|
Just as Feedburner was the flagship feed stats clearing house, Google Reader is the dominant feed aggregator on the web. Millions of people spend large amounts of time in Google Reader, yet the app has only received visual downgrades over the past two years. Google Reader is feeling its age in a time when iOS feed readers are pushing the limits every day. Yet, there is still no real competitor. Feeds and feed readers are outside of Google's advertising space. So why should they care?
|
|
|
|
|
There were lots of reactions to my blog post Everything's broken and nobody's upset. Some folks immediately got the Louis CK "Everything's Amazing and Nobody's Happy" reference. Some folks thought it was a poorly worded rant. Some folks (from various companies) thought I was throwing developers under the bus, accusing them of not caring. Others saw a meta-goal and started a larger discussion about software quality. Is it easy for your users to report a bug?
|
|
|
|
|
|
With any product, if you decide to deploy it to production you need to be sure you fully understand its architecture and scaling profile. This is even more important with newer products like MongoDB because there is less community knowledge and understanding. This is partly the responsibility of the developers using those tools but also the responsibility of the vendor to ensure that major gotchas are highlighted. Let’s take a look at a few of the complainers to see what the issues were.
|
|
|
|
|
First reply there: "MongoDB sucks."
|
|
|
|
|
IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available to anyone else. Using the data to gain insights into the engineering and scientific community.
|
|
|
|
|
Clickety[^] [Forbes]
If you temporarily disabled Java during the last round of attacks on Oracle’s ubiquitous, buggy program, here’s more evidence that the time has come to remove it altogether.
/ravi
|
|
|
|
|
I find it funny that when it's Java that has a major security flaw, it's a big deal, but the weekly Windows Updates I get that say "fixes a vulnerability that could allow a remote attacker to take over the computer" are not an issue. Maybe I should uninstall Windows too?
|
|
|
|
|
+1
See how we've all been indoctrinated
|
|
|
|
|
It has been ever thus - just as when an OSX or Linux vulnerability is discovered it tends to get more press (in proportion to OS prevalence) than a new Windows vulnerability. Trouble is, Windows is ubiquitous (which makes it more of a target), and has had holes of various sorts for so long, finding more is both expected and not newsworthy.
It seems to me that the risk of dropping or replacing Java needs to be assessed against the risk of the incoming system being more vulnerable or less mature...
I attended a talk yesterday evening where it was pointed out that the entire country is effectively run entirely by knee-jerk reactions to events. It would be nice to think that our industry isn't like that, but I must admit it's getting very hard to see through these rapidly darkening rose-tinted spectacles!
|
|
|
|
|
Mike Winiberg wrote:
It seems to me that the risk of dropping or replacing Java needs to be assessed against the risk of the incoming system being more vulnerable or less mature...
Indeed, it's so easy to throw the baby out with the bathwater when these decisions are made (often by people without the technical expertise to do so).
It's a similar problem to that faced by countries which undergo a coup or revolution and replace the government with a completely new one - historically, the new government has frequently been an utter disaster.
And going back to software, I read a nice article a while ago discussing our tendency as programmers to point at dirty old "ball of mud" projects and say "oh what a mess that is, let's throw it out and start from scratch, having learned from those mistakes".
But then it turns out that most of that "mess" was there because you (or whoever wrote the code) had discovered and fixed many bugs and corner-case behaviour. So the new "clean" code starts out simple, but as these corner cases are rediscovered, the same thing happens all over again.
Two years later, you've moved on and the next programmer arrives, looks at your "clean" codebase and says "tut tut, what a mess... maybe we should..."
|
|
|
|
|
It's not news when it's a Windows box. You'd have no time to report anything else if you treated Windows vulnerabilities as news.
|
|
|
|
|
So we should start reporting the lack of any [current] vulnerabilities (if and when it happens) in Windows as news?
|
|
|
|
|
And replace it with....? .NET? Oops, it's got the same or worse flaws, even referenced in the same article.
|
|
|
|
|
Am I going blind? I see no mention of .NET in the Forbes article, let alone any claims that it has worse security flaws than Java.
According to Secunia, .NET 4.0 has 14 patched vulnerabilities[^], and none unpatched. I have yet to see Microsoft take four months to patch a .NET vulnerability, or wait until it's being actively exploited before treating it seriously.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Maybe not, this is what happens when you read far too many of these last week. The better story[^] detailing the real issue behind the partial story in Forbes. So no, it's actually not a Java Exploit, but a browser exploit.
With all that said, if I'm running as a non-privileged user and this exploit gives the attacker full control of my machine (windows most likely) then there's bigger issues afoot than a mere exploit in the JRE. This would imply an OS problem. Add to this that he references the Flashback exploit of several months ago as being a similar hole, note that for macs, at least, this "exploit" merely offered up to the user a request to install a trojan, nothing more, nothing less, and it required user intervention. From what I can tell, the windows version gives direct access to the machine, bypassing the user and security entirely.
So perhaps if people ditched windows, they'd be safer? After all, that's no more sensationalist a line than "time to ditch Java".
|
|
|
|
|
If you're referring to the vulnerability patched by last week's IE security update[^], it didn't give the attacker full control of your machine; it gave then the same user rights as the current user. If you're surfing the net as a local administrator with UAC turned off, then the problem isn't the OS!
And you've now digressed from your original claim that ".NET (has) got the same or worse flaws (as Java)".
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
No, I'm actually talking about the hole in .NET, which really is a hole. But apparently it was far enough back that it fell off my 3 week history. Shows you how time flies. The difference between .NET and JRE flaws is that under .NET under windows it can take over your machine, not just run with the current user privs. Despite removing the ability to manipulate tokens, or in spite of, it's still quite possible to dynamically inject code into DLLs and have them run as SYSTEM. That's also true of the JRE browser plugin flaws I suppose, although I haven't looked into it any deeper.
|
|
|
|
|
Which hole in .NET? I have yet to see a report of a .NET vulnerability which bypasses UAC.
For example: the most recent patch, MS12-038[^], states: "an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user."
Can you post a link to a single .NET vulnerability, patched or otherwise, which allows remote code execution under the system account?
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
How about this one? http://www.osvdb.org/71013 (although I'll note that my system does not appear to be affected, so perhaps it's a local problem?)
|
|
|
|
|
OSVDB: Location: Local Access Required
...could allow a local attacker to execute arbitrary code... ...the attacker would need to be a part of the Power or Domain user group...
So not exactly a remote-code execution vulnerability.
I suppose there's a possibility that an unpatched RCE could be used to get code onto the computer which could then take advantage of a local escalation of privilege vulnerability to execute further code as the system user, but that's not specific to .NET, and I'd be surprised if you couldn't do the same thing on a Mac.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Hi. It's a shame that this is passing with the "vendor standard" implementation of Java (or being more correct the JVM), but uninstall it is not necessary, what should be done is disable it by default in the web browsers (as it isn't as needed as it used to be), and enable it only on demand and only in some user approved web sites, another "fix" is to take a look at the Open Source implementations of Java and use those instead.
|
|
|
|
|
REMOVE IT ALTOGETHER!!!
It gives me allergies!
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
----
Our heads are round so our thoughts can change direction - Francis Picabia
|
|
|
|
|
I think you need less coffee - I mean Java.
/ravi
|
|
|
|
|
Now that you mention it, I really hate the taste of coffee (for real) and rely on energy drinks to get my caffeine dosage. Funny coincidence
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
----
Our heads are round so our thoughts can change direction - Francis Picabia
|
|
|
|