
Gene Wirchenko 05-08-2012 03:51 PM

Article: Why you can't dump Java (even though you want to)
 
This was in the morning's trade articles:

http://www.infoworld.com/d/security/...ou-want-192622
InfoWorld Home / Security / Security Adviser
May 08, 2012
Why you can't dump Java (even though you want to)
So many recent exploits have used Java as their attack vector, you
might conclude Java should be shown the exit
By Roger A. Grimes | InfoWorld

Comments?

Sincerely,

Gene Wirchenko

Arved Sandstrom 05-08-2012 08:14 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 12-05-08 12:51 PM, Gene Wirchenko wrote:
> This was in the morning's trade articles:
>
> http://www.infoworld.com/d/security/...ou-want-192622
> InfoWorld Home / Security / Security Adviser
> May 08, 2012
> Why you can't dump Java (even though you want to)
> So many recent exploits have used Java as their attack vector, you
> might conclude Java should be shown the exit
> By Roger A. Grimes | InfoWorld
>
> Comments?
>
> Sincerely,
>
> Gene Wirchenko


I tend to agree with what Grimes wrote on the second page of his
article. As he pointed out, popular software always gets exploited. Part
of it is due to defects in the software, so in Java in this case, but a
major part of it for a programming language and platform (JVM) is how
people code in it. How many Java programmers have genuinely absorbed the
lessons in "Secure Coding Guidelines for the Java Programming Language",
or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
percent? No way is it any higher than that.

The main problem is the human being, whether coder or user.

AHS
--
Never interrupt your enemy when he is making a mistake.
--Napoleon

Nasser M. Abbasi 05-08-2012 08:36 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 5/8/2012 3:14 PM, Arved Sandstrom wrote:

>
> The main problem is the human being, whether coder or user.
>
> AHS


There are now Trojans and viruses that attack the PC
using JavaScript.

One can't really shut down JavaScript in the browser like they can
with the Java plugin to prevent applets from running.

I think the whole internet is doomed. Nowhere to run and hide
any more.


--Nasser


markspace 05-08-2012 08:51 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>
>>
>> The main problem is the human being, whether coder or user.
>>
>> AHS

>
> There are now Trojans and viruses that attack the PC
> using JavaScript.
>
> One can't really shut down JavaScript in the browser like they can
> with the Java plugin to prevent applets from running.



Yes you can. I run Firefox with NoScript, an add-on that blocks
JavaScript. Most sites work OK without JavaScript. If I really need
to, NoScript makes it easy for me to temporarily enable a single website.

In some cases, the problem is the platform. I.e., JavaScript, or
ActiveX. But there are workarounds too.


markspace 05-08-2012 08:59 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:

> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>
>> The main problem is the human being, whether coder or user.
>>


> I think the whole internet is doomed. Nowhere to run and hide
> any more.



Arved wins this argument. From the article:

"Sure, I could opt not to use those Java-enabled services or install
Java and uninstall when I'm finished. But the core problem isn't
necessarily Java's exploitability; nearly all software is exploitable.
It's *unpatched* Java. Few successful Java-related attacks are related
to zero-day exploits. Almost all are related to Java security bugs that
have been patched for months (or longer)."


Again, I use Firefox. After a recent upgrade of FF, it disabled the Java
plugin (a recent one, version 6 update 22 or so), calling it insecure.
OK, whatever, so I downloaded a new one. It bugged me at the time but
now I see why: FF was forcing me to upgrade to a later patch. This
I'm removes known vulnerabilities.

It takes effort to stay on top of these things but it can be done. Now,
who's at fault for the Mac Java exploit? Oracle? Or Apple for
allowing users to run old, insecure versions of Java?


Nasser M. Abbasi 05-08-2012 09:01 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 5/8/2012 3:51 PM, markspace wrote:
> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>
>>>
>>> The main problem is the human being, whether coder or user.
>>>
>>> AHS

>>
>> There are now Trojans and viruses that attack the PC
>> using JavaScript.
>>
>> One can't really shut down JavaScript in the browser like they can
>> with the Java plugin to prevent applets from running.

>
>


> Yes you can. I run Firefox with NoScript, an add-on that blocks
> JavaScript. Most sites work OK without JavaScript. If I really need
> to, NoScript makes it easy for me to temporarily enable a single website.
>
> In some cases, the problem is the platform. I.e., JavaScript, or
> ActiveX. But there are workarounds too.
>


Well, I know I can turn off JavaScript from Firefox, it is
easy. Tools->Options->Content->uncheck JavaScript.

