[GAJSS] Cryptography for Programmers

I had a good bit on this talk, but JRoller’s habit of eating a post when you “Save as Draft” after the session has expired killed it. Stuart Halloway gave a fairly good overview of key cryptography concepts. Not enough to write your own algorithm, just enough to be dangerous, and probably enough to effectively use existing algorithms in your application, which is really all most of us need anyhow. He alleges, based on the advice of several colleagues, that the JKS Java keystore implementation is NOT secure, and should not be used. Another nugget is that when generating random numbers for security-sensitive purposes, use SecureRandom, not the basic java.util.Random implementation. Past that, it’s mostly been an overview of key crypto concepts: keys, symmetric and asymmetric encryption, hashes, stuff like that.

Probably the most compelling point is that when evaluating the security of a crypto algorithm, the standard metrics that get spewed – key length, block size, etc. – aren’t really relevant. What IS relevant is the number of steps required to break the crypto. And let me reiterate what should be obvious – unless you are an encryption expert, you are best off using the known, time-tested algorithms without known exploits, rather than attempting to write your own.
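An added example of the SecureRandom point (my own code, not from the talk or this post): the hypothetical SessionTokens class and its seeds are constructed for illustration. It also shows one way SecureRandom itself can be misused, which the talk did not cover.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example, not code from the talk or the post. Shows why java.util.Random
// must not produce security-sensitive values, the correct SecureRandom usage,
// and one SecureRandom pitfall (seeding the SHA1PRNG provider before first use).
public class SessionTokens {

    private static final int TOKEN_BYTES = 16;

    // Unsafe: Random is a 48-bit linear congruential generator. Same seed,
    // same token, and its small state can be recovered from a few observed outputs.
    static String weakToken(long seed) {
        byte[] buf = new byte[TOKEN_BYTES];
        new Random(seed).nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    // Safe: SecureRandom self-seeds from the platform entropy source.
    static String strongToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        new SecureRandom().nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    // Pitfall: for the SUN "SHA1PRNG" provider, calling setSeed() before the
    // first output REPLACES self-seeding, so a fixed seed makes it deterministic.
    static String misSeededToken(byte[] fixedSeed) throws Exception {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        sr.setSeed(fixedSeed);              // do not do this
        byte[] buf = new byte[TOKEN_BYTES];
        sr.nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    public static void main(String[] args) throws Exception {
        long clockSeed = 1700000000000L;    // constructed: two requests in the same tick
        System.out.println("Random, reused seed:  " + weakToken(clockSeed));
        System.out.println("Random, reused seed:  " + weakToken(clockSeed)); // identical
        byte[] fixed = "app-secret".getBytes("UTF-8");   // constructed seed
        System.out.println("SHA1PRNG mis-seeded:  " + misSeededToken(fixed));
        System.out.println("SHA1PRNG mis-seeded:  " + misSeededToken(fixed)); // identical
        System.out.println("SecureRandom:         " + strongToken());
        System.out.println("SecureRandom:         " + strongToken());          // differ
    }
}
```

The first two pairs print identical tokens on every run; only the self-seeded SecureRandom pair differs, which is the property a session or CSRF token needs.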


[GAJSS] J2EE Performance Monitoring

Ramnivas Laddad has obviously tinkered with a broad variety of performance monitoring techniques for J2EE. While he’s mentioning commercial projects, he also has plenty of practical free or built-in approaches for monitoring performance.

He’s pointed out Sun’s JVMPI, which is the built-in Sun approach to instrumenting an app for pre-1.4 JVMs, but the app has to be started in a special way, and runs dirt slow. I’ve used plenty of commercial products that use this API, and it’s brutal. If you do go down this path, the Eclipsecolorer plugin looks like a nice complementary tool to analyze the output. Using a modified 1.4 JVM or Java 5.0+, JVMTI becomes available as a part of the JVM, and it appears to be quite useful – one more feature to add to the list of useful reasons to upgrade our product to Java 5.0. JFluid in NetBeans gets a mention.

For database analysis, he recommends P6Spy (free) or JDBInsight (not free), and showed a nice example of decorating the JDBC connection to log timing information on all queries without intruding on the persistence code. A similar timing approach can be applied to servlets using a servlet filter.

We get a look at AOP monitoring approaches, not surprising given Ramnivas’ expertise in AOP (he’s presenting 3 other sessions, all on AOP). Some nice example code of an abstract service monitor aspect, along with an implementation. A decent idea, but the question remains of whether to add AspectJ to the massive framework stack already in place in most of my apps.

Finally, we get a look at load generation tools. The usual suspects are here – JMeter (normal web apps), TestMaker (for web services), Grinder (mentioned from the peanut gallery), and LoadRunner (if you’re rich).

The wireless network connectivity in this room is miserable. Unfortunately, a majority of the Agile sessions are in here. There’s a wall jack for ethernet, but who knows if it works – I don’t know when the last time was I used a hard line with my laptop.

Where am I blogging from? No Fluff Just Stuff’s Greater Atlanta Java Software Symposium.


Greater Atlanta Software Symposium Tomorrow

Tomorrow, the No Fluff Just Stuff road show comes to town for the Greater Atlanta Software Symposium. I’ll be heading there along with a couple of other developers from our team here. Wifi and power outlets permitting, I’ll endeavor to blog the sessions as I go.

I look forward to this event each year – it is one of the most pragmatically useful and economical Java conferences out there. If you have the weekend and cash available, I think they still have some spots open. It’s as good a collection of Java and software development experts as you’re likely to get at a non-vendor-sponsored conference.

With my job responsibilities drifting more and more into development management, I’ll be spending a good bit of time in the Agile development sessions, but I’ll also spend some time in the more concrete, hands-on development sessions. I hope to see you there!