News: Betfair bets on J2EE, JBoss and Tangosol Coherence

  1. Betfair bets on J2EE, JBoss and Tangosol Coherence (80 messages)

    The online gambling exchange thinks Java has the security track record required for mission-critical, 24x7 businesses.

    UK online gambling exchange Betfair has chosen to base a major Web site overhaul around Sun's J2EE platform rather than Microsoft's .Net software, claiming the Java product comes with a "proven enterprise track record".

  2. Quick follow up on this since the summary is slightly misleading. It is not the case that Betfair moved from .NET to J2EE. They moved from ASP to J2EE having evaluated both J2EE and .NET (also, I believe, from Windows to Linux).

    I'm interested that they’re using Jboss and Coherence. I don't know much about the Coherence product and would be very interested in a technical article on it – what it does, how it does it and what problems it solves. Any good articles out there?
  3. Coherence

    We use Coherence in our product. Damn good, Coherence is. For information, see:

    http://tangosol.com/coherence.jsp

    If you are interested in cluster-wide caching, this is a great product.
  4. "Quick follow up on this since the summary is slightly misleading. It is not the case that Betfair moved from .NET to J2EE. They moved from ASP to J2EE having evaluated both J2EE and .NET (also, I believe, from Windows to Linux)."
    I believe that is all correct.
    "I'm interested that they're using Jboss and Coherence. I don't know much about the Coherence product and would be very interested in a technical article on it - what it does, how it does it and what problems it solves. Any good articles out there?"
    There's lots of info at the Tangosol site: http://www.tangosol.com/

    The question it answers is this: How do you achieve near-100% up-time and good scalability using clustering in Java and J2EE applications? Coherence is clustering .. everything it does is explicitly designed for clustering from the ground up, and everything it does is designed to eliminate SPOFs (single points of failure) and SPOBs (single points of bottleneck) in order to reliably scale applications up into the tens, hundreds and even thousands of servers.

    (Note: Unfortunately, we don't have any customers yet in production with over 1000 servers. However, the software is designed to be able to scale that high.)

    Peace,

    Cameron Purdy
    Tangosol, Inc.
    Coherence: Shared Memories for J2EE Clusters
  5. "and SPOBs (single points of bottleneck)"
    Not that I have any clients that currently have a bunch of servers.
    But I have noticed that when they go from a single server to clustered, they run into problems with the limitations of the app server's ability to cluster good OO applications. Does Coherence help with this?
  6. Hi Mark,

    In short, yes! ;) This is one of the exact reasons we developed Coherence. Being able to concurrently manage your application's data across the application server tier removes some of the complexity of truly clustered applications.

    Later,
    Rob Misek
    Tangosol, Inc.
    Coherence: It just works.
  7. Thanks Rob.
  8. Hi Mark,

    No problem. Drop me an email at rmisek _at_ tangosol.com if you want the details on all of Coherence's features (there are too many to cover here).

    Later,
    Rob Misek
    Tangosol, Inc.
    Coherence: It just works.
  9. Coherence question for Cameron

    Hi Cameron,

    I have a hypothetical query for you to do with Coherence. I realise the main target of it is customers with very large systems and enormous numbers of users but…

    · I have a J2EE web app that supports a relatively small number of concurrent users, say about 3,000.
    · It runs on a single AIX box with 3 1.9 ghz CPU's – multiple JVM’s are used (IBM's Websphere ND handles load balancing duties). The database is on the same box.
    · The Java code has been optimised as far as it can be and most of the transaction time is spent querying/updating the database.
    · The queries have also been optimised as far as possible, and work has been done to reduce the contention on the database.

    Manager doesn't want to spend more money on hardware and is looking for a silver bullet. Do you think Coherence (I was thinking mainly about the database caching capabilities) would help?

    Charles
  10. Coherence question

    "I have a hypothetical query for you to do with Coherence. I realise the main target of it is customers with very large systems and enormous numbers of users but .."
    There are two primary reasons to use Coherence:

    1. Scalable Performance - not only make the app fast, but be able to keep that speed as you add more and more boxes to support more and more load, and knowing (predictably) that adding boxes will actually handle that much more load.

    2. Reliability and High Availability (HA) - To maximize uptime and eliminate single points of failure, and to ensure that server loss does not result in any data loss or interruption of service to the end user.
    "I have a J2EE web app that supports a relatively small number of concurrent users, say about 3,000."
    Depending on what the app does, that's pretty big for concurrent users.
    "It runs on a single AIX box with 3 1.9 ghz CPU's - multiple JVM's are used (IBM's Websphere ND handles load balancing duties). The database is on the same box."
    Not bad. That's 3000 concurrent users on one server, including the database.
    "The Java code has been optimised as far as it can be and most of the transaction time is spent querying/updating the database."
    Yup, that's what one would expect to see.
    "The queries have also been optimised as far as possible, and work has been done to reduce the contention on the database."

    "Manager doesn't want to spend more money on hardware and is looking for a silver bullet. Do you think Coherence (I was thinking mainly about the database caching capabilities) would help?"
    Yes, if you are willing to do some changes to the app to add object caching at key points, Coherence would be a great fit. The main reason to use Coherence (or any distributed cache, for that matter) is so that the three JVM's can cache data without that data getting stale if one of the JVM's changes it.

    Coherence handles that type of challenge by providing a uniform view of the data across all 3 JVM's. That's what we call a "coherent cache" .. other terms you might hear include "single system image," "shared memory," etc.

    Peace,

    Cameron Purdy
    Tangosol, Inc.
    Coherence: Shared Memories for J2EE Clusters
  11. Coherence question

    Cameron,

    Glad you picked this up and many thanks for your detailed reply. When we get the next round of benchmark testing through and know where we are I’ll see if I can persuade the team to do a proper evaluation of the product.

