Items tagged with: Java

Getting started with #blockchain for #Java developers https://opensource.com/article/19/4/blockchain-java-developers #programming
#RedHat to maintain OpenJDK 8 and #OpenJDK 11
https://www.infoworld.com/article/3389878/red-hat-to-maintain-openjdk-8-and-openjdk-11.html #oracle #java
Announcing #OpenJDK 11 packages in #Ubuntu 18.04 LTS
https://blog.ubuntu.com/2019/04/19/announcing-openjdk-11-packages-in-ubuntu-18-04-lts #java #programming
#Oracle Patches 3-Year-Old #Java #Deserialization #security Flaw in April Update
#oracle #java bugs https://www.exploit-db.com/exploits/46723 https://www.exploit-db.com/exploits/46722 must now patch fast due to exploits.

Install The Latest #OpenJDK 12, 11 or 8 in #Ubuntu, #Debian or #RHEL Using Zulu OpenJDK Builds / #Linux #Java

Java: Red Hat übernimmt Projektleitung für OpenJDK 8 und 11 #Java #OpenJDK #RedHat
#Programming : "FOSS Means Kids Can Have a Big Impact", Python, Eclipse, C++, #Java , #Qt and #Rust
Jakarta EE: Eine Frage des guten Namens #Eclipse #JakartaEE #Java

Lessons learned porting 50k loc from Java to Go

Things I've learned porting a 50 thousand lines of code from Java to Go
Article word count: 2160

HN Discussion: https://news.ycombinator.com/item?id=19589614
Posted by hu3 (karma: 254)
Post stats: Points: 138 - Comments: 68 - 2019-04-06T06:42:14Z

#HackerNews #50k #from #java #learned #lessons #loc #porting
Article content:

I was contracted to port a large Java code base to Go.

The code in question is a Java client for [1]RavenDB, a NoSQL JSON document database. Code with tests was around 50 thousand lines.

The result of the port is a [2]Go client.

This article describes what Iʼve learn in the process.

Testing, code coverage

Large projects benefit greatly from automated testing and tracking code coverage.

I used TravisCI and AppVeyor for testing. [3]Codecov.io for code coverage. There are many other services.

I used both AppVeyor and TravisCI because a year ago Travis didnʼt have Windows support and AppVeyor didnʼt have Linux support.

Today if I was settings this up from scratch, I would stick with just AppVeyor, as it can now do both Linux and Windows testing and the future of TravisCI is murky, after it was acquired by private equity firm and reportedly fired the original dev team.

Codecov is barely adequate. For Go, they count non-code lines (comments etc.) as not executed. Itʼs impossible to get 100% code coverage as reported by the tool. Coveralls seems to have the same problem.

Itʼs better than nothing but thereʼs an opportunity to do things better, especially for Go programs.

Goʼs race detector is great

Parts of the code use concurrency and itʼs really easy to get concurrency wrong.

Go provides race detector that can be enabled with -race flag during compilation.

It slows down the program but additional checks can detect if youʼre concurrently modifying the same memory location.

I always run tests with -race enabled and it alerted me to numerous races, which allowed me to fix them promptly.

Building custom tools for testing

In a project that big itʼs impossible to verify correctness by inspection. Too much code to hold in your head at once.

When a test fails, it can be a challenge to figure out why just from the information in the test failure.

Database client driver talks to RavenDB database server over HTTP using JSON to encode commands and results.

When porting Java tests to Go, it was very useful to be able to capture the HTTP traffic between Java client and server and compare it with HTTP traffic generated by Go port.

I built custom tools to help me do that.

For capturing HTTP traffic in Java client, I built a [4]logging HTTP proxy in Go and directed Java client to use that HTTP proxy.

For Go client, I built [5]a hook in the library that allows to intercept HTTP requests. I used it to log the traffic to a file.

I was then able to compare HTTP traffic generated by Java client to traffic generated by my Go port and spot the differences.

Porting process

You canʼt just start porting 50 thousand lines of code in random order. Without testing and validating after every little step Iʼm sure I would be defeated by complexity.

I was new to RavenDB and Java code base. My first step was to get a high-level understanding how Java code works.

At the core the client talks to the server via HTTP protocol. I captured the traffic, looked at it and wrote the simplest Go code to talk the server.

When that was working it gave me confidence Iʼll be able to replicate the functionality.

My first milestone was to port enough code to be able to port the simplest Java test.

I used a combination of bottom-up and top-down approach.

