Sun's Gosling on security threats, development and Microsoft

Why is Sun's Java going the GPL open source route? Are software development costs doomed to spiral out of control? And what about Microsoft? Sun's "Father of Java" James Gosling tells all.
Written by Sylvia Carr, Contributor
Why is Sun's Java going the GPL open source route? Are software development costs doomed to spiral out of control? And is Microsoft destined to rule the enterprise forever? silicon.com's Sylvia Carr caught up with Sun's James Gosling to find out his thoughts on these questions and more.

Known as the "Father of Java," James Gosling is still at Sun Microsystems working on software development tools and aligning the strategies for the language and platform he created more than a decade ago.

silicon.com recently caught up with Gosling to discuss Sun's decision to release Java under the GPL, whether open source is more secure than proprietary software, how IT departments can cut development costs and why Microsoft still owns the desktop.

silicon.com: Sun has come to embrace open source. Why did you take that open approach with Java?
Gosling: With Java it was a couple of things. One is to get people to use it in the largest number of places, to get people to do ports to platforms and various things.

One of the biggest reasons for me has been that we then get a lot more collaboration with the community--people doing everything from bug fixes to security audits. One of the reasons Java has such a great security story is that we've had lots and lots of people stare at the source code.

We do an immense amount of testing and design work but none of that is anywhere near as good as having thousands of talented eyeballs just stare at it and think about it.

But it's only recently, last November, that Sun announced it'll release Java under the GPL, a standard open source license.
For the longest time, all of the source code for Java has been available to everyone. And until recently it came with a license that said: 'The source is open but you can't redistribute the results of any of your changes without passing the test suite.' We got a lot of flak from the open source community about that. We got to the point where it was clear that the market pressures were strong enough around testing and interoperability and reliability that the clause in the license was not hugely useful. So we switched to using the GPL license.

When will the switch to the GPL happen?
We're still in the process of implementing it. We expect the process to be pretty much complete by May.

Do you believe that an open source development model is inherently better for security?
Oh yeah. Because it's the only way that you can come to trust a piece of software. Security is a very different kind of thing to test because in security you're not trying to test that the thing you built works. You have to do that but you have to figure out--are there any cracks? Are there any flaws at the design level? And there aren't automated testing techniques [for that]. There's nothing that replaces somebody putting on a black hat and saying, "OK, I'm gonna try to break you." And then they do.

Ten years ago people were breaking into Java now and then. But always in a way done in a spirit of co-operation. We had a number of people find chinks in the armour which we fixed pretty much immediately. There's not been a single incident of actual loss due to a security issue. There is no Java antivirus software because it's not necessary. We've had 12 years of pretty intense scrutiny by experts all over the world.

It can be hard for people who design--whether it's a language or software or a platform--to anticipate all the different angles for someone trying to break into it.
Exactly. So when you build tests, the tests are inherently limited by what you think they're going to do to break in. You can build tests to make sure any of the break-in techniques you know of are stopped. And you can sit around scratching your head thinking of new ways to break into things. But you're not going to be anywhere near as creative as thousands of grad students out there adding a chapter to their PhD thesis.

Do you think we'll see more use of open source in the enterprise as time goes on?
Yeah. It's sort of gotten to the point where it's hard to imagine people using more because so much already is [used]--everything from open source operating systems to databases to programming languages to development tools. It's getting to the point where there's not much left. There are some areas like large-scale databases and ERP [where] there aren't any really serious open source ERP solutions. They're getting there.

What do you see as the biggest security threat to enterprises?
The number one biggest threat to enterprises is the inherent fallibility and laziness of humans. We can make the software as solid as we can but if someone says the root password of the machine is "nothing," anyone can walk in and [log onto the machine].

It's amazing how many people will do something like that because it makes their life easier. The world is filled with IT operations where the staff has gotten annoyed with all the security so they just turn it off.

Or they'll do really dumb things like put a copy of their entire customer database on their laptop hard drive and then go on vacation and lose the laptop.

Do you think the onus is just on the IT department to have stricter policies or do you think there's anything that can be done to make it easier for them?
We put an immense amount of effort into trying to make it such that the security policies are as easy to administer as possible. We want to make sure that things are not onerous, that things are not pushing IT departments to be lazy. There's a lot of stuff in Java and a lot of stuff in Solaris [Sun's Unix operating system] that are about trying to make bulletproof systems easy to live with. But in some places there's no limit to human laziness.

