Java creator James Gosling this week called Microsoft’s decision to support C and C++ in the common language runtime in .NET one of the "biggest and most offensive mistakes that they could have made". Don Box of Microsoft has responded with a tongue and cheek posting: Huge Security Hole in Solaris and JVM.

Gosling, who is currently CTO of Sun’s Developer Products group, made the comments as part of his speech to developers at an event in Sydney earlier this week. He further commented that by including the two languages into Microsoft’s software development platform, the company “has left open a security hole large enough to drive many, many large trucks through".

What are your thoughts? What would YOU like to see in the Java platform with respect to native code?

On James Gosling: Gosling Claims Huge Security Hole in .NET

Don Box: Huge Security Hole in Solaris and JVM

I'd say the biggest security holes in .NET are Windows, DCOM, SQL Server and IIS. Like seriously...

If you've survived the 2 hour, 3.5 gigabyte VisualStudio.NET installation procedure you'll know exactly what I'm talking about.

It's immediately apparent when the installer asks you to disconnect from all networks before beginning the installation --because you'll be vulnerable to countless security threats DURING the installation.

Last time I checked, I didn't have to worry about this with any Java or J2EE server product, let alone an IDE!!!

Cheers,
Clinton

PS: If I might add, VisualStudio.NET is the most ridiculous thing I've ever seen spewed forth from any software company in history.

It is completely different discussion about connecting kernel to GDI to IIS to IE etc.
The .Net itself is a separated entity that has nothing to do with windows, in theory it can run on Linux if MS ever wish.
I cannot say that .Net is less secure then JVM if both are running on the same OS. The .Net itself is only 15-20 Meg, all the rest of the 2G of installation is different development tools and integration with IIS, IE debug upgrading, integration with Office etc. I’d say that .Net has two phases the one is pure concept (C# language, security model etc.) and the other is MS implementation that tries to push everything together.

Find me a professional, commercial .NET developer who:

1) Doesn't use VS.NET,

2) Doesn't deploy to windows and IIS, or

3) Doesn't use SQL Server

Your comment is technically correct. But unfortunately it's completely unrealistic and impractical.

As long as 50% of Microsofts revenue comes from Windows (http://www.microsoft.com/msft/aspx/secfilings.aspx), they'll have NO interest in EVER making it practical or realistic to port.

.NET is a Microsoft Windows based stack, period.

Java is safer, even on windows, strictly because you likely don't have IIS, FPSE, SQL Server, wide open DCOM ports or any of the other nightmarish Microsoft extensions to the already crapola Windows Server 2003.

Cheers,
Clinton

Mr. Begin,

Lets just say, you are very much aginst any Microsoft position.

That is OK.

Lets just keep it that way.

There are a lot of project situations where a Java solution
is a better fit, similarly a a lot of situations Microsoft
solution is a better fit.

No need to pull guns here.

Ricky,

I'm not sure what your point is. This thread is clearly discussing .NET vs. Java in a security context. What do you think it's about?

If you think I'm kidding or wrong about the security of Microsoft tools, try installing VS.NET for yourself. My proof is within the installation instructions written by Microsoft.

Sure some projects are better suited to .NET. But that DOES NOT automatically make them any better.

The need for such crappy tools is irrelevant to their quality or security.

Clinton

Clinton Begin: "... 50% of the work I do this year will be .NET"

Why, may I ask? You mean you could not get a job as a Java developer??? I find it very difficult to believe... We regularly get applications from .Net developers pretending to be Java experts just to get a job.

1) "VisualStudio.NET is the most ridiculous thing I've ever seen spewed forth from any software company in history"

Didn't your mother taught you to be a good loser?
http://www.theserverside.com/news/thread.tss?thread_id=31595#155478

2)"Java is safer?"
Here is the quality of Sun own code do you think Gosling was involved? I leave the security to your imagination.
Java on Solaris:
http://www11.brinkster.com/monoasp/sun-internal-memo.htm

3) "You mean you could not get a job as a Java developer??? I find it very difficult to believe.."

Of course you will find job as well as the thousands upon thousands of Cobol programmers do daily. No difficulty finding jobs with of legacy systems! Especially as J2EE systems needs a lot of maintenance. (Down one day in the week, 80% project failure rate).

BTW, have you noticed how much TSS uptime has improved after dropping EJBs?

hi hi
Regards
Rolf Tollerud
("the Script")

TSS still uses EJBs.
Entity EJBs are what got ditched.

1)Didn't your mother taught you to be a good loser?http://www.theserverside.com/news/thread.tss?thread_id=31595#155478

The response included in the link is full of deceptive half-truths. For example, Unix security updates cover not only the operating system itself, but also all of the apps and utilities that people tend to ship with it. Windows, on the other hand, ignores security problems in the vast library of apps and utilities available to it.

Moreover, one must read these security alerts to see the difference; Linux security alerts are often pro-active, patching vulnerabilities discovered during code audits before they show up in hacker code.
Windows security alerts, on the other hand, are never proactive, and they often address gaping security holes months after they've already been exploited by the hacker community.
Microsoft does not do code audits, and has never demonstrated any interest in patching holes other than those which it is forced to patch through public pressure.

2)I leave the security to your imagination.

Interesting. So the Windows environment is more secure, stable and reliable than the Unix/Linux one..
That must be why Microsoft uses Unix for its critical operations, like delivery & billing ? Apparently, they don't seem to eat their own dog food.

3)Of course you will find job as well as the thousands upon thousands of Cobol programmers do daily. No difficulty finding jobs with of legacy systems! Especially as J2EE systems needs a lot of maintenance. (Down one day in the week, 80% project failure rate).

You're not doing yourself any favor by posting such nonsense.

If you had any real experience in IT, you'd know that project success rates or failures have nothing much to do with the programming language chosen.

It's not up to me. I'm not an independent consultant. Even if I were, I would not be stubborn enough about a platform to cut my market in HALF. That would be stupid.

If Sun is going to lose the battle to Microsoft, I sure as hell am not going down with them. If I have to make a living writing for .NET, so be it.

The MORE I use a platform, the MORE I care about how good it is. So the more .NET I end up using, the more posts you'll see from me about how ridiculously bad most of its components and tools are.

So, One Way, YOU are completely missing the point and are too tied up in your love for Java to see past it. Why do you guys take this stuff so personally? This stuff really SUCKS. Why not say it?

Cheers,
Clinton

It's not up to me. I'm not an independent consultant. Even if I were, I would not be stubborn enough about a platform to cut my market in HALF.

That's probably the most intelligent thing I've ever heard in regards to the .Net/Java debates.

Jonathan

Clinton Begin: "It's not up to me. I'm not an independent consultant."

It's certainly up to you what technology to work with. Are you saying you cannot find a Java job and have to convert to .Net?? I will not say it's impossible but that's a very, very peculiar market you got yourself in; I see just the opposite.

CB: "Even if I were, I would not be stubborn enough about a platform to cut my market in HALF. That would be stupid."

