Posted by F
Tue, 20 Feb 2007 03:49:00 GMT
I found myself needing to invoke a private method of a Java
class that was out of my control. I really needed it.
So, I went ahead and violated the method’s privacy declaration via
reflection. You can (under certain circumstances) invoke methods which
are declared as private using the Reflection APIs (java.lang.reflect).
But before using reflection, I created two classes:
    class A {
        public String method1() {
            return "Hello World!";
        }
    }

    class B {
        public static void main(String[] args) {
            A a = new A();
            System.out.println(a.method1());
        }
    }
They compiled, and java B said “Hello World!” as expected.
Then, I made A’s method private and recompiled A. And I ran java B again. Nothing changed. It just worked again.
That cannot be right. This would mean you can handcraft a class with the
same name and methods as the original one but making everything
public. Then you could use this class only at compilation time,
allowing your code to call any method. (Or, one could modify
the Java compiler to ignore access declarations altogether).
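The reflective route mentioned at the top of the post, as an added example that is not code from the original post: the class name PrivateAccessDemo is an assumption, and A mirrors the post's class with method1 made private. It shows the default runtime access check rejecting the call and setAccessible(true) suppressing it, which is why private is an encapsulation aid rather than a security boundary.

```java
import java.lang.reflect.Method;

// Hypothetical driver class (not from the post). Save as PrivateAccessDemo.java.
public class PrivateAccessDemo {
    public static void main(String[] args) throws Exception {
        A a = new A();
        // getDeclaredMethod finds private methods; getMethod would not.
        Method m = A.class.getDeclaredMethod("method1");

        // 1. By default a reflective call is access-checked at run time,
        //    so calling a private method of another class is rejected.
        try {
            m.invoke(a);
            System.out.println("unexpected: call succeeded without setAccessible");
        } catch (IllegalAccessException e) {
            System.out.println("blocked by runtime access check: " + e.getMessage());
        }

        // 2. setAccessible(true) asks the runtime to suppress that check.
        //    The request can be refused: SecurityException under a restrictive
        //    security manager, InaccessibleObjectException (Java 9+) when the
        //    target lives in a module that does not open its package.
        try {
            m.setAccessible(true);
            System.out.println("check suppressed, result: " + m.invoke(a));
        } catch (RuntimeException e) {
            System.out.println("setAccessible refused: " + e);
        }
    }
}

// Same shape as the post's class A, with method1 made private.
class A {
    private String method1() {
        return "Hello World!";
    }
}
```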
Posted in Java, Security
Posted by F
Tue, 14 Feb 2006 23:53:00 GMT
I’m at the Saint Louis International airport (STL), waiting to board
my flight back to Dallas. I have just experienced another
stupidity of the airport (in)security procedures. This post is not about software, but software security
and “physical” security depend on each other.
It’s an American Airlines flight. You can usually do the check-in
procedure online, and print the boarding-pass yourself before heading
to the airport. This is a welcome service, but this time it gave me an
error, something like: “Sorry, you cannot check-in online, please see
an agent at the airport”.
No big deal. At the airport I used one of the automated kiosks to
print my boarding pass. And it worked, without the need of an
agent.
I proceeded to security screening. The TSA
officer highlighted a “SSSS” imprint on the lower-right corner of my
boarding-pass and said: “you’ve been randomly selected for additional
screening, please come this way…”.
I couldn’t believe it! They randomly selected me for
screening, but they warned me about it in advance!… I mean, now I
(and you) know that if a passenger gets a quadruple-“S” code it means
he/she will get additional screening!
I asked the TSA guy how the process could be so flawed. He replied that he
understood my concern, but he was not responsible for defining the
process and couldn’t give me his opinion. Later, I asked one of the
American Airlines agents:
Posted in Security