Article: Why you can't dump Java (even though you want to)

 
 
Gene Wirchenko
Guest
Posts: n/a
 
      05-08-2012
On Tue, 08 May 2012 16:41:31 -0500, "Nasser M. Abbasi" <(E-Mail Removed)>
wrote:

>On 5/8/2012 4:15 PM, markspace wrote:
>> On 5/8/2012 2:01 PM, Nasser M. Abbasi wrote:
>>
>>> The point is, browsing the internet is almost useless when
>>> JavaScript is off.


>> Read what I wrote again. "NoScript makes it easy to temporarily enable
>> JavaScript for a single website."


>And you read what I wrote again. I said it is very easy for
>me to turn off Javascript and turn it on.
>
>But for me, this is no way to browse the internet.
>
>When I click on something and it does not work, then I
>have to turn on javascript. Then remember to turn it off
>again, then on again, then off again. I'll be spending
>my day turning off and on Javascript.


When I try opening a door and it is locked, then I have to get out
my keys and unlock the door. Then I have to remember to lock the door
again. Unlock and lock. I will be spending my day unlocking and
locking doors.

>If this works for you, fine. Not for me.


Leaving the barn door open has advantages but also significant
downside.

Sincerely,

Gene Wirchenko
 
markspace
Guest
Posts: n/a
 
      05-08-2012
On 5/8/2012 2:41 PM, Nasser M. Abbasi wrote:

> And you read what I wrote again. I said it is very easy for
> me to turn off Javascript and turn it on.



What you said was:


"> The point is, browsing the internet is almost useless when
> JavaScript is off."



Which is false.

> When I click on something and it does not work, then I
> have to turn on javascript. Then remember to turn it off
> again, then on again, then off again. I'll be spending
> my day turning off and on Javascript.



This is what I'm trying to explain to you, if you'll listen. NoScript
DOES NOT WORK LIKE THIS.

I enable JavaScript for ONE SITE. No other sites. I don't have to turn
JavaScript back off because it's still off for all other sites. Usually
I just use the "temporary" option so JS is enabled for one session.
When I quit, JS is back off again for all my temporary sites.

Sometimes I visit a site often enough that I enable it permanently, but
I have relatively few of those.

GET NOSCRIPT ALREADY and stop complaining that "it doesn't work" because
you have no idea what you are talking about.


 
Joshua Maurice
Guest
Posts: n/a
 
      05-08-2012
On May 8, 1:36 pm, "Nasser M. Abbasi" <(E-Mail Removed)> wrote:
> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>
>
>
> > The main problem is the human being, whether coder or user.

>
> > AHS

>
> There are now Trojans and viruses that attack the PC
> using JavaScript.
>
> One can't really shut down JavaScript in the browser like they can
> with the Java plugin to prevent applets from running.
>
> I think the whole internet is doomed. no where to run and hide
> any more.


I will also second (or third?) firefox and noscript. Yes it's a pain,
and yes there's some websites that require javascript to work, but
it's better than nothing for a little amount of hassle.
 
 
Arne Vajhøj
Guest
Posts: n/a
 
      05-09-2012
On 5/8/2012 4:51 PM, markspace wrote:
> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>> The main problem is the human being, whether coder or user.

>>
>> There are now Trojans and viruses that attack the PC
>> using JavaScript.
>>
>> One can't really shut down JavaScript in the browser like they can
>> with the Java plugin to prevent applets from running.

>
>
> Yes you can. I run Firefox with NoScript, an add-on that blocks
> JavaScript. Most sites work OK without JavaScript. If I really need to,
> NoScript makes it easy for me to temporarily enable a single website.


That worked fine 10 years ago.

In these AJAX times the number of sites working without
JavaScript must be dropping pretty steep.

Arne
 
 
Arne Vajhøj
Guest
Posts: n/a
 
      05-09-2012
On 5/8/2012 4:59 PM, markspace wrote:
> On 5/8/2012 1:36 PM, Nasser M. Abbasi wrote:
>> On 5/8/2012 3:14 PM, Arved Sandstrom wrote:
>>> The main problem is the human being, whether coder or user.

>
>> I think the whole internet is doomed. no where to run and hide
>> any more.

>
> Arved wins this argument. From the article:
>
> "Sure, I could opt not to use those Java-enabled services or install
> Java and uninstall when I'm finished. But the core problem isn't
> necessarily Java's exploitability; nearly all software is exploitable.
> It's *unpatched* Java. Few successful Java-related attacks are related
> to zero-day exploits. Almost all are related to Java security bugs that
> have been patched for months (or longer)."


