InfoWorld – clueless beyond rescue (and JavaWorld reprints it unread)

I recently stumbled across one of the most clueless Java-bashing articles ever published in a Java magazine. JavaWorld reprinted a piece (I would not call it an ‘article’) from InfoWorld called “How to kill Java dead, dead, dead”.

I don’t mind killing Java in the browser, along with Flash and all the other garbage that clogs up my CPU. I have enough bad things to say about the crapware-installing Java-Installer Oracle (and before that Sun) produces. As if there are not enough toolbars out there for unsuspecting users to catch.

No, what I despise is the level of unprofessional ranting from the intern who wrote that article. Seriously, don’t you have any journalists who know how to research an article anymore?

Java in the browser is dead. The Java security model is as flawed as the Flash sandbox model – nice idea, but once you get big enough it becomes too complex to handle safely.

But let’s wade through the article.

First, someone please explain to that guy that there is a difference between a Java JRE installed on a system and a Java Plugin added to your browser. A program on your system does not necessarily cause a problem. The problem only starts when someone from outside can run programs on your computer without your consent.

When you use your browser (the internet viewer, dear author), then that browser runs programs for you. These programs, in the form of JavaScript or Java applets, come from an outside source (the web-server) and run on your local machine. So if your browser or one of the plugins has a flaw that allows the outsider to run dangerous stuff, then he can gain control over your computer.

To fix this, fix your browser. Remove the plugins that you don’t need, block JavaScript by default (and use NoScript to enable it when needed), and you will be quite safe. When you remove the Java Plugin, then it does not matter whether your Java installation itself is unsafe, as your browser does not make use of it without a plugin.

After a few paragraphs of clueless rants, he then comes to describe how the Flashback virus was caused by a bad Java installation. Oh, my. Read the first paragraphs of the analysis of Flashback and you learn: It came as a drive-by infection via web-sites. What do you use to view web-sites? A browser. So what do you need to fix? Your browser!

The feds recommended that users disable Java in the browser, and they should. But that still leaves Java on the desktop where it can be exploited, as Mac users found out a couple of years ago to Apple’s chagrin.

Well, let me repeat. Computers do not run stuff on their own. If you are computer-illiterate it may look like it, but someone somewhere has to initiate that communication and tell your computer to invoke a program. If you don’t visit web-sites with your browser, it is unlikely that someone will do something on your system. (If you have a firewall, as Windows users affected by SQLSlammer found out.)

Apple disabled Java mainly for political reasons. First, maintaining a separate JDK fork was expensive and second, Apple wanted to foster a bit of vendor lock-in with its App-Store and hopefully everyone coding Objective-C forever. A platform independent programming system is not good if you are selling a closed platform.

On to page 2 of the article.

Websites using Java? What is this – 1999? None of the banks I know in Germany, Ireland and the UK use Java. None of the airlines I use (Lufthansa, British Airways, Aer Lingus, KLM, etc.) use Java. Heck, even Ryanair does not use Java, even though their website looks like it is from 1999.

Claiming that Java (as applet) is used for thousands of mission critical websites is probably true. The same goes for IE6 along with old ActiveX controls. Internal web-sites of companies are slow to change. But the same companies have administrators who should be able to secure their systems. As a start, they can ensure that separate browsers are used for intranet and internet. If they can’t do that, how about firing them?

(Fact: They don’t. I get two waves of spam delivered and filtered on my servers. One between 9 and 10 my time, and one between 9 and 10 US east coast time. No waves on weekends and public holidays.)

Then he goes on claiming that Java is critical and hard to disable, because of French ex-territorial voters. What? If a French person decides to leave God’s own country to live amongst English speaking people, isn’t that alone reason to take their voting rights away? Or maybe the French government is as clueless as every other government when it comes to technical decisions.

But claiming that a few thousand French people’s reliance on Java for voting every 4 years or so makes Java indispensable is ridiculous.

And he goes on that

“unscheduled outages” would be devastating if OS X and Windows suddenly blocked Java, as the feds essentially asked us to do this week.

Didn’t he state on page one that Apple, literally overnight, disabled Java in the browser? And did the world stop? How about Microsoft not shipping Java since somewhere around 2002? How did that stop the world?

And now my favorite sign that your author is not educated in computer terms:

But here’s what Apple and Microsoft can and should do: Announce that the next major versions of OS X and Windows will not run Java, period.

An operating system is not able to stop users from running software of their choice unless that system is so locked down that only approved software can run, like iOS or MacOS when you crank up the paranoid mode to only allow apps from the App-store.

I guess Apple, world dominator with ambitions, would love that model. But here’s the catch: You can only do that when you lock out everyone. No more custom software for you, naughty author. And once every computer is locked down, whoever holds the key holds the power. Yes, I know, Steve Jobs always wanted that, but I would not accept it.

And filtering it out? Apart from the legal implications of anti-competition laws, so far no OS vendor was able to filter out virus- and trojan software.

I stop here, as afterwards the poor author goes into rambling mode after exhausting any sensible argument.

I end it with the quote from the last page:

If Microsoft and Apple don’t make Windows and OS X Java-free platforms like [..] Android…

and go back to my JDK to write an Android application while it is not yet outlawed.

Lessons learned:

Now that all journalists are fired and after they moved into PR, we are left with interns to fill our brains with garbage.
And we need more regulation to get Java off the streets, so that kids can start playing with guns instead of applets.
And the world would be a better place if computers were not allowed to run dangerous stuff, so guvn’r please rescue us.

This entry was posted in Rants by Thomas.