Well, hopefully "Jack of all trades, master of none" will not apply to you. In my experience, developers with mediocre skills usually have the hardest time.

Well, hopefully "Jack of all trades, master of none" will not apply to you. In my experience, developers with mediocre skills usually have the hardest time.

It's not beyond human capacity to master two (or more) platforms...especially not two as similar as J2EE and .NET.

...at least it's not beyond my capacity.

Cheers,
Clinton

It's not beyond human capacity to master two (or more) platforms... at least it's not beyond my capacity.Cheers,Clinton

Optimism is good unless it comes from ignorance. Let's hope you are not slipping on the technology where consider yourself an expert, e.g. I haven't seen a single word of discussion about taking advantage of the new JDK1.5 features in the db project you lead. And the benefits to the project could've been significant... easy to see even for a mediocre Java developer.

Well, good luck with whatever.

Haha.... I just realized that I've been feeding a troll. Perhaps the same one that plagued our lists for a while.

Well sir, with your obvious personal attacks (and not much else) you've succeeded in reminding me. I had forgotten you.

And I will now forget you again.

Personal attacks? I simply illustrated that mastering even one technology is a challenge for most people, possibly including you.

Clinton Begin: "... 50% of the work I do this year will be .NET".

For some people it will be 100%, or maybe 180% if you consider the unpaid overtime.

Why, may I ask? You mean you could not get a job as a Java developer??? I find it very difficult to believe... We regularly get applications from .Net developers pretending to be Java experts just to get a job.

My experience has been that managers think .NET is so fast and inexpensive, that they sell the same projects in J2EE and .NET several times. <br>
So they hire J2EE developers and .NET developers and expect the same project in .NET to be built faster and run several times faster than J2EE. <br>
But the J2EE projects are finished earlier, while the same .NET project having access to the J2EE source code finishes several times later and several times the cost. <br>
And of course the J2EE project runs 1000 times faster. This is a real figure, not a joke. Microsoft should be sued, but please wait until I dump all MSFT stock first.

My experience has been that managers think .NET is so fast and inexpensive, that they sell the same projects in J2EE and .NET several times.

I really never heard of that. Why should a company spend money in the same project twice? Even if one thinks that .NET project are far more inexpensive than J2EE projects, one would spend more money on a project, than really needed. I'd like to see the project manager explaining this to the executive committee (and them to the shareholders).

Best Regards,
    Dirk

with larger companies, often this happens. Most of it is driven from the top by politics. Take firms like the top 10 financial firms, there are so many groups and divisions that there's a ton of duplication in effort. I don't know if this is intentional or not, but i am aware of large companies having multiple groups within the same building working on similar projects. It's hard for the IT department to say, "no, we won't do it" if there are two profitable divisions, but each wants it's own thing. In some cases, the divisions have to have completely separate systems because the law requires it. I don't fully understand it myself and don't know enough to know if it's just BS or for real. Regardless of the real reasons, it does happen.

with larger companies, often this happens. Most of it is driven from the top by politics. Take firms like the top 10 financial firms, there are so many groups and divisions that there's a ton of duplication in effort. I don't know if this is intentional or not, but i am aware of large companies having multiple groups within the same building working on similar projects. It's hard for the IT department to say, "no, we won't do it" if there are two profitable divisions, but each wants it's own thing. In some cases, the divisions have to have completely separate systems because the law requires it. I don't fully understand it myself and don't know enough to know if it's just BS or for real. Regardless of the real reasons, it does happen.

You have just described the company I work for, a major telecom company in south america. I believe it is not intentional unless where restricted by law, since duplication of effort = lost $$$, and that most big companies have this kind of environment too, at some scale.

Regards,
Henrique Steckelberg

Valdimir, perhaps you can't say wether .NET of Java is safer if they are running on the same operating system but I am sure James Gosling can.. Believe me, there is every liklihood that .NET is not safe on any operating system and Java is safe on any operating system.. I suppose this site attracts comments from people at levels of understanding.. it's surprising to me that someone would conclude that the underlying operating system is going to dictate the safety of a program layered on top of it..

It is completely different discussion about connecting kernel to GDI to IIS to IE etc. The .Net itself is a separated entity that has nothing to do with windows, in theory it can run on Linux if MS ever wish.

This is entirely untrue. .NET is very tightly bound to Windows, and (having used winforms) it clearly is tightly bound to a large set of ancient APIs.

You may have been referring to "C# and CLI are not bound to Windows", which is true. That's such a tiny part of .NET though as to be inconsequential.

Peace,

Cameron Purdy
Tangosol, Inc.
Coherence: Shared Memories for J2EE Clusters

James Gosling is the most pathetique individual in the know Universe. His "language for TV-Top boxes" has nothing to do with "Java - the international project”". To call Gosling "Father-Of-Java" shows just that most persons have no clue. How many years has he drawn salary without contributing anything whatsoever?

Please buy him a wheelchair and put him away

Please buy him a wheelchair and put him away

It should be noted that "Rolf Tollerud" is an anagram of "Lured of troll".

It should be noted that "Rolf Tollerud" is an anagram of "Lured of troll".

Very interesting. There are SIGNs everywhere! Maybe Dan Brown can use this in his new book... :-) Excellent!

Yes – and also "Role: Troll Fud" which I kind of prefer.

"Good. I can feel your anger.
I am defenseless. Take your weapon!
Strike me down with all your hatred, and your journey
towards the dark side will be complete."
[...]
"Good. Use your aggressive feelings, boy!
Let the hate flow through you."

The Emperor is not as forgiving as I am

Most of us would rather put you away.

... or disable the script or something.

(Ducks for cover)

I know this is probably anti free speech or Anti American or something but I’m so board of the Rolf script now…

Alternatively maybe the mark as noisy feature could be updated all posts originating from "Rolf" are marked as noisy by default and can be modded up by TSS administrators should it every generate anything interesting.

I’d prefer to stick with java as much as I can, but if there is a real business case for going out to the C++ domain e.g. GUID generator, IO etc. then keyword “unsafe” is more appealing, at least to me, then the cumbersome process of generating the JNI headers.
Using C/C++ is unsafe by definition and doesn’t matter how many artificial obstacles SUN puts in front of developers to overcome. It is assumed that usually people don’t use native code unless they absolutely must, and if some one wants to commit a suicide he/she can perfectly do this with 18-century pistol, modern gun or sport car.

The only difference between JNI and unsafe is semantic, or I might be missing something.

Sounds like a "My daddy is stronger then your daddy" conversation.

These types of issues come up with you tightly integrate languages. Is James saying that this level of integration should not be allowed? or encuraged? As pointed out this problem exists (to some extent) in java also via JNI.

I love frameworks and best practices as much as anyone, and follow them when ever possible, but I also need tools that provide the flexibility I need to complete my projects. There is a ton of C/C++ code out there that works great just the way it is, and there is no reason to convert it to another langauge. So provide us with the flexibility to access it properly. I have worked with JNI and find it painful.

So I say to James "Keep moving our favorate langauge forward, with new features, more integration, etc.. and let Microsoft worry about .NET."

