For those who aren't familiar with the term, "yellow journalism" was a moniker
applied to articles (in newspapers, at the time) that were written with little
attention to the facts, and maximum attention to gathering attention and selling newspapers.
Articles were sensationalist, highly incorrect or unvalidated, seeking to tug at
the emotional strings the readers would fear or want pulled. Popular at the turn of
the last century, perhaps the most notable example of yellow journalism was the sinking
of the Maine, a US battleship that exploded in harbor while visiting Cuba
(then, ironically, a very US-friendly place). Papers at the time attributed the explosion
to sabotage work by Spain, despite the fact that no cause or proof of sabotage was
ever produced, leading the US to declare war on the Spanish, seize several Spanish
colonies (including the Philippines in the Pacific, which would turn out to be important
to US Pacific Naval interests during World War Two), and in general pronounce anything
Spanish to be "enemies of the state" and all that.
Vaguely reminiscent of Fox News, now that I think of it.
In this case, however, yellow journalism meets the Web in two recent "IT magazine"
pieces that have come to my attention: this
one, which blasts Sun for not rolling out updates in a more timely fashion to
its consumers, despite the many issues that constant update rollouts pose for those
same consumers, but more flagrantly, this
one, which states that Google researchers have found a vulnerability in the Java
Runtime Environment that "threatens the security of all platforms, browsers,
and even mobile devices". As if that wasn't enough, check out these "sky-is-falling"
quotes:
"'It’s a pretty significant weakness, which will have a considerable impact if the
exploit codes come to fruition quickly. It could affect a lot of organizations and
users.'"
"... anyone using the Java Runtime Environment or Java Development Kit is at
risk."
"'Delivery of exploits in this manner is attractive to attackers because even though
the browser may be fully patched, some people neglect to also patch programs invoked
by browsers to render specific types of content.'"
"... the bugs threaten pretty much every modern device."
"'... this exploit is browser independent, as long as it invokes a vulnerable Java
Runtime Environment.'"
"... the problem is compounded by the slim chance of an enterprise patching Java Runtime
vulnerabilities."
Now, I have no problems with the media reporting security vulnerabilities; in fact,
I encourage it (as any security professional should), because consumers and administrators
can only take action to protect against vulnerabilities when we know about them. But
here's the thing: nowhere, not in one place, does the article describe what the
vulnerability actually is. Is this a class verifier problem? Is this a buffer
overflow attack? A luring attack? A flaw in the platform security model? A flaw in
how Java parses and consumes image formats (a la the infamous "picture attachment
attack" that bedevils Outlook every so often)?
No details are given in this article, just fear, uncertainty and doubt. No quote,
no vague description of how the vulnerability can be exploited, not even a link to the
original report from Google's Security team.
Folks, that is sensationalist journalism at its best. Or worst, if you prefer.
Mr. Tung, who authored the article, should have titled it "The Sky is Falling! The
Sky is Falling!" instead. Frankly, if I were Mr. Tung's editor, this drivel would
never have been published. If I were given the editor's job tomorrow, I'd thank Mr.
Tung for his efforts and send him over to a competitor's publication. Blatant, irresponsible,
and reckless.
Now, if you'll excuse me, I'm going to try and find some hard data on this vulnerability.
Any vulnerability that can somehow strike across every JVM ever written (according
to the article above) must be some kinda doozy. After all, I need to learn how to
defend myself before al Qaeda gets hold of this and takes over "pretty much every
modern device" and uses them to take over the world, which surely must be next....