On two occasions I've had trojan invasion from java scripts. One was from mickysoft and the other from a NZ site I'll not name right now ... no, no .. not here though! You should be able to access the features of any web site without needing java at all. It is only poor coding that encourages the increasing use of java. When WinXP was in beta it was to be released without java but the uproar was so intense that mickysoft had to include this along with other security holes in their software. You can't use hotmail, mickysoft software update or many other sites without java being enabled. IMO the best, and likely more secure sites, don't use java.

Yup the most secure web sites use text, with none of this fancy HTML coding crap, except for the odd link to other pages ;)

The problem is that website developers want to make the site have all sorts of bells and whistles which can't be done with HTML, so they start putting in Flash, java and activex code but then they start doing all the simple things like hyperlinks and all that in the code rather than good ol' html, meaning longer page load times and problems between different platforms/versions of java(1.1, 1.2, 1.3) and all that. Javascript was also designed to be secure and not allow access to local resources like disks printers etc, but of course people find ways around these things...

Anyway I think you'll find MS sites require Activex scripts, not javascript, although the line between the two is exceptionally blurred.

This is a webmaster and programmer speaking.

Normally yes. Always no.

There are MANY, MANY things HTML can't do. HTML is a simplistic static sublanguage of SGML, and as such is relatively limited. It's fine if you want to broadcast information to everyone. For almost anything else, it's undesirable in some form or another.

Java is very secure - a f**k lot better than C, C++ and half the other languages on the planet anyway.

Java is portable, platform independant, bla bla - ( I'm sounding like a Sun rep now :p ). In short, MS would be ostracising many customers by going with anything else. And CGI is a mess.... a good mess, but alas a mess for projects on the scale they're dealing with.

And you seem confused. MS didn't finally decide to go with Java. Rather, they almost didn't get it - their license to use Java was revoked by Sun after several gross contract breaches by Microsoft.

And are you SURE you got a virus directly FROM Microsoft? I'd almost bet money you didn't.....

AAAANNNNDDDD - Java, JScript, JavaScript etc are all completely DIFFERENT. They're not interchangable terms for the same thing - make sure you know which one you're talking about.

Website designer talking here:

Javascripts can only call client sided events and does not allow the use of server side interactions. Javascript is a script which once loaded will only act on the client side, such as that you can't directly interact with the server [i.e the web site] through javascript. Javascript can't even read files such as text files, let along write to files. Javascript is a very watered down type language and it is easy to create effects through javascript than with anything else in a website since its benefits overcome it's size [it's a few kb's of code compared to a few hundred kb's of Flash]. This is what I know about Javascript.

Java is totally different again, it's precompiled Java, so it is a much stronger language but I believe it is this one that 'hackers' [usually smart-alec 12-13 year-olds, who want to feel big cos they can try hack us l33ts] use to try to corrupt your files and the likes.

In the end, I usually try to use caution when finding sites with large amounts of Java and ActiveX, but I don't worry too much when surfing Javascript. Also what kind of site were you surfing? Respected sites such as sites from GameSpy usually tend not to have problems like this, sites such as user ones like Geocities are prone too all sorts of things.

Javascript is fine for me. And I usually treat Java and ActiveX's with caution. I was attacked by a FLASH 'virus' the other day.

Originally posted by KingJackal
This is a webmaster and programmer speaking.

Java is very secure - a f**k lot better than C, C++ and half the other languages on the planet anyway.


And are you SURE you got a virus directly FROM Microsoft? I'd almost bet money you didn't.....


You are a programmer as you confess so its not surprising you would support what pays you. I have java disabled and I get no trojans ... I rest my case.

One trojan certainly came from MS .. there was a warning later on their site about just that. MS products in general are known for their poor security. Of course other OSs have security holes but usually not so many or so damaging.

Originally posted by Solid Snake
Website designer talking here:

Java is totally different again, it's precompiled Java, so it is a much stronger language but I believe it is this one that 'hackers' [usually smart-alec 12-13 year-olds, who want to feel big cos they can try hack us l33ts] use to try to corrupt your files and the likes.

These kids are smart so how is it possible to redirect their damaging behaviour towards something constructive? I know that some or the "smartest" hackers have become the most innovative and and informed security consultants.

