
Wednesday, August 8, 2012

GMail can be key to your digital life

Matt Honan (Wired) has this heart-wrenching story of his digital life being erased. The door to this tragedy was his Gmail account.
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

You have heard this story from many channels (twitter, facebook, email forwards etc). So I won't repeat it.

But I do recommend enabling two-factor authentication on your Gmail account. It is an additional inconvenience that is necessary to safeguard your Gmail account and potentially your intertwined digital life.

If you have a smartphone such as an iPhone or Android, do not forget to review the section on Google Authenticator.


Perform the following steps:
1) Log into your Gmail account.
2) Go to settings via
https://support.google.com/accounts/bin/answer.py?hl=en&answer=180744&topic=1056283&rd=1
3) Now start the two-step process by giving a phone number (such as a mobile number).
4) Get the code via SMS or voice call. Activate your account.
5) Two-step authentication is now enabled for your Gmail account. You may want to set "trust the computer" for the computer you are using.

Now for each additional device, such as an iPhone, Android phone or iPad, that you use to get email, you can generate application-specific passwords.
https://accounts.google.com/IssuedAuthSubTokens#accesscodes

This is a one-time setup for each device. Ideally, you should change these passwords quarterly.

Google Authenticator (Smartphone Users)

Instead of receiving a call from Google each time you log in from an unknown location or device, you can use the "Google Authenticator" mobile app, available in the iPhone App Store and the Android Market.

1) Download "Google Authenticator" from your app store.
2) Log into your Gmail account.
3) Go to https://accounts.google.com/b/0/SmsAuthConfig
4) Start the Authenticator App.
5) Press the + button. Then press the "Scan the barcode" button.
6) Scan the barcode shown on the computer screen using your phone.
7) Once the barcode is scanned, the app will display a code.
8) Enter that code into the text box on the computer screen.
9) Click Verify.

Monday, July 23, 2012

PicketLink and Salesforce/Google Apps Integration

Marek Posolda from the GateIn team has written an excellent article on integrating Salesforce or Google Apps with JBoss. It is done via the PicketLink project.

The article is at https://docs.jboss.org/author/display/PLINK/3rd+party+integration

Marek also talks about GateIn integration with Salesforce and Google Apps using PicketLink at https://community.jboss.org/wiki/GateInSSOIntegrationWithSalesforceAndGoogleApps

References

GateIn SAML Integration Wiki

Monday, June 11, 2012

LinkedIn has a wake up call

All the IPO fun, the soaring personal assets and the increasing cash pile, must have gone a bit sour at LinkedIn now. They have probably started living on earth now, like the rest of us. I am referring to http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/ and http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html

I have been a LinkedIn member since its inception. It feels like close to a decade or more. I respect and use their services on a daily basis. Their advances in technology, primarily big data analytics, impress me.

But when customers/users provide you with their information, it is of utmost importance to safeguard it. LinkedIn failed to do that. But they are not alone. Every day, we hear of some data breach. The fundamental problem is that there is no easy way to secure anything. Passwords are useful for achieving a minimum level of security with minimal setup, but they are not the best form of security. Working toward preventing data breaches should be part of a daily routine.

The blog post from Vicente is very reassuring. In the next few years, LinkedIn will probably have fewer news reports about data breaches. Hopefully, Ganesh Krishnan (from my alma mater, BMSCE) can shine.

What LinkedIn needs to do is take their advances in big data analytics into security intelligence. Salting and hashing passwords is just the first step. You should incorporate device registration as well as use security analytics to thwart future breaches. Please be the first to show us the way with big data security analytics.

Good Luck to LinkedIn!

(Now can we please do something about the "Who viewed your profile?" leaks on LinkedIn on mobile apps?).

Sunday, May 27, 2012

When Access Control Systems Fail or are Absent,

you can have squatters at your company. And they are not in camp sites in your parking lots or dressed differently; they mingle and coexist with your legitimate employees. How cool is that. :)

Examples: 

1. A 19-year-old kid builds a startup while squatting at AOL.
2. A young Steven Spielberg squatting at Universal Studios for 2 months.

The story of Steven Spielberg claiming that he squatted for 2 months/years is rebutted in the media. It is a possibility. :) (http://www.anecdotage.com/index.php?aid=14372)

Another example of studio squatting: http://en.wikipedia.org/wiki/Daedalus_Howell#Controversy


So, give some love to access control systems. :)

Wednesday, May 23, 2012

Growing need for Social Intelligence

In the past, there were firewalls, employee agreements and corporate training to inculcate proper corporate etiquette in employees. As an employee, you were told that
  • when you were in public, sensitive corporate information was not to be uttered.
  • when you were sending an email outside the organization, your language/tone had to be watched.
Companies needed to maintain vigilance and diligence to safeguard their secrets, brand and intellectual property. Ok, that was the 90s.