The first examples of Java technology were developed for consumer electronics. Are you surprised at how it's taken hold in the enterprise?
The fact it could be used in an enterprise was not a surprise because it was very much designed to handle large-scale server operations. The bit that surprised me was the scale of enterprise adoption.

Can you give an example of something that surprised you?
The big racks in the travel industry at places like Sabre and Orbitz. When you look at a company like FedEx which uses Java heavily--you can't send a parcel through FedEx without a bunch of Java code being involved. It's almost impossible to execute a financial transaction without a piece of Java code being involved.

What's the most interesting use of Java you've seen?
I'm more interested in the science side of things. The current Mars Rovers that are wandering around on Mars, the ground control system has a lot of Java code in it. Or the Keck telescopes, the world's largest telescopes. Their control system has big bags of Java code in it. It doesn't get much cooler than that.

Software development costs continue to be a large portion of IT budgets. Is there any hope for reducing these costs?
No. And my answer "no" is probably a little bit twisted. I've spent most of my professional career building tools for developers to help reduce costs, to make it so developers can be more effective, more productive and in general stuff like that has been really effective. But then there's this sort of depressing observation that if you look at what IT departments are spending, it doesn't really go down.

What I've observed is this funny phenomenon. If you come up with a good software development tool, that makes life easier for the developers and they can get their job done quicker, then the first thing the manager says is "oh you've got free time on your hands. Do this extra thing."

So IT departments are spending the same amount but doing more?
If you look at what IT departments are doing today, some huge fraction of [this] they weren't doing five and ten years ago. There was no online banking. There were no online stock transactions. There was no online travel. It was all quite different. The set of things people want to do with IT is expanding at the speed that the IT departments can cope with.

So pretty much every IT department will always be running right on the edge of collapse because if you ever get beyond the edge of collapse, you collapse, things fail, things fall apart. If you ever get on the other side, things get a little bit easy and people say "oh we can do more."

In some sense I've resigned myself. In the land of tool builders like me, it's not about cutting IT costs as much as it is inevitably about enabling IT departments to do more.

Looking at the development tools used today, what do you think is missing? What is needed?
The focus has shifted from the language to the development environment and the programming interfaces. A language works pretty well as a hub around which everything revolves. Mostly the really interesting advances in enterprise software development over the last few years have been in the tools, in the IDEs [integrated development environments].

Do you think that's a good situation? Do you think that we need a new language? Or do you think that's adequate?
That's actually working pretty well right now. There have been a number of programming languages out there which are emerging but they tend to be very focused. So things like Ruby and PHP are really good for generating web pages. But as soon as you go beyond that, you get into trouble. And with so many enterprise applications, the web page is sort of the skin on the outside of the real application. And mostly scripting languages don't do the high-performance, large-scale computing very well.

What do you think will be the next big tech innovation that will affect enterprise IT?
There's a lot of stuff going on around multi-threading. For example the way that Moore's Law is shifting from clock rate to number of cores, which means people have to be increasingly conscious of what it means to build multi-threaded applications.

Do you think Microsoft will be able to maintain its dominance in the enterprise?
They're going to be dominant on enterprise desktops for a long time. They really have a stranglehold there. Part of me finds that rather mysterious given that everyone's complaining about things like security, and "you gotta keep your antivirus up-to-date." It's like, why are we using a machine that needs antivirus software? I don't understand why anyone would run Outlook, for example.

What do you use for development?
I go back and forth between Solaris and Mac OS X. Systems that have real security. They have real reliability. They don't break. They pretty much just work.

What about Microsoft's dominance in areas other than desktops?
They don't have nearly the stranglehold in the enterprise server arena that they have on the desktop. A lot of their game over the past couple of years has been to try to leverage their desktop monopoly in the server space. They've been moderately effective at doing that.

What's your take on Vista?
I tend to stay away from Microsoft [software] because it tends to be so toxic. I'm not exactly an expert on the state of Vista. But it sure seems boring. They've put in a lot of eye candy but other than that it seems like an awful lot of money for not very much.