Archive for June, 2015

So glad we don’t use Java

Tuesday, June 30th, 2015

Interesting news regarding litigation around Java intellectual property (IP) today:

eff.org

Basically, the courts are bouncing decisions back and forth in a lawsuit between Google and Oracle over the ownership and use of the specifications for the Java API.

I’m not a lawyer, but generally I think that languages and runtime environments are well adopted if they are open and unencumbered. Nobody claims copyright over C or stdlib, for example.

Oracle has – unsurprisingly given its corporate culture – tried to make as much as possible of the Java ecosystem proprietary, so that they can generate license fees from this asset. This should cause many developers to think twice about investing in this platform — since there is a risk of undefined fees in your future.

Tread with caution. Not only is Java a terrible platform for performance, it turns out that it’s also at risk of becoming increasingly proprietary. Not a healthy place to develop.

LastPass hack

Tuesday, June 16th, 2015

I guess it was inevitable that a consumer-oriented password manager service would get hacked, and today we’ve learned that one did: Gizmodo.com.

So is there a lesson here for us? A few, I suppose:

  • Security is only as good as the weakest link. I don’t think plaintext passwords were exposed, and it’s not even clear that encrypted ones got leaked, but password recovery hints did, and that may be enough to compromise some passwords.
  • The size of a target matters. I’m sure hackers much prefer to compromise popular systems to obscure ones. For consumers, this leads to the following interesting guidance: see where the herd is running – and run the other way. Choose less commonly used services if you can (but subject to other constraints, like commercial viability and likelihood of the service being well/professionally operated – have fun figuring out which is which).
  • The push to federate will only accelerate. Nobody wants separate passwords for various web sites, when the operators of those sites could easily federate to Facebook, Google, etc. Why solve the problem yourself if you can simply farm it out, for free?

If you are/were a LastPass user, you have a couple of options:

  • Change everything – your master password and your hints.
  • Delete your profile. Take your business elsewhere or give up on this class of application.

Stay safe!