Author: mmrmnhrm
Subject: Re: Yet another Java flaw Date: 10/2/2012 3:31 PM
Recommendations: 8
Peter, you start off ok, but then kinda lose it, as the blame lies just as much in the programmer as it does with Java itself.

Java is a programming language. What makes it handy for web site designers is that the user has to install a program on their computer that handles all of the details of making the program run on any specific kind of computer. It's a program that runs other programs.

So all the web guy has to do is write the program to do what they want it to do. They don't have to worry about all of the differences between Windows and Macs and UNIX users. That's handled by the Java piece the user has to install.

So far, so good. Let me take you back to the early childhood of personal computing... 1985. The lingua franca of the world, and an ancestor of Java (in spirit if not flesh), is BASIC. Functionally, it is identical. It is, in your words, "a program that runs other programs." It didn't matter whether you wrote (or copied out of a magazine) the code to an IBM PC-XT, a Commodore 64, an Apple IIc (or one of them newfangled Macintosh thingies), an Amiga, or an Atari XL, as long as the computer had a BASIC interpreter, it would run the program. If by some miracle you could find a computer that could read disks other than its own native format, you could even copy the programs from one to the other, make no changes, and have them work! Just like your modern-day web programmer.

You might be able to see the problem here. If you let a program run on your computer, you're giving that program access to your computer.
This is where you begin to wander off the trail. There is no problem here. The very act of running a program gives it access to your computer. It doesn't matter whether the program is written in Java, C, C++, C#, FORTRAN, COBOL, LISP, VB, .NET, ASM, or any number of other languages, both arcane and common. Is C# somehow more secure than C++? Or COBOL more secure than Java? No. In fact, some languages have even less ability to protect the user from malware than Java, as they lack the security certificate mechanisms (which are currently giving me all sorts of grief as I try to get an older program running again).

And with Java, you're giving access to some random web site designer to do an awful lot of things on your computer.
And this is different from .NET, PHP, ASP, VB, Flash, and HTML5 how, exactly?

One of the bad guys favorite things to do is to create errors. (That would be something like trying to divide by zero.) Programmers generally are pretty good at handling errors, but they're not perfect. So the bad guys poke around a lot until they find some kind of error that isn't handled correctly. That can make the computer do unexpected things. Those baddies find out what that unexpected thing is and then take advantage of it to get more access to your computer than you think you gave them.

Often, they'll take advantage of that additional access to install another program on your computer without your permission. That stuff is malware. It generally does bad things. At best, it just makes your computer run slower. At worst, it steals various pieces of information and sends them on to the baddies, who figure out a way to convert that information into money.

And here we're getting to where I think you're going wrong. Programmers *SUCK* at detecting and handling errors, to the point that college exercises are designed specifically to make students think about what happens if unexpected input is received. If the assignment is to return the sine of an angle, and you store it as type integer, what happens when the user feeds you a float? How about if you store a float, but the user provides a double? Or worse, a string!! Bad People(tm) take advantage not of the language directly, but of programmer inexperience, incompetence, or sheer laziness. Sanitize your input, and it doesn't matter what is fed in, garbage in = try again loser!

Often, they'll take advantage of that additional access to install another program on your computer without your permission. That stuff is malware. It generally does bad things. At best, it just makes your computer run slower. At worst, it steals various pieces of information and sends them on to the baddies, who figure out a way to convert that information into money.
Yes, but again, how is this any different from exploiting holes in Internet Explorer, Firefox, Chrome, Safari, and Opera, or any of their plug-ins (I'm looking at you, Flash and Adobe Reader)?

And that's my translation of the problem with Java. It's not that Java is a badly written program. On the contrary, it's fairly well-written. The problem is that by its very nature it creates security holes. And those holes are difficult to impossible to close. The only real way to close the security holes is to get rid of Java completely. That means you might not be able to do some things on some web sites. But that's the price to pay for eliminating this particular security threat.
No, just because it exists doesn't create security holes. Or rather, it enables only the security holes the programmers or compilers create by not testing their software, or assuming someone/something else will handle protecting users. Get rid of Java completely? Then what will programmers use when cross-platform compatibility is needed? Sorry, but I don't think anybody wants to figure out how to extend BASIC to handle high-res 3D graphics and optimal path routing. I suppose it sort of goes back to a discussion I had with my father back in the late '90s, when I told him Microsoft was pants-down stupid to be turning things on left and right when they weren't needed (and causing all sorts of hacking problems as a result). Dad's view was "someone might need it!" My view was "Then don't turn it on until it's actually asked for!"

All that said, whether or not Java belongs on the web *IS* a legitimate question. Personally, I don't think it does. Java is for applications, not for games on Facebook. Everything a web designer might want to accomplish can usually be handled through the browser itself, maybe with the help of JavaScript (which is usually what people are thinking of when they talk about Java exploits, a separate issue of its own) and/or Flash (which has security issues of its own). Pick the right tool for the job. If you don't need the broadsword, then by all means leave it home and just carry a dagger instead!
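The sine-of-an-angle exercise above, worked through as an added example that is not part of the original post. The post's point is language-independent, so this is written in Python rather than Java: the "naive" version trusts that its input is an integer number of degrees, and the "safe" version validates the text before converting it, rejecting strings, NaN/Infinity spellings, values that overflow to infinity, and out-of-range angles. The degree interpretation, the accepted range, and the sample inputs are assumptions made for the example.

```python
import math
import re

# Constructed sample inputs of the kinds the post describes: an integer, a float,
# a small double-style literal, a string, and a few hostile edge cases (assumed).
SAMPLE_INPUTS = ["30", "3.5", "1e-7", "abc", "", "nan", "inf", "1e400", " 45 "]


def naive_sine(text):
    """The assignment as written: assumes the caller hands over an integer
    number of degrees. Anything else raises an exception the caller may
    not be expecting, which is exactly the unhandled-error case the post
    describes."""
    degrees = int(text)  # ValueError on "3.5", "abc", "", "nan", ...
    return math.sin(math.radians(degrees))


# Decimal number with optional sign, fraction and exponent. Deliberately
# narrower than float(), which also accepts "nan", "inf", "infinity" and
# surrounding whitespace we have not stripped ourselves.
_NUMBER = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def parse_degrees(text, lo=-360.0, hi=360.0):
    """Validate before converting. Returns a float, or None when the input
    is not an acceptable angle (the "garbage in = try again" path)."""
    if not isinstance(text, str):
        return None
    text = text.strip()
    if not _NUMBER.fullmatch(text):
        return None  # rejects "abc", "", "nan", "inf"
    value = float(text)
    # "1e400" passes the regex but overflows to inf at conversion time;
    # the range check also rejects absurd but finite angles (assumed bounds).
    if not math.isfinite(value) or not (lo <= value <= hi):
        return None
    return value


def safe_sine(text):
    """Returns (value, None) on success or (None, message) on rejected input.
    Nothing here raises on bad input, so the caller cannot forget to catch it."""
    degrees = parse_degrees(text)
    if degrees is None:
        return None, "garbage in: try again"
    return math.sin(math.radians(degrees)), None


def run_all(inputs):
    """Feed the same inputs to both versions so the difference is visible.
    For each input records (naive outcome, safe outcome)."""
    results = {}
    for s in inputs:
        try:
            naive = naive_sine(s)
        except ValueError as exc:
            naive = f"unhandled {type(exc).__name__}"
        value, err = safe_sine(s)
        results[s] = (naive, value if err is None else err)
    return results


if __name__ == "__main__":
    for raw, (naive, safe) in run_all(SAMPLE_INPUTS).items():
        print(f"{raw!r:>8}  naive={naive!s:<22} safe={safe}")
```

The naive version is not wrong for the input it was designed for; it is wrong for everything else, and whether that turns into a crash, a silent wrong answer, or something worse depends entirely on what the surrounding code does with the exception. The validated version decides up front what an acceptable angle looks like and refuses everything else, which is the only part of this that has anything to do with security.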