
Why You Can't Dump Java (Even Though You Want To)

Soulskill posted more than 2 years ago | from the i-think-the-EPA-frowns-on-that dept.


snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"


402 comments


Dump Java! (-1)

Anonymous Coward | more than 2 years ago | (#39936207)

Acquire Gamemaker!

Accountability (5, Insightful)

amginenigma (1495491) | more than 2 years ago | (#39936213)

Good luck with that, we humans have entire criminal justice systems which are supposed to bring accountability... pretty sure you know where I'm going with this one.

Re:Accountability (-1, Offtopic)

GMBootyFuck (2634797) | more than 2 years ago | (#39936249)

Wow! What do we have here?
A worthless, pathetic Gamemakerless supremacy!
You're exerting such dangerously high magnitudes of Gamemakerlessness that I noticed you immediately!

Return, return, return, return... return your pathetic self to Gamemakerdooooooom!

Gamemaker makes your dreams come true,
Gamemaker's the best,
Nothing's superior to Gamemaker,
Why are you cowering? Switch to Gamemaker today!

Re:Accountability (1)

amginenigma (1495491) | more than 2 years ago | (#39936359)

The confusion sets in...

Re:Accountability (4, Insightful)

icebike (68054) | more than 2 years ago | (#39936795)

Good luck with that, we humans have entire criminal justice systems which are supposed to bring accountability... pretty sure you know where I'm going with this one.

The criminal justice system, and the police are scaled just big enough to keep people from murdering each other and running off with other people's property on any grand scale. It was never intended that this level of policing should be 100% fool proof. Even in those countries where there is totalitarian control, petty crime is rampant and tolerated simply because you can't lock up everybody.

I doubt you or the author of TFA would want to live in a society so tightly monitored that it was impossible to commit ID theft or internet crime (he seems to equate the two).

There was an opportunity, and actually some proposals for a non anonymous internet once upon a time. Also for absolutely verifiable Email senders. That path wasn't chosen, and would likely have been impossible anyway, with the side effect of turning a lot of petty internet activity into internet crimes, merely because you posted without a license, or made a name up.

less risk? (3, Interesting)

Anonymous Coward | more than 2 years ago | (#39936225)

but we can still remove java and have less risk right ?

Re:less risk? (5, Insightful)

Tough Love (215404) | more than 2 years ago | (#39936765)

but we can still remove java and have less risk right ?

Indeed. I will have to disagree with "security advisor Roger Grimes" and point out that complexity breeds bugs; bugs breed security holes; Java's JIT and supporting libraries are just way too complex for their own good. This problem is made way more severe by Java's closed development model.

Java can be made secure, just not any time soon, not until Oracle gets a clue and opens up the development process.

Re:less risk? (4, Informative)

errandum (2014454) | more than 2 years ago | (#39936827)

You can also not use windows and opt for linux. But is it worth it? For some, yes, I'd say that for most people it isn't.

Java runs some cool software that most have no idea it actually is Java (it can copy the look and feel of your OS). The only way to mostly fix java is to have chrome like updates. Silent, forced on you but safe.

Can't stop crims, can fix holes (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39936241)

He may be right, but he's also totally unrealistic. Nothing you ever do will stop the "underlying problem". But we can fix security holes, and pressure companies to release more secure code.

No point hoping for what is "right", or "best". Aim for something realistic instead.

Re:Can't stop crims, can fix holes (4, Insightful)

jhoegl (638955) | more than 2 years ago | (#39936583)

seems more like he is building a case for rules to govern the internet, justifying "big brother" tactics, and random stealing of servers from server racks by the FBI.

Re:Can't stop crims, can fix holes (4, Interesting)

ChunderDownunder (709234) | more than 2 years ago | (#39936609)

'We' can't do anything to fix security holes in "Java", unfortunately.

Only core virtual machine and class libraries have been released under the GPL + Classpath Exception. The installer, auto updater, javafx, java web start, browser plugin are proprietary Oracle.

OpenJDK might be free but Java (TM) isn't. My bet, [citation needed], is that many of these Java security holes occur in unreleased code.

Re:Can't stop crims, can fix holes (5, Insightful)

icebike (68054) | more than 2 years ago | (#39936905)

You are right of course.

Further, Grimes falls headlong into the punch-bowl of the "It's popular, therefore, it's attacked" Koolaid that Microsoft has been serving up for years now. With a few thousand more eyes on that source code it's quite possible it could be much more secure than it is now, especially since Grimes himself points out it was originally designed with security in mind. But as long as vendors and bloggers can claim that popular platforms fall to attack simply because they are popular, we will never see much pressure for improvement.

Some popular things, like Gold Ingots, are just harder to steal because Fort Knox has better security. Even with a map, a tour, and three corrupt ex-guards on your payroll you aren't going to succeed.

The idea that we will ship code, vetted by nobody in particular, for execution on some remote machine, and then expect a software sandbox to contain that code successfully, forever, with zero maintenance is just begging for trouble. To do so without publicly vetting the platform in all of its details is foolish.

The other problem (4, Insightful)

MrEricSir (398214) | more than 2 years ago | (#39936247)

Security is one problem -- the other being that you'll get sued for using it. Just ask Microsoft and Google.

Re:The other problem (-1, Troll)

GMBootyFuck (2634797) | more than 2 years ago | (#39936271)

What do you have against Gamemaker? Why are you such a little coward!? Why are you cowering in fear of life itself!?

You're scared. You know that you're a pathetic loser. You know this. You agree 100%.

But I have a fix. A perfect fix. You need to return to fuckin' Gamemakerdom right this minuteness!

Without a single problem, return to Gamemakerdom today!

Re:The other problem (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#39936319)

I don't think you realize this, but hosts files can prevent some Gamemaker-related security holes. Let me go get three thousand links to other slashdot posts where people talk about hosts files. Why don't you challenge me openly instead of running away, spaghetti everywhere, etc. etc. -APK

Re:The other problem (-1)

Anonymous Coward | more than 2 years ago | (#39936353)

How comical! How comical!

Hosts files are nothing compared to Gamemaker. Absolutely nothing. Hosts files cower in fear of Gamemaker's true ferocity.

Gamemaker can do anything. Gamemaker makes your dreams come true. There is nothing that cannot be done in Gamemaker.

Gamemaker, Gamemaker, Gamemaker, Gamemaker, Gamemaker, Gamemaker, Gamemaker, Gamemaker, Gamemaker!

Re:The other problem (3, Funny)

Dr Herbert West (1357769) | more than 2 years ago | (#39936685)

These posts bear a startling similarity to some of the work of the late, great Michael Kristopeit [slashdot.org] , whose shadow you would probably cower under.

You're completely pathetic.

That was fun, let's do it again sometime.

Re:The other problem (-1)

Anonymous Coward | more than 2 years ago | (#39936865)

Then why did you pick the banana peel of damaging nights?

Therefore, all of your arguments are 100% invalid and you need to fuckin' switch to Gamemaker right this minuteness.

Some things to consider:
1) Gamemaker can do anything.
2) Gamemaker is the next level of programming.
3) Gamemaker will bring joy to your life.
4) You're a mere depressed husk until you try Gamemaker.

How comical! How comical! You're nothin'.

Return to Gamemakerdom today!

Re:The other problem (3, Informative)

Anonymous Coward | more than 2 years ago | (#39936307)

Nobody got sued for using Java. Microsoft got sued because they called something that wasn't Java Java. Google got sued because they used the elements of Java, but not Java itself.

Re:The other problem (3, Informative)

binarylarry (1338699) | more than 2 years ago | (#39936529)

Google got sued because they made a lot of money selling a Java platform to consumers.

Which Oracle/Sun failed horribly for years at doing. (Java ME anyone?)

Fuck Oracle!

Re:The other problem (0)

Anonymous Coward | more than 2 years ago | (#39936665)

Android is not a Java platform, dumbass. There is no JVM.

Re:The other problem (0)

binarylarry (1338699) | more than 2 years ago | (#39936797)

There is a vm though, you dumb fuck.

And everything about Android is centered around Java: the language, the tooling, the libraries, etc.

Re:The other problem (1)

marcosdumay (620877) | more than 2 years ago | (#39936675)

To be fair, Google also didn't get much money selling it. They got nearly all the money from searches.

On nearly all cases, Android is free. The only exceptions are when it comes bundled with a Google product.

This is a stupid article (4, Insightful)

rgbrenner (317308) | more than 2 years ago | (#39936269)

Java isn't insecure, criminals just aren't being punished.

That applies to EVERY piece of software. Why should Java get a free pass?

Re:This is a stupid article (1)

mark-t (151149) | more than 2 years ago | (#39936343)

Why not? Or rather, why pick on Java when every other piece of software has its own problems? The primary problem isn't the software... it never has been. The major attack vector for such malware has always been users who are not practicing diligence in being informed about what packages their computer is really running, when and where to get the latest security updates on software that they require, and whether or not some other programs should ever even be there.

Re:This is a stupid article (1)

rgbrenner (317308) | more than 2 years ago | (#39936585)

Users not installing patches has been an issue for as long as I can remember. That is why we have Windows Update, Mac Software Update, RHN, etc.

So it's a problem with an obvious solution: add an auto-update feature to the JRE and enable it by default on desktops.

Refusing to implement a time-tested solution does not allow them to wash their hands of the problem.

Re:This is a stupid article (4, Insightful)

Sarten-X (1102295) | more than 2 years ago | (#39936663)

You mean the "java update" icon in the taskbar? The one that wants to update every few months?

Yeah, I ignore it, too... It seems every update is a few hundred megabytes, and I don't really want to pay attention to it long enough to tell it to install, then come back to follow up on it. Between all of the "time-tested" self-updaters for Windows, Adobe, Apple, Google, and a dozen more I could track down if I cared to, I'm sick of the whole self-updating thing. Why the hell don't we use RSS (or equivalent) for this yet, and be able to group all the updates together in a single interface, with a single "update now" button?

I guess that'll still be a Linux-only thing for another decade or so...

Re:This is a stupid article (5, Interesting)

PCM2 (4486) | more than 2 years ago | (#39936833)

Yeah, I think the bigger problem is that the updates are weird. It's been a while since I've had Java installed on my main machines, but the way I remember it, you'd end up with a long list of updates in your Programs and Settings panel, even when they all have the same major version number. Like... you could keep Java 1.6.19 even when you uninstalled Java 1.6.12. And they don't seem to be patches, either... like, each one adds another 350MB subdirectory to some folder in your system disk, and they all just sit there like turds.

Then there was the time Oracle tried to bundle a McAfee "security scan" [infoworld.com] in the Java updates. That really inspired confidence. "Hey, I know -- let's interrupt this vital security procedure to push crapware from our marketing partners."

No, I think Roger Grimes is wrong -- folks can and will uninstall Java. I've been avoiding it just fine, and those bespoke Java applications that we're told all these Fortune 500 companies are sitting on will eventually be replaced with Web applications.

(None of this is to say Java doesn't have a strong future in the datacenter, though.)

Re:This is a stupid article (1)

elfprince13 (1521333) | more than 2 years ago | (#39936863)

OS X has the App Store, which is moving heavily in that direction...

Re:This is a stupid article (5, Informative)

GIL_Dude (850471) | more than 2 years ago | (#39936605)

Well, in the enterprise space you have a huge catch-22. I deal with this at work all the time. Since Oracle / Sun Java doesn't actually do patches (they just do full versions that introduce new features, break existing code, and deprecate other features), you can't deploy it. You have this trade off of known security vulnerabilities vs. enterprise software that won't work with the new versions. You have banks that require you to run Java versions that are a year old in order to move money. You have vendors whose code won't work with the current version of Java - ever (since they take longer to get their code working on new versions than it takes Oracle to release the next new version). We try as hard as we can to get app owners to test - but every last time we ship a new Java version, apps come out of the woodwork with emergency requests to "stop the push". You can't win. Bust people's critical apps and you lose. Allow machines to get owned by insecure versions of Java? Yeah, you lose there too. Oracle needs to figure out how to do security patches that just fix the vulnerabilities and don't introduce (and remove) features. Until they can do that - yes, it is their fault.
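The practical defender's response to that catch-22 is knowing which hosts run which JRE update level, so the "stop the push" exceptions can be tracked instead of forgotten. This is an added example, not code from the thread or from Oracle: it parses both legacy (`1.6.0_31`) and modern (`11.0.2`) Java version strings and audits a constructed inventory against per-major-line patch floors that are placeholders, not real Oracle patch levels.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple, Union


class JavaVersion(NamedTuple):
    major: int    # 6 for "1.6.0_31", 11 for "11.0.2"
    minor: int
    update: int   # the "_NN" update number on legacy strings, third field on modern ones


# Legacy Sun/Oracle form: 1.<major>.<minor>_<update>, e.g. 1.6.0_31 or 1.7.0_04
_LEGACY = re.compile(r'^1\.(\d+)(?:\.(\d+))?(?:_(\d+))?$')
# Modern form: <major>.<minor>.<security>, e.g. 11.0.2 or just 17
_MODERN = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Pull a version token out of `java -version` output or a bare inventory field."""
    quoted = re.search(r'version "([^"]+)"', text)
    token = quoted.group(1) if quoted else text.strip()
    token = token.split("-")[0]          # drop build suffixes such as "-b04"
    legacy = _LEGACY.match(token)
    if legacy:
        return JavaVersion(int(legacy.group(1)),
                           int(legacy.group(2) or 0),
                           int(legacy.group(3) or 0))
    modern = _MODERN.match(token)
    if modern:
        return JavaVersion(int(modern.group(1)),
                           int(modern.group(2) or 0),
                           int(modern.group(3) or 0))
    return None


# Constructed per-major-line floors (placeholders, not real Oracle patch levels):
# the lowest update on each line that the enterprise treats as patched.
BASELINE: Dict[int, JavaVersion] = {
    6: JavaVersion(6, 0, 31),
    7: JavaVersion(7, 0, 4),
}


def classify(version: JavaVersion, baseline: Dict[int, JavaVersion]) -> str:
    """ok / unpatched relative to the floor for this major line, or unsupported-line."""
    floor = baseline.get(version.major)
    if floor is None:
        return "unsupported-line"
    # NamedTuple compares field by field, so (6, 0, 19) < (6, 0, 31) as intended.
    return "ok" if version >= floor else "unpatched"


# Constructed inventory, one "host<TAB>raw java -version line" per row.
SAMPLE_INVENTORY = """\
ws01\tjava version "1.6.0_31"
ws02\tjava version "1.6.0_19"
bank-kiosk\tjava version "1.6.0_12"
dev07\tjava version "1.7.0_04"
legacy-app\tjava version "1.5.0_22"
"""

Finding = Tuple[str, Union[JavaVersion, str], str]


def audit_inventory(inventory: str, baseline: Dict[int, JavaVersion] = BASELINE) -> List[Finding]:
    """Return (host, parsed version or raw text, status) for every inventory row."""
    findings: List[Finding] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, raw = line.partition("\t")
        version = parse_java_version(raw)
        if version is None:
            findings.append((host, raw, "unparseable"))
            continue
        findings.append((host, version, classify(version, baseline)))
    return findings


if __name__ == "__main__":
    for host, version, status in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {str(version):28} {status}")
```

Hosts flagged "unpatched" or "unsupported-line" are the ones carrying the months-old bugs the summary describes; the per-line floors let a pinned 1.6 line be tracked separately from the current line rather than lumped in as "old".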

Re:This is a stupid article (1)

Anonymous Coward | more than 2 years ago | (#39936687)

I'm unaware of any JVM since at least 1.3 that failed to execute code correctly that was compiled for an earlier release. Yes, the migration from 1.0 through 1.1 and up to 1.2 was problematic, but after that there were no backward compatibility issues that I am aware of. What's your excuse for using an old JVM again?

Re:This is a stupid article (0)

Anonymous Coward | more than 2 years ago | (#39936717)

his company bought software designed by morons that use com.sun.* packages....

Re:This is a stupid article (0)

Anonymous Coward | more than 2 years ago | (#39936851)

LOL, probably fucking true. Oracle JDeveloper hereabouts?

Re:This is a stupid article (0)

thebeige (2555996) | more than 2 years ago | (#39936895)

yeah fuck java, fuckers!

Re:This is a stupid article (1)

Tharsman (1364603) | more than 2 years ago | (#39936697)

I pick the same way on all third party run-time environments. Flash, Silverlight, Java, heck the browsers get a bit of slack because:

1) They get updated very often
2) I would be a Luddite if I don't have at least one installed.

I don't need third party run-times. Java is not on my system anymore. Nor is Flash. Thanks to the wonders of standardization (sarcasm), every time a website requires flash I launch it on my phone to get a standard HTML version that does not.

Re:This is a stupid article (0)

Anonymous Coward | more than 2 years ago | (#39936349)

+1 if you can get rid of java, there's one less thing to worry about

Re:This is a stupid article (0)

Anonymous Coward | more than 2 years ago | (#39936543)

That applies to EVERY piece of software. Why should Java get a free pass?

Besides, Java being platform independent, your criticism would apply on all platforms too! ;)

Re:This is a stupid article (1)

Tharsman (1364603) | more than 2 years ago | (#39936669)

This article was brought to you by your friendly neighbor Oracle!

Re:This is a stupid article (0)

Anonymous Coward | more than 2 years ago | (#39936829)

That is precisely the entire point of the article. Java shouldn't be treated any differently from everything else.

Re:This is a stupid article (0)

Anonymous Coward | more than 2 years ago | (#39936935)

Generally, "everything else" doesn't try to run arbitrary code from my browser, so yes, treating it like everything else and not installing the browser plugin works pretty well for me. And I'm a Java developer.

soo.. (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39936285)

We should legislate away our technical problems?
No thanks. It's been shown time and time again that not only doesn't it work, but it tends to make the technical problems worse.

If everyone thinks "i can just sue them later" then attention to security will drop even farther.

There are very good security systems out there that very few people and organizations bother to implement or continue.

Great Idea! (0)

Anonymous Coward | more than 2 years ago | (#39936291)

Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty.

Hey, you're right! Okay, here's what we're gonna do, we're going to put together a task force:

100 people here in the US identify the culprits,
1 person (you) travels to Russia and/or China to arrest the mafia/government employed hacker.

We'll prosecute everyone you are able to bring back. We're behind you buddy, all the way!

Invalid argument... (5, Insightful)

wbr1 (2538558) | more than 2 years ago | (#39936293)

We punish drug dealers and users... they keep on pushing and using.
We punish robbers and gangsters... stores get robbed and people gangbanged every day.
We punish rapists and other sex offenders...new ones crop up.
We punish murderers and and wife beaters... people still get killed and wives beaten every day.

Punishment is little if any deterrent. In countries with far less harsh criminal penalties than the United States, the crime rate stays about even to all other industrialized countries, even given the lesser punishments.
And somehow Grimes thinks that punishing crackers (not hackers.. I am proudly one of those), is going to make a difference. Even if you did manage to snuff it out in one place (highly unlikely), the internet is worldwide and you will have places with less lax laws or corrupt officials where those of a criminal bent can launch whatever they choose.
Most crime (not all) is caused by real or perceived poverty or other social disparity. Spending billions to incarcerate the underprivileged does nothing but further this disparity and create -more- crime.
Try looking at the world with empathy instead of greed and anger and try to lift people up. You may be surprised what a difference it makes.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936405)

"We punish robbers and gangsters... stores get robbed and people gangbanged every day."

This is why I can't get away with reading slashdot at work.

Re:Invalid argument... (1)

SCPRedMage (838040) | more than 2 years ago | (#39936459)

If I had been drinking something when I had read that line, I'm betting a spit-take would have been the inevitable result.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936451)

There are some countries in the world where the punishment for some crimes is a sound beating on the person's bare ass with a cane. It is incredibly painful, and in our western culture, it's considered dehumanizing, but it's worth noting that those countries don't really have a serious repeat offender problem.

Punishment can indeed be a deterrent... it just needs to be sufficiently harsh to scare the living shit out of anybody who is capable of thinking rationally.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936483)

It's immoral for the same reason that the death penalty is immoral: they could be innocent. Now the government, something which should be protecting the people to the best of its ability, has more than likely irreversibly scarred/destroyed an innocent person.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936561)

I don't think it's particularly immoral as a general practice. It can become so when innocent people are punished, but that doesn't mean that the entire system is invalid, since this is not something that generally happens when the system is functioning normally, and its purpose still is being met - which is to deter people from repeating offenses. Cars kill people every day... yet people continue to drive their cars because killing people is not a typical consequence of them when they are being operated correctly, and they offer a distinct advantage over not driving.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936703)

No, it's immoral. I'm against hurting others in general.

but that doesn't mean that the entire system is invalid, since this is not something that generally happens when the system is functioning normally

No system will ever be perfect. Ever. If you kill someone or scar them for life, that's it. Things like that cannot be fixed. That's why I'm against the death penalty and whatever evil solution you're suggesting in all cases. I'd rather let more criminals run around.

which is to deter people from repeating offenses.

The ends don't justify the means. I care far more about innocents than you do, apparently. You strike me as the kind of person who would readily sacrifice freedom for security.

Cars kill people every day... yet people continue to drive their cars because killing people is not a typical consequence of them when they are being operated correctly, and they offer a distinct advantage over not driving.

What kind of analogy is that? That's their own personal choice. No one is executing them or hurting them. The fact of the matter is this: we have a choice of what to do with accused criminals. Car accidents are just that--accidents. Few choices involved (except to drive the car). We don't have to hurt the accused criminals. That's completely within our power.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936779)

These are bald assertions and could be argued any way.
For example, by not providing justice to victims, or stopping criminals, you don't care about innocents.

Re:Invalid argument... (1)

SnapaJones (2634697) | more than 2 years ago | (#39936911)

Ridiculous. The government isn't here to permanently injure its own citizens. That is the difference between actual criminals and the government, and that is why we have due process. If the government hurt its own citizens left and right, people would lose faith in it and it would undoubtedly be a government that isn't for the people.

The government punishing someone isn't the same thing as criminals hurting others, and you'd be foolish to argue that.

"It's better that 100 guilty men go free than one innocent man suffer."

As much as possible, I subscribe to that notion. Especially when talking about things such as the death penalty.

It doesn't matter if they are innocent (1)

tlambert (566799) | more than 2 years ago | (#39936721)

Swift public punishment of convicted offenders is intended to act as a deterrent for the rest of society. It's not to reform the offender, and it's not to provide justice for the victim or the victim's family.

I don't necessarily agree with taking Rousseau's Social Contract to that extreme, but that's the theory in practice in these situations.

-- Terry

Re:Invalid argument... (1)

PCM2 (4486) | more than 2 years ago | (#39936919)

There are some countries in the world where the punishment for some crimes is physical torture. It is incredibly painful, and in our western culture, it's considered dehumanizing, but it's worth noting that those countries don't really have a serious repeat offender problem.

FTFY. I think we've found a solution to America's problems right here.

Re:Invalid argument... (2)

Concerned Onlooker (473481) | more than 2 years ago | (#39936497)

Well, it's not necessarily about deterrence. It's about accountability and keeping a criminal from doing the same thing again. That shouldn't be that hard to figure out.

Re:Invalid argument... (4, Insightful)

wbr1 (2538558) | more than 2 years ago | (#39936741)

It doesn't work at that either though. Many criminals would like a better life and a better chance, and don't want to make the same mistakes again. Not all, of course there are exceptions. But you take a man, put him in prison for 5 or 10 or 15 years at the prime of his life, give him some opportunities to learn, but most are bogus, and most of what is learned is -more- criminal mentality, and more hatred of -the system-. Then you put him out on the street with strict rules, little money, most of his family and friends have probably deserted him (if he had much to begin with) during his time in prison so he has little if any healthy support systems in place. Now add to that the fact that everywhere he turns he cannot get a job. If he owes court fines he may not even be able to get a driver's license until he can pay part of his fees, further limiting his chance of employment. Is it any wonder if he goes back to robbing stores or dealing drugs? It is what he knew and all he has left.
And even if you made him a ward of the state forever, now the state has weakened whatever family he had, and made it more likely for others in his family to follow the same path. And there will ALWAYS be more criminals to replace him.
So no, it is not about deterrence. It is not about accountability even. In the United States it is about making victims feel better, and about making money for the government. Bringing in tax dollars through fear.

Re:Invalid argument... (2)

C3ntaur (642283) | more than 2 years ago | (#39936899)

In the United States it is about making victims feel better, and about making money for the privatized prison industry.

FTFY

Re:Invalid argument... (1)

wbr1 (2538558) | more than 2 years ago | (#39936929)

I agree.. look at my reply to What? below

Re:Invalid argument... (2)

dkleinsc (563838) | more than 2 years ago | (#39936625)

Punishment is little if any deterrent. In countries with far less harsh criminal penalties than the United States, the crime rate stays about even to all other industrialized countries, even given the lesser punishments.

What is a strong deterrent, though, is a high risk of getting caught. For instance, if you put your criminal justice resources into hiring police, training them to be more effective at tracking down crimes, and building trust with the citizens (so they'll be more likely to volunteer information), that gives you a lot better results than putting your money into keeping people in prison longer for having a bag of weed.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936699)

You could have knocked me over with a feather when I came across this sentence:

Most crime (not all) is caused by real or perceived poverty or other social disparity.

You probably also believe that crime rates have been dropping for decades, and if anyone says otherwise, it's all in their heads.

Re:Invalid argument... (0)

Anonymous Coward | more than 2 years ago | (#39936839)

It is an undeniable fact that poor areas have significantly more crime, at least of some types, than rich areas. If poverty wasn't a key factor how do you explain that fact? Also since the gap between rich and poor has been increasing over the past few decades why would the original commenter believe the crime rates have been dropping, surely it would logically follow that crime rates would increase, surely!

what? (2)

circletimessquare (444983) | more than 2 years ago | (#39936771)

there are people who grow up in grinding poverty who would never do anything unethical

then there are assholes like this:

http://en.wikipedia.org/wiki/Leopold_and_Loeb [wikipedia.org]

very intelligent, very rich, and they decided to kill a 14 year old just for the hell of it. why? because evil is real in this world, and it exists independent of poverty, neither as cause nor effect, and independent of stupidity, neither as cause nor effect

class != morality != intelligence

there are poor people who are good

there are dumb people who are rich

there are smart people who are evil

mix and match to your heart's content and please get your simpleminded idiotic way you think about your world out of your head

we punish criminals on PRINCIPLE. it's not about deterrence. it's not about revenge. it's about morality

you'll get it some day, i hope

Re:what? (2)

wbr1 (2538558) | more than 2 years ago | (#39936867)

The examples you claim are exceptions to the rule. I agree that you can mix and match those categories. You can find evil rich people (just look at the heads of the banks and most of congress).
But by and large, walk into any prison in America and take a census. You will find that at a minimum 70%-80% grew up in poor, broken homes with dysfunctional families.
If this country spent as much effort and resources in helping to fix families, in making sure children had proper role models, in truly ending poverty as it does on punishment, then the number of new prisoners would drop by half or more in 18-20 years.
However this is not in the interest of the powers that be. Both federal prisons, and most state prisons have contracts with private corporations where prisoners are employed for extremely low wages, in often unsafe and unmonitored and unsanitary conditions, with almost non-existent medical care, and the government gets a cut of the profit. Look at models like Virginia Correctional Enterprises.
In addition, in many states, prisons are a boon for state legislators of poor districts. Build a prison in their district and create jobs, and business to support the prison and its employees, get tax dollars to improve infrastructure, and more. It also has the effect of lowering the welfare rolls in the district where it is built.
I know the prison industrial complex from two different sides, and it is a corrupt, stinking beast whose purpose is not about PRINCIPLE, and if you think it is, you need to take a closer look around you and stop living in fear.

Re:Invalid argument... (2, Informative)

Anonymous Coward | more than 2 years ago | (#39936875)

Actually, most crime is the result of opportunity, not poverty. It's not so much class psychology or class deprivation (in the Western world real deprivation is uncommon), but that lower income people tend to live in communities where crime is easier because of 1) underfunded enforcement and 2) cheaper targets. Crime is an evolutionary strategy, and there's no reason to think that the genes aren't evenly spread throughout the society, especially considering how the lower and upper classes mix so readily through the generations. Place groups of rich and poor people in a 7-11 with the understanding that there's no surveillance and in fact no repercussions whatsoever (not even peers) if they steal, and the same number of people from each group are likely to shoplift eventually. Others will never shoplift, because their reciprocity instinct is just too strong, and still others will fall in between.

That's why punishment is ineffective. The supposition held by a perpetrator is that he would not get caught. You don't need harsher penalties (no matter what the economists say); you just need better policing and fewer opportunities (in the software case, safer software).

story summary != story (5, Funny)

circletimessquare (444983) | more than 2 years ago | (#39936299)

Title:

Why Elephants Are Large

Story:

An Elephant's trunk is very flexible. Even more amazing are the flexible snakes in the grass. Click this link to learn all about why birds' eggs are shaped the way they are.

Wisdom of the crowd (0)

oldhack (1037484) | more than 2 years ago | (#39936599)

That's why nobody RTFA. The smart ones don't bother with the summary either.

Re:story summary != story (1)

robot256 (1635039) | more than 2 years ago | (#39936815)

Why is this modded funny? It should be modded insightful. I was thinking the same thing about the summary.

Re:story summary != story (1)

catmistake (814204) | more than 2 years ago | (#39936893)

Every time I read one of your modded up comments I think, "why can't all slashdot comments be like this one?"

I thought this was going to be about the language. (0)

Anonymous Coward | more than 2 years ago | (#39936311)

I don't want to dump the Java runtime, I want to dump the horrible language. And that I can do; I can write Ruby, Clojure, or Scala to run on the JVM.

Re:I thought this was going to be about the langua (0)

Anonymous Coward | more than 2 years ago | (#39936655)

I don't want to dump the Java runtime, I want to dump the horrible language. And that I can do; I can write Ruby, Clojure, or Scala to run on the JVM.

If the exploits are with the JVM it doesn't matter what language you are using.

Get away with crime? (5, Funny)

Toe, The (545098) | more than 2 years ago | (#39936361)

Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty.

Beloved, this is not being true! I have sure-fire way to stop crimes and makes you not being victims of many internet crimes ever. Alls I needs is your passwords to your accounts, and I makes them very secures. Especially yours banks passwords accounts numbers, I very much promising. I extra interested if you been scammed before. I help most much.

To show I most sincere, I also give you free 500 Viagra pills extra-effective man-stick for your every account you wants me protect! Your woman moan against your amazing he umbrella many time.

The problem of accountability (3, Insightful)

c0lo (1497653) | more than 2 years ago | (#39936365)

They (cyber criminals) almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.

Hang on... what about the accountability of the software producer? Oh, yeah, the DISCLAIMER in the copyright/license legalese... it passes the responsibility to deal with the effects to the users. So why are the users complaining?

Before you jump on my throat: I reckon the "social cost" of going after hackers would be higher than the cost of the "war on drugs" (even if only because running software is intangible and the attack vectors are easier to anonymize).
Even more, the "cost of discovering/deterring/preventing the cyber criminals" will be supported from taxes, even if the bug allowing the exploit is caused by the software producer... feels like a great incentive to reduce the cost of quality assurance stages in a software project, by externalizing them to the society... that's what corporations are excellent at, ain't it?

Re:The problem of accountability (1)

Sir_Sri (199544) | more than 2 years ago | (#39936581)

Well maybe the issue is more about making it obvious to the user that they need to install updates, making that process as unobtrusive as possible, and providing incentives to companies to do this well. God forbid, maybe even government regulations (although I don't think we're at that stage yet) on how these things have to behave, so that my java updates, my adobe updates, my windows updates, my firefox/chrome/ie updates all come in roughly the same style and roughly the same way and with an ease of understanding that if this is to address a 0 day exploit that's made clear.

You're right, making it about going after hackers isn't going to work. Murder is illegal, people still get murdered. I would venture to say that it's hard to find a law on the books some people don't violate. Hacking adds a layer of complexity because the hackers need not even be in your country. So systems should be more secure, and more easily secured by design, that doesn't mean you ignore attempts at hacking but it may mean that the government (or more likely government funded universities) have to interact with companies to help them either be more secure, or face consequences for willfully disregarding secure practices. You know, the same way there's an NTSB in the US for travel accidents. Mistakes happen, but if you're upfront about trying to deal with them, fix the issues (recalls in the case of cars) that's one thing, if you willfully ignore a problem, hide evidence from investigators and generally refuse to be a positive participant in the process then expect to not be allowed to do business in whatever country it is.

Re:The problem of accountability (1)

Anonymous Coward | more than 2 years ago | (#39936621)

Hang on... what about the accountability of the software producer? Oh, yeah, the DISCLAIMER in the copyright/license legalese... it passes the responsibility to deal with the effects to the users. So why are the users complaining?

Well, java has been a steaming pile for many years, but the recent mac java viruses are entirely due to Apple.

Apple made a deal with Sun (and later Oracle) that only Apple could release java for the mac.

So when yet another enormous security hole is discovered in java and made public, Sun/Oracle releases a new version of java for every platform except the mac. Apple then takes many months to release a patched version of java.

As a result, exploiting java on the mac is very easy, all because Apple is full of control freaks.

And Java's not patched because... (1, Interesting)

Anonymous Coward | more than 2 years ago | (#39936381)

... it can't be patched.

I run a Windows 7 computer with auto-updating turned on for both Windows and Java. Every time I boot, I get a message telling me there are Java updates to apply. I click 'Yes' to apply them, and nothing happens. No update, and no error message to give a clue as to why.

Maybe it's an admin privileges thing. But most processes give options to get around that requirement. Java Update doesn't.

So there it is, an unpatched Java installation. I've tried to uninstall it, and that's a similar usability nightmare but long story short, that doesn't work either.

Incompatibilities... (3, Insightful)

linatux (63153) | more than 2 years ago | (#39936393)

I'm sure Java would be kept a lot more up to date if version 'x' could still run software built when version 'n' was current.

Yuo f4Il it. (-1)

Anonymous Coward | more than 2 years ago | (#39936429)

The point more corpse turne3 over

Java Update for Windows sucks; Java's fault. (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39936453)

The Java Update notification shows up in the tray (on Windows Vista and XP), you click on it and get an error message to the effect of Java couldn't be downloaded or installed. What I have to do is logout and log back in as the Admin. Now, it would be nice if there were some program in the Programs list where I could click on it and just do an update, or easily bring up the java console - like Windows Update is easy to find and run. With Java, I have to search the web or better yet, bring up a page with a java applet which then brings up the Java console and then I can update - because the auto update sucks.

Now, I understand about the permissions and all that because I have a similar problem with Firefox and other Mozilla programs BUT I can do a "Run As" and run them as an admin and continue with the install - not really a problem. Java, on the other hand, requires an entire new download and then installing - only from the Admin account and digging for the damn Console in the control panel. BTW, the Java icon can only be found in the "Classic" view. And if I, an ex-programmer IT person, think this is a pain, I wonder how many people get the error and then forget about the update?

tl;dr Updating Java is a pain in the ass if you run your machine under a user account. Java needs an easier way to bring the Java console. And this security problem is Java's fault.

Not just unpatched Java (4, Insightful)

Hentes (2461350) | more than 2 years ago | (#39936487)

The big security problem with Java software is that you can't differentiate between them since they all run on the jvm. For example, you can't block net access from a Java program in a firewall, because you would have to block the whole jvm.

Re:Not just unpatched Java (1)

Anonymous Coward | more than 2 years ago | (#39936903)

The JVM has its own firewall. It is called the security manager. Indeed, this is the reason why Java security is so hard to get right. It implements a whole other model atop your OS. And in the Java 1.2 days, this was the main selling point of that release, so the people at Sun cared, and so it worked. But as Java suffered from more feeping creaturism in later releases, the security (like a lot of other things) broke. And not a lot of people cared. Indeed, in my experience a lot of programmers were happy about it, because most of the time they spend trying to escape the sandbox. Signed applets anybody?
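The point made in this reply and in the parent comment (an OS firewall sees only "the JVM", while the security manager sees the individual program) can be shown concretely. What follows is an added example, not code from the thread or from Sun/Oracle: a SecurityManager subclass that acts as an outbound allow-list for one JVM, so a single Java program is restricted without touching the host firewall. The class name, the allow-list contents and the target hosts (a loopback address and the reserved name example.invalid) are constructed for the demo.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.Permission;
import java.util.Collections;
import java.util.Set;

/*
 * Added example: a SecurityManager used as a per-JVM network allow-list.
 * The class name, the allow-list and the target hosts are constructed for
 * this demo and are not part of the thread or of any Oracle code.
 */
public class NetAllowListManager extends SecurityManager {

    private final Set<String> allowedHosts;

    public NetAllowListManager(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    // Called for every outbound connect and for name resolution (port == -1),
    // so a host that is not on the list is refused before any DNS query leaves.
    @Override
    public void checkConnect(String host, int port) {
        if (!allowedHosts.contains(host)) {
            throw new SecurityException("blocked connect to " + host + ":" + port);
        }
    }

    @Override
    public void checkConnect(String host, int port, Object context) {
        checkConnect(host, port);
    }

    // Inbound side: this demo refuses listening sockets altogether.
    @Override
    public void checkListen(int port) {
        throw new SecurityException("blocked listen on port " + port);
    }

    @Override
    public void checkAccept(String host, int port) {
        throw new SecurityException("blocked accept from " + host + ":" + port);
    }

    // Every other check (files, properties, threads) is left permitted so the
    // demo runs without a policy file; a real sandbox would not be this lax.
    @Override
    public void checkPermission(Permission perm) { }

    @Override
    public void checkPermission(Permission perm, Object context) { }

    /** Returns true if the security manager allowed the connection attempt. */
    static boolean attempt(String host, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 500);
            System.out.println("allowed and connected: " + host + ":" + port);
            return true;
        } catch (SecurityException e) {
            System.out.println("DENIED by SecurityManager: " + e.getMessage());
            return false;
        } catch (IOException e) {
            // The manager let it through; what the network then did is beside the point.
            System.out.println("allowed, network said " + e.getClass().getSimpleName()
                    + ": " + host + ":" + port);
            return true;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NetAllowListManager(Collections.singleton("127.0.0.1")));
        attempt("127.0.0.1", 9);         // on the list: the JVM permits it, the OS will likely refuse
        attempt("example.invalid", 80);  // not on the list: refused before name resolution
    }
}
```

Compile with `javac NetAllowListManager.java` and run with `java NetAllowListManager`. On JDK 17 the SecurityManager API is deprecated for removal and installing one prints a warning; from JDK 18 on the JVM must be started with `-Djava.security.manager=allow` for `System.setSecurityManager` to succeed at all, so this mechanism is most relevant to JVMs of the era the thread discusses.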

R U Trolling?? (0)

Anonymous Coward | more than 2 years ago | (#39936501)

So we in law enforcement seek something as simple and straightforward as extending CLEA authority to new technologies and you bitch up a storm and then turn around and complain on slashdot about LE not catching the criminals?

Zero day exploits sure...but zero month?? (2)

optimism (2183618) | more than 2 years ago | (#39936505)

Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes.

I'd like to see a reliable reference for this.

Would also like to know the impact of "zero month" exploits. Much more relevant, since Java's auto-updater pings once a month.

Personally I only use Java for a handful of local applications, and I always disable the auto-updater attack vector.

DEP and ASLR. (1)

vistapwns (1103935) | more than 2 years ago | (#39936535)

Now, it's been a while since I looked into this so don't bite my head off if my information is not current, but last I checked Java had problems with DEP and ASLR and did not opt into them (on Windows). Even if a flaw is not 0-day, it's much easier to attack without DEP and ASLR, so in my opinion that's another reason to heap a high level of scorn upon it. Found this from June 2010: http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf [secunia.com] - not sure if anything has changed with java but I know some of the other apps have switched on DEP and ASLR.
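Whether a Windows binary opts into DEP and ASLR is recorded in its PE optional header: the DllCharacteristics field carries IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) for DEP and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) for ASLR, and a survey of those bits is what the linked Secunia paper reports. The following added example (not from the thread or the paper) reads that field from a PE32 or PE32+ image. The two in-memory headers it checks are constructed for the demo; any file paths given on the command line are the reader's own.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.file.Files;
import java.nio.file.Paths;

/*
 * Added example: read the DllCharacteristics field of a PE image to see
 * whether the image opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT).
 * The class name and the synthetic headers are constructed for this demo.
 */
public class PeMitigationCheck {

    static final int IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040; // ASLR opt-in
    static final int IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x0100; // DEP opt-in

    /** Returns the 16-bit DllCharacteristics of a PE32 or PE32+ image held in memory. */
    static int dllCharacteristics(byte[] image) {
        ByteBuffer b = ByteBuffer.wrap(image).order(ByteOrder.LITTLE_ENDIAN);
        if (image.length < 0x40 || b.getShort(0) != 0x5A4D) {            // "MZ"
            throw new IllegalArgumentException("not a DOS/PE image");
        }
        int peOffset = b.getInt(0x3C);                                    // e_lfanew
        // Need room for "PE\0\0" (4), the COFF header (20) and 72 bytes of optional header.
        if (peOffset < 0x40 || peOffset > image.length - (4 + 20 + 72)
                || b.getInt(peOffset) != 0x00004550) {                    // "PE\0\0"
            throw new IllegalArgumentException("PE signature missing or header truncated");
        }
        int optHeader = peOffset + 4 + 20;
        short magic = b.getShort(optHeader);
        if (magic != (short) 0x10B && magic != (short) 0x20B) {           // PE32 / PE32+
            throw new IllegalArgumentException("unknown optional header magic");
        }
        // DllCharacteristics is at offset 70 in both the PE32 and the PE32+ optional header.
        return b.getShort(optHeader + 70) & 0xFFFF;
    }

    static boolean optsIntoAslr(byte[] image) {
        return (dllCharacteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    }

    static boolean optsIntoDep(byte[] image) {
        return (dllCharacteristics(image) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    }

    /** Constructed minimal PE32 header (no sections, no code) used only for the demo. */
    static byte[] syntheticImage(int dllCharacteristics) {
        byte[] img = new byte[0x40 + 4 + 20 + 96];                        // DOS header + PE sig + COFF + PE32 optional header
        ByteBuffer b = ByteBuffer.wrap(img).order(ByteOrder.LITTLE_ENDIAN);
        b.putShort(0, (short) 0x5A4D);                                    // "MZ"
        b.putInt(0x3C, 0x40);                                             // e_lfanew -> PE header right after DOS header
        b.putInt(0x40, 0x00004550);                                       // "PE\0\0"
        int opt = 0x40 + 4 + 20;
        b.putShort(opt, (short) 0x10B);                                   // PE32 magic
        b.putShort(opt + 70, (short) dllCharacteristics);
        return img;
    }

    static void report(String label, byte[] image) {
        System.out.printf("%-28s ASLR=%-5b DEP=%-5b%n", label, optsIntoAslr(image), optsIntoDep(image));
    }

    public static void main(String[] args) throws IOException {
        report("constructed hardened image",
               syntheticImage(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT));
        report("constructed legacy image", syntheticImage(0));
        // Optionally audit real files, e.g. the java.exe and jvm.dll of an installed JRE.
        for (String path : args) {
            report(path, Files.readAllBytes(Paths.get(path)));
        }
    }
}
```

Two caveats when reading the result. Under Windows' default "OptIn" DEP policy the NX_COMPAT bit on the executable decides whether the whole process gets DEP, whereas DYNAMIC_BASE is honoured per image, so every DLL the JVM loads has to carry it for ASLR to be complete. And the header flags say nothing about code the JIT emits at run time into writable and executable memory, which is a separate question from what this check answers.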

Re:DEP and ASLR. (0)

Anonymous Coward | more than 2 years ago | (#39936733)

That is why I use opt-out, instead of opt-in. Most programs don't have a problem; and those that do, are games I downloaded off the internet and they could have tried to attack me anyway, so in the trash they go.

Does anybody still run Java applets? (1)

Animats (122034) | more than 2 years ago | (#39936539)

I haven't had Java installed on my desktop machines in years, and don't seem to be missing out on anything. Some of the less important OpenOffice functions didn't work, but that was about it.

Yes, but very few (1)

MtHuurne (602934) | more than 2 years ago | (#39936693)

I have Java installed on my systems, but have the Java plugin disabled in the web browsers I regularly use. I came across exactly one site that required a Java applet to run in the last year or so: a system to book appointments at the local government office. Maybe it's different in the enterprise; the last big company I worked for had some kind of SAP front-end as a Java applet. But for home use Java is no longer necessary on a daily basis.

That's an odd conclusion. (1)

SeaFox (739806) | more than 2 years ago | (#39936541)

But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished.

This conclusion doesn't really seem to follow the premise. If the security issue is already-patched exploits being used for attacks, isn't the real issue people not keeping their Java up-to-date with security fixes? We're always quick to jump on Joe Sixpack for not keeping their Windows installation current on hotfixes, or the webserver team for not keeping PHP/Apache/etc behind, how is this any different?

You know what would make this a lot less of a problem? Silent automated updates. The Java updater appears often enough to be a nuisance for some (me included), yet Java itself is obscure enough to the end user some don't know what it is, unlike Flash. "What? A new version of Java is available? What's that? Don't click 'install' dear, I've never heard of it, it might be spyware!" I'm sure this happens more often than Oracle thinks.

Re:That's an odd conclusion. (0)

Anonymous Coward | more than 2 years ago | (#39936661)

You know what would make this a lot less of a problem? Silent automated software braking! The Java updater appears often enough I can't be arsed to click "ok"

FTFY

captcha: Heckle

Blame the developers... (1)

pkinetics (549289) | more than 2 years ago | (#39936559)

The problem isn't applying patches. The problems occur when applying the patch causes a mission critical application, or a very critical application to the end user to stop working. The end result is the IT department ends up fielding a ton of phone calls from irate users, and / or getting blamed for the patch, even if they have nothing to do with it.

It is no wonder IT departments are always behind on getting patches rolled out. They need / want to test them.

And if an individual or department has some sort of 3rd party software that is not well defined and IT does not know about, there is no guarantee that they include it in testing.

Basically, patching is strongly needed. But end users get incredibly leery when patching the blasted stuff breaks the application, especially when the patch does not address the end user's prioritization of problems.

Huh? What? (0)

Anonymous Coward | more than 2 years ago | (#39936571)

Who says i can't dump java... Bloated slow ass system invasive piece of junk that lets any moron write a 'program' and shit it out on people.

It's not difficult. I got rid of and blocked java years ago.

Haven't missed it at all either. Or sure every once in awhile i hit a site that wants it... And so far whatever they had... i could go get somewhere else that didn't shove that crapware on me.

So fuck you article. you can get rid of java just fine.

Wrong! (1)

forgottenusername (1495209) | more than 2 years ago | (#39936589)

I dump java all the time. Try kill -3 `pidof java`

Re:Wrong! (1)

marcosdumay (620877) | more than 2 years ago | (#39936751)

Do you have any religious aversion to the 'killall' command?

Also, what is the difference between SIGTERM and SIGQUIT?

Penalties (2)

PPH (736903) | more than 2 years ago | (#39936635)

Because we can't do anything. We're helpless (never mind keeping up to date on Java patches). It's all hopeless. We need authority to trace the criminals and possibly take preemptive measures to shut them down and seize their servers.

And then all you do is chase down people sharing Lady Gaga MP3s. Yeah, right.

The real answer (1)

rabtech (223758) | more than 2 years ago | (#39936647)

As much as it sucks to have a vendor pushing patches without explicit dialogs/permission, I would argue that the global damage from lack of patches far outweighs the downsides at this point.

This is one area Chrome gets right. Java (along with Firefox, Windows, et al) should automatically download and apply all security patches without prompting or notifying the user in any way unless you go in and manually disable it.

I've seen people see the Windows Update dialog and immediately click cancel. They just see it as another annoying useless dialog box and dismiss it.

Java sucks cock. Criminals suck cock. (0)

Anonymous Coward | more than 2 years ago | (#39936657)

We all agree on that.
But human criminality is a problem we will ALSO never get rid of.
As much as I want accountability for criminal's actions, expecting that to actually happen is like shaking your fist at the sky hoping for God to fix things.
And since there is no god, it won't happen.
So we plod along doing what we always do, dealing with criminals if we can, and dealing with software bugs if we can.

I dumped Java a while back (1)

93 Escort Wagon (326346) | more than 2 years ago | (#39936707)

At least in my web browsers. Can't say I've noticed that anything useful has been affected. Heck, I'm not sure I've seen any effect at all.

Besides, understanding what the real root cause of these Java exploits is has very little bearing on whether I can dump Java. I can choose to dump it regardless of its relative security. On the web, client-side Java tends to make Flash look light and nimble - so I said no thanks to Java some time ago.

If I could dump Java, I would (1)

billybob_jcv (967047) | more than 2 years ago | (#39936709)

But that isn't going to happen as long as we have $600K of Oracle ERP software running in the company.

Re:If I could dump Java, I would (2)

catmistake (814204) | more than 2 years ago | (#39936931)

But that isn't going to happen as long as we have $600K of Oracle ERP software running in the company.

dooooood.... don't you know it instantly loses the better half of its value the moment you drive it off the lot? Oracle software is like an oversized RV, or a boat, even a really nice expensive boat. It doesn't matter that it cost $2.4 million to build it, the day you bought it for that, it was really only worth half that, and after it's been in the water, it's often worth negative fortunes.

Oracle v. Google is why I want to dump java (1)

Qubit (100461) | more than 2 years ago | (#39936891)

One of the reasons that I can't dump java is because I still use a bunch of software written in java like, say, apps on Android. And don't forget that there are pieces of software like LibreOffice [documentfoundation.org] that still have legacy dependencies on java. Sure, LO is working on rewriting those pieces, but it won't happen overnight.

Even if Oracle loses regarding copyright and patents on the Java language, the Java APIs, etc., they have shown that they regard the Java language as a business bargaining chip and not as an unrestricted computer programming language. Why take the hassle and risk? Just go use someone else's language like Python or Ruby.

With all of the shit that Apache has gotten from Sun/Oracle re: the JCP, Harmony, and the TCK, I'm surprised that they haven't just said that they're going to fork Java. I guess the problem is that (1) Apache doesn't think that they have enough clout to make their fork dominant (or at least viable), and (2) Oracle could just go after the fork with their patents. At this point, I'm not even sure that Apache could get Google onboard for a fork, as that might hurt all of Google's need-for-compatibility claims in the current litigation.

Zero-day vulnerability (0)

Anonymous Coward | more than 2 years ago | (#39936913)

Completely specious. All 1-day, 2-day, 90-day, 260-day, 15-year vulnerabilities started out as a 0-day vulnerability. The real problem is that Java suffers from brain-dead design and brain-dead updating.

If you permit the execution of untrusted code on a computer, such as java / javascript / or acticrap, then you will get exactly what you permitted.

The Reason Why You Can't Dump Java... (2)

Xarun (1524715) | more than 2 years ago | (#39936927)

...because you need it to run Minecraft. Or am I missing something?