x.com/windymelt/status/20646… そういえばJavaにはSecurityManagerというそれっぽいものが存在したのに、あれが失敗した教訓から学ばないと、Scalaに限らず言語組み込みでそういうものを入れても失敗する可能性があるけれど、 Javaのは何で失敗したんだっけ(そんなに深く理解してない)

🟥 Άρθρο μου στο Security Manager! ▶️ Διαβάστε το στην ψηφιακή έκδοση: yumpu.com/xx/document/read/7… ▶️ και online στο securitymanager.gr/it-kai-fy… #smartpress #securitymanager

#ModernSecurity now spans operations, IT/OT, risk, compliance, and experience enabled by platforms like #BuildingX and #SecurityManager. Explore #Siemens outcome-based security and what it could mean for your organization: linkedin.com/pulse/future-se… #Security #SmartInfrastructure

Java's securitymanager is actually pretty good if you use it correctly

Jakarta RESTful Web Services 5.0 is being updated in #JakartaEE 12 Core Profile. Updates include: 🔹 Continued CDI integration path 🔹 Deprecation of @Context, context resolvers, and @Suspended 🔹 Removal of SecurityManager 🔹 Clearer provider injection 🔹 Evaluation of Jakarta HTTP integration 🔹 Java record support 🔹 Java 21 baseline Learn more about Jakarta EE 12 ➡️ hubs.la/Q040wxpN0 #JakartaEE12 #JAXRS #REST #Java #opensource

SecurityManager is dead. Long live SandboxManager?

Jakarta CDI 5.0 reaches Milestone 2 in #JakartaEE 12. Updates include: 🔹 Java 17 baseline 🔹 Eager bean initialization 🔹 Programmatic BuildCompatibleExtension in CDI SE 🔹 Improved support for records and sealed classes 🔹 Spec cleanups and removal of SecurityManager Learn more about Jakarta EE 12 ➡️ hubs.la/Q040wmNM0 #JakartaEE12 #CDI #Java #opensource

You have a few design issues with AES: shared password-derived key for the whole group. Anyone with the password or the ability to get the password can decrypt everything past or present this also brings in the ability to use dict attacks or just phishing attacks. That makes it so your encryption is vulnerable. You should never reuse a the nonces. This is not "military grade encryption" at its core. Thank you for the detailed feedback. We appreciate the security review. On nonce reuse each message uses a unique random 12-byte IV so nonces are not reused. On the shared password model this is intentional for group channels, but we recognize the trade offs. Password compromise does expose channel history, and we are evaluating forward secrecy and per message key derivation. PBKDF2 uses 100,000 iterations with channel name salt, but stronger mitigations are needed. We’re prioritizing improvements to channel encryption security over time. Your input helps us strengthen the implementation. No data trails should be phrased as "no persistent logs". There will always be data trails with the ledger, I get why you said it and the marketing behind it, but its misleading compared to the actual design. Thanks for the feedback. We use "no data trails" to mean no identifiable or linkable data trails that can be used to track users or correlate activity. On-chain, Solana/Bitcoin transactions are permanent, but without personal identifiers or metadata linking them to users. Wallets and identities stay local, so on-chain data can't be tied to specific individuals without additional context. No persistent logs of contact lists, message content, wallet balances, or user metadata on our servers. Transit metadata IP, timestamps, routing headers exists during forwarding but isn't stored or correlated after delivery. Makes sense with the UTO, but your public material specifically states Solana there is no other talk about it (unless I missed it? We’ve planned to expand step by step, developing and integrating more chains as the project grows. Our public materials haven’t fully caught up yet, and we still need to update the marketing content accordingly plus we want to keep some of it as a future catalyst. The Bluetooth is plausible. I actually really like the idea, I'm curious how you are doing re-fragmentation/ reassembly on the other end with packet loss and in the presence of DoS like peers? Reassembly uses a fragmentID-based map, each fragment set gets a random 8-byte ID, and fragments are stored by index until all are received. If fragments are lost, incomplete sets are cleaned up after 30 seconds, preventing memory buildup. Duplicate detection via SecurityManager with a 10k message capacity, connection limits (8 max normal, 2 ultra-low power), and periodic cleanup of stale fragments for DoS mitigations. Fragments are validated before storage, and fragmentID randomness prevents predictable attacks, and currently no automatic retransmission, missing fragments cause reassembly to time out after 30 seconds. This is acceptable for lossy BLE, but we're evaluating selective retransmission for critical messages for packet loss. The 30-second timeout balances memory use and tolerance for transient loss. We appreciate the feedback and are refining these mechanisms as we scale. As a side note, we reviewed your main page post. Could you show us where it says we cannot use open-source code, and what exactly the concern is? Also, please point to any place where we stated that we don’t use open-source components. Since you’re raising technical questions, can you also show us where in BitChat’s code the transaction is generated within the app, and where the hex is verified internally? Also show us where they implemented offline payments.

Java SEの方はSecurityManagerを使わないようになったけど、Jakarta EEのSun時代のコードにはまだ含まれているだろうし、当時を知っている人もいないだろうから、大変だよね。 openjdk.org/jeps/486

Java 24 is wild! Quantum-resistant cryptography. SecurityManager finally gone. Faster startup via ahead-of-time class loading. Scoped values & structured concurrency. Java keeps leveling up. Which of these will you use first in your projects?

Java 24 is wild! Quantum-resistant cryptography. SecurityManager finally gone. Faster startup via ahead-of-time class loading. Scoped values & structured concurrency (4th preview). JNI fading → Foreign Function & Memory API rising. Java keeps leveling up and surprising us.

The answer is no, but with a brilliant nuance. A fatal JVM crash (like a StackOverflowError) is a definite 'no' for finally. But System.exit() is the real tricky part: If it succeeds -> JVM halts immediately. finally is skipped. If a SecurityManager blocks it -> it throws a SecurityException, and the finally block WILL execute as part of normal error handling! So the behavior can actually depend on runtime permissions.

Java Sandbox using SecurityManager: Want to restrict what a block of code can access (like files)? Use Java's SecurityManager to sandbox dangerous operations. This allows safe execution of plugins or user scripts. Not commonly used, but powerful for advanced control.

Added: -Support for Java Records -JDK Runtime aware support for Virtual Threads -Jakarta Data 1.0 Removed: -Prune ManagedBeans -Remove requirement to use SecurityManager -Remove all optional specifications