Why is Java insecure? Buggy or vulnerable open source components

Mira Yurizaki
On Thursday, October 20, 2016 at 5:56 PM, M.Yurizaki said:

I'm curious about this because why would you use a language that requires to run essentially a VM for an embedded system?

I think he uses a custom processor with just the instructions he needs.

I think he chose Java because it allowed him to make specific components of the OS.

If I remember right, the arithmetic he uses allows for error detection more easily. As in specific signatures which helped him build something which doesn't crash and can handle tasks nicely in distributed embedded systems, like in anything with a bunch of sensors. (If my memory is right, that signature stuff makes it easier to detect faulty sensors.)

( Their website if you want to snoop there :) )


So Java isn't really to blame, it's more the open source package that turned out to have a bunch of vulnerabilities. Changing to a different programming language isn't going to help with that.

Well if open source components are vulnerable, maybe they should check the code before releasing it?

 

Seriously...

Why is SpongeBob the main character when Patrick is the star?


On 10/21/2016 at 8:32 AM, dexxterlab97 said:

Half Life 2, CSS

Source engine code isn't open source afaik.

  ﷲ   Muslim Member  ﷲ

KennyS and ScreaM are my role models in CSGO.

CPU: i3-4130 Motherboard: Gigabyte H81M-S2PH RAM: 8GB Kingston hyperx fury HDD: WD caviar black 1TB GPU: MSI 750TI twin frozr II Case: Aerocool Xpredator X3 PSU: Corsair RM650


Any language/platform is unsafe if you use vulnerable libraries. That's not a flaw of the language. I can use vulnerable components with C just as well as I can with Java, Python or JavaScript. As a general rule, when you use someone else's work you should at least check if there are any known vulnerabilities, but a lot of these so-called "programmers" don't even know the basics of software engineering. They just know how to hack together something that kinda works using premade functions someone else kindly provided. Of course writing everything from scratch is unthinkable, but a little more quality control couldn't hurt.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


7 minutes ago, patrick3027 said:

Well if open source components are vulnerable, maybe they should check the code before releasing it?

 

Seriously...

It's not like there are comments in the code saying stuff like "oh by the way, this part is vulnerable"


1 minute ago, Sauron said:

It's not like there are comments in the code saying stuff like "oh by the way, this part is vulnerable"

Well the whole point of making open source software is that people can read and check the code.


4 hours ago, patrick3027 said:

Well the whole point of making open source software is that people can read and check the code.

Except bugs sometimes aren't that easy to find because it's such a corner case it wasn't something that crossed your mind.

 

Here's a fun bug I found at my last company that caused a crash, seemed obvious to fix, but the root cause took me weeks (maybe months) to find:

 

The way to cause it to crash was to flood the system with messages. This was triggered by a laser communication system, so we blasted the detectors. The crash happened because the buffers filled up and would quit because this is considered a serious problem.

 

So the "obvious" solution is to increase the buffers right? My supervisor commented this: if the buffers are filling, it doesn't matter how big the buffers are, you'll eventually fill them up.

 

So what was the problem? An issue with how the communication protocol was handling things. It considered sending acknowledgements high priority, but it got stuck somewhere so it would fill up the receiver buffers because those wouldn't get serviced.

 

There was also another one at my current job, this time involving a memory leak. We found out that one bit of code hadn't been updated in years. Was that the problem?

 

No, it was because someone changed the pass code to talk to an interface and since the interface didn't respond, the messages that were being sent out just stayed in memory.

 

So these things aren't just "obvious". If they were, either software developers are dumber than chipmunks or we'd have perfect software.

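The buffer anecdote in the post above, as an added simulation that is not part of the original thread or the poster's code: a receiver whose high-priority acknowledgement path stalls stops draining its receive buffer, so a larger buffer only delays the overflow, while bounding the ACK retry keeps the buffer serviced. The tick model, rates, budget and the `bounded_ack` switch are assumptions made for illustration.

```python
from collections import deque

def ticks_until_overflow(capacity, arrivals=5, budget=12, ack_stall_at=50,
                         bounded_ack=False, max_ticks=10_000):
    """Return the tick at which the receive buffer overflows, or None.

    Hypothetical model: each tick `arrivals` messages land in the receive
    buffer and the service loop has `budget` units of work. ACKs are sent
    first (high priority); from tick `ack_stall_at` on the ACK path is stuck.
    """
    rx = deque()
    pending_acks = 0  # coalesced counter, so unsent ACKs cost no memory
    for tick in range(1, max_ticks + 1):
        for _ in range(arrivals):
            if len(rx) >= capacity:
                return tick          # buffer full: the "serious problem"
            rx.append(tick)
        work = budget
        if pending_acks:
            if tick < ack_stall_at:  # ACK path healthy: send what we can
                sent = min(pending_acks, work)
                pending_acks -= sent
                work -= sent
            elif not bounded_ack:
                work = 0             # buggy: spin on the stuck ACK, starve rx
            else:
                work -= 1            # hardened: one retry, then move on
        while work > 0 and rx:       # service the receive buffer
            rx.popleft()
            pending_acks += 1
            work -= 1
    return None

if __name__ == "__main__":
    for cap in (100, 1000, 10000):
        print("buggy, capacity", cap, "-> overflow at tick",
              ticks_until_overflow(cap))
    print("bounded ACK retry, capacity 100 ->",
          ticks_until_overflow(100, bounded_ack=True))
```
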

I'm not quite sure why many seem to want Java to die, Java is a really nice language to code for and is used by Android. Fact is Java's portability and abstraction allow for making software that you would with C++ or object orientated C that isn't tied to an OS or platform.

.NET isn't the future, it's tied to Microsoft so for those who do networking, admin and managing servers .NET is not an option as many use Linux. In fact .NET has its own share of vulnerabilities and problems even before Java and even more so.

Here's a funny video on the .NET vs Java.

Instead of Java perhaps consider C++ with OpenCL. OpenCL will run on many processors and you only need to recompile the C++ bit for the platform.

18 minutes ago, System Error Message said:

I'm not quite sure why many seem to want Java to die, Java is a really nice language to code for and is used by Android. Fact is Java's portability and abstraction allow for making software that you would with C++ or object orientated C that isn't tied to an OS or platform.

.NET isn't the future, it's tied to Microsoft so for those who do networking, admin and managing servers .NET is not an option as many use Linux. In fact .NET has its own share of vulnerabilities and problems even before Java and even more so.

Here's a funny video on the .NET vs Java.

Instead of Java perhaps consider C++ with OpenCL. OpenCL will run on many processors and you only need to recompile the C++ bit for the platform.

Where can I buy this movie!? I must watch it now!

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

EVs are bad, they kill the planet and remove freedoms too some