Originally posted by BeachBum
You are a programmer as you confess so its not surprising you would support what pays you. I have java disabled and I get no trojans ... I rest my case.
so what tells you that you are getting trojans? Some moron wanna-be security product like blackice? I have javascript enabled and i get no trojans, i have java installed with default settings and I get no trojans... i rest my case. Oh, and yes I do feel very safe and secure on the internet.. I'm sitting behind a smoothwall box and have NAV2003 beta installed and running MS products in general are known for their poor security. Of course other OSs have security holes but usually not so many or so damaging. [/B] have a think about it... how many pc's are equipped with win, now have a think about how many are equipped with *nix or *bsd... do the maths.. i think you'll find that the considerably larger userbase of win allows for more probability of security flaws being found... Also realise that nothing is perfect. lunix will not save your gumboots from the evil garden gnome who looks like evil satan bill gates, no matter what slashdot tells you
These kids are smart so how is it possible to redirect their damaging behaviour towards something constructive? I know that some or the "smartest" hackers have become the most innovative and and informed security consultants.
this is usually based on them growing up emotionally.. has a low chance of happening.

and finally, i'd like to clear this up, read carefully
JAVA != JAVASCRIPT
this means that java is not equal to javascript, they are not the same thing and never will be.

Originally posted by whetu

so what tells you that you are getting trojans? Some moron wanna-be security product like blackice? I have javascript enabled and i get no trojans, i have java installed with default settings and I get no trojans... i rest my case.


I use PC-Cillin which isn't bloat ware like NAV or McAfee. Whether you get trojans or not isn't really important. What is important is that I've had trojans and do not get them with java disabled. You make your money selling java code, scripts and whatever. I make mine, such as it is these days in research, mostly on the net. If I say I get trojans via java and you say you don't then all that suggests is that you are not particularly aware of security and have perhaps not experienced the invasive effects of trojans. As I mentioned the MS WinXP update site warned that there was a trojan that was spreading, possibly from their site. It was from MS, even they admitted it, otherwise is to be blind to what security is all about. Paranoia is one thing but good security practises are something else.

Originally posted by BeachBum
I use PC-Cillin which isn't bloat ware like NAV or McAfee.
misconception #1: Everything from MS or another large company like Symantec must be bloatware
truth: wrong, wrong and wrong. Joel Spolsky (www.joelonsoftware.com) said it best:
Joel who is a smarty man wrote:
But seriously, Moore's law makes much of the whining about bloatware ridiculous. In 1993, Microsoft Excel 5.0 took up about $36 worth of hard drive space. In 2000, Microsoft Excel 2000 takes up about $1.03 in hard drive space. All adjusted for inflation. So stop whining about how bloated it is.
and later on...
Well, most people with encyclopedias only look up 0.01% of the topics in the encyclopedia. But would you rather have the Encyclopedia Britannica or would you rather have a lightweight brochure containing the top 100 topics? (You might answer: on a camping trip, I'd rather have the lightweight brochure. Fine. Get the brochure for your camping trip. But at home, where all that 'bloatware' isn't actually costing you anything, you want the full edition.)

Or, here's an argument that even the youngest slashdotters will understand. The WWW is bloatware. Finding things is impossible because there's so much stuff out there. Think how much hard drive space is wasted on all kinds of web pages that only .00000000001% of the world ever reads. Since the vast majority of people only go to Yahoo, Ebay, and MSN, wouldn't the WWW be better if it only had Yahoo, Ebay, and MSN? It would be much more "optimized."

It only matters if you're being silly and trying to run win2k/xp on 64meg of ram (eg when every spare meg of ram counts)... if like me you have bucketloads of ram, will you notice the difference? nope. never. period.
Whether you get trojans or not isn't really important. What is important is that I've had trojans and do not get them with java disabled. Erm, excuse me but it is important whether or not I get them.. otherwise I wouldnt consider it an issue (as it would thus be unimportant:rolleyes: ).
You make your money selling java code, scripts and whatever. Actually I make money training computer n00bs how to type and use software packages... I am not a programmer and do not make any money by selling any kind of code. I am in a neutral position on this matter and am merely stating an unbiased view to correct your misconceptions, assumptions and regurgitations.
I make mine, such as it is these days in research, mostly on the net. If I say I get trojans via java and you say you don't then all that suggests is that you are not particularly aware of security and have perhaps not experienced the invasive effects of trojans.Sorry if this seems forward but LOL. I am more aware about security issues than you seem to be... for someone who makes money doing research, you dont seem to have researched PC security very well and didnt research AT ALL in your response. (Note I used all the magic of the google to dig up exact quotes from Joel earlier, which suggests I did research ;))

Here's a hint: www.smoothwall.org

False: I am not aware of security and have not experienced a Trojan.
Truth: I have better security than you, and have more experience with dealing with various virii than you.

