Timeline Cards

Menu Items

Subscriptions

Contacts

If you need help getting started on Glass development, Google has released two starter projects in Java and Python that can be loaded into App Engine. From there, developers can use the starter project as a foundation for their own projects. If you need the API in other libraries, you can grab it in Java, Python, Go, PHP, .NET, Ruby and Dart from here.

Once developers have the tools they need, they will also need to follow the rules. In the Terms of Service, Google says quite plainly that Glass developers can not serve ads in their Glass apps, nor can they charge for them. Google also says that all Glass apps must be hosted on Google’s own distribution channel “unless otherwise approved in writing by Google.”

It seems that Google isn’t quite ready to monetize Glass, but it will probably allow developers to start selling apps later this year once the device goes into mass production. It would make little sense for the company not to. Either way, we’ve reached out to Google for comment and clarification and will update if we hear back.

EDIT: A Google spokesperson gave us the following comment:

“Developers are crucial to the future of Glass. The focus during the Explorer Program is on innovation and experimentation, but it’s too early to speculate how this will evolve.”

[h/t: Engadget]

Comments

25-Feb-2013

• Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 54 and 55).
• Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
• Oracle provides a monthly status report for the reported issues. The company informs that Issue 51 is under investigation / being fixed in main codeline. The report does not mention Issues 54 and 55 yet.
• Oracle provides tracking numbers for Issues 54 and 55, but claims they are still not confirmed.

27-Feb-2013

• Security Explorations asks Oracle whether it needs any assistance in running the received Proof of Concept Code or whether a confirmation of reported vulnerabilities from a 3rd party such as US-CERT would be helpful for the company. Security Explorations informs Oracle that it expects a clear confirmation or denial of Issues 54 and 55 (in the past, reception of tracking numbers from Oracle was equivalent to the confirmation of a given report).
• Oracle provides the results of its assessment and informs that Issue 54 is not a vulnerability (it demonstrates the “allowed behavior”). The company confirms Issue 55.
• Security Explorations disagrees with Oracle’s assessment regarding Issue 54 and provides the company with its arguments. Security Explorations demonstrates to Oracle a corresponding sample of “allowed behavior” of Issue 54 that leads to a denied access and a security exception.

28-Feb-2013

• Security Explorations provides Oracle with another example illustrating denied access for a similar condition as Issue 54. The company asks Oracle whether it still considers Issue 54 as a non-vulnerability demonstrating the “allowed behavior”.

The issues referenced above – 54 and 55 – can apparently be combined to “gain a complete Java security bypass in the environment of Java SE 7 (Update 15).” Issue 54 is being labeled by Oracle as a non-issue, but issue 55 has been picked up for further investigation.

This latest discovery only further stains Java’s reputation as it has not only been exploited twice in the past two months, but said exploits led to major firms like Apple and Facebook being hacked. Granted, Oracle can’t predict every new exploit that comes its way, but you would think it would be more thorough before releasing updates.

So, what can you do to prevent any Java-based attacks? It’s rather simple really – just disable Java. Firefox automatically disables it for you, and it’s easy enough to disable on other browsers as well.

[h/t: ZDNet]

Comments

Most of the job trends have continued to decline for about a year. Oddly, the one language that looks to have grown during the past year was Visual Basic. VB is showing more demand now than it has in over seven years. Objective-C has a fairly flat trend for the past year, while the others show declining trends. Java shows a significant drop in the past six months, returning to job levels from 2008. Perl has dipped below Visual Basic for the first time in over six years. C# and C++ show almost identical trends and demand.

Now, let’s look at SimplyHired’s short term trends:

SimplyHired’s trends differ greatly from Indeed’s. Overall, these trends are fairly flat, with a slight rebound towards the end of last year. Objective-C does not show much growth during 2012, except at the very beginning of the year. Java leads the rebound at the end of the year, showing more growth than the other languages, but still less demand than in February 2012. C++ and C# continue their twin trends, showing almost identical demand. Perl barely stays ahead of Visual Basic, and both showing slight growth in the end. If we ignore the hiccups prior to February, all of the trends seem to be flat for the year.

Finally, here is a review of the relative scaling from Indeed, which provides an interesting perspective on relative job growth:

Surprisingly, Objective-C growth slowed significantly during the past six months. However, slowing from over 700% to about 550% is not a terrible decline. C# growth is also slowing significantly, dropping below 100% for the first time in over 4 years. Interestingly, Perl and Java are showing similar declining growth trends, with current growth dropping to the same level as 2006. Visual Basic seems to have held steady at slightly positive growth, while C++ continues to decline.

