More Java-hating!



  • Since I'm stereotyped as a Java-hater, here's more Java-hating!

    That new attack, nicknamed "BEAST", that completely defeats SSL? It's delivered via (duh duh duh) Java! That article is about Mozilla considering putting Java on their block-list for Firefox, which I kind of hope they do because after the last week I want to see Firefox lose all its users and die.



  • Oh BTW, here's apparently what Mozilla posts to their bugtracker when a link to it appears in the mainstream media:

    @Some UberNerd from Mozilla said:

    Engineers and associated participants: the Eye of Sauron is now upon this bug. That shouldn't stop us from doing our job, but it does mean that a certain attention should be paid to the tenor of the discourse. I'd encourage, for instance, avoiding sarcastic hyperbole (kittens are dying while we discuss this!), or rhetorical sidebars (let's just kill all plugins!) that might be taken out of context and seed confusion or concern.

    This raises so many questions. Sooo many questions...



  • @blakeyrat said:

    @Some UberNerd from Mozilla said:
    Engineers and associated participants: the Eye of Sauron is now upon this bug. That shouldn't stop us from doing our job, but it does mean that a certain attention should be paid to the tenor of the discourse. I'd encourage, for instance, avoiding sarcastic hyperbole (kittens are dying while we discuss this!), or rhetorical sidebars (let's just kill all plugins!) that might be taken out of context and seed confusion or concern.

     

    The Eye of Sauron is now upon this bug. That shouldn't stop us from doing our job, but it is upon this bug. 



  • I read about this earlier, too. I guess blocking java would stop this particular implementation, but FTFA:

    @reg said:

    The researchers settled on a Java applet as their means to bypass SOP...

    So, maybe blocking all java plugins would prevent the proof of concept here, but from the way they put it in the article, what's to stop them from doing something similar in, say, flash? Or whatever. If it were actually some sort of java weirdness that were responsible, I'd think the developers ought to have been quoted saying so. Based on the article, it just sounded like java was just the easiest way for these guys to do it.



  • @blakeyrat said:

    Since I'm stereotyped as a Java-hater, here's more Java-hating!

    That new attack, nicknamed "BEAST", that completely defeats SSL? It's delivered via (duh duh duh) Java! That article is about Mozilla considering putting Java on their block-list for Firefox, which I kind of hope they do because after the last week I want to see Firefox lose all its users and die.

    did moz run over your dog or something?



  • @boomzilla said:

    I read about this earlier, too. I guess blocking java would stop this particular implementation, but FTFA:

    @reg said:

    The researchers settled on a Java applet as their means to bypass SOP...

    So, maybe blocking all java plugins would prevent the proof of concept here, but from the way they put it in the article, what's to stop them from doing something similar in, say, flash? Or whatever. If it were actually some sort of java weirdness that were responsible, I'd think the developers ought to have been quoted saying so. Based on the article, it just sounded like java was just the easiest way for these guys to do it.

    They didn't have to use java.  It was the easiest way for these guys to do it, but they didn't have to use java.




  •  Is the eye of Sauron some kind of code phrase for "OK, we have to stop dicking around and fix this now" or something?



  • They should also block all HTML documents written in English, because the BEAST researchers published in English rather than any other language.



  • Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!



  • I'm not crazy about Java either, although sometimes I think Java is sort of like Windows Vista -- not nearly as bad as some people claim.  I saw this same article earlier today and I still don't get it. @The article said:

    BEAST injects JavaScript into an SSL session to recover secret information that's transmitted repeatedly in a predictable location in the data stream. For Friday's implementation of BEAST to work, Duong and Rizzo had to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one internet domain can't be read or modified by a different address.

    The researchers settled on a Java applet as their means to bypass SOP...

    I don't see anything that says "BEAST" is the result of a bug or flaw in Java, only that they chose Java to write their application that breaks SSL.



  • @Master Chief said:

     Is the eye of Sauron some kind of code phrase for "OK, we have to stop dicking around and fix this now" or something?

     

     They were referring to the media attention as the Eye of Sauron.  The post is a reminder to not say anything that the media or easily frenzied public could take out of context or misinterpret.  You get some laymen browsing a bug tracker and one of them takes some nerd joke out of context...  Then, next thing you know, someone is labeled a terrorist.



  • @pauly said:

    @Master Chief said:
    Is the eye of Sauron some kind of code phrase for "OK, we have to stop dicking around and fix this now" or something?

    Then, next thing you know, someone is labeled a terrorist.

    Not only that! Hobbit Terrorists!



  • @El_Heffe said:

    I'm not crazy about Java either, although sometimes I think Java is sort of like Windows Vista -- not nearly as bad as some people claim.

     

    QFT.

     



  • @Kazan said:

    did moz run over your dog or something?

    I spent a lot of hours this week working around bugs in their shitty DOM implementation. The ones that were even possible to work around...

    @El_Heffe said:

    I don't see anything that says "BEAST" is the result of a bug or flaw in
    Java, only that they chose Java to write their application that breaks SSL.

    Yes, because Java has a security flaw in it that bypasses SOP. If Flash happens to have one also, then they could probably write BEAST using Flash.



  • The vulnerability is in TLS 1.0, not Java.  Unfortunately, there seems to be no way to solve it without breaking 99.9% of existing SSL relationships.  We need a simultaneous patch of SSL for the entire world to force all clients and servers to upgrade.



  • @hoodaticus said:

    The vulnerability is in TLS 1.0, not Java.  Unfortunately, there seems to be no way to solve it without breaking 99.9% of existing SSL relationships.  We need people to start using TLS 1.1 or 1.2.
    FTFY
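The fix the thread lands on is to stop speaking TLS 1.0, and hoodaticus's worry is how much that breaks. Before raising a server's floor, an operator would tally what protocol versions clients actually negotiate. The Python below is an added example, not code from the thread or from any poster: it parses constructed access-log lines in an assumed nginx-style format that appends $ssl_protocol and $ssl_cipher to each line (the format, the sample lines and the function names are all assumptions), reports how many connections a given minimum version would refuse, and builds the hardened ssl.SSLContext that enforces TLS 1.2.

```python
"""Estimate the client breakage of raising a TLS floor, then enforce it.

The log format below is an assumption for this example (nginx log_format
'$remote_addr [$time_local] "$request" $status $ssl_protocol $ssl_cipher');
adapt LINE_RE to whatever your server really logs.
"""
import re
import ssl
from collections import Counter

# Constructed sample traffic, not a real log. The last two lines show the two
# things a real log throws at you: a plaintext hit logged as "-" and junk.
SAMPLE_LOG = """\
203.0.113.10 [25/Sep/2011:10:00:01 +0000] "GET /login HTTP/1.1" 200 TLSv1 AES128-SHA
203.0.113.11 [25/Sep/2011:10:00:02 +0000] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.12 [25/Sep/2011:10:00:03 +0000] "POST /api HTTP/1.1" 201 TLSv1.1 AES256-SHA
203.0.113.10 [25/Sep/2011:10:00:04 +0000] "GET /cart HTTP/1.1" 200 TLSv1 RC4-SHA
203.0.113.13 [25/Sep/2011:10:00:05 +0000] "GET /img.png HTTP/1.1" 304 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
203.0.113.14 [25/Sep/2011:10:00:06 +0000] "GET / HTTP/1.1" 200 SSLv3 DES-CBC3-SHA
203.0.113.15 [25/Sep/2011:10:00:07 +0000] "GET /robots.txt HTTP/1.1" 200 - -
this line is not in the expected format at all
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

# Oldest first; index position is the ordering used for "below the floor".
PROTO_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# The floor the thread recommends (TLS 1.1 or 1.2); 1.2 is the sane choice today.
HARDENED_MINIMUM = ssl.TLSVersion.TLSv1_2


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def tally_protocols(log_text):
    """Count TLS connections per negotiated protocol.

    Unparseable lines are skipped, and so are plaintext hits (nginx logs an
    empty $ssl_protocol as "-"), since they are not TLS connections at all.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] == "-":
            continue
        counts[rec["proto"]] += 1
    return counts


def impact_of_minimum(counts, minimum="TLSv1.2"):
    """Return (refused, total, fraction) if `minimum` became the server floor."""
    floor = PROTO_ORDER.index(minimum)
    total = sum(counts.values())
    refused = 0
    for proto, n in counts.items():
        # A version name we cannot place is counted as refused, so the estimate
        # over-counts breakage rather than hiding it.
        if proto not in PROTO_ORDER or PROTO_ORDER.index(proto) < floor:
            refused += n
    return refused, total, (refused / total if total else 0.0)


def hardened_server_context():
    """Server-side context that refuses everything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = HARDENED_MINIMUM
    return ctx


def minimum_version_name(ctx):
    """Human-readable floor of a context, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def main():
    counts = tally_protocols(SAMPLE_LOG)
    for proto in sorted(counts, key=lambda p: PROTO_ORDER.index(p)):
        print(f"{proto:<8} {counts[proto]}")
    for floor in ("TLSv1.1", "TLSv1.2"):
        refused, total, frac = impact_of_minimum(counts, floor)
        print(f"minimum {floor}: would refuse {refused}/{total} ({frac:.0%})")
    print("hardened context floor:", minimum_version_name(hardened_server_context()))


if __name__ == "__main__":
    main()
```

Run against a real log, the tally tells you whether hoodaticus's "99.9%" is anywhere near true for your own clients before you flip the switch; with the constructed sample, a TLS 1.2 floor refuses four of six TLS connections and a TLS 1.1 floor refuses three.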



  • @Power Troll said:

    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
     

    Which gods are you referring to? Cthulhu? Nyarlathotep?



  • @havokk said:

    @Power Troll said:

    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
     

    Which gods are you referring to? Cthulhu? Nyarlathotep?

    Shiva?  Ragnarok?



  • @hoodaticus said:

    @havokk said:
    @Power Troll said:
    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
    Which gods are you referring to? Cthulhu? Nyarlathotep?
    Shiva? Ragnarok?

    Mictlantecuhtli? Tezcatlipoca?



  • @blakeyrat said:

    @hoodaticus said:
    @havokk said:
    @Power Troll said:
    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
    Which gods are you referring to? Cthulhu? Nyarlathotep?
    Shiva? Ragnarok?

    Mictlantecuhtli? Tezcatlipoca?

     

    Bob.



  • @blakeyrat said:

    Since I'm stereotyped as a Java-hater, here's more Java-hating!
     

    FTFY ;)

     



  •  @blakeyrat said:

    Yes, because Java has a security flaw in it that bypasses SOP. If Flash happens to have one also, then they could probably write BEAST using Flash.

    All you need to bypass SOP is an iframe. Or Flash. Or Java. But here the flaw seems to be in SSL.

    ---

     Btw, just out of curiosity: @blakeyrat said:

    their shitty DOM implementation
    Gecko is fine. What's your point?



  • @toshir0 said:

    All you need to bypass SOP is an iframe.
     

    ?



  • @hoodaticus said:

    @havokk said:

    @Power Troll said:

    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
     

    Which gods are you referring to? Cthulhu? Nyarlathotep?

    Shiva?  Ragnarok?

    Ragnarok is not a god of destruction.  It is an event involving gods and destruction, but it's not a god of destruction.




  • @dhromed said:

    @toshir0 said:

    All you need to bypass SOP is an iframe or any other HTML content that you can inject into the origin's DOM by means such as an XSS or MitM rewriting.
     

    ?

    Fixed that a bit.  Also, I would imagine that if the SSL-protected web app doesn't implement CSRF protections, the attack could be performed that way without needing to overcome SOP at all.

    Also, don't java SOP bypass tricks usually require the evil and good domains to be hosted on the same IP address?  Good luck getting co-hosted on ebay.com's servers.




  • @DaveK said:

    @hoodaticus said:

    @havokk said:

    @Power Troll said:

    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
     

    Which gods are you referring to? Cthulhu? Nyarlathotep?

    Shiva?  Ragnarok?

    Ragnarok is not a god of destruction.  It is an event involving gods and destruction, but it's not a god of destruction.


    In order to prevent more posts naming gods of destruction I provide this link.

    I wonder what the criteria was for some of those names to be included



  • @serguey123 said:

    In order to prevent more posts naming gods of destruction I provide this link.

    I wonder what the criteria was for some of those names to be included

    I feel almost compelled to copy-pasta from that list, I'm not going to, but I feel almost compelled.



  • @serguey123 said:

    I wonder what the criteria was for some of those names to be included
    “Doesn't share political views with me” was obviously one of them.



  • @Sir Twist said:

    @serguey123 said:

    I wonder what the criteria was for some of those names to be included
    “Doesn't share political views with me” was obviously one of them.

    Not sharing political views with Hitler or Torquemada is a good thing.

    Also, "Gorgonzilla"?  Is that a giant gorgon or a big cheese?



  • @DaveK said:


    Also, "Gorgonzilla"?  Is that a giant gorgon or a big cheese?

    It could be the lovechild of a gorgon and Godzilla.  The Japanese would love the idea.



  • @blakeyrat said:

    Since I'm stereotyped as a Java-hater, here's more Java-hating!

     

    Stereotyped?  As in "all intelligent people hate Java"?  You're right, it is a stereotype, but a well-deserved one. MOST intelligent people do hate java.



  • @Medezark said:

    @blakeyrat said:
    Since I'm stereotyped as a Java-hater, here's more Java-hating!

    Stereotyped? As in "all intelligent people hate Java"?  You're right, it is a stereotype, but a well-deserved one. MOST intelligent people do hate java.

    You're not being clear. What's the connection to blakeyrat?



  • I generally don't like Java very much, either, but I don't think there's a reason to rage about it here. This is not your run-of-the-mill bug like you get every other week with Flash; this could have affected (and more or less did) almost all other software.

    There's a serious bug in TLS 1.0 and afaict they only used Java to get around SOP to exploit that. I'd bet you $10 they could have exploited a bug like this in Flash, too.

     

    @Medezark said:

    MOST intelligent people do hate java.
    Citation needed?



  • @boomzilla said:

    @pauly said:
    @Master Chief said:
    Is the eye of Sauron some kind of code phrase for "OK, we have to stop dicking around and fix this now" or something?

    Then, next thing you know, someone is labeled a terrorist.

    Not only that! Hobbit Terrorists!

    Well, they say terrorism can be a hard hobbit to break...



  • @topspin said:

    @Medezark said:

    MOST intelligent people do hate java.
    Citation needed?

    I hate Java.  That should be good enough, because I hate Java.



  • @toshir0 said:

    @blakeyrat said:

    Yes, because Java has a security flaw in it that bypasses SOP. If Flash happens to have one also, then they could probably write BEAST using Flash.

    All you need to bypass SOP is an iframe.

    If you can prove that, you can make huge bug bounties from a lot of browser teams. I suspect you're talking out your ass. Or about some pre-alpha buggy browser nobody uses. EDIT: Or the last time you looked into the issue was 1997 when it was still possible for a lucky bug-hunter to find a bug of that nature.

    @toshir0 said:

    @blakeyrat said:
    their shitty DOM implementation
    Gecko is fine. What's your point?

    It's fine at some things. It sucks shit at DOM. Probably because nobody's made a simple Acid-like test that reads out DOM compliance in a single number.

    And let's be clear: DOM itself does suck shit, so even if their implementation wasn't 100% it would still suck. The problem is, they're not even close to 100%.



  • @havokk said:

    @Power Troll said:

    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
     

    Which gods are you referring to? Cthulhu? Nyarlathotep?

    I showed this to a coworker, and he said "no, Loki.  Or maybe Kali."

     



  • @DaveK said:

    Ragnarok is not a god of destruction.
    Thanks!  That's two days in a row that I've learned something on TDWTF.



  • @Sir Twist said:

    @serguey123 said:

    I wonder what the criteria was for some of those names to be included
    “Doesn't share political views with me” was obviously one of them.

    The best thing I can say about the Left is that they don't reproduce very much.



  • @hoodaticus said:

    @Sir Twist said:


    @serguey123 said:
    I wonder what the criteria was for some of those names to be included
    “Doesn't share political views with me” was obviously one of them.

    The best thing I can say about the Left is that they don't reproduce very much.

    I would have disputed your claim, but then I realised that you probably live somewhere where the only role the poor are allowed to have in the political process is to execute a politician from time to time.



  • @__moz said:

    @hoodaticus said:
    The best thing I can say about the Left is that they don't reproduce very much.

    I would have disputed your claim, but then I realised that you probably live somewhere where the only role the poor are allowed to have in the political process is to execute a politician from time to time.

    Your comment is a non sequitur and largely incoherent. Please allow me to be more coherent and less random by introducing the Roe Effect. Also, the proponents of zero population growth (or at least reductions) seem to come from the Left (e.g., Paul Ehrlich, Chinese Communist Party, Al Gore).



  • @__moz said:

    you probably live somewhere where the only role the poor are allowed to have in the political process is to execute a politician from time to time.
    You almost had me there.  For the privilege of executing politicians from time to time, I was just about to click the "Submit" button on InTrade to bet my life savings on Obama's re-election.



  • @__moz said:

    you probably live somewhere where the only role the poor are allowed to have in the political process is to execute a politician from time to time.

    Ours are long overdue

     



  • @topspin said:

    I generally don't like Java very much, either, but I don't think there's a reason to rage about it here. This is not your run-of-the-mill bug like you get every other week with Flash; this could have affected (and more or less did) almost all other software.

    There's a serious bug in TLS 1.0 and afaict they only used Java to get around SOP to exploit that. I'd bet you $10 they could have exploited a bug like this in Flash, too.

     

    @Medezark said:

    MOST intelligent people do hate java.
    Citation needed?

     

    I can't even format my signature correctly, and you expect me to provide citations to validate my trolling? Ok, uh - haven't read the page but it has HATE and JAVA in it .......



  • @blakeyrat said:

    @hoodaticus said:
    @havokk said:
    @Power Troll said:
    Awesome!! Hopefully they'll switch to a framework blessed by the gods themselves like Microsoft Silverlight!!!
    Which gods are you referring to? Cthulhu? Nyarlathotep?
    Shiva? Ragnarok?

    Mictlantecuhtli? Tezcatlipoca?

    Kernighan and Ritchie.



  • charlie:Hello World charlie$ ls
    Hello.class hello.java
    charlie:Hello World charlie$ cat hello.java
    /* my test java program */

    class Hello {
    public static void main(String[] args) {
    System.out.println("Hello World!");
    }
    }
    charlie:Hello World charlie$ java Hello.class
    Exception in thread "main" java.lang.NoClassDefFoundError: Hello/class
    Caused by: java.lang.ClassNotFoundException: Hello.class
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
    charlie:Hello World charlie$ java Hello
    Hello World!
    charlie:Hello World charlie$

    I just started learning Java (I have to for my uni course). Seriously, WTF?



  • @Medezark said:

    I can't even format my signature correctly, and you expect me to provide citations to validate my trolling?
    Point taken, my bad.

    @Medezark said:

    Ok, uh -
    haven't read the page but it has HATE and JAVA in it .......

    Just skimmed the headlines: talks about destructors instead of finalizers...

     



  • @charlie said:

    charlie:Hello World charlie$ ls
    Hello.class hello.java
    charlie:Hello World charlie$ cat hello.java
    /* my test java program */

    class Hello {
    public static void main(String[ args) {
    System.out.println("Hello World!");
    }
    }
    charlie:Hello World charlie$ java Hello.class
    Exception in thread "main" java.lang.NoClassDefFoundError: Hello/class
    Caused by: java.lang.ClassNotFoundException: Hello.class
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
    charlie:Hello World charlie$ java Hello
    Hello World!
    charlie:Hello World charlie$

    I just started learning Java (I have to for my uni course). Seriously, WTF?

    Did you try compiling it first, or did you just try to run a file that's not there?



  • @Sutherlands said:

    ...Did you try compiling it first, or did you just try to run a file that's not there?

    I'll forgive you as I didn't run javac, but yes I did compile it, as seen in my ls command (hello.java and Hello.class are both there). The WTF is that java Hello.class returns an error whereas java Hello successfully runs the program.

    Bonus points for linking to win32 documentation when I've used ls and cat commands.



  • @charlie said:

    charlie:Hello World charlie$ ls
    Hello.class hello.java
    charlie:Hello World charlie$ cat hello.java
    /* my test java program */

    class Hello {
    public static void main(String[ args) {
    System.out.println("Hello World!");
    }
    }
    charlie:Hello World charlie$ java Hello.class
    Exception in thread "main" java.lang.NoClassDefFoundError: Hello/class
    Caused by: java.lang.ClassNotFoundException: Hello.class
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
    charlie:Hello World charlie$ java Hello
    Hello World!
    charlie:Hello World charlie$

    I just started learning Java (I have to for my uni course). Seriously, WTF?

    Complete and utter bullshit. The program wouldn't have compiled - you have a syntax error in your main method's parameter (missing ]). Way to be a part of the problem.

