Josh Fruhlinger
Contributing Writer

Security: Sun gets grifted

Aug 12, 2008

The Java ME vulnerability sounds pretty nasty: with just a phone number, an attacker can send a series of messages to a Nokia Series 40 phone that would essentially take over the device, allowing the attacker to record conversations, make phone calls, and install various unsavory programs. The particularly nasty turn that the story has taken is that Adam Gowdiak, the security researcher who found the vulnerability, is essentially extorting money from Sun and Nokia for his proof of concept. 20,000 euros is chump change for a couple of multinational corporations like Sun and Nokia, but it sets an unpleasant precedent — plus, there’s no guarantee that the information he has will be useful, or that the vulnerability he describes exists. Gowdiak actually claims to be a former Sun employee, which adds another layer of distaste and drama to the sordid affair.

(This story caused a bit of panic in me personally as I couldn’t remember just what kind of phone I owned — turned out it’s a Series 60. Whew. Do your worst, hackers!)

Other Java security news was a bit more upbeat. Hey, remember that anti-Java professor who got everyone so darn riled up? Remember how he said that one sign of Java’s basic lameness was the aerospace industry’s failure to adopt it? Well, it looks like Java is beginning to battle Ada (Ada?) for defense contracts in the US for embedded programming. This is due to the advance of real-time Java, which is more secure now than ever — secure both in the sense of “has good encryption and is safe from hackers” and in the sense of “will not crash and shut your system down at Mach 2”.

On a final security note, Symantec released its 2008 Cybercrime trends, suggesting that Java could cause problems on the PC. “Java-based Web applications—small programs, such as video players or interactive maps, that launch themselves from a Web page—are proliferating, which will provide a growing opportunity for cyberthieves to spread bots, keyloggers, and other malicious software.” Wait, are we talking about Java Web Start here? Doesn’t that run in some kind of security sandbox? I suppose Symantec would tell us the details if we, um, paid for their reports.