    Many thanks,

    Charles
  12. Hi Charles,

    It is also worth mentioning that we have a number of customer stories already published. In fact, I am reading over the soon to be published Betfair story right now.

    Later,
    Rob Misek
    Tangosol, Inc.
    Coherence: It just works.
  13. Thanks for your comments. I will have a more detailed look at the material on your website when I have the chance.
  14. I like this quote - "All of its development was done in-house by its own engineers and contractors, the company said. Yu explained that "in-house development is a must for the quality of development and rate of innovation that we expect"."

    Seems to go against what some (ok at least one :) ) have been saying here about this type of development.

    Anyway, I am glad to see someone considered the long haul. And was willing to say it.
  15. the decision was taken over 2 years ago

    "The re-engineering project took approximately two years to complete"

    http://www.silicon.com/research/specialreports/enterprise/0,3800003425,39123903,00.htm

    That was the time when people still believed in EJB Servers…

    Regards
    Rolf Tollerud
  16. "The re-engineering project took approximately two years to complete." ... That was the time when people still believed in EJB Servers.
    The article claims that resisting crime was the primary criterion, and that J2EE was more secure than .NET. Is .NET still lacking on this matter?
  17. regularly like a clock - the old squirming excuses

    Dear Mr. Miller

    I don't know or have any opinion over which system is more secure, J2EE or .NET. What I know however is that accusations that MS/Windows/.NET is not secure are vented every time Sun/Linux/J2EE loses a benchmark test. :)

    Yawn

    Regards
    Rolf Tollerud
  18. .Net is as secure as IE

    http://slate.msn.com/id/2103152/

    Wow. Even Microsoft-owned Slate.com same thing applies to windoze XP /2003 .Not server
  19. Assume that IE for the sake of argument is more insecure than Mozilla.
    So why does IE have 95% of the browser market?

    Because it is bundled with windows?

    No, that didn't help IE 3.x when all downloaded the at the time better product Navigator.

    And how can the market still choose IE after MS has abstained from competition for 5 years, done nothing, and it even has security problems? Must have been a darn good product from the beginning then. One can only imagine what the browser would look like in 2004 if MS had worked as fiercely at IE all the time as it did under the "browser war".

    And why has MS not done anything for such a long time?

    I don't know but I know one thing for sure it is not because they are incompetent or stupid or do not have any money/talent/resources.

    What mystic business is MS doing?
    Watch out.

    Regards
    Rolf Tollerud
  20. P.S.

    That they have not succeeded in five years to budge IE's market dominance despite having the advantage of "running alone" is enough to demonstrate and is evidence enough of the incompetence of the Mozilla team.
  21. Competence to spend ratio

    Rolf, your posts are entertaining in the annoyance value alone.

    Now what would be interesting is to look at the MS spend on IE and the spend on Mozilla and then see what the ratio is.

    As the market slowly but surely moves the way of linux I'd be interested to see the uptake of IE in this environment.

    I've got a good idea, let's keep this post going for a few years and then review IE dominance.
  22. Why MS has not updated IE in so long

    "And why has MS not done anything for such a long time?"

    "I don't know but I know one thing for sure it is not because they are incompetent or stupid or do not have any money/talent/resources."

    "What mystic business is MS doing?"
    As has been written, it's an article of faith inside of Microsoft that the html web browser is dead. It doesn't fit into Microsoft's lock-in strategy of having to run windows to use a web browser. Microsoft's strategy is to get people to move to Avalon and .Net. http://www.internetnews.com/dev-news/article.php/3361141

    "And how can the market still choose IE after MS has abstained from competition for 5 years, done nothing, and it even has security problems? Must have been a darn good product from the beginning then. One can only imagine what the browser would look like in 2004 if MS had worked as fiercely at IE all the time as it did under the 'browser war'."
    Back in the day when Netscape ruled, websites were written with Netscape only in mind. Today the opposite is true. Websites are written with IE in mind and certain pages just won't render, especially if they use IE-specific APIs such as ActiveX controls.

    I use Mozilla FireFox because the "tabs" feature alone makes IE look like it hasn't been updated in 5 years.

    Rolf, stop being such a Microsoft tool and use whatever works best. If you honestly think IE is the best then fine use it.
  23. Bryan,

    "If you honestly think IE is the best then fine use it"

    That has nothing to do with it. I do whatever I do to earn money. To earn money! Excuse me repeating to get in the point. Making software for the MS market does not make me rich, but it's a living.

    And there is no money whatsoever in building software targeting the Firefox browser. If Firefox is the best browser at the moment as you seem to imply, you can be sure that its reign as "Queen" will be very short.

    I never made one "crown" with non-MS software.

    Regards
    Rolf Tollerud
    (if you notice that I am not impressed with the "tabs thing", the only thing that Mozilla can show up after 5 years of "running alone" - you are not wrong.)
  24. Hi Rolf,

    You should at least _try_ Firefox. I use Microsoft Office (not OpenOffice) and I use Microsoft Windows (not Linux etc.) for my notebook, because I think they are the best productivity software and desktop OS. I used IE until Moz 1.4, at which point I switched, and subsequently I switched to Firefox. I can tell you that it is not pretty to try to use Windows 3.0 after having Windows 2K or XP .. similarly it is not pretty to try to use IE after having Mozilla or Firefox.

    I think you are letting your worship of Microsoft cloud your otherwise excellent judgement ;-)

    (BTW - I still have IE on my quick start bar b/c about 1% of sites don't work on Firefox, and also because there are some things that I have to test on IE. So don't worry, if you install Firefox, you can still occasionally run IE just to remember the bad old times.)