Bottom-up part is where I identified the code at the bottom of call chain responsible for sending commands to the server and parsing responses and ported those.

The top-down part is where I stepped through the test I was porting to identify which parts of the code need to be ported to implement that part.

After successfully porting the first step, the rest of the work was porting one test at a time, also porting all the necessary code needed to make the test work.

After the tests were ported and passing, I did improvements to make the code more Go-ish.

I believe that this step-by-step approach was crucial to completing the work.

Psychologically, when faced with a year-long project, itʼs important to have smaller, intermediate milestones. Hitting those kept me motivated.

Keeping the code compiling, running and passing tests at all times is also good. Allowing bugs to accumulate can make it very hard to fix them when you finally get to it.

Challenges of porting Java to Go

The objective of the port was to keep it as close as possible to Java code base, as it needs to be kept in sync with Java changes in the future.

Iʼm somewhat surprised how much code I ported in a line-by-line fashion. The most time consuming part of the port was reversing the order of variable declaration, from Javaʼs type name to Goʼs name type. I wish there was a tool that would do that part for me.

String vs. string

In Java, String is an object that really is an reference (a pointer). As a result, a string can be null.

In Go string is a value type. It canʼt be null, only empty.

It wasnʼt a big deal and most of the time I could mechanically replace null with "".

Errors vs. exceptions

Java uses exceptions to communicate errors.

Go returns values of error interface.

Porting wasnʼt difficult but it did require changing lots of function signatures to return error values and propagate them up the call stack.


Go doesnʼt have them (yet).

Porting generic APIs was the biggest challenge.

Hereʼs an example of a generic method in Java:

public T load(Class clazz, String id) {

And the caller:

Foo foo = load(Foo.class, "id")

In Go, I used two strategies.

One is to use interface{}, which combines value and its type, similar to object in Java. This is not preferred approach. While it works, operating on interface{} is clumsy for the user of the library.

In some cases I was able to use reflection and the above code was ported as:

func Load(result interface{}, id string) error

I could use reflection to query type of result and create values of that type from JSON document.

And the caller side:

var result *Foo
err := Load(&result, "id")

Function overloading

Go doesnʼt have it (and most likely will never have it).

I canʼt say I found a good solution to port those.

In some cases overloading was used to create shorter helpers:

void foo(int a, String b) {}
void foo(int a) { foo(a, null); }

Sometimes I would just drop the shorter helper.

Sometimes I would write 2 functions:

func foo(a int) {}
func fooWithB(a int, b string) {}

When number of potential arguments was large I would sometimes do:

type FooArgs { A int B string
func foo(args *FooArgs) { }


Go is not especially object-oriented and doesnʼt have inheritance.

Simple cases of inheritance can be ported with embedding.

class B : A { }

Can sometimes be ported as:

type A struct { }
type B struct { A

Weʼve embedded A inside B, so B inherit all the methods and fields of A.

It doesnʼt work for virtual functions.

There is no good way to directly port code that uses virtual functions.

One option to emulate virtual function is to use embedding of structs and function pointers. This essentially re-implements virtual table that Java gives you for free as part of object implementation.

Another option is to write a stand-alone function that dispatches the right function for a given type by using type switch.


Both Java and Go have interfaces but they are different things, like apples and salami.

A few times I did create a Go interface type that replicated Java interface.

In more cases I dropped interfaces and instead exposed concrete structs in the API.

Circular imports between packages

Java allows circular imports between packages.

Go does not.

As a result I was not able to replicate the package structure of Java code in my port.

For simplicity I went with a single package. Not ideal, because it ended up being very large package. So large, in fact, that Go 1.10 couldnʼt handle so many source files in a single package on Windows. Luckily it was fixed in Go 1.11.

Private, public, protected

Goʼs designers are under-appreciated. Their ability to simplify concepts is unmatched and access control is one example of that.

Other languages gravitate to fine-grained access control: public, private, protected specified with the smallest possible granularity (per class field and method).

As a result a library implementing some functionality has the same access to other classes in the same library as external code using that library.

Go simplified that by only having public vs. private and scoping access to package level.

That makes more sense.

When I write a library to, say, parse markdown, I donʼt want to expose internals of the implementation to users of the library. But hiding those internals from myself is counter-productive.

Java programmers noticed that issue and sometimes use an interface as a hack to fix over-exposed classes. By returning an interface instead of a a concrete class, you can hide some of the public APIs available to direct users of the class.


