Paramaterized Java Classes

Posted by Daniel on October 3, 2009 3 comments

One of the biggest features of Java 1.5 was generics. In particular all the collection classes had been extended to use parametrized classes. Normally the collection classes accepted and returned Objects which is the class all other Java classes descend from. Unfortunately this meant that you had to cast everything you got back out of a collection to what you expected it to be. and until you did you would only be able to call methods that were provided by Object. You also had to be ready to catch an exception in case the class could not be cast because it was the wrong object.

Generics and parametrized classes allow Java programmers to place a type on a class and have that type inherited by its methods. For example you can now declare an ArrayList class with a type String. This alters the ArrayList class so that its add method now only accepts objects of type String, the get method now also returns objects of type String. This makes everything type safe which means you don’t have to cast anything and your code won’t compile if you try to put something in the ArrayList that doesn’t match its class.

Java uses parametrized classes to build its collections and you’ll want to use them too if you’re making your own collection class. For example if you were implementing a stack, a queue or a multi-priority FIFO queue are good cases for parametrized classes. Be careful though of the lure parametrized classes can have. They are not a replacement for polymorphism and shouldn’t be used when polymorphism would make more sense. For example if your multi-priority queue gets the priority out of the object itself then you’d need an interface that provides a method to get the priority. Then your class will only be able to accept items that implement that interface, which makes sense in this case as we need to priority to be able to store it.

A parametrized class is really simple to use. Here is an example implementation of a stack collection backed by an ArrayList:
[code lang="java"]import java.util.ArrayList;
import java.util.Collection;

/**
* This class acts as a stack. Items can be 'pushed' which adds them to the top
* of the stack. items can also be 'popped' which removes and returns the top
* item on the stack and removes it. This means only the most recently added
* item is available at the current time. To get to older items you need to
* first remove the others.
*
* Note: Java already has a stack object that should probably be used in
* preference to this one. This is only an example implementation.
*
* @author Daniel Hall <daniel@danielhall.me>
*
* @param <T> The type of items that can be stored in the Stack.
*/
public class Stack<T> {
/* Uses the same type as this class to store the items */
private ArrayList<T> array = new ArrayList<T>();

/**
* Creates a Stack containing items already in a collection. The collection
* must have the same parameterized type as this class to ensure that we get
* the right objects.
* @param c The Collection to initialize with
*/
public Stack(Collection<T> c) {
array.addAll(c);
}

/**
* Creates an empty Stack object
*/
public Stack() {

}

/**
* Adds an item to the top of the stack.
* @param item The item which will be added to the top of the stack.
*/
public void push(T item) {
array.add(item);
}

/**
* Removes the first item from the stack
* @return The item that was on the top of the stack.
*/
public T pop() {
/* This gets the size so we don't have to do it twice. */
int count = array.size();

/* If the stack is empty return null, note that the Java implementation
* of stack throws an Exception instead.
*/
if (count == 0) {
return null;
}

/* Remove the last added object (which will have index count - 1) */
return array.remove(count - 1);
}
}[/code]
Random thought: John Lions wrote a book about the Unix source code, in the seventies, which because it also included some code, was blocked from being published until 1996.

Cryptographically Secure Random Numbers in Java

Posted by Daniel on September 30, 2009 None comments

The Random Class

Most people wanting to generate random numbers in Java do something similar to the following:
[code lang="java"]public static void main(String[] args) {
Random generator = new Random();
int randomnumber = generator.nextInt(5) + 1;
System.out.println("Dice rolled: " + randomnumber);
}[/code]
This is perfectly fine for a simple dice rolling application where there isn’t going to be much effort put into cracking it. For example in this application the only real reason you would bother cracking it would be to show off a neat party trick to your geeky friends. No doubt though the effort wouldn’t be worth it.

Java states that the Random class and its subclasses must produce predictable results when seeded with the same data. This however is not why this is insecure, and it is useful when testing. The reason that this class is predictable though is the way in which it is seeded. The Random class, in the absence of a seed in its constructor it will seed its random number generator with the current time in milliseconds. This means that if somebody knows the time that the Random object was seeded and has several consecutive bytes of output then they can reasonably predict the next numbers. Once somebody has discovered the seed for the generator all number produced from it can be seen as compromised.

The SecureRandom Class

The SecureRandom class is different, it again uses algorithms that when seeded will produce predictable results, but the algorithm is much more complex. It uses a digest algorithm such as SHA-1 on the seed and a counter to generate random data. SHA-1 is much more costly than the simple algorithm used in the Random class and as such it is much harder to brute force.

Its true strength however lies in the method in which it is seeded. The SecureRandom class is seeded using true random data gathered by the operating system. This is data gathered by the OS from sources of true randomisation, such as mouse movements, network packet arrival times, IO statistics and interrupts. On Linux the data is gathered from /dev/random and on Windows via the CryptGenRandom() call in Windows.

When using SecureRandom though you should be aware of a few things:

  • The more random numbers some can get a hold of the more likely they can figure out the seed. You should either throw away the SecureRandom object every now and then or reseed it. Keeping in mind the next point though.
  • The seeding the generator takes entropy out of the system, if it cannot get any entropy it will block until the system has some. This means if you’re reseeding the generator too often your program will hang along with anything else on the system requiring entropy.
  • Don’t seed the SecureRandom class yourself, unless you are 100% absolutely sure you are seeding it with purely random data, or you are testing and need repeatable results. Whatever you do, don’t let your testing code leak into a production system.

How to decide

Generally when you’re coding you don’t need secure random numbers. For example if you’re writing a number guessing game, or a quiz generating program then high quality random numbers aren’t required. It should be noted though that if money is involved people will often go to greater lengths and a more secure generator will be required, such as in a slot machine.