    Peace,

    Cameron Purdy
    Tangosol, Inc.
    Coherence: Shared Memories for J2EE Clusters
  25. "I can tell you that it is not pretty to try to use Windows 3.0 after having Windows 2K or XP .. similarly it is not pretty to try to use IE after having Mozilla or Firefox."
    Firefox by design does not reload a page when going back in session history, if the page is marked as "no-cache". The page is supposed to be reloaded using "no-store" but current 1.0PR has a bug, which prevents it from being reloaded. Thus applications which always synchronize View with the Model do not appear correctly on Firefox. But this is minor, the bug is fixed by Mozilla team and hopefully this fix makes it to the public release.

    Firefox printing is non-imaginative. It cuts pictures if they happen to cross pages. MSIE does not do that since at least 5.0, maybe even since 4.0

    Tabs are a stupid thing, I can simply open a new browser window. What is this, MDI comeback? I don't say tabs are bad, they simply add nothing.

    Ctrl-N opens a new window which is empty, it does not clone window like MSIE does (invaluable feature).

    Firefox allows to increase/decrease font size, but it does not have the "standard" size, so it is hard to say which site is done wrong: the one with larger fonts or the one with smaller.

    Anyway, I use Firefox now, it is getting better ;)
  26. Cameron,

    "You should at least _try_ Firefox"

    Ok. I will give it a try! (I am not difficult to have to do with :)

    For me it is not important to browse the internet. After all, how hard can it be to make software to read text & pictures?

    But when you press the browser to the limits with advanced Rich-Client Interfaces you see what a product goes for. Last time I tried Mozilla, it had more bugs and holes than a cheese from Switzerland. Have you heard about the little touch called "finishing the product"?

    There is more to browser software than implementing the latest css fashion rules. Let us see how it handles asynchronous XMLHttp, how it repaints in odd situations, how the Javascript debug scenario looks like, etc, etc.

    Regards
    Rolf Tollerud
    ("It is the end that identifies the genius." Nietzsche)
  27. not loading ActiveX controls?

    Sorry, the test is finished already.
    I will not abstain from my digitally signed ActiveX "Applets".

    IMO, the real reason that Navigator lost the browser war was that N. could not read ActiveX. If you have two products that are alike in every aspect except that one of them cannot read the thousands of components out there, it is not difficult to predict the outcome.

    To make the same mistake twice is unforgivable.

    Regards
    Rolf Tollerud
    (One should always play fairly when one has the winning cards)
  28. Rolf Give up

    Hey Rolf,

    Why do you bother with so many ignorant people? I commend you for defending MS. My votes for you buddy :)

    Wow, these people sure make a stink about some guy who decided to go J2EE and Linsux two years ago. Who the hell gives a crap? .NET is constantly taking away their market share and will continue to do so. Our company is currently in the process of rewriting two overly complex, non-scaleable J2EE applications in .NET; in less time than it actually took the previous company to finish off one of the applications. What a joke :)

    I work very closely with MS. They actually would like FireFox to take over IE for a few reasons.

    1. MS is not making any money from IE

    2. Take the browser off MS’s hands and let someone else deal with the brunt of security issues, which FireFox will definitely endure

    3. They are hoping that FireFox obtains a 50-75% market share in the next 4-5 years

    4. FireFox like all software will suffer the same security issues that IE currently endures. This will then be used against the Open Source advocates that Open Source is not as secure as closed source software.

    5. Life goes on

    IMO, they won the browser war :)

    Rp
  29. too little information

    "Our company is currently in the process of rewriting two overly complex, non-scaleable J2EE applications in .NET"

    Why can you not give us some more details and names of the sites?
    That should be interesting and also we would know that it is true too. (no offense meant)
    For example, what was the rationale for not choosing Spring/Tomcat/J2EE?

    Please provide some links.

    Regards
    Rolf Tollerud
  30. too little information

    True. Like how long ago were the apps built?

    If the company allowed the "wool to be pulled over their eyes" before what makes them (and you) sure it isn't happening again. I would venture an educated guess that it is. Just in a different way.
  31. too little information

    From the original software vendor (IBM), the first app took 1.5 years to complete and was just put into production 8 months ago. The second app (the bigger of the two) was scheduled to be completed Jan 2005, but IBM has pushed the date forward to July 2005.

    The client was not very impressed with the results and IBM has failed to meet the SLA obligations in a timely manner. Each day is costing IBM $10,000 a day for being late in final delivery, meeting the SLA obligations.

    We started both applications 6 months ago and we are scheduled to have both applications in production end of April 2005. From analysis, design and QA, our company will only take one year to complete. Our timeline is tight because the client mandates it. The only concern I have with the timeline is the intense security audits and privacy, and meeting the SLA obligations.

    IBM really screwed up here. From my understanding the projects were developed in India. IBM charged $3.5M US, yet we only charged $2.8M US, built in Canada.

    We're a small shop of only 145 developers (80 MS and 65 J2EE). $3M projects are usually medium sized projects for us.

    Rp
  32. EJB Servers are so out

    Ross,

    Thank you!

    Well that does only confirm what I have known for a long time that the overly complex EJB application server just doesn't cut it and occasionally works at all only because of products like Coherence. But not every application benefits from caching and in any case the database is not kept updated. The main competition to .NET comes from solutions like Spring/Tomcat/J2EE, not from legacy EJB Elephant servers.

    80 MS and 65 J2EE developers, hmm. I hope you keep us informed in the future too. :)

    Regards
    Rolf Tollerud
  33. EJB Servers are so out

    It seems they are still in the design phase - so I am not so sure what they have proven yet.

