Jlhoffman Support


Saturday, 12 January 2013

Reacting To JAVA Vulnerability Media Hysteria!

Posted on 14:01 by Unknown

Recently there have been several stories in the media about a zero-day exploit vulnerability in Java.  I think it’s appropriate to fill in some of the details a little to limit any undue excitement out there.

Yes, several recent versions of Java have this zero day vulnerability.  The vulnerability affects Java 7 (1.7.0 and up). It does not affect Java 6 and earlier.  This vulnerability has been around since at least October when Oracle released an incomplete patch to fix the problem.  Earlier versions of Java do NOT have this vulnerability so it depends upon which Java release is loaded on your PC.

 Is this a serious problem?
We think it’s being over-hyped because it’s been around for a few months with little impact so far.  But!  The vulnerability is serious and based upon the pressure on Oracle to fix it, there should be a fix out pretty quickly. 

NOT EVERYONE HAS THE VULNERABLE VERSION OF JAVA LOADED.  You may not be vulnerable if you’re running any version of Java earlier than Java 1.7.0.
 
What does Java do?
It's a plug-in utility that most web site authors use to enhance features on their web sites to make them more interactive and user friendly.  It's also used in many browser-based programs that may run on a computer network.

 How do I know which version of Java I am using?

http://javatester.org/version.html  will give you that information.
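A local alternative to the web check, as an added example that is not part of the original post: this script reads the `java -version` banner and sorts it into the ranges the post names (Java 7, i.e. 1.7.x, versus Java 6 and earlier). The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a `java -version` banner against the range the post
# names (Java 7 = 1.7.0 and up affected; Java 6 and earlier not affected).

# classify_java_banner BANNER -> prints java7 | pre7 | other
classify_java_banner() {
    # Pull the quoted version, e.g. 1.7.0_10, out of: java version "1.7.0_10"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.[0-9]*) ;;                 # legacy 1.x numbering used by Java 7 and earlier
        *) echo other; return 0 ;;   # empty, or a scheme the post does not cover
    esac
    minor=${ver#1.}      # 1.7.0_10 -> 7.0_10
    minor=${minor%%.*}   # 7.0_10   -> 7
    case "$minor" in
        ''|*[!0-9]*) echo other; return 0 ;;
    esac
    if [ "$minor" -eq 7 ]; then echo java7
    elif [ "$minor" -lt 7 ]; then echo pre7
    else echo other
    fi
}

# check_local_java -> classifies whatever `java` is first on PATH
check_local_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo none; return 0
    fi
    # java prints its version banner on stderr, so merge it into stdout
    classify_java_banner "$(java -version 2>&1)"
}

# Constructed sample banners (not captured from a real machine)
for b in 'java version "1.7.0_10"' 'java version "1.6.0_38"' 'no banner'; do
    printf '%-28s -> %s\n' "$b" "$(classify_java_banner "$b")"
done
printf 'this machine -> %s\n' "$(check_local_java)"
```

This reports the command-line runtime found on PATH, which can differ from the plug-in version a browser loads, so the browser check linked above is still worth running.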

Is this a Microsoft Windows thing? 

No, almost all browsers on all operating systems including Windows, Apple OS X, and Linux are vulnerable because Java is used by them all.

How are you exposed?

Visiting a web site infected with malware that uses this exploit can lead to infection by any number of malicious programs that can launch Denial of Service attacks, steal information or propagate spam using your computer.

What can you do?

 At the extreme, you can disable the Java plugin  in your browser(s).  Here’s a link to do that but we don’t recommend it. 

 Here is the link to disable Java:   http://www.java.com/en/download/help/disable_browser.xml

This is an extreme reaction to the problem but if you visit a lot of new web sites each day and are concerned, this will reduce your exposure until the patch is released.  Be aware, though, that many web sites rely on Java to run correctly so you’ll probably not be able to access some sites if you do this.
 
Another alternative is to uninstall Java 7 (1.7) using your Add/Remove Programs option in Control Panel in Windows and then load an earlier version.  You can remove Java 1.7 and then install an earlier version:

Here is a link to the old version of the 32 bit download: http://www.filehippo.com/download_jre_32/13883/

And the 64 bit version:  http://www.filehippo.com/download_jre_64/13884/

This will allow you to use Java but not the most recent version when browsing.  Be aware that when you are prompted to update Java, say “No” because Java is a program that will keep trying to update itself.  Don’t say “Yes” until the patch release is announced by Oracle.

The final alternative is to just wait until next week and limit your use of unfamiliar web sites on the Internet.

Unfortunately, there’s no easy way for us to release a mass update to all of your computers to fix this but hopefully this will ease your concerns a little.

 Thanks

 Jeff and the gang at ACT

Wednesday, 9 January 2013

Reflecting on 24 Years As President of ACT

Posted on 18:07 by Unknown
As I sit at my desk at the start of the new year, I've been reflecting on how ACT has changed over the last 24 years.  Sure I'm a lot greyer now but heck that started when I was in my twenties. I've actually been in IT since 1971 and started my career writing programs using punch cards.  I'll smack the first one of you who asks "What's a punch card?"!

I firmly believe that an organization is only as good as its people.  We've had some great people here but some are memorable for other reasons.  To be polite I won't use real names.

Our first manager ran the business when I was out of the office.  Things didn't go well with him.  For example, he hired a new employee with dyslexia and then disastrously put him in charge of pricing all of our retail inventory. He didn't discover the problem for weeks until one day I discovered a $59 product being sold for $1.59.  The poor employee ran out of the building crying of embarrassment.  The manager soon followed after being caught posing as "the owner" to clients and referring to me as an employee.

We nicknamed one employee MegaDeath because he hung around the shop all of the time and always wore that band tour t-shirt even to his initial job interview offering that "Maybe I can find a tie if you hire me".  Trying to be kind, I overlooked that in a moment of weakness but it turned out to be a major mistake because after two intense days of training when he was asked about any of our products his only response was "Beats the F--- out of me!"  Debbie fired that one when I was out to lunch one day and has forever been designated as "The Hammer" for cleaning up my hiring mistakes.

Then there was the "limber" employee who took great delight in explaining to our staff that her flexibility was attributable to her sexual prowess in WAY TOO MUCH detail. Uh, that was uncomfortable!  She got "Hammered" too.

Conversely, Debbie and I have also been very fortunate to have had some incredibly talented people work at ACT.  A few of our favorites have gone on to have very successful careers beyond our humble little IT shop.  One of the drawbacks of being a "small fish" in the great big IT pond is that bigger "downtown" companies will eventually pluck your best talent out of your organization  with the lure of BIG money and opportunities far exceeding your ability to retain them.  Truly talented IT people need to be challenged and rewarded and personal loyalty will only last so long. 

We've also been lucky enough to have several true super-stars work here and some stayed for many years.  They've greatly contributed to any luster associated with our organization.  Three come immediately to mind.  One now works for Microsoft and has traveled the world for them and has received many awards for excellence.  Another is now an IT star at a national banking conglomerate and a third was designated a Microsoft MVP which is a really big designation by that company and is now working on writing his second book on IT.  A couple of others have also gone on to manage IT departments for other corporations.  I'm very proud of all our guys and like to think that maybe in some way we played a part in their success. 

There's one thing about really talented IT people.  They all have a tremendous capacity for learning and pick things up quickly.  I doubt that there is any business that evolves as fast as ours.  Here, it's learn fast or fail.  I once had a network engineer tell me that he learned more in 6 months with us than in his entire career before joining us. 

Not everyone in our field has that capacity for learning and adapting but some can bluff their way through for a while. Sometimes it's just long enough to get through a job interview.  I don't think any industry has been so plagued with people who can "Talk the talk, but can't walk the walk," as the old saying goes.  Part of the problem with hiring IT people is that hiring is often done by people who don't have much understanding of "technical stuff".  Their interests and/or talents lie someplace else and they can be easily impressed by people who can throw around a little jargon.  Then they hire these people and put these "Gurus" in charge of hundreds of thousands of dollars worth of technology and let them learn their craft practicing on live systems.

My advice to organizations hiring IT people is to let an experienced professional do it for you and I don't mean a search firm.  I've yet to meet an IT Headhunter that can tell the difference between a true IT professional and a candidate whose only qualification is that they can spell PC.  Pay a practicing professional to do your screening for you. It's worth a grand or so to avoid a $50-100K hiring mistake.

I actually created a technician evaluation test a few years ago to screen IT candidates and always use it when interviewing candidates.  We give each candidate 1 hour to complete a 75 question test.  It's amazing how many can't even finish the test and people who should be able to pass it (like recent IT trade school graduates) often score the worst. Well over 75% of prospective candidates can't get a passing grade and it saves me and my staff tons of time on wasted interviews.  I've offered my screening test to local companies in the past without any takers.  Maybe I should refrain from doing that in the future based upon the amount of work we pick up cleaning up the disasters left behind by Gurus.

Sigh, I sometimes agree with the sentiment of Danny Glover in the "Lethal Weapon" movies when he said "I'm gettin' too old for this sh--!"