Keylogger from mSpy application

As an agreement with my spouse to help him with his porn addiction, he allowed me to install a ‘tracker’ called mSpy on his phone. Recently he restarted his phone while he was in the bathroom, and the keylogger function logged over 150 pages of information, such as titles, video durations from pornhub, and from a Twitter website.

Is there a possibility this is a glitch in the system and something that was a mistake.

Average Case Analysis of Insertion Sort as dealt in Kenneth Rosen’s “Discrete Mathemathematics and its Application”

I was going through “Discrete Mathematics and its Application” by Kenneth Rosen where I came across the following algorithm of the Insertion Sort and also its analysis. The algorithm is quite different from the one dealt with in the CLRS so I have shared the entire algorithm below. Note that they have considered a machine where only comparisons are considered are significant and hence have proceeded according. The problem which I face is in the analysis portion given here in bold. Moreover the specific doubts which I have , have been pointed out by me at the very end of this question.

ALGORITHM The Insertion Sort.


procedure insertion sort($ a_1,a_2,…,a_n$ : real numbers with $ n \geqslant 2 $ )

for j:= 2 to n begin     i:=1     while aj > ai         i:=i+1     m := aj     for k:= 0 to j-i-1         aj-k := aj-k-1      ai:=m end {a1,a2,...,an is sorted}  

THE INSERTION SORT: The insertion sort is a simple sorting algorithm, but it is usually not the most efficient. To sort a list with $ n$ elements, the insertion sort begins with the second element. The insertion sort compares this second element with the first element and inserts it before the first element if it does not exceed the first element and after the first element if it exceeds the first element. At this point, the first two elements are in the correct order. The third element is then compared with the first element, and if it is larger than the first element, it is compared with the second element; it is inserted into the correct position among the first three elements.

In general, in the $ y$ th step of the insertion sort, the $ y$ th element of the list is inserted into the correct position in the list of the previously sorted $ j — 1$ elements. To insert the $ y$ th element in the list, a linear search technique is used; the $ y$ th element is successively compared with the already sorted $ j — 1$ elements at the start of the list until the first element that is not less than this element is found or until it has been compared with all $ j — 1$ elements; the $ y$ th element is inserted in the correct position so that the first $ j$ elements are sorted. The algorithm continues until the last element is placed in the correct position relative to the already sorted list of the first $ n — 1$ elements. The insertion sort is described in pseudocode in Algorithm above.

Average-Case Complexity of the Insertion Sort: What is the average number of comparisons used by the insertion sort to sort $ n$ distinct elements?

Solution: We first suppose that $ X$ is the random variable equal to the number of comparisons used by the insertion sort to sort a list $ a_1 ,a_2 ,…,a_n$ of $ n$ distinct elements. Then $ E(X)$ is the average number of comparisons used. (Recall that at step $ i$ for $ i = 2,…,n$ , the insertion sort inserts the $ i$ th element in the original list into the correct position in the sorted list of the first $ i − 1$ elements of the original list.)

We let $ X_i$ be the random variable equal to the number of comparisons used to insert $ a_i$ into the proper position after the first $ i − 1$ elements $ a_1 ,a_2,…,a_{i−1}$ have been sorted. Because

$ X=X_2+X_3+···+X_n$ ,

we can use the linearity of expectations to conclude that

$ E(X) = E(X_2 + X_3 +···+X_n) = E(X_2) + E(X_3) +···+E(X_n).$

To find $ E(X_i )$ for $ i = 2, 3,…,n$ , let $ p_j (k)$ denote the probability that the largest of the first $ j$ elements in the list occurs at the $ k$ th position, that is, that $ max(a_1 ,a_2 ,…,a_j ) = a_k$ , where $ 1 ≤ k ≤ j$ . Because the elements of the list are randomly distributed, it is equally likely for the largest element among the first $ j$ elements to occur at any position. Consequently, $ p_j (k) = \frac{1}{j}$ .If $ X_i (k)$ equals the number of comparisons used by the insertion sort if $ a_i$ is inserted into the $ k$ th position in the list once $ a_1,a_2 ,…,a_{i−1}$ have been sorted, it follows that $ X_i (k) = k$ . Because it is possible that $ a_i$ is inserted in any of the first $ i$ positions, we find that

