Matthew Bendford

Master Rancher
+ Follow
since Dec 01, 2020
Cows and Likes
Cows
Total received
9
In last 30 days
0
Total given
0
Likes
Total received
70
Received in last 30 days
0
Total given
15
Given in last 30 days
0
Forums and Threads
Scavenger Hunt
expand Rancher Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Matthew Bendford

Usually arrays are iterated up with this standard line:

If the index doesn't matter the simpler foreach can be used:

Your boudary error is caused by let the index fall down to -1. A fix could either be by change the condition to i<0 or if it's important to know that you got thru the array without hitting your check do a check for -1 as already shown.

Declaring an loop index outside of its head is usually only done if the index found by some condition afterwards. As you seem to only want the value in that spot instead of the counted index itself a foreach loop seems to fit better than your down counting while loop. It's not the value of i you're after but what's in the i'th element of the array.

TL;DR: You overcomplicated a simple search iteration. Don't use such bad code. Also don't use fixed limits but use array.length.
3 weeks ago
Using two lists to implement a notebook CAN be done but requires manual synchronization and a list implementation that guarantees order.

Are simpler approach is to take a note and its title as one combined type and have a list of that.

As for naming of variables: Although it's legal to start tokens with $ it's neither required nor following convention as like in PHP.
3 weeks ago
Because the compiler is smart enough to check the boundary of the statement. A byte can hold anything from -128 to +127. As long as the value is within that boundary it results in an implicit narrowing (downcast) as it still fits. If you try something out of range you get a possible loss and hence a compile time error.

TL;DR: It's implementation specific to the used compiler.
4 weeks ago
Usually OTPs are time-based with a 30-60 second window. The generator and the verifier first have to exchange a secret nonce and have to be kept synchronized within the set time window. This way any generated OTP is only valid for 30-60 seconds and can be validated by simple perform the same calculation used to generate it.

If you go for something more long-term stored - like an activation link sent via e-mail - as Stephan pointed out: There's no way without the server knowing about it and has a way to mark it invalid after its use.
1 month ago

Tim Holloway wrote:You can also have client-side certs. The client-side certs are kept on the client's machine. That means that if the machine is stolen, the thief already has the keys to the server, unlike logins with userid/password. Further, if the user's machine breaks and a new machine is swapped in, a cert has to be assigned to the new machine or it won't be able to connect. And from which it follows that if the new machine is a loaner, it is a major security risk if someone doesn't remove its key once it goes back into inventory.


Although I agree in general that using client certs isn't what most are used to when setting up client-certs on a machine basis rather than on a user basis that somewhat defeats the purpose. Client certificates are a way the server can verify the client - which is usually done to use some specific informations to identify the user logging in. If you set it up in a way to identify the machine but a user still has to provide login-credentials like username/password or others it somewhat defeats the purpose as access to a machine with an access certificate should be limited to authorized users only. If anyone can access a client with a machine identifying certificate that sounds like bad security design.
As for a machine gets lost/stolen: Use passphrases on user-based private keys - as a client has access to the private key for a successful two-way (mutual) authentication. Only provide a certificate without its private key doesn't work. Which is another point in "machine based cert/key sounds bad": Everyone with access to the machine has to know a shared passphrase - or the private key has to be stored unsecured - which I'm sure you agree upon should not be done at all.

A simple but effective way I have implemented myself: Hardware tokens like thumb-keys or smartcards. The tokens gets loaded with a private key and a certificate (or rather: the token generates a CSR and gets a certificate - the private key should never leave the token). To login the user has to provide the personalized token. Pretty much how RFID access tokens work. To increase security against loss/stealing this can be combined with like biometrics or other 2FA like a OTP synced to the token but kept seperate.

I'm aware that good security SHOULD rely on a) something a user KNOWs (credentials), b) something a user HAS (tokens)  and c) something a user IS (biometrics) - and if you just enforces it even users not used to such get rather quick to it. A friend of mine is a support agent for PayPal in a service center - and boi does paypal require some security: personalized access credentials (username + password) + personalized biometric token (the one he showed me looks like those fingerprint usb key thingies) + OTP secured access card with an additional otp generator. And he has about 200 co-workers range from 18 to 60 - and all have to follow these rules. It's just that paypal enforces it. It may sound exessive - but if I look at most of regular bank employees often only have a single not-so-secure key on their ring/chain - questionable who to trust more in that respect.