Again generally if what you are generating is a security token of some sort then you will need a secure generator. For example a session id, a one time password or an encryption key. The exception here is a salt for a password, salts can be generated using predictable entropy sources, even a simple time stamp would work here (especially if your also storing the time stamp to measure password expiry).

Random Thought: For those of you who don’t know Bruce Schneier is the Chuck Norris of cryptography.

Google C&Ds CyanogenMod

Posted by Daniel on September 27, 2009 None comments

In an act that appears to contradict both the ‘do no evil’ and the ‘android is open’ mantras of Google they sent a Cease and Desist to CyanogenMod creator Cyanogen. This effectively means that all cooked versions can now no longer include and Google applications, sync with Google services or the many other closed source parts of the ROM. I use Cyanogen’s mod and this effectively cripples it to a worthless Linux phone distribution. Google have essentially said to me “You know that T-Mobile G1 you brought that was supposed to be completely open? Well we never made all the good bits open, and now we’re taking them away.”. I can’t use the Official ROM because I live in Australia and it constantly sends text messages to T-Mobiles myFaves which costs me a fortune. So Google has removed my ability to use their services on my ‘Google’ phone. So now wherever you read a press release where Google claims that Android is open you know what they really mean is they made the stuff they had to open and closed the rest.

I see only one way out of this mess, we need developers to replace all the closed source parts of Android with free software solutions. This means Android will be free and fully open source. Why stop there though? Lets make Google’s decision into one they will regret! As the open source community is replacing the closed source apps we should build in functionality to allow the phone to work with Google’s competitors. When you first used the G1 you had to sign in using your Google account. What if that same box let you sing in with your Live Id, your Yahoo account or even OpenID? Imagine the Android phone being written in completely open source to work on any operator! It wouldn’t be hard either, most are beginning to provide APIs to their accounts and I’m sure they’d love to help.

Edit: According the the Save Cyanogen Petition application on the market it is impossible to even run the ROMs that Google claim to support without the Google binaries.

Random Thought: Did you know the first Australian computer was built by Trevor Pearcey and Maston Beard in 1947-1951.

Using Subversion over SSH

Posted by Daniel on September 23, 2009 1 comments

Subversion is an amazing tool that you can use to keep track of all the changes you make to a group of files. If you haven’t used it before, or have never heard of ‘version control’ then you should probably read the Subversion Book.

Few people don’t realise that subversion has the ability to connect to a remote repository via SSH. Its extremely simple and can give you all the advantages of storing your important files on a server while still having them readily accessible on your desktop. This means that for example you could have your files (and every old version of your files) stored on a RAID device on a server while working with them locally on your desktop.

To set this up its actually rather simple. First you create your repository and perform the initial import of the files. I usually make it in my home directory as follows:
[code lang="shell"]mkdir -p /home/daniel/svn/newproject
svnadmin create /home/daniel/svn/newproject
mkdir -p /tmp/newrepo/{trunk,branches,tags}
svn import /tmp/newrepo file:///home/daniel/svn/newproject -m "Create Initial Structure"
rm -rf /tmp/newproject[/code]
These commands are basically what you’d use to create any subversion repository and people familiar with it require no explanation. Most people probably even have is scripted to make it just that much easier. Here comes the fun part though. Next we (on our local machine) check the files out. To checkout subversion repositories over ssh you simply use the following command:
[code lang="shell"]svn checkout svn+ssh://username@servername/home/daniel/svn/newproject/trunk newproject[/code]
All going well you will now see a password prompt and upon successful authentication the files will be checked out. This is all that is required and from now on you can simply use the ordinary svn commands.

Random Thought: … and I says to the kernel developer, I says “git this!”

The T-Mobile G1 Phone

Posted by Daniel on September 19, 2009 2 comments

The T-Mobile G1 Phone goes by a few names. HTC Dream and Google Android Development phone are two more. Essentially they are the same hardware and the only change is the software. The Android Development phone unlike the others comes with an unlocked bootloader allowing you to flash any software image you want where the other two will only allow software signed by either HTC or T-Mobile.

I bought mine two weeks ago and it has completely replaced my Windows Mobile phone to the point where I actually gave it away. The main issues that I have with Windows Mobile was the instability and the difficult to use interface. This new phone was a breath of fresh air. Amazingly when I was testing it out with the seller it received a weeks worth of SMSes indicating that my Windows Mobile phone had stopped accepting them.

I opted for the T-Mobile option. Mainly because I found one cheap on eBay but also because I knew of an exploit to easily get root, flash a new bootloader and install whatever OS I wanted. I knew with almost absolute certainty that I would want to be able to play with root access to the OS. I could have went with the HTC Hero or Magic (the successors to the G1) but I liked the idea of the flip out keyboard way too much.

The G1 is easy to use without a stylus, in fact it won’t work with a stylus as is uses a capacitive touch screen. This means all the applications, the keyboard and the core OS are designed with that in mind. While I could use my old phone with my thumbs many of the controls were impossible to use without perfect precision. Generally all the controls on the Andriod are larger and easier to manipulate, where the Windows Mobile controls are clunky and small.

The Android marketplace is also something that Windows Mobile could certainly have done with. It is an almost perfect image of the iPhone App Store, except that in the culture of open source most of the applications are free. The applications are easier to search for, review and download making the Android Marketplace a much easier to use and more polished tool.

One thing this phone and my last one have in common was the hacker community around them. Both have multiple ROMs available and its relatively easy to flash a new one. I’m currently running the latest stable CyanogenMod (4.0.4) which was extremely easy to flash courtesy of the latest kernel vulnerability and some specially designed tools.

Random Thought: I thought Androids could make breakfast for me.