Goʼs concurrency is simply the best and a built-in race detector is of great help in repelling concurrency bugs.

That being said, in my first porting pass I went with emulating Java APIs. For example, I implemented a facsimile of Javaʼs CompletableFuture class.

Only after the code was working I would re-structure it to be more idiomatic Go.

Fluent function chaining

RavenDB has very sophisticated querying capabilities. Java client uses method chaining for building queries:

List results = session.query(User.class) .groupBy("name") .selectKey() .selectCount() .orderByDescending("count") .ofType(ReduceResult.class) .toList();

This only works in languages that communicate errors via exceptions. When a function additionally returns an error, itʼs no longer possible to chain it like that.

To replicate chaining in Go I used a "stateful error" approach:

type Query struct { err error
} func (q *Query) WhereEquals(field string, val interface{}) *Query { if q.err != nil { return q } // logic that might set q.err
return q
} func (q *Query) GroupBy(field string) *Query {
if q.err != nil { return q } // logic that might set q.err
return q
} func (q *Query) Execute(result inteface{}) error { if q.err != nil { return q.err } // do logic

This can be chained:

var result *Foo
err := NewQuery().WhereEquals("Name", "Frank").GroupBy("Age").Execute(&result)

JSON marshaling

Java doesnʼt have a built-in marshaling and the client uses Jackson JSON library.

Go has JSON support in standard library but it doesnʼt provide as many hooks for tweaking marshaling process.

I didnʼt try to match all of Javaʼs functionality as what is provided by Goʼs built-in JSON support seems to be flexible enough.

Go code is shorter

This is not so much a property of Java but the culture which dictates what is considered an idiomatic code.

In Java setter and getter methods are common. As a result, Java code:

class Foo { private int bar; public void setBar(int bar) { this.bar = bar; } public int getBar() { return this.bar; }

ends up in Go as:

type Foo struct { Bar int

3 lines vs. 11 lines. It does add up when you have a lot of classes with lots of members.

Most other code ends up being of equivalent length.

Notion for organizing the work

Iʼm a heavy user of [6]Notion.so. Simplifying a lot, Notion is a hierarchical note taking application. Think a cross of Evernote and a wiki, exquisitely designed and implemented by top notch software designers.

Hereʼs how I used Notion to organize my work on Go port:

Hereʼs whatʼs there:
* not shown above, I have a page that is a calendar view where I take short notes about what I work on on a given day and how much time I spent. This is important information since it was a hourly contract. Thanks to those notes I know that I spent 601 hours over 11 months
 * clients like to know the progress. I had a page for each moth were I summarized the work done like this:

   Those pages were shared with the client.

 * A short-term todo list helps when starting work each day:
 * I even managed invoices as Notion pages and used "Export to PDF" function to generate PDF version of the invoice

Go programmer for hire

Does your company need an extra Go programming help? You can [7]hire me.

Additional resources

Iʼve provided some additional commentary in response to questions:
* in [8]Hacker News discussion
 * in [9]/r/golang discussion

Other material:
* if you need a NoSQL, JSON document database, give [10]RavenDB a try. Itʼs chock full of advanced features
 * if youʼre programming in Go, try a free [11]Essential Go programming book
 * if youʼre interested in Notion, Iʼm worldʼs most advanced user of Notion:


Visible links
1. https://ravendb.net/
2. https://github.com/ravendb/ravendb-go-client
3. http://codecov.io/
4. https://github.com/kjk/httplogproxy
5. https://github.com/ravendb/ravendb-go-client/blob/20fade9ee6d22d60c7babf4a155c4de5bf4cfd3b/request_executor.go#L23
6. https://www.notion.so/
7. https://blog.kowalczyk.info/goconsultantforhire.html
8. https://news.ycombinator.com/item?id=19589614
9. https://old.reddit.com/r/golang/comments/ba0lsm/lessons_learned_porting_50k_loc_from_java_to_go/
10. https://ravendb.net/
11. https://www.programming-books.io/essential/go/

HackerNewsBot debug: Calculated post rank: 114 - Loop: 155 - Rank min: 100 - Author rank: 23
#Philippines #Singapore #programming #c #Java #Python #olympiad #sports #esports
Philippine team reaps awards at Singapore Informatics Olympiad

Show HN: 300k lines of Java UI code running native in browser at desktop speed

RMStudio is a page layout application to design templates for the ReportMill reporting tool. The same RMStudio page layout designer written for the desktop and available as a native Windows/MacOS…

HN Discussion: https://news.ycombinator.com/item?id=19581788
Posted by jeffreportmill1 (karma: 188)
Post stats: Points: 113 - Comments: 89 - 2019-04-05T12:24:21Z

#HackerNews #300k #browser #code #desktop #java #lines #native #running #show #speed
Article content:

RMStudio is a page layout application to design templates for the ReportMill reporting tool. The same RMStudio page layout designer written for the desktop and available as a native Windows/MacOS application is now available in the browser!

