Nov 25 10

Shortly – URL shortener for Firefox

by aloshbennett

Introducing Shortly, an extension for Firefox that creates short URLs using the bit.ly service.

Take it out for a spin and let me know what changes and features you’d like to see.

Nov 16 10

Reflection and the missing Security Manager

by aloshbennett

Here’s an interesting trick that’s been around for a long time:

Consider the Person class here, with password as a private data member.

public class Person {
 
   private String name;
   private String password;
 
   public String getName() {
       return name;
   }
 
   public boolean login(String password) {
      if (this.password.equals(password)) {
         // authenticated: set up the session here
         return true;
      }
      return false;
   }
   // other members omitted
}

Java's access rules do not allow me to access or modify the password field, which is declared private. All the same, I can do it using reflection, as shown below:

   // needs: import java.lang.reflect.Field;
   Person person = db.queryPerson("alosh");
   //System.out.println("password: "+person.password); -- won't compile
 
   // getDeclaredField() is required here: getField() only returns public fields
   Field field = person.getClass().getDeclaredField("password");
   field.setAccessible(true);   // suppresses the access check; throws SecurityException if a SecurityManager denies it
   System.out.println("password: "+field.get(person));
   field.set(person, "welcome");
   person.login("welcome");
   ...

It all boils down to this line of code.

   field.setAccessible(true);

All reflective access to an object's members (methods, fields, constructors) goes through AccessibleObject, which lets the reflected object suppress the normal language access checks. Once the accessible flag is set, the member is open.
But the flag is not flipped until the call has checked with the SecurityManager, if one is installed. Reflection and SecurityManager together provide the power to control access dynamically.

Our little trick, then, comes down to the SecurityManager, or, as in this case, the lack of one.

By default the JVM does not run with a SecurityManager installed. One can be installed either by passing the following option to the JVM

-Djava.security.manager

or by setting one in the code

System.setSecurityManager(new SecurityManager());

(Now the snippet mentioned in the beginning will not work.)

* SecurityManager is not enabled by default in the JVM.
* The majority of JEE servers out there don't run a SecurityManager unless asked to.
* Many applications would not run with a SecurityManager in place.

Isn't this against Java's principle of 'Secure by Default'?
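As an added example (not code from the post), here is the same trick beside a minimal SecurityManager that denies only ReflectPermission("suppressAccessChecks"), the permission setAccessible(true) asks for, so the call that works on a bare JVM throws SecurityException once the manager is installed. ReflectionDemo, NoSuppressAccessChecks and the sample password are constructed for this demo.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

class Person {                              // same shape as the post's class
    private String password = "s3cret";     // constructed sample value
}

// Added demo (not the post's code). JDK 18+ needs -Djava.security.manager=allow
// for System.setSecurityManager() to succeed; the API is deprecated for removal.
public class ReflectionDemo {

    // Tries the post's trick; returns true if the private field could be read.
    static boolean canReadPassword(Person p) {
        try {
            // getDeclaredField(), not getField(): the latter only sees public fields
            Field f = Person.class.getDeclaredField("password");
            f.setAccessible(true);          // this is the call the SecurityManager checks
            return f.get(p) != null;
        } catch (SecurityException e) {
            return false;                   // denied: suppressAccessChecks was refused
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    // Narrow manager: deny only the permission setAccessible(true) requests and
    // allow everything else, so the rest of the demo keeps running.
    static class NoSuppressAccessChecks extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof ReflectPermission && "suppressAccessChecks".equals(perm.getName())) {
                throw new SecurityException("denied: " + perm);
            }
        }
    }

    public static void main(String[] args) {
        Person p = new Person();
        System.out.println("without SecurityManager, password readable: " + canReadPassword(p));
        System.setSecurityManager(new NoSuppressAccessChecks());
        System.out.println("with SecurityManager, password readable:    " + canReadPassword(p));
    }
}
```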

Oct 26 10

Unity to replace GNOME in Ubuntu 11.04

by aloshbennett

Starting with Ubuntu 11.04 (codenamed Natty Narwhal), Unity would be the default shell of choice for the desktop edition.

Though Unity (already available on the netbook editions) is far from ready, there are a couple of cool features it brings to the table.

The immediate changes are aimed at reducing the wastage of screen space. The application menu (in maximized mode) gets integrated into the top panel. So does the status bar, which would be replaced by an indicator on the top panel. This is a huge relief for people like me who run Firefox with extensions that hide menubars, trying to salvage every bit of screen space.

There is also the promise of a Mac styled dock and application switcher.

The Unity project plans to include zeitgeist, a sophisticated data engine that understands user activities and correlates them. This can provide useful context to search and browsing applications.

There are also plans to evolve from directory based file storage to something that’s more intuitive and search oriented (yey!! first step towards tag based systems).

GNOME 3 is coming next April, and there is a worry that throwing in a new desktop shell would divide the development community. Nevertheless I like Ubuntu’s aggressiveness when it comes to redefining the image of Linux.

In the good spirit of choice, GNOME and KDE would be very much available as login options.

Oct 18 10

Cross Site Scripting through image EXIF

by aloshbennett

Cross Site Scripting (XSS) seems to be the most common vulnerability today with every other site having run into it at least once. In a nutshell, whenever a website displays unsanitized user-driven data (supplied directly or indirectly), it makes itself susceptible to XSS.

Image EXIF information is no exception. Though EXIF data is usually written by the digital camera, it can be edited with any of the freely available tools. It is possible to modify any tag, including Camera Make and Model, and put JavaScript snippets in their place.

Here's a sample image with JavaScript alerts written into its EXIF. (Upload the pic to jpeginfo.com to see the JavaScript at work. The site doesn't persist the image and hence is safe.) Most of the big names in photo sharing already sanitize EXIF tags before displaying them, but there are a lot of smaller websites that are prone to this kind of XSS.
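As an added example, not code from the post: a minimal reader for the Make and Model tags of an EXIF (TIFF) block, fed a constructed payload whose Make tag carries a script like the post's image, together with the HTML encoding a site must apply before displaying such tags. ExifTagDemo, its helper names and the sample bytes are constructed for this illustration.

```java
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ExifTagDemo {
    static final int TAG_MAKE = 0x010F, TAG_MODEL = 0x0110, TYPE_ASCII = 2;

    // Reads the ASCII entries of IFD0 from a TIFF-structured EXIF payload (the bytes
    // after the "Exif\0\0" marker of a JPEG APP1 segment). Every value is untrusted input.
    static Map<Integer, String> readIfd0Ascii(byte[] tiff) {
        ByteBuffer b = ByteBuffer.wrap(tiff);
        b.order(tiff[0] == 'I' ? ByteOrder.LITTLE_ENDIAN : ByteOrder.BIG_ENDIAN);
        int ifd = b.getInt(4);                               // offset of IFD0
        int n = b.getShort(ifd) & 0xFFFF;                    // number of 12-byte entries
        Map<Integer, String> out = new LinkedHashMap<>();
        for (int i = 0; i < n; i++) {
            int e = ifd + 2 + 12 * i;
            int tag = b.getShort(e) & 0xFFFF, type = b.getShort(e + 2) & 0xFFFF, count = b.getInt(e + 4);
            if (type != TYPE_ASCII) continue;
            int off = count <= 4 ? e + 8 : b.getInt(e + 8);  // values of 4 bytes or less sit inline
            if (off < 0 || off >= tiff.length) continue;      // never trust an offset from the file
            int len = Math.max(0, Math.min(count, tiff.length - off));
            String s = new String(tiff, off, len, StandardCharsets.US_ASCII);
            out.put(tag, s.contains("\0") ? s.substring(0, s.indexOf('\0')) : s);
        }
        return out;
    }

    // The fix for the XSS described in the post: encode tag text before it is placed in HTML.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Constructed sample: a little-endian TIFF whose Make tag holds a script and whose Model is "X1".
    static byte[] constructedTiff() {
        byte[] make = "<script>alert(1)</script>\0".getBytes(StandardCharsets.US_ASCII);
        int makeOff = 8 + 2 + 2 * 12 + 4;                    // header + count + 2 entries + next-IFD link
        ByteBuffer b = ByteBuffer.allocate(makeOff + make.length).order(ByteOrder.LITTLE_ENDIAN);
        b.put((byte) 'I').put((byte) 'I').putShort((short) 42).putInt(8).putShort((short) 2);
        b.putShort((short) TAG_MAKE).putShort((short) TYPE_ASCII).putInt(make.length).putInt(makeOff);
        b.putShort((short) TAG_MODEL).putShort((short) TYPE_ASCII).putInt(3).put("X1\0\0".getBytes(StandardCharsets.US_ASCII));
        b.putInt(0).put(make);                               // no further IFD, then the Make string
        return b.array();
    }

    public static void main(String[] args) {
        Map<Integer, String> tags = readIfd0Ascii(constructedTiff());
        // Vulnerable: "<p>" + tags.get(TAG_MAKE) + "</p>" would hand the script straight to the browser.
        System.out.println("<p>" + escapeHtml(tags.get(TAG_MAKE)) + " " + escapeHtml(tags.get(TAG_MODEL)) + "</p>");
    }
}
```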

Oct 10 10

Programming for Security – IEEE Computing Colloquium

by aloshbennett

The Hyderabad chapter of the IEEE Computer Society conducted its 4th IEEE Computing Colloquium at BVRIT, Hyderabad. The event was very well received, with 600 students from 21 colleges attending. I was fortunate enough to give a talk on security and its programming aspects.

BVRIT, Hyderabad deserves a special mention for playing an excellent host. The effort the host college put in organising the event was commendable.

Here are the slides from the talk.

Programming for Security

Sep 23 10

Oracle's lawsuit against Android – does it hurt Java?

by aloshbennett

Oracle sued Google over Android for patent infringements related to Java. The news is old, but there are still a lot of misconceptions floating around.

The biggest of them is around Android’s java support. Code for Android can be written in java language, compiled into a class-like (dex) format and run on Android’s Dalvik VM. So you code in java, run it on a VM. Sounds great so far. But is that java? No.

Java is not just the programming language. An equally, if not more, important part of Java is the virtual machine. The VM is what gives Java its strength, well captured in its punchline "write once, run anywhere". Code written for Android's Dalvik will not run on any other JavaME VM. Vice versa, code written for JavaME won't run on Android. Google had its own valid reasons not to go with JavaME. But at the end of the day, it is not justified to call what Android has Java support.

Microsoft once tried to come up with a windows-only version of java, and Sun sued Microsoft successfully. Even if Android were to remove the dex format and run class format on its VM, bringing in a VM that is not compatible with the standards would only split the java community.

If Google admits that Android doesn't support Java, will it solve the problem? Not really. The beef of the lawsuit is patent infringements related to the Java VM. You see, the patented IPs are free to use as long as your VM is a fully compatible Java VM. It's either a full implementation or nothing. Have there been any patent violations? Let's wait and see.

Sep 4 10

Lua with emacs

by aloshbennett

LuaMode brings a bunch of features like syntax highlighting, auto-indentation, etc. to Emacs. There's an interactive and very handy Lua shell too.

Place lua-mode.el in your emacs’s load-path and add the following code to your .emacs file.

;; bring in lua
(setq auto-mode-alist (cons '("\\.lua$" . lua-mode) auto-mode-alist))
(autoload 'lua-mode "lua-mode" "Lua editing mode." t)
(add-hook 'lua-mode-hook 'turn-on-font-lock)

Your favourite editor is now ready for Lua!

If you find the prompt to save abbrevs irritating, add the following into your .emacs

(setq save-abbrevs nil)

Aug 23 10

Programming for Performance – IEEE SSC Session

by aloshbennett

Slides from the session I took on Programming for Performance for the IEEE Section Students Chapter held on 22 August 2010 at Hyderabad.

The talk discusses various aspects of building an application with performance in mind. It is kept mostly at a high level, with some specific examples from Java.

Programming for Performance

Aug 18 10

LIET Session – RSS and Atom

by aloshbennett

Notes from Learning Is Every Thing session on RSS and Atom held on 17 August 2010.

This session discussed the history of RSS and Atom, their structure and application.
Thanks Neil for the video!

LIET Session: RSS and Atom from Neil on Vimeo.

LIET- Rss and Atom

Aug 18 10

LIET Session – JSON

by aloshbennett

Notes from Learning Is Every Thing session on JSON held on 16 July 2010.

The session gives an introduction to JSON, its advantages, how to consume JSON services and how it stacks up against XML.

LIET – JSON

Here's the code from the hands-on session on consuming Flickr's API to explore interesting pictures:

<html>
  <head>
    <title>interesting pics</title>
  </head>
  <body>
    <script type="text/javascript" >
      // Flickr calls this function (JSONP) with the result of flickr.interestingness.getList
      function jsonFlickrApi(list) {
        var photos = list.photos.photo;
        for (var i = 0; i < 10; i++) {
          // pick a random photo from the page returned (the default page holds 100)
          var j = Math.floor(Math.random() * photos.length);
          var p = photos[j];
          document.write("<br>");
          // the title is user-supplied text; writing it out raw as HTML is the same
          // unsanitized-data pattern that leads to XSS
          document.write(p.title);
          document.write("<br>");
          // image URL: http://farm{farm}.static.flickr.com/{server}/{id}_{secret}.jpg
          document.write("<img src=\"http://farm" + p.farm + ".static.flickr.com/" + p.server + "/" + p.id + "_" + p.secret + ".jpg\" >");
          document.write("<br><br><br>");
        }
      }
    </script>
    <script type="text/javascript" src="http://api.flickr.com/services/rest/?method=flickr.interestingness.getList&format=json&api_key=your_api_key" >
    </script>
  </body>
</html>

You’ll have to replace the api_key with a valid one.