This is a very silly statement. Solaris is 100% C++ and unlike Windows/.Net, it's not being progressively rewritten in a "safer" language.

More thoughts here.

--
Cedric

Here is the technical subject being discussed :

1. C++ CLI can target verfiable MSIL instruction set (running in a security sandbox).
2. C#, VB can target verfiable MSIL instruction set
(running in a security sandbox).

3. C++, C# can target mixed CLI and native code (not verfiable, requires fulltrust security) and this is
very similar to Java + JNI application.

Most applications target #1 & #2 scenarios. Mr. Goslings
comments do not apply to these.

#3 is a very valuable to library writers which must take
advantage of OS capabilities or large C based code already in production. Often this is a temporary stopgap measure or
you are in microsoft's position. This is very similar to the fact that Java runtime library must make some operating
system call below a certain level of abstraction.

Anyway, all unsafe code (think JNI application) will not run in Code Access Security (CAS) sandbox without elevated
permissions.

So his comments are not in the proper context.

As long as you run an application without a security manager you can have security issues. It is the same kind of issues for .Net and JVM.
Here is an example http://www.javaspecialists.co.za/archive/Issue102.html , how a pure java code using reflexion can screw the JVM if there is no security manager. And by default Sun java is running without any.

Here is an example http://www.javaspecialists.co.za/archive/Issue102.html , how a pure java code using reflexion can screw the JVM if there is no security manager.

That's a bogus claim. In the example, "CoolClass" makes use of reflection to damage some internal Java variables. So what? Anyone can write a thousand bugs in their code, most do. The question is - where did this code come from? Obviously it was loaded by the JVM because the person who created the launch script set the classpath to include some hopefully trusted sources. If an intruder could change the launch script to point to their classes (and then get them called from the app), yes, they could do anything they want. But an intruder can't poke the JVM and get their new CoolClass to load (yes, once every few years a bug hole is found that would almost let you think about doing something like this), but it's a secure container.

Even a SecurityManager would not protect you from a rogue developer adding malicious code in the normal codebase. You got to trust what you say you trust. This is what Bruce Schneier works on now, non-technical security issues are the bigger security problem.

I’m not talking about not functional or boggy developer code. But rather about code that could corrupt the underlying virtual machine (.Net or Java). No mater where the code comes from.
The discussion is about James Gosling remark around unsafe pointer manipulations in .Net that could corrupt the platform.
This kind of security breach exists in Java as well. You can use reflexion to alter private fields. Using this you can corrupt the entire VM (http://www.javaspecialists.co.za/archive/Issue102.html).
In .Net you can perform pointer manipulation. In java it is private fields modifications.
In both cases you have to not use the sandbox or relax its constraints to execute the code (accept unsafe code in .Net, do not setup a security manager in Java (default with java)).
In that regard .Net and Java behaviors are quite close, both can get corrupted with user code.
Therefore with the keyword unsafe, or with reflexion .Net and Java have roughly the same level of security.

Note in both cases remote code is executed in a sandbox and potentially corrupting code is rejected. It is once more almost the same level of security.

Rolph, you might be being wheeled out in a wheelchair if you don't watch your big mouth.. don't wear a nametag at any java conferences..

It is true that java does support native code using JNI , but this is deffrent than allowing it in the language itself.

IMO , JNI is the way that supporting native code should be , rather than supporting it in the language itself ( as in .NET case)

Amjad Shahrour
Software Engineer

It is true that java does support native code using JNI , but this is deffrent than allowing it in the language itself.IMO , JNI is the way that supporting native code should be , rather than supporting it in the language itself ( as in .NET case)Amjad ShahrourSoftware Engineer

Which is just another premise-less conclusion.

You see, the .NET approach is better AND just as safe.

o Better because it makes life SO much simpler.

o Just as safe because the code doesn't compile unless you mark it as "unsafe" and unsafe code simply doesn't run unless the user actively allows it to (in fact, this is stronger than JNI)

it is so pathetic to read these dime-store book programmers opinions who have never had a course in computer science question the concerns of one of the top computer scientists in the world.. don't you idiots even realise that what your saying is in error.. i've never seen so many comments by uneducated idiots about a scientific fact as though it were an opinion about art..

The round trip time to jump to JNI code is 300+ cycles on a P4 Xeon -dog slow. The problem of building JNI libraries for all possible targets your app runs on is a nightmare. Which I think was the plan: to make JNI really hard.

Doing mildly risky stuff in the HLL language saves you a lot of overhead and development grief. Given that MS dont give a rats ass about portability, if you can talk to your binary data in an efficient (albeit dangerous, unportable) code, then MS are laughing. I used it once to convert bitmaps from GDI+ to legacy BMP layout for sending to a COM library that took the older content. They dont go out their way to make it easy (you need /unsafe, your code isnt trusted, you need to lock down a pointer for a controlled perioud), but they make it possible.

What Sun ought to do is make it easy to talk to native code, like COM libraries, so we can integrate with native legacy code without having to jump through so many hoops.

Please, can anybody explain to mean what a "tongue and cheek" posting is supposed to be? Is Mr. Hannibal Lecter practicing again, under the assumed name of Don Box?

Cheers,
Lars

Hi guys don't confuse us with so many technologies in j2ee. first try to get rid of the complexity in EJB, i am gettin irritated of writing those try and catch blocks in JDBC code. plz ease the developers life. plz put a thin layer over JNDI. Microsoft guys r movin up by providing highly user friendly features. try to implement it in j2ee technologies. then no technology can beat J2EE. J2EE'l b the leader in the enterprise world.

Don't about others, but I'm going to say it's a case of a reporter taking statements out of context to generate traffic. I can understand that. It's much more juicy to report something inflamatory, than be informative. All one has to do is look at all the trash mags out there and how many papers they sell. Writing an informative article takes much more work than rehashing a bunch of old news.

Microsoft reminds me of the Roman empire. Rich, corrupted by power and money, and slowly but surely it grows weaker in its very core since its aspirations have vanished, and its hunger for victory has become irrelevant. The company grows slow, ignorant, and only attempting to keep the status quo instead of advancing. Now, first comes the division to two empires: the OS, and the applications as imposed by some government. Then the individual pieces still linger on but slowly the rebels are taking bites out of the empire, until the ragtag group of open source barbarians douse the flickering flame of old glory.

There your go, Rolf. You know history repeats itself. You still have some time before your soul is completely corrupted.

Take MS out of the equation and apply it to any position of power. About the only thing reliable is those in power will get corrupted. Whether the person/business/group learns from it, and makes itself better the real challenge. I'd say very few individuals can handle power gracefully and not "loose their sense."

Tero,

It is evident that you have not read Gibbons, "The Decline And Fall Of The Roman Empire". Nor "A Study of History" by Toynbee.

"In the Study of History, an investigation into the growth, development, and decay of civilizations, the problems of history are considered in terms of cultural groups rather than nationalities."

Big companies like Microsoft can be compared to civilizations. The main thesis of Toynbee is that the well-being of a civilization depends on its ability to respond successfully to challenges, human and environmental.

