
U.S. Attacks Java

Homeland Security says it’s Zero Dark Thirty for the software

“Unless it is absolutely necessary to run Java in web browsers, disable it.” That’s the word from the U.S. Department of Homeland Security’s Computer Emergency Readiness Team, as posted two days ago on its website.

Ouch. It’s rough when your own government tells you that software is bad for you.

This isn’t the first time DHS has launched a drone strike on Java, either. Oh, no. This is just an update of an earlier post that warned citizens away from Java, saying that bugs in the program were being exploited to commit identity theft and other crimes.

Oracle (now the owner and keeper of Java) released an emergency update to Java after the first government wave-off. But DHS isn’t impressed. Even after the patch, they’re still telling users to jettison Java.

I almost feel bad for Oracle. They’re in a tough spot, what with the government warning people that their product is hazardous. If only someone at, say, Philip Morris could help them deal with this dilemma.

I’ll be honest: I’ve never liked Java, and this latest brouhaha just confirms my long-held bias. Java is a virus-implementation language, pure and simple. It’s slow, pointless, slow, needlessly complicated, slow, resource-hungry, and slow. It’s evidently buggy, too, but so is most software, so I can’t really whack Oracle for that. Oh, wait—yes I can. Java is enabling identity theft, credit-card fraud, and general malfeasance sufficient to attract a public warning from the Federal Freaking Government! That’s about as spectacularly untrustworthy as you can get.

It also seems supremely unnecessary to me. What is the point of Java again? Oh, yeah—to allow programs to run on any platform, anywhere, regardless of processor, hardware, or operating system. “Write once, run anywhere,” right? How’s that working for you?

Last time I checked, there wasn’t a single Java program anywhere that ran on every Java platform. I don’t think even the Java version of “hello, world” works everywhere. There are just too many variables, and trying to create an entire virtual machine on top of a real machine is like building a house of cards in a moving airplane. A biplane. While flying upside-down.

Since embedded designers generally know what hardware/software platform they’re targeting, they have no particular need of Java. On the contrary: Java just adds another layer of software, indirection, and unpredictability between them and their system. Platform-independence, if it even existed, is largely irrelevant.

At the other end of the spectrum, we’ve got desktop programmers targeting PCs, Macs, the occasional Linux box, and whatever other desktop environments still exist. They also know their platforms pretty well. PC architecture hasn’t changed in a couple of decades (it just seems like centuries), and Mac APIs are pretty well-understood. So what incentive do these guys have for chasing platform independence? There’s a reason we don’t see Java-based games or serious applications.

In the middle we have smartphones, most of which run Android, most of which run third-party apps, most of which use Java. With the plethora of different Android-based phones, I can see the allure of Java for reaching the largest customer base possible. But doesn’t that putative independence also exact a big toll on performance, capability, and size?

For most embedded developers, efficiency is important. Maybe not the most important thing—that would be schedules—but right up there near the top. Reliability is also key, and for life-critical systems, the overriding concern. And cost. And determinism. And so on. None of which bodes well for Java in embedded systems. To host Java, you need a biggish system, a lot of memory, and a lot of patience. It’s fine for adding clever animation to the occasional web page, but it’s a poor excuse for a real platform when developing embedded systems.

And according to the guys who tap phones and chase terrorists for a living, Java’s also a security risk. In this case, I’m inclined to agree. 

7 thoughts on “U.S. Attacks Java”

  1. Hi Jim, I wholeheartedly disagree. I switched a lot of my applications written for Visual C++ over to Java because I got tired of being forced to adhere to Microsoft’s pWhimOfThis->year. I invested in MFC coding at Qualcomm, then MS started advertising Java as the next big thing in Help, showing analogs of the Classes for both languages, then the big .net / Java fallout. And now we have to drink the Kool-Aid of Silverlight and whatever they think we should conform to next. I currently program in MS C++ and Java about 50/50 for my daily needs.

    Many of your blanket statements about Java not working out, or not used in major applications are screaming that you don’t really know much about Java. Sorry I like you, but disagree.

  2. The original JDK 1.0 security model was to create a “sandbox” for unsecured/untrusted code.

    However, that was abandoned, and in the end, network-loadable Java applications with extensive system access became click to install (and bypass all security) as the accepted norm.

    Sorry … time for Java to go, because the designers forgot the stated security part of its mission (which was the justification for its existence), and created yet another malware vector for small children (and non-technical trusting adults), with click-to-install Trojans along with their desired games or activity.

  3. You do not appear to make any distinction between Java and JavaScript, quote: “It’s fine for adding clever animation to the occasional web page…” The DHS concerns seem to be about Java and not JavaScript (specifically mentioning browsers with a Java plug-in). Can you please clarify?

  4. Dyson: I don’t think anyone is complaining about JavaScript … It’s not Java at all, does not require the Java VM, and doesn’t have the features that create the security problems.

  5. Studley-

    What I’m hearing is that Java is better than Microsoft. You’ll forgive me, but that’s faint praise. Microsoft’s attitude toward APIs is all over the map, as you point out. Multiply that frustration for embedded development.

    As a third option, there are many embedded operating systems that have solid APIs, deterministic performance, good development tools, and zillions of working installations. Express Logic, Green Hills, Micrium, LynuxWorks, and dozens of others have many happy customers, and all without either Java or Microsoft.

  6. Hi Jim, Not exactly saying that. I do use both daily for my own PC based apps and utilities.
    Each has its strengths, but Java has a better track record for not pulling the rug out and forcing a new porting effort for older tried and true programs I’ve written in the past when I revisit them to add a feature.

    For Embedded (whole different animal), I have used many of the ones you mention. I like rolling my own for simple things (state-based) and Micrium (uCos) from Jean Labrosse has great documentation. We used (and debugged) Mentor’s Arm offerings at Hypercom. I have a BlueCatRt diploma from LynuxWorks.
    See:
    http://www.infoworld.com/d/application-development/java-tops-c-in-language-popularity-assessment-not-much-185808?source=footer

    I just think a blanket statement saying Java is not popular (sorry, it’s one of the most widely used languages out there) and should go away used is not good and reeks of some SW-political overtones.
    Java’s ability to escape the browser’s control IMO is a failure of the browser’s sandboxing or JavaEngine implementation and yes Oracle needs to fix some things, but an exploit can be written in any language. Both Java and JavaScript are being targeted (as opposed to some odd claims above) and I challenge you guys to disable it in your browsers and surf. Many sites like Google, Gmail and others will not work in any but the most basic modes. It’s a good discussion but I ask you all to be open minded. Thx -Lee Studley

  7. An article “Java security settings can be ignored by malware” in infosecurity is pretty blunt.

    For me it’s pretty difficult to trust the engineers and company behind a product that is sold based on the foundation of being a secure sandbox, that is anything but secure. Freckin clueless.

    So are the developers that are still claiming sandbox security exists.