HackerNewsBot debug: Calculated post rank: 105 - Loop: 159 - Rank min: 100 - Author rank: 40
#IBM Clarifies #Java Options Following #Oracle License Crackdown https://www.itjungle.com/2019/04/03/ibm-clarifies-java-options-following-oracle-license-crackdown/ #programming
IBM Clarifies Java Options Following Oracle License Crackdown
" #FinalCrypt is an open-source, cross-platform file encryption platform with two trump cards up its sleeve. The first is its use of Symmetric OTP encryption, of course, while it’s also been designed for bulk file #encryption purpose" #java :/
FinalCrypt 4.0.3 adds uncrackable encryption to your most sensitive files
What should developers use? #Java EE, #JakartaEE , #MicroProfile , or maybe all of them!
https://jaxenter.com/java-ee-jakarta-ee-microprofile-156992.html #programming
What should developers use? Java EE, Jakarta EE, MicroProfile, or maybe all of them!
#Mozilla tries to do #Java as it should have been – with a #WASI spec for all devices, computers, operating systems
Java: Alibaba schiebt eigene OpenJDK-Variante Dragonwell in die Open-Source-Welt #Alibaba #CloudComputing #Java #OpenJDK
"The production release of Java Development Kit 12, based on #Java SE (Standard Edition) 12, is now available. #JDK 12 builds are available from Oracle for Linux, Windows, and MacOS."
#Java #JDK
#Quarkus 0.12.0 released https://developers.redhat.com/blog/2019/03/20/quarkus-0-12-0-released/ #Kubernetes #Java #freesw #server
Quarkus 0.12.0 released

Java 12

This page provides production-ready open-source builds of the Java Development Kit, version 12, an implementation of the Java SE 12 Platform under the GNU General Public License, version 2, with the…
Article word count: 239

HN Discussion: https://news.ycombinator.com/item?id=19434966
Posted by kalimatas (karma: 439)
Post stats: Points: 157 - Comments: 172 - 2019-03-19T19:50:00Z

#HackerNews #java
Article content:

This page provides production-ready open-source builds of the [1]Java Development Kit, version 12, an implementation of the [2]Java SE 12 Platform under the [3]GNU General Public License, version 2, with the Classpath Exception.

Commercial builds of JDK 12 from Oracle under a [4]non-open-source license, for a wider range of platforms, can be found at the [5]Oracle Technology Network.

* [6]Features
 * [7]Release notes
 * [8]API Javadoc
 * [9]Tool & command reference

* The Alpine Linux build previously available on this page was removed as of JDK 12 GA. It’s not production-ready because it hasn’t been tested thoroughly enough to be considered a GA build. Please use the [10]early-access JDK 13 Alpine Linux build in its place.

 * To obtain the source code for these builds, clone the JDK 12 [11]Mercurial repository and update to the tag jdk-12-ga.

 * If you have difficulty downloading any of these files please contact [12]jdk-download-help_ww@oracle.com.


If you have suggestions or encounter bugs, please submit them using [13]the usual Java SE bug-reporting channel. Be sure to include complete version information from the output of the java --version command.

International use restrictions

Due to limited intellectual property protection and enforcement in certain countries, the source code may only be distributed to an authorized list of countries. You will not be able to access the source code if you are downloading from a country that is not on this list. We are continuously reviewing this list for addition of other countries.