    I would venture a guess that they did spend too much on hardware/software they didn't need. I would also venture a guess they will be doing the same with the .Net solution. At least with a Java solution they can pick and choose vendors (i.e. Tomcat/JBoss vs Websphere). Obviously they didn't.

    The biggest problem I've run into with "J2EE" is not in the business tier but in the Web Tier. And a .Net solution will have the same problem and has little help, if any, in solving it. People's unwillingness to dump the browser as an application UI is the source of the problem. And vendors' willingness to build it that way is just some fuel to the fire.
  34. And in all fairness one has to say that the second time you build a system you benefit from the experiences of the past. At least I never succeed the first time with anything! :)
  35. EJB Servers are so out

    We are not in the design phase but currently in the build phase. All is going well and we should be in production a month before schedule. Our solution is not over engineered as the previous IBM's solution. It's elegant vs. elephant.

    Most vendors that we deal with don't care about moving from one web server to another or portability from one platform to another for that matter. If that was the case then J2EE would be the better choice. But an expensive choice that most customers don't care about.

    Rp
  36. EJB Servers are so out

    "We are not in the design phase but currently in the build phase. All is going well and we should be in production a month before schedule."

    Sorry your previous post said you were.
    "Our solution is not over engineered as the previous IBM's solution. It's elegant vs. elephant."
    Still doesn't mean they won't be spending money they didn't need to. I develop for MS platforms too. I know.
    "Most vendors that we deal with don't care about moving from one web server to another or portability from one platform to another for that matter."
    Sad. It seems that was their initial problem. They should. Not being tied to one vendor is what will save you money in the short and long run.
    "If that was the case then J2EE would be the better choice. But an expensive choice that most customers don't care about. Rp"
    Sorry. J2EE does NOT mean more expensive. Choosing the wrong Vendor might have that effect. And it seems to have in this case. If you can implement a MS.Net solution then the equivalent can be implemented in Java for cost of hardware and development.
  37. too little information

    Rolf,

    "Why can you not give us some more details and names of the sites?
    That should be interesting and also we would know that it is true too. (no offense meant)
    For example, what was the rationale for not choosing Spring/Tomcat/J2EE?"

    There are a few reasons:

    1. The Applications are not public Web Sites (extranet). In fact, only 20% of the total solution is Web based. The rest is B2B like processes.

    2. I'm currently under an NDA. However, I can give you some information: The purpose of the applications in a nutshell deals with VIN frauds in Canada. The company is a non-profit organization where insurances and brokers are members that pay annual fees for services rendered. The applications will have a large B2B interface between members in a very collaborative environment, using EDI (85%) and XML (15%), with BizTalk Server (Unfortunately, EDI still rules).

    3. We are currently in the design phase and are scheduled to have the applications completed and in production end of April 2005.

    The old applications were written in J2EE/WebSphere and JSP/Tomcat. They are not putting down these technologies. However, they got burned too many times by IBM (cost, time, bad solutions), that they decided to try Microsoft. My company has both expertise, .NET and J2EE. But we are seeing more work come in on the .NET side vs. J2EE. This wasn't the case two years ago.

    Rp
  38. Rolf Give up

    "IMO, they won the browser war :) Rp"
    Congratulations. Now we get a 5-year-old browser as a result, just because MS decided what's better for us. Imagine what would happen if .Net wins the application server war...

    That just proves how bad monopolies can be to the market. But some people don't seem to mind that, they love being spoon fed.

    Regards,
    Henrique Steckelberg
  39. "And how can the market still choose IE"
    Are you sure 95% of the market even knows they have another choice? Would your grandma know it, after buying a new comp with windows preinstalled? Most people don't even know there are other browsers out there, or wouldn't take the time to download, install and configure it. I thought you knew it: it is called bundling, and is usually done by monopolistic companies. The usual MS spoon feeding, which most people are glad to take as being the norm.

    Regards,
    Henrique Steckelberg
  40. "So why does IE have 95% of the browser market?"
    Where does this number come from? There are also other numbers:

    http://www.w3schools.com/browsers/browsers_stats.asp

    It shows an interesting trend if not anything else.
  41. A citation from Balzac.

    This thing fantasy interests me because myself, I have a vivid imagination. Then on the other hand we have the guys that think that Open Source only can sit still and wait until Mozilla expel IE to the dustbin. (hi hi)

    So come on. What do you think Microsoft is up to? What are they planning? Are you not curious?

    Never underestimate the enemy, use your fantasy.

    Regards
    Rolf Tollerud
  42. I have to say that the reason most people use IE is that it comes with their computer. I make my clients use Mozilla to access the CMS I sell them. Even though I install it on their computer and explain what it is, the vast majority of them never use it as their standard web browser, only to access the CMS. I then get calls along the lines of "Mozilla isn't working" when they can't be bothered to read the manual for the CMS, which probably doesn't do much for Mozilla's popularity.

    The market for computers has changed a LOT over the last five years. When MSIE3.0 was around most people who had computers were pretty savvy, knew that Netscape was better, and were well equipped to download and install it. Nowadays most people who have computers know very little. They'll happily install stuff to give them cool smileys and other random shiny things, but it's incredibly hard to get them to replace core operating system stuff like Internet Explorer, which is usually the first thing they learnt how to use on their computer.
  43. I would say that people are more computer-savvy today than in the days of IE 3.0. The big problem now is that you have to tell people "not" to download programs. :) But anyway that is not the issue here.

    Microsoft has been doing nothing for 5+ years (they have even disbanded their IE team), although Mozilla slowly has taken market share. If you consider all you know about MS and its history and still don't think that MS is up to something there is no hope for you.