Paranoia is one thing but good security practises are something else.Exactly... you are missing the point that my security practises are better than yours, hence I have not received any virii in months. I would go so far as to say that you are a perfect example of paranoia vs practises.. with you being captain paranoid himself.

Sorry if this seems harsh, but before you go and accuse me of something.. it would help if you got your story straight ;)

LOL.. hehe i have to wonder from your posts if you walk around with tinfoil on your head, have surrounded the outside of your house with 3metre barb-wire fences, and pick up your telephone with oven-mits as you read once that some guy got electructed by using his phone....

But seriously, there are many problems with your origional post and subsequent posts:
- Your posts contain errors, ie Java vs JavaScript.
- You made wild acusations without any proof (URL's from reputable news sites backing up your cliams would be a good start).
- When confrunted with questions, you didn't answer any and instead repied with more acusations.
- In your replies you clearly show that you have no time for what others have to say, and didn't acknowledge anything possibly wrong that may have been pointed out.




As already mentioned, JavaScript and Java are not the same thing.

JavaScript in this instance is a client-side scripting language. When used in an HTML page, it only has access to objects contained in the current browser window, and does NOT have access to the local machine. It is able to interact with any HTML items that may be on the page through the document's DOM. These may be things such as HTML select boxes, blocks of text, or images. The code may also change things such as the browser status text, size or position.

You could not use JavaScript to say open a file on a users computer or view information in the registry, as it is technically impossible to do so. Even if you could, because the code would be run on the clients machine, you would then have to somehow send that information to a server or other machine elsewhere.

There are many reasons for developers choosing to use JavaScript in their page. They may want to develop a menu that expands and collapses as you move over parent/child items. They may want to check what a user entered on a form before they submit it and provide quick feedback, to save a server-round trip. JavaScript would be used on alot of sites that you visit frequently. Have you ever seen a site where if you move your mouse over an image, that the image changes?? It is likely that this was implemented with JavaScript. Even on this site, when editing a message you will notice that above the editing screen, when you move your mouse over the buttons such as B I U Size, etc, that the text below it changes. This is done with the help of JavaScript.

Java on the other hand I don't know too much about, so what I post may be incorrect, and if so could someone please point any problems out. From what I understand, there are different types of java "applications", or different enviroments in which java could be used. Two of these being java applets and java aapplications.

For most websites you visit, they will be using Java-Applets which are run inside the web browser, through "embedding" (not correct word, but will do :)) them in the HTML page. These Java-Applets run in a sandbox and only have access to other items in the same browser window, similar to JavaScript contained in an HTML page. Again it would not be possible to access your machine from a Java-Applet. One could implement a Tic-Tac-Toe game using a Java-Applet. I don't know if there is such a thing as a signed java-applet that might possibly be allowed more access to the local machine.

Java Applications would be no different than say other applications on your computer. They would need to be downloaded and executed, and once executed would have as much access to your machine as any other application would that you choose to run.

ActiveX again is different. ActiveX contols do have access to the local machine - as much acess as the currently logged on user. For this reason, ActiveX controls could be malicious. As a precaution, and by default, Internet Explorer does not allow the downloading or running of unsinged ActiveX controls. If a control is signed, then Internet Explorer by default will prompt you, asking you if you would like to install/run the control. At this point, information on the publisher is presented and it is upto the user to determine if the code should be allowed to run. Since ActiveX controls have access to the local machine, they are generally used for different purposes than JavaScript or JavaApplets. Windows Update as an example is implemented through the use of an ActiveX control. For an intranet evironment it might be very useful to use an ActiveX control in your site.

All three of the above have their uses and places in web development. Generally thou, for Internet or pubically accessible sies, developers will try to use only features that are supported by the majority of projected site visitors - unless something really requires some feature to work. JavaScript when used correctly helps to increase the users experience, and without it, things would be well boring in some circumstances. Using something that potentialy increases the users experience does not make the developers sloppy.

