Tamper-proof Software

10 February 2021, Kevin Watzal

I recently came across the book called Surreptitious Software which is about protecting software from being changed, copied or sometimes even understood in various ways.
Through the introduction of SaaS and the increasing number of web applications the need and knowledge of tamper-proof software decreases.
Nevertheless, there are still applications which do not run on a server or in the browser for various reasons. Especially when a license, or any other payment method is needed to use the software it is vital that the check behaves like it was intended, at least for the business of the creator.


There is a difference between tamper-proofing and obfuscation. While the aim of obfuscation is to make it hard to reverse-engineer and understand the software it does not prevent modification.
However, when code is not obfuscated, it is easier to understand how it behaves and to find and remove the checks, that detect modifications (which is ironic, don’t you think?).

Why you should stop using the word "password"

17 November 2019, Kevin Watzal

Since xkcd is a very popular comic, I am pretty sure you know this comic. What is the main message? Let’s find out!

Tell me a random word

If I ask you to tell me the first word which comes to your mind, you would say something like “Idea”, “word” or even “ehm”, rather than “P4sSw0Rd”, “?let_me_in_000!” or “test1234”. Part of this is that saying your own password is a bit obvious, but maybe you would say: “That is more than one word!”. Why is it not a word? Saying a number or special character will most probably be defined as own word, which is totally correct in linguistics.

What is a word?

According to Cambridge Dictionary a word, in contrast to a sound or syllabus, is something which has an objective meaning. Yes the meaning of a word differs on the way you pronounce it. Screaming “OKAY” has a different meaning than whispering “okay”, but try to teach that to a machine. However, requiring a password implicitly forbids using numbers, spaces or emojis. Hence when a service wants you to choose a password but does not allow you to use (some) special characters or spaces, it is technically correct, but enforcing you to use a number is then wrong.

What is a passphrase?

“A phrase is a group of words”, says Cambridge Dictionary! So a passphrase can be a group of passwords, couldn’t it? When you now ask people to tell you a phrase, you may hear “Hakuna Matata“, “Once in a blue moon“, or “Oh, okay, I can do this!”. It will be longer and also easier to remember.

Serve your Ktor app with Heroku

15 November 2019, Kevin Watzal

Have you ever written an useful web application and wondered how you could deploy it very cheap? Heroku lets you deploy and manage your application and supports a wide variety of languages, frameworks and also features databases or scalability.

When you only want to host a small application, it even is free of charge for you.

Let’s be honest, there are already a lot of blog posts about Heroku and how to deploy Java or Kotlin apps, but all include Spring Boot, which is not really bad, but in my opinion, too much overhead if you only have a small application.

So let me introduce Ktor (and Kotlin if you don’t know it yet).

Ktor is an asynchronous web framework for Kotlin, which offers everything you would expect from a web-framework, but it is also easy to understand, learn and use. In other words: less code for much value.

Continuous delivery infrastructure as code

10 May 2017, Martin Ahrer

This is part 1 of a series of posts covering Docker in a Continuous Delivery environment.

Today I’m showing how simple it is to setup a continuous delivery build pipeline infrastructure using Docker. In an upcoming post we will look at Jenkins pipeline as code creating Docker images and running integration tests against Docker containers. The series will close with an article explaining how we can move all containers built throughout this series of posts in a Docker swarm environment.

We will be using the following components, tools and techniques:

  • Jenkins master (Jenkins 2.x with its pipeline support)

  • Jenkins agent

  • Sonatype Nexus 3 (for a Docker registry)

  • Docker in Docker (specifically DooD)

  • docker-compose

  • Docker volumes for managing persistent data (pipeline jobs)

  • Docker networking

Finally we will be using this continuous delivery system to run a pipeline for building and testing a Docker image for a simple Spring Boot based web application.

Before we dive in th details let me explain why we use docker-compose. As we are building a set of Docker containers we will likely end up with a rather complex configuration. Running and keeping those containers up to date would require quite some lines of shell scripting code.

docker-compose tries to eliminate shell scripting and provides a YML based format for describing container configuration and dependencies. It further comes with a CLI for fully controlling the life-cycle of images, containers, volumes, etc. docker-compose is well suited for managing multiple environments such as development, testing, etc.

To run all the code yourself just checkout the sample project from GitHub and follow the instructions here. All of the Docker related code for building the infrastructure is located at src/infrastructure/docker.

docker-compose best practices (part 2)

07 February 2017, Martin Ahrer

This is part 2 of a series of blog posts about docker-compose. This time we look at managing large numbers of compose projects.

When building complex infrastructure using docker-compose we soon end in a mess of scripts for starting, updating, etc. containers. I will try to describe an approach that has helped to get this done in a very structured way.

docker-compose best practices (part 1)

06 February 2017, Martin Ahrer

In this blog post we are looking into how we can create modular compose projects.

With docker-compose we can describe a bunch of containers and container related resources such as networks and volumes that make up an application. All this is usually going into a docker-compose.yml file.

As an application grows complex its worth to consider modularizing compose descriptors. Instead of stuffing each and every item into docker-compose.yml we can split out individual containers. This gives us the flexibility to build optional containers that we just load in certain environments. Or we just do it to manage complexity just like we do it with ordinary source code.

Let’s look at some real scenario. We have to run a Jenkins build server made up from a master and an agent. Below we find a typical compose descriptor which can get really big as the number of containers it is describing is growing.

Bean Mapping of Transfer Objects

08 March 2016, Martin Ahrer

In the past years I have been working on multiple projects where the so-called Data Transfer Object (short DTO) pattern has been heavily used. This is a pattern that has even been a core pattern in the JEE world. This pattern certainly has its justification for the right cases. But in many cases I have seen it applied inappropriately. This blog posting by Adam Bien, a JEE advocate, is outlining the case where it should be considered useful. However when applied, this pattern comes at the cost of additional code to maintain and some extra CPU cycles for doing the mapping.

In this post we take a brief look at some mapping frameworks (just enough to do simple bean mapping). Finally we do some simple benchmarking just to get an idea what the performance costs of bean mapping are.

Older posts are available in the archive.