If you're well-versed in what's happening within the tech landscape – or even just aware of the biggest trends – chances are you're familiar with the ongoing legal dispute between Google and Oracle over copyright issues. Dating all the way back to 2010, this case centers around Google's use of Java code, for which Oracle claims to hold the copyright, in the development of its Android operating system for mobile devices. According to Reuters, the case could find its way to the U.S. Supreme Court, as Google filed a petition Jan. 24, 2019 for the country's ultimate judicial authority to review the matter. Google is hoping the justices will overturn a 2018 decision by the U.S. Court of Appeals for the Federal Circuit, which found in Oracle's favor.
Regardless of what ends up happening with this particular case, the most important takeaway from the matter, without question, is the inherent ease of copying Java code and the security problems that can result from such easy duplication by cybercriminals. If your organization currently relies upon legacy applications made with Java, that's a potential problem you should strongly consider addressing as soon as possible.
Background and current status of the Oracle vs. Google dispute
Reuters noted the root of Oracle's original claim against Google lies in its 2010 acquisition of Sun Microsystems, the original developer of the Java programming language. The Redwood Shores, California-based software development firm filed its lawsuit to uphold what it believed were its intellectual property rights as owner of the smaller developer. 2012 marked the first court ruling on this matter: San Francisco federal court jurors found in favor of Oracle based on Google's violation of copyrights on "declaration" codes, often used by programmers to access libraries of existing Java code and thus speed up writing operations. However, the jury didn't consider the action a full-fledged copyright infringement, and the trial judge overturned the jurors' decision – not necessarily uncommon in such cases – to the benefit of Google, citing certain exceptions regarding "procedures, processes, systems and methods of operation" contained within the U.S. Copyright Act.
Two years later, however, the pendulum swung back in Oracle's favor: The aforementioned Federal Circuit court overturned the previous judge's ruling, reinstated Oracle's copyright and set the case up for a new trial. After that 2014 decision, the retrial eventually absolved Google of responsibility based on fair-use statutes, but that too was overturned by the Federal Circuit in 2018. That brings us up to date, with Google petitioning the Supreme Court for a writ of certiorari and awaiting the justices' response. As noted by Reuters, if precedent is any indication, the court may deem the matter unworthy of its time – it did exactly that in 2015, after the first Federal Circuit ruling but before the retrial. Google's hope for a different result lies in the ways in which the fair-use laws have evolved, which the tech giant believes will vindicate it.
The heart of the matter
While the willingness of Oracle and Google to spend almost nine years on this case certainly speaks to both parties' skin in the game, it ultimately distracts from a major issue, one that all business leaders currently using Java in tandem with legacy software or hardware must take to heart: It is incredibly simple for a reasonably talented code writer to duplicate or alter Java code. As such, it stands to reason that a black-hat hacker or other malicious online actor – maybe even someone contracted by a rival business – could do the same for purposes far more sinister than what Google did in its relatively small-scale misuse of Oracle's intellectual property. If these cybercriminals can access your code by breaking through outdated protective measures, the consequences could be devastating.
For a more recent, substantive and wide-ranging example of Java vulnerabilities, look no further than the massive Equifax breach in 2017, which led to the exposure of personally identifiable information belonging to 143 million Americans, according to the Federal Trade Commission. The flaw that preceded and facilitated that hack was in the Java app development platform Apache Struts. However, Infosecurity Magazine, citing data from a Sonatype report, pointed out that not only is Struts still plagued by vulnerabilities despite two years' worth of updates by its creators, but these issues also haven't dissuaded major organizations from using it. About two-thirds of companies on the Fortune 100 list downloaded Struts between July and December 2018.
Breaking free of Java security hassles
Companies would have a relatively easy issue to address if Java's flaws were limited to the Apache Struts application – you'd just patch it or use a different app development platform built around another language such as Python or C. Sadly, that isn't the case: Sonatype's data also showed that 51 percent of JavaScript packages and 12.1 percent of Java open-source components downloaded in the same year as Struts had similar flaws that could easily be exploited and turned against organizations by malicious web actors.
While some companies changed (or are in the process of changing) their approach to account for problems like these, it's clear based on the number of Fortune 100 Struts users that a significant number have yet to do so. Your organization and its personnel – not to mention your customers or clients – deserve as much data protection as possible, and more often than not, Java isn't capable of providing it. It's as simple as that. Take a moment to consider the status of your company's IT infrastructure and whether it's up to date or could reasonably be called "legacy." In the latter case, Inventu has the ideal solution to this conundrum.
Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary terminal emulation tool called the Flynet Viewer. This solution allows developers to craft reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. In all, the Flynet Viewer supports streamlined IT modernization and meets employer and staff expectations in a way that feels both familiar and simple.
Contact us today or review our extensive product catalog to see how Inventu can help you rid your servers of unsafe Java.