Visible links
1. https://openjdk.java.net/projects/jdk/12/
2. https://openjdk.java.net/projects/jdk/12/spec/
3. https://openjdk.java.net/legal/gplv2+ce.html
4. https://www.oracle.com/technetwork/java/javase/terms/license/javase-license.html
5. https://www.oracle.com/technetwork/java/javase/downloads/index.html
6. https://openjdk.java.net/projects/jdk/12/
7. https://jdk.java.net/12/release-notes
8. https://docs.oracle.com/en/java/javase/12/docs/api/index.html
9. https://docs.oracle.com/en/java/javase/12/tools/tools-and-command-reference.html
10. https://jdk.java.net/13/
11. https://hg.openjdk.java.net/jdk-updates/jdk12u/
12. mailto:jdk-download-help_ww@oracle.com
13. http://bugreport.java.com/

HackerNewsBot debug: Calculated post rank: 162 - Loop: 218 - Rank min: 100 - Author rank: 59
Das sind die Neuerungen von Java 12 #Java #Java12 #Programmiersprachen

Don’t read your data from a straw

#bot #daniellemire #java #performance
Don’t read your data from a straw

Daniel Lemire's blog: Don’t read your data from a straw (Daniel Lemire)

Java-Konferenz: Live-Streaming vom JavaLand 2019 #Java #JavaLand
Umfrage: Java-Entwickler treibt die Neugier zur Weiterbildung an #Java #JetBrains #Programmiersprachen #Weiterbildung
I build a #Scheme with fewer parens. Today in #Java: Collections.sort(scales, (a, b) -> Double.compare(a.scale(), b.scale() * -1)) // 🤦
I build a Scheme with fewer parens. Today in #Java: Collections.sort(scales, (a, b) -> Double.compare(a.scale(), b.scale() * -1)) // D’Oh!
Programmiersprache: Java-Community wechselt nur langsam weg von Java 8 #Java #Amazon #OpenJDK #Oracle #Programmiersprache #RedHat #Applikationen #OpenSource #Softwareentwicklung
#IDG keeps posting this in more domains it has. #SAP and other #proprietarysoftware companies now rebrand #Java for themselves, sort of.
Moocher #amazon 'invents' #java (or a name for it)

“No, we’re telling everyone we are using Java”

“I saw a similar phenomena years ago a (unnamed) games company was using Erlang to great advantge I said “can we tell people” answer “no we’re telling everybody we’re using Java”…
Article word count: 613

HN Discussion: https://news.ycombinator.com/item?id=19346017
Posted by tosh (karma: 33898)
Post stats: Points: 170 - Comments: 148 - 2019-03-09T13:32:36Z

#HackerNews #are #everyone #java #telling #using #were
Article content:


[1] [IMG][2]Joe Armstrong‏ @joeerl [3]11h11 hours ago

Joe Armstrong Retweeted Devon C. Estes

I saw a similar phenomena years ago a (unnamed) games company was using Erlang to great advantge I said “can we tell people” answer “no we’re telling everybody we’re using Java”[4]https://twitter.com/devoncestes/status/1103998647673520128 …

Joe Armstrong added,

Devon C. Estes @devoncestes
I received an interesting email today. It was from someone at a major financial services company that was interested in hiring an Elixir consultant. However, I canʼt say who it is because they asked me not to tell anyone theyʼre using Elixir. Why would that be, you ask?
Show this thread
[5] [IMG][6]Dr. Christian Geuer-Pollmann‏ @chgeuer [7]11h11 hours ago

Replying to [8]@joeerl


[9] [IMG][10]Joe Armstrong‏ @joeerl [11]10h10 hours ago

Replying to [12]@chgeuer

No. Wooga publicity said they were using erlang. The company I mentioned has never said anything publicly. Wish they had but it’s their call.

[13] [IMG][14]AnneOgborn#WontBeErased‏ @AnnieTheObscure [15]3h3 hours ago

Replying to [16]@joeerl

We routinely hear this narrative in Prolog land - ʼUsing Prolog is our competitive advantage, donʼt tell anyone weʼre using it.ʼ I hear rumors sometimes they add " or youʼll violate USC section blah blah"

[17] [IMG][18]Andrew Grimm‏ @andrewjgrimm [19]10h10 hours ago

Replying to [20]@joeerl

My uninformed speculation: those companies using bad languages would continue to do so if you shouted the benefits from the rooftops.

[21] [IMG][22]10x Full-Stack Paladin‏ @lunde_andrews [23]2h2 hours ago

Replying to [24]@joeerl

Why is it that programming language choice is wrapped up with so much corporate politics and marketing? Like, shouldnʼt that be a decision best left up to the engineering team?

[25] [IMG][26]Chris Lane‏ @lanstin [27]1h1 hour ago

Replying to [28]@lunde_andrews [29]@joeerl

Too many people in software (management?) only know one language. They think that is normal. Not realizing good and bad software is orthogonal to language. The salient features are quality and tool suited to the job.

