The Motley Fool Discussion Boards

Computers, Phones & Internet / Help with this STUPID computer!

URL:  http://boards.fool.com/peter-you-start-off-ok-but-then-kinda-lose-it-30295603.aspx

Subject: Re: Yet another Java flaw
Date: 10/2/2012 3:31 PM
Author: mmrmnhrm
Number: 182038 of 189846

Peter, you start off ok, but then kinda lose it, as the blame lies just as much in the programmer as it does with Java itself.

Java is a programming language. What makes it handy for web site designers is that the user has to install a program on their computer that handles all of the details of making the program run on any specific kind of computer. It's a program that runs other programs.

So all the web guy has to do is write the program to do what they want it to do. They don't have to worry about all of the differences between Windows and Macs and UNIX users. That's handled by the Java piece the user has to install.

So far, so good. Let me take you back to the early childhood of personal computing... 1985. The lingua franca of the world, and an ancestor of Java (in spirit if not flesh), is BASIC. Functionally, it is identical. It is, in your words, "a program that runs other programs." It didn't matter whether you wrote (or copied out of a magazine) the code to an IBM PC-XT, a Commodore 64, an Apple IIc (or one of them newfangled Macintosh thingies), an Amiga, or an Atari XL, as long as the computer had a BASIC interpreter, it would run the program. If by some miracle you could find a computer that could read disks other than its own native format, you could even copy the programs from one to the other, make no changes, and have them work! Just like your modern-day web programmer.

You might be able to see the problem here. If you let a program run on your computer, you're giving that program access to your computer.
This is where you begin to wander off the trail. There is no problem here. The very act of running a program gives it access to your computer. It doesn't matter whether the program is written in Java, C, C++, C#, FORTRAN, COBOL, LISP, VB, .NET, ASM, or any other number of languages, both arcane and common. Is C# somehow more secure than C++? Or COBOL more secure than Java? No. In fact, some languages have even less ability to protect the user from malware than Java, as they lack the security certificate mechanisms (which are currently giving me all sorts of grief as I try to get an older program running again).

And with Java, you're giving access to some random web site designer to do an awful lot of things on your computer.
And this is different from .NET, PHP, ASP, VB, Flash, and HTML5 how, exactly?

One of the bad guys' favorite things to do is to create errors. (That would be something like trying to divide by zero.) Programmers generally are pretty good at handling errors, but they're not perfect. So the bad guys poke around a lot until they find some kind of error that isn't handled correctly. That can make the computer do unexpected things. Those baddies find out what that unexpected thing is and then take advantage of it to get more access to your computer than you think you gave them.

And here we're getting to where I think you're going wrong. Programmers *SUCK* at detecting and handling errors, to the point that college exercises are designed specifically to make students think about what happens if unexpected input is received. If the assignment is to return the sine of an angle, and you store it as type integer, what happens when the user feeds you a float? How about if you store a float, but the user provides a double? Or worse, a string!! Bad People(tm) take advantage not of the language directly, but of programmer inexperience, incompetence, or sheer laziness. Sanitize your input, and it doesn't matter what is fed in, garbage in = try again loser!

Often, they'll take advantage of that additional access to install another program on your computer without your permission. That stuff is malware. It generally does bad things. At best, it just makes your computer run slower. At worst, it steals various pieces of information and sends them on to the baddies, who figure out a way to convert that information into money.
Yes, but again, how is this any different from exploiting holes in Internet Explorer, Firefox, Chrome, Safari, and Opera, or any of their plug-ins (I'm looking at you, Flash and Adobe Reader)?

And that's my translation of the problem with Java. It's not that Java is a badly written program. On the contrary, it's fairly well-written. The problem is that by its very nature it creates security holes. And those holes are difficult to impossible to close. The only real way to close the security holes is to get rid of Java completely. That means you might not be able to do some things on some web sites. But that's the price to pay for eliminating this particular security threat.
No, just because it exists doesn't create security holes. Or rather, it enables only the security holes the programmers or compilers create by not testing their software, or assuming someone/something else will handle protecting users. Get rid of Java completely? Then what will programmers use when cross-platform compatibility is needed? Sorry, but I don't think anybody wants to figure out how to extend BASIC to handle high-res 3D graphics and optimal path routing. I suppose it sort of goes back to a discussion I had with my father back in the late 90's, when I told him Microsoft was pants-down stupid to be turning things on left and right when they weren't needed (and causing all sorts of hacking problems as a result). Dad's view was "someone might need it!" My view was "Then don't turn it on until it's actually asked for!"

All that said, whether or not Java belongs on the web *IS* a legitimate question. Personally, I don't think it does. Java is for applications, not for games on Facebook. Everything a web designer might want to accomplish can usually be handled through the browser itself, maybe with the help of JavaScript (which is usually what people are thinking of when they talk about Java exploits, a separate issue of its own) and/or Flash (which has security issues of its own). Pick the right tool for the job. If you don't need the broadsword, then by all means leave it home and just carry a dagger instead!
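
The "sanitize your input" point from the post, as an added example that is not part of the original post: a Java method for the sine-of-an-angle exercise that takes the angle as text and accepts only a plain decimal within a fixed range. The class name, the 3600-degree limit and the sample inputs are assumptions made for this illustration.

```java
import java.util.regex.Pattern;

public class SineInput {
    // Allowlist: optional sign, up to 4 integer digits, optional fraction.
    // Deliberately excludes exponents, hex floats, type suffixes, NaN and Infinity.
    private static final Pattern PLAIN_DECIMAL =
            Pattern.compile("[+-]?\\d{1,4}(\\.\\d{1,6})?");

    // Assumed limit for this example; pick whatever the application needs.
    private static final double MAX_DEGREES = 3600.0;

    /** Returns sin(angle) for an angle given in degrees, or throws IllegalArgumentException. */
    static double sineOfDegrees(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("no input");
        }
        String s = raw.trim();
        if (!PLAIN_DECIMAL.matcher(s).matches()) {
            throw new IllegalArgumentException("not a plain decimal number");
        }
        // Safe to parse: the pattern only admits strings parseDouble understands.
        double degrees = Double.parseDouble(s);
        if (Math.abs(degrees) > MAX_DEGREES) {
            throw new IllegalArgumentException("angle out of range");
        }
        return Math.sin(Math.toRadians(degrees));
    }

    public static void main(String[] args) {
        // Constructed sample inputs. Double.parseDouble on its own accepts
        // "NaN", "Infinity", "1e400" (becomes Infinity), "0x1p3", "1.5f" and "7200",
        // and throws an unchecked NumberFormatException for "abc" and "".
        String[] samples = {"30", "-45.5", " 90 ", "NaN", "Infinity",
                            "1e400", "0x1p3", "1.5f", "7200", "abc", ""};
        for (String in : samples) {
            String shown = "\"" + in + "\"";
            try {
                System.out.printf("%-12s -> %.6f%n", shown, sineOfDegrees(in));
            } catch (IllegalArgumentException e) {
                System.out.printf("%-12s -> rejected: %s%n", shown, e.getMessage());
            }
        }
    }
}
```

The check runs before the parse, so every rejection comes from one place with one exception type instead of depending on what the parser happens to tolerate.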