The point is, browsing the internet is almost useless when
JavaScript is off. How will you browse Yahoo, Google, etc.
with no JavaScript? Many things do not work any more. Some do, yes,
but many things need JavaScript to work.

It feels like driving a car with no wheels attached to it. Not
a fun thing to do.

--Nasser

markspace 05-08-2012 09:15 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:

> The point is, browsing the internet is almost useless when
> JavaScript is off.



Read what I wrote again. "NoScript makes it easy to temporarily enable
JavaScript for a single website."

Emphasis on the "makes it easy" and the "single website."

Using that feature allows me to browse safely, while still retaining the
option to quickly turn JS back on if I need it for a given website.


Nasser M. Abbasi 05-08-2012 09:41 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 5/8/2012 4:15 PM, markspace wrote:
> On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:
>
>> The point is, browsing the internet is almost useless when
>> JavaScript is off.

>
>
> Read what I wrote again. "NoScript makes it easy to temporarily enable
> JavaScript for a single website."
>


And you read what I wrote again. I said it is very easy for
me to turn off JavaScript and turn it on.

But for me, this is no way to browse the internet.

When I click on something and it does not work, then I
have to turn on JavaScript. Then remember to turn it off
again, then on again, then off again. I'll be spending
my day turning off and on JavaScript.

If this works for you, fine. Not for me.

--Nasser

Gene Wirchenko 05-08-2012 10:05 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On Tue, 08 May 2012 16:01:07 -0500, "Nasser M. Abbasi" <nma@12000.org>
wrote:

>On 5/8/2012 3:51 PM, markspace wrote:
>> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:


>>>> The main problem is the human being, whether coder or user.


>>> There are now Trojans and viruses that attack the PC
>>> using JavaScript.
>>>
>>> One can't really shut down JavaScript in the browser like they can
>>> with the Java plugin to prevent applets from running.


>> Yes you can. I run Firefox with NoScript, an add-on that blocks
>> JavaScript. Most sites work OK without JavaScript. If I really need
>> to, NoScript makes it easy for me to temporarily enable a single website.
>>
>> In some cases, the problem is the platform. I.e., JavaScript, or
>> ActiveX. But there are workarounds too.


>Well, I know I can turn off JavaScript from Firefox, it is
>easy. Tools->Options->Content->uncheck JavaScript.
>
>The point is, browsing the internet is almost useless when
>JavaScript is off. How will you browse Yahoo, Google, etc.


Not even close. I use Firefox and NoScript as well. There are
few sites that I frequent that need JavaScript.

>with no JavaScript? Many things do not work any more. Some do yes,


You need better examples. Both Yahoo! and Google work without
JavaScript (at least, the basic search function).

>but many things need JavaScript to work.
>
>It feels like driving a car with no wheels attached to it. Not
>a fun thing to do.


No, it is like driving a car with no chrome on it. One might
miss it a bit, but it is not necessary in order to drive.

Some sites do make it very difficult. On some sites, clicking on
a link requires JavaScript to be executed. The <a> tag works fine
without JavaScript so this is bogosity. I tend to very quickly leave
such sites and not go back.

I have wondered why no one has come up with a limited JavaScript
that does not allow such attacks.

Sincerely,

Gene Wirchenko

Arved Sandstrom 05-08-2012 10:12 PM

Re: Article: Why you can't dump Java (even though you want to)
 
On 12-05-08 05:51 PM, markspace wrote:
> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>
>>>
>>> The main problem is the human being, whether coder or user.
>>>
>>> AHS

>>
>> There are now Trojans and viruses that attack the PC
>> using JavaScript.
>>
>> One can't really shut down JavaScript in the browser like they can
>> with the Java plugin to prevent applets from running.

>
>
> Yes you can. I run Firefox with NoScript, an add-on that blocks
> JavaScript. Most sites work OK without JavaScript. If I really need
> to, NoScript makes it easy for me to temporarily enable a single website.
>
> In some cases, the problem is the platform. I.e., JavaScript, or
> ActiveX. But there are workarounds too.
>


I do the same thing: as much as possible I use various combos of Adblock
Plus/Opera Adblock, Do Not Track Plus, Ghostery, Priv3, NotScripts etc
in all of my browsers on all OS's. Not to mention cranking up the
browsers' own mechanisms as much as possible. I also find that most
sites work when imposed with severe restrictions - the ones that don't I
just dismiss, unless they are among a handful that I need and I
temporarily enable the minimum just like you.

AHS
--
Never interrupt your enemy when he is making a mistake.
--Napoleon


All times are GMT.