1. 1

    “Ghidra - needs Java 11 if not installed already.”

    Security blogs aimed at mass audiences were always telling people to get rid of Java on their system due to all the hacks it led to. Time passes. Snowden leaks happen confirming lots of subversion. Vulnerability prices from malware writers are going up all the time. Things are getting harder for the NSA despite their dominance in cyberwar. They want cheaper hacks coming in faster.

    Then, NSA releases a nice tool for bug hunting that all the hackers might love. Folks were worried about backdoors that might let NSA in to attack them or just steal their loot (esp iOS or Tor 0-days). The tool is open-source vs that proprietary tool they’ve been using. That’s great with no worries about backdoors since it’s FOSS, right? And all they need to do is install Java.

    (pause)

    Sneaky bastards. Or helpful bastards in defensive part using dependencies that inadvertently aid the sneaky bastards in offensive part. Can never be sure with that organization. ;)

    1. 2

      Java being exposed to the Internet via web applets were the main reason for the for the advice to get rid of Java, disable web applets, disable the Java browser plug-in, opt-in to launch the Java plugin, etc. With Java 11, the applets feature has been removed so that browser-based attack surface is no longer there.

      1. 1

        Oh yeah, you’re right! I guess I hadnt seen an applet in so long I forgot about them or at least when I wrote that.

        Ok, the scenario could still play out for something networked they release.