FAQ & Disclaimer

General

* Why take another stab at Java?

The only purpose of this page is to raise awareness.
And I do provide links to useful resources to browse in a safer environment.

* When was the counter created?

2013-03-02

* Has the counter reached ten days yet?

Yes!

* Why does it say '1' when it's been less than 24 hours?

'0' means today. '1' means yesterday, even at 11 p.m.
And it does not adjust for your time zone.

* Why have 3 digits?

Keep guessing.

* Have people from Oracle seen the counter?

After a week, about 1000 hits originated from 45 Oracle IPs around the world.
I also got one hit from North Korea, from an outdated Mac OS X 10.6.8 running Chrome 25.
I gave a lightning talk about this at the 2013 SSTIC conference (PDF, in French).

* Have they tried to reach you?

Not yet.

Tech

* Why not use Oracle's deployment toolkit to detect your installed JREs?

The thing (deployjava.js) instantiates a bloody Java applet.

* But navigator.javaEnabled() isn't reliable!

I know.
Would you rather have me scan your whole thing?
Hell, just like thousands of other people,
you dared to click on a link that openly says "0day" anyway.

Hope is lost.

* "Click to play" is not a security feature, blocking all plugins is better!

Yeah but no.
You won't force users to browse a text-only web.
"Click to play" is a good enough compromise between security and usability,
and it raises awareness by educating people.

Plus, Java and other browser extensions aren't the only things that can be used to compromise your computer.
Libtiff has a long and shameful history as well. So have Flash Player and Acrobat Reader.