By Paul Krill

Editor at Large, InfoWorld | SEP 8, 2017

Java 9 Standard Edition should bring big benefits to developers—as soon as it actually arrives, slated for September 21.

The planned update to the popular enterprise language and platform is set to offer a world of new capabilities. Among these are modularity, an experimental version of ahead-of-time compilation, and a REPL (read-eval-print-loop).

Java 9 will not receive long-term support

[ADDED September 8, 2017] Oracle’s revamped release plan for standard Java means the upcoming Java Development Kit 9 will not be designated for long-term support. Nevertheless, Oracle believes developers will want it for the new capabilities it brings. It also says that the lack of long-term support is “no different by the way from previous adoption cycles of major releases.“

That’s technically true because the new long-term support approach announced on September 6 applies to releases after this month’s Java 9, but it would have made as much sense to have Java 9 be the first long-term release version, starting the clock on the twice-yearly “feature” releases using Java 9 as a base.

» Read more.

JDK gets faster release schedule, new license

[ADDED September 6, 2017] Once Java Development Kit (JDK) 9 is released later this month, Oracle will release a new version every six months, rather than every few years, as well as release OpenJDK binaries for major Linux versions, MacOS, and 64-bit Windows. It will also produce a long-term stability version that comes out every three years rolling up all the new features and bug fixes made since the last long-term stability version. The first long-term stability version will ship in September 2018, Oracle says,

Oracle is also changing the JDK license to GPL and open-sourcing the JDK. Both moves are supposed to make it easier for developers to adopt Java in their applications.

» Read more.

Modularity: The opposition ends

[ADDED June 28, 2017] Modularity, a key but highly controversial feature of the upcoming Java 9 release, looks to be back on track with the Java community’s adoption of a proposal that had failed in an initial vote weeks earlier.

With the new round of voting completed this week, the Java Community Process Executive Committee passed by a 24-0 vote the Java Platform Module System public review ballot, the subject of Java Specification Request 376.

As a result, Java 9 will include the modularity technology and should meet its current release target date of September 21.

» Read more.

Proposal: Fixes to most Java 9 bugs are on hold

[ADDED June 23, 2017] With the initial release candidate build for Java 9 now published, Oracle has proposed that from here on out, only “showstopper” bugs be fixed for the production Java 9 release, which is due September 21.

The proposal floated this week represents a further tightening up of bug-fixing goals for RDP (Rampdown Phase) 2 of the Java upgrade. The plan calls for fixing all P1 (Priority 1) bugs critical to the success of Java Development Kit (JDK) 9. Also, builders would decommit from fixing any bugs not new in JDK 9 and not critical to the release, even if they had been targeted for fixing.

» Read more.

Java 9 delayed again, this time to September 21

[ADDED May 31, 2017] Already delayed several times before (it was set to arrive in September 2016 at one point), the upgrade is now due as Java Development Kit 9 in September 2017. The release has been mired in disagreements pitting Java steward Oracle against major Java participants such as Red Hat and IBM over whether modularization is on the right track.

The shift to modularity has bedeviled Java

Modularity, via Project Jigsaw, is supposed to boost Java scalability and security. But Java 9’s modularity plans have set off alarm bells around the need to set up two different realms—one for modularity and another lacking it.

Modularity is such a complicated refashioning it was pushed out to Java 9 after being dropped from Java 8, which was released in March 2014.

With modularity, parts of the JDK can be compiled at runtime in several ways. But modularity may not mean all that much for actual coding. “I don’t think that modularization is going to do much to change how people code or change their coding practices or productivity,” said Gil Tene, CTO at Java software vendor Azul Systems. But Oracle’s Mark Reinhold, chief architect of the company’s Java platform group, has been on the modularity soapbox for years, describing Jigsaw as a “profound change” nearly two years ago.

Whether or not developers ultimately find modularity to be useful, it’s all but certain to be added to Java 9. Oracle is now expressing optimism about mending fences with the rest of the Java community over the modular plan and finally, at long last, delivering modular Java in release 9.

New capabilities abound in Java 9

There is more to Java 9 than modularity. Ahead-of-time compilation,albeit in an experimental implementation at least for now, should help with application startup times. The REPL, via jShell, will provide a command-line tool to evaluate declarations, along with an API for other applications to use this capability.

The HTTP/2 client API for Java 9 should help implement the upgrade to HTTP and WebSocket and can replace the HttpURLConnection API. The existing API has many problems, including being hard to use and maintain.