[30] [IMG][31]Schröshire Cat‏ @schroeshirecat [32]11h11 hours ago

Replying to [33]@joeerl

Itʼs often difficult to find out who actually used it. Fermilab did in 2011 to 2015. After that I find nothing...

[34] [IMG][35]Sebastiän Saavedra‏ @eseSebastian [36]6h6 hours ago

Replying to [37]@schroeshirecat [38]@joeerl

WhatsAppʼs back end is written in erlang, this article is from October 2018 [39]https://www.erlang-solutions.com/blog/20-years-of-open-source-erlang-openerlang-interview-with-anton-lavrik-from-whatsapp.html …

[40] [IMG][41]Schröshire Cat‏ @schroeshirecat [42]5h5 hours ago

Replying to [43]@eseSebastian [44]@joeerl

Yes. [45]@CERN is also using it for CernVM. But for [46]@Fermilab I donʼt know what the status is concering use of Erlang.

[47] [IMG][48]Sebastiän Saavedra‏ @eseSebastian [49]2h2 hours ago

Replying to [50]@schroeshirecat [51]@joeerl and

Got it, I misunderstood that it was only in the context of Fermilab, thought that it was in general. Thanks!

[52] [IMG][53]Schröshire Cat‏ @schroeshirecat [54]1h1 hour ago

Replying to [55]@eseSebastian [56]@joeerl and

No worries.

[57] [IMG][58]Ryan Brown‏ @4everinbeta [59]2h2 hours ago

Replying to [60]@joeerl

I strongly believe building any system on top of BEAM provides instant competitive advantage.

[61] [IMG][62]schrepfler‏ @schrepfler [63]4h4 hours ago

Replying to [64]@joeerl

Do they still exist? Do they still use Erlang?

[65] [IMG][66]Dave Pawson‏ @dpawson [67]10h10 hours ago

Replying to [68]@joeerl

Think fashionable Joe ;-)

[69] [IMG][70]Jim‏ @cat_in_the_tap [71]9h9 hours ago

Replying to [72]@joeerl


[73] [IMG][74]Abid Uzair‏ @abiduzz420 [75]5h5 hours ago

Replying to [76]@cat_in_the_tap [77]@joeerl

May be Erlang was the secret sauce in their business and they didnʼt want to lose that advantage. I am just speculating here.

[78] [IMG][79]Jim‏ @cat_in_the_tap [80]4h4 hours ago

Replying to [81]@abiduzz420 [82]@joeerl

Could be

[83] [IMG][84]Double D‏ @LazyVonMises [85]11h11 hours ago

Replying to [86]@joeerl

The same thing used to happen with Forth.

[87] [IMG][88]Narendra Joshi‏ @narendraj9 [89]10h10 hours ago

Replying to [90]@LazyVonMises [91]@joeerl

Is Forth used in industry? Can you share an example please.

[92] [IMG][93]Double D‏ @LazyVonMises [94]10h10 hours ago

Replying to [95]@narendraj9 [96]@joeerl

No idea. Probably not much any more. Every now and again you see people talk about their companyʼs proprietary Forths but itʼs rare.


