The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,862 other subscribers

Archive for the ‘Java’ Category

« Previous Entries
Next Entries »

in light of the zero-day Java exploits: JRE removal/install tool JavaRa from SingularLabs

Posted by jpluimers on 2013/01/17

Even though the JavaRa tool is Windows-only, it is a tremendous help scraping old vulnerable versions of the Java Runtime Environment (JRE) from your systems and keeping only the fixed versions.

Regular JRE installs from Oracle/Sun will keep the old-and-vulnerable JRE versions.

(note that it seems the recent JRE update did not actually fix the vulnerability, just the exploit, and that a new Java vulnerability might already be exploited. Be sure to keep a watch upcoming Java updates for these).

JavaRa

JavaRa is an effective way to deploy, update and remove the Java Runtime Environment (JRE). Its most significant feature is the JRE Removal tool; which forcibly deletes files, directories and registry keys associated with the JRE. This can assist in repairing or removing Java when other methods fail.

JavaRa 2.1 (released 20130116) Read the rest of this entry »

Posted in Development, Java, Power User, Software Development, Windows, Windows 7, Windows 8, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP | Tagged: , , , , , , , , | 1 Comment »

Forcing Java Update on Windows

Posted by jpluimers on 2013/01/04

Sometimes the Java Update checker crashes in the middle of something.

The long solution to restart it is to logoff/logon or reboot/logon and wait for it to come up.

The short solution is to manually restart it (you probably need to be Administrator to do this though) using either of these commands:

"%CommonProgramFiles%\Java\jucheck.exe" -auto
"%CommonProgramFiles%\Java\Java Update\jucheck.exe" -auto
"%CommonProgramFiles(x86)%\Java\jucheck.exe" -auto
"%CommonProgramFiles(x86)%\Java\Java Update\jucheck.exe" -auto

To keep it simple: The exact command depends (:

  • if you run on an x86 machine or not, or – on an x64 machine – which of the Java versions (x86 or x64) you have installed
  • if the jucheck.exe is in the Java directory itself, or in a Java Update directory

–jeroen

Posted in Development, Java, Power User, Software Development, Windows, Windows 7, Windows 8, Windows Server 2000, Windows Server 2003 | Leave a Comment »

C#: any c# – .NET Enumeration allows comma in the last field – Stack Overflow

Posted by jpluimers on 2012/12/06

Thanks Nick Craver for answering this on StackOverflow.

Array initializers can be specified in field declarations (§17.4), local variable declarations (§15.5.1), and
array creation expressions (§14.5.10.2).

The array initializer can end in a comma, which makes some things way easier (boy, I wish I had this in other programming languages).

From Nick’s answer:

It has no special meaning, just the way the compiler works, it’s mainly for this reason:

[FlagsAttribute]
public enum DependencyPropertyOptions : byte
{
Default = 1,
ReadOnly = 2,
Optional = 4,
DelegateProperty = 32,
Metadata = 8,
NonSerialized = 16,
//EnumPropertyIWantToCommentOutEasily = 32
}
[/language]By comment request: This info comes straight out of the ECMA C# Specification (Page 363/Section 19.7)

“Like Standard C++, C# allows a trailing comma at the end of an array-initializer. This syntax provides flexibility in adding or deleting members from such a list, and simplifies machine generation of such lists.”

–jeroen

via c# – .NET Enumeration allows comma in the last field – Stack Overflow.

Posted in .NET, C#, C# 1.0, C# 2.0, C# 3.0, C# 4.0, C# 5.0, C++, Delphi, Development, Java, JavaScript/ECMAScript, PHP, Software Development, VB.NET | 5 Comments »

.NET/C# duh moment of the day: “A char can be implicitly converted to ushort, int, uint, long, ulong, float, double, or decimal (not the other way around; implicit != implicit)”

Posted by jpluimers on 2012/11/20

A while ago I had a “duh” moment while calling a method that had many overloads, and one of the overloads was using int, not the char I’d expect.

The result was that a default value for that char was used, and my parameter was interpreted as a (very small) buffer size. I only found out something went wrong when writing unit tests around my code.