However, for Intranet sites, or sites that may only be visible to employees in a company on the companys network, developers may choose to more actively use these technologies. This is because usually it is known what browser all desktops will be using, and as such the developers can take full advantage of the features offered by that browser - to make both their life easier, and the users experience better.

I am a programmer and have worked developing both Internet and Intranet sites.

In your first post you mention the JVM. This is what you MS "left out" of Windows XP, almost implying its because they thought it was silly or buggy or something, or because people are realising there are problems, I dont' really know what you were implying. Either way, the reason MS didn't include it I think has more to do with a recent ruling after Sun took MS to court. I think MS isn't allowed to update their JVM, which is now quite outdated, and even then is only allowed to ship it until a set date. This may have been MS's way at taking a hit at sun. Either way, MS's JVM is not the only JVM in town. One could easily download another JVM say from Sun, or a JVM could be packaged with an application you buy/download/etc. The JVM was not fully removed either, as to my knowedge, if you went to a site that used Java Applets (remember applets, not javascript :)) then the browser would have prompted you and asked you if you wanted to download the JVM. Sort of a like an install-on-demand approach.



Just because a technology has the potential to cause harm then that does not fault the technology. It faults the person that used the technology to do that. Not all programmers are out there to cause problems, and programming languages/enviroments are not created with mischief in mind - they are not created so all the would-be hackers of the world can use it to annoy people. People can get killed by idiots driving cars while drunk - does this make cars a bad invention, and does this mean that cars are esentially flawed? Cars were certinately not created with the intention of being used to kill people, they were created with the intention of being a form of transport.



You mention trojans, yet you don't give any specifics. What were they, how did you know you had a trojan, and how were you so sure as to where they came from? More details would be appreciated.



I am confused by your constant reply along the lines of "you will back what is paying you". What are you implying here? That everyone must be working with unnamed technology x? How can you not even know anyone yet make acusations like this, and also assume we are backing up something that we ourselves know are bad. This is what you are implying, you are implying we know its bad, but we use it anyway because it pays the bills.


I would like to see you prove me wrong and try and answer some of the questions put to you.

I think you'll also find that a HUGE proportion of sites use javascript web monitoring (which you will never actually notice) ;)

Thanks for saying the same things my much shorter post said, DiSCLAiMER :p :p
:D

I believe it IS possible to gain access to files in a Java Applet. You shouldn't be able to, ( it's an illegal function of the language - breaking its own designs ) but it IS possible to a limited degree via a couple of little loopholes.

Alas, teh [H]a><0r is now rusty, and I'd have to go read up again to find them - but I know it IS possible ( Applets, not Script, as you obviously realise ).

BeachBum, I don't suppose you have a link to the MS knowledge database articles mentioning the MS-Trojan that works via JavaScript?
( In case you're wondering, the MS knowledge database is notoriously hard to search, you can spend fruitless hours there.... :( :rolleyes: )

Thanks for saying the same things my much shorter post said, DiSCLAiMER
LOL, yea I kinda started writing and forgot to stop, even thou I realised most stuff had been said before.. hehe the stuff you get upto when your bored I guess :)

The net is an unlimited source of reference material both to support or refute any thesis. I've only spent a little time collecting the few pointers towards enhanced security that are noted below but am convinced that although the visual experience of the net may not be as spectacular with java disabled it is both faster and more secure.

I admit to much confusion between the various forms of java but then I'm not a professional programmer or security consultant. I *am* aware of security issues though on my own equipment and am appalled by some advice I have heard relating security to access to dubious sites. Be safe, do your own research.

