
— updated 2013-01-19


Herbalist Review, Issue 2013-#1:
Java security alerts and what they mean for HerbalThink-TCM users; HerbalThink-TCM released

by Roger W. Wicke, Ph.D.

In this short article I explain why the primary security risk of Java has always been in its use as a plug-in option for Internet browsers and not in its use as a programming language for desktop and embedded applications. In a nutshell, the solution is simply to disable Java in your Internet browser.


Copyright ©2013 by RMH-Publications Trust; all rights reserved.


Java desktop software vs. Java on the Internet — two very different risk environments

RMHI's HerbalThink-TCM interactive-learning software is written in a computer language called Java, which is now one of the most widely used computer languages in the world. Java has periodically been in the news for its role in increasing the vulnerability of Internet browsers to attacks by computer hackers. [U.S. warns on Java software as security concerns escalate; 2013 Jan 11] Some of our users have contacted us for advice on what they should do to minimize their risks.

In this short article I explain why the primary security risk of Java has always been in its use as a plug-in option for Internet browsers and not in its use as a programming language for desktop and embedded applications. In a nutshell, the solution is simply to disable Java in your Internet browser — Internet Explorer, Firefox, Safari, etc. (Note that Java and JavaScript are different languages; the latter is a relatively safe, though more restrictive, language used by many e-commerce sites.) You can safely disable your Java browser plugin and still use Java to run any desktop applications that may require it. RMHI's HerbalThink-TCM software is a desktop application: it does not connect to the Internet, and it does not itself allow any unknown third-party Java applets to run.

Following is a link to our general guidelines for computer security:

It's easy to understand, not technical, and intended for our users and students.


Malicious code can be written in almost any computer language

Java, when used as a programming language to create desktop software applications, is no riskier than any other software. A determined hacker can create malicious code in almost any computer language, disguise it as something useful, and entice users to download and install it. Major computer companies like Microsoft and Apple have recently attempted to develop hierarchical, highly technical, bureaucratic systems to increase security and to automatically protect computer end users from harm by malicious hackers. However, it is my opinion that there has been a dismaying tendency for such technical wizardry to provide merely the illusion of security while increasing the complexity and fragility of software generally. There is no substitute for old-fashioned common sense and trust. If a total stranger knocks on your door asking permission to enter your home, wouldn't you rightly ask a few questions first, perhaps ask for personal references, and call a few neighborhood friends to see if he/she has been around to their homes? And was anything damaged or stolen? Your computer is an extension of you and your home. Allowing a big corporation to make security decisions for you, and often without even informing you when such decisions are being made, merely changes the nature and the magnitude of the risks. Hackers have cracked into the databases of major corporations and stolen credit card numbers, personal financial information, and medical and legal records. They have also cracked into the corporate databases for the certification/authentication schemes used to perform Java code signing, enabling hackers to potentially create malicious Java applets that appear to Internet browsers as "trusted/certified".


Why Java Internet plugins are a major security risk

Java Internet-browser plugins are the source of the vast majority of Java-related security incidents for the following reason: if Java is enabled in your browser preferences (either by default or by you manually), any page you visit on the Internet can automatically load and execute Java applets without alerting you. These applets can display graphic effects on the page that look to you like any other Internet content, and you may never know that your browser is running a Java applet. For many years I have turned Java OFF in all my Internet browsers. The vast majority of websites do not require it, and the ones that do — well, too bad, I'll just move on, thanks. Java is a perfectly decent programming language, but its designers were too ambitious: they assumed that it could withstand the demanding and hostile environment of the Internet and make automated decisions about the security of specific Java applets without, in most cases, informing the user.


Why Java has become the preferred language for consumer electronics, corporate IT departments, and academia

Java is used to program the microchip controllers for literally billions of electronic devices worldwide, including cell phones, consumer electronics generally, and scientific and industrial electronics. The vast majority of software used by corporate IT departments and in secondary and university education is written in Java. Java has evolved as the preferred choice of industry and academia for several reasons. It is used to create desktop computer software for which a single version can potentially be run on many different operating systems. Compared to C/C++, its predecessor languages, Java has a number of safety features that prevent a program from accidentally clobbering memory outside its allocation and that prevent accidental writes to prohibited files, both of which have historically been major sources of system crashes. Malicious hackers have occasionally been able to override these protections, but for honest software developers these features have been a great help in minimizing bugs and improving performance.


What Java has allowed RMHI to accomplish with the HerbalThink-TCM software

Our HerbalThink-TCM software has been in use since the year 2000. It is still amazing to me that code written back in 2000, with no modification of the Java code itself (only the packaging has changed), still runs 12 years later on the current Oracle Java 7. (I am referring to the TCMHerbalTutor module, which is currently the focus of a major upgrade to be released in the future.) How many software products do you have from 12 years ago that still run on your current computer and operating system? I have a whole box of computer software disks that are now useless. In creating the HerbalThink-TCM software, one of our design criteria was to create software that would work for many years and that we could use in RMHI's Chinese herbology curriculum. This is a major consideration for many colleges and universities, which would rather spend their time on the job of education than on continually tweaking software.

Some of our users have asked us why we don't provide a single double-clickable installer file that automatically puts everything in the right place. The short answer is that a common reason why much commercial software "breaks" is that the requirements of such automated installers often change with operating-system upgrades. In the early days of HerbalThink-TCM we did provide such an installer, and we soon had to abandon it after it no longer worked with newer operating systems. We now provide the software as a ZIP file archive, a "universal" format that has been supported by all operating systems for many decades and is likely to remain a common standard for the foreseeable future. The Java language allows us to run the same core application file on Windows, Mac OS X, and Linux; we have found that by testing and debugging the identical software on multiple operating systems, we have been able to significantly improve its reliability and stability. Accomplishing all this, however, requires users to follow a few extra, though simple, installation steps.


HerbalThink-TCM version released

This single change has had a huge impact on our admissions, allowing us to more effectively spot talented, aspiring TCM herbalists. Our graduation rate has increased greatly, because users can effectively determine for themselves whether they have the aptitude for this profession before applying and enrolling. The effective clinical practice of Chinese herbology has never been easy, and the introductory games in HerbalThink-TCM will give you a good idea of the types of mental challenges involved.

The major difference between this and previous versions is that version includes a complete Java 7 Runtime Environment (JRE) module for each major operating system, simplifying installation and increasing the likelihood of reliable operation for many years. Some users have complained about the difficulties of installing and managing their system Java installation, and this new version allows each user to choose from at least two options for each operating system:
    (1) Run HerbalThink-TCM with the included Java package;
    (2) Run HerbalThink-TCM using a version of Java installed on your system.
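A launcher implementing the two options listed above, as an added example (not RMHI's own launcher script): it prefers the JRE bundled inside the unpacked ZIP, falls back to whatever `java` is on the system PATH, and refuses anything older than Java 7, so the browser plugin never enters the picture. The `jre/bin/java` layout, the jar name and the script name `launch-herbalthink.sh` are assumptions.

```shell
#!/bin/sh
# Example launcher for a ZIP-distributed Java desktop application.
# Option (1): the JRE shipped inside the unpacked ZIP (assumed at APP_DIR/jre).
# Option (2): the system-wide "java" found on PATH.
# Not RMHI's own code; directory layout and jar name are assumptions.

APP_DIR="${APP_DIR:-$(cd "$(dirname "$0")" && pwd)}"
APP_JAR="${APP_JAR:-$APP_DIR/HerbalThink-TCM.jar}"   # assumed jar name
MIN_MAJOR=7                                          # Java 7 per the article

# Print the major version of a java binary: 7 for "1.7.0_45", 11 for "11.0.2".
# Fails (prints nothing) if the binary does not report a version string.
java_major() {
    v=$("$1" -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$v" in
        "")  return 1 ;;
        1.*) echo "$v" | cut -d. -f2 ;;   # legacy "1.x.y_zz" numbering
        *)   echo "$v" | cut -d. -f1 ;;   # modern "11.0.2" numbering
    esac
}

# Print the first usable java binary: bundled JRE first, then system java.
# A candidate is skipped if it is missing, not executable, or older than Java 7.
pick_java() {
    for cand in "$APP_DIR/jre/bin/java" "$(command -v java 2>/dev/null)"; do
        [ -n "$cand" ] && [ -x "$cand" ] || continue
        major=$(java_major "$cand") || continue
        [ "$major" -ge "$MIN_MAJOR" ] 2>/dev/null && { echo "$cand"; return 0; }
    done
    echo "no usable Java $MIN_MAJOR+ found: unpack the bundled JRE or install one" >&2
    return 1
}

# Start the application only when this file is run directly under its own name,
# so the functions above can also be sourced and reused without launching anything.
case "$0" in
    *launch-herbalthink.sh)
        JAVA_BIN=$(pick_java) || exit 1
        exec "$JAVA_BIN" -jar "$APP_JAR" "$@"
        ;;
esac
```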

The topics of our next newsletter:

  • How HerbalThink-TCM has changed the way we handle applications for admission;
  • Cognitive decline in America and suggestions for reversing it;
  • Are our public schools destroying students' abilities in pattern recognition?