As MS just has emerged victorious from the most deadly challenge ever, (the web appearing "overnight") according to Toynbee, it should now be at its strongest ever.

And Gibbons show that the empire flowered as long as they had good leaders (like Hadrianus and Trajanus). So there should be no problem at all as long as Bill Gates has the leadership. (One of the few company leaders that is actually intelligent opposite to the pointy-haired, golf-playing Scott Mcnealy).

So you better brush up your history!

Regards
Rolf Tollerud
(Ah! Being here in TSS is good for my self-confidence :)

Rolf, Rolf... :-)
It is evident that you have not read Oswald Spengler, "The Decline of The West".

Leaders are not the cause, but the products of their own times. And they are great just in fairy tales. In reality, they are always tyrants.

So, don't pick your "Führer" that easy. Think.

And Microsoft is in such a good shape after recent "victories" - as if my grandmother would say that she is in her best years just because she put on silk underwear. ;-)

And history is much more than a few shallow thoughts and "common place" sentences, so be careful when relying your self confidence on such things. ;-)

With respect,
Vlada

Leaders are not the cause, but the products of their own times

I am aware that your view is popular in certain leftist circles.
I politely disagree.

So, don't pick your "Führer" that easy

Spengler:
Return to Authority
Hatred of "decadent" democracy
Exaltation of the spirit of "Prussianism,"
"No one looks forward to the National Socialist revolution with greater longing than I"

Please don't place the populists Spengler besides the classical pillars Gibbons and Toynbee, "The Decline of the West" = pretentious work by an amateur'.

Regards
Rolf Tollerud

Sorry I can't resist

Ah! Being here in TSS is good for my self-confidence :)

God Rolf, really. That's the most tragic thing I've ever read on here.

Sorry I can't resist

Ah! Being here in TSS is good for my self-confidence :)

God Rolf, really. That's the most tragic thing I've ever read on here.

I am guessing getting some minor attention from those who feed trolls gets his mind of unemployment and celibacy for a while? ;)

As MS just has emerged victorious from the most deadly challenge ever, (the web appearing "overnight") according to Toynbee, it should now be at its strongest ever.And Gibbons show that the empire flowered as long as they had good leaders (like Hadrianus and Trajanus). So there should be no problem at all as long as Bill Gates has the leadership.

As far as I am concerned, Microsoft won nothing. They merely saved their face from a complete humiliation. Afterall, Internet posed no risk, threat or challenge to Microsoft. Microsoft owned practially all the cars on the interstate - there was no fight. It is the fact that Microsoft failed to understand the importance of Internet and was belittling it's influence that clearly demonstrated that the age of corruption has already begun. Behind were the times when Microsoft was the contender and slender athlete bashing the likes of IBM. Now, it was a fat couch potato, ignorant and sluggish.

"Microsoft failed to understand the importance of Internet"

No matter that Bill Joy tries to take credit ("we build the internet"! :) the web surprised everybody including Tim Berners-Lee himself, the inventor, Microsoft that had won their position in fair competition against many pretty good competition as OS2, Mac, Amiga, Atari, etc found that practically overnight their systems and technology was worthless.

"After all, Internet posed no risk, threat or challenge to Microsoft"

That must be the most stupid sentence ever uttered.
Before the Web 95% of the enterprise systems was build by MS tools, a short time after the Web 95% of the enterprise systems was build with non-MS tools. If that is not a treat then I don't know what is a threat.

Such a surprise would have been the death of most companies. That MS succeeded to turn around such a large company on a 2 center is nothing less of a miracle, and the business press was/is duly impressed:

Bill Gates of Microsoft once again top business leader
January 20, 2004 - General Electric has retained the number one slot for the sixth year running in the Financial Times/PricewaterhouseCoopers World's Most Respected Companies rankings. Microsoft once again takes second place with Toyota displacing IBM in third spot. For the second year running Bill Gates is the world's most respected business leader.

Regards
Rolf Tollerud

Before the Web 95% of the enterprise systems was build by MS tools, a short time after the Web 95% of the enterprise systems was build with non-MS tools.

What? This must be some very strange defintion of 'enterprise systems'. When the Web started (early 1990s) Microsoft had virtually no server market share. How could 95% of enterprise systems be built by MS tools when MS HAD NO enterprise tools? Either provide some evidence for this or be honest and admit this is nonsense.

What? This must be some very strange defintion of 'enterprise systems'. When the Web started (early 1990s) Microsoft had virtually no server market share. How could 95% of enterprise systems be built by MS tools when MS HAD NO enterprise tools? Either provide some evidence for this or be honest and admit this is nonsense.

Steve, it's pretty obvious: He meant that they had used "VB: Enterprise Edition" to build the applications.

Peace,

Cameron Purdy
Tangosol, Inc.
Coherence: Shared Memories for J2EE Clusters

... For the second year running Bill Gates is the world's most respected business leader.RegardsRolf Tollerud

This is not the place for me to get deeply into my take on Bill Gates (discussion key words - moral turpitude, psychopath, megalomaniac, Hitler, Stalin).
But if you are trying to emulate him, you should spend less time trying to snow people who know better; pray on ignorance and apathy: knowing where and when to stick the knife in made Microsoft what is it today.

Getting back to the topic - what Gosling said seems pretty obvious - security is harder with pointers & unchecked code, duh.

Microsoft decided that the sacrifice is worth it (if they considered it at all). If developers use the feature properly, and users carefully manage their security settings, it will gain a little efficiency. Personally I'm filing the above scenario with flying pigs, and I expect .NET security to be right there with ActiveX.

The Java model keeps unsafe code at arms length; it's not perfect, but it's easier to be safer.

Maybe one day Gosling will become a goose, but I don't see evidence here.

Clive:

This is not the place for me to get deeply into my take on Bill Gates (discussion key words - moral turpitude, psychopath, megalomaniac, Hitler, Stalin).

These words could be used of Tiberius, Caligula and many others of the Roman emperors but not all of them. That it is possible to have absolute power and still be moral decent person (not like the average TSS person!) is proved by the before mentioned Hadrianus and Trajanus. And that anyone can use words like this in connection with the nice "nerd" Bill Gates is beyond me. Not a single scandal (not a playboy like Larry Ellison for example) is tied to his name, goes to the job every day in spite of being so rich, has given away more money to charity than any person in the history, is obviously quite intelligent, etc etc.

But if anyone wonders, joke aside, why I so relentlessly and unforgiving keep on pursuing Java year after year and direct the unforgiving light on all practices and technology and idiotic shortcomings, here is the answer: the attitude of persons like you.

"The Java/UNIX/Oracle camp particularly seems to enjoy casting their technical preferences in quasi-religious terms that encourage hyperbole, paranoia and hatred. The rhetoric used by Java advocates about Microsoft and Bill Gates is not subject to common standards of decency."

That it is extra fun too is a secondary reason.

