Deterministic Finite Automata vs Java

You need to select a device controller. You have two options:

  • Option 1: Implement with a DFA
  • Option 2: Implement using Java

The primary advantage of a DFA over a program written in Java is as follows:

Answer choices:

  • A DFA requires fewer computational resources
  • A DFA is faster than a program in Java
  • Running a DFA costs less than running a program written in Java
  • It doesn’t matter if we use a DFA or a program written in Java, as long as it gets the job done

How to prevent DNS spoofing in Java code which obtains the name of localhost

FORTIFY static scan has detected that this piece of our Java code is vulnerable to a DNS spoofing attack:

    public String getLocalhostName() {
        try {
            return Inet4Address.getLocalHost().getHostName();
        } catch (UnknownHostException e) {
            return null;
        }
    }

FORTIFY also gives these recommendations:

Recommendations:

You can increase confidence in a domain name lookup if you check to make sure that the host’s forward and backward DNS entries match. Attackers will not be able to spoof both the forward and the reverse DNS entries without controlling the nameservers for the target domain. This is not a foolproof approach however: attackers may be able to convince the domain registrar to turn over the domain to a malicious nameserver. Basing authentication on DNS entries is simply a risky proposition.

My questions are:

  1. Is getting the local host name really vulnerable to such an attack? I can’t imagine such a scenario.
  2. How to implement this check in practice (in this code snippet)?

Thank you.
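The forward/reverse consistency check that Fortify describes, as an added example that is not part of the question or of Fortify's own material. It is a stand-alone utility: `forwardAndReverseAgree` resolves a name to its addresses, asks each address for its PTR name, and requires that PTR name to resolve back to the same address. The class name and method names are chosen here. One mechanical detail worth knowing when reading the posted snippet: `getLocalHost()` takes the machine's own name from the OS and forward-resolves it, and `getHostName()` then returns that stored name without any reverse lookup, so the only DNS step in the snippet is the forward resolution; the check below is mainly useful for names of remote hosts.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Locale;

/**
 * Added example (not from the question): forward/reverse DNS agreement check.
 * Class and method names are chosen for this example.
 */
public final class DnsConsistencyCheck {

    private DnsConsistencyCheck() {}

    /** Strip a trailing dot and lower-case, so "Host.Example." compares equal to "host.example". */
    static String normalize(String name) {
        String n = name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
        return n.toLowerCase(Locale.ROOT);
    }

    /**
     * True only if every address the forward lookup of hostname yields has a PTR
     * record naming hostname, and that PTR name resolves back to the same address.
     * A name with no addresses, or an IP literal, yields false.
     */
    public static boolean forwardAndReverseAgree(String hostname) throws UnknownHostException {
        String expected = normalize(hostname);
        InetAddress[] forward = InetAddress.getAllByName(hostname);   // A / AAAA lookup
        for (InetAddress addr : forward) {
            // getCanonicalHostName() performs the PTR lookup. If no usable name is
            // found it returns the textual IP, which cannot equal the hostname.
            String reverse = normalize(addr.getCanonicalHostName());
            if (!reverse.equals(expected)) {
                return false;
            }
            // Close the loop explicitly: the PTR name must resolve back to this address.
            InetAddress[] again = InetAddress.getAllByName(reverse);
            if (!Arrays.asList(again).contains(addr)) {   // InetAddress.equals compares address bytes
                return false;
            }
        }
        return forward.length > 0;
    }

    public static void main(String[] args) throws UnknownHostException {
        String local = InetAddress.getLocalHost().getHostName();
        System.out.println(local + " forward/reverse agree: " + forwardAndReverseAgree(local));
        String target = args.length > 0 ? args[0] : "localhost";
        System.out.println(target + " forward/reverse agree: " + forwardAndReverseAgree(target));
    }
}
```

The check raises the bar, as the Fortify text says, but it is still DNS: whoever controls the zone can make both directions agree, so a positive result should feed logging or a risk score, not stand in for authentication.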

Head First Java, 2nd Edition 2nd Edition

Learning a complex new language is no easy task, especially when it's an object-oriented computer programming language like Java. You might think the problem is your brain. It seems to have a mind of its own, a mind that doesn't always want to take in the dry, technical stuff you're forced to study.

The fact is your brain craves novelty. It's constantly searching, scanning, waiting for something unusual to happen. After all,…


Java Keystore – Do the passwords have to be the same everywhere?

If I set the password to ABC123 for all prompts then ActiveMQ works fine.

But if I try to play around with different passwords I get an exception.

Can someone tell me where the passwords have to be the same and where they should differ for security reasons? And then finally, what would be the keystore password and the truststore password?

Step 1:

    keytool -import -alias "CA" -file /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -keystore truststore.jks
    Enter keystore password: ABC123

Step 2:

cat /etc/puppetlabs/puppet/ssl/private_keys/activemq.localhost.pem /etc/puppetlabs/puppet/ssl/certs/activemq.localhost.pem > temp.pem 

Step 3:

    openssl pkcs12 -export -in temp.pem -out activemq.p12 -name activemq.localhost
    Enter Export Password: XYZ123

Step 4:

    keytool -importkeystore -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias activemq.localhost
    Enter destination keystore password: ABC123
    Re-enter new password: ABC123
    Enter source keystore password: XYZ123

And then I try to use this sslContext.

    <sslContext>
        <sslContext
            keyStore="/etc/activemq/keystore.jks"
            keyStorePassword="ABC123"
            trustStore="/etc/activemq/truststore.jks"
            trustStorePassword="ABC123" />
    </sslContext>

But I get the following error. I even tried trustStorePassword as XYZ123 but still it fails.

Invocation of init method failed; nested exception is java.security.UnrecoverableKeyException: Cannot recover key 
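A Java keystore carries two independent passwords: one for the store as a whole (its integrity check) and one per key entry. `keytool -importkeystore` keeps the source entry's password as the destination entry's password unless `-destkeypass` is given, so after the steps above the store opens with ABC123 while the activemq.localhost entry is still protected with XYZ123; `keytool -keypasswd` can change an entry password after the fact. A configuration that is only given a store password will generally try that same password on the key entry, and "Cannot recover key" is what the JCA raises when an entry password is wrong. The following is an added example, not from the question or from ActiveMQ, that reproduces the two-password situation entirely in memory; it uses a PKCS12 store holding a symmetric key so that no certificate is needed, and the class and method names are chosen here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not from the question): store password versus key-entry password.
 * PKCS12 with a secret-key entry is used only so the demo needs no certificate chain.
 */
public final class KeyPasswordDemo {

    private static final char[] STORE_PASS = "ABC123".toCharArray(); // the question's keystore password
    private static final char[] KEY_PASS   = "XYZ123".toCharArray(); // the question's PKCS12 export password
    private static final String ALIAS      = "activemq.localhost";   // alias from the question

    /** Build a keystore whose store password and key-entry password differ. */
    static byte[] buildStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                         // start with an empty store
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(KEY_PASS));          // entry protected by KEY_PASS
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASS);                                   // store protected by STORE_PASS
        return out.toByteArray();
    }

    /** What a server does at startup: open the store, then pull the key with the entry password. */
    static boolean keyRecoverable(byte[] storeBytes, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(storeBytes), storePass);    // a wrong storePass fails here instead
        try {
            return ks.getKey(ALIAS, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            return false;   // the "Cannot recover key" case: entry password does not match
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] store = buildStore();
        // A keyStorePassword-only configuration effectively does this: store password reused for the entry.
        System.out.println("store password used for key entry: "
                + keyRecoverable(store, STORE_PASS, STORE_PASS));
        // The password the entry was actually imported with.
        System.out.println("entry's own password used:         "
                + keyRecoverable(store, STORE_PASS, KEY_PASS));
    }
}
```

Whether the two passwords should differ is a deployment choice: a distinct entry password only helps if the component reading the store is told both, otherwise it just produces the failure above. What matters more for the trust store is that it needs no key password at all, since it holds only certificates.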

Best way to make a Side Panel UI with Libgdx? (Java)

Take this image for example, the game is called Realm of the mad god, and it has this side panel filling the whole screen height with the player info.

To reproduce it, is there any way to make the game "view" smaller so I can fit the side panel to its right without literally overlaying the game, PROBABLY like this game did, or is the only way out to overlay the game?

(Tibia might also be an example of a game smaller than its UI)

Side Panel example

Getting numerous HEAD requests by Java user agents to resources that require authentication to view within a web application. Should I block them?

I have recently started using Cloudflare’s firewall in front of a web application. This app has a limited user base of selected applicants and they must log in to view anything. There is no public registration form and nothing within the portal can be accessed without an account.

Since moving the DNS to Cloudflare I can see we are receiving numerous daily HEAD requests to paths that are only accessible within the portal.

These requests come from one of two groups of IP addresses from the United States (we are not a US-based company; our own hosting is based in AWS Ireland region and we’re pretty sure at least 99% of our users have never been US-based):

Java User Agents

  • User agent is Java/1.8.0_171 or some other minor update version.
  • The ASN is listed as Digital Ocean.
  • The IP addresses all seem to have had similar behaviour reported previously, almost all against WordPress sites. Note that we’re not using WordPress here.

Empty User Agent

  • No user agent string.
  • The ASN is listed as Amazon Web Services.
  • The IP addresses have very little reported activity and do not seem at all connected to the Java requests.

Other Notes

  • The resources being requested are dynamic URLs containing what are essentially order numbers. We generate new orders every day, and they are visible to everyone using the portal.
  • I was unable to find any of the URLs indexed by Google. They don’t seem to be publicly available anywhere. There is only one publicly accessible page of the site, which is indexed.
  • We have potentially identified one user who seems to have viewed all the pages that are showing up in the firewall logs (we know this because he shows up in our custom analytics for the web app itself). We have a working relationship with our users and we’re almost certain he’s not based in the US.

I am aware that a HEAD request in itself is nothing malicious and that browsers sometimes make HEAD requests. Does the Java user agent, or lack of a user agent in some cases, make this activity suspicious? I already block empty user agents and Java user agents through the firewall, although I think Cloudflare by default blocks Java as part of its browser integrity checks.

Questions

  1. Is there any reason why these might be legitimate requests that I shouldn’t block? The fact it’s a HEAD request from a Java user agent suggests no, right?

  2. One idea we had is that one of the users is sharing links to these internal URLs via some outside channel, to outsource work or something. Is it possible some kind of scraper or something has picked up these links and is spamming them now? As I say, I was unable to find them publicly indexed.

  3. Is it possible the user we think is connected has some sort of malware on their machine which is picking up their browser activity and then making those requests?

  4. Could the user have some sort of software that is completely innocent which would make Java based HEAD requests like this, based on their web browsing activity?

Any advice as to how I should continue this investigation? Or other thoughts about what these requests are?
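One way to make the pattern in the question measurable rather than anecdotal is to run the firewall export through a small triage pass that keeps only the combination that is actually unusual here: a HEAD request for a portal-only path, from a non-browser User-Agent (Java/ or empty), grouped by ASN so the two IP groups can be compared. The following is an added example, not from the question or from Cloudflare; the log format, the `/portal/` prefix, the ASN labels and the log lines are all constructed for the example, and the regular expression would need to be adapted to a real export.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the question): triage of HEAD requests to
 * authenticated paths by non-browser user agents. Format and data constructed.
 */
public final class HeadRequestTriage {

    // Constructed line format: ip method path "user-agent" asn-label
    private static final Pattern LINE = Pattern.compile("^(\\S+) (\\S+) (\\S+) \"([^\"]*)\" (\\S+)$");

    static final class Hit {
        final String ip, asn, ua, path;
        Hit(String ip, String asn, String ua, String path) {
            this.ip = ip; this.asn = asn; this.ua = ua; this.path = path;
        }
        @Override public String toString() { return ip + " (" + asn + ") " + path + " ua=\"" + ua + "\""; }
    }

    /** Paths that are only reachable after login; the prefix is an assumption for the example. */
    static boolean isPortalPath(String path) { return path.startsWith("/portal/"); }

    /** The two agent shapes the question describes. */
    static boolean isNonBrowserAgent(String ua) { return ua.isEmpty() || ua.startsWith("Java/"); }

    /** Returns the suspicious hits in input order; malformed lines are skipped. */
    static List<Hit> triage(List<String> lines) {
        List<Hit> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            String ip = m.group(1), method = m.group(2), path = m.group(3), ua = m.group(4), asn = m.group(5);
            if ("HEAD".equals(method) && isPortalPath(path) && isNonBrowserAgent(ua)) {
                hits.add(new Hit(ip, asn, ua, path));
            }
        }
        return hits;
    }

    /** Hits per ASN label, so the two groups from the question show up side by side. */
    static Map<String, Integer> countByAsn(List<Hit> hits) {
        Map<String, Integer> counts = new TreeMap<>();
        for (Hit h : hits) counts.merge(h.asn, 1, Integer::sum);
        return counts;
    }

    public static void main(String[] args) {
        List<String> sample = Arrays.asList(   // constructed lines; documentation-range IPs
                "203.0.113.10 HEAD /portal/orders/10001 \"Java/1.8.0_171\" DigitalOcean",
                "203.0.113.11 HEAD /portal/orders/10002 \"Java/1.8.0_181\" DigitalOcean",
                "198.51.100.7 HEAD /portal/orders/10001 \"\" AWS",
                "192.0.2.5 GET /portal/orders/10001 \"Mozilla/5.0 (X11; Linux x86_64)\" ISP",
                "192.0.2.6 HEAD / \"Java/1.8.0_171\" DigitalOcean");   // public page, so not flagged
        List<Hit> hits = triage(sample);
        hits.forEach(System.out::println);
        System.out.println("per ASN: " + countByAsn(hits));
    }
}
```

The User-Agent alone is a weak signal, since any client can set it; the useful observation is that unauthenticated HEAD requests to order URLs cannot come from normal use of the portal, so the output of a pass like this is best joined against the application's own access log (which order IDs, how soon after they were first viewed, and by whom) to test the link-sharing hypothesis in question 2.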

Java LERP but with integer values

I have a formula which returns a Lerp Vector3 value in integers but the problem is it never reaches the desired target value. It’s converting to pixel values first by multiplying by PPM which is 32.

    private Vector3 lerp(final Vector3 source, final Vector3 target, float alpha) {
        Vector3 sourcePPM = new Vector3(source.x * PPM, source.y * PPM, 0);
        Vector3 targetPPM = new Vector3(target.x * PPM, target.y * PPM, 0);
        sourcePPM.x += Math.round(alpha * (targetPPM.x - sourcePPM.x));
        sourcePPM.y += Math.round(alpha * (targetPPM.y - sourcePPM.y));
        source.x = sourcePPM.x / PPM;
        source.y = sourcePPM.y / PPM;
        source.z = 0;
        return source;
    }

So for example with lerp(new Vector3(0.0, 0.0, 0.0), new Vector3(26.0, 29.0, 0.0), 0.06f), the final result is:

    Target destination: (26.0,29.0,0.0)
    Actual final destination: (25.75,28.75,0.0)

Falling short of the target destination. If I don’t round the values then it gets there fine but I need it to be in whole pixels.
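The stall comes from rounding the step: once alpha times the remaining gap is under half a pixel, `Math.round` turns the step into 0 and the value never moves again (with PPM 32 and alpha 0.06, that happens 8 pixels short, which is the 0.25 world units seen above). The following is an added example, not from the question or from libgdx, that keeps whole-pixel positions but never lets a non-zero gap produce a zero step; it works on plain floats per axis rather than on Vector3, and the class and method names are chosen here.

```java
/**
 * Added example (not from the question): whole-pixel interpolation that
 * always reaches its target. Works per axis on plain floats.
 */
public final class PixelLerp {

    static final float PPM = 32f;   // pixels per world unit, as in the question

    /** Move one axis from sourcePx toward targetPx by round(alpha * gap), but at least 1 px. */
    static int stepPixels(int sourcePx, int targetPx, float alpha) {
        int gap = targetPx - sourcePx;
        if (gap == 0) return targetPx;
        int step = Math.round(alpha * gap);
        if (step == 0) step = Integer.signum(gap);   // close the last pixels one at a time
        return sourcePx + step;
    }

    /** One interpolation step in world units; the result always sits on the pixel grid. */
    static float lerpWorld(float source, float target, float alpha) {
        int sourcePx = Math.round(source * PPM);
        int targetPx = Math.round(target * PPM);
        return stepPixels(sourcePx, targetPx, alpha) / PPM;   // multiples of 1/32 are exact in float
    }

    /** Iterate both axes until they land exactly on the target; returns the step count. */
    static int stepsToReach(float sx, float sy, float tx, float ty, float alpha) {
        int steps = 0;
        while (sx != tx || sy != ty) {
            sx = lerpWorld(sx, tx, alpha);
            sy = lerpWorld(sy, ty, alpha);
            steps++;
        }
        return steps;
    }

    public static void main(String[] args) {
        // The question's inputs: (0,0) toward (26,29) with alpha 0.06
        System.out.println("steps to reach target: " + stepsToReach(0f, 0f, 26f, 29f, 0.06f));
    }
}
```

The loop terminates for any alpha in (0, 1], because the rounded step always has the sign of the gap and never exceeds it, so the gap shrinks by at least one pixel per call until it is zero.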

Spring Boot, Set Up Spring Properties From Java Pojo not from application.properties

I have been struggling to set up Spring Boot properties programmatically. I know how to set them up from the application.properties file.

But I would like not to use application.properties, because in my use case the application properties file is encrypted, I mean the file itself is encrypted (not the industry-standard way, like data encryption). So I would like to read the encrypted file and set Spring properties without saving the decrypted file on the server. I am able to decrypt and save it in a Java object, but I do not know how to set those properties for the app.
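Spring reads configuration from an ordered list of property sources in its Environment, so decrypted properties can be handed to it from memory by adding a `MapPropertySource` before the context is refreshed; an `ApplicationContextInitializer` registered on `SpringApplication` is the simplest place to do that. The following is an added example, not from the question or from Spring; it assumes Spring Boot on the classpath, takes the already-decrypted bytes of the properties file as input (the question says decryption is already solved), and the class name, the `"decrypted-config"` source name and the `start` helper are names chosen here.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.springframework.boot.SpringApplication;
import org.springframework.context.ApplicationContextInitializer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.env.MapPropertySource;

/**
 * Added example (not from the question): registers decrypted .properties text
 * as a property source without writing it to disk. Names chosen for this example.
 */
public final class DecryptedPropertiesInitializer
        implements ApplicationContextInitializer<ConfigurableApplicationContext> {

    private final Map<String, Object> props;

    public DecryptedPropertiesInitializer(byte[] decryptedPropertiesFile) {
        this.props = parse(decryptedPropertiesFile);
    }

    /** Parse key=value text from memory, the same syntax application.properties uses. */
    static Map<String, Object> parse(byte[] bytes) {
        Properties p = new Properties();
        try {
            p.load(new StringReader(new String(bytes, StandardCharsets.UTF_8)));
        } catch (IOException e) {
            throw new IllegalStateException("decrypted config is not valid .properties text", e);
        }
        Map<String, Object> m = new HashMap<>();
        for (String name : p.stringPropertyNames()) {
            m.put(name, p.getProperty(name));
        }
        return m;
    }

    @Override
    public void initialize(ConfigurableApplicationContext ctx) {
        // addFirst: these values win over application.properties, profiles and the command line
        ctx.getEnvironment().getPropertySources()
           .addFirst(new MapPropertySource("decrypted-config", props));
    }

    /** Wire the initializer in and start the application; call this from main(). */
    public static ConfigurableApplicationContext start(Class<?> appClass, byte[] decrypted, String... args) {
        SpringApplication application = new SpringApplication(appClass);
        application.addInitializers(new DecryptedPropertiesInitializer(decrypted));
        return application.run(args);
    }
}
```

Use `addLast` instead of `addFirst` if the decrypted file should behave as a fallback rather than an override. The values still live in the JVM, so anything that exposes the Environment (an actuator environment endpoint, a heap dump) exposes them; keeping the decrypted file off disk removes one copy, not the secret.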

AES encryption (in Java) of different JSON strings always produce same encrypted string as result. Why?

I have a program written in Java which takes a JSON string as argument, encrypts it using AES, then encodes it using Base64. The JSON string is like:

{"a": "b"} or {"a": "n"} or {"a": "k"}  

I.e. the related object would have one property a. The value part is randomly generated.

Program outputs for the above JSON inputs look like

    UBNvKoRoGqk0PTQQL5K4Sw==
    bKwlToSND3HkceDExEDXSw==
    u/yKJq1FdoifBM+AnadC3A==

i.e. they are unique.

Same goes for {"a":"gn"} — random string with length 2. Same for 3 and so on.

But starting from 7, the program produces the same encoded string for different inputs. I mean the following JSON strings taken as input:

    {"a": "pzfovvs"}
    {"a": "bqwuvck"}

produce the same string as output:

Dwg0Xjkot8UBfn+vbcCfOS4KluXB6RCFQ932Y9ABtIg= 

Same goes for length 8 and 9. Starting from 10, results became unique again.

What is the explanation of this strange phenomenon?

(I can post code if needed.)

Ok, here is the code:

    import java.security.Key;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;

    public class JWTEncryptor {

        // "AES" with no mode or padding given: the JDK's SunJCE provider resolves this to AES/ECB/PKCS5Padding
        private static String algorithm = "AES";
        private static Key key;
        private static KeyGenerator keyGenerator;
        private static Cipher cipher;

        public static String encrypt(String jwt) throws Exception {
            if (key == null || cipher == null) {
                setUp();
            }
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return Base64.getEncoder().encodeToString(cipher.doFinal(jwt.getBytes("UTF-8")));
        }

        // Lazily creates the cipher and a random key; the key exists only for the lifetime of this JVM
        private static void setUp() {
            try {
                cipher = Cipher.getInstance(algorithm);
            } catch (Exception e1) {
                e1.printStackTrace();
            }
            if (keyGenerator != null) {
                key = keyGenerator.generateKey();
                return;
            }
            try {
                keyGenerator = KeyGenerator.getInstance(algorithm);
                key = keyGenerator.generateKey();
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            }
        }

        public static String decrypt(String encryptedJWT) throws Exception {
            if (key == null || cipher == null) {
                setUp();   // same guard as encrypt(), so decrypt() cannot dereference a null cipher
            }
            cipher.init(Cipher.DECRYPT_MODE, key);
            return new String(cipher.doFinal(Base64.getDecoder().decode(encryptedJWT)), "UTF-8");
        }
    }
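Two properties of the posted class are worth separating. `Cipher.getInstance("AES")` on the standard JDK providers means AES/ECB/PKCS5Padding, which is deterministic: the same key and plaintext always give the same ciphertext, and equal 16-byte plaintext blocks give equal ciphertext blocks, which is why ECB is avoided for anything structured. At the same time, a block cipher under one key is a permutation, so two different plaintexts can never encrypt to identical bytes under the same key, in ECB or any other mode. The following is an added example, not from the question, that runs the question's two length-7 inputs through the ECB form the posted code uses and through an AES/GCM form with a fresh random nonce per call; class and method names are chosen here.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not from the question): deterministic ECB beside randomized,
 * authenticated GCM, on the inputs from the question.
 */
public final class AesModesDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int NONCE_BYTES = 12;   // the GCM nonce size the JDK is tuned for
    private static final int TAG_BITS = 128;

    /** What "AES" alone gives: same key + same plaintext always yields the same bytes. */
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");   // the implicit default, spelled out
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    /** Randomized and authenticated: output is nonce || ciphertext || tag. */
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                                     // a nonce must never repeat under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Splits the nonce back off; doFinal throws AEADBadTagException if anything was altered. */
    static byte[] decryptGcm(SecretKey key, byte[] nonceAndCiphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonceAndCiphertext, 0, NONCE_BYTES));
        return c.doFinal(nonceAndCiphertext, NONCE_BYTES, nonceAndCiphertext.length - NONCE_BYTES);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] p1 = "{\"a\": \"pzfovvs\"}".getBytes(StandardCharsets.UTF_8);   // inputs from the question
        byte[] p2 = "{\"a\": \"bqwuvck\"}".getBytes(StandardCharsets.UTF_8);

        byte[] e1 = encryptEcb(key, p1), e1again = encryptEcb(key, p1), e2 = encryptEcb(key, p2);
        System.out.println("ECB, same input twice, equal?      " + Arrays.equals(e1, e1again));
        System.out.println("ECB, different inputs, equal?      " + Arrays.equals(e1, e2));

        byte[] g1 = encryptGcm(key, p1), g1again = encryptGcm(key, p1);
        System.out.println("GCM, same input twice, equal?      " + Arrays.equals(g1, g1again));
        System.out.println("GCM round trip:                    "
                + new String(decryptGcm(key, g1), StandardCharsets.UTF_8));
        System.out.println("GCM output (base64):               " + Base64.getEncoder().encodeToString(g1));
    }
}
```

Because the posted class generates its key inside the JVM, outputs from separate runs are under different keys and are not comparable with each other at all; any comparison of ciphertexts only means something within one run, under one key, which the demo keeps to by creating the key once in `main`.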