21
Nov 13

Dilixiri, Securing a REST API and OzU-EMS


In 2010, I was working on turning the Dilixiri web app into an iPhone app. (Dilixiri is a Turkish-English and English-Turkish sentence translation app.) The problem at the time was that our small team did not know anything about exchanging data between different pieces of software. I knew some things about TCP/UDP from an example in my PyQt book. I first thought about running a TCP server on the server side, and then, since Dilixiri's page is a Django-based HTML page that simply uses an HTML POST to translate a sentence, I tried to do the same thing a web browser does.

For two major versions of Dilixiri (1.0-2.0), it worked pretty well. I was simulating what a web browser does by sending exactly the same headers a browser sends while making a request. Another problem was parsing the response (an HTML file). I used some simple split() calls to find the text I was looking for. (Now I feel embarrassed about it, especially after learning about the side effects and about regular expressions.)

However, in 2012, instead of making another big mistake, I did something right without knowing that it is (partially) the best practice for Dilixiri. In 3.0, I changed how the app handles translation by using JSON in the middle. But I was afraid of third parties who could easily use it in their own software. I had to think about a solution to handle that.

My first attempt was implementing a GET-parameter based API, so a request looked like this:
http://dilixiri.com/api/?translate=hello&from=eng
But if somebody discovers this URL pattern, it can be used without permission. After that first attempt, which in engineering terms may be called a very bad implementation, I thought about handing out an API key like some of the famous web services do. But if I request a translation:
http://dilixiri.com/api/?translate=hello&from=eng&key=123123123123
it is the same thing. This request can be captured on the network and repeated (like a man-in-the-middle attack). In the end, I implemented something like:
http://dilixiri.com/api/?translate=hello&from=eng&md5=ef800e8….9ff878e50a886d2

I hashed the request together with the API key, so that every request carries a different hash value. With this in place, replay attacks are still possible, but building a fully working API that produces the same translations as Dilixiri became impossible without knowing the API key.

A big drawback is that you can only use a single API key. Another is replay attacks. For an API like Dilixiri it is not a big deal, but when you think about other services, both immunity to replay attacks and the ability to serve more than one client should be handled.

How to achieve this? Nowadays, in the Computer Club, we are working on OZU-EMS (Özyeğin University Event Management System), which allows clubs to send their club events to the system; the system then shares them on its mobile app, web page, etc. It also saves time on the university side. (The professor responsible for the club and the social coordinator of the university can accept or reject the club's event request easily and painlessly.) We were looking for a way to make an API that serves these events to different clients outside the server, such as an Android app or a Kinect-based Windows app (CreativeOzu, another club, is working on that). After a little research, I found that my Dilixiri 3.0 approach was the correct one, but with lots of clients and different API keys there should be a public key and a private key per client. I personally wanted to share these links for a detailed explanation of implementing this solution:

There are other methods, such as implementing an HTTPS-based service or something else. But I think such custom solutions are better if you want to handle and understand things yourself.
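As an added example (not Dilixiri's or OZU-EMS's own code), here is the scheme the post arrives at, written in Python: every client gets a public key (identifier) and a private key (secret), the client computes a MAC over the request parameters, and the server recomputes it. It uses HMAC-SHA256 instead of the post's MD5, and adds a timestamp and a nonce so that a captured request cannot simply be replayed; the client names, secrets and the 300-second window are constructed demo values.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed demo credentials: the public key identifies the client, the
# private key is shared only between that client and the server.
CLIENT_KEYS = {"client-android": b"s3cr3t-android", "client-kinect": b"s3cr3t-kinect"}
MAX_SKEW = 300          # seconds a signed request stays valid
seen_nonces = set()     # in production: a shared store with expiry, not a process-local set

def canonical_string(params):
    """Sort parameters so client and server hash exactly the same bytes."""
    return urlencode(sorted(params.items()))

def sign_request(public_key, private_key, params, ts, nonce):
    """Client side: MAC over parameters + timestamp + nonce; returns the query string."""
    p = dict(params, key=public_key, ts=str(ts), nonce=nonce)
    sig = hmac.new(private_key, canonical_string(p).encode(), hashlib.sha256).hexdigest()
    return urlencode(sorted(dict(p, sig=sig).items()))

def verify_request(query, now=None):
    """Server side: recompute the MAC, then apply freshness and replay checks."""
    now = time.time() if now is None else now
    p = dict(parse_qsl(query))
    sig = p.pop("sig", None)
    private_key = CLIENT_KEYS.get(p.get("key"))   # look the secret up by public key
    if sig is None or private_key is None:
        return False, "unknown client or missing signature"
    expected = hmac.new(private_key, canonical_string(p).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad signature"
    try:
        ts, nonce = int(p["ts"]), p["nonce"]
    except (KeyError, ValueError):
        return False, "missing timestamp or nonce"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    if nonce in seen_nonces:                     # same signed request seen before
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"

if __name__ == "__main__":
    q = sign_request("client-android", CLIENT_KEYS["client-android"],
                     {"translate": "hello", "from": "eng"}, int(time.time()), "nonce-1")
    print(q)
    print(verify_request(q))   # (True, 'ok') the first time; a replay of q is then rejected
```

Because the timestamp and nonce are inside the MAC, an attacker who captures one request cannot change them without invalidating the signature, which is what closes the replay hole the post describes.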


27
Feb 13

Memory and Objects in Java

Early one morning (not that early actually, it was 8:30, but the Monday and Tuesday syndromes were in effect), a very interesting topic was introduced: "Memory and Objects in Java"!

With that, the whole class was awakened, noticing nothing but the topic… (LOTR!*)

Never mind. As you know from my previous blog post (a month ago?), I took the CS101 class (Introduction to Computer Science) in the first semester. But this semester, things are starting to get much more exciting than before.

We started to learn some advanced stuff about OOP etc. This week is a special one!

Java stores programmer-created objects in a very interesting way. The JVM (Java Virtual Machine) divides memory into three different sections (as can be seen in figure 1).

The static data section simply holds the things that are defined as "public static …". This part does not shrink or expand once the program is executing.

The heap section is where the objects that are initialized are stored in memory; it can shrink and expand later on.

The stack section shrinks and expands in the same way, but the stack only stores pointers (references). Using these references you can find your objects stored in the heap. You can make signals too!*

Hacking: (a small anecdote from our instructor, Dr. Murat Sensoy) In the old days, the mighty/evil hackers overrode these rules and expanded/shrank these sections to change the behavior of the program. It is now clear why modern games use anti-cheating software (like PunkBuster, VAC) that scans the memory allocated by the game in order to prevent this kind of hacking.

For more detailed information and cool animations that show how it actually works, I recommend downloading this presentation file.

*: Check the presentation files


28
Dec 12

So Java? Recursive? End of The Semester?

A lot of question marks, Yes!

After fifteen weeks in university, it is finally the end of the semester, even though it has not completely finished yet. Although there are still final exams remaining, it feels that way.

As you know, I am passionately following my dream at university, and these fifteen weeks were full of interesting and quite exciting stuff, especially about my major. Being a computer science student eventually generates an unimaginable love for the lectures that are specifically for CS students (even though I have missed some of the CS101 lectures).

So in the first semester, all engineering students are required to attend CS101 (except the mechanical engineers, who are taught some mechanical drawing in the first semester). CS101 is an introductory course for computer science (geeks, please do not expect object-oriented topics), and Java is used as the programming language.

JAVA! Yeah, there were a lot of students who regretted becoming engineers after installing Eclipse! (First week, in the GoSoapBox app.) Not pure Java: we used the java.acm.* library (Stanford Java Task Force). It makes it easy for newcomers to adapt to a language which is both sophisticated and powerful. For me, CS101 started with some basic stuff which is really important for people who have no idea about programming. Following the basics made me bored sometimes (println("Hello World") and the like 🙂), but after a while I realised that my approaches to some programming problems were really complicated. I could achieve what was required, but in a complicated way. (This realisation happened halfway through the semester.) Later, I felt that applying the concepts I learned makes things work in a less complicated way. Consequently, I took this as a personal note. 🙂

The finale of the course was about recursive methods. Basically, you call a function which calls itself again until a condition is met; if it never is, say hello to the pretty "StackOverflow" error. We were assigned to make a minefield game. Don't be afraid, it is an easy console-based one. It was not required, but the assignment paper mentioned that it would be fun to add the ability to reveal all of the zeros by choosing just one zero piece, if there are neighbouring zero pieces in the 3×3 area (with the selected piece at the center). So I tried this approach and it worked flawlessly (not quite perfect: after discussing it in the CS Lab, there is an even better way to do it).


The basic logic is storing a list of the zeros already revealed, to prevent an endless loop ("STACKOVERFLOW").
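As an added example (not the assignment code, and in Python rather than the course's Java), here is the zero-revealing recursion described above over a small constructed minefield: the chosen zero opens its 3×3 neighbourhood, recurses into neighbouring zeros, and a set of already-revealed cells is what keeps the same zero from being visited again and overflowing the stack.

```python
# Constructed 5x5 minefield: '*' is a mine, each digit is the count of
# mines in the 3x3 area around that cell (standard minesweeper numbering).
FIELD = [
    "0001*",
    "00011",
    "11100",
    "1*100",
    "11100",
]

def neighbours(r, c, rows, cols):
    """Yield the in-bounds cells of the 3x3 area around (r, c), excluding (r, c)."""
    for dr in (-1, 0, 1):
        for dc in (-1, 0, 1):
            nr, nc = r + dr, c + dc
            if (dr or dc) and 0 <= nr < rows and 0 <= nc < cols:
                yield nr, nc

def reveal_zeros(field, r, c, revealed=None):
    """Recursively reveal the connected zeros around a chosen cell.

    `revealed` holds every cell already opened. Checking it before recursing
    is the "list of zeros" from the post: without it, two adjacent zeros
    would keep revealing each other until the stack overflows. Numbered
    cells on the border of the zero region are revealed but not recursed into.
    """
    if revealed is None:
        revealed = set()
    rows, cols = len(field), len(field[0])
    if (r, c) in revealed or field[r][c] == '*':
        return revealed
    revealed.add((r, c))
    if field[r][c] != '0':          # a number stops the flood, as in minesweeper
        return revealed
    for nr, nc in neighbours(r, c, rows, cols):
        reveal_zeros(field, nr, nc, revealed)
    return revealed

if __name__ == "__main__":
    opened = reveal_zeros(FIELD, 0, 0)
    for r, row in enumerate(FIELD):
        print("".join(ch if (r, c) in opened else '#' for c, ch in enumerate(row)))
```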

In conclusion (ENG101): "Finals are coming! We need to conceal ourselves." 🙂