A “horrible mistake” from 1997, the Java object serialization capability for encoding objects has serious security issues