What does all this mean? There has been a definite slowdown in demand in the past year. Given the growth of mobile, this is very surprising due to the leading mobile development languages being Java and Objective-C. What we could be seeing is the true rise of web development, which allow companies to use a much greater breadth of languages than before. Java and Perl are not required knowledge when writing for the web, and the continued decline of languages like C++ and C# point to the same possible conclusion. Being a true polyglot, meaning developing in multiple languages during the same project, may soon become a requirement. We will likely see more evidence of this when we look at the web and scripting languages in the next job trends installment.

Comments

New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.

What’s worrisome is that the thread is reportedly gone as of today which means that the exploit has been sold to two people already. That means we could be seeing another potentially dangerous zero-day attack on Java in the near future.

Oracle can’t predict the future, and its engineers obviously can’t predict what exploits are going to be found in its software. Hackers will always be one step ahead of software developers. All Oracle can do is remain vigilant and quickly put out a fix whenever a new exploit is found. Java’s presence on over 1 billion PCs must put a ton of pressure on the company, but hopefully it can push out fixes just as quickly as the last one.

And next time, maybe check the fix to make sure there aren’t any security holes left in it.

[h/t: Ars Technica]

Comments

First up, AVG predicts that Java will continue to be the most exploited software on computers. That may just be the case as Oracle already had to deal with a major zero-day exploit last year along with other various security loopholes that hackers always seem to find before security researchers. The software’s spread across over 1 billion computers ensures it will remain a desirable target.

Besides Java’s vulnerabilities, the biggest threat facing users is mobile malware. Android is especially susceptible to malware as many people download malicious apps from unofficial app stores that don’t properly screen their services for malware. Google Play or Amazon’s Android Appstore are the safest bets for avoiding mobile malware, but no promises can be made.

Other threats include an increase in ransomware, cloud service breaches and other scary things that lawmakers and government agencies refer to when trying to push new cybersecurity laws that curb your privacy rights.

AVG’s report may sound like a lot of fear mongering, but it’s seemingly appropriate in an age where people are falling for obvious malware attacks all the time. People need to be more vigilant when browsing the Internet or checking email and avoid any links that look even remotely suspicious. Another handy rule of thumb is to disable Java or any other vulnerable Web plugin before visiting a site that doesn’t look legitimate. You should also stop using dumb passwords, like “password.”

On a final note, you should probably stop using Internet Explorer.

Comments

Speaking to JavaWorld, Java founder James Gosling said that there’s no major technical hurdles standing in the way.

“Technically, it’s not a huge problem. Android is just Linux on ARM, and there’s already a nice ARM/Linux version of OpenJDK,” said Gosling. “There are issues that would make the current binaries inappropriate (mostly graphics integration), but it’s not insurmountable.”

That being said, Gosling thinks that the bad blood between Oracle and Google might impede any efforts to bring OpenJDK to Android. If you recall, Oracle and Google were locked in a lawsuit earlier this year over accusations that the latter copied the former’s Java APIs when developing the Android OS. The jury sided with Google, and then Oracle was ordered to pay Google $1 million. After all of that, it doesn’t seem like Oracle would want to play nice with Google.

Even if there was no bad blood between the two companies, analysts seem to think that OpenJDK on Android just isn’t worth Oracle’s time. John Rymer of Forrester Research told JavaWorld that he thinks “the Java on Android ship has sailed” and that developers wouldn’t care for it anyway.

At the moment, it seems that the prevailing feeling towards OpenJDK on Android is one of pessimism. The major problem is the obvious conflict between Google and Oracle, but developer interest is also questionable. It’s too early to say that OpenJDK on Android will never happen, but chances are not looking good.

Comments

First, back in late August the Java browser plug-in was found to be vulnerable to an exploit that could make all PCs using browsers with the Java plug-in installed open to malware by visiting a malicious website. Thankfully, Oracle didn’t wait for its October patch to fix the issue, and released a patch just a few days later.

Only that wasn’t the end of it. A security company announced the day after the patch that another vulnerability in the Java software had been found. Meanwhile, the news came that Oracle knew about the exploits but did not fix them until news of them forced their hand.

