Why you should disable WPS on your router?

It’s time to talk a little bit about security, starting with one of the common things everybody use nowadays: Wireless Networks.
They are convenient, pretty simple to set up even for a noob but convenience always come with a price.
The price to pay in this case it’s the security.
There are quite a few security concerns about Wi-Fi networks but in this article I want to discuss about the one I think has more impact: WPS.
What’s WPS and how is working?
WPS stands for Wi-Fi Protected Setup and is a protocol that aims to provide a quick and easy way to establish a secure wireless home network.
It gives 4 different way to add (or “associate”) a new client to the network without setting long password or particular settings.

  1. PIN – You have to provide a code to connect to the AP.
  2. Push-Button – You have to press a button both on AP and client to establish the connection
  3. NFC – Near Field communicaiton. You have to bring the client near the AP to establish the connection<
  4. USB – This is an old and deprecated method that use an USB key to “transport” connection paramenters from the AP to the client.

For the sake of this article, we just have to know that the PIN method is mandatory as per specification for every WPS certified product.
If you are interested to go deeper in details of the WPS protocol you should visit this link.

The PIN is the flaw in the whole protocol.
In the end of 2011, Stefan Viehböcklink discovered the flaw that allow a brute force attack to be perform against a WPS enabled router.
The trick is simple. The WPS PIN is made of 8 digits that means there are 100,000,000 possible combinations. It’s an high number and even thinking to perform each try in 1 second the brute force attack could take up to 3.17 years to succeed. Obviously if I really really really want to access the information stored in that network I could wait that long but in that period of time is most likely that the router will be replaced with a new one : )
So far we proved that the attack is theoretically feasible but practically a failure. Unfortunately for the WPS protocol there is more to come…
The last of the 8 digits is a checksum of the previous ones that means that there are only 7 unknown digits because we can calculate the 8th one. 7 digits yield to 10,000,000 possible combinations , a good reduction but still to many… I don’t want to wait 4 months.
What’s happen when an enrollee attemps to register in the network using the PIN? Once the device sent the PIN to the router, it reports the validity of the two halves of the PIN separately.
That means that an attacker can find first the first half of the PIN (made of 4 digits -> 10,000 possible combinations) and then the second half (made of 3 digits + the checksum that can be easily calculated -> 1000 possible combinations). It’s a matter of only 11,000 guess before the attacker can brute force our router and it can be done in 3 hours (considering 1 attempt per second).
Actually, we have to consider that any attempt usually take more than 1 second and moreover that nowadays some manufacturers have introduced a sort of defense against such attacks by slowing down or disabling the WPS feature after a fixed number of attempts.
Although these kind of protection exists they can’t actually solve the problem but just slow down the attacker; it’s still a matter of hours (usually the attack succeed within 12 hours) before your own security it’s compromised.

How can we protect ourselves from such attacks?
It’s simple: DISABLE THE WPS FEATURE!!!

Issue changing the Default Machine Folder in VirtualBox

If you’re using VirualBox (Version 4.2.0) and after a fresh installation you try to change the Default Machine Folder, what you get it’s the following error:

 Callee RC: CO_E_NOTINITIALIZED (0x800401F0)

It’s probably due to a VirtualBox’s bug, however the workaround it’s quite trivial.
What you have to do is create a new VM (easy one, even without disk) and after it has been created you will be able to change that parameter without any problem.

ORA-00439: feature not enabled: Deferred Segment Creation

Due to a new feature present in Oracle 11gR2 (click here for more info about deferred client segment) if you will import a dump made with Oracle 11gR2 Enterprise Edition to a target system running Oracle 11gR2 Standard Edition you will get the following error:

ORA-00439: feature not enabled: Deferred Segment Creation

In order to avoid this issue, we can force both export and import to ignore this feature using the option version.
This is an example of usage:

Export (11gR2 EE)
expdp user/password directory=dumpdirectory dumpfile=dumpfile.dmp logfile=logfilename.log version=10.2

Import (11gR2 SE)
impdp user/password directory=dumpdirectory dumpfile=dumpfile.dmp logfile=logfilename.log version=10.2

Type Access restriction: The type/class/method is not accessible due to restriction on required library \lib\rt.jar

I’ve just faced this issue working on a Java project in Eclipse.

