NetBeans Plugin - Second Iteration
(07-26-2015, 12:22 AM)iamthwee Wrote: Ozzy why not use sublime text with snippets on github, I can't recommend netbeans, anything that requires java is not a good idea

I realize there may be others out there just as good, but, to be honest, I've gotten used to it and its quirks...
OM...
-------------------------
And on the pedestal these words appear: 'My name is Ozymandias, king of kings: Look on my works, ye Mighty, and despair!' Nothing beside remains. Round the decay Of that colossal wreck, boundless and bare The lone and level sands stretch far away.

(07-26-2015, 12:22 AM)iamthwee Wrote: Ozzy why not use sublime text with snippets on github, I can't recommend netbeans, anything that requires java is not a good idea

I don't know if you realize it, but that article is talking about client-side Java, which is apps that run in the browser, due to security holes that hackers are exploiting. And while he mentioned completely blocking its use, I think that's silly. Non-web-based apps, like the IDEs being mentioned here, have much lower security risk from everything I've seen. And also, how could we tell millions of people to stop playing Minecraft?

(07-26-2015, 08:25 PM)kilishan Wrote: I don't know if you realize it, but that article is talking about client-side Java, which is apps that run in the browser, due to security holes that hackers are exploiting. And while he mentioned completely blocking its use, I think that's silly. Non-web-based apps, like the IDEs being mentioned here, have much lower security risk from everything I've seen.

Actually, the article talks about both Java as a browser plugin and Java installed on the client OS as used by other software (not through the browser), and specifically advocates completely eliminating it from the client environment, with a reference to an OS X exploit that did not require Java to be enabled in the browser.
We've made it a standard procedure to only install Java on computers which absolutely need it, and, in those specific cases, the users have explicit instructions to only use Internet Explorer for the specific sites which require the specific version combination of Java and IE installed on their computers, and that all other web browsing should be done in Firefox and/or Chrome (all other users are told never to use IE). In cases where Java is used for other applications, it is managed by campus-wide patch management and completely disabled in the browsers. Unfortunately, this doesn't stop these people from being infected by malware which disguises itself as Java updates (though, honestly, not having Java on someone's computer doesn't stop that, either, if the malware doesn't require Java). We use a very similar policy for Adobe Flash, which alternates with Java as the primary vector for infections.
Hmm... it was? I'll have to go back and re-read the article, then. I could have sworn all of the attack vectors he was describing were through the browser. That's why I thought the article was a bit extreme in recommending it never be used, ever.

What has your experience been in the University with IDEs built on Java? For example, I use PHPStorm, but the thread is about NetBeans, so it's all a similar boat. Any idea of the potential things we should be protecting against here?
At BCIT, command line Java runtime is enabled in the standard configuration across campus, while browser Java is not.
Inside Computer Systems Technology, the JDK is part of the standard image, as are NetBeans and Eclipse.
The only dealbreaker I have with using PHPStorm is that it requires Java, and for me that's a pretty big dealbreaker.
Practical guide to IgnitedCMS - Book coming soon, www.ignitedcms.com
(07-28-2015, 12:15 PM)iamthwee Wrote: The only dealbreaker I have with using phpstorm is that it requires java and for me that's a pretty big dealbreaker

OK, would someone please tell me what vulnerabilities there are in running a standalone app like NetBeans (or heaven forbid, PHPStorm) that requires a local installation of Java? If I'm running it locally, with or without internet access, what possible difference could it make to someone on the outside, looking in? Or is all this an exercise in semantics... Call me somewhat confused or call me just plain confused. Just don't call me late for dinner.
OM...
------------------------- And on the pedestal these words appear: 'My name is Ozymandias, king of kings: Look on my works, ye Mighty, and despair!' Nothing beside remains. Round the decay Of that colossal wreck, boundless and bare The lone and level sands stretch far away.
Basically you are as safe as the framework. Assuming the framework is kept up to date, so you're running the latest version of the Java runtime, you should be OK. But the article I posted suggested there will be other zero-day vulnerabilities. These don't necessarily have to propagate through Java being enabled in the browser, so even disabling it in the browser doesn't cover you as being safe. As long as the Java runtime is on, you're potentially at risk, and unfortunately, because Java runs on all operating systems, so-called secure POSIX-type systems like Mac and Linux (well known for their hardy security) have been exploited, for example! To me this is a bad, bad sign. And personally, the only reason why Java isn't long dead like Flash almost is, is because of company dependence on legacy Java-written systems. It looks like the OS giants (Windows and Mac) are going the right way by not installing Java by default on their latest OS flavours, but in my opinion they should kill it altogether.

To be frank, the same could be said for .NET. In fact, even Python runs on a virtual machine of sorts and is subject to vulnerability; it's probably at a similar risk to Java but doesn't get the same amount of media coverage. So the reality is, if you choose to run Java, the choice is yours; you might need it if your job requires it. But you'll never catch me running Java on a POSIX system. The framework is too huge and riddled with issues for me to even consider breaking it out. Luckily, I used to rely on it for Arduino programming, but since then a good few native-style git repos allow me to flash code directly to the board. But I digress. P.S. Hope you made dinner on time.
Practical guide to IgnitedCMS - Book coming soon, www.ignitedcms.com
(07-28-2015, 02:05 PM)ozzy mandiaz Wrote: if i'm running it locally with or without internet access, what possible difference could it make to someone on the outside, looking in?

Well, if you have set up another dev machine without internet access and only Java, then I guess you're as safe as houses, but really, how many people have two machines, one with a dedicated internet connection and the other without?
Practical guide to IgnitedCMS - Book coming soon, www.ignitedcms.com
(07-27-2015, 07:30 PM)kilishan Wrote: What has your experience been in the University with IDEs built on Java. For example, I use PHPStorm, but the thread is about Netbeans, so it's all a similar boat. Any idea the potential things we should be protecting against here?

I tested NetBeans and some other free Java-based IDEs in 2012, and found them too slow (on Windows) to be usable, and most of the major security news about Java came up later, so I never re-evaluated them. When it comes to end users, our biggest problem is usually that we have so little knowledge of what they're actually running before they get infected, and it's very difficult to lock down machines when people are used to the level of freedom they have typically had on their machines. Most of the people running Java here are doing so either because of an application from SAP which requires Java or because the University (or the CSU system) uses it for specific applications. The most important protections for Java are to make sure it is completely disabled in every browser on the machine (and re-check the configuration after every update) and that it is constantly updated. Zero-day infections do not seem to be as common with Java as with Flash (though, honestly, Adobe had a problem for a long time with their internal version control system being open to people who were releasing exploits for their software, so it's no wonder they might still have issues with zero-days), but nothing has changed to make the initial findings about Java by the US Department of Homeland Security irrelevant.
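One concrete form of the "disable it in every browser and re-check after every update" advice above, as an added example that is not part of the original thread or any poster's setup: a small Python audit of the JRE's deployment.properties file. It assumes the Oracle JRE (7u10 and later) keys deployment.webjava.enabled ("Enable Java content in the browser") and deployment.security.level, and the convention that appending .locked to a key in the system-wide file stops users changing it in the Java Control Panel. The two sample files are constructed, and requiring VERY_HIGH is a local policy choice rather than an Oracle default. It only covers the JRE side; each browser's own plugin enable/disable state still has to be checked separately.

```python
import re
from typing import Dict, List

# One java.util.Properties line: key, then optional '=' or ':' (or just whitespace), then value.
_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")

# Keys from the Oracle JRE deployment configuration (7u10 and later).
WEBJAVA = "deployment.webjava.enabled"    # "Enable Java content in the browser" checkbox
SEC_LEVEL = "deployment.security.level"   # VERY_HIGH or HIGH on current JREs
REQUIRED_LEVEL = "VERY_HIGH"              # local policy choice (assumption), not an Oracle default


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the subset of .properties syntax that deployment.properties uses.

    Keys with no value (e.g. 'deployment.webjava.enabled.locked') map to ''.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return policy violations; an empty list means the file passes."""
    findings: List[str] = []
    if props.get(WEBJAVA, "true").lower() != "false":
        findings.append(f"{WEBJAVA} is not 'false': applets and Web Start can run from browsers")
    if WEBJAVA + ".locked" not in props:
        findings.append(f"{WEBJAVA} is not locked: a user can re-enable it in the Java Control Panel")
    level = props.get(SEC_LEVEL, "")
    if level != REQUIRED_LEVEL:
        findings.append(f"{SEC_LEVEL} is {level or 'unset (JRE default)'}; policy requires {REQUIRED_LEVEL}")
    if SEC_LEVEL + ".locked" not in props:
        findings.append(f"{SEC_LEVEL} is not locked")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_properties(text))


# Constructed sample files (not copied from any real machine).
# A per-user file as it might look after an update, with the browser plugin still on:
AFTER_UPDATE = """\
#deployment.properties
#Tue Jul 28 09:00:00 PDT 2015
deployment.version=8.0
deployment.webjava.enabled=true
deployment.security.level=HIGH
"""

# A system-wide file (pointed to from deployment.config) that meets the policy:
HARDENED = """\
# System-wide deployment.properties
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

if __name__ == "__main__":
    for name, text in (("after_update", AFTER_UPDATE), ("hardened", HARDENED)):
        problems = audit_text(text)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run it against the real files (the system-wide one named in deployment.config and each user's ~/.java/deployment/deployment.properties) from whatever post-update hook your patch management tool provides; a non-empty findings list is the signal that the update, or a user, has undone the setting.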