The culprit is this C# char feature (other implicit type conversions nicely summarized by Muhammad Javed):

A char can be implicitly converted to ushort, int, uint, long, ulong, float, double, or decimal. However, there are no implicit conversions from other types to the char type.

Switching between various development environments, I totally forgot this is the case in languages based on C and Java ancestry. But not in VB and Delphi ancestry  (C/C++ do numeric promotions of char to int and Java widens 2-byte char to 4-byte int; Delphi and VB.net don’t).

I’m not the only one who was confused, so Eric Lippert wrote a nice blog post on it in 2009: Why does char convert implicitly to ushort but not vice versa? – Fabulous Adventures In Coding – Site Home – MSDN Blogs.

Basically, it is the C ancestry: a char is an integral type always known to contain an integer value representing a Unicode character. The opposite is not true: an integer type is not always representing a Unicode character.

Lesson learned: if you have a large number of overloads (either writing them or using them) watch for mixing char and int parameters.

Note that overload resolution can be diffucult enough (C# 3 had breaking changes and C# 4 had breaking changes too, and those are only for C#), so don’t make it more difficult than it should be (:

Below a few examples in C# and VB and their IL disassemblies to illustrate their differnces based on asterisk (*) and space ( ) that also show that not all implicits are created equal: Decimal is done at run-time, the rest at compile time.

Note that the order of the methods is alphabetic, but the calls are in order of the type and size of the numeric types (integral types, then floating point types, then decimal).

A few interesting observations:

  • The C# compiler implicitly converts char with all calls except for decimal, where an implicit conversion at run time is used:
    L_004c: call valuetype [mscorlib]System.Decimal [mscorlib]System.Decimal::op_Implicit(char)
    L_0051: call void CharIntCompatibilityCSharp.Program::writeLineDecimal(valuetype [mscorlib]System.Decimal)
  • Same for implicit conversion of byte to the other types, though here the C# and VB.NET compilers generate slightly different code for run-time conversion.
    C# uses an implicit conversion:
    L_00af: ldloc.1
    L_00b0: call valuetype [mscorlib]System.Decimal [mscorlib]System.Decimal::op_Implicit(uint8)
    L_00b5: call void CharIntCompatibilityCSharp.Program::writeLineDecimal(valuetype [mscorlib]System.Decimal)
    VB.NET calls a constructor:
    L_006e: ldloc.1
    L_006f: newobj instance void [mscorlib]System.Decimal::.ctor(int32)
    L_0075: call void CharIntCompatibilityVB.Program::writeLineDecimal(valuetype [mscorlib]System.Decimal)

Here is the example code: Read the rest of this entry »

Posted in .NET, Agile, Algorithms, C#, C# 1.0, C# 2.0, C# 3.0, C# 4.0, C# 5.0, C++, Delphi, Development, Encoding, Floating point handling, Java, Software Development, Unicode, Unit Testing, VB.NET | 1 Comment »

Great session on how to prevent SQL Injection Myths and Fallacies

Posted by jpluimers on 2012/08/15

A few weeks ago, Bill Karwin did a must watch webinar on the prevention SQL Injection titled  “SQL Injection Myths and Fallacies“.

Bill Karwin (twitter, new blog, old blog, Amazon) is famous for much work in the SQL database community, including InterBase/Firebird, mySQL, Oracle and many more.

He also:

Anyway, his webinar is awesome. Be sure to get the slides, watch the replay, and read the questions follow up.

Watching it you’ll get a better understanding of defending against SQL injection.