This is not the first time mr. Gosling has lost credibility. This is just one of a long string of outrageous statements and lame interviews from him. Never is there any positive information, something he has done. He does not act or behave like an intelligent person IMO, not after my standards. If there ever was a person that fit the description "before guy" it must be him.

"Best regards"
Rolf Tollerud

If there was justice Monopoly like M$ should have been dealt properly. M$ the pure leach that copies everyone else.


13 New Windows Security Vunerabilities

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Attacks on .NET or Microsoft always results in a long thread with lots of lots of negative Java/Unix information. Not very smart IMO.

Linux is currently reporting 35 security breaches per week
http://www.theserverside.com/news/thread.tss?thread_id=31595#155478

Regards
Rolf Tollerud
(As I am just a script I can go on forever)

Linux is currently reporting 35 security breaches per week
http://www.theserverside.com/news/thread.tss?thread_id=31595#155478

Garbage reference to Linux, getting sloppy Rolf?

Linux is currently reporting 35 security breaches per week
http://www.theserverside.com/news/thread.tss?thread_id=31595#155478

Poor Rolf. You meant this link, right?

http://www.theinquirer.net/?article=20817

Peace,

Cameron Purdy
Tangosol, Inc.
Coherence: Shared Memories for J2EE Clusters

Agreed.

http://sfgate.com/cgi-bin/article.cgi?file=/gate/archive/2005/02/04/notes020405.DTL

....that anyone can use words like this in connection with the nice "nerd" Bill Gates is beyond me. Not a single scandal is tied to his name, goes to the job every day in spite of being so rich, has given away more money to charity than any person in the history, is obviously quite intelligent, etc etc.

I was trying not to get into this; I was mainly trying to indicate that I am not a fan, but good point. I think I meant sociopath and ethical turpitude, and I'll even drop megalomania since in his chosen domain omnipotence is more of a reality than a delusion. You see work ethic, I see empire building. You see charity, I see power.
Sure I respect (and fear) his intellegence, ruthlessness, cunning, success, and utterly unfettered ambition (only remarkable in combination), but I won't admire him any more than I'd admire Hitler for the same qualities.

This is not the first time mr. Gosling has lost credibility. This is just one of a long string of outrageous statements and lame interviews from him. Never is there any positive information, something he has done. He does not act or behave like an intelligent person IMO, not after my standards. If there ever was a person that fit the description "before guy" it must be him. "Best regards"Rolf Tollerud

Now I've actually read the transcript and what he said was hardly lame or outrageous (prehaps you couldn't follow it because it wasn't phrased in esoteric historical references), and quite relevent in context; i.e. the real damage is done to the VM architecture.

"After all, Internet posed no risk, threat or challenge to Microsoft"That must be the most stupid sentence ever uttered.Before the Web 95% of the enterprise systems was build by MS tools, a short time after the Web 95% of the enterprise systems was build with non-MS tools. If that is not a treat then I don't know what is a threat.Such a surprise would have been the death of most companies. That MS succeeded to turn around such a large company on a 2 center is nothing less of a miracle...

Microsoft holds the desktop monopoly. If you have that kind of advantage and then lose it when something like Internet comes along, that would have been a true miracle. Internet was the best thing that happened to Microsoft in a long time since the IBM PC licence deal. That was like a keys-in-hand house deal for free for Microsoft. Microsoft had the royal flush, competition maybe a pair and a high kicker. Microsoft would just watch the competition to raise the stakes, and then flash the cards - game over. And you know the worst hand in poker is the 2nd best hand.

What comes to the enterprise systems...you have to be smoking crack - this is one of those priceless Rolfisms. They got the foothold because of the Internet opened a huge demand for small/midsize information systems - a segment that never really existed before and was not dominated by the big Unix players. I think you call this the 'enterprise'...it sounds good but come on, Rolf. Without the Internet, Microsoft would not have a server business, period.

So, I repeat, There was no real risk for Microsoft, no miracle, no turnaround. Event the browser wars was a joke...there was no war - just a little skirmish.

"Microsoft would just watch the competition to raise the stakes, and then flash the cards - game over"

Well Tero, If we go back to the time before the browser war, when MS did not had anything, no internet product, not IE, not IIS only windows 98 systems on the desktops completely unsecured and unprotected,

in that case, why didn't you warned the Java/Unix word then that Microsoft had Royal Flush and was just waiting to flash the cards while the competition raised the stakes?

Because if you read the postings from that time you see that that was when all started - the gleefulness, exultation, arrogance, exaggerated claims type "we invented the Internet" etc, etc, in short all the hyperbole, paranoia and hatred.

Why did you not you warned them Tero, so they didn't had to make such fools of themselves?

Regards
Rolf Tollerud

If we go back to the time before the browser war, when MS did not had anything, no internet product, not IE, not IIS only windows 98 systems on the desktops completely unsecured and unprotected

Er. This must be some different version of windows 98 than the one every else used. Microsoft not only had IE around with Windows 98, but Win98SE had IE bundled with it!

Put that together with your statement that Windows 98 systems were 'completely unsecured and unprotected'....

Come on Rolf. You are trying to paint a very heroic picture about Microsoft.

Microsoft in grave danger, many others would have fallen, miraclulous comeback. It is all boloney.

When was Microsoft on the brink of bankcrupcy? When was their desktop monopoly threatened? Did someone even come close to taking over the office suite market? Did Microsoft lose something? Did they get hammered somehow?

Well, none of that happened. There was no miracle. No heroic comeback, no brillant save, or extraordinary leadership. Instead, MS got a lucky break in the servers for small and midsize businesses. The browser wars was just a little skirmish - Netscape could not fight the bundling and monopoly.

Well Tero, it seems that you and I* have quite a different view on MS history (*and the people that twice had voted Bill Gates as the world's most respected business leader). Unfortunately one of us has to be wrong!

But I give you a tip.

When you are in doubt of a situation similar to MS vs Sun/Unix case, be it between people or companies or countries or whatsoever, a good rule of thumb is: watch the type of language and arguments that the parts use.

"Loud and vociferous fanatics full of hyperbole and hatred a la the Chinas Red Guards or from the Old Soviet Union leaders combined with pseudo-science is not good at all, and in fact is a sure sign of the inferior person (company, country, etc)."

You may quote me.

Regards
Rolf Tollerud

You may quote me.
Regards
Rolf Tollerud

Great sayings are repeated, not by request, but in awe of their greatness.

Peace,

Cameron Purdy
Tangosol, Inc.
Coherence: Shared Memories for J2EE Clusters

And, one might add, "Lacking in humor and self-irony"

Regards
Rolf Tollerud

"Loud and vociferous fanatics full of hyperbole and hatred a la the Chinas Red Guards or from the Old Soviet Union leaders combined with pseudo-science is not good at all, and in fact is a sure sign of the inferior person (company, country, etc)."You may quote me.

Rolf hoists himself on his own petard once again.

Well Tero, it seems that you and I* have quite a different view on MS history (*and the people that twice had voted Bill Gates as the world's most respected business leader). Unfortunately one of us has to be wrong!

