dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
14
share rss forum feed

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
reply to goalieskates

Re: Feds warn PC users to disable Java

said by goalieskates:

That overreaction may be due at least in part to the fact DHS is involved. We've seen a lot of vulnerabilities over the years, some of which went unpatched for years - but I don't recall DHS getting into the act before. The warnings came from software houses or researchers or independent testers. I don't want to minimize a danger, but the skeptic in me wonders if this isn't some sort of test - by DHS.

Federal government sites use java. So wtf?

I think it's nice DHS said something.

I'm still amazed some folks consider this a problem only with proprietary Java code, and conclude identical open source code is somehow invulnerable. This is a demonstration of faith not supported by any possible fact.

It appears both the open and proprietary Java versions should be considered vulnerable until someone demonstrates the open code isn't the same and is not vulnerable. Also waiting for Java proprietary to be patched, assuming the open source code is identical, sort of mitigates some of the claimed virtue of open source. Shouldn't the open source community have fixed this long ago?
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

said by pandora:

I'm still amazed some folks consider this a problem only with proprietary Java code, and conclude identical open source code is somehow invulnerable. This is a demonstration of faith not supported by any possible fact.

I don't think anyone has said is a problem with only proprietary Java code. No one has said open source is invulnerable. Not sure were you got that from.

In fact the advisory has been updated and OpenJDK and IcedTea are both listed as affected.

Does that change anything as far as I am concerned? No it does not. I am not disabling or removing Java from my machines. When a patch is released for OpenJDK I will apply it.
--
Chris
Living in Paradise!!

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..

1 edit

said by chrisretusn:

I don't think anyone has said is a problem with only proprietary Java code. No one has said open source is invulnerable.

The first post I replied to in this thread, indicated the solution (his solution iirc) was to disable Windows. As if this were a Windows problem. Upon follow up, I was assured the solution was open Java.

It doesn't appear either is a solution for this problem. Windows has earned a reputation for vulnerability on Internet over many years, and Linux a reputation for reliability. Windows has greatly improved it's security, while Linux when used as a desktop or desktop-like system (tablet, very smart phone) is almost always hackable (someone can find a way to get any phone or tablet rooted). Worse most customers are easily hacked by simple social engineering (almost any app will be installed regardless of what it does after installation).

The themes I was fascinated with were; 1) That Windows was the problem (in the case it isn't), and 2) Open source would save users from this hack (apparently not true in this case).

Sorry.
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


Selenia
I love Debian
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to pandora

Not saying the open code doesn't have certain vulnerabilities. It is fairly unlikely it is the same vulnerabilities though. The open source people have to use different code to achieve their goal, or run a severe risk of being slapped with a nasty lawsuit by Oracle. Same has long applied for things like Linux graphics drivers, too(btw, the open source radeon driver kicks the snot out of proprietary fglrx on my laptop, in terms of OpenGL performance, with no worries that upgrading my X or my kernel will break it. DirectX support is limited but I really don't need it for what I do in Linux.). There has also been no security alerts on the Open Java. With the number of devs that have been working on that project, I am pretty sure somebody has checked this out. It is not Linux perse that would protect against this vulnerability. It is running different code altogether that would. Oracle Linux users would be just as vulnerable, unless of course, they manage to comprehensively sandbox the app in question(Java). I used to run Firefox sandboxed, due to all its vulnerabilities, but found another browser I liked(Chromium) that sandboxes 1 of the biggest security liabilities on its own(Adobe Flash).
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.