    Regards
    Rolf Tollerud
  44. Major graphics flaw threatens Windows

    http://news.com.com/Major+graphics+flaw+threatens+Windows+PCs/2100-1002_3-5366314.html?tag=nefd.top

    Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.

    The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

    The severity of the flaw had some security experts worried that a virus that exploits the issue may be on the way.

    "The potential is very high for an attack," said Craig Schmugar, virus research manager for security software company McAfee. "But that said, we haven't seen any proof-of-concept code yet." Such code illustrates how to abuse flaws and generally appears soon after a software maker publishes a patch for one of its products.

    The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of affected applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

    "The challenge is that (the flawed function) ships with a variety of products," said Stephen Toulouse, security program manager for Microsoft's incident response center.

    Because so many applications are affected, Microsoft had to create a separate tool to help customers update their computers. Users of Windows Update will also be directed to the software giant's Office Update tool and then to the tool that will find and update imaging and development applications. The tools are a preview of what may come from the company in the future, Toulouse said.

    "We know one of the most important things that we hear from customers is to make the software update process easier," he said. "A goal of a unified update mechanism is what we are looking at."

    Out of necessity, Linux distributions have already developed such unified update software, which not only updates the core operating system but also other applications created by the open-source community. The majority of Windows applications, however, are created by companies other than Microsoft, making such a unified update system more politically difficult to create.

    The JPEG processing flaw enables a program hidden in an image file to execute on a victim's system. The flaw is unrelated to another image vulnerability found in early August. That vulnerability, in a common code library designed to support the Portable Network Graphics, or PNG, format, affected applications running on Linux, Windows and Apple's Mac OS X. Both the JPEG, which stands for Joint Photographic Experts Group, and PNG formats are commonly used by Web sites.

    As part of a notification program that has been in place since April 2004, any customer that had signed a nondisclosure agreement with Microsoft received a three-day advance warning about the JPEG flaw.
  45. September 09, 2004

    Open-source developers have warned of serious security holes in two Linux components that could allow attackers to take over a system by tricking a user into viewing a specially crafted image file or opening an archive.

    Imlib, a library for graphics-viewing applications used in the Gnome graphical user environment, contains a bug that could allow the execution of malicious code when a user views a specially crafted bit-map image file, according to Marcus Meissner of Novell Inc.'s Suse Linux.

    Linux vendor Red Hat Inc. warned of three security holes in LHA, a utility for compressing and decompressing LHarc-format archives. The bugs, affecting all versions up to and including 1.14, could allow the execution of malicious code if a user were tricked into extracting or testing a malicious archive or passing a specially crafted command line to the lha command. The third bug could allow an attacker to create a directory with shell meta characters in its name which could lead to arbitrary command execution.

    http://www.infoworld.com/article/04/09/09/HNmorelinuxholes_1.html

    Best regards
    Rolf Tollerud
  46. September 09, 2004
    Open-source developers have warned of serious security holes in two Linux components that could allow attackers to take over a system by tricking a user into viewing a specially crafted image file or opening an archive.
    Strawman. The issue is not whether Linux is as unsafe as Windows. The issue is that J2EE was two years ago more secure than .NET was. Why won't you address this directly? Why, Rolf, in a thread about how .NET was considered vulnerable to crime, do you stubbornly refuse to discuss .NET security?
  47. skip sentiment and wishful thinking

    Brian,

    "Why, Rolf, in a thread about how .NET was considered vulnerable to crime"

    You must be joking. Matt Youill:
    ..security was our number one concern. Interestingly it was not the .NET platform itself that was the primary issue, but rather the security track record of the Windows OS

    Can it possibly be clearer? How can you after that say that "The issue is that J2EE was two years ago more secure than .NET was"? They were concerned about Windows security more than two years ago, not .NET.

    Now we write 2004 (soon 2005) and the situation is different.
    Three things have changed since then:

    1)EJB Servers are out
    2)Linux is a bigger server security risk than Windows..
    3).NET is as big as J2EE in enterprise development.

    Try to be less nostalgic!

    Regards
    Rolf Tollerud
  48. skip sentiment and wishful thinking

    1)EJB Servers are out
    2)Linux is a bigger server security risk than Windows..
    3).NET is as big as J2EE in enterprise development.
    All three of those are at best debatable, and more likely plain wrong.

    Peace,

    Cameron Purdy
    Tangosol, Inc.
    Coherence: Shared Memories for J2EE Clusters
  49. Cameron,

    Do not be such a whiner!
    Make a .NET version of Coherence instead.

    "The only thing to do with good advice is pass it on. It is never any use to oneself".

    Regards
    Rolf Tollerud
    (Happily working with iBatis.Net and impatiently waiting for Spring for .NET)
  50. Happily working with iBatis.Net and impatiently waiting for Spring for .NET
    Why wait if you can do it today with Java? Fashion is for sissies... ;)
  51. "Why wait if you can do it today with Java? Fashion is for sissies... ;)"

    Either you are in the first line of fashion or else you wait 6 months; I prefer the first.

    In fact if I should be murdered by a bayonet and thrown beside the road I would lie in the ditch, look at the knife and say, "Last year's model! Why couldn't he at least have used this year's model!"

    Seriously there isn't much difference between modern Java (Spring/Tomcat/J2EE) and .NET as long as you avoid the Elephant EJB Application Servers. That I prefer C# has to do with small things as the simple-to-use standalone debugging, superior documentation etc. And that I have more confidence in MS than in JCP in the future. For instance (Mark!) look up TransactionScope in .NET 2.0 (a.k.a. Whidbey).