Here are a few quotes:-

"Chapter 3 delves more deeply into the existing Java security model by focusing attention on some of the well-publicized problems that have been discovered. This is where our discussion of hostile applets begins. We introduce some terminology that divides hostile applets into two camps --- very dangerous attack applets that involve security breaches and merely annoying malicious applets that are more of a nuisance than anything else."

http://www.cigital.com/javasecurity/preface.html

"The Java(tm) language allows Java-compatible Web browsers to download code fragments dynamically and then to execute those code fragments locally. However, users must be wary of executing any code that comes from untrusted sources or that passes through an insecure network."

http://www.w3.org/Conferences/WWW4/Papers/197/40.html

"A collection of increasingly hostile applets put together by Mark LaDue, a graduate student at Georgia Tech. In our terminology, these are all malicious applets.
Georgia Tech kicked Mark off their site, so his page is now hosted by Reliable Software Technologies, though Mark retains complete editorial control over content and RST does not endorse or necessarily agree with his opinions."

http://www.cigital.com/javasecurity/applets.html

now we are getting somewhere (albeit FINALLY :rolleyes: )

I'm sure the discussion here is erudite yet somehow I know that if I want to truly understand the implication of java on security then I'll have to do my own research. I think that I've learnt less about java here than I have about the people who have responded to my original post. Perhaps that is the way of the technocrats, and I mean no poor reflection of anyone here.

It is hard enough keeping up with the changes I've seen in technology but somehow refreshing to reflect that the people managing, or at least trying to, these wonderful innovations have remained static. For a knowledge economy to succeed we really need people who have a more encompassing view other than what they learnt at university or polytech.

Good luck with your java whether it be script, interpreted or compiled. I have security at heart. Both my son and son-in-law are security advisors so I suppose it must rub off on the old man eh? :)

we really need people who have a more encompassing view other than what they learnt at university or polytech.

wrong place to say this ;)

disclaimer for example has NO formal programming qualifications, he is self taught.

most people here have an intense interest in computers, it is their hobby, their knowledge comes from reading around many places outside what they learn at tertiary level.

If I regurgitated what I'm being taught at tech right now, I'd be a laughing stock. Fact is, I am relatively self taught at computers and overclocking, I would have a student loan of 40-50,000+ if I had formally learnt what I currently know.

Furthermore, tertiary institutions dont really teach you much about computers.. they primarily train you to be an efficient independant studier, because that's one of the biggest things about this fast moving industry: you gotta do a sh*tload of reading and study to keep up.

your statement would be better suited to say.. the pc section of the trademe community message boards

The main issue with this thread is you havent acknowledged an understanding that javascript has absolutely nothing to do with java, until that issue gets closure, most of the guys here wont be bothered continuing on helping.

Take a look in the general help or troubleshooting boards, there are threads entitled "how to ask questions the smart way"
You may learn a few things about how to communicate effectively with computer geeks.

So, how many portscans have you had today?

lol

OK, I'm just gonna say something here....

I hate poorly coded Javascript, and excessive/bloated Flash and other active content(56k user here0. It is just a pain, especially I often see a site where even the links are done by javascript, but it is somehow coded wrong and nothing on the site works properly, this is just plain old incompetence on the part of the web designer rather than a problem with javascript itself(ok maybe not entirely with the designer, it may have been corrupted somehow or something but you get my point)

I blame frontpage...pox on wysiwyg :).. pox on cluttered sites...

script kiddies don't need to be bright (hell poision could be one :) ), they just need to know how to follow instructions

I suppose if you look long and hard enough at any topic you may find references that will both refute or substantiate any claim. Politics is about just this. Security is an intense and deep issue and likely to remain so as long as there are those who threaten it. What is there to admire in those that hack into others computers?

Here is a quote from an article I read recently ...

"Since the introduction of Java Script, the language has been plagued with security concerns. The problems stem from the nature of JavaScript, which allows executable content to be embedded in web pages. Therefore, security precautions are required to prevent malicious code from entering, executing, and retrieving data from the underlying system. Over the last several years, numerous bugs have been discovered relating to this issue. Some of the primary issues are listed here: "

http://polaris.umuc.edu/~mgaylor/Issues.html

Somehow, somewhere someone is making money through inappropriate use of the net. To counter the hackers and virus/trojan writers there are companies who develop smarter firewalls and antivirus programs. It is cyclic ... like upgrading your PC :-)

Originally posted by varkk
OK, I'm just gonna say something here....

I hate poorly coded Javascript, and excessive/bloated Flash and other active content(56k user here0. It is just a pain, especially I often see a site where even the links are done by javascript, but it is somehow coded wrong and nothing on the site works properly, this is just plain old incompetence on the part of the web designer rather than a problem with javascript itself(ok maybe not entirely with the designer, it may have been corrupted somehow or something but you get my point)

Agree totally! I use hotmail, many do and I really hate waiting for all the advertising crap about xtra and MS partnership to load. Not only the time wasted but, as you say, the errors in the scripts. Is this a reflection of those doing the codeing, the perceived need for flashy visual web sites or a broader picture of the web out of control?