Visible links
1. https://twitter.com/joeerl
2. https://twitter.com/joeerl
3. https://twitter.com/joeerl/status/1104298407231922176
4. https://t.co/pgQjHEHgls
5. https://twitter.com/chgeuer
6. https://twitter.com/chgeuer
7. https://twitter.com/chgeuer/status/1104302019358134272
8. https://twitter.com/joeerl
9. https://twitter.com/joeerl
10. https://twitter.com/joeerl
11. https://twitter.com/joeerl/status/1104307357138468865
12. https://twitter.com/chgeuer
13. https://twitter.com/AnnieTheObscure
14. https://twitter.com/AnnieTheObscure
15. https://twitter.com/AnnieTheObscure/status/1104413366305595393
16. https://twitter.com/joeerl
17. https://twitter.com/andrewjgrimm
18. https://twitter.com/andrewjgrimm
19. https://twitter.com/andrewjgrimm/status/1104315513964965889
20. https://twitter.com/joeerl
21. https://twitter.com/lunde_andrews
22. https://twitter.com/lunde_andrews
23. https://twitter.com/lunde_andrews/status/1104428160253390848
24. https://twitter.com/joeerl
25. https://twitter.com/lanstin
26. https://twitter.com/lanstin
27. https://twitter.com/lanstin/status/1104440919405686785
28. https://twitter.com/lunde_andrews
29. https://twitter.com/joeerl
30. https://twitter.com/schroeshirecat
31. https://twitter.com/schroeshirecat
32. https://twitter.com/schroeshirecat/status/1104299919177863168
33. https://twitter.com/joeerl
34. https://twitter.com/eseSebastian
35. https://twitter.com/eseSebastian
36. https://twitter.com/eseSebastian/status/1104374316102311943
37. https://twitter.com/schroeshirecat
38. https://twitter.com/joeerl
39. https://t.co/bjc8ttDgWG
40. https://twitter.com/schroeshirecat
41. https://twitter.com/schroeshirecat
42. https://twitter.com/schroeshirecat/status/1104391484814647297
43. https://twitter.com/eseSebastian
44. https://twitter.com/joeerl
45. https://twitter.com/CERN
46. https://twitter.com/Fermilab
47. https://twitter.com/eseSebastian
48. https://twitter.com/eseSebastian
49. https://twitter.com/eseSebastian/status/1104434458466357252
50. https://twitter.com/schroeshirecat
51. https://twitter.com/joeerl
52. https://twitter.com/schroeshirecat
53. https://twitter.com/schroeshirecat
54. https://twitter.com/schroeshirecat/status/1104439985959251978
55. https://twitter.com/eseSebastian
56. https://twitter.com/joeerl
57. https://twitter.com/4everinbeta
58. https://twitter.com/4everinbeta
59. https://twitter.com/4everinbeta/status/1104434131390226432
60. https://twitter.com/joeerl
61. https://twitter.com/schrepfler
62. https://twitter.com/schrepfler
63. https://twitter.com/schrepfler/status/1104403669410304000
64. https://twitter.com/joeerl
65. https://twitter.com/dpawson
66. https://twitter.com/dpawson
67. https://twitter.com/dpawson/status/1104302579142574081
68. https://twitter.com/joeerl
69. https://twitter.com/cat_in_the_tap
70. https://twitter.com/cat_in_the_tap
71. https://twitter.com/cat_in_the_tap/status/1104327129347645440
72. https://twitter.com/joeerl
73. https://twitter.com/abiduzz420
74. https://twitter.com/abiduzz420
75. https://twitter.com/abiduzz420/status/1104382301792690176
76. https://twitter.com/cat_in_the_tap
77. https://twitter.com/joeerl
78. https://twitter.com/cat_in_the_tap
79. https://twitter.com/cat_in_the_tap
80. https://twitter.com/cat_in_the_tap/status/1104407037004447744
81. https://twitter.com/abiduzz420
82. https://twitter.com/joeerl
83. https://twitter.com/LazyVonMises
84. https://twitter.com/LazyVonMises
85. https://twitter.com/LazyVonMises/status/1104301574871023617
86. https://twitter.com/joeerl
87. https://twitter.com/narendraj9
88. https://twitter.com/narendraj9
89. https://twitter.com/narendraj9/status/1104304711945994240
90. https://twitter.com/LazyVonMises
91. https://twitter.com/joeerl
92. https://twitter.com/LazyVonMises
93. https://twitter.com/LazyVonMises
94. https://twitter.com/LazyVonMises/status/1104305017232732160
95. https://twitter.com/narendraj9
96. https://twitter.com/joeerl

HackerNewsBot debug: Calculated post rank: 162 - Loop: 215 - Rank min: 100 - Author rank: 64
Quarkus: Red Hat will Java für Kubernetes fit machen #Kubernetes #CloudComputing #Java #OpenJDK #Orchestrierung #Programmiersprache #RedHat #Unternehmenssoftware #Virtualisierung #Applikationen
Java-Framework Quarkus: Red Hat vereint reaktive und imperative Programmierung #CloudNative #Java #Kubernetes #Quarkus #RedHat


The Supreme Backdoor Factory

Feb 26th, 2019 5:53 pm

Recently I was playing with VirusTotal Intelligence and while testing some dynamic behavior queries I stumbled upon this strange PE binary (MD5: 7fce12d2cc785f7066f86314836c95ec). The file claimed to be an installer for the JXplorer, a Java-based “cross platform LDAP browser and editor” as indicated on its official web page. Why was it strange? Mostly because I did not expect an installer for a quite popular LDAP browser to create a scheduled task in order to download and execute PowerShell code from a subdomain hosted by free dynamic DNS provider.