Unified JVM logging will introduce a common logging system for components of the JVM, providing command-line options for logging and helping find root causes of crashes or performance quirks. Also on the Java 9 docket is a new version-string scheme, defining a scheme to easily distinguish major, minor, and security-update releases.

A faster upgrade pace for Java

If Oracle meets the latest target release date for Java 9, about three-and-a-half years will have passed between Java 8 and Java 9. Going forward, Oracle anticipates a faster release cadence, with releases coming every year—or even more frequently—so Java devotees do not have to wait so long for new features.

User sites might be left wondering whether they should accommodate such a quick update cycle. But they also won’t have to wait as long for the key new features that they do want.

 By Paul Krill

Editor at Large, InfoWorld | SEP 8, 2017

Oracle’s revamped release plan for standard Java means the upcoming Java Development Kit 9 will not be designated for long-term support. Under this new regime, Java 9 is not the first long-term support release on which the first wave of twice-yearl “feature” releases is to be based on, but instead is the first “feature” release, with Java 8 as the base.

Under a plan put forth by Oracle on September 6, there will be feature releases of Java, driven by one or a few significant new features, every six months. Every three years, the feature release will be a long-term support release, with the next long-term support release, to be called Java 18.9, arriving in September 2018. (The version designation of 18.9 stipulates the year and month of the release’s arrival.)

Java 9’s feature release status does not negate its importance, Oracle argues. The company believes developers will want it for the new capabilities it brings, regardless of its release classification. Some people, especially developers, will want to hop on JDK 9 right away to access its new features, said Georges Saab, vice president in the Java platform group at Oracle.

However, enterprises running applications in production may want to wait for the next long-term release, giving Oracle and authors of third-party Java libraries and frameworks time to shake out any bugs in the major new functionality.

“This is no different by the way from previous adoption cycles of major releases,” Saab said. Updates for long-term support releases are to be available for at least three years. These releases are geared to enterprises preferring stability, enabling them to run large applications on a single release.

The next feature release following Java 9 would be Java 18.3, due next March. Aside from feature and long-term support releases, there would be update releases for feature releases, limited to fixing security vulnerabilities, bugs, and regression issues. Each feature release is slated to get two updates before the next feature release. Public updates for the current major Java release, JDK 8, are due to end as soon as September 2018, though the deadline may be extended. Extended support for JDK 8 is due to be available until March 2025.

By Taylor Armerding

CSO | SEP 7, 2017 2:56 PM PT

Security practitioners weigh in on the 16 worst data breaches in recent memory.

 

Data breaches happen daily, in too many places at once to keep count. But what constitutes a huge breach versus a small one? CSO compiled a list of 16 of the biggest or most significant breaches of the 21^st century.

This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for companies, insurers and users or account holders. In some cases, passwords and other information were well protected by encryption, so a password reset eliminated the bulk of the risk.

1. Yahoo

Date: 2013-14
Impact: 1.5 billion user accounts
Details: In September 2016, the once dominant Internet giant, while in negotiations to sell itself to Verizon, announced it had been the victim of the biggest data breach in history, likely by “a state-sponsored actor,” in 2014. The attack compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. The company said the “vast majority” of the passwords involved had been hashed using the robust bcrypt algorithm.

A couple of months later, in December, it buried that earlier record with the disclosure that a breach in 2013, by a different group of hackers had compromised 1 billion accounts. Besides names, dates of birth, email addresses and passwords that were not as well protected as those involved in 2014, security questions and answers were also compromised.

The breaches knocked an estimated $350 million off Yahoo’s sale price. Verizon eventually paid $4.48 billion for Yahoo’s core Internet business. The agreement called for the two companies to share regulatory and legal liabilities from the breaches. The sale did not include a reported investment in Alibaba Group Holding of $41.3 billion and an ownership interest in Yahoo Japan of $9.3 billion.

Yahoo, founded in 1994, had once been valued at $100 billion. After the sale, the company changed its name to Altaba, Inc.

Read more about the Yahoo data breach…

2. Adult Friend Finder

Date: October 2016
Impact: More than 412.2 million accounts
Details: The FriendFinder Network, which included casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached sometime in mid-October 2016. Hackers collected 20 years of data on six databases that included names, email addresses and passwords.

Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99 percent of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.

CSO Online’s Steve Ragan reported at the time that, “a researcher who goes by 1×0123 on Twitter and by Revolver in other circles posted screenshots taken on Adult Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being triggered.” He said the vulnerability, discovered in a module on the production servers used by Adult Friend Finder, “was being exploited.”