A few very valuable points he made: Read the rest of this entry »

Posted in .NET, .NET 3.5, .NET 4.5, .NET ORM, ASP.NET, Batch-Files, C#, C# 1.0, C# 2.0, C# 3.0, C# 4.0, C# 5.0, C++, Cloud Development, COBOL, CommandLine, Database Development, Delphi, Delphi for PHP, Delphi x64, Delphi XE2, Development, EF Entity Framework, F#, Firebird, FireMonkey, History, InterBase, iSeries, Java, JavaScript/ECMAScript, Jet OLE DB, LINQ, LLBLGen, MEF, Microsoft Surface, Mobile Development, PHP, PowerShell, Prism, Scripting, SharePoint, SilverLight, Software Development, SQL, SQL Server, SQL Server 2000, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, SQL Server 7, VB.NET, VBS, Visual Studio 11, Visual Studio 2002, Visual Studio 2003, Visual Studio 2005, Visual Studio 2008, Visual Studio 2010, Visual Studio and tools, Web Development, Windows Azure, WinForms, WPF, XAML, xCode/Mac/iPad/iPhone/iOS/cocoa | 1 Comment »

Installing Eclipse, Android SDK and ADT on Mac OS X

Posted by jpluimers on 2012/07/24

Just in case I need to get my Android contacts issue solved by brushing off some Java knowledge and going for Java using Eclipse on my MacBook Air:

All of the above was to try out this: Android-er: Create SD Card in Android Emulator and copy files into, in Eclipse, Emulator and DDMS..

Which in turn I needed for this: Current status on the “Android help needed: App that cleans up the Contacts mess that the LinkedIn app left behind” « The Wiert Corner – irregular stream of Wiert stuff « The Wiert Corner – irregular stream of Wiert stuff.

–jeroen

Posted in Android, Development, Java, Mobile Development, Software Development | 1 Comment »

Paros Proxy | TestingSecurity.com

Posted by jpluimers on 2012/07/18

On the research list as it seems a lot wider than HTTP Fiddler:

Paros Proxy

Paros is a valuable testing tool for your security and vulnerability testing. Paros can be used to spider/crawl your entire site, and then execute canned vulnerability scanner tests. But Paros goes beyond that, it comes with a built in utility that can proxy traffic. This Paros Proxy utility can be used to tamper or manipulate any http or https traffic on the fly. This makes some of the more interesting security types of testing. It will help you isolate potential area’s of security concern and then manual attempt to perform the type of testing you desire.

Paros Proxy

Paros also comes with a built in Session ID analyzer. It will display a graph of all the types of Session ID’s it has been presented with using a multiple threaded session initiator. You then can determine if the graph appears random enough for the Session ID. It is a pretty unique and interesting tool to use. Although typically most developers will rely upon another technology tomcat, apache, or some other application to generate Session ID’s. This is not always the case and as such a Session ID analysis should be performed. Sometimes the Session ID will not be randomized enough and the hash used to create the Session ID is easily predictable.

Paros also comes with a built in Fuzzer. You will need to generate your own Fuzzer library to use the Fuzzer, but it will perform all the fuzzing for you.

–jeroen

via: Paros Proxy | TestingSecurity.com.

Posted in Development, HTML, Java, Scripting, SOAP/WebServices, Software Development, Web Development | 2 Comments »

Dear fellow programmer. If you aren’t experienced doing multi-threading, please don’t!

Posted by jpluimers on 2012/07/05

Recently I was asked to investigate a performance problem with a certain .NET application.

The first error I got when getting the app to build in Visual Studio 2010, and then run it was like this:

System.ComponentModel.InvalidAsynchronousStateException was caught
  Message=An error occurred invoking the method.  The destination thread no longer exists.
  Source=System.Windows.Forms
  StackTrace:
       at System.Windows.Forms.Control.WaitForWaitHandle(WaitHandle waitHandle)
       at System.Windows.Forms.Control.MarshaledInvoke(Control caller, Delegate method, Object[] args, Boolean synchronous)
       at System.Windows.Forms.Control.Invoke(Delegate method, Object[] args)
       at UI.Splash.SetStatus(String status) in C:\...\Splash.cs:line 395
       at UI.Menu.Main() in C:\...\Menu.cs:line 4275
  InnerException:

Someone built their own splash logic with multi-threading.

Funny that today, this got answered on StackOverflow by [WayBackmgie: [WayBack] multithreading – TMonitor synchronization / Application.ProcessMessages – Stack Overflow.