$ E(X_i)$ = $ $ \sum_{k=1}^{i} p_i(k).X_i(k) = \sum_{k=1}^{i} \frac{1}{i}.k = \frac {1}{i}\sum_{k=1}^{i} k = \frac{1}{i}.\frac{i(i+1)}{2} = \frac{i+1}{2}$ $

It follows that

$ E(X)$ = $ $ \sum_{i=2}^{n} E(X_i) = \sum_{i=2}^{n} \frac{i+1}{2} =\frac{n^{2} + 3n -4}{4}$ $

My doubt


Now here while we are considering the calculation of $ E(X_i)$ we are first considering the probability of the maximum element between $ a_1,a_2,…,a_i$ being at position $ k$ . Then they are saying that the number of comparisons when $ a_i$ is placed into the $ k$ th position in the list $ a_1,a_2,…,a_{i-1}$ (which is already sorted) is $ k$ . Why are they considering the insertion of $ a_i$ into the position of the maximum of the elements $ a_1,a_2,…,a_i$ . $ a_i$ as per the algorithm should be placed at the first position (while scanning the array from left) when we find an element which is $ \geqslant a_i$ and not the maximum element of the sublist $ a_1,a_2,…,a_i$ .

Moveover they say that the max element of the sublist $ a_1,a_2,…,a_i$ is any arbitrary position $ k$ th and the probability of it being $ \frac{1}{i}$ . But if we see that $ a_1,a_2,…,a_{i-1}$ is sorted then the max of $ a_1,a_2,…,a_i$ is either $ a_{i-1}$ or $ a_i$ .

How to “trust” data that is posted from one application to other

We have a use case where a bunch of data needs to be posted from our application to a partner site where the end user takes some actions and then returns back to our site. On the return, the partner site also posts some data back to us. We need to establish trust for both the redirects.. i.e. the partner site needs to confirm that the data is originated at our end and hasn’t been modified during the transmission nd the same applies for post back from partner site. Our main constraint is that it should be a low cost solution for our partners. Our application is a multi-tenanted app with various partners (dozens). The usecase is applicable for all of them.

One option we looked at is a two step process, where our site posts a unique transaction id to the partner site which then calls a webservice hosted by us to get the complete data. We can secure our webservice using 2-way SSL auth and same goes for the data from the partner site. But the problem with the extra cost involved in creating a webservice at each partner end. This would delay the onboarding of a new partner and increase the cost.

Are there other alternatives to this problem than the PKI based solution?

I am trying to configure CSRFGuard library in my java web application, however i get the following error

I have included the csrf 3.0 jar and also included the at the beginning of the jsp pages. However, i get the error when i try to run my project.Can someone guide me to implement CSRF Guard properly on my web application. Thanks for your help.

<java.lang.NoSuchMethodError: org.owasp.csrfguard.CsrfGuard.load(Ljava/util/Properties;)V         at org.owasp.csrfguard.CsrfGuardServletContextListener.contextInitialized(CsrfGuardServletContextListener.java:38)         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4732)         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5194)         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:152)         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:702)         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:596)         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:467)         at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1617)         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)         at java.lang.reflect.Method.invoke(Method.java:606)         at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:300)         at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)         at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)         at org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1483)         at org.apache.catalina.manager.ManagerServlet.deploy(ManagerServlet.java:904)         at org.apache.catalina.manager.ManagerServlet.doGet(ManagerServlet.java:336)         at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)         at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:632)         at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:318)         at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:97)         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:1096)         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)         at org.apache.coyote.AbstractProtocol$  ConnectionHandler.process(AbstractProtocol.java:760)         at org.apache.tomcat.util.net.NioEndpoint$  SocketProcessor.run(NioEndpoint.java:1480)         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)         at java.util.concurrent.ThreadPoolExecutor$  Worker.run(ThreadPoolExecutor.java:615)         at org.apache.tomcat.util.threads.TaskThread$  WrappingRunnable.run(TaskThread.java:61)         at java.lang.Thread.run(Thread.java:745) 

