Java - AVS Forum
post #1 of 29 Old 08-12-2013, 05:02 PM - Thread Starter
Newbie
 
caroln's Avatar
 
Join Date: Jul 2013
Posts: 6
Liked: 10
Hello All,
I still have Java disabled on my computer. I haven't heard anything about that it's safe yet. Is there any current information on whether Java is safe to use yet?

Thanks.
Carol
caroln is offline  
post #2 of 29 Old 08-13-2013, 05:32 AM
 
cybrsage's Avatar
 
Join Date: May 2007
Location: Harrisburg, PA
Posts: 8,074
Liked: 147
Depends on what you mean by safe. If you mean "will not crash my computer", then it is safe. If you mean "will never have a vulnerability found" then it is not safe - but neither is the web browser you used to post this question.

Basically, if you find you need Java for things then you should download and install it. Make sure you keep it patched (check regularly) and you will be fine. Sun does a good job with closing the holes found in Java. If you have no need for it, don't install it. Why add a potential problem?
cybrsage is offline  
post #3 of 29 Old 08-13-2013, 05:05 PM - Thread Starter
Newbie
 
caroln's Avatar
 
Join Date: Jul 2013
Posts: 6
Liked: 10
Thanks for the reply.

There's only one thing I have found that would work better with Java, so I guess it's not worth the bother of having to stay on top of all the patches all the time.

Could you please elaborate on what you mean about the web browser I'm using not being safe? I use IE. Is that not safe?
caroln is offline  
post #4 of 29 Old 08-13-2013, 05:09 PM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
To answer your question, no, Oracle has still not fixed the hole that James Gosling did not know that he created such a large security risk, at the time he came up with it, back in 1995. Since Oracle now owns Java, they have obviously figured that it is not worth fixing, or the security holes would no longer be there.

Chrome has written their own version of Javascript for their browser, and that they "Sandbox" the browser, it does help to keep the risks down, but still regardless, they are still there.
gregzoll is offline  
post #5 of 29 Old 08-13-2013, 05:20 PM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
Quote:
Originally Posted by cybrsage View Post

Depends on what you mean by safe. If you mean "will not crash my computer", then it is safe. If you mean "will never have a vulnerability found" then it is not safe - but neither is the web browser you used to post this question.

Basically, if you find you need Java for things then you should download and install it. Make sure you keep it patched (check regularly) and you will be fine. Sun does a good job with closing the holes found in Java. If you have no need for it, don't install it. Why add a potential problem?
Sun no longer owns Java, Oracle does. As for closing the holes, they actually have not fixed anything. See http://nvd.nist.gov/ and http://www.us-cert.gov/ncas for current list of vulnerabilities

Latest update for Oracle Java was in June, and like I stated, did not address the longest hole that has been in there. Even worse, the Android platform is having its own problems with Bitcoin, due to Java.
gregzoll is offline  
post #6 of 29 Old 08-13-2013, 05:29 PM
Member
 
wraslor's Avatar
 
Join Date: Feb 2009
Posts: 140
Liked: 15
Lmao define safe? Anything connected to the internet will never be "safe" having sharp utensils in your house is not "safe".

You will be as safe using java as you are using internet explorer. Why do you think using java would make you unsafe?
wraslor is offline  
post #7 of 29 Old 08-13-2013, 05:55 PM
AVS Special Member
 
Sammy2's Avatar
 
Join Date: Mar 2011
Location: Right next to Wineville, CA
Posts: 9,662
Liked: 169
Quick! Unplug the ethernet patch cord!






It is no less a problem than any other app. A lot of us use server software such as Plex and have open ports in our routers without issues.

Sammy2 is offline  
post #8 of 29 Old 08-13-2013, 06:24 PM
Advanced Member
 
Dropkick Murphy's Avatar
 
Join Date: Dec 2008
Posts: 581
Liked: 57

Dropkick Murphy is online now  
post #9 of 29 Old 08-13-2013, 07:46 PM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
Quote:
Originally Posted by wraslor View Post

Lmao define safe? Anything connected to the internet will never be "safe" having sharp utensils in your house is not "safe".

You will be as safe using java as you are using internet explorer. Why do you think using java would make you unsafe?
You are only as safe as the person using the computer, driving the car, handling a hand gun or rifle, hitting a baseball. It is called educating the user, is how you make them understand how to be safe out on the Internet, and that is by letting them know the dangers, not hiding the info from them, and acting like they do not need to know.
gregzoll is offline  
post #10 of 29 Old 08-13-2013, 07:48 PM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
Quote:
Originally Posted by Sammy2 View Post

Quick! Unplug the ethernet patch cord!
It is no less a problem than any other app. A lot of us use server software such as Plex and have open ports in our routers without issues.
If you are operating with open ports on your router, you have no business managing one, or even in the business of IT if you feel that it is safer to leave it wide open. As for Plex, it has its problems just like everything else out there, because Plex is only as safe as the Operating system you are running it on.
gregzoll is offline  
post #11 of 29 Old 08-13-2013, 08:18 PM
AVS Special Member
 
Sammy2's Avatar
 
Join Date: Mar 2011
Location: Right next to Wineville, CA
Posts: 9,662
Liked: 169
Little bit hard to do remote management without it or serve content off site. Maybe I chose the wrong word. Is forwarded ports better?

Sammy2 is offline  
post #12 of 29 Old 08-14-2013, 05:27 AM
 
cybrsage's Avatar
 
Join Date: May 2007
Location: Harrisburg, PA
Posts: 8,074
Liked: 147
Quote:
Originally Posted by caroln View Post

Thanks for the reply.

There's only one thing I have found that would work better with Java, so I guess it's not worth the bother of having to stay on top of all the patches all the time.

Could you please elaborate on what you mean about the web browser I'm using not being safe? I use IE. Is that not safe?

MS finds flaws with IE from time to time and puts out patches. Basically, all software has security flaws in it in varying degrees of horribleness, but that is the nature of the beast. Just stay patched.
cybrsage is offline  
post #13 of 29 Old 08-14-2013, 05:30 AM
 
cybrsage's Avatar
 
Join Date: May 2007
Location: Harrisburg, PA
Posts: 8,074
Liked: 147
Quote:
Originally Posted by gregzoll View Post

Sun no longer owns Java, Oracle does. As for closing the holes, they actually have not fixed anything. See http://nvd.nist.gov/ and http://www.us-cert.gov/ncas for current list of vulnerabilities

Latest update for Oracle Java was in June, and like I stated, did not address the longest hole that has been in there. Even worse, the Android platform is having its own problems with Bitcoin, due to Java.

Oracle owns Sun now...but you are right, the company name on the bottom now says Oracle instead of Sun. I suspect the same team is still working on it, though.
cybrsage is offline  
post #14 of 29 Old 08-14-2013, 05:43 AM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
Yes the same team pretty much is working on the project, but until they fix all the holes that have been there since day one, it will still be considered a security risk by US Cert.
gregzoll is offline  
post #15 of 29 Old 08-14-2013, 05:45 AM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
Quote:
Originally Posted by cybrsage View Post

MS finds flaws with IE from time to time and puts out patches. Basically, all software has security flaws in it in varying degrees of horribleness, but that is the nature of the beast. Just stay patched.
Actually MS does not find the flaws, it is third party individuals that find the holes. As for MS patching them, it can take months or years before they do. They also have some that have been there since the beginnings of NT, that have not been patched.
gregzoll is offline  
post #16 of 29 Old 08-14-2013, 05:47 AM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
Quote:
Originally Posted by Sammy2 View Post

Little bit hard to do remote management without it or serve content off site. Maybe I chose the wrong word. Is forwarded ports better?
Even if you forward ports, they should still be in Stealth mode. You know what I do for remote management on machines, it is Team Viewer. If it is a Server, you should never have it routers, or managed switches, set up for remote management.
gregzoll is offline  
post #17 of 29 Old 08-14-2013, 07:16 AM - Thread Starter
Newbie
 
caroln's Avatar
 
Join Date: Jul 2013
Posts: 6
Liked: 10
It seems I've opened a can of worms. Sorry. Bottom line here, I guess, is the problems with Java persist and one should use at their own risk.

Thanks all.
caroln is offline  
post #18 of 29 Old 08-14-2013, 08:10 AM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
There are few sites out there that rely on Java. Most have moved to html5, to get away from TragicX, Java and Flash.
gregzoll is offline  
post #19 of 29 Old 08-14-2013, 08:29 AM
AVS Special Member
 
StardogChampion's Avatar
 
Join Date: Dec 2007
Location: New Hampshire, USA
Posts: 2,995
Liked: 117
Java pays the bills. I would recommend though also learning HTML5, CSS, iOS, Objective-C, JavaScript (JQuery, etc.) to remain marketable.

BTW, Java is an Oracle product. There is no such thing as Sun Microsystems.

 

 

StardogChampion is offline  
post #20 of 29 Old 08-14-2013, 11:38 AM
AVS Special Member
 
Sammy2's Avatar
 
Join Date: Mar 2011
Location: Right next to Wineville, CA
Posts: 9,662
Liked: 169
Quote:
Originally Posted by gregzoll View Post

Quote:
Originally Posted by Sammy2 View Post

Little bit hard to do remote management without it or serve content off site. Maybe I chose the wrong word. Is forwarded ports better?
Even if you forward ports, they should still be in Stealth mode. You know what I do for remote management on machines, it is Team Viewer. If it is a Server, you should never have it routers, or managed switches, set up for remote management.

They are in stealth mode and it isn't a server in that sense of the word. I use Plex and the new MB3 server to play content to my phone away from home.

Sammy2 is offline  
post #21 of 29 Old 08-14-2013, 12:43 PM
Senior Member
 
cdru's Avatar
 
Join Date: Jul 2005
Posts: 331
Liked: 13
Quote:
Originally Posted by caroln View Post

It seems I've opened a can of worms. Sorry. Bottom line here, I guess, is the problems with Java persist and one should use at their own risk.
If your HTPC is used solely as a HTPC, you are quite likely to be perfectly fine as long as you use trusted software. Don't run every app that you find everywhere, obviously don't run anything someone just sends you, etc.

Any java application that you would run outside of a web browser is going to be no different than any native app that you might run, so it's really more a matter of do you trust the author? If you manually run the app, it's going to have the same system access to your file system, network shares, etc that every other app does. So if this is where you have problems, you're already screwed whether it's a java app, a .net app, a native c++ app, whatever.

What's more of a security issue is if you use your HTPC for other activities such as web browsing. You may visit a webpage that has been compromised, it runs a java app that exploits a security hole, and then your system becomes compromised in some form all before you have any idea there is even a problem. Easy solution to that is don't install java in your browser, disable it, or just don't use your browser on your HTPC (which is quite difficult so the first two options are easier to implement).
cdru is offline  
post #22 of 29 Old 08-14-2013, 08:19 PM
 
cybrsage's Avatar
 
Join Date: May 2007
Location: Harrisburg, PA
Posts: 8,074
Liked: 147
Quote:
Originally Posted by gregzoll View Post

......

Did you know your posts do not show up with a Thumbs Up button? Everyone else's does.
cybrsage is offline  
post #23 of 29 Old 08-15-2013, 04:03 AM
AVS Special Member
 
Bruce Embry's Avatar
 
Join Date: Feb 2001
Location: East Coast
Posts: 1,088
Liked: 11
As a developer, I can say Java is a great development environment. It allows you to write once and run the program on any platform. As with anything on a system, it is only as safe as the tools that are used to protect the system (i.e. firewall, virus scanner, shields, etc).

Bruce.in.Triangle NC
Firewire is alive and kicking!
Bruce Embry is offline  
post #24 of 29 Old 08-15-2013, 04:22 AM
AVS Special Member
 
Nevcairiel's Avatar
 
Join Date: Mar 2010
Location: Germany
Posts: 1,004
Liked: 107
Quote:
Originally Posted by gregzoll View Post

Chrome has written their own version of Javascript for their browser

JavaScript has absolutely NOTHING to do with Java, or Oracle/Sun, or the Java security issues.
The name "Java" in JavaScript was only a choice done by Netscape back in the early days that has caused confusion all around, but they are not related at all.

To the original topic, no software is ever 100% safe. Just because there are no known security issues does not mean there aren't unknown issues that are maybe known by some security researchers, or maybe even completely unknown today, but what about tomorrow?
You can always spread FUD about all kinds of software and call out small security flaws to make software look bad. The big problem with Java is/was its stupid applet browser plugin, which is a badly designed tech from the beginning, but luckily I haven't seen such a thing in years (short of some admin consoles on some HP switches I maintain, but that's all local network).
Nevcairiel is offline  
post #25 of 29 Old 08-15-2013, 06:31 AM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
Nevcairiel, care to read what I posted, of who came up with Java back in 1995. If it was not for James Gosling, Java would have never happened. Java has nothing to do with Netscape. As for the FUD, sorry, but there is no FUD out there, on the fact that the holes that have been there since day one, are still there. FF, Chrome, Opera lock Java in Sandboxed mode, that it is not allowed to run, whether it is Java or Javascript, because it is still considered a security risk.

As for the father of Java, see http://en.wikipedia.org/wiki/James_Gosling it was invented by him, when he worked for Sun from 84-2010, which he continued to work on the project, until he left the company, when Oracle acquired it. As for Javascript, yes it was invented by Brendan Eich, when he worked at Netscape, which was started by two U of I grads. Originally named Mocha, due to the name Java was owned by Sun. The whole intention of Javascript was to battle Microsoft, but also like the fact that Gosling, Eich never knew at the time the security flaws that would pop up later on, and because of the fact that they are the original inventors of both, and have sold the rights of their software to the companies that now hold them (Mozilla for Javascript, which Eich is CTO of, Oracle for Java, which Gosling has no more day to day control of his language). http://en.wikipedia.org/wiki/Brendan_Eich

To go back to the OP question, Javascript still has its issues of being a huge security risk, that Mozilla made the right decision to block it from running, due to this, to keep the government off its back, Chrome & Opera followed suit, but Microsoft as usual has continued to turn their heads on these issues, and act like there is no problem.
gregzoll is offline  
post #26 of 29 Old 08-15-2013, 07:12 AM
AVS Special Member
 
StardogChampion's Avatar
 
Join Date: Dec 2007
Location: New Hampshire, USA
Posts: 2,995
Liked: 117
I've always thought the real fundamental issue with JavaScript and the like is the browser as a platform was never really meant to do all this "stuff". It was meant to view pages/documents in a folder structure. It's a constant battle against that paradigm and the application paradigm to get web-apps to work. It never seems to really get much better. There's just a new hack that comes along (e.g. AJAX). I was working on a JS app using JQuery, Knockout, etc. a few months ago after having been away from front-end development for a long time and lo' and behold what do you know, the friggin' back button is still the same headache as it was in 1998. It's 2013!

 

 

StardogChampion is offline  
post #27 of 29 Old 08-15-2013, 07:45 AM
 
gregzoll's Avatar
 
Join Date: Jun 2009
Posts: 2,524
Liked: 32
It was StardogChampion. This is what it was intended as:

JavaScript was originally developed by Brendan Eich. Battling with Microsoft over the Internet, Netscape considered their client-server solution as a distributed OS, running a portable version of Sun Microsystems' Java. Because Java was a competitor of C++ and aimed at professional programmers, Netscape also wanted a lightweight interpreted language that would complement Java by appealing to nonprofessional programmers, like Microsoft's Visual Basic (see JavaScript and Java).[9]
Developed under the name Mocha, LiveScript was the official name for the language when it first shipped in beta releases of Netscape Navigator 2.0 in September 1995, but it was renamed JavaScript[10] when it was deployed in the Netscape browser version 2.0B3.[11]
The change of name from LiveScript to JavaScript roughly coincided with Netscape adding support for Java technology in its Netscape Navigator web browser. The final choice of name caused confusion, giving the impression that the language was a spin-off of the Java programming language, and the choice has been characterized by many as a marketing ploy by Netscape to give JavaScript the cachet of what was then the hot new web programming language.[12][13]

http://en.wikipedia.org/wiki/Javascript

I do like this part from the wikipedia article "JavaScript is a prototype-based scripting language with dynamic typing and has first-class functions. Its syntax was influenced by C. JavaScript copies many names and naming conventions from Java, but the two languages are otherwise unrelated and have very different semantics. The key design principles within JavaScript are taken from the Self and Scheme programming languages.[6] It is a multi-paradigm language, supporting object-oriented,[7] imperative, and functional[1][8] programming styles."

The good thing is, that Linux, and Apple keeps up on the security holes and risks, by fixing stuff, where as Microsoft chooses to ignore a majority of them, and/or pushes them off for fixes months or years later.
gregzoll is offline  
post #28 of 29 Old 08-15-2013, 08:11 AM
AVS Special Member
 
Chronoptimist's Avatar
 
Join Date: Sep 2009
Posts: 2,559
Liked: 203
I refuse to install Java or Flash on my system - they are big security risks as far as I am concerned.
There always seems to be new Java or Flash exploits out there, which can take some time before they are patched. (though Adobe seem to be better about this)

I have one application that relies on Java, and to use that I simply downloaded a "portable" version of Java, which allows that program to run when placed inside its directory and renamed to "jre".
I'm not even very happy about this, but it seems to be a lot safer than allowing any application on my system to use Java. (I've checked, and other Java apps will not run)

As for JavaScript - I run the "NoScript" and "Request Policy" extensions in my browser, so nothing is running unless I grant it permission.
Chronoptimist is offline  
post #29 of 29 Old 08-17-2013, 10:15 AM
Member
 
aufVidyZen's Avatar
 
Join Date: Sep 2004
Location: Redwood City, CA
Posts: 72
Liked: 17

Relying on fixing and securing all the individual PCs, Macs, tablets, etc. is a futile quest. It's better to focus on maintaining security in the network devices. If no one can get to your HTPC, then running Java on it, or any other software, is "safe"

 

Check the manual for your firewall/router, and see if it can support VLANs. It's a corporate level networking IT feature finding its way into the more recent home consumer routers (past 2-3 years). If it doesn't, I would recommend buying one, and setting up multiple VLANs configured to your needs.

 

VLANs are "virtual LANs". All your ethernet cabling remains the same, but now you can set up the router with several sub-nets and assign one or more devices to run on each (unique) sub-net. Then you define security rules for what traffic (if any) can flow between VLANs (sub-nets).

 

I have one VLAN for all the HTPC related equipment in the house. Another VLAN connects my kids' computers to the internet only, but the "Kid-net" can't exchange traffic with the HTPCs and my computer. So if their machines get hacked, they can't attack any other machines in the house.

 

The "Vid-net" isn't route-able to, or from, the internet; so for all intents and purposes it's on its own separate protected network. When I travel, I have temporary rules to allow access from my iPad, and only my iPad, to the Plex server.

 

You can set "priority" (QoS) on VLAN traffic, so that someone playing World of Warcraft online doesn't slow down your 1080p streaming. Right around dinner time a new temporary QoS rule comes into effect making WoW unbearably slow. Now my kids come down from their rooms and ask when dinner's ready. Internet access is cut off automatically at 11PM,  Sun-Thu.

 

VLANs solve lots of problems.

aufVidyZen is offline  
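The segmentation described in post #29, modelled as an added example (not aufVidyZen's configuration or any router's own syntax): a first-match, default-deny inter-VLAN policy that is audited against the isolation claims the post makes, with a broad port forward included for comparison. The subnets, host addresses, the "home-net" zone name and the iPad's address are constructed assumptions; 32400 is Plex Media Server's default port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan: the post names the segments, not their subnets.
ZONES = {
    "vid-net": ipaddress.ip_network("192.168.10.0/24"),   # HTPCs and Plex server
    "kid-net": ipaddress.ip_network("192.168.20.0/24"),   # kids' computers
    "home-net": ipaddress.ip_network("192.168.30.0/24"),  # parent's computer (assumed name)
}
PLEX = "192.168.10.5"        # hypothetical Plex host on vid-net
PLEX_PORT = 32400            # Plex Media Server's default TCP port
TRAVEL_IPAD = "203.0.113.7"  # hypothetical remote client (documentation range)


def zone_of(addr):
    """Map an address to its VLAN name, or "internet" if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # zone name, single IP, or "any"
    dst: str
    port: Optional[int] = None  # None matches every port


def _matches(selector, addr):
    if selector == "any":
        return True
    if selector == "internet" or selector in ZONES:
        return zone_of(addr) == selector
    return ipaddress.ip_address(selector) == ipaddress.ip_address(addr)


def decide(rules, src, dst, port):
    """First matching rule wins; unmatched routed traffic is dropped."""
    if zone_of(src) == zone_of(dst) != "internet":
        return "allow"  # same VLAN: switched locally, never reaches the router
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and r.port in (None, port):
            return r.action
    return "deny"


BASE_RULES = [
    Rule("allow", "kid-net", "internet"),
    Rule("allow", "home-net", "internet"),
]
# Temporary travel exception: one client, one host, one port.
TRAVEL_RULES = [Rule("allow", TRAVEL_IPAD, PLEX, PLEX_PORT)] + BASE_RULES
# A plain port forward for comparison: any source may reach the Plex port.
OPEN_FORWARD = [Rule("allow", "any", PLEX, PLEX_PORT)] + BASE_RULES


def audit(rules):
    """Return the isolation claims from the post that this rule set breaks."""
    kid, htpc, parent, web = "192.168.20.50", "192.168.10.20", "192.168.30.2", "198.51.100.9"
    checks = [
        ("kid-net reaches the internet", decide(rules, kid, web, 443) == "allow"),
        ("kid-net cannot reach the HTPCs", decide(rules, kid, htpc, 445) == "deny"),
        ("kid-net cannot reach the parent PC", decide(rules, kid, parent, 445) == "deny"),
        ("vid-net has no route out", decide(rules, htpc, web, 443) == "deny"),
        ("internet cannot reach vid-net", decide(rules, web, PLEX, PLEX_PORT) == "deny"),
    ]
    return [claim for claim, ok in checks if not ok]


if __name__ == "__main__":
    for label, rules in [("base", BASE_RULES), ("travel", TRAVEL_RULES), ("open forward", OPEN_FORWARD)]:
        print(label, audit(rules) or "all claims hold")
```

The scoped travel rule passes the audit because an arbitrary internet host still cannot reach vid-net; the unscoped forward fails that one claim.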