Thursday, October 14, 2010

 

Suddenly, a huge collection of security updates for Java

Oracle is not wasting any time coming up to speed at releasing updates now that it has recently become the owner of Java.  Their recent update for Java 6 fixes a huge number of bugs.

Here is a short article about the recent Java 6 security update by computer security reporter Brian Krebs, formerly with the Washington Post.

Java 7 has not been released yet.  It is still under development.  So Java 6 is probably the version of Java that most people have.

If you have a Mac, Apple generally rolls these patches out periodically in their own subsequent updates to Mac OS X.

If you have Windows, Microsoft does not do this, since they are not involved with optimizing Java for their platform or contributing improvements back to Sun (now Oracle) like Apple does.  On the other hand, you can get these updates sooner than Mac users do in many, though definitely not all, cases.

Regardless of which OS you run, you should update your Java when the updates become available.  As with any software, make sure you get them from the vendor, not from random, convenient-looking web sites you find by doing a web search or from unofficial torrents.  Get patches for the Windows version from oracle.com, and the Mac version gets updated when you run your Software Updates command.

By the way, the Flash update that came out in the middle of 2010 fixed more holes than this Java patch did.

I guess the real number in the back of people's minds after the huge bundles of patches that came out in the first half of October 2010 for Flash, Java, Windows IE, and Windows itself is ... how many more exploitable security flaws are left in each of these?

And of those that are left, how many will be exploited?



Friday, September 24, 2010

 

How Oracle lost James Gosling, father of Java

Java is a famous programming language.  It is probably the most popular language in the United States today and maybe the world.  So it is kind of a surprise that when Oracle bought Sun, it got Java, which is one of its best known assets, but lost Gosling, who invented it.

It is kind of like they got a fish but lost the fisherman.

Gosling invented much, much more.  He wrote Gosling Emacs, and while at Sun some other programming languages - plus a neat graphics subsystem.

People will argue whether Oracle made a mistake or not but for most of us, the answer is meaningless.  The heavy fact is he is not working where Java is and so Java has lost its daddy.  Gosling was deft at a lot more than just designing a new language and throwing cool features into it.  He knew what to leave out.


Everyone knows that throwing the wrong features or too many features into a programming language is what kills it.

Look at PL/1; it does everything you can imagine and stuff you would never dream of, and gives you shocking unexpected bugs as a consequence.  Look at Ada, the programming language that sank under its own weight.  Pascal killed it by being simpler and cleaner.

Last but least, look at C++.  It wound up being bloated and complex, and it is difficult to impossible to write reliable, stable, long-running programs in it.  If you do not believe me, and you probably do not - go look up exception handling, memory management, constructors, and initializers in the spec and see if you can figure out how to handle an exception being fired off in the initializer of a constructor without leaving dangling pointers or references, partly uninitialized objects, or leaking any memory!

The fingerprints on the dagger in C++'s back, by the way, are Java's.  Java handles exceptions going off in constructors just fine.  It had a clean design by a man who knew and could think about all those issues and a raft load more at once.  In C++ and a lot of other complex or messy languages, when you are struggling to do something the "right" way, and realize there is not one in the language, you wish the inventor had been more like Wirth or Gosling.

The disappointment that came from reading the interview is that Gosling did not say what he would be doing next.  I think it would be pretty exciting to see him at IBM or Google.  Both companies are using Java very heavily to make billions of dollars every year.  Gosling's handiwork has been good to them.  Perhaps he could do some more for them.

Apple is another popular roost with language inventors.  If memory serves, Niklaus Wirth and/or Alan Kay worked there for a while.

At one point years ago, Gosling said Apple did not get Java.  But Gosling got an Apple PowerBook, and Apple made some of the best stability improvements in Java JDK 1.4, leading to the very robust JDK 1.4.2 release.

I have programmed a little in Objective-C and based on the software Gosling has done in the past, I imagine there are things he would really like about it as it is now and some things he would like to change about it.  I imagine there are also some things Apple would like to have him figure out new ways to do more elegantly in Objective-C.

If you look at only the concrete things in programming languages, Apple and Gosling did things differently in the 1990s.  However, recently, Apple has added some very Java-like features to Objective-C.  And in the past, Gosling did things that are more similar to Objective-C than Java.

If you take a couple of steps back and regard something a little less tangible but perhaps even more potent, engineering philosophy - I think Apple's OS engineers and Gosling are very, very simpatico.

They like stuff that by design is hard to make fail on purpose and does not fool you into doing something you think is safe when it is not, even when you are not the biggest genius on the planet with nothing else on your mind that day.

Google has a brain trust of programming language engineers right now that includes the inventors of Python and C.  Apple has lead engineers from FreeBSD and Konqueror but so far no well known, highly skilled and educated programming language inventors.

In a way, Gosling would do a very good job of providing parity between Apple and Google. And I think in a lot of ways, that is something that Google really likes.  Google seems to seek out a form of equilibrium with Apple.

I think Apple hiring Gosling would validate Google's current forays into programming language development, and also help the two companies work shoulder to shoulder each knowing the other company had peers that could understand each other.  Because they would.  Peer-to-peer matters in technology companies working together. Helps things go better and a lot faster.

The planet is pretty Gosling-compatible right now.



Tuesday, June 08, 2010

 

out of date Java virtual machines blamed for browser security problems

Brian Krebs recently published an article on how web hackers are most successful at breaking into computers via the web browser.

