Re: It may be reluctant to do so again,
& we may be reluctant to trust it again if it doesn't.
Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday. The company would not disclose specific details on the nature of the new vulnerability …
This post has been deleted by its author
So it may decrease Java usage AND it annoys Oracle?
I'm just glad I'm not one of the poor chaps who will have to rewrite heaps of bad code in another, less retarded language.
Unfortunately the CS classes all around the world will probably continue to consist mostly of Java for several years.
Unfortunately the CS classes all around the world will probably continue to consist mostly of Java for several years.
Surely the job of a programming course is to teach the fundamentals of programming, etc. The language(s) used are likely to be chosen to make teaching those fundamentals easier.
Do you really think students will finish a programming course and never learn another language ever again?
"Surely the job of a programming course is to teach the fundamentals of programming, etc. The language(s) used are likely to be chosen to make teaching those fundamentals easier.
Do you really think students will finish a programming course and never learn another language ever again?"
While it may be true on paper, in reality every language has its quirks and oddities and the first language you learn does have an influence on how you think about problems, and how you solve them. Of course you can learn new languages, and perhaps shift views as a result, but it's certainly far from instant and one could argue that you will never completely lose the reflexes induced by your first language. I have this co-worker, when reading his code in any language you can just see that he is trying to emulate GOTO every couple tens of lines or so. Yes, that's a pain. But who am I to judge? My code probably has a lot of quirks that annoy him as well.
Also, when virtually everyone knows a language it tends to be used, regardless of the merits of said language. And when students have spent the past couple years programming almost exclusively in Java, what language do you think they'll pick for a new project (if given the choice)?
If one language really leaves such a deep mark, then there are problems with the programmer. My teacher used to say: you're supposed to pick up a new language in two weeks tops. She was wrong about many things but not on this.
On the other hand, I haven't seen any details on why you think Java is a retarded language. Why and compared to what?
> If one language really leaves such a deep mark, then there are problems with the programmer.
Not really, no. Compare that to natural speech. Your mother tongue does shape your way of thinking. That's so deep that it's the main reason why deaf people have so much more trouble adapting in society than blind people.
> My teacher used to say: you're supposed to pick up a new language in two weeks tops.
That's probably the most retarded thing in this thread. It takes years to really master a programming language, and everyone knows that. I'm of course not talking "hello world" here.
> She was wrong about many things but not on this.
Oh yes she was, and so are you.
> On the other hand, I haven't seen any details on why you think Java is a retarded language.
> Why and compared to what?
Interesting question really. It has nothing to do with the language actually. Java is quite good. Not stellar, but not too ugly. It just has an utterly broken governance system, which leads to the current situation where some of the most active contributors are just denied a license to use it, and the Big Boss can't be arsed to fix basic vulns.
Also, Java is basically a scripting language that is used -badly- by many where a compiled language would be needed. Of course that has nothing to do with the language itself, it's just a problem with the morons using it.
> Java is basically a scripting language
What the hell am I reading?
If not, you may want to revise your basic assumptions about "scripting" and what "compilation" is about.
You're funny, mate. Honestly, how long does it take you to learn a new language? I didn't say /master/ - as we all know, it takes about ten thousand hours to become a master in anything. I could fish a reference to studies which come up with this rule of thumb, but what's the point? You're going to tell me I'm wrong, instead of telling me why.
In order to get a basic grasp of PHP and Python, it took me a week total - nothing fancy, but I could read the code and make sense of what was supposed to happen - even make small changes, would you believe that. Granted, I haven't touched either for a year so now I've forgotten all of it. Just like spoken languages, now that you mention them. My French is not as good as it was when I was studying it, and my Spanish and German keep being very bad. On the other hand, I can pick up American very easily.
</warning: contains a joke>
Oh I see, now you backtrack and say Java is a scripting language, but it's quite good - when that was not exactly what you said before. Gonna pick a side?
No stake in the whole Java is good/Java is terrible thing, but I do agree that learning one language tends to make learning other languages quite a bit easier. It applies equally to programming and spoken languages.
I learned Pascal at college (6th form, that is) over two years. When I left I learned PHP in... well yes, actually, about two weeks. After a couple of years I was a reasonably good amateur coder.
Yes, in PHP. Yes, I know, shut up.
At university I learned the basics of C in just a couple of lessons. Four or five hours to get from never having read the language to understanding (if not necessarily any sort of skill). Got top marks on that module because I tried something more advanced than merely replicating the tutor's instructions.
I wish I'd stuck with that, come to think of it...
...and the world is full of 'programmers' who have spent a week studying the syntax, can read the code and suddenly (consciously or subconsciously) think they know the language.
It may start with unimportant small changes, but small changes pile up and if the programmer can't step back and consider the program as a whole, because they haven't mastered the language, then the program will slowly become a mess of gaffer tape.
As an analogy, it's like getting a man in to fix a hole in a power plant component. Yes, he can see how you've used metal and weld a patch over this unwanted hole. However, you wouldn't then say, "This power station is basically made of metal, you appear to have mastered that, congratulations you have learned power stations", and set him loose to wander round making edits to your power station as he saw fit.
Compare that to natural speech.
Natural language use and programming are not comparable. They employ different mental facilities.
Your mother [tongue] does shape your way of thinking.
More vague handwaving.
That's so deep that it's the main reason why deaf people have so much more trouble to adapt in society than blind people.
Ah. Handwaving, unsupported assertion, irrelevant comparison, and offensive. That nicely sums up your entire argument.
"On the other hand, I haven't seen any details on why you think Java is a retarded language. Why and compared to what?"
Because it's not Lisp that is why :-) just a pretender to the throne like all others.
(anaphoric-if (figure-out *god*)
(format t "Figured out god is: ~a" it)
(format t "God remains a mystery."))
AAAGH!! A Lisp developer!! Y'all better watch out. They do come unhinged really easily (Is that an AK-47 under your coat sir?) I'm just saying this because I've never met a Lisp developer that wasn't completely batshit crazy.
And whoever said it only takes two weeks to learn a new language is just as nuts. Might take you two weeks to learn the basics of whatever but it's going to take much much longer to master anything, even Java.
Lots of insanity in this thread from what I've read so far. All we need is that big stupid guy or whatever the fuck his name is, as well as amanfrommars, with Barry Shitpeas on the side as a substitution and it's basically the El Reg insane asylum.
"My teacher used to say: you're supposed to pick up a new language in two weeks tops. She was wrong about many things but not on this."
The trouble is, there's a world of difference between "picking up" a language, and learning/mastering it. On a simple level, it is often possible to use a new language in a very similar way to the language you're used to. However, this isn't really learning the new language, and won't allow you to reap whatever benefits it offers when used by someone who actually understands, has mastered and can think in the language.
It's not just a problem with the language - <when I was a kid> none of the languages had the features that modern languages like C and Pascal offer but we were aware of the techniques that they used and implemented them in different ways. We didn't have unit testing but we threw shit at subroutines to see if they held together or made sure they didn't get fed shit.
If you found some new problem you worked out a way to prevent it happening again. I used to use several different languages to create tests over huge trees of code. Even with state of the art modern stuff like visual C 4 we used to do software management outside of it. Using the command line on the Vax cos DOS couldn’t do jack!!!
Most of the whippersnappers I've worked with since MS infiltrated colleges can't seem to work without their toys and don't seem capable of bootstrapping the things they need.
The revolution will not be fixed in the next release. It's been available for 30 years. Java is NOT shit - it's the fuckwits 'managing' and some coding in it that are giving that impression.
A bad workman always blames his tools - notice how Stonehenge built with antlers is still there and ask how long skyscrapers last. Making it easy to do things doesn't mean they're the right thing to do.
</when I was a kid>
"While it may be true on paper, in reality every language has its quirks and oddities and the first language you learn does have an influence on how you think about problems, and how you solve them. Of course you can learn new languages, and perhaps shift views as a result, but it's certainly far from instant and one could argue that you will never completely lose the reflexes induced by your first language."
I started with Pascal - can't remember any of it now. I do know Java, Python and a few other languages fairly well though ... Python and Java are quite distinct, and it does take at least 5 minutes to move from one mindset to the other.
the first [programming language] you learn does have an influence on how you think about problems, and how you solve them
Evidence, please. Can you point to any methodologically-sound studies supporting this claim? Or is it just a belief founded on anecdote that you're parading as fact?
The first programming language I learned was BASIC on the Commodore PET. I defy you to demonstrate a single significant way in which it influences "how I think about problems" or "how I solve them", in general or in any of the code I've written in the past two decades. (Want examples of the latter? Search for my Usenet posts that contain code samples; I've been on Usenet since '92.)
Surely the job of a programming course is to teach the fundamentals of programming, etc. The language(s) used are likely to be choosen [sic] to make teaching those fundamentals easier.
You might think so, mightn't you. Unfortunately today's CS students seem to expect to be spoon fed a language that will enable them to find gainful employment on graduation without any further mental effort.
... oh, wait. That can't be right, they're learning Java!
Beer 'cos there's no coffee-cup icon!
"The language(s) used are likely to be choosen to make teaching those fundamentals easier."
Cough, sputter, sputter. Read this: http://www.joelonsoftware.com/articles/ThePerilsofJavaSchools.html
Java is one of the worst languages to teach fundamentals of programming because it has one too many failsafes. In fact in Java you cannot teach even the most basic things like reference/dereference and pointer manipulation. It should be taught as an elective after (and on top of) basic CS material which uses something more low-level in which you can teach students basic data handling.
That's a popular article, but it's entirely speculative; Spolsky admits in it that it's based on his anecdotal experience.
Show me a methodologically-sound study that supports his thesis, and you might have a point. But as it is, it's just as easy for someone to claim that it's best to teach starting with a "safe" language and moving to more "dangerous" ones, than in the other direction.
I'd argue (indeed have argued elsewhere) that the key is teaching students to move across levels of abstraction, in both directions. And no, I don't have a study to demonstrate that; but it's as good a claim as Spolsky's, and in fact I'd suggest it's a stronger one, since it's more general and doesn't rely on the purported special pedagogical properties of certain kinds of abstractions.
(The article also makes other, far more dubious claims - for example about MapReduce and functional programming. Personally, I've never seen why people like Spolsky are so impressed by MapReduce; I think the core concepts are pretty obvious to an experienced practitioner. Certainly they're not far from a number of algorithms I've implemented over the years, in school and industry. While I like functional languages, I think their educational benefits have been overestimated by some.)
You obviously don't know what you're talking about and that statement makes no sense, it's the JVM not the language that is the issue, and then again only the bit used by applets. You might as well throw the same criticism at the dozen or so other languages that run on it. Additionally, it may only be Oracle's implementation of the JVM and not IBM's or Google's, or the many other open source implementations.
You might as well blame all Windows viruses on C# or Apple viruses on Objective-C.
its the JVM not the language that is the issue
No, actually, it's the Java Platform (Java's equivalent to C's Standard Library or the .NET Framework). At any rate, that was true for the first round of Security Explorations' Java vulnerability disclosure, and based on their statements about this round, it still appears to be the case.
While SE haven't released all the details, there's enough information in what they have published (on Bugtraq and elsewhere) to get this right.
and then again only the bit used by applets
I don't see anything to that effect in any of the SE postings I've read, and I don't see why that would be the case. The first vulnerability was due to an insufficiently-restricted elevated-privilege method in AWT, which is just as accessible from Java applications (or anything else that can call the Java Platform, which means any language that runs in the JVM) as it is from applets.
In short: the problem is not in the Java language. It is not in the JVM. It is in some of the code Oracle supply alongside Java, specifically in code for rendering GUIs (the AWT).
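As an added illustration (not code from the thread, from Oracle, or from AWT), here is the shape of the bug described above: a library helper that elevates privileges without first checking whether its caller is allowed to, beside the checked version. The class, method and property names are hypothetical; the demo assumes Java 8 (on JDK 17+ run with -Djava.security.manager=allow, since the SecurityManager is deprecated there) and simulates a sandboxed caller with a permission-less AccessControlContext.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

// Hypothetical "platform library" helper, constructed for this example.
public final class PrivilegedHelperDemo {

    // WEAK: the public method is reachable from any code on the JVM, and
    // doPrivileged() stops the permission check at this (trusted) frame, so a
    // sandboxed caller inherits the helper's privileges for free.
    public static String readPropertyWeak(final String key) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() { return System.getProperty(key); }
        });
    }

    // HARDENED: ask the SecurityManager whether the *caller* holds the needed
    // permission before elevating. checkPermission() walks the whole stack,
    // including the sandboxed caller's domain, and throws SecurityException
    // (AccessControlException) if any domain on it lacks the permission.
    public static String readPropertyChecked(final String key) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new PropertyPermission(key, "read"));
        }
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() { return System.getProperty(key); }
        });
    }

    // Run an action as though it were called from sandboxed code: a static
    // ProtectionDomain with an empty permission set is pushed onto the stack.
    static <T> T callFromSandbox(PrivilegedAction<T> action) {
        ProtectionDomain noPerms = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), new Permissions());
        AccessControlContext sandbox =
                new AccessControlContext(new ProtectionDomain[] { noPerms });
        return AccessController.doPrivileged(action, sandbox);
    }

    public static void main(String[] args) {
        // Grant this class everything (as rt.jar classes such as AWT have),
        // then turn checks on. The sandbox domain above is static, so it keeps
        // its empty permission set regardless of this policy.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        String home = callFromSandbox(new PrivilegedAction<String>() {
            public String run() { return readPropertyWeak("user.home"); }
        });
        System.out.println("weak helper, sandboxed caller: allowed -> " + home);

        try {
            callFromSandbox(new PrivilegedAction<String>() {
                public String run() { return readPropertyChecked("user.home"); }
            });
            System.out.println("checked helper, sandboxed caller: unexpectedly allowed");
        } catch (SecurityException e) {
            System.out.println("checked helper, sandboxed caller: denied (" + e.getMessage() + ")");
        }
    }
}
```

The same check-before-elevate rule applies whatever language the caller is written in, since the stack walk sees protection domains, not source languages.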
Which just goes to show that the real problem is GUIs, and if people would go back to using the command line then goodness and peace would reign o'er the earth. Lawn, kids, &c.
I'm shocked to hear that Java is taught as a "first" language.
In my mind, the "problem" with Java is that most of the people that use it seem to have no appreciation of what happens "under the hood" (to use that dreadful American expression). As a result, they quite happily write a few lines of code that look cool and do the job in hand, but they completely fail to understand the massive complexity and (often) massive inefficiency going on behind the scenes. Because of this, their Java code might work and it might "do a job" but it does it in a hugely inefficient way.
If you learn something like plain old C, or assembler, then you (should!) never fall into this trap because the stark realities of what is going on are blindingly clear to you, and you are forced to think (or at least you should be) of efficient ways of doing stuff.
A related problem is that Java is simply too high level. You don't need to think about what's going on underneath to make it work, so you don't. And so you never actually learn the low level stuff. And without the low level knowledge, you can't hope to write good software that is fast, efficient, fully debugged, and stable. I quite like PHP (or I used to - I fear it's going down the same bloated path as Perl), but I would never consider using it for anything "serious".
Java is the Visual Basic of the modern age (not that it's that modern any more); yes, it works. Yes, it might "do a job", but it promotes some very very bad habits, and, quite frankly, crappy programmers, because they don't actually understand what they are doing, even if they think they do. It's the equivalent of doing one of those numpty courses to teach you how to use MS Word, and then declaring that you "can do computers". It's exactly why the industry is constantly complaining that the quality of graduates is not good enough.
I second that, but to be honest Java started to smell like a "resting" fish long before Oracle came in to liberally add another layer of fail to it.
(BTW the current situation is exactly why RMS and others were warning people against Java since the dawn of time, only to be seen as loonie zealots by too many people. Well, guess who was right -again!)
> RMS and others were warning people against Java since the dawn of time
RMS preaching in the desert, foretelling the Apocalypse of Sunacle via the Number of Larry, while Philistines give him the Palestinian equivalent of the middle finger and program away on Java 1.0 stone tablets, -4000 AD or so? Sounds likely.
Still, what did they say?
"Trying to find an alternative to Virtualbox?"
If you are flush VMWare stuff is just much better than VirtualBox. Like, much, much, much better. They don't even compare. At the very least one order of magnitude difference in speed.
If you are short in cash but are using hardware that supports virtualisation QEMU comes reasonably close to VirtualBox in terms of speed and ease of use. Certainly much closer than VirtualBox is to VMWare. I for one moved all my personal VirtualBox machines over to QEMU the instant "VirtualBox" became "Oracle VirtualBox" (yes, I very much dislike Oracle and its habit to screw over customers. In that case Oracle's official roadmap including removal of a lot of base I/O features from the free version did it for me. They kept their word, too.). Not looking back so far.
"If you are short in cash but are using hardware that supports virtualisation QEMU comes reasonably close to VirtualBox in terms of speed and ease of use."
Maybe for simple tasks but not for demanding apps. Which is not surprising considering that QEMU is *NOT* virtualization, it's an emulator. VirtualBox (as the name says) on the other side is a true virtualization platform.
"I for one moved all my personal VirtualBox machines over to QEMU the instant "VirtualBox" became "Oracle VirtualBox""
So why did you move from virtualization to an emulator, when there are many other alternatives to VirtualBox out there (i.e. VMWare Player)?
We should soon find an alternative. Something that works; GNU/FSF or Apache should start something by talking to Intel and AMD.
Or IBM, with one of their true open source licences.
VirtualBox is doing fine because of its initial codebase. Companies like Oracle can spoil everything.
From what I understand these holes exist when running Java code from a web browser. With Freenet you are essentially running a proxy, so your browser doesn't need to run any Java code. Just disable Java in the browser (or use a simple Java-less browser like Dillo or even w3m, Lynx etc). Although Freenet does suffer a lot from being written in Java (well, it's a pig to run to begin with).
Oh I don't mean the Java bug. I mean another round of inevitable comments from people writing "who uses Java these days" and other such informed wisdom.
I think I'll write an app which automatically posts such a comment every time a story with the word "Java" is published. In Java.
This post has been deleted by its author
I remember reading somewhere that some of the previous bugs (or similar) did exist in at least one other JVM (an OSS one) but had been squashed when they were found. I cannot remember where I read it or which JVM, so you might want to do some fact-checking, but there you have it.
As this new one apparently arises from Oracle's poor patch, they should be specific to Oracle's JVM.
I did not really check seriously though, as I try to avoid using Java whenever possible -still have it installed on most of my machines, natch- and I would certainly never allow it to run within a web browser, ever.
(I know, some persons kind of have to, but in that case I made my own luck really: that was one of my criteria when choosing a bank, and I did rewrite some stuff at work -in python mostly, and I had a webmonkey bake some PHP also. He dislikes Java as much as I do so it did not take much persuasion, I just gave him an excuse in case someone higher up the food chain would throw a hissy fit over it. And yes, I know, Python and PHP are not perfect yadda yadda yadda. Watch me not giving the slightest hint of a fuck. At least they're not Oracle's, to list only the top reason)
The main vulnerability (something asinine like allowing removesecurity() to run without checking permissions) that led to this patch was specific to Oracle's official distro of 1.7 - versions 1.6 and OpenJDK (the default version of Java for most Linux distros) were not vulnerable.
Of course, that's one of 20+ vulnerabilities reported earlier this year. Odds are that most of them are not new regressions to the Oracle stream... as for which of these are present in OpenJDK who knows.
"I did rewrite some stuff at work -in python mostly, and I had a webmonkey bake some PHP also. He dislikes Java as much as I do so it did not take much persuasion"
> Wants to get rid of Java apparently for no good reason whatsoever except it's Java
> Rewrites "some stuff" at work in Python/PHP with a webmonkey on the side
> 100% sure he hasn't upgraded the attack surface, possibly to "access all areas"
I wouldn't place the entire blame, actually very little, on Oracle nor Sun. Fundamentally it comes down to reflection and security contexts, especially the inheritance of security contexts. Inheritance, and their idiotic reliance on reflection to make things *easier*, is true of many (most?) software language designs today. Dump reflection, since dumping inheritance would be considered too extreme, would fix this. Then again, some people might have to really *think* about the class of problems that reflection was supposed to help with.
I've seen the languages come and go, quite often taken out of the game by, in reflection (pun intended), a desired feature with major unintended consequences.
Maybe they are still thinking that all publicity is good publicity.
I don't like Java, but I'm pretty sure that this is a problem of the run-time not the language.
"The revolution will not be fixed in the next release."
-Very nice, quotable statement. I'd probably get fired if I said that at work (they would think I was talking about the company product) :P
Which Frank? I hate Java too, but its not me.
Hell, I don't even have Java installed on any of my machines anymore except the one I use for Army Knowledge Online because the Army's dumb enough to require Java for damned near everything on AKO. It's really dumb considering some of the information that goes across that network.
My first language was BASIC on an Atari 800 XL, then Turbo Pascal in high school, at the university level Fortran, then Modula-2.
After the first introduction to programming class, people finished their assignment in whatever language they wanted. Everyone learned C and at least some C++, Java was less popular. If you actually wanted to be taught a language it was a 1 credit hour pass/fail class, but people only took that when they needed more credits to reach full time status.
Obviously the class on x86 required assembly language and a lot of the Knowledge Based Systems/A.I. classes used languages like Scheme and LISP.
I don't think the languages you learn have much importance, unless you're the type to learn just enough to get by then stop.
I personally wasn't that great a C++ programmer, until I read a couple of good books on design patterns.
I'm kind of sick of half-open things becoming de facto standard. In a way, it's worse than having fully closed things like Windows, because Oracle pretends it to be open. I'd really like a nice W3C approved binary/VM web standard.
On the Web-Java side we have IcedTea which doesn't work much. On Flash, we have Flashdevelop, Haxe, and Gnash, which doesn't work much. Oracle has Java sewn up, like Adobe has with Flash. HTML 5 is very limited as to the binary you can stream at the moment. Something completely different might be called for. These latest security blips are just convincing me more.
Anyone know of anything like that? I wouldn't mind forcing my users to download a "plugin" if I knew it was GPL'd, and cross-platform W3C standard (and it worked!)
I wonder if all (/some of) these "mission critical" programs written in java could be saved by compiling java code to native machine code (I believe compilers do exist).
Might allow people/companies to keep using the java programs they rely on and have invested time and money in, but without all the risks of leaky-bucket java runtime.
Of course. It's similar to how Android works with its Dalvik version of Java (Java bytecode is compiled closer to machine code on package installation).
And it's easy to do yourself anywhere: http://en.wikipedia.org/wiki/GNU_Compiler_for_Java
But the GNU version is a bit on the flaky side, and cannot compile everything. There is a 'commercial' option that works more reliably, but it costs: http://www.excelsior-usa.com/jet.html
Also, be aware that compiling to machine code in advance can actually *decrease* execution speed, since the JVM watches how the code is executed to gather information on how methods should be compiled for optimal efficiency, especially when the JVM is run in 'server' mode using the -server flag to enable way more aggressive optimization.
But none of these options will have any effect on the bugs in this article, since they all appear to only have any effect on 'sandboxed' applications run in a web browser. Applications run directly are not placed in a sandbox, just as straight machine code isn't.
With all the patent litigation flying around the tech sector, it's nice to see a part of the IT community where real, genuine competition still thrives. Oracle is competing with Adobe to make the most insecure, vulnerable software available, and we as computer users reap the bountiful rewards of that competition.
From Friday, 31 Aug 2012:
"... Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again."