Comment Re:Why doubt something better would exist? (Score 1) 154

You're thinking of C, not C++.

(Trouble is, so are many people who put "C++" on their resumes...)

No, I'm not. I'm quite fluent in C++ thanks and know how to use the STL. Yes, well written C++ is much better than your typical C app. Unfortunately, even codebases like WebKit that are worked on primarily by experienced, well paid engineers from places like Apple and Google routinely contain exploits in them that would have been avoided by the use of managed languages (not that I think WebKit should be written in Java).

The problem with Java is that the exploits are in Oracle's hands, not ours. We can't fix them even if we know what they are...

I think you missed the memo about Java going open source.

The other problem with Java is that if I install the runtime on my machine to run a little corporate desktop app it also ends up in the web browser, exposed to every single web page I visit. In what universe was that a good idea?

Not so long ago this was considered entirely unremarkable. Browser plugins were a very common and widely used idea, not just Java but Flash, QuickTime, ActiveX, Shockwave (aka Macromedia Director) and so on.

The cost of exposing surface area to malicious code was massively underestimated by practically the entire computing industry, for over a decade. Organized crime has repeatedly exploited that fact and now people are much more realistic about the difficulty of handling malicious code or data: the world learned the hard way that there are lots of ingenious ways to take control of a program that's handling malicious input, especially when those programs are written in unsafe languages!

Comment Re:Why doubt something better would exist? (Score 1) 154

You can get bad programmers in any language. That doesn't tell you much. The problem with C/C++ is that even extremely good programmers in these languages still write code that is exploitable from time to time. Things like over-engineering or memory bloat can be trained out of people. Some kinds of buffer overflows too. But if one class in your program is bloated and overly verbose, your app will still work. If one class in your C++ program incorrectly uses scanf or starts a thread with a pointer to something on the stack, that can result in your company getting hacked and massive damage being inflicted.
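The two C++ mistakes this comment names, each beside a safe form, as an added example that is not code from the commenter or from any project mentioned on the page; all function names are hypothetical:

```cpp
// Added example: unbounded scanf into a fixed buffer, and a thread handed a pointer
// to a stack local, each next to a safe form. All names are hypothetical.
#include <cctype>
#include <cstdio>
#include <memory>
#include <thread>

constexpr std::size_t NAME_CAP = 16;

// Defect: "%s" has no field width, so a token longer than 15 chars overruns `out`
// (a classic stack buffer overflow). Kept for comparison; never call it on untrusted input.
bool parse_name_unsafe(const char *input, char out[NAME_CAP]) {
    return std::sscanf(input, "%s", out) == 1;
}

// Fix: bound the conversion with a width of NAME_CAP - 1 and use a trailing %c to
// detect that the token was truncated, rejecting it instead of silently accepting it.
bool parse_name_safe(const char *input, char out[NAME_CAP]) {
    char next = 0;
    int n = std::sscanf(input, "%15s%c", out, &next);   // 15 == NAME_CAP - 1
    if (n < 1) return false;                            // empty / whitespace-only input
    if (n == 2 && !std::isspace(static_cast<unsigned char>(next))) {
        out[0] = '\0';                                  // token exceeded the buffer
        return false;
    }
    return true;
}

// Defect: the worker captures the address of `config`, which is destroyed when this
// function returns; the thread then reads dead stack memory (use-after-scope).
void start_worker_unsafe(std::thread &worker) {
    int config = 42;
    worker = std::thread([p = &config] { volatile int dangling = *p; (void)dangling; });
}

// Fix: hand the thread its own copy of the input and shared ownership of the output,
// and join before reading the result, so no pointer into a dead frame ever exists.
int run_worker_safe(int config) {
    auto result = std::make_shared<int>(0);
    std::thread worker([config, result] { *result = config * 2; });
    worker.join();
    return *result;
}

int main() {
    char name[NAME_CAP];
    std::printf("%d %d %d\n", parse_name_safe("alice", name),
                parse_name_safe("aaaaaaaaaaaaaaaaaaaaaaaa", name), run_worker_safe(21));
}
```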

Comment Re:If you're concerned... (Score 1) 351

A zero rate of inflation – or even a constant rate of inflation – is theoretically impossible. Those who have implemented it have destroyed their economies.

Where do people get this crap? Inflation in Switzerland has routinely touched zero and had periods below zero (i.e. deflation) in recent times. Switzerland is one of the world's wealthiest countries.

But you don't have to take my word for it. Professional economists have studied the link between deflation and depression and found it does not exist.

Fortunately I live in the US, which like most developed countries, where nobody has “first access to money”, so I don’t have to contend with that issue. And by money I assume you mean currency which, of course, is very different than money.

I think you'll find semantic distinctions between money and currency are pointless for anything except confusing people and making you feel like you won debates when actually you lost. Of course there are people who get first access to money in the USA - banks do, when they write it into your account and charge you interest for the privilege.

Comment Re:again? (Score 1) 154

A lot of people can't/won't distinguish between "Java sandboxing isn't good", "Java the language isn't good" and "Java the platform isn't good".

Java sandboxing is clearly not good enough for real world use and most browser makers have realised this and disabled it. On the other hand, it's only in very recent times that browsers got sandboxes and some common ones like Firefox still don't. That fact was exploited recently to de-anonymize Tor users. So it's not like Java is alone here. Pretty much every attempt to sandbox malicious code has failed badly.

Java the language is mediocre at best, though its strength is not to be fun or pleasant but good for large projects with large teams. Lots of people try to build enormous codebases in PHP, JavaScript or Python which are dramatically worse for the task, so apparently that message hasn't really got through (unfortunately by the time a project notices this it's usually too late to switch to anything else).

Java the platform has got a lot better in recent years. The worst excesses of the "enterprise Java" world, with its ridiculously over-engineered libraries and XML config files everywhere, have largely been left behind. There are now quite a lot of slick and modern frameworks. The JVM has come to support other languages much better in recent years and there are now quite a few very cool and interesting languages like Scala, Ceylon or Kotlin targeting the JVM that have really good Java interop, so you have access to lots of libraries. There's an apt-get style dependency management system and central repository so depending on those libraries is a breeze, and Java IDEs (IntelliJ in particular) finally became really fast and slick. Also, JavaFX is turning into a really nice replacement for Swing, so your Java GUIs can finally feel modern and fit in natively amazingly well. JavaFX can be OpenGL/DX accelerated when the hardware supports it so you can get a consistent 60fps, it's got a great animation framework, a nice GUI builder tool, lots of visual effects along with the basics like charting components. And even an embedded WebKit if you want that. I've been playing with JFX in the Java 8 previews and it's really quite impressive.

Comment Re: Java 6 on Mac (Score 2) 154

Mac browsers (Chrome, Safari, Firefox) don't run Java applets automatically anyway, so it doesn't matter what version of Java you have installed. Remember these exploits are all getting in because you run malicious code inside a sandbox and the sandbox fails. Don't download and run malicious code and you're OK.

Comment Re:Why doubt something better would exist? (Score 5, Insightful) 154

Sun did that for years, that's hardly something new Oracle brought in. It's because Sun, despite their excellent engineering reputation, never figured out how to make money off Java. Lots of other companies did but Sun didn't. So they ended up resorting to pushing crapware through the Windows installer in a desperate attempt to monetize. Oracle merely continued that awful tradition.

The good news is that ever since Java has been open source, distributing it in other ways is possible and with Java 8 they're changing the license on the Oracle packagings of it so you can cut it down to size for your specific app. It's getting a lot closer to just being a big runtime library than an entire parallel OS which it was trying to be in previous years.

As to whether Java is secure or not, I don't think we should be too hard on the Oracle/Sun developers here. Every attempt to do mobile code has turned into a security nightmare. Not just Java, ActiveX and Flash, but web browsers routinely patch exploits in their core rendering or JavaScript engines, and that's HTML5 - a vastly simpler and more crippled platform than even the most basic core Java system provides. In fact browser developers have given up trying to make renderers secure which is why they're all heavily sandboxed, it's inevitable people will find ways to exploit the mobile code aspects of the rendering engines. Even then, Chrome sandbox escapes still get found from time to time.

I don't think we should read these stories as "Java sucks". Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees. These stories are not about how easy it is to write secure code in any given language or platform. Instead we should understand these stories as "sandboxing malicious code is incredibly hard". Java hurts from it more because Java was a lot more ambitious than other attempts.

Comment Use a YubiKey with LastPass (Score 1) 381


Use one (or up to 5) YubiKeys with LastPass. If you aren't worried about the security of the key (losing one, having one stolen), you can use one slot in the key as a static password, the second slot can be used for YubiCo's one time passwords.

I wouldn't do it that way but do use a YubiKey for the OTP functionality.

Comment Re:Clever? (Score 2, Insightful) 229

You never actually had unlimited transfer quota, at the prices they were charging you it was physically impossible just due to the way spectrum works. What changed is that perhaps truth in advertising became more important (hah), or perhaps people's understanding of what a gigabyte is got better so it became easier to tell it like it is.