I respect Bill Gates too. I just think his greatest moments were 20 years ago.

Can you answer me if Microsoft was going bankcrupt? Can you tell me if their desktop monopoly was breaking? Did they lose the office suite market? Did they lose the emerging server market...or did they gain something? After answering those questions, do you still maintain that Microsoft was saved from utter destruction by ingenious maneuvering when Internet emerged?

MS just missed the big wave. The corruption and arrogance had already set in as they felt they were already invincible, and they were. And you are right that many other companies would have falled had they made the same mistake - but they did not have the desktop monopoly, huge cash reserves, or major lock on a lucrative office suit market. If Microsoft had somehow lost that battle, Gates would have gotten the bonehead award for getting out of the bed in the morning.

Stross has a different explanation for Microsoft's success: Gates's strategy of hiring only the smartest software developers, keeping their allegiance with lucrative stock options, fostering an egalitarian creative atmosphere and perpetuating the identity of small working groups.

(Randall E. Stross, The Microsoft Way)

Regards
Rolf Tollerud

Stross has a different explanation for Microsoft's success: Gates's strategy of hiring only the smartest software developers, keeping their allegiance with lucrative stock options, fostering an egalitarian creative atmosphere and perpetuating the identity of small working groups.(Randall E. Stross, The Microsoft Way)RegardsRolf Tollerud

Are you sure about that "small working groups"? The last I heard working with MapPoint group, the general MS approach is 80 programmers for each new group that is created. This is just what I was told and likely inaccurate. I don't consider 80 programmers small. Within that group it's probably divided into smaller units, but I don't work at MS and don't know first hand. the other places I've worked at start with a much smaller programmer count when creating a new "group". Obviously, the term "group" means different things to different companies.

I am no expert on MS inner workings but I have no reason to doubt Stross observations, which I also heard from many other sources. Let us just suppose for the sake of argument that it is true.

1) Hiring only the smartest software developers (as opposed to go for experience, education, etc)

2) Keeping their allegiance with lucrative stock options

3) Fostering an egalitarian creative atmosphere

4) Perpetuating the identity of small working groups
(larger groups can be build by concatenating smaller groups)

Seems pretty smart to me and certainly not something I ever seen in any company I have been in. If it is true, and I repeat if, and I repeat if, then it more than well can explain the reason for Microft success.

Regards
Rolf Tollerud

I have a much shorter explanation for MS' success:

1) It has a monopoly on desktop OS.

Give me a monopoly, and I will get successful, no matter what.

If MS actually had the best developers, we wouldn't have had VB or this much virii and security holes in the first place.

Regards,
Henrique Steckelberg

Stross has a different explanation for Microsoft's success: Gates's strategy of hiring only the smartest software developers ..

Absolutely delusional:
http://www.joelonsoftware.com/items/2005/01/27.html

It was common knowledge when I lived in Redmond that Microsoft was where you would go to work if you couldn't get hired at the interesting / challenging software companies. Nobody who is motivated and intelligent wants to work for a big, bloated corporation run by suits with red tape.

Peace,

Cameron Purdy
Tangosol, Inc.
Coherence: Shared Memories for J2EE Clusters

It is not wise of you to continue this thread!

The Sun/Unix/Java camp accuse MS of takings FUD, talk about throwing stones in a glasshouse. :)

1) MS has the best culture, in short "the developer is the king". Opposite to for example CA that once said after an acquisition: "In our company the programmer is just an ordinary employee as anyone else"

2) MS has the most intelligent and talented programmers thanks to a special hiring philosophy practiced over more than 15 year.

3) MS is the only company that can make decent software.

Microsoft was chosen "Most Desired IT Employer of 2002".
http://home.techies.com/Common/Content/2002/12/15mc_idealemployers.html

And here is voice from the ranks:

Ian P. McCullough:<br>
"I did it... it rocked...
I was an MS Intern several years ago. (And was a MacPhile and OSS proponent the whole time.) It was probably the single best work experience I've ever had. And that's even after I mention that my boss and I clashed at every turn and I ultimately got a "no hire" recommendation, pretty much blacklisting me from ever working there again. You can hate the way they do business, or their FUD marketing or whatever you want, but at the end of the day, working there is like being an endowed researcher at the coolest, most well-funded university on earth, where they only let in the uber-smart. It was easily the highest concentration of smart people I've ever had the pleasure of being around. If someone had handed me a crystal ball and told me the shit the economy was about to become I would have kissed some serious ass and made sure I got an offer there."

Why do you keep on citing "joelonsoftware" that is just opinions from a notorious anti-MS person? Remember "Sharepoint, nobody uses it" :)

I have been on many interviews and know that it is nothing like the MS Way, but usually more like something from "Dilbert":

If you get a list of employees in SUN, u can draw a lot of Family Trees. This is all because SUN hired most of the programmers thro some reference or someone who is related to one of the employees without proper screening or interviews. Not only this but most of the sales force and marketing people are also like that. They spend more time in meetings or in gym and talk abt their weekend plans more than a stupid JVM memory leak. The lack of seriouness and aim to achieve higher is the main reason behind SUNs loss in last few quarters. Its like a illness which spreading across SUN. May GOD keep SUN shining. ( or atleast keep apache and JBOSS alive).
- ex SUNW employee

http://www.theserverside.com/home/thread.jsp?thread_id=17831#73715

Regards
Rolf Tollerud

I don't believe that Rolf has ever spoken to any of the day to day programmers in the Microsoft ranks, but gets the bulk of his information from marketing materials and glowing reviews of the environment from Redmond lifers.

My friends who are forced to be there due to the economic circumstances they face would totally agree with you, Cameron.

Ok Ok I get your point, what does it matter in a thousand year? You are entitled to your opinion of course. You are not in the vociferous falang, that goes without saying.

Regards
Rolf Tollerud

And thus spake Rolf:

...Microsoft that had won their position in fair competition against many pretty good competition as OS2, Mac, Amiga, Atari, etc found that practically overnight their systems and technology was worthless.

You cannot give Microsoft 100% credit for this. It was IBM who created the open IBM PC hardware platform which set the stage for Microsoft dominance. Without that, I very much doubt that Microsoft would have been any different then Mac, Amiga, Atari. Most likely they would have been worse off since they would have to rely on someone else to build the hardware their OS ran on.

I think you are also overstating the notion that Microsoft caused systems like the Mac to become worthless. Anymore then you can say that the introduction of Windows resulted in Sun servers becoming worthless. Both examples served (and continue to serve) a market niche. Both also continue serve that niche very well.

Correction...

Most likely they (Microsoft) would have been worse off since they would have had to build their own hardware their OS ran on.

And thus spake Rolf:

...Microsoft that had won their position in fair competition against many pretty good competition as OS2 ..

You cannot give Microsoft 100% credit for this.

Actually, you can. Microsoft wrote OS/2. In fact, OS/2 version 3 was renamed to its internal name: "Windows NT".