    The most important thing for us C# developers now is to get familiar with all the little gems (never coming from Sun or JCP) like Spring.NET, iBatis.NET, NHibernate, Log4Net and so on.

    Regards
    Rolf Tollerud
  52. That I prefer C# has to do with small things as the simple-to-use standalone debugging, superior documentation etc.
    Odd. That is why I prefer Eclipse and Java.
    And that I have more confidence in MS than in JCP in the future.
    I'm not sure I would have confidence in either.
    For instance (Mark!) look up TransactionScope in .NET 2.0 (a.k.a. Whidbey).
    Sure. Not generally available now. And only in MS.Net. Thought you liked Mono. :)
    The most important thing for us C# developers now is to get familiar with all the little gems (never coming from Sun or JCP) like Spring.NET, iBatis.NET, NHibernate, Log4Net and so on.
    And never coming from Microsoft. Remember those started with Java. Although NHibernate seems to be struggling because it basically needs to be rewritten.
  53. skip sentiment and wishful thinking

    1. Application Servers are in! - What is an EJB server? :)
    2.
    3. MS.Net is replacing VB/ASP at best. Many places are sticking with the old stuff. To top it off, it is difficult to do "Enterprise" development purely with .Net because most things are still COM. I know from experience and it is a thorn in my side. MS.Net doesn't come close to the wealth, breadth, availability and choice of Java technologies and the interoperability of them.
  54. Just as I said earlier, if you regularly download the fixes (=preferably automatically), you are immune to the attacks. Now we shall see how long it takes for Linux to fix the flaw(s).

    Regards
    Rolf Tollerud
    (Secure with SP2 :))
  55. From: http://securityfocus.org/news/9508
    "[...]The JPEG bug rounds out a growing menagerie of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing PNG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier." ;)

    and this (http://news.com.com/Image+flaw+pierces+PC+security/2100-1002_3-5298999.html?tag=nl):

    "[...]The Mozilla Foundation, the group that manages development of the Mozilla and Firefox browsers and the Thunderbird e-mail client, patched the flaws Wednesday, the same day news of the vulnerabilities was made public. Microsoft continues to study the issue, a representative of the software giant said late Thursday."

    but this is very off topic :)

    Best regards
    Jarek
  56. I have to say that the reason most people use IE is that it comes with their computer. I make my clients use Mozilla to access the CMS I sell them.
    What is CMS and why it cannot be accessed using MSIE?
  57. CMS == Content Management System. It runs on Mozilla because I develop on Linux and can't be bothered to test it on IE.

    And Rolf, Microsoft are of course up to something - trying to resurrect Cairo between bringing out service packs. Seems their resources aren't infinite in the face of the big black hole that is Longhorn after all.
  58. So come on. What do you think Microsoft is up to? What are they planning? Are you not curious? Never underestimate the enemy, use your fantasy.
    I don't really care what they are up to. All I know is that it is not going to be anything revolutionary or innovative, or something that has not existed for many many years already. It is like an old daily soap show, where every character has slept with everyone else, sometimes at least twice.
  59. .Net is as secure as IE

    http://slate.msn.com/id/2103152/ Wow. Even Microsoft-owned Slate.com same thing applies to windoze XP /2003 .Not server
    No one on Firefox web board answered me yet how to disable page caching. Even with cache turned off in "advanced" settings Firefox still can't help caching pages when I go back and forth, while the pages are clearly marked as non-cacheable. MSIE obeys HTTP 1.1 specs better. And Ctrl-N is invaluable feature. Tabs? Who cares about tabs if I can open a new window?
  60. Rolf,

    http://primates.ximian.com/~miguel/archive/2004/Sep-01.html
    http://primates.ximian.com/~miguel/archive/2004/Sep-09.html

    and a Microsofty reply:

    http://www.simplegeek.com/PermaLink.aspx/eb453f85-10e3-48ee-a6f5-cc4b886ce668

    It appears that even your hero Miguel thinks .NET has some serious security issues.

    Regards,
    Dustin
  61. As I said, when they can't compete they scream security. But MS Windows 2003 Server Advanced Edition is already more secure than any Linux distribution. In this context, I will take the opportunity to on behalf of Microsoft offer sincere thanks and the deepest felt gratification to all the Unix users and administrators over the world that have spent hundreds or thousands of sparetime hours writing virus attacks against Windows and therefore (thanks to Nietzsche's device, "All that not kills you make you stronger") have contributed to the excellent result.

    Once and again, "Thank You"

    Regards
    Rolf Tollerud
  62. .. and when Microsoft zealots/apologists cannot address the real issues that their platform has, they resort to playing victim.
  63. Dustin,

    Security has been beaten to death, for instance,
    In May this year, 19,208 successful breaches were recorded against Linux based systems, compared to 3,801 against MS Windows
    http://www.net-security.org/news.php?id=2725
    This thread is about the J2EE EJB Server JBoss against .NET!

    No facts exist on what environment is more or less secure. But other facts exists that EJB servers solutions tend to be overpriced and overly complex and is totally out of fashion anno 2004 (vs 2001-2002). So the security question is moot.