????

Java should automatically update these days.

Arne

 
 
Arne Vajhøj
Guest
Posts: n/a
 
      05-09-2012
On 5/8/2012 4:14 PM, Arved Sandstrom wrote:
> On 12-05-08 12:51 PM, Gene Wirchenko wrote:
>> This was in the morning's trade articles:
>>
>> http://www.infoworld.com/d/security/...ou-want-192622
>> InfoWorld Home / Security / Security Adviser
>> May 08, 2012
>> Why you can't dump Java (even though you want to)
>> So many recent exploits have used Java as their attack vector, you
>> might conclude Java should be shown the exit
>> By Roger A. Grimes | InfoWorld
>>


> I tend to agree with what Grimes wrote on the second page of his
> article. As he pointed out, popular software always gets exploited. Part
> of it is due to defects in the software, so in Java in this case, but a
> major part of it for a programming language and platform (JVM) is how
> people code in it. How many Java programmers have genuinely absorbed the
> lessons in "Secure Coding Guidelines for the Java Programming Language",
> or now the "CERT Oracle Secure Coding Standard for Java"? 5 percent? 1
> percent? No way is it any higher than that.


I think we need to distinguish between:
A) malicious applet code that gets unauthorized access to desktop
PC's when their users just browse the internet
B) hackers that break into a Java web app using various
security holes

A is what I assume the article is about. And the security
problems are caused by bugs in JVM and Java runtime.

B is caused by bugs introduced by the Java web app
developers. And this seems to be what that coding
standard tries to address.

Arne

 
 
Arne Vajhøj
Guest
Posts: n/a
 
      05-09-2012
On 5/8/2012 11:51 AM, Gene Wirchenko wrote:
> This was in the morning's trade articles:
>
> http://www.infoworld.com/d/security/...ou-want-192622
> InfoWorld Home / Security / Security Adviser
> May 08, 2012
> Why you can't dump Java (even though you want to)
> So many recent exploits have used Java as their attack vector, you
> might conclude Java should be shown the exit
> By Roger A. Grimes | InfoWorld
>
> Comments?


The article is true but still completely BS.

There is a need for code running client side in web
solutions.

That code runs sandboxed and in theory does not have access
to anything on the client PC.

In practice there are some security bugs in the sandbox that
allows malicious code to gain access that it was not supposed
to have.

Same story whether it is Java applet, Flash, Silverlight,
JavaScript/HTML5 or even to some extent JavaScript/oldHTML.

As long as there is a need for code running client side
then the problem will exist.

Whether it is Java or something else does not matter.

So suggesting disabling Java in the browser is BS.

One can suggest disabling Java, Flash, JavaScript etc.
and see if one can live with the 1996 feeling.

Arne

 
 
markspace
Guest
Posts: n/a
 
      05-09-2012
On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
> That worked fine 10 years ago.
>
> In these AJAX times the number of sites working without
> JavaScript must be dropping pretty steep.



A lot of sites don't work without JavaScript enabled. But many work
well enough. It's a matter of playing the odds. The more sites you go
to with JavaScript disabled by default, the less likely it is that
you'll get some sort of malware from them.

Sure I often have to enable JS, but only after I've seen the site first.
If it looks dodgy, I just leave. And often I can still click on a few
links or read an article without JS. It's rare I'll enable JS if I just
need one thing from a site.

 
 
markspace
Guest
Posts: n/a
 
      05-09-2012
On 5/8/2012 6:04 PM, Arne Vajhøj wrote:
>
> Java should automatically update these days.



The article specifically mentions Apple, who didn't patch their own
special version of Java for several months, until they got bit hard by a
trojan or something.

Yes, Oracle's new version for the Mac does enable auto-updates. But
there's enough old Java out there that I guess many don't have it.

 
 
Eric Sosman
Guest
Posts: n/a
 
      05-09-2012
On 5/8/2012 11:52 PM, markspace wrote:
> On 5/8/2012 6:03 PM, Arne Vajhøj wrote:
>> That worked fine 10 years ago.
>>
>> In these AJAX times the number of sites working without
>> JavaScript must be dropping pretty steep.

>
>
> A lot of sites don't work without JavaScript enabled. But many work well
> enough. It's a matter of playing the odds. The more sites you go to with
> JavaScript disabled by default, the less likely it is that you'll get
> some sort of malware from them.


For even more security, disable HTML.

--
Eric Sosman
(E-Mail Removed)
 