For a good trip down memory lane, read the old Microsoft publication (Windows Dev Journal? Microsoft Dev Journal? Can't remember ..) where it was talking about the upcoming OS/2 3.0 that was known internally as Windows NT.

Peace,

Cameron Purdy
Tangosol, Inc.
Coherence: Shared Memories for J2EE Clusters

You cannot give Microsoft 100% credit for this.

Actually, you can. Microsoft wrote OS/2. In fact, OS/2 version 3 was renamed to its internal name: "Windows NT"

While this is true, my point was that without IBM creating the open PC platform that Microsoft chose as its hardware platform, it would be less likely that Microsoft would have achieved the level of dominance it has today.

So it wasn't simply Microsoft's "cutting-edge" OS that gave them the dominance they enjoy today. I'd equate it more to the beta-max vs. vhs format wars a few years back. The best doesn't always win.

As an interesting sidenote, IBM is trying to do the same open format for their server blade chassis as they did for the home/business PC. The open format will allow other vendors to sell blades that will also fit in the IBM blade chassis and in essence commoditizing the blade market.

I am wondering why Java - C++ with JNI is secured over .net interop. There is no case made for that by Gosling or any other venerable members of tss.com.

Here they are :
http://www.auctionsieve.com/blog/
Straight from the source with no reporter inbetween.

The Sydney transcript is edited. For example, when he mentions the DCMA, the audience audibly hissed, and from memory he made a little aside about the evilness of DCMA, which segued into his comments about people building trivial copyright protection into things just so you can't legally reverse engineer them. Anyway some of that stuff isn't in there apparently, so its undergone some light editing. And some of the questions too I think.

(Ah! Being here in TSS is good for my self-confidence :)

Surprisingly efficient! Whenever I say "That's it! One cannot be more pathetic than this!", he finds a way to beat his own record!

"As MS just has emerged victorious from the most deadly challenge ever, (the web appearing "overnight") according to Toynbee, it should now be at its strongest ever."

Hey Rolf:

Everything changes....stockholders know more than you do apparently, since Microsoft stock has been stagnant for a very long time now, even after an injection of $30 BILLION dollars spent from MSFT's cash hoard.

The main point is that Microsoft is almost wholly dependent STILL on windows and MS Office, and both these products are being assailed slowly but surely by competing open source products.

if you think about it objectively and without emotion, the fact that
 
(1) open source provides products that are cheaper and as robust or more robust than commercial products;

(2) Many fast developing countries like China are standardizing on open source products

Than in THE LONG RUN, there is no place for Microsoft to go but down...it won't go bankrupt obviously, just like IBM is still here with us, but its relative dominance in the IT industry would doubtless go down (and it's happening already, if you were not so blind).

San Juan,

"open source provides products that are cheaper and as robust or more robust than commercial products"

No. Open source products are unbelievable shit IMO. Every year is proclaimed as "the year of Linux" :)

"Many fast developing countries like China are standardizing on open source products"

Last time I checked Linux (server) impregnation in Asia was less than in the west,

"there is no place for Microsoft to go but down"

Too bad, since MS seems to be the only one that can make decent software.

MS recent "stabilization" is caused by that everybody already have their products. As soon as the mobile market gets traction you will see what MS can do.

Regards
Rolf Tollerud

Like I said, the writing is on the wall....in fact, as i pointed out, the slow relative decline of MSFT has already progressed quite a bit:

http://abcnews.go.com/Business/SiliconInsider/story?id=88655&page=1

I doubt MIcrosoft would become a DEC, but again, its relatively strength has declined already quite a bit since the decentralization of computing power away from the PC, and the coming of open source to challenge MS Office and Windows.

San Juan,

As I said before you are confusing cause and action, every situation needs to be examined in detail. Precisely as the first shift was caused by the Web, and not by the quality of the competition, the stabilization of Microsoft is caused by saturation, not competition. When you are the most successful company in the history it is not as so easy to grow like a little startup.

So Microsoft need to expand into other branches and that is exactly what they are doing, in four areas:

1) The expansion into business system like ERP and CRM
2) The high end server market, not only the small and midsize market
3) Mobiles
4) Home entertainment

If you hone your discernment, you will see that all this activities are going well for Microsoft. You must also take into account that it is a world-wide unjust anti-MS "Lynch-Mob" around the world that influences the stock market.

Open Source is the most laughable, Linux zealots claim 3% coverage but Google showed only 1% (until they were force to take it away for political reasons :) It is totally insignificant.

I put your attention to what I said before, MS advances sometimes faster sometimes slower, but is never influenced by competition, because there aren’t any.

Regards
Rolf Tollerud

I propose we let Rolf get the last say in this thread, in order to preserve some of his self-confidence.

MS advances sometimes faster sometimes slower, but is never influenced by competition, because there aren’t any.RegardsRolf Tollerud

I am so impressed Rolf. You know more than Bill Gates!

Bill says:

"Linux is an unusual kind of competition because in a way it's out there and very pervasive."

But you know better. Perhaps you had better e-mail Bill and tell him he need not worry, because there is no competition.

Unfortunately there isn't a transcript from this event so all we’re getting is the headline grabbing stuff at the moment. It' be interested to know what Gossling is thinking of specifically. He’s probably right, though, security holes in Java programs are pretty rare relative to C++ because the Java verifier guarantees that generated byte code does not violate certain rules such as forging the type of a reference or under/over-flowing the stack. Because this is done at the verify stage it is still possible to compile the bytecode down to machine level instructions after verification which allows you to get very good performance out of type safe code Allowing C++ pointer manipulation makes this difficult (if not impossible) to achieve so that (theoretically) allows many more possibilities for both unintentional and intentional maliciousness. Since .NET is a Microsoft product and MS have always been frankly crap at security attacking them on security grounds makes sense. It must be weird for Gossling though – kind of like attacking an illegitimate child.

In some ways I think Sun could do worse than to simply stop talking about .NET altogether. When Data General first emerged on the scene IBM shot itself in the foot big time by telling lots of its customers to avoid the nasty upstart company. The net result of this was DG getting hundreds of calls from IBM customers trying to find out more. This is the same mistake Microsoft is currently rather brilliantly making with Linux (well I’m enjoying it anyway). The thing is .NET realty isn’t much of a threat to J2EE as far as I can tell. I’ve done three strategic platform choice projects for large enterprises in the last five years, and in all 3 cases J2EE came out top on the assessment. I honestly can’t find a logical reason for choosing .NET over Java and I really tried. Most of the reasons that are given are spurious:
1) Multi-language support. But honestly does anyone care? VB.NET is nothing like VB so the VB programmers have to learn it all over again (one of the reasons I switched from MS to Java in the first place). C# is a new Java-like language anyway.
2) Productivity – MS seems to be doing a good job of convincing their fanboys that .NET (and others) that .NET is somehow more productive than Java but this is mostly crap as well. The best Java IDE's are at least as good (and probably better) than VS .NET in many ways – certainly the re-factoring and code debugging tools in IDEA blow VS.NET out of the water as far as I can see. And the "ASP" productivity argument really is nonsense (if you try and do anything vazguly complicated with ASP.NET it rapidly becomes as painful as anything).
3) Performance – but again this is bunk. Most of the independent studies I’ve read have MS and J2EE on Windows as close to nothing as makes no odds, Although my personal experience has been that I always seems to have scalability problems with .NET.
4) Cost? But Eclipse is free, Java itself is free, Apache Tomcat is free and so on. You can get an equivalent to .NET in Java without spending any money at all.
5) Better GUI libraries. But actually WinForms is DOA (to be replaced by Avalon) and SWT as even Rolf has admitted on occasion is "better" than it. I actually find Swing pretty good too these days, although I wish Sun would get Apple and Trolletch to re-factor it to make it easier to add custom widgets and harder to end up with too many events firing (the main reason why it got its slow reputation in the first place).