    Regards
    Rolf Tollerud
  64. Dustin, Security has been beaten to death, for instance,
    In May this year, 19,208 successful breaches were recorded against Linux based systems, compared to 3,801 against MS Windows http://www.net-security.org/news.php?id=2725
    This thread is about the J2EE EJB Server JBoss against .NET! No facts exist on what environment is more or less secure. But other facts exists that EJB servers solutions tend to be overpriced and overly complex and is totally out of fashion anno 2004 (vs 2001-2002). So the security question is moot. Regards Rolf Tollerud
    I don't know which is more secure or not, or whether .Net will prevail over Java. But at least we can agree over one thing: the post above is a serious contender for "the most illogical string of thought ever" grand prize. I'd say that your train of thought must have derailed somewhere in the way to the keyboard. :)
  65. Dustin, Security has been beaten to death, for instance,
    In May this year, 19,208 successful breaches were recorded against Linux based systems, compared to 3,801 against MS Windows http://www.net-security.org/news.php?id=2725
    This thread is about the J2EE EJB Server JBoss against .NET! No facts exist on what environment is more or less secure. But other facts exists that EJB servers solutions tend to be overpriced and overly complex and is totally out of fashion anno 2004 (vs 2001-2002). So the security question is moot. Regards Rolf Tollerud
    Speaking of being off topic. Where did the topic of Linux OS security come from? I didn't see anywhere that Betfair referenced using Linux as the OS. You seem to like to throw in statements about how secure Windows 2003 is, but when challenged on that position you claim the security issue is not a part of this discussion and is a moot point? Practice what you preach then and don't make statements about security if it is indeed a moot point.

    I'll also contend that the security question is not moot. I am addressing one of the main talking points of the article from which this discussion has spawned, and I quote.
    "Ultimately, we chose J2EE due to its proven enterprise track record, security, and maintainability. .Net offered faster development and performance, but for a mission-critical, 24x7 site such as Betfair.com, we chose the proven, secure technology."
    Notice the use of the word secure twice. So this thread isn't just about JBoss vs .NET it is about choosing a "proven, secure technology" ie J2EE. You should also notice that the article didn't even state they were using JBoss until the very end.

    Even if the decision was made 2 years ago, this article wasn't written two years ago and I get zero sense that Betfair now regrets their decision to leverage J2EE on the server side.
  66. off topic?

    "I didn't see anywhere that Betfair referenced using Linux as the OS"

    My fault I just assumed that when they were using JBoss (Open Source), they were using Linux (Open Source). But maybe Matt Youill from Betfair can clarify?

    Matt: it was not the .NET platform itself that was the primary issue, but rather the security track record of the Windows OS

    Is this to be another OS security discussion or is it an EJB Server vs .NET discussion?
  67. off topic?

    According to netcraft, their servers are running Windows, with the exception of the most current entry which is indicated as the "Unknown" server.

    http://uptime.netcraft.com/up/graph/?host=www.betfair.com
  68. And to that extent

    Quite an interesting slant Mr Tollerud.

    So, assuming you are a proponent of the MS world, for whatever the reason, security or otherwise, you are dead chuffed that the open source world is solving security problems in IE, indirectly or otherwise.

    Me too.

    I'm glad that MS is seeing the benefit of Open source. I'm even more pleased that as open source consolidates its position on a daily basis, that the big boys are taking a keen interest.

    Of course, the most smugly feeling is that MS can always sit there and consume open source effort, but there will come a time when the open source community will tire of just trying to beat MS up because they won't be considered a threat anymore.

    The bottom line is that open source has a worker base of many times that of the MS global effort could ever hope to achieve.

    And this is its beauty.

    By the way, am I right in saying that MS has open sourced some of its software?
  69. As I said, when they can't compete they scream security. But MS Windows 2003 Server Advanced Edition is already more secure than any Linux distribution. In this context, I will take the opportunity to on behalf of Microsoft offer sincere thanks and the deepest felt gratification to all the Unix users and administrators over the world that have spent hundreds or thousands of sparetime hours writing virus attacks against Windows and therefore (thanks to Nietzsche's device, "All that not kills you make you stronger") have contributed to the excellent result. Once and again, "Thank You" Regards Rolf Tollerud
    I didn't realize that it was Unix administrators' fault that MS products have so many holes... :)
  70. the decision was taken over 2 years ago

    Voice in the wilderness.
    Nothing new here, will move on.
  71. Regarding the platform decision, the statement "Betfair chooses J2EE over .NET" is not entirely accurate. In fact we did select .NET, as the technology for all of our internal management tools (GUIs). Java/J2EE was chosen as our server platform.

    When evaluating the two technologies, security was our number one concern. Interestingly it was not the .NET platform itself that was the primary issue, but rather the security track record of the Windows OS. Having said that, .NET was/is new and it would have been a bold choice.

    You need to bear in mind that the decision to go J2EE was made over 2 years ago. At the time, issues such as finding skilled developers and the general unavailability of .NET API's, middleware, tools etc. were a big concern. These are still an issue but not as bad as they used to be.

    .NET did prove to perform marginally better in our tests, but this was of little concern as compared with the scalability and reliability of Java. Ultimately we can achieve better overall performance from Java/J2EE.

    .NET on the other hand has proven a much better technology for developing our GUI's. The performance and availability of API's for Swing/SWT are still below par.

    Regarding Tangosol, we've successfully deployed their Coherence product for clustered session management and data caching. It's worked extremely well and the Tangosol guys have always been very helpful ;)

    It's a case of right tool for the job. Java has proven to be the right choice for our server platform. .NET has proven much better for our internal management tools.

    Matt Youill
    Betfair.com
  72. two year to finish..

    "You need to bear in mind that the decision to go J2EE was made over 2 years ago"

    Thank you for confirming that.

    "the primary issue was the security track record of the Windows OS"

    Year 2004 Windows is the more secure Server. Maybe you confused the desktop OS with the Server OS?

    ".NET did prove to perform marginally better in our tests, but this was of little concern as compared with the scalability and reliability of Java. Ultimately we can achieve better overall performance from Java/J2EE"

    That is correct if you had used
    1) Spring/Tomcat/J2EE, or
    2) .NET

    And you wouldn't have to work two years..!