This error seems related to the restriction applied by the Java licence that says:
“Java Technology Restrictions.You may not modify the Java Platform Interface (“JPI”, identified as classes contained within the “java” package or any subpackages of the “java” package), by creating additional classes within the JPI or otherwise causing the addition to or modification of the classes in the JPI.
In the event that you create an additional class and associated API(s) which (i) extends the functionality of the Java platform, and (ii) is exposed to third party software developers for the purpose of developing additional software which invokes such additional API, you must promptly publish broadly an accurate specification for such API for free use by all developers.
You may not create, or authorize your licensees to create additional classes, interfaces, or subpackages that are in any way identified as “java”, “javax”, “sun” or similar convention as specified by Sun in any naming convention designation. [Source]“

Moreover in the java manual page we can find this sentence:
“Applications that use this option for the purpose of overriding a class in rt.jar should not be deployed as doing so would contravene the Java 2 Runtime Environment binary code license.[Source]“

We can quite easily get rid of this error.

  1. Open the Preferences window in Eclipse (Window -> Preferences)
  2. Browse the left menu down to Java -> Compiler -> Errors/Warning
  3. Open the Deprecated and restricted API section
  4. Set the Forbidden reference (access rules) to Warning or Ignore

Note that following previous steps you will suppress this kind of errors for all the projects in the workspace.
If you want to do it just for selected projects, just follow these steps:

  1. Right click on the project you want to be affected by the change
  2. Select Properties
  3. Browse the left menu down to Java -> Compiler -> Errors/Warning
  4. Flag Enable projects specific settings
  5. Open the Deprecated and restricted API section
  6. Set the Forbidden reference (access rules) to Warning or Ignore

Conversion to Dalvik format failed with error 1

I’ve just faced this error: Conversion to Dalvik format failed with error 1
So I’ve tried to figure out what it was.
In my case it was a problem related to the classpath due to the fact that I upgraded Android Library from 2.2 to 4.0 leaving there the compatibility library v4.

In case of this kind of error thus I suggest to check your classpath.
To do so in Eclipse you’ve to right click the project’s giving you the error, select Properties => Java Build Path and check that there are any libraries that could generate conflicts.

Error generating final archive: Debug certificate expired

If you’re trying to debug your application but the emulator’s not starting because you’re getting this error:

Error generating final archive: Debug certificate expired on xx/xx/xxxxx

what you have to do is renew you certificate. How to do it?
This is extasimple!
Just go to the following directory: %HOMEPATH%\.android (if you’re on Windows, ~/.android/debug.keystore if you are on Linux or Mac OS X) and delete debug.keystore file.
Now refresh your project (F5) and run it. If the problem persist, perform a project clean (Project -> Clean).

F-Bounded polymorphism

Today I was discussing with a colleague about F-bounded polymorphism.
He was trying to explain to me what this kind of polymorphism is all about but after few attempts he gave up…
Reading this you will understand why.
However we didn’t give up finding a easy and understandable explanation and eventually he succeeded.
Now, I could explain this concept with my own words but I find this article so crystal clear that I want to encourage everyone to read it:
http://work.tinou.com/2009/07/wtf-is-fbounded-polymorphism.html

XML Parsers typologies

Nowadays using XML as data format is quite common and obviously this leads to the need of a tool to read these data.This too is called XML parser.
There are mainly 3 different kind of parser:

  • DOM
  • SAX
  • XML Pull

What’s the difference between them?
In the DOM approach the XML structure is represented as a tree in memory parsing the whole file. Disadvantage: Big memory footprint due to the need of maintain the whole document structure in memory.

In the SAX one the parser push out events to the client without creating a resident structure in memory. Disadvantage: Lots of events callbacks.

XML Pull is different since it parse “on request” and this means very small memory footprint and very fast processing.

In my last project (CV Reader) I’ve used the Android implementation of a XML Pull parser.
The performance of the parser I wrote are not so bad so far and I’m happy with the choice I made but I’m curious to analyze deeper the performance of these tree kind of parser in the Android framework, so stay tuned for more info about this topic. 

java.lang.NoSuchMethodError: oracle/jdbc/driver/OracleLog.setLogVolume(I)V

Configuring WebSphere 6.1 using Oracle as Database 10g or 11g could lead to an error like this:

J2CUtilityCla E J2CA0036E: An exception occurred while invoking method setDataSourceProperties on com.ibm.ws.rsadapter.spi.WSManagedConnectionFactoryImpl used by resource jdbc/DefaultDatasource : java.lang.NoSuchMethodError: oracle/jdbc/driver/OracleLog.setLogVolume(I)V
at com.ibm.ws.rsadapter.dbutils.impl.OracleUtilityImpl.setLogVolume(OracleUtilityImpl.java:85)

The possible causes are:

  1. An old fix pack that contains a bug for which WebSphere’s using 9i methods against 10g or 11g Oracle Databases.
  2. Data source custom property not correctly configured.

If you’re using a recent fix pack, verify that in the data source custom properties screen the property oracle9iLogTraceLevel is blanked out as shown in the following screenshot:

WebSphere Oracle Settings