linux vs. Windows: Choice vs. Usability · · Score: 1
    It's pretty often that I see an article about what changes need to be made in Linux for it to take hold among mainstream desktop usage. But I really have to wonder sometimes why I should really care.

    I don't recommend to my friends and family to use Linux if they don't have some good reason to. It doesn't suit their needs. And I really don't care how much market share Linux has among desktops. It wasn't made as a desktop, and for the ordinary user, no, it isn't a very good one. But why is this a problem?

    For me, the lack of choices would be a bad thing. RedHat's Bluecurve is annoying--what happened to being able to choose 6 different window managers on startup? I can certainly understand why RedHat made that decision, and for their profits, it may have been a good one. But RedHat's goals are not my goals; I don't make a buck--or even derive some sort of vague emotional satisfaction--from other people using Linux. So why should I sacrifice my choice in window managers just to make Linux on the desktop a possibility, when I have little or nothing to gain from Linux on the desktop?

    I'm not trolling. I simply think that this is a bit of a silly focus, when Linux's greatest strength--and greatest chance of success commercially--is as a server and high-end development workstation.

  21. Re:Reply: Maybe Stat-Lie ...? on Is Linux as Secure as We'd Like to Think? · · Score: 1
    I know a small amount about statistics, but I'm not familiar with that terminology.

    Regardless, I don't think the explanation is anywhere near as simple as there being more Apache websites on the Internet (there aren't more Linux/Apache sites, but there are more Apache, I believe). After all, the number of factors in getting defaced is pretty high. Linux boxes may be numerically more common, but not as common on high-profile machines likely to be hacked. Or the average experience of the admins may differ, as we discussed above. Or Windows machines may be targeted for social or political reasons, as described above (or the opposite; isn't it more fun to brag of hacking an OpenBSD box than some luser's home PC running IIS?). You get the idea.

    So I don't think real-world statistics can be accurately interpreted to give any relevant data. We could probably get closer, of course, with stats on things like the number of security vulnerabilities discovered in a month, mean time between disclosure and bugfix, etc. Because when you evaluate a product for security, you don't want to be learning stats about the average experience of the admins who use it. You want to know the actual facts on the product itself, since the experience of the admin is, presumably, not something that changes in relation to which server you buy--this is assuming, of course, that you are the admin (and you should of course choose that with which you are most familiar).

    I suppose controlled tests with admins of the same experience and attackers of the same experience could be valuable, but what metric do you use for the experience levels on IIS/Windows and Apache/Linux?

    Anyway, you get the picture. I think, unfortunately, that there is little way to get any accurate results from these statistics, and your best bet is just to do a lot of reading, a lot of research, and make decisions based on your own particular situation.

  22. Re:Psychology plays a role on Is Linux as Secure as We'd Like to Think? · · Score: 5, Informative
    You make a good point; one of the explanations I've seen for statistics similar to those the article posting cites (61% of defaced machines being Linux) is that when an amateur wants to set up a personal website on his cable modem, he doesn't usually install IIS. He installs Linux and Apache. When he wants a really basic comment board or CMS, he uses PHP-Nuke. For his e-mail server, he uses Sendmail.

    Yes, I've run into hobbyists running IIS for fun--by which I mean I discovered his CodeRed-infected box on my network--but the cost of a Windows Server license is prohibitive of amateur use, even if plenty of people just pirate it. So in the end, the inexperienced users with no time to spend securing their boxes turn to RedHat with Apache and Sendmail. Which isn't necessarily a bad thing. If I had to choose between Linux or Windows for which to leave alone without regular maintenance, the choice is pretty clear.

  23. Re:1.3.1?? on Native Java JDK 1.3.1 Support For FreeBSD · · Score: 1
    As the previous reply pointed out, Java has worked fine on FreeBSD for some time. This is no real change for anyone other than lawyers.

    In regards to your comment about the "older version of the JVM", I'd be curious which classes are an issue for you. I'm sure there are some; I've occasionally run into issues with stuff I wrote in 1.4 not working on 1.3, but for the most part, it's not a big deal. Although you really can simply compile 1.4 yourself if you care.

  24. Re:bout damn time on Native Java JDK 1.3.1 Support For FreeBSD · · Score: 3, Informative

    Apparently the whole point is merely that Sun is now offering a license for the FreeBSD binary, which allows the FreeBSD team to distribute a binary pkg. There are a number of jdks available in the ports collection for you to build yourself; I have no intention of changing the setup on my FreeBSD machine, since the sdk I compiled myself works fine.

  25. Re:Not a stupid question. on Native Java JDK 1.3.1 Support For FreeBSD · · Score: 2, Interesting
    Getting Java itself to run on FreeBSD was no problem for me. Getting Tomcat to work was pretty difficult, but as far as I can tell, this is largely due to Tomcat, not FreeBSD (as in, the same problems exist, to a greater or lesser extent, on Linux).

    Tomcat itself works fine, actually, but mod_jserv or mod_jk are a bit of an issue for me; jserv is no longer maintained and is outdated, while jk apparently doesn't play well with Apache 1.3. Like I said, this is apparently more of an issue with Tomcat than with FreeBSD. Though I did manage to get mod_jk and Tomcat working in a matter of minutes on Debian, this speaks more of the beauty of apt-get than the ease of mod_jk or Tomcat installation.