Though that is a Delphi link (and points to the nice libraries [Archive.is] AsynCalls and [WayBack] OmniThreadLibrary), the most important link it contains is to  [WayBackBorland Newsgroup Archive :: borland.public.delphi.internet.winsock :: Re: Disconnect TIdHttp in thread.

That sounds like a Delphi link too, but the subtitle “‘Ways to get into avoidable trouble with threads, V1.2′” hints the essence: it is a post that describes in an environment-agnostic way how to avoid multi-threading problems.

Recommended reading!

Anyway: Building multi-threaded code is hard. Even harder fleshing out all the corner cases and potential error conditions.

No matter what kind of programming environment: If you have not done lots of multi-threaded programming, then please don’t do it yourself: go ask someone that does know how to do it. Or better, try to avoid it.

I try to let libraries to the handling of multi-threading for me, if I use multi-threading at all, as others are far better at this than I am.

–jeroen

Posted in .NET, C#, C# 1.0, C# 2.0, C# 3.0, C# 4.0, C# 5.0, Conference Topics, Conferences, Delphi, Development, Event, Java, Software Development, VB.NET, VBS, Visual Studio 2010, Visual Studio and tools, WinForms | 6 Comments »

Many more web platforms vulnerable to the hash collision attack (not only ASP.NET) #28C3 @hashDoS #hashDoS @ccc

Posted by jpluimers on 2011/12/29

When writing my Patch your ASP.NET servers ASAP early this morning, I didn’t have time to research the full extend of the vulnerabilities published at 28C3 (slides, mp4), though a small bell was ringing a message that I had seen something like it before earlier this century.

I was right, this posting on perlmonks direct me to a /. posting in 2003 pointing me to the research paper on low-bandwidth attacks based on hash collisions (pdf version) that I had seen before. Perl 5.8.1 fixed it September 2003 (search for “hash” in that link).

The attack can be used for DoS because a normal distributed hash table insert of n elements will be running O(n), but a carefully crafted insert of those elements will run O(n^2).

Carefully crafting a worst case scenario depends on how well you can predict collisions in the underlying hash table implementation, which – apparently – is not too difficult, and requires little bandwidth.

Many platforms and languages are vulnerable (already archived at the WayBack machine), including those based on Java, Tomcat, .NET, Ruby, PHP and more in greater or lesser extent. I have the impression that the list only includes big names, but presume platforms based on smaller names (ASP, Delphi, Objective C) are equally vulnerable.

Just read the articles on CERT 903934, oCERT 2011-003Arstechnica, Cryptanalysis.euHeise (German), Hackillusion and the research paper published at 28C3.

a few quotes:

“This attack is mostly independent of the underlying Web application and just relies on a common fact of how Web application servers typically work,” the team wrote, noting that such attacks would force Web application servers “to use 99% of CPU for several minutes to hours for a single HTTP request.”

“Prior to going public, Klink and Wälde contacted vendors and developer groups such as PHP, Oracle, Python, Ruby, Google, and Microsoft. The researchers noted that the Ruby security team and Tomcat have already released fixes, and that “Oracle has decided there is nothing that needs to be fixed within Java itself, but will release an updated version of Glassfish in a future CPU (critical patch update).”

“The algorithmic complexity of inserting n elements into the
table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request”

“We show that PHP 5, Java, ASP.NET as well as v8 are fully vulnerable to this issue and PHP 4,
Python and Ruby are partially vulnerable, depending on version or whether the server
running the code is a 32 bit or 64 bit machine.”

Microsoft seems to have been notified pretty late in the cycle, I presume because the researchers started with a some platforms and finally realized the breath of platforms involved.

The ultimate solution is to patch/fix the platforms using for instance a randomized hash function a.k.a. universal hashing.

Microsoft will provide a patch for ASP.NET later today, Ruby already patched and other vendors will soon or have already (please comment if you know of other platforms and patches).

The links this morning indicated there were no known attacks. That is (maybe was) true for ASP.NET, but for PHP a public proof of concept of such a DoS is has been published by Krzysztof Kotowicz (blog) with sources at github and a demo html page.

