Java Security Video
Chris K. just watched the podcast on Java security, and was (thankfully) able to put a finer point on it. Not to mention, clarifying a misspoken URL:
The way Java runs is that it has a JVM (Java Virtual Machine), and commands in Java are sent to this VM. The VM, which is coded for each OS, sends the code to the processor after translating it. The processor then performs the action.
For example, on Mac: new BadGuy(); -> Mac OS -> JVM -> Translation -> Processor -> Performs -> Reserves spot in RAM for the new BadGuy. The same applies on Windows or Linux, or anything else you care to name.
In some cases, Java doesn’t use a JVM, instead using a physical hardware chip, installed directly on the motherboard in most cases. The code will go to this chip instead of the JVM, and then is sent directly to the processor. This is many times faster in most cases. When you download the newest Java, it will either install the latest firmware upgrade for the chip in your computer, or it will install the JVM (or sometimes both).
Java is one of the most secure programming languages. It has several layers of security:
- A compiler won’t be able to compile code that accesses the files on the computer in any way. It can make a stand-alone application with a specific kind of compiler, but then it won’t be web-usable (it is not like Flash in the sense that you can put anything on the web, or off the web; it has to be specially coded for an applet). Of course, you could use a rogue compiler, but that brings us to our next layer of security.
- The JVM, or the firmware on the chip, will stop any access to files through applets, and will warn the user, and ask permission. This prevents even a rogue compiler from compiling “bad” code.
- The final layer of security falls to the operating system, which the code goes through.
Can you make a Java application that deletes all of the files on your computer? Hell yes! Can you make an applet? No. Java applets are completely blocked from modifying files on your computer, unless they have a certificate from VeriSign, etc. However, can you make a .exe (or Mac application) that deletes everything on your computer? Yes, you can. For the most part, Java is very secure, and if you don’t upgrade, you still are just as secure, because any new code on an updated compiler won’t run, so there’s no chance of an exploit with new compilers. (PS: It’s java.sun.com, not sun.java.com as you said in your podcast)