Today, security company Security Explorations has once again called out Oracle for an exploit found in Java. The new exploit affects all the latest versions of Java SE software, including Java SE 5, 6, and 7. The company’s CEO, Adam Gowdiak stated that their tests were able to bypass Java’s security sandbox. The tests used a fully updated version of 32-bit Windows 7 and modern browsers. Anyone using Firefox, Chrome, Internet Explorer, Opera, or Safari is vulnerable.

Gowdiak said in an email that the company has notified Oracle of the exploit. He also told ComputerWorld in an interview that, thankfully, there is not yet any evidence of attacks that use the newly revealed exploit.

(via BGR)

Comments

Google announced the release of J2ObjC yesterday. The new open-source translator allows developers to convert Java into Objective-C without any additional input from them. It’s being billed as an easier way to developer iOS applications for those who are not immediately familiar with Objective-C.

Of course, you’re still going to need to know some Objective-C for the UI elements of an iOS app. Google says that their translator is best suited for the translation of data access or application logic elements. To that end, they hope the translator will be used to build cross-platform apps that can be accessed by Android, iOS and the Web.

They do point out that J2ObjC is not a Java emulator, but rather converts Java classes to Objective-C classes. It includes support for the full Java 6 language and most client-side runtime features, including exceptions, generic types and reflection.

You can start playing around with the translator now at the project page. It’s completely open source so you can poke around inside the code to see how it works. You might even be able to make an even better code translator based off of Google’s already impressive work.

Work like this only convinces me that development is only going to get easier from here on out. People will soon be able to code in their native language and translate it to any other without any trouble.

Comments

So is there a fix? At the time of writing, Oracle has not patched Java yet. The only solution for now is to disable Java in your Web browser or download a third-party patch. Here’s the details of the exploit from Deepend Research:

1. The javascript in index.html is heavily obfuscated.

2. This vulnerability affects Java 7 (1.7) Update 0 to 6. Does NOT affect Java 6 and below.

3. It works in all versions of Internet Explorer, Firefox, and Opera. Does NOT work in Chrome. (Update: The original exploit we tested did not affect Chrome. We did not test Metasploit but reports are that their version works. All hackers and exploit kit makers now can use a freely available Metasploit module and you can expect a huge wave of drive-by attacks as well as email links. To be safe, perhaps best approach is not to use Java or patch it.)

3. It does not crash browsers (which does NOT mean it does not work!), the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word “Loading”

5. The malicious Java applet is downloaded. At this point, if your system is not vulnerable or is patched, the attack stops. From the user perspective, it is impossible to tell if the attack was successful or not.

6. If the exploit is successful, it downloads and executes a malicious binary, which calls to another IP address/domain hello.icon.pk / 223.25.233.244

7. Although older Java is not vulnerable to this attack, downgrading is not recommended due to many other vulnerabilities in the older versions of Java.

8. Disable Java in your browser.

The folks at Deepend Research have created an unofficial patch but they’re reserving it for companies who need it to protect their employees or users. Regular end users should just disable Java on their machines until Oracle can push a patch through.

For the time being, we’re at the mercy of Oracle. Here’s hoping they patch Java before the next scheduled patch date of October 16. A lot of users and businesses may be affected by the exploit without even knowing it.

Netbeans has been my favorite IDE for a while- from beginning with it in PHP, to Java (Even though I had a lot of recommendations to switch to Eclipse) to C/C++ when my college professor decided that Netbeans would be the officially supported IDE for our class. Syntax highlighting, easy refactoring, very helpful hints and debugging information, and automatically importing and implementing various code snippets are features that I look for in an IDE, and Netbeans hits them all. For all that Netbeans does good however it still suffered from the above issues for a long time.

The new version however might fix the majority of these problems. Netbeans 7.2 Release Candidate 1 is now available for download, and to be honest, I am quite impressed with some of the improvements. The base IDE now scans projects in the background, rather than in the same process as the IDE, which previously would lock up the IDE until it was finished. Depending on the size and number of projects the IDE had open, this could take a while. The scanning itself has also had an algorithm change, resulting in a much faster scan. While not directly improving it’s stability as a Java application, these improvements do serve to end processes quicker, resulting in a more stable, harder to erroneously interrupt program.

Some other new features have been implemented as well, including, but not limited to: FindBugs support and new hints for Java, Oracle Public Cloud and Amazon Elastic Beanstalk support for Java EE, PHP 5.4 support with remote synchronization and support for the C++ 11 standard with improved parsing and reduced memory consumption. The full list of new features, and the download link, is available here <http://netbeans.org/community/releases/72/>.