Originally posted by BeachBum

I use hotmail

Oh....


*Hands BeachBum a sympathy card*

I am a java developer by choice.

IMHO java applets are (or at least should be) a dead technology. They very rarely offer anything that cannot be achieved without competing technologies (i.e. scripting, DHTML, Flash or templating (ASP,JSP,PHP etc)).

Java should be kept server-side in the form of JSP engines and J2EE containers.

Originally posted by varkk


Oh....


*Hands BeachBum a sympathy card*

rofl ... I reckon :eek:

Somehow, somewhere someone is making money through inappropriate use of the net. To counter the hackers and virus/trojan writers there are companies who develop smarter firewalls and antivirus programs. It is cyclic ... like upgrading your PC :-)

some of the hackers and virus/trojan writers are the people who develop smarter firewalls and antivirus programs... find a few holes, get your name on buqtraq a few time and someone will offer you a four figure salary

4 figure salaries? Don't you mean 6 :D ;) :p.

The thing is do you trust a hacker's firewall. I mean a firewall would be a good program to make as spyware, because everyone trusts it.

Originally posted by Wibber


some of the hackers and virus/trojan writers are the people who develop smarter firewalls and antivirus programs... find a few holes, get your name on buqtraq a few time and someone will offer you a four figure salary

Mmm ... I could do with some of their expertise. I had 40 port scans today along with 4 "new" trojans .. ones my firewall doesn't know about yet but the virus scanning program thinks it does. Its depressing. How do I know what these things are aiming at on my system? These were executables dled into my IE cache .. something that is not supposed to happen .. but did :( It seems several sites I visit have been hacked today, certainly they behaved in a very strange way. Perhaps that is where the trojans come from? I don't visit those sites that seem to be so poplar among certain of our school teachers :o Do those particular teachers want more money too? :( :( I suppose there is a bright side to it all in that as you say some of the virus/trojan authors do turn into something better.

don't worry about being port scanned, 99.99999999% of the time nothing will come from it, that is becuse 99% of hackers are just script kiddies looking for a box that is vulnerable to an exploit they know how to do, the other 1% that know what they're doingalmost certainly don't want anything from your machine, so wouldn't bother trying to crack it.
you must get a crud load of mail if you were attacked by four trojans, if that's the case you probably don't need a virus checker as much as you need a spam filter :). more likely, as they are "new" trojans, you probably paranoidadly set you scanner to aggressive heuristics and its just warning you that some code could be malicious when its not :)

It seems several sites I visit have been hacked today, certainly they behaved in a very strange way. Perhaps that is where the trojans come from?
yeah man, never trust a p0rn site :)

Originally posted by Wibber
you must get a crud load of mail if you were attacked by four trojans, if that's the case you probably don't need a virus checker as much as you need a spam filter :). more likely, as they are "new" trojans, you probably paranoidadly set you scanner to aggressive heuristics and its just warning you that some code could be malicious when its not :)

You know xtra have just announced that they are filtering all email b4 distribution. Wonder if they are using a coffee filter ... :D

What you say is true for how am I to know what is harmful and what is not when firewall, virus scanner or whatever announces this? I suppose I could spend hours looking to see what the suspect file is trying to access but I've better things to do so just remove anything that the software has declared as suspicious. I am paranoid about security but not because there is anything on my machine that could cause the next war, unseat a government or demonstrate how to genetically engineer hops into something else altogether. :D Yeah, and it is backed up to CD-ROMs. :)

Originally posted by BeachBum
I am paranoid about security

Let me get this straight, you are "paranoid" about security yet use internet explorer?

Originally posted by haytona


Let me get this straight, you are "paranoid" about security yet use internet explorer?

Eh? Would you use netscape then? :eek: Yeah, I know there are lots of browsers to choose from these days but it seems to me that those I've tried have their own and different problems regardless of security issues. No, I'd never claim IE is either secure or stable. :( I've tried Mozilla, Netscape & Opera and thats about it. What else is worth a try? With WinXP you can really remove IE, not just a pretend. You know the saying: double your free disk space ... delete windows. :D