[2022 javaone] halloween tv – or why it might really be watching you back

Speaker: Steve Poole

For more see the table of contents

  • Doing Java 27 years
  • True story. Happened to multiple people
  • Company in the middle of nowhere
  • Smart TV with an ethernet port
  • Discover new wifi SSID
  • Look everywhere for the router, use scanners and eventually learn it is the TV
  • Asked supplier for instructions. Supplier didn’t know it had wifi either.
  • Asked manufacturer how to configure wifi. Manufacturer says no wifi in TV
  • Take apart TV and discover “system on a chip” with the wifi (had everything a computer needs, like a Raspberry Pi)
  • However, wasn’t the system on a chip (SOC) that the manufacturer shipped. Manufacturer may not know because SOC has extra capabilities they turn off. In this case, manufacturer says it isn’t theirs
  • Problem: open wifi, unsecured gateway
  • This SOC phones home. Every time you turn on the TV, it gets new wifi and sends geolocation info to an IP.
  • Anyone could “drive by” and access the network. Can compromise other things on the intranet

Implications

  • Lots of things plugged into a typical network – ex: printer/scanner. Could send your data
  • We all know not to plug an unknown USB into a computer. However, a tiny charger can be compromised and send data
  • A lot are espionage tools. More prevalent now.
  • Software applications can be compromised too.
  • Poor supply chain management
  • If you buy a charging cable (vs a data cable), know what it can do. Can’t tell by looking at it.

log4shell

  • Worst vulnerability ever
  • 33% of log4j downloads from Maven Central
  • Look at scanning tools and see if they can find all instances
  • 742% increase in vulnerabilities since last JavaOne. Actively trying to create a log4j situation in open source

My take

Steve is a great speaker so I’m glad I got to see this. It was poorly attended. Possibly because of the location (on the exhibit floor) or possibly because people thought the stage was all vendors. Granted this is a vendor talk too. But it took more than half of the talk to even allude to something that relates to Sonatype and that’s if you know what they do. Only the last two minutes was a direct tie (and even then didn’t mention their products by name).

[2022 javaone] log4shell where were your bug detection tools

Speaker: Munawar Hafitz


  • we remember log4shell
  • Path analysis
  • Deep calls
  • polymorphism
  • Didn’t blog on this but OpenRefactory presented about Log4j (felt very commercial). Presented Apache Commons vulnerability as “next Log4Shell” (it doesn’t look anywhere near as bad; per this article, it affects a specific API)

My take

This was mostly a commercial for OpenRefactory. I didn’t blog about the commercial parts.

[2022 javaone] java first, java always

Java keynote


George Saab

Java SVP

  • Themes: Performance, Stability, Security, Compatibility, Maintainability
  • Balance conservatism (compatibility / don’t alienate users) and innovation (adapting to change / fixing mistakes)
  • Six month releases have 5-17 JEPs
  • Amber – developer productivity – readability/writability, less code
  • Leyden – reduce start up time
  • Loom – massively scale lightweight threads
  • Panama – easier I/O with non-Java
  • Valhalla – better memory density thru value types
  • ZGC – low latency garbage collector on large heaps
  • JMS Discovery Service now free (basic features)
  • Java 17 benchmark 64% faster than Java 8 benchmark
  • Java SE subscription enterprise performance pack – built as a drop in replacement for Java 8
  • New shorter URL openjdk.org

Power of Clean Code -Olivier Gaudin

CEO, SonarSource

  • Better predictability and repeatability
  • Emphasis on tooling doesn’t yet help us develop better software.
  • Necessary, but not sufficient. Need great code.
  • 42% of dev time spent remediating bad code and tech debt
  • 59% of devs believe too much time is spent debugging vs innovating
  • Software rewrites cost 3X more than estimated
  • 90% of security incidents from poor coding practices
  • Quick feedback loops are more recent.
  • Developers should own code. For existing code, clean over time. Quality gates ensure new/touched code is clean. After a year, should have touched 20% of code. After five years, 40-50% clean.
  • Happy devs, happy teams

Performance – Naren Nayak & Michael Vidstedt

  • Ampere AI instances – built for Oracle cloud
  • 15% faster Spark
  • 20% lower latency for Cassandra
  • 29% higher throughput on enterprise class benchmarks
  • 46% better price performance
  • 16% heap size reduction
  • 47% improvement in CPU utilization
  • 40% better UI workload performance
  • 22% REST workload performance
  • Non cloud saw 20-30% improvement on real apps

Graal – Eric Selar

  • Donating GraalVM code to OpenJDK
  • Aligning with Java release model and licensing

Community – Sharat Chander

  • Did a survey on how long people have been using Java. A lot were 10+ and 20+. And a good number of 27 year folks!
  • 1.8 million Stack Overflow questions
  • 360 user groups
  • 355 Java Champions. 50 new this year
  • 1 million Java certs (hit this year)
  • Had JUG leaders and Java Champions stand. Now I see why he wanted us in the front!
  • Bruno Souza – lifetime achievement award. Nice to see he had his Brazilian flag cape on

My take

I like that Oracle blocked off the back half of the room on entry so people sit further up. And also that they had reserved seating for JUG leaders and Java Champions. Finally, I like that they had closed captioning in the keynote. The content represented a good kickoff. Lots of ground covered and lots of announcements.