Below is the web.xml configuration. I have included CSRFGuard 3.0 jar

    <listener>         <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>     </listener>       <listener>         <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>     </listener>      <filter>         <filter-name>CSRFGuard</filter-name>         <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>         <init-param>             <param-name>error_page</param-name>             <param-value>/csrfAttackError.jsp</param-value>          </init-param>     </filter>     <context-param>         <param-name>Owasp.CsrfGuard.Config</param-name>         <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>     </context-param>     <context-param>         <param-name>Owasp.CsrfGuard.Config.Print</param-name>         <param-value>false</param-value>     </context-param>     <listener>         <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>     </listener>   <servlet>     <servlet-name>JavaScriptServlet</servlet-name>     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>      <init-param>         <param-name>source-file</param-name>         <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>     </init-param>     <init-param>         <param-name>inject-into-forms</param-name>         <param-value>true</param-value>     </init-param>     <init-param>         <param-name>inject-into-attributes</param-name>         <param-value>true</param-value>     </init-param>     <init-param>         <param-name>domain-strict</param-name>         <param-value>false</param-value>     </init-param>     <init-param>         <param-name>referer-pattern</param-name>         <param-value>.*</param-value>     </init-param> </servlet> 

Best practices for storing long-term access credentials locally in a desktop application?

I’m wondering how applications like Skype and Dropbox store access credentials securely on a user’s computer. I imagine the flow for doing this would look something like this:

  1. Prompt the user for a username/password if its the first time
  2. Acquire an access token using the user provided credentials
  3. Encrypt the token using a key which is just really a complex combination of some static parameters that the desktop application can generate deterministically. For example something like:
value = encrypt(data=token, key=[os_version]+[machine_uuid]+[username]+...) 
  1. Store value in the keychain on OSX or Credential Manager on Windows.
  2. Decrypt the token when the application needs it by generating the key

So two questions:

  1. Is what I described remotely close to what a typical desktop application that needs to store user access tokens long term does?
  2. How can a scheme like this be secure? Presumably, any combination of parameters we use to generate the the key can also be generated by a piece of malware on the user’s computer. Do most applications just try to make this key as hard to generate as possible and keep their fingers crossed that no one guesses how it is generated?

Pattern matching on function application

Suppose we have a function f :: a -> b and a function g :: b -> a such that f . g = id. You might say that g is the “inverse” of f (and vice versa). Could we then pattern match on something like f x on the left hand side by replacing occurences of x with g x on the right hand side? For example:

-- Here, (- 3) is the "inverse" of (+ 3), or more generally, (- n) is the "inverse" of (+ n)  subtractThree (x + 3) = x subtractThree x = (x - 3) 

This just randomly came to my mind and I’m wondering if there is something fundamentally wrong with this.

Edit: This is my first post here and I’m unsure whether this is the right kind of question for this community. Please don’t hesitate to close this if this doesn’t belong here.

What measures can I take to prevent Server Side Request Forgery (SSRF) in a JAX-RS Application running on Apache Tomcat?

If I have a an application server that uses an implementation of JAX-RS, and is running as *.war file on an Apache Tomcat server, is there anything special that needs to be done or configured to prevent SSRF attacks?

My naive understanding is that JAX-RS application are only serving requests to certain URLs and Apache Tomcat only allows requests to certain resources.

If this is handled by default by JAX-RS or Apache Tomcat, could you explain how?

If this is not handled by default by JAX-RS nor Apache Tomcat, could you explain the best way to prevent this type of attack with these tools?

Specific versions:

  • JAX-RS api 2.1
  • Apache Tomcat 9.0.33

Security headers in application vs. Tomcat default 40x error

I would like to assess the actual risk for various CORS attacks when a web application properly sets CSP and other response headers, but the app server error page does not. When a 40x can be provoked by trying to access protected content, for example, can the error response be used to inject malicious scripts, even though the web application is protected? I just can’t envision a scenario where this is done.

Or x-content-type-options: nosniff. It is missing from a 400 error page. Is this a real vulnerability? What can an attacker do with the error response?