Elhanan Maayan

Ranch Hand
since May 04, 2009

Recent posts by Elhanan Maayan

Stephan van Hulst wrote:

Elhanan Maayan wrote:the keys would be stored in another file (i'm thinking JCEKS because it allows to store symmetric keys on top of asymmetric ones), have the password for that store encrypted in another file (also part of the config), and the encryption of THAT, would be stored in the machine (using preferences api)

So basically, you have keys in a file protected by keys in another file, protected by keys in another file. Aren't you worried that those last keys are going to be stolen? Shouldn't you encrypt those? And then also the keys used in that step? And so on?

Like Tim said, it's better to trust and rely on the system administrators.

i'm aware of the bootstrap security problem, but your code is being scanned by customers clients, there's not much you can do
6 days ago

Stephan van Hulst wrote:Usually I don't bother encrypting keys in configuration files on the server. Security is provided by the operating system. If someone unauthorized has access to the files where the keys are stored (encrypted or not), you've already lost.

the problem is that those config files can be exported outside in a zip.

so my thinking was to encrypt those values using either DESede or AES keys (that would be generated upon install). those values would be stored in an xml file along with the seed.
the keys would be stored in another file (i'm thinking JCEKS because it allows to store symmetric keys on top of asymmetric ones), have the password for that store encrypted in another file (also part of the config), and the encryption of THAT, would be stored in the machine (using preferences api)

6 days ago

Matt Wong wrote:well - you can either ask the user for a pbe phrase - or store the data in plain
reason: as long as you try to hide something you have to reverse it - and when your code can, anyone else can
that's called security by obscurity and is always a bad idea

sadly, when it comes to servers, that's always the only option.
6 days ago
i've been trying to figure out what exactly is the use case for ProtobufVarint32FrameDecoder, the reason is that there are times i'd like to send protobuf messages without it, while still using netty.

the problem is that at times if i send a byte array with a client to a server, the server only gets most of the byte array and gets the rest, even though with wireshark (used with rawcap) i can actually see there's only one packet.. why?
6 days ago

is it acceptable procedure that upon install AES/DESede keys will be created automatically, and be encrypted or wrapped by another key that is PBE? (said keys are meant to encrypt specific values on xml files)

i've been looking into ways of key and read resources such as this: Credentials storage in jenkins and was wondering if there are any similar articles ..
6 days ago
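
The key-wrapping arrangement asked about above, as an added Java example that is not part of the original posts: a random AES data key is generated at install time and wrapped with a key derived from a passphrase via PBKDF2, then used to encrypt one config value. The class name, passphrase, sample value and iteration count are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class WrappedConfigKeyDemo { // hypothetical class name
    // Derive a 256-bit key-encryption key (KEK) from a passphrase with PBKDF2.
    static SecretKey deriveKek(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 600_000, 256); // assumed count
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        char[] passphrase = "constructed-demo-passphrase".toCharArray(); // constructed

        // Install time: random data key, wrapped under the passphrase-derived KEK.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, rng);
        SecretKey dataKey = kg.generateKey();
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, deriveKek(passphrase, salt));
        byte[] wrappedKey = wrap.wrap(dataKey); // stored beside the salt

        // Encrypt one config value with AES-GCM and a fresh 12-byte IV.
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("db-password-example".getBytes(StandardCharsets.UTF_8));
        System.out.println("stored value: " + Base64.getEncoder().encodeToString(ct));

        // Startup: re-derive the KEK, unwrap the data key, decrypt the value.
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, deriveKek(passphrase, salt));
        SecretKey recovered = (SecretKey) unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

With this layout an exported config zip holds only the wrapped key, salt, IV and ciphertext; the passphrase has to be kept outside those files for the wrapping to add anything.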
wow that worked, i'm assuming everything that doesn't have  "since dom level 2" in the javadoc is considered level 1?

g tsuji wrote:There was a time gap between dom being started taking shape and the necessity of namespace concept. And then dom itself continued to develop as well... At the time of dom level 1, there wasn't namespace in its final shape and dom level 1 is therefore not namespace aware. And when dom developed to level 2, namespace was then fully incorporated and many other things enhanced as well such as event model. I can say though: without namespace, there is no schema validation. Hence, in the area of schema validation, namespace awareness is a must.

That said, we are in dom level 2 minimum for the validation issue. So dbf.setNamespaceAware(true) is good. However, in the construction of and/or parsing to a dom tree, it is not at all a good idea to mix level 1 and level 2 methods. It can lead to unpredictable consequences and this is one.

This correction will take out the consequential mixing of methods in different levels and should have the problem rectified.

i have a strange problem, where if i change my xml by simply inserting another element and try to validate it against the schema, it fails with the following error:

Exception in thread "main" org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element ''. One of '{MultiSite}' is expected.

if i use the xerces parser (which would be the default as i have it in my classpath), however if i use com.sun's internal schema validator (the line i remarked) it passes

i should also add that if i turn the dom into a string and parse it back, it also works.


2 weeks ago
we have a server which sends out messages in protobuf format.
the problem is that so far only netty has been able to parse using its protobuf adapters.
now i don't know much about netty (as in nothing at all) and i don't want to add another library, but attempting to use any other library starting java normal socket.accept and java's nio2 failed.
i'm guessing this has something to do with the "frameDecoder" it uses, i tried to do the same in nio2, but that didn't work.

we have a build project which we run on a jenkins slave. now more than once, the build starts, but simply doesn't run the maven, we know this because the build also has a shell script which tries to move to a directory created by the build but which doesn't exist
we are using version 1.586
looking at the logs i see at times (Hudson64bit is the slave)

and at times.

3:31:37 PM SEVERE hudson.remoting.SynchronousCommandTransport$ReaderThread run
I/O error in channel Channel to Maven [c:\opencm\jdk6/bin/java, -server, -Xms1024m, -Xmx1024m, -XX:PermSize=128m, -XX:MaxPermSize=128m, -cp, C:\opencm\tomcat\bin\..\..\hudson\plugins\maven-plugin\WEB-INF\lib\maven3-agent-1.5.jar;c:\opencm\apache-maven-3.0.5\boot\plexus-classworlds-2.4.jar, org.jvnet.hudson.maven3.agent.Maven3Main, c:\opencm\apache-maven-3.0.5, C:\opencm\tomcat\webapps\jenkins\WEB-INF\lib\remoting-2.46.jar, C:\opencm\tomcat\bin\..\..\hudson\plugins\maven-plugin\WEB-INF\lib\maven3-interceptor-1.5.jar, C:\opencm\tomcat\bin\..\..\hudson\plugins\maven-plugin\WEB-INF\lib\maven3-interceptor-commons-1.5.jar, 3495]
could this be related?
3 years ago
No dumps were produced, this is because the JVM didn't die from OutOfMemory Exception but rather the oom killed the dmesg indicates the total-vm was like 10gb while the anon-rss was 7.8 of the process that was killed.
3 years ago
i'm getting this warning several times on our logs, doing dmesg on 'killed process' indicates java process has been killed several times .

this is running on a vm, and the xmx is usually set to take entire machine's allocated memory minus 1gb .
3 years ago

does anyone know of a detailed article about Netty and protobuff? and i'm not talking about just examples, i'm talking about explanations of which classes are used and why?
the weird part is that OOM shouldn't be activated, we use xmx to always specify memory size smaller by one gb than the vm's memory. meaning if the vm's memory is 8gb we use 7.
3 years ago
can this be shown in netstat or other commands?
we have a strange problem,
we send a signal to a device in udp protocol which responds back to us .
according to wireshark the time interval between the signal being sent and the reply from the device is a few ms. however in our logs which are being printed right next to the UDP socket api the gap is like 2 seconds. which means something between wireshark and our application is delaying the traffic, is there a way i can check for it? (btw there's no high load on the cpu)