scott irwin

Ranch Hand
since Aug 07, 2000
Recent posts by scott irwin

RTFM and that's what it says!
I withdraw my stupid question.
20 years ago
Update: It's doing some type of "chunking" of the document where the characters() method has a max of 2k. My OoB is due to me taking a position within the document (chunk 1); by the time I reach my end mark I'm in the second chunk. I substring parm1, but it's only the second chunk.
I either need to set/override the 2k limit, or I must know when chunks change and StringBuffer append them back together to recreate my string that spans chunks. What a hack.
20 years ago
I've got a well formed document to parse. When it gets too long (like 10k) I get a String Index Out of Bounds exception from the Crimson parser that comes with 1.4 sdk. Googled with no luck (same errors with different parsers, but no answers). Switched parsers to xerces, same error? Shorten the document by a few bytes and it works fine.
Is there some limit to SAX? Some config I'm missing (not doing any)?
Thanks
Scott
20 years ago
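The two posts above (the original "String Index Out of Bounds" question and the follow-up about 2k "chunking") describe the same thing: the SAX contract lets a parser deliver a single text node as several characters() calls, and Crimson and Xerces do exactly that at their internal buffer boundaries. Any offset you note during one characters() call is meaningless in the next one. The fix is to append every call's slice into a buffer and only read the complete text in endElement(). The handler below is an added example, not code from the original thread; the element name "payload" and the 20,000-character document are constructed here for illustration. It also disables DOCTYPE declarations, which a SAX parser fed with untrusted input should do regardless of the chunking issue.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

/** Accumulates text across characters() calls instead of indexing into one call's array. */
public class ChunkSafeHandler extends DefaultHandler {
    private final StringBuilder text = new StringBuilder();
    private int charactersCalls = 0;   // how many chunks the parser delivered
    private String lastElement;        // name of the last element closed
    private String lastText;           // its complete text, assembled from all chunks

    @Override
    public void startElement(String uri, String localName, String qName, Attributes atts) {
        text.setLength(0);             // a new element starts: discard any previous text
    }

    @Override
    public void characters(char[] ch, int start, int length) {
        charactersCalls++;
        // Only ch[start .. start+length) is valid in THIS call. Never keep 'start'
        // or 'length' for later and never substring across calls; just append.
        text.append(ch, start, length);
    }

    @Override
    public void endElement(String uri, String localName, String qName) {
        lastElement = qName;
        lastText = text.toString();    // now the text node is complete, whatever the chunk size
    }

    public int getCharactersCalls() { return charactersCalls; }
    public String getLastElement()  { return lastElement; }
    public String getLastText()     { return lastText; }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one text node well over any 2k or 8k buffer size.
        StringBuilder doc = new StringBuilder("<doc><payload>");
        for (int i = 0; i < 20000; i++) {
            doc.append((char) ('a' + (i % 26)));
        }
        doc.append("</payload></doc>");

        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Hardening for untrusted input: no DOCTYPE means no external entities or entity bombs.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        SAXParser parser = factory.newSAXParser();

        ChunkSafeHandler handler = new ChunkSafeHandler();
        parser.parse(new InputSource(new StringReader(doc.toString())), handler);

        System.out.println("element: " + handler.getLastElement());
        System.out.println("text length: " + handler.getLastText().length());
        System.out.println("characters() calls: " + handler.getCharactersCalls());
    }
}
```

The assembled text is 20,000 characters long regardless of how many characters() calls the parser chose to make; with the JDK's built-in Xerces-derived parser the call count is typically greater than one for input of this size, which is the "chunking" the post observed. There is no configuration to make SAX deliver a text node in one call; if you need random access into the text, use the buffer-then-process pattern above or a DOM parser.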
I need to perform encryption between a MS client and Java servlet. I want to use DES or RC2/4.
I'm having trouble attempting to use my Java built key. I base64 encode it and give it to my client. This might be a MS question, but I'm not certain how to use this key in MS CryptoAPI.
Anybody done this? Or pointer to good site?
No, I can't use a Java client.
Thanks,
Scott
21 years ago
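For the interop question above (getting a Java-generated symmetric key into MS CryptoAPI), the mechanism CryptoAPI offers is CryptImportKey with a PLAINTEXTKEYBLOB: a 12-byte little-endian BLOBHEADER (bType = PLAINTEXTKEYBLOB, bVersion = CUR_BLOB_VERSION, reserved, ALG_ID) followed by a DWORD key length and the raw key bytes. The class below is an added example, not code from the original post; it builds that blob around a Java KeyGenerator key and base64-encodes it for transport. The constant values are the ones in wincrypt.h. Two caveats a practitioner would want: DES, RC2 and RC4 are all obsolete and should not be used for new work (the pattern is the same for CALG_AES_* with a larger key), and a key handed to a client in any encoding is fully in that client's hands, which is exactly the problem the later posts on this page wrestle with.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Wraps raw symmetric key bytes in a CryptoAPI PLAINTEXTKEYBLOB for CryptImportKey. */
public class CryptoApiKeyBlob {
    // Values from wincrypt.h
    static final byte PLAINTEXTKEYBLOB = 0x08;
    static final byte CUR_BLOB_VERSION = 0x02;
    static final int CALG_DES = 0x6601;
    static final int CALG_RC2 = 0x6602;
    static final int CALG_RC4 = 0x6801;

    /**
     * BLOBHEADER { BYTE bType; BYTE bVersion; WORD reserved; ALG_ID aiKeyAlg; }
     * followed by DWORD cbKeySize and the key bytes. All multi-byte fields are little-endian.
     */
    static byte[] toPlaintextKeyBlob(byte[] rawKey, int algId) {
        ByteBuffer buf = ByteBuffer.allocate(12 + rawKey.length).order(ByteOrder.LITTLE_ENDIAN);
        buf.put(PLAINTEXTKEYBLOB);
        buf.put(CUR_BLOB_VERSION);
        buf.putShort((short) 0);       // reserved
        buf.putInt(algId);             // ALG_ID
        buf.putInt(rawKey.length);     // cbKeySize
        buf.put(rawKey);
        return buf.array();
    }

    public static void main(String[] args) throws Exception {
        // DES is used only because it is what the post asked about; it is not secure today.
        KeyGenerator kg = KeyGenerator.getInstance("DES");
        SecretKey key = kg.generateKey();          // 8 bytes with DES parity bits set
        byte[] blob = toPlaintextKeyBlob(key.getEncoded(), CALG_DES);

        // Base64 of the whole blob is what the Windows client decodes and passes to CryptImportKey.
        System.out.println(Base64.getEncoder().encodeToString(blob));
        System.out.println("blob length: " + blob.length);   // 12 header + 8 key = 20 bytes for DES
    }
}
```

On the Windows side the client base64-decodes the string and calls CryptImportKey(hProv, blob, blobLen, 0, 0, &hKey); the provider reads the ALG_ID from the header and the key length from the DWORD, so the same function serves RC2 (CALG_RC2, variable length) and RC4 (CALG_RC4) keys without changes. Whether the Java side and the CryptoAPI side then agree on ciphertext also depends on matching mode and padding (for DES, CryptoAPI defaults to CBC with PKCS#5 padding and a zero IV unless KP_MODE and KP_IV are set), so that part must be pinned down explicitly on both ends.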
Mark,
Like I said, I'm not Visa and my project is not a credit/debit card, but I work in a group that's looking out > 18 months. I'm interested in leveraging the computing power in everybody's hand vs. routing information back to huge systems (edge computing.)
This led me to the whole trusted computing platform work that is being worked on by various companies and organizations. In taking my prototype to the next level, I needed to address security. I wanted to continue using Java but realized that the Java security model is there solely to protect the consumer from bad code and not bad consumers from my code.
So now I'm reading up on JavaCard to perform all of my security functions. Basically splitting my application between secure and unsecure functions. I agree with David, the key never leaves the secure platform (smartcard). I think this will lead me to a secure edge computing environment.
Scott
21 years ago
Mark,
Let's say I'm Visa (and I'm not) and I want to maintain a balance on a consumer's device. The code that manipulates the balance must be secure as well as the balance file. The application I (or Visa) distributes needs to send/receive encrypted/signed messages to its back-end system.
So Visa has its own key that must be stored on the device to encrypt/sign messages/files. I need to know that only my valid code executed the payment/adjustment. Any code that could obtain my key could sign fraudulent messages.
So short of Javacard/Smartcards (unless I can use Javacard from J2ME via proprietary provider extensions???), is there any method/pattern to secure my key in the hands of a hacker? In your password example, if you know the password (i.e., it's your password that protects my key), you can get the key from the keystore and sign anything you want.
I'm still in a prototype stage, so the best solution given the current limitations will do. But I think the next killer app is being held up by the lack of a trusted computing platform. Many companies are working to crack that nut, and if Java wants to play in that wave of killer apps it too must be secure. I hope JSR-177 nails it.
Thanks again,
Scott
21 years ago
Mark,
What I need is a trusted computing platform for Java. Given that there is a JSR underway, what is the best I can do at present?
Ultimately, I'm looking at the J2ME(2.0) environment but I might be forced to fall back to the J2SE environment. I'd have to split my code so that some executes in the VM and some executes in a javacard/smartcard. In the J2ME environment, I'd be looking at proprietary extensions to the VM to access the smartcard (I assume.) Anybody done this?
I guess my root question is: How do you secure encryption keys for the security of the application itself? Given today's environment, the only way I can see is to use JavaCard technology and let it perform all of the encryption/decryption/signing functions.
Obfuscating the code to hide a symmetric key or keystore password will slow down the determined attacker. It's still too easy to find the code working with the java security packages as those names remain unchanged. Then watch the byte[] or Strings in those classes.
Thanks,
Scott
21 years ago
I need to secure both code and files in the hands of consumers/hackers. I'm having trouble understanding where people put their encryption keys to keep them safe, or maybe they aren't safe (a hacker should know.)
What I want is a scenario where only the signed jar class can access the keystore provided in the same jar file, without a password. The fact that the code source is from the same signer, that is enough. Because I must provide a password to access the key, it provides a hole for hackers.
I wanted to encrypt my class file(s) so they could not be regenerated and supply my own classloader, but I'm back to the same problem with a password exposed in the classloader which can't be encrypted.
I don't see how to get around decompiling, recompiling with debugging and poking around to find the password. I've never tried, but it doesn't sound that hard given that security checks must occur early on in the code. Even with obfuscation, the password/key must materialize early on.
Even if I used JavaCard technology, a secure RMI connection to the reader requires access to some key. I could use an unsecure connection and have the card perform all encryption/signing, but I'm assuming that is sloooooow. Also, that doesn't protect my code. I could just hack the code and tell the card to sign anything I want.
It appears to me you can only limit your losses in Java. The supported security models require trust at some level (i.e., don't give away the password, decompile my code) in the hands of either the user or device (i.e., card reader). But what if both code and device are in the hands of a hacker? Is Java wide open in that case?
Also, the whole signed/sealed jar thing....Can't I just decompile everything, recompile and execute from my new unsigned/unsealed jar with any "enhancements" I want?
I haven't tried to hack, but it looks like JODE, a good debugger, some time and I'm set.
Thanks,
Scott
21 years ago
I'll answer my own question.... When scrolling is enabled in the console, you must hit the 'action/center' button to advance to VM, as the screen was full. I knew it had to be something stupid!
21 years ago
Anybody working with this VM have the same type of problem? It runs great, up until the same point in my code and it just stops processing lines of code. I have placed a set of vanilla print statements at that point, and it always reaches the same spot and never prints the next statement.
I'm assuming it is running out of some type of resource (plenty of memory left on the iPaq). Called Insignia...they say call Compaq....they are still looking at their manual....
I found www.jeodeassist.com, still waiting "to be accepted" as a user. Found an evm options site but I can't get the incantation right.
This is just a port for a demo, so I don't want to purchase JeodeMonitor.
So, anybody know the magic spell to get this thing to run past the wall?
Thanks,
Scott
21 years ago
Any of you bleeding edgers looking at J2ME bluetooth development yet?
22 years ago
I passed today with an 89%. I'd say 20% of the questions are gimmes. Some said the test was organized into groups, but my questions were scattered across the topics. If you are studying the gory details of every topic (that's great for your job) you are going too deep. Like I've seen some post-test posts about knowing about MQSeries and a lot of CORBA. Know what they are and where they fit in the big picture, but not their details (unless you want to know the details).
I'd say this was a good test about your broad knowledge across many topics, but you are not expected to be a guru in any area.
I think the questions I got wrong I had down to this one or that one and I talked myself into the wrong answer, or I was unclear about what the question might mean. There were probably two questions where I just didn't know the second correct answer, but still could narrow down to two (last time I use a quarter to decide, but they wouldn't let me bring in my magic 8 ball ). However, I don't think studying for another two weeks would have changed my results. I spent too much time studying the trees and not enough time studying the "overview" and "general concepts". Like knowing the benefits of design patterns (just like the objectives say). I nailed two of the three, eliminated one or two which left me with two possible. Simple, but I read that one time a long time ago and it cost me, that kills me.
I think I know the I18N question everybody gets wrong. I'd like to debate Sun about that question!
So I guess my word to wise is don't forget the simple stuff, it's on the test too.
Anyway, I can ramble on to part II.
Scott
Java Ranchers,
My notes are very light in this area and I'm attempting to reach a critical mass of knowledge to take this test soon. Anybody know what types of features beyond home/remote and their patterns that Sun is looking for?
Thanks,
Scott
Nizan,
Are the networks you speak of G3? If so, I guess we need to really keep our eye on other countries implementing G3 now for those killer wireless apps.
Mark,
So what's the trick? I wanted to develop a web service but I wanted to able to issue asynchronous messaging. Not too good if the app isn't running. Is there a way to route a message to the application?
Thanks,
Scott
23 years ago