[jitsi-users] Jitsi and Java


#1

So most of you probably already know about how much trouble Oracle has had with Java exploits lately. With so many problems, I'm finding it harder and harder to justify keeping Java on my system just to run Jitsi, or recommending Jitsi to my privacy-concerned friends, clients, and family.

How is everyone handling the exploits? Are you moving away from Jitsi? If so, what are you moving to? If not, what are you doing? Keeping up with patches simply isn't enough anymore. What are the chances of Jitsi moving off of Java?

Thanks!
Anthony


#2

In fact, this is a very good point to make.

Why does everything have to use Google, or Oracle, or any of the others that gather information as a main function?
Is it that impossible to build cool tools without having to have Java or Flash and countless other things which end up being dependent on software supplied by such companies?

···

From: Anthony Papillion

Sent: Thursday, September 27, 2012 2:05 PM
To: Jitsi User List
Subject: [jitsi-users] Jitsi and Java



#3

Listen, troll, the problems were related to the browser plug-in,
NOT the JRE itself. Running Java apps (if you disable the browser
plug-in) has NO EFFECT WHATSOEVER related to the latest scaremongering
articles.

Last week there was a 0-day exploit that Microsoft knew about for MONTHS, yet
they only fixed it after it was publicized. Do you advise people to
"remove IE from Windows" too?

FC

···

On Thu, Sep 27, 2012 at 4:05 PM, Anthony Papillion <anthony@papillion.me> wrote:

So most of you probably already know about how much trouble Oracle has had
with Java exploits lately. With so many problems, I'm finding it harder and
harder to justify keeping Java on my system just to run Jitsi or recommended
Jitsi to my privacy concerned friends, clients, and family.

--
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell


#4

Hey Anthony,

So most of you probably already know about how much trouble Oracle has
had with Java exploits lately. With so many problems, I'm finding it
harder and harder to justify keeping Java on my system just to run Jitsi,
or recommending Jitsi to my privacy-concerned friends, clients, and family.

This is important indeed so let me be as clear as possible:

The so called "Java" vulnerabilities that have been surfacing lately do
not impact Jitsi in any way whatsoever.

Those vulnerabilities occur in browsers. Browsers download and execute
code from wherever the user points them to. Some of that code can turn
out to be malicious and end up compromising your system.

There is nothing even remotely similar in Jitsi. The only application
that the JVM in Jitsi is going to execute is Jitsi itself. That's it!

Unfortunately the news agencies announcing the issues have been
oversimplifying them as "Java" vulnerabilities, which is misleading
to say the least. Use of Java in the browser (which is the only case where these
issues occur) is way less popular than its use for server and desktop
applications, and neither of those is impacted by these security
vulnerabilities.

Emil

···

On 27.09.12, 21:05, Anthony Papillion wrote:

How is everyone handling the exploits? Are you moving away from Jitsi?
If so, what are you moving to? If not, what are you doing? Keeping up
with patches simply isn't enough anymore. What are the chances of Jitsi
moving off of Java?

Thanks!
Anthony

--
Emil Ivov, Ph.D.        67000 Strasbourg,
Project Lead            France
Jitsi
emcho@jitsi.org         PHONE: +33.1.77.62.43.30
https://jitsi.org       FAX:   +33.1.77.62.47.31


#5

Do you advise people to "remove IE from Windows" too?

Great idea, why didn't I think of that! ;)

···

On 9/27/2012 1:28 PM, Fernando Cassia wrote:



#6

Hi Emil,

You're very correct in stating that the vulnerabilities are indeed in
the browser. I should have clarified that in my post and I apologize for
any confusion I caused by not doing so.

But here's my concern: arguably the web browser is the most publicly
facing and largest attack surface on a user's machine. If Oracle didn't
catch these vulnerabilities in the browser plugin, what vulnerabilities
are sitting in the JVM waiting to be exploited in offline "mode"? I
think, more than anything, this shows that we should have some MAJOR
concerns around Java as a platform.

Anthony

···

On 9/27/2012 3:09 PM, Emil Ivov wrote:



#7

Hello troll!

"100% secure" software DOES NOT EXIST. Security is an "evolving",
ongoing process. Gee, EVERY PATCH TUESDAY, WindowsUpdate brings down
"ActiveX killbits" to fix "security issues" with ActiveX, and also
.NET security fixes (an integral component of Windows). DID YOU READ
ANY HEADLINES about "uninstalling .NET from Windows"? OF COURSE YOU
DIDN'T.

Interesting how the scaremongering headlines appeared shortly after this:

Oracle has been good to Java, despite early fears
http://www.infoworld.com/t/java-programming/oracle-has-been-good-java-despite-early-fears-200200

And this stream of positive events:

-Oracle makes OpenJDK 7 the reference implementation of Java 7

-All Linux distros ship OpenJDK
http://www.java7developer.com/blog/?p=361

-IBM joins OpenJDK
http://www.infoq.com/news/2010/10/ibm-joins-openjdk

-Apple contributes its OSX JRE code to OpenJDK
http://9to5mac.com/2011/01/12/openjdk-code-lands-as-mac-port-project-springs-to-life/

-Twitter joins OpenJDK
https://dev.twitter.com/blog/twitter-open-source-and-jvm

-Oracle decides to offer Java 7 JREs for Apple OS X
http://www.macrumors.com/2012/08/14/oracle-officially-launches-java-se-7-for-os-x/

-In 2012, Java continues to be among the top-3 programming languages
according to TIOBE index, despite a campaign of previous FUD articles
like this:

http://www.businessweek.com/stories/2005-12-12/java-its-so-nineties

And third-party languages for the Java VM have skyrocketed, thanks to
Java 7's support for dynamic languages:

http://java.sun.com/developer/technicalArticles/DynTypeLang/

http://en.wikipedia.org/wiki/List_of_JVM_languages

I guess Microsoft's anti-Java campaign never actually ended after
all: http://ho.io/sunblock

And someone in Redmond must be laughing out loud.

FC

···

On Thu, Sep 27, 2012 at 5:16 PM, Anthony Papillion <anthony@papillion.me> wrote:

If Oracle didn't
catch these vulnerabilities in the browser plugin, what vulnerabilities
are sitting in the JVM waiting to be exploited in offline "mode"? I
think, more than anything, this shows that we should have some MAJOR
concerns around Java as a platform.


#8

As you know it's "an integral part of the OS" :P as stated under oath
by Microsoft during the DOJ-Microsoft trial. :)

FC

···

On Thu, Sep 27, 2012 at 5:35 PM, <m.jitsi@grojguys.com> wrote:

Great idea, why didn't I think of that! ;)


#9

I have seen too many articles full of FUD or wishful thinking over the
years trumpeting the impending death and/or irrelevance of Java, when
in fact Java has been getting more relevant every year (a success
others tried to match, with Microsoft's own .NET, or Novell's failed
'Mono' clone) that one gets overly suspicious about hidden agendas
when you see another round of such articles....

...especially when reports about one security vulnerability in Java
get disproportionately higher exposure than Microsoft's own. (Like I
said, ActiveX has been repeatedly exploited; that's why the latter gets
regularly updated via "ActiveX killbits" as part of WindowsUpdate.)

see:
http://goo.gl/3X2gd

or
Microsoft knew about IE bug for weeks before patching
http://www.hardocp.com/news/2012/09/24/microsoft_knew_ie_zeroday_for_weeks_before_patching

"Microsoft knew of the IE zero-day for more than seven weeks before
Eric Romang, the researcher who announced finding an exploit on a
hacker-controlled server, disclosed his discovery Sept. 15. "

So why the different treatment between critical Windows components and
Java? Good question....

That Microsoft and its employees have engaged in the past in
disinformation campaigns is a known fact. Starting with the "barkto
incident" (Google it), to the fake grassroots campaign where dead
people wrote in support of the firm in its legal fight with the US
DOJ, and to the ***"fake security consultant"*** who turned out to be
an ***MS employee***, writing to say AOL's AIM had an ***AOL-installed
security hole*** that put users at risk.

Barkto incident
http://www.isham-research.co.uk/barkto.html

Even dead people write in support of MS
http://community.seattletimes.nwsource.com/archive/?date=20010823&slug=microlob23

Fake security consultant turns out being MS employee
http://www.net4tv.com/voice/Story.cfm?storyID=1335
http://www.nytimes.com/1999/08/13/business/microsoft-says-worker-wrote-smear-of-rival.html?pagewanted=all&src=pm

BM outed as Microsoft's sock puppet
http://www.catchingflack.com/2007/09/burson-marsteller-outed-as-microsofts-sock-puppet/

So, does this mean that the Java bug did not exist? No, the bug
was/is real. And it was dealt with both by Oracle, by releasing an
update, and also preemptively by users, by disabling the Java plug-in,
or whitelisting it only for known sites that need it (via free add-ons
like NoScript), or with a single click via other add-ons like
"Preferences Toolbar" (http://prefbar.mozdev.org). And again, this was
related to the browser plug-in only, not the Java runtime when used to
run Java apps.

What blew my mind was the tons of scaremongering articles telling
everyone to UNINSTALL JAVA completely, rather than advising them to
update it to the latest version (on my system the auto-updater
kicked in all by itself the same day 1.7_07 was released and
downloaded and installed the latest), and also, as a precaution, to
"disable the browser plug-in" to avoid further risks until all these
exploits are plugged.

A far more sensible recommendation than "you don't need it, it's
awful, time to get rid of it", without telling users that by doing so
they would also cripple popular desktop apps installed on their
systems that use Java, like OpenOffice's database module or Intel's
driver updater.

Give me the right to be suspicious about the motives behind such
extreme headlines and wide circulation of the news...

For instance HowtoGeek's headline
"Java is insecure and awful, time to get rid of it"

Illustrated by this well-spirited image of the Java logo
http://www.howtogeek.com/wp-content/uploads/2012/08/image366.png

or betanews' "You don't need Java"

compare with the media coverage of ActiveX holes as 'another fact of
life' or 'gee, get used to it':

Be prepared: ActiveX attacks will persist
http://www.infoworld.com/d/application-development/be-prepared-activex-attacks-will-persist-459

call it just gut feeling. And no, I don't have any actual videotaped
proof of any MSFT employee or independent 'citizen journalist'
rejoicing over the news and circulating the scaremongering headlines
so that the snowball grows...

Just my $0.02
FC
Tech writer, Java user, Java advocate since Java 1.0 days.

···

On Thu, Sep 27, 2012 at 5:16 PM, Anthony Papillion <anthony@papillion.me> wrote:

I think, more than anything, this shows that we should have some MAJOR
concerns around Java
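One concrete check behind the "update it to the latest version" advice in the post above: an added Python example (not Jitsi's code and not from any poster) that parses the `java -version` banner and compares it against the 1.7.0_07 release the post mentions. The sample banners are constructed; the `check_installed_java` helper is an assumption about running the local `java` binary.

```python
"""Check whether a JRE is at or above a given patch release.

Added illustration, not Jitsi code.  `java -version` prints its banner
on stderr, e.g.:  java version "1.7.0_07"
"""
import re
import subprocess
from typing import Optional, Tuple

# Release named in the thread as carrying the fix (1.7_07 == 1.7.0_07).
PATCHED_RELEASE = "1.7.0_07"

# Matches the quoted version token in the first line of `java -version`.
_BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(version: str) -> Tuple[int, ...]:
    """Turn a JRE version string into a comparable 4-tuple.

    Legacy strings look like 1.7.0_07 (1.major.micro_update); newer ones
    look like 11.0.2 or 17.0.1+12.  A build suffix after '+' or '-' is
    dropped because it does not affect the patch level.
    """
    core = re.split(r"[+-]", version, maxsplit=1)[0]
    parts = [int(p) for p in re.split(r"[._]", core) if p.isdigit()]
    if not parts:
        raise ValueError(f"unrecognised Java version: {version!r}")
    # Legacy "1.x" scheme: the real major version is the second field.
    if parts[0] == 1 and len(parts) > 1:
        parts = parts[1:]
    # Pad so that 7 == 7.0.0.0 and comparison stays element-wise.
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version token from `java -version` output, or None."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def is_patched(version: str, minimum: str = PATCHED_RELEASE) -> bool:
    """True when `version` is at least `minimum`."""
    return parse_java_version(version) >= parse_java_version(minimum)


def check_installed_java() -> Optional[bool]:
    """Run the local `java -version`; None if no JRE is on PATH (assumed helper)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    found = version_from_banner(proc.stderr + proc.stdout)
    return is_patched(found) if found else None


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real machine.
    samples = ('java version "1.7.0_06"',
               'java version "1.7.0_07"',
               'openjdk version "11.0.2" 2019-01-15')
    for sample in samples:
        v = version_from_banner(sample)
        print(f"{v:>10}: {'ok' if is_patched(v) else 'UPDATE NEEDED'}")
```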


#10

Hello,

Is there any way of being on a digest message system with the Jitsi
users email list? I seem to get a lot of unrelated messages regarding
Jitsi, such as what versions of Java are secure/insecure, that I don't
really find very interesting or topical to the Jitsi program. On other
mail groups you can get a digest or summary email once every
24 hours rather than every moment a mail comes in. I tried looking in
the settings on the account but I cannot locate such an option. Is
this an undocumented feature, or not currently implemented on this
user group?

Kind regards
Peter

···

Sent from my iPad

On 27 Sep 2012, at 22:59, Fernando Cassia <fcassia@gmail.com> wrote:



#11

Sympa accepts commands through mails so you should be able to achieve
this with the following:

mailto:sympa@jitsi.java.net?subject=SET%20users%20DIGEST

or for a plain text version:

mailto:sympa@jitsi.java.net?subject=SET%20users%20DIGESTPLAIN

Hope this helps,
Emil

···

On 27.09.12, 23:35, Peter Allebone wrote:


--
Emil Ivov, Ph.D.        67000 Strasbourg,
Project Lead            France
Jitsi
emcho@jitsi.org         PHONE: +33.1.77.62.43.30
https://jitsi.org       FAX:   +33.1.77.62.47.31