~ sorry for thread hijacking
1 month ago
Class.forName() - if you have to rely on a driver that has to rely on loading that old way - you should change the database backend which provides a more modern jdbc4.x driver which auto-loads via ServiceLoader api and hence no Class.forName() is needed anymore.
Also: Why that heavy focus on orcale? Most who use an oracle database should know what they're doing - and surely don'T need your blod post. What about the way more common MySQL/MariaDB used by your target audience?
Overall this should be moved over to the blatant advertising section - it doesn't really fit where you think.
1 month ago

Piet Souris wrote:Is there anything useful that you can do with that whatever-it-is? If so, please tell us, if not, what's the relevance of your info?


My point is to, well, point out that there's no such thing as something printing any memory related stuff but only an objects hashcode.
As for it's usefullness: It depends. As it's a 32 bit signed int that should at least somehow relate to an objects content or state it only has a meaning in context of an objects class and its implementation. If one overrides hashcode() the hashcode-equals contract has to be obeyed so that two objects that are equal return the same hashcode. Otherwise it's just a meaningless random number. But in no way is it related in any way to the underlying memory layout of tge running process. The two lines mentioned Object.hashCode() would return a memory address is wrong and it has to be pointed out in a beginners section that this statement is wrong.
1 month ago

saswata mandal wrote:System.out.println(testArr) prints the memory reference of testArr


Again: Object.toString returns the type and hashCode. There's a) no way to get to any internal memory stuff and b) tge gashCode has no real meaning other than uniquely an objects content. If it's the memory address that's return anything hashCode based would not work.
1 month ago
[quote=Sean Hatton]2. Its printing the memory address[/quote]
Actually what's printed is the hashCode which is an arbitrary calculated 32-bit signed int.
Although it's may not quite correct but arrays are handled more like an Object rather than a primitive. As there's no real "type" which could override Object.toString() one get the default Object.toString() implementation which returns an objects hashCode.
Although references internally contain an objects memory address in difference to C-family languages one doesn't have direct access to the internal memory structure of the runtime. Hence Java is said  to be a higher level language in terms of more abstract from what's going on at the physical level of a computer.

A hashCode is only meant to uniquely identify an objects content and to compare it to other objects of the same type. Care must be taken about equality: Although equal objects have to have the same hashcode two objects return the same hashcode doesn't have to be equal.
A sample is using the ascii code of a string and just add them. An object "Hello World" may result in the same hash as any other combination of these characters but only if the same characters appear in the same order those two objects are actual equal to eachother.
1 month ago
Long story short: Because strings a treated rather special by the java language and spec compliant compilers and runtimes. It's just a design descision from the og devs.

Btw: if at all the correct syntax would be more like String a=new String("string");

Btw btw: It's not just java treating strings special. C and the C-family does so as well. In the K&R it's explained that when a string literal is compiled into object code it becomes an array of chars with an explicit \0 byte as end marker. The reason: Back then memory was expensive so it was cheaper to add one single \0 byte to mark the end and a few standard functions to scan for it to determine the length rather than add like 4 or even 8 byte upfront. Also: back then a byte was not always 8 bit. There were system with word size as long as 11 bits per byte. Conversion between different systems was hard. Tgat's why at some point standards like 1byte=8bit or us-ascii and unicode/utf became a thing.

TLDR: Even as a dev you don't really need to know how and why - just take it as given.
1 month ago
Another common type of attack vector should also get mentioned: SQL injection.
It's pretty much the same idea: Unfortunately many beginner level tutorials, teachers and books commonly use simple string concatination to piece together sql queries. This works with provided sample data but already breaks on something common as a forum. The english language commonly uses both types of quote-marks: The single quote ' and the double quote ". If you now try to store this very line in a database one of them is used as delimiter character - and when encountered unexpected means end of input string which corrupts the sql query and the best case is an error returned from the database.
If you manipulate an input to a vulnerable qurry in a specific way you can get any sort of result from wiping the database over free access to leak its content.
So to get around this you have to sanitize the user input and properly build your query. One part of it is to use PreparedStatements. The query is done with placeholder characters (usually the question mark ?) and the values are filled with setters. This is also a way of type safety: If you expect a numerical value but you get a letter or other symbol the setter alrwady fail fast building the sql query before anything is ever send to the database.
An additional way of user input sanitization is limit the input characters. For a name there's a reason for a single dash - but a double dash -- (the sql comment marker to ignore the rest of the query srring) doesn't make sense. This can be a simple typo - but can also be an attacker trying to forge a bad query. You should reject such a name even before building the query as the input already looks too suspicious.
This list goes one for quite some lines. Atracker found all crazy issues over the decades like what's called a reverse shell abusing a bug in the apache web server or the recent log4j (which I became a victim of). The overall gist is: NEVER trust the user input. Always pre-check and validate and sanitize it and don't use simple string concatination if other methods are available like varargs methods for execute sub-processes, prepared statements for sql or simple I/O like a file by using a languages internal api rather then rely on a potential flawed shell command.
1 month ago
Please note: There's no such thing as multi-dimensional arrays. There're only arrays of arrays. One of the key differences is that the lower orders can have different lengths. There's nothing that would enforce that the lower order always has to be the same length. The following is fine: {{1,2,3,4},{a,b,c,d,e,f,g,h},{null}}. You see: The first array has a length of 4, the second one has a length of 8 and the third one only has a length of just one.
1 month ago
just for the memes - I just gave it "cat" - took about 2 minutes
1 month ago
Hmm, can't remember which grade - but I had to solve a similar question in primary school - so the actual math behind it is not that complicated - also writing that into a few lines of code isn't something to struggle with - forming it into an algorithm which can be used to calculate the result for any given delta-time seems the hard part.