+1

below is a link to the Sydney transcript

http://www.builderau.com.au/program/work/0,39024650,39176462,00.htm

Being a Java fan is fine, being a complete fool is not.
Especially for someone in a position like mr. Gosling, you have to be careful about what you say and not just spout some party line against a company (or product) you don't like.

That James doesn't like Microsoft is well known, his own blog makes that clear enough. But to go beyond snide remarks and post blatant falsehoods or overexagerated claims just to harm the company and its product goes beyond snide remarks and into the realm of slander.

Being a Java fan is fine, being a complete fool is not.Especially for someone in a position like mr. Gosling, you have to be careful about what you say and not just spout some party line against a company (or product) you don't like.That James doesn't like Microsoft is well known, his own blog makes that clear enough. But to go beyond snide remarks and post blatant falsehoods or overexagerated claims just to harm the company and its product goes beyond snide remarks and into the realm of slander.

Agreed.
The competition between .NET and J2EE is A Good Thing because it should in theory drive these companies to make better products...so Gosling should concentrate on making his own product better rather than spending his time to do competitor-bashing.

Being a Java fan is fine, being a complete fool is not.Especially for someone in a position like mr. Gosling, you have to be careful about what you say and not just spout some party line against a company (or product) you don't like.

No matter what you think of these particular comments, there is no doubt that James Gosling is certainly not a fool, and is known for not always following the company line. Saying he is reflects badly on the poster. He is well worth listening to.

JT, I can assure you that you have no more ability to even understand what James Gosling is talking about than you would know what was being discussed in a university level course in computer science.. stick to ".Net for Dummies" and stop taking up space here..

If I am not mistaken, the seciruty hole is not relevant to developers.. The article spends a lot of time discussing Microsoft excuses about developers "have a choice, about the risk" they are taking, or the totally spurious nonsence about performance.. If malicious developers produce worms which are images, then all naive users downloading that software have left the option for the malicious developer to cast the image to a stream and execute it on your PC... As would be expected, James Gosling is not raising a false alarm... He is pointing out that Microsoft security lapses are moving from emails, spreadsheets, and downloadable .exe's to rich content served into the browser.. I would like to hear how Microsoft is planning to fix this, rather than how fast the code is going to run, epsecially when that code might be stealing my passwords and credit card numbers.. Is this opening the biggest boon to fraud, invasion of privacy, and malicious spam and ad-ware we have seen to date? I hope not, but I think so..

I would like to hear how Microsoft is planning to fix this, rather than how fast the code is going to run

M$ sponsored research comming to a trade mag near you.

New independent study shows virii run 10x faster on .Net than on Java!

"So there should be no problem at all as long as Bill Gates has the leadership"

From the oodles made by Bill Gates
We look forward with amusement to explanations by a variety of psychologists and graphologists of how various characteristics ascribed to the prime minister on the basis of the doodles, such as 'struggling to concentrate', 'not a natural leader', 'struggling to keep control of a confusing world' and 'an unstable man who is feeling under enormous pressure', equally apply to Mr Gates

http://news.bbc.co.uk/1/hi/uk_politics/4220473.stm

Graphology has about as much scientific credibility as Astrology.

I was actually there in the room when Gosling made the comments. How many of the peanut gallery on this sewer of barely-informed opinions that serverside has become, actually heard him speak or are you basing your report on a THIRD HAND report of what was said? Don Box included. Modern technical journalism it seems has become nothing different from tabloid journalism, debate reduced to a pissing contest between two opposing camps.

Gosling's points where in direct response to a question about multi-language support for the JVM, which has been around longer than CLR, and his design decision not support direct memory address access and pointer logic in the JVM. Which is where all the comments about C/C++ in the CLR came from.

And not one of you can produce a good argument as to WHY this (ie C/C++) is a secure choice in the CLR and very few seem to grasp IF and WHERE Java (not solaris) suffers from the same problem.

I mean, he also had a bit of a dig at some of the scripting languages and also made a comment about Apple's problematic relationships with everyone else in the industry and he made several pointed barbs directed to IBM and simply because it's not reported by the co-sponsor of the event no one gets upset about it.

I was at the Melbourne event where Gosling was asked "How does the JVM compart to the .NET VM". His response was that providing the ability to take a pointer, cast it to an integer, add another integer to it, cast it back as an pointer and then refer to this memory address provides a security hole. This type of process can occur in .NET but is prevented in Java, an hence the Java VM is more secure.

Both CLR and JVM try to provide a safe execution environment at the cost of sacrificing flexibility and performance. However, if you need to do something like pointer manipulation in some special cases, the sandbox doesn't allow this. So, a backdoor has to be opened at the cost of sacrificing safety. In word, there is no free lunch.

I agree. But this cost is worthy to pay in 90% of the cases.
I do not see almost no reason in most standard applications to use c++ above java for example.

D. Orbach
booksprice

This is waste of time.... i will do my work :)

Having just returned from a .NET training class, one question remains for me in terms of true security.

While the .NET stack based security model is an interesting one, what prevents a rouge unmanaged ActiveX control or other unmanaged executable from turning off all that security since all of the security in .NET is controllable via API calls?

Seems to me that all of the security can be easily unwraveled with a few API calls to the .NET security manager. Is this perhaps part of the huge security hole that Gosling is referring to as well?

Also, where are the benchmarks for performance implications of the reverse stack walking of the .NET security model? I know the stack walking can be turned off, but then there is no more security, or at least alot more limited security.

As far as I know, the JVM and Solaris themselves are written in C++. Leaving out languages like C/C++ is not possible, when the aim of .Net framework is to allow language independent code. Is James Gosling implying that including C++ is a security hole.
James Gosling is a respected person in the Java community, and I hope he stops insulting a language(no I am not a c++ programmer. I am a java programmer, and wow, I like Java.) for security holes in software "implementations". Java technologies are in a mess today and I hope they make it simpler, instead of commenting on c++ and strousroup. By the way, I was frustated few days ago, when I had to work on JNI. .Net gives you a better alternative. you can call a dll written in C# from VB.net code. For all languages, the MSIL code works out the same. It is tiring to see new jars every other day, and new specs coming out before you have mastered the previous specs. The best examples are Java 5 and EJB3. Will there be a solution to the persistance problem.