Temporary workarounds (based on the some of the links in this and the prior blog post, and the workarounds mentioned here and here):

  1. If you can: replace hash tables by more applicable data structures
    (I know this falls in the for-if anti-pattern category, but lots of people still use a hammer when a different tool works much better)
  2. Limit the request size
  3. Limit the maximum number of entries in the hash table
  4. Limit form requests only for sites/servers/etc that need it.
  5. Limit the CPU time that a request can use
  6. Filter out requests with large number of form entries

Some platforms already have applied temporary workarounds (I know of Tomcat (default max 10000 parameters), and PHP (default max_input_vars = 1000) did, and looks like the ASP.NET fix will do too).

Other platforms (like JRuby 1.6.5.1, CRuby 1.8.7 (comments) and Perl 5.8.1 in September 2003 ) fixed it the proper way.

Note: workarounds are temporary measures that will also deny legitimate requests. The only solution is to apply a fix or patch.

A major lesson learned today for a few people around me: when vendors start publishing “out of band” updates, do not trust a single 3rd party assessment with state “initial investigation”, but be diligent and do some further research.

–jeroen

PS: Just found out that most Azure users won’t need to manually apply a fix: just make sure your Hosted Service OS servicing policy is set to “Auto”.

Posted in .NET, ASP.NET, C#, Cloud Development, Delphi, Development, Java, PHP, Ruby, Scripting, Software Development, Web Development, Windows Azure | 6 Comments »

some reflections on #Delphi #FireMonkey support for #iOS based on the #FPC compiler that caused quite a surprise

Posted by jpluimers on 2011/08/17

When looking over a few forums, it seems that the way Delphi XE2 will support FireMonkey on iOS (by using FPC aka the FreePascal Compiler) was very surprising, even for the FPC dev team.

Actually, Embarcadero’s Michael Swindell posted some very interesting reactions on the Lazarus forum and his series of comments on Jon Lennart Aasenden blog entry discussing Delphi XE2 and iOS.

Recommended reading!

A lot of pieces of the puzzle fall into place now: Embarcadero aquiring KSDev (that made DXScene/VXScene), and the support in FPC 2.5.1 for a more Delphi Language compatible syntax, and Objective Pascal binding to Objective C as indicated by Phil Hess. VGScene already supported iOS using FPC in Delphi Mode, as this thread on the embarcadero forums also indicates, so it is logical that FireMonkey does too.

Embarcadero, FreePascal and RemObjects are in parallel (and sometimes cooperation) working on cross platform compiler development.
For the Mobile world, ARM (for iOS) and Java (Android, BlackBerry) are very important.

Clearly, Borland was far ahead of its time when they demonstrated their dcc32j Delphi to Java bytecode compiler proof of concept at BorCon conferences back when their opening evenents had great videos (I think it was both at BorCon 1998 and BorCon 1997), and not so great shifts (the Inprise identity crisis).

The same holds for the Sun’s slogan “the network is the computer” (actually by John Gage): basically that was about predecessors of Cloud computing.

Things from the past come back, sometimes presented as “new”, a few (partially from this Evolution of Pascal programmers.stackexchange.com thread):

All of those are (partial repetitions) of technologies that help you build systems. The trick is how to be able to quickly learn and apply those technologies (as opposed to add a bunch of TLAs or FLABs wich are about the only thing that most modern “recruiters” use to match résumés/CVs to positions).

Some of the things above have died, or are not in wide use any more.
That is OK: Life can’t have ups without having downs, and without some form of long wavelength repetitions: that’s what makes the journey so interesting (just think about the financial markets, there will be good times…).

Using FPC for iOS opens the road to develop applications using a very productive environment consisting of the Delphi IDE and the FPC compiler in a short while from now.

–jeroen

PS: two more events that I will be attending and/or speaking:

PS2: Now it probably is more clear why I bought and installed my Mac Mini Server last year :)

Posted in .NET, C#, Delphi, Development, Java, Software Development | 6 Comments »

« Previous Entries
Next Entries »