It's just a more complicated way of this basic math problem: "train a starts in city a with speed a towards b - so does train b with speed b starts at time b towards a - when and where will the meet at what speed" - common primary school math problem with litterally couple 100s of YT videos
1 month ago

Tim Holloway wrote:"wmic" is not a Java function, it's an external command. Technically cheating, and if you're going to use wmic, might as well use ALL available external commands.

Java absolutely cannot see any non-mounted storage via API methods. The best you can do is look for pseudo-files, like /proc and /dev.

Not all storage in Linux is /dev/sdX, though. That originally indicated SCSI drives and was later re-purposed for SATA. The IDE disks (and some SATA) were /dev/hdX, CD/DVD devices typically show up under /dev/sgX (often aliased to things like /dev/cdrom, /dev/dvd0, etc.). And of course floppies: /dev/fdX.

And then there are USB storage devices. Not everything under /dev/usb is a storage device; some are mice, keyboards and other things.

Java is my first-choice programming language for most projects. But for something like this, I'd be looking elsewhere.


I'm well aware that using any external command is kind of "cheating" - but so is the "raw" access OP already mentioned by using the rather cryptic "\\.\PHYSICALDISKn" "path" - which just leverages the underlying drivers.
In fact, using external commands has another two sides to it: a) it's somewhat the linux way: "a tool is meant to do one thing only but do it good" (a bit like how classes should designed) and b) it's just another way of accessing the win32api - but instead of some "internal kernel magic" it's calling a sub-process and readings its output.
As for accessing devices on linux: I'm also aware of that - no need to point it out - but it's the same "bruteforce" or "cheating" as what OP tries to avoid: Use some pattern and iterate through what it returns until it causes an error. There's no difference in going thru /dev/sd[a-z] than \\.\PHYSICALDISK[1-9] - it's just brute force until the next iteration throws an error because there're only so many devices.
Using wmic is about as calling (new File("/dev")).listFiles((f,s) -> s.matches("sd[a-z]")); - it's getting a list upfront to iterate over instead of bruteforce until an exception is raised.
So, to wrap back around: In fact there're exactly these two ways:
1) using \\.\PHYSICALDRIVEn as template and scan for anything starting from 0 up until n+1 no longer exists
2) using SOME method of many available by getting a list containing every target devices and iterate over it - and just avoid the exception for n+1 because we know what n is
Which of these two ways OP wants to go comes from the original question:

One method definitely crossed my mind. I could just try reading data on \\.\PhysicalDrive0, \\.\PhysicalDrive1, \\.\PhysicalDrive2, .... \\.\PhysicalDrive55 or something like that to detect drives. If some bytes are actually read, then those physical drives exist. As far as I know, attempting to read data is the only way to know whether a drive exists (apart from JNI).

But that's really not a good way to do it and probably a last resort. Is there a better way?


So, OP seem to look for ANY possible solution to 2 - which WMIC is just one, using JNI/JNA and ask the win32API another - using REST to talk to the storage subsystem is a third one (which by the way doesn't differ much from just calling WMIC) ... anything else I mentioned is just either comparing to linux or questioning the reason behind. If OP will find the crypto stuff one's looking for? I wouldn't go far as to scrap the entire disk - as there's obvious at least some knowledge of part of what's to be searched.

To get off-topic: In the GTA5 modding scene it's common to share around a list of hashes and a few informations how to extract the crypto keys from the executeable to access the assets and modify them - as sharing around the keys would be copyright infrigement. So scanning a bunch of bytes of known length and compare their hash to a known value to find some crypto keys and related information seem to have its usecase - but I'm sure OP is not after such infromation just to avoid possible legal actions. I personal still doubt that Java is a good tool to approach the problem - but others shown me to utilized PHP to come up with rather complex programs I would had struggle to implement in other languages - the issue here just is that java has not the capabilities out of the box for OPs specific question.
1 month ago