    Your current choice was plain wrong IMO (except Coherence). But of course it is easy with 2004 "behind-sight".

    Regards
    Rolf Tollerud
  73. two year to finish..

    It's worth pointing out that the exchange didn't take 2 years to write; the decision to use java was taken 2 years ago. In the mean time, the ASP exchange was being actively developed which meant that the java guys had to catch up and keep up until the swap could be made.

    Good to see you're hanging in there Matty ;)
  74. Matt, please stop this pathetic attempt to save face.

    You dropped .NET in favour of J2EE bcos you felt .NET was not up to the job, fair and simple enough. So why all this boot lickin' sycophancy, if you knew that this affair was going to irk your partner, then why make the press release. The cynic in me reckons that you guys have got Microsoft irate and you've been thrown up as chaff to distract and also mitigate relationship damage. Your spin doctoring is obvious (decision made 2 yrs ago ???, .NET GUI still used internally yadayada - man VB 3.o could have done that job !!) but you've made your choice, stick to it and stop all this wimping around.

    ps
    A lot of folks need to wake up and smell the fact that Microsoft is in reverse gear. Then again, that old African saying rings true - 'even a wounded Lion is guarded by its aura'.
  75. .NET on the other hand has proven a much better technology for developing our GUI's. The performance and availability of API's for Swing/SWT are still below par.
    I was with you till you said that. What API is missing? What platform are your GUI's running on? What ones do you want them to run on? How much Winform/Swing/SWT/... have you all done? Want some help? Having done plenty of Swing and some SWT (and tons of VB) I just don't see it. Any pain with Java GUI technology, and there is little, is worth the rewards.

    The problems I see with people using Swing/SWT and Winforms for that matter - they want to code like they are coding VB or Powerbuilder.

    What Java IDE do you use? If you do, you must not be satisfied with it according to the above statement.
  76. the decision was taken over 2 years ago

    The lack of context in articles like the "security.org" one make it difficult to decide whether it's an accurate reflection on the security of the two OS's.

    Betfair based its decision on its own experience with Windows, and in consultation with its partners (who constitute some of the world's leading online businesses).

    Subsequently, Linux was determined to be a wiser choice. Having said that, Microsoft is doing a much better job than they used to.

    Perhaps the new Windows/.NET will eventually be the better choice. Perhaps a MONO/'nix etc combination will turn out to be better. Time will tell.

    And yes we are using Linux.

    Matt Youill
    betfair.com
  77. keep up the good work

    99% of all people at the time would have done the same. Or, to put it in another way, "It was the right decision then".

    It is nice to see you folks from real companies with real deployments participate in the forum. That doesn't happen too often! Why I don't know.

    I read about how Betfair work together with the Jockey Club to get rid of cheaters. I guess you give the old kind of bookmakers some fire in the pants! :)

    Regards
    Rolf Tollerud
  78. 1. This reads like an unabashed advertisement for Tangosol's product.

    2. Everyone screams about MS Win/IE/.NET security only because it is more widely publicised. Apache, CVS, Linux - all have vulnerabilities.

    3. Man is greedy. It pays to expose flaws in the biggest company's product. Right now it is MS. Tomorrow it could be IBM with Linux

    4. Continuing on man is greedy - Look at what Oracle was doing when it was the dominant database server. They were equally bad with their licensing scheme/policies as MS. And to this date Oracle's GUI interfaces for their management console and the SQLPlus interface sucks.

    5. Fact: .NET has successfully created a very lucrative component market. After 7+ years of Beans, JavaBeans, JSP tag libraries, etc. etc. Java still doesn't have one.

    6. GUI development tools for Java are still lagging behind .NET. The plain simple fact for this is that GUI tools are best when integrated with the target server's characteristics. In a world of websphere, weblogic, oracle, borland, sun, jboss, jonas, geronimo, <your favorite container> that is very difficult to comprehend.

    7. Fact: MS is a software company with lots of experience in building development tools. Sun is primarily a hardware company desperately trying to reinvent itself as a software company.

    8. At the end of the day, clients will continue to care about project quality, meeting deadlines, return on investment and business outcomes. It's sad that too many in the tech industry ignore these and focus on the periphery....

    My inflation adjusted 11 cents
  79. Everyone screams about MS Win/IE/.NET security only because it is more widely publicised. Apache, CVS, Linux - all have vulnerabilities.
    The above is irrelevant. An online casino wants the best security, and J2EE evaluated two years ago as more secure than .NET. Neither you nor Rolf have disputed this.
  80. The above is irrelevant. An online casino wants the best security, and J2EE evaluated two years ago as more secure than .NET. Neither you nor Rolf have disputed this.
    Your online casino employed an unproven, un-standardized metric to arrive at the conclusion that .NET (a vendor specific offering) is more secure than J2ee (a spec without an implementation).

    Go have a look at BEA's product patches. There are enough flaws in Weblogic/Websphere etc. I've personally opened bugs for weblogic security issues. .NET in my experience is not any better/worse (or in other words j2ee offerings do not fare any better).

    So why is this article based on a 2-year old assessment being posted on TSS? Answer: Unashamed promotion by JBoss and Tangosol. You want to refute that?
  81. So why is this article based on a 2-year old assessment being posted on TSS? Answer: Unashamed promotion by JBoss and Tangosol. You want to refute that?
    As far as I know, no one from JBoss or Tangosol had any direct involvement with this article (the original ZD Net article) or with the fact that it showed up on TSS.

    Besides, I'm always getting accused by Bill Burke that I'm not being fair to JBoss, so you know we're not working on this together ;-)

    Peace,

    Cameron Purdy
    Tangosol, Inc.
    Coherence: Shared Memories for J2EE Clusters