Subject:[jug-leaders] Re: Java 7 0day
From:Toth, Csaba (csab@Vanderbilt.Edu)
Date:Sep 11, 2012 12:53:51 pm
List:net.java.dev.jugs.jug-leaders

Maybe we can talk about this: "What should I do as JUG Leader and Java Champion? Stand up to the newspapers! (For that to happen, I would like some "inside" info
on this OR the Java Champions' mailing lists... I would like to help and
stand up!)"

I'm involved with the Linux User's Group, for example, and they had questions
about JVM 0-days. They are more IT administrators than developers and view things
from a security standpoint. As someone who is also into security, I can understand
those voices who advocate removal of the JVM.

I wonder what could be good communication practice to calm down outsider groups
about this issue. OK, the security-keen guys will be a tough one.

I personally told people that probably any other platform which has an
intermediate VM like Java has security problems. Java is just the most
widespread one and therefore it is an obvious attack target for hackers. (BTW: the
way these exploits are multi-platform proves how Java is really multi-platform!)
Another question was: which JVMs are affected? I know OpenJDK and IcedTea, and
probably other derivatives. I also told people that Oracle has a new rock-star security engineer, and Oracle
is working hard on getting things better. In my opinion, Oracle is learning and
maybe goes through some phase other big companies (like Microsoft) went through,
and those companies still improve.

I just interviewed my twin brother not so long ago, who uses Hardened Gentoo (I
don't know if anybody is familiar with that, but it is a super geek and paranoid
distro). He says that we indeed have a JVM on our own family servers, and it compiles well
with PIC (position independent code, so ASLR will work well), and these days only
MPROTECT has to be disabled in order to run it, but that's not system-wide, it
is for the JVM only. The situation has improved compared to 5 years ago. So
kudos for that.

The whole system's security shouldn't rely on the JVM's security; good luck to
any hacker trying to break into our system :>>>>>

Csaba

________________________________________
From: Mattias Karlsson [matt@gmail.com]
Sent: Tuesday, September 11, 2012 5:52 AM
To: jug-@jugs.java.net
Subject: [jug-leaders] Re: Java 7 0day

Dear JUG Leaders,

I have tried to keep a calm and balanced view on this topic. Unfortunately
that's not the case for the rest of the world... FUD or not... it affects many people. AND not only "Applets" or "plugins", but the
entire Java Platform... and the growth and acceptance of it.

Today our largest "tabloid" IT magazine woke up and published this LARGE front
page... http://twitpic.com/atdzr8

The Experts - "Dump Java" "The Java Platform has serious security issues"

Continued: "The storm of criticism has recently reached hurricane strength and several security
experts advise companies against using Java" (not applets, Java in general?)

It then continues with the Security Officer at .SE (largest domain
controller in Sweden): "It can be very serious for everybody. We have turned Java off. Problems arise
because it is complex software that has been patched and repaired for long enough.
Personally, I would be happy if Java was abandoned. Unfortunately, software
companies prioritize coming out with products to market quickly, rather than
spending time on safety."

This was said by a safety profile! .SE's Safety Manager, who has been named the 2012 safety profile of the Safety
Awards. https://www.iis.se/en/om-se/ses-sakerhetschef-utsedd-till-arets-sakerhetsprofil

What should I do as JUG Leader and Java Champion? Stand up to the newspapers! (For that to happen, I would like some "inside" info
on this OR the Java Champions' mailing lists... I would like to help and
stand up!)

OR at least expect Oracle to meet the journalists? "Oracle declined to comment on the criticism" http://translate.google.com/translate?hl=sv&sl=sv&tl=en&u=http%3A%2F%2Fcomputersweden.idg.se%2F2.2683%2F1.465018

:(

Regards,
Mattias Karlsson
http://www.linkedin.com/in/mattiask

Jfokus 2013 CfP is OPEN http://www.jfokus.com

2012/9/2 Frans Thamura <fra@meruvian.org>:

my opinion

I like more bug publication... and the Java case is different from the Windows case; this is a push to manage it, share how to fix it, or let the media recommend removing Java from your desktop, like IE6.

Windows is proprietary and closed development.

I think it will be better for these bugs to become part of OpenJDK rather than the Java SDK, and for there to be a community program to become a patch team to fix the bugs.

I believe the bugs will become part of the Java ecosystem.

Should we wait for Oracle to fix it? How hard is it to fix? Are there people smart enough out there to fix it?

Frans