Author: mmrmnhrm
Subject: Re: Yet another Java flaw Date: 10/2/2012 8:59 PM
I suppose it's not much different at all. But it is different from, say, installing Office or a game or some utility. With those, you know you're installing a program and have some idea of who wrote it and, presumably, you trust them. With these web-based programs, you have no idea what's going on. (Although doesn't ASP run on the server side and not on the client computer?) You're turning over your computer to some unknown programmer. And you may not even realize that you're doing so.
The only difference, in this context, is that a program like Office requires you to consciously go to a store (whether it's brick-and-mortar or an online e-store doesn't really matter) and install it, while a Java program is often automatically executed by the browser without bothering to ask the user first (because, y'know, if they didn't want the program, they wouldn't have come to the website, amiright?). This isn't really the user's fault, but rather the browser's for just running any executable that it happens to encounter along the way. A user can cause just as much damage to their system by opening a malicious Word document as they can by running a Java program. The only difference is that with Word, there's the added step of "Please download and mail this file to begin your warranty claim" (or whatever reason-du-jour provided by the phishing email is).

Really? I've only taken a couple of programming classes (mainly in that venerable BASIC, and a great many moons ago), and handling errors was one of the few things I took away from the class. Maybe I was lucky in the instruction I received.

Still, if they're not doing a good job of handling error situations, that creates the opportunities the black hats are exploiting.

Yup. Though in many instances, it's also a question of scope. By any measure, BASIC was pretty limited in what it allowed one to do with a system: load/save files, make the speaker emit strange noises, draw graphics. But by being limited, the worst you could do to your system was overwrite a system file (oops! boot from floppy and restore). Divide by zero? Program would either crash back to the interpreter command line, or return something silly. Divide zero by zero (c'mon, I know you want to)? Same. Some might say it's the programmer's job to handle all errors (like the academic exercise of throwing junk at a sine function I mentioned earlier), but that just isn't realistically going to happen. Once an error escapes the programmer's scope, it's up to the runtime environment to prevent things from getting out of hand. This is where the *NIX world shines, with very granular limits on both what programs are allowed to do, and also on what users are allowed to do. Not only does the program need permission to do something, but the user running that program also needs permission. If either check fails, the operation also fails. Unfortunately, Windows hasn't gotten to that level yet (which is why, despite the falling number of successful attacks on Windows itself, the problem is getting worse instead of better because such restrictions aren't enforced on client software like Adobe Reader, Word/Excel macros, and, yes, Java).

Perhaps that gets to the action item for us mere mortals. If you refuse to use Java, you may have to use other ways of accomplishing something on the web. If that means you are calling customer service instead of handling it on a company's web site, you're making a statement to the company that their web site is not doing what you need it to do. Call my glasses rose-colored if you wish, but if enough people do that often enough, the company may change their web site to work without Java.
You're going back to blaming the messenger and not the message. There's no reason why *JAVA* is bad. The problem is that browsers just go ahead and execute it without bothering to ask "Hey, I just saw this and, well, webmasters who actually know what they're doing don't typically do this. Do you really want me to run it?" Again, I think you're conflating Java with JavaScript. JS is a whole 'nuther terd, and I really wish it would die in a fire. As it stands, though, it seems that Oracle is doing its darndest to, well, I'm not exactly sure what. It's like they don't really know what to do with Sun's last great invention, and apart from providing fixes as problems crop up, I haven't seen any huge leaps forward in functionality or speed lately.

(I can't believe the Fool thinks 'terd' with a 'u' is profanity)