Java applets were slightly ahead of Adobe fare this time.

Obviously, people need to keep updating their Java on their computer or turn it off or remove it until they can start updating it again regularly.  Java on Windows has come with a tool for a long time that automatically alerts you when your Java is out of date and offers to update it for you.  So I am not sure what the problem is.

Adobe has one for Flash, but ironically it only works if you have Flash turned on and is in fact written in Flash. It is boondoggles like this that make it fairly certain that Adobe does not yet get the problem of Flash security.

Another surprising fact in the article is that it is apparently easier for hackers to hack a computer if it is running IE 8 than IE 7, despite IE 8 being a lot newer.  The trend does not look like newer versions of IE being safer.

The underlying problem is of course bugs. Many security problems arose out of nowhere with the web. They have nothing to do with the Internet itself, the underlying HTML/CSS standards or the HTTP web protocol. They have everything to do with buggy software that reads and presents HTML, CSS, PDF, applets, Silverlight, Flash, etc.



Monday, March 01, 2010

 

just now installed JavaFX SDK

Just now installed JavaFX for Mac OS X in my NetBeans 6.8 IDE.



 

NetBeans updated to 6.8

I downloaded NetBeans 6.8 this morning.

It has been a while, but not super long, since I updated NetBeans.  The version I had was 6.5.  However, I learned that version 6.8 was out last night.

This is the first time I downloaded NetBeans since Oracle acquired Sun.



 

heard from an old colleague

Heard from an old colleague a week or so ago.

He learned Java.  Back when we worked together, Java had just come out and we were doing C++.

He is going to be sending me some code to review.  Should be fun.



Thursday, January 28, 2010

 

Oracle wasted no time rebranding Java from Sun to Oracle

Oracle completed its acquisition of Sun very recently.  A few days ago, the java.sun.com web site looked pretty much as it always had.  Today, I got on there and noticed it has been re-branded from Sun to Oracle.

That makes the merger seem pretty real to me.



Saturday, January 16, 2010

 

Big disappointment over Java programming magazines I used to read

I started learning Java as soon as it came out in 1995.  I built up a set of resources like magazines and web sites, that I could use to learn to keep up with it.

Unfortunately, Java journalism is not what - or at least where - it used to be.

My two favorite magazines back in the day for a while were Java World and Java Report.  Today, I found the Java Report site was down.  Last night, I found the Java World site was more like a blog than the rich, stunning, program/tutorial packed magazine it used to be.

One of my Java magazine links is still great, though - Eclipse Developer's Journal.  It has many fresh articles with useful, instructive information, lots of illustrations - just like the others were in the old days.



Monday, January 11, 2010

 

Google App Engine has a terrific tutorial video for Java developers

Google added Java programming language support to their AppEngine cloud service last year.

Here is one of the finest demo/screencast tutorial videos I have ever seen on the web for programmers. Text in the screencast portion is readable even in regular-sized video mode.



I was pretty amazed that Google supports both JPA and JDO.  You can use either of those two APIs to store your Java web application's data in the Google Datastore web service.  That gives your App Engine applications a very easy, natural way to store data in the cloud!

Plus, of course it supports JSP, servlets, etc.  They really have made AppEngine a seriously powerful tool.

They made it easy to do web user interface, object-oriented data persistence, and so forth.  It is basically the power of an enterprise-like runtime environment in the clouds, for free use by mere mortals.

They limit how much resource you can use in a day, and I think per minute as well.  It makes sense.  Of course they have to throttle things somewhat to prevent DoS (denial of service) due to application programming errors or malicious programmers.

If you are a Java programmer, I really think you should watch this video.

Personally, I would really like to try my hand at writing a Java AppEngine web app in the Google cloud using JDO with App Engine to handle data storage needs.  Being able to publish a Java application that uses JDO and the latest web technology is a nice capability.  Being able to publish it myself - for free, is way beyond any expectations I ever had.

Ajax (asynchronous JavaScript and XML) user interfaces are something that has been popular on web sites for half a decade.  Amazon's online store and a lot of Ruby-based social web sites were the first to really dive into this and make it popular.

Eventually, it became pretty much de rigueur to do web interfaces this way, instead of traditional click-button-and-wait web user interfaces.  The reason is pretty simple.  Traditional HTML or DHTML applications were like running an old-fashioned "block mode" terminal back in the 1970s.  You fill out a form, click a button, then wait for the server to process the data and send you a new screen-full to look at or fill out.

An Ajax application, on the other hand, makes a web application look and behave to the user just as if it was a desktop GUI application.  This was the prevalent type of user interface for computers in the 1990s.  The highly interactive Ajax GUI makes a web application feel just the way the bulk of computer users today are used to from computers.

Someone has created a screencast demo of a Java App Engine application that has an Ajax user interface.  Watch Appirio's experience with Java App Engine and GWT (video).

That video shows that a free Google App Engine application with a very nice-looking, modern user interface (GUI) can be written and deployed on the Google cloud.  The Ajax functionality in the Java application is obtained by using Google's GWT GUI components.

My opinion is that Google is on the vanguard of popularizing cloud computing.  They have pushed down barriers to entry for both users and developers alike.  Their free components and free web services have revolutionized modern computing.

Java developers have joined Python developers as part of the movement that helps bring this to life.  It does not take a company anymore.  It just takes you.
