> Trying to use a padlock to secure a paper door is not security. You can state
> Java is more secure than other languages -- it may even
> be true. But that still doesn't mean a program written in
> Java is more secure than one written in a different
> language.
>
> If you came home and a burglar had ripped through
> your paper door and cleaned your house out, would you
> pat yourself on the back and say "well, at least the padlock held up"?
>
> > Yes, your operating system may have buffer overflows. Yes, your
> > web server may have buffer overflows. Changing from Java to C won't
> > fix those. That doesn't change the fact that, if you write your
> > application in C, your code is highly likely to have buffer overflows,
>
> Perhaps highly likely to have buffer overflows but not guaranteed to.
> In addition, there may be other areas which may require more
> attention (portability, scalability, whatever), that I am able
> to better address with a language other than Java. Java
> may work fine, perhaps it won't -- many considerations. It's
> just one tool in my toolkit.
Right. Java having no buffer overflows does not mean it's any safer than a C
program. There's a weakest link somewhere (the paper door, btw I
always design my paper doors with some manga comics on them).
And the fact that a C program is vulnerable to such programming errors (and these
errors are the most common security problems in C programs) is
no guarantee there are any, which means Java is as bad as C.
Am I following you?
I agree on one point though - there is no absolute security. Language as such
can't guarantee absolute security. Never. But what Java does is remove
one of the most common classes of security flaws found in C programs,
and that by design. You can't deny that.
> > It depends on the application. Java is, for many applications that
> > run on a full size VM, pretty much "write once run anywhere."
>
> For many, perhaps, but not all. I'm still waiting for one
> streaming media vendor to get their Java app to run on Linux
> (from MSFT). They told me it would be a snap: "Java's portable!"
> Hmm. Not sure why it's taken almost 6 months now.
Well. Maybe we all should follow the 'all or nothing' philosophy. Like,
let's save 90% of the planet. What? 10% unsaved. This is useless, let's
destroy the planet, why bother.
> It's not surprising to me at all. But I am surprised that
> it was a surprise to the developers in the CNET article.
> I'm frankly not one to be easily fleeced with ridiculous
> claims like the ones made by Sun or other vendors.
> (Although Sun likes to tell you they don't make those
> kinds of claims, only Bill Gates does).
Let's make a million threads and then move the Java app from SUN
to Linux. Ouch. Won't work. Guess why ;) Bunch of newbies
writing multithreaded unscalable applications? Common sight.
Oh, all the pain.
I've seen unscalable programs in both C and Java. And I've seen
highly scalable applications in C and Java. It's not in the language,
it's in the developers. The developer is the weakest link.
> But just because I'm not easily fooled doesn't mean
> that others aren't fooled (like a lot of my customers
> and investors) and that I should just shut my mouth
> and not point this out. Why? Because I've had more
> than one investor say, "You should write your app in Java."
> When I asked why, what will that do for me?
> He said "Java's hot!"
But it is hot. I saw it in the commercial. There was vapor coming
off the cup, it was HOT.
Personally I do most of my programming in C/C++ and PHP, rarely
Java. I try to avoid perl because it's a security and maintainability
nightmare ;)
Regards,
Indrek
Received on Mon Sep 9 15:02:43 2002
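The class of flaw the thread keeps circling back to, shown concretely as an added example that is not part of the list post or the quoted CNET article: a fixed-size C buffer filled by an unbounded `strcpy()`, beside the bounds-checked form that rejects oversized input, and a `read_at()` helper that mirrors what a Java array access does on every index (a checked failure instead of a silent out-of-bounds memory access). All names (`greet_unchecked`, `greet_checked`, `read_at`, `NAME_LEN`) and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The C pattern the thread argues about: a fixed-size stack buffer filled by
 * an unbounded copy. strcpy() trusts the caller to keep `src` under NAME_LEN
 * bytes, and nothing in the language checks it. Constructed illustration. */
int greet_unchecked(char *out, size_t out_len, const char *src) {
    char name[NAME_LEN];
    strcpy(name, src);  /* no bounds check: src of 16+ bytes overflows `name` */
    return snprintf(out, out_len, "hello %s", name);
}

/* Hardened form: measure first, reject input that does not fit (including the
 * terminator), then copy with an explicit length. Returns -1 on oversized
 * input, otherwise the length of the greeting written to `out`. */
int greet_checked(char *out, size_t out_len, const char *src) {
    char name[NAME_LEN];
    size_t n = strlen(src);
    if (n >= sizeof name)
        return -1;               /* would not fit with the trailing NUL */
    memcpy(name, src, n + 1);    /* n + 1 <= NAME_LEN, so this is in bounds */
    return snprintf(out, out_len, "hello %s", name);
}

/* What a Java array access does by design on every index: check it.
 * Returns -1 instead of reading past the end of `buf`. */
int read_at(const char *buf, size_t len, size_t i, char *c) {
    if (i >= len)
        return -1;               /* out of bounds: an error, not a memory read */
    *c = buf[i];
    return 0;
}

int main(void) {
    char out[64];
    const char *too_long = "this-name-is-far-too-long-for-sixteen-bytes";  /* constructed input */
    if (greet_checked(out, sizeof out, "alice") > 0)
        puts(out);                                   /* hello alice */
    if (greet_checked(out, sizeof out, too_long) < 0)
        puts("rejected oversized input");
    return 0;
}
```

The unchecked version is only ever called here with input that fits; the point is that nothing stops it being called with input that does not, whereas `greet_checked()` turns the same situation into a return code the caller must handle.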