AFF Vice President Diana Ballou issued a statement saying, “We did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”

Read more about the Adult Friend Finder data breach…

3. eBay

Date: May 2014
Impact: 145 million users compromised
Details: The online auction giant reported a cyberattack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.

It asked its customers to change their passwords, but said financial information, such as credit card numbers, was stored separately and was not compromised. The company was criticized at the time for a lack of communication informing its users and poor implementation of the password-renewal process.

CEO John Donahue said the breach resulted in a decline in user activity, but had little impact on the bottom line – its Q2 revenue was up 13 percent and earnings up 6 percent, in line with analyst expectations.

Read more about the eBay data breach…

4. Equifax

Date: July 29 2017

Impact: Personal information (including Social Security Numbers, birth dates, addresses, and in some cases drivers’ license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.

Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017 that an application vulnerability on one of their websites led to a data breach that exposed about 143 million consumers. The breach was discovered on July 29, but the company says that it likely started in mid-May.

Read more about the Equifax breach…

5. Heartland Payment Systems

Date: March 2008
Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland’s data systems.
Details: At the time of the breach, Heartland was processing 100 million payment card transactions per month for 175,000 merchants – most small- to mid-sized retailers. It wasn’t discovered until January 2009, when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had processed.

Among the consequences were that Heartland was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) and was not allowed to process the payments of major credit card providers until May 2009. The company also paid out an estimated $145 million in compensation for fraudulent payments.

BACKUP AND SYNC: WHAT TO EXPECT

For consumers, the switch should be straightforward. G Suite customers have a confusing decision to make, however.

By Mark Hachman

Senior Editor, PCWorld | SEP 7, 2017 3:03 PM PT

Google Drive for both the PC and Mac will begin to die on December 11, Google said this week. Depending on whether you’re a business user or a strict consumer, it will be reborn as one of two new apps: Backup and Sync, for consumers, or Drive File Stream, for businesses. Here’s what to expect during the transition.

When Google Drive is going away, and how

Note that Google doesn’t appear to be making any changes to the Drive service itself, just the apps. Google currently offers 15GB of online storage with Drive, and those files are accessible with any device with a Drive app installed. Those devices include Android devices, iPhones, and iPads—whose Drive mobile apps are apparently being left untouched.

Google said it will stop supporting the Drive app for Macs and PCs on December 11, and the Drive app will simply stop working on March 12, 2018. At that point, consumers will have to use Backup and Sync. Business customers subscribed to Google’s G Suite apps will be shifted over to Drive File Stream, a preview app that is now being pushed mainstream.

Backup and Sync vs. Drive File Stream

The major difference between Backup and Sync and Drive File Stream is the latter’s ability to stream files from the cloud—the popular “placeholder” capability that can display copies of all of your cloud-based files, without actually storing them on your PC. (Placeholders will be a feature of Windows 10’s Fall Creators Update as OneDrive Files on Demand.)

Backup and Sync syncs files more traditionally, placing local copies on your desktop, and then backing them up in the cloud. If you want to back up your photos and videos, you’ll use Backup and Sync. Ditto with a generic USB drive that you want to add to the cloud.

Where it gets a bit confusing is if you’re working on a PC with G Suite access, because then you can use both services. Then it’s important to understand the differences between Backup and Sync and Drive File Stream (Google also published an explainer):

Backup and Sync:

• Access files in My Drive
• Sync selected folders in My Drive
• Use native Windows applications (such as Microsoft Word and Adobe Photoshop)
• Sync local folders, such as Documents or Desktop

Drive File Stream can do almost everything Backup and Sync can do, except sync local folders. In addition, it can:

More like this

• Google Backup and Sync review: Works best for those already tied into Google’s…
• Review: 4 online backup services keep your data safe
• How to back up Android devices: The complete guide
• DEALPOSTS

  90% Off This Cloud Technology Security Knowledge Certification Prep Bundle -…

• Access files in Team Drives
• Stream files on demand (the “placeholder” feature)
• Sync individual files in My Drive

Finally, Drive File Stream  appears as a mounted drive under Windows Explorer, while Backup and Sync displays My Drive as a shortcut.

The bottom line: In October, Drive for Mac/PC users may start seeing messages notifying them about the change, according to Google. If you’re a consumer Drive user, it sounds like little, if anything will change other than the name. Business users will be forced to choose between the two new apps, however. And if minimizing disk space via the use of placeholders is important to you, you’ll want to choose either a G Suite subscription or swap to OneDrive.

This story, “Google Drive is being replaced by Backup and Sync: What to expect” was originally published by PCWorld.