I initially planned to keep this write-up short and focus on dissecting suspicious JXplorer binary. However, analyzing the JXplorer binary turned out to be only the first step into the world of backdoored software.


In order to validate my VirusTotal finding I downloaded a matching version of Windows installer ( from the official JXplorer SourceForge repository. Unsurprisingly, the MD5 hashes of both files were different. Last thing I wanted to do was to disassemble two 7 megabytes PE binaries so I started with simpler checks in order to locate difference(s). As binaries were packed with UPX, I unpacked them with the upx tool and compared MD5s of PE sections. The sections were all identical, with exception of the resource section. I was not sure how content of the PE resource section could affect behavior of the installer so I used VBinDiff to see the exact difference. The tool actually revealed the following modifications:
  • The manifest file located in the resource section, specifically the requestedExecutionLevel property. The original file required Administrator privileges (requireAdministrator) while the modified was fine with running with caller’s privilege level
  • Additional newline character appended to the file - explaining 1 byte size difference between the files
  • A relatively small (3230 bytes) blob of what seemed to be ZLIB compressed data at offset 0x4be095. Note the clear text file names just before the ZLIB header (http-2.7.9.tm, platform-1.0.10.tm).
The first two differences did not seem to be important so I focused on the last one. The identified ZLIB data was placed in the PE file overlay space and I figured that it was likely part of an archive used by the installer to store JXplorer files. Fortunately, JXplorer web page mentioned that JXplorer was using the BitRock Install Builder and after short search I managed to find the following Tcl unpacker for BitRock archives: bitrock-unpacker.

Once I installed the ActiveTcl and downloaded required SDX file I used the bitrock-unpacker script to unpack JXplorer installation files from both installers. Then I used the WinMerge tool to compare resulting files and directories. To my surprise there were no differences which meant that JXplorer application files were left intact. That also meant that I needed to dig a bit further.

After going through bitrock-unpacker code I noticed that it first mounted the Metakit database in order to extract installer files that were used to locate and extract the Cookfs archive storing JXplorer files. Using existing bitrock-unpacker code I created this Tcl script to dump all installer files from the Metakit database to disk. This time comparing BitRock installer files yielded interesting results.

WinMerge showed one difference - a file named http-2.7.9.tm, located in the \lib\tcl8\8.4\ directory.

Despite having the same size and timestamps (atime, ctime, mtime as extracted from the Cookfs archive) the file http-2.7.9.tm (MD5: f6648f7e7a4e688f0792ed5a88a843d9, VT) extracted from the modified installer did not remind standard http.tcl module. Instead it contained exactly what I was looking for.

Below is the summary of actions performed by the http-2.7.9.tm script:
  • Create a scheduled task named Notification Push to download and execute PowerShell code from hxxp://svf.duckdns[.]org
  • Write a JAR file (MD5: 9d4aeb737179995a397d675f41e5f97f, VT) to %TEMP%..\Microsoft\ExplorerSync.db. Create a scheduled task ExplorerSync to execute ExplorerSync.db
  • Write a JAR file (MD5: 533ac97f44b4aea1a35481d963cc9106, VT) to %TEMP%\BK.jar and execute it with the following command line parameters: hxxp://coppingfun[.]ml/blazebot %USERPROFILE%\Desktop\sup-bot.jar
  • Execute additional JAR file downloaded in the previous step
  • ping a legitimate domain supremenewyork[.]com
Some of the actions were a bit odd to me (Why would you drop malware(?) to user’s Desktop? Why would you choose that specific domain supremenewyork[.]com?). That got me thinking that I might be dealing with a testing version of modified installer. The names of files (blazebot, sup-bot) did not ring any bells either so I decided to do a bit of online research.
MORE & MORE (full text + links + screenshots): https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/

The full list of the repositories:



The full list of accounts


#security #privacy #virus #soft #programm #os #infection #github #repo #linux #windows #virustotal #java #jar #spy #spying
The #OpenJDK Transition: Things to know and do
https://hub.packtpub.com/the-openjdk-transition-things-to-know-and-do/ #java #programming #freesw
The OpenJDK Transition: Things to know and do
Entwicklungsumgebung: IntelliJ IDEA 2019.1 zeigt zuletzt besuchte Codestellen #Entwicklungsumgebung #Groovy #IntelliJIDEA #Java
#Java und die #Blockchain - jetzt wird alles gut...
Applikationsserver Wildfly: Schlank dank Galleon #ApplicationServer #JBoss #Java #WildFly
Later posts Earlier posts