20050422

Shaj simple, uncomplicated, perfect for a white hat hacking tool

Shaj is my kind of open source. You only have to overcome the hurdle of using JNI and then you have a useful tool simply expressed.

When you are basing products on open source there is a large element of risk associated with each library. Keeping each one simple and not allowing it to take over your architecture is the key to mitigating this risk.

I like Shaj because its API is 3 methods, but its impact on the functionality of the system is potentially huge.

Here are some potential uses:

  • To verify on a local system that the user who originally logged in is still the user of the application.

    This is the only safe use of this library.

  • To verify that a remote user is a valid user of the operating system.

    Just don't tell your system administrator that you are using it; they might get a little worried about exposing OS security through an application, unless you are already using a powerful distributed security framework.

  • To write a password cracker. Although, you would need access to run your own JVM on the target machine.



What would be nice is if there was the option to 'become' that user as far as the OS is concerned, either on a VM or Thread level. But that would make things more complicated.