Then came the world of blogging. Wikipedia became the de facto encyclopaedia of the world. Then LinkedIn, Twitter, Facebook, Foursquare and your-favorite-social-network-or-location-or-web2.0-application came into existence and started getting popular. Of course, I did not forget Pinterest and Instagram. The iPhone revolutionized mobility. Who has not clicked a picture of a place or product or something and published it on Twitter/Facebook? Instagram makes that easy.

This is the 21st century I am referring to. Companies started to get involved in social media to maintain brand recognition, marketing and customer outreach. Nothing wrong with that. Many companies encouraged their employees to embrace openness and use social media.

Things seem to be going well for everybody. But I am sure we will see some employee crossing the line and mistakenly sharing private, confidential information on the internet. Remember congressman Anthony Weiner's episode of forgetting to use "D" at the beginning of his tweet: rather than the tweet going as a direct message to one Twitter user, it got shared with the world. The rest is history.

Reading Network World's latest piece on security and social media, I strongly feel that there is a need for Social Intelligence. Rather than people monitoring social media to see if private information is getting divulged, we need intelligent software that can monitor the social world to flag rumours and threats to the corporate brand. I believe that many times employees step over the thin line not because they want to harm their employer, but because they do not know where the line starts and where it ends.

Let there be Social Intelligence, not to monger fear but as a valuable tool in safeguarding corporate brands and IP. Companies should not take the knee-jerk policy of banning social media from the enterprise. What you end up doing is lowering employee morale in this brave new world. Just manage your brand better via social intelligence.

Monday, May 7, 2012

Obfuscate your maven settings passwords

If you still have cleartext passwords in your settings.xml, then it is time for you to mask/obfuscate them. It will not be foolproof, but it is definitely better than having your passwords in the open.
https://community.jboss.org/wiki/MavenSettingsxmlMaskingPassword

Tuesday, April 24, 2012

GSOC 12 at JBoss is ready to roll

Google has announced the 1200+ students that will be participating via 180 organizations this year (2012). As announced a month ago, JBoss Community is one of the organizations participating in GSOC.

We generated a large number of Ideas and identified many mentors for those ideas.  It was an exciting phase. The Ideas page is at https://community.jboss.org/wiki/GSOC12Ideas

Since the number of official GSOC slots has to be finite (you do the math: 1200 students across 180 organizations, so maybe anywhere from 2 to 20 slots per organization), we were lucky to finally get 8 slots allotted for JBoss Community.

So after negotiations with the GSOC office and our mentors, 8 students were identified. The list for JBoss Community is announced at https://community.jboss.org/wiki/GSOC12JBossCommunityStudents

Congratulations to the students accepted into the GSOC program via JBoss Community. As true open source ambassadors, JBoss Community is not forgetting the students whose proposals have been rejected. We are working to include them in open source projects nevertheless. :)

In the end, open source is the winner!

Monday, April 9, 2012

PicketLink STS on JBoss AS 7.1.x

Thanks to community member Alex Jacinto, we now have a cheatsheet for running PicketLink STS on JBoss Application Server v7.1.x:

https://community.jboss.org/wiki/CheatsheetPicketLinkSecurityTokenServiceWithJBossAS71x

Thanks Alex.

Wednesday, April 4, 2012

Student interaction via GSOC has been awesome

In the last few years, JBoss Community projects participated in GSOC via the Fedora Program. This is the first year we are participating as an independent entity in the GSOC program, so naturally we are excited as well as learning.

So far the interaction with the student community has been awesome. They have come to JBoss Community with questions, interests and passions that we would not normally have. Since the deadline for student proposals is April 6, they have been scrambling with their proposals, hopping onto our email lists, IRC channels and forums.

Currently, the students are primarily interacting via the email list (gsoc@lists.jboss.org; signup: https://lists.jboss.org/mailman/listinfo/gsoc) and the IRC channel #gsoc-jboss on freenode (the log is at http://echelog.com/logs/browse/gsoc-jboss/1333490400).


The mentors that have signed up on the Ideas Page for JBoss Community (https://community.jboss.org/wiki/GSOC12Ideas) are excited, not only to have received multiple proposals for their projects but also to have great questions on their respective projects.

Monday, March 19, 2012

JBoss AS 7:: Social Login (Facebook Connect/ Google Authentication)

Background

There is no denying that social media is growing by leaps and bounds. The concept of social login has prevailed. Facebook and Google have turned out to be the holders of user information that can serve as the secure gateway into your web applications. Facebook / Google users are part of what is called "Consumer Identity".
In this article, we will look at a simple web application, part of the PicketLink Social project, that can help you visualize adding Facebook Connect / Google Authentication to your web applications. We will use the fast, free and awesome JBoss Application Server v7 as the runtime.

What is needed?

You will need to get hold of
  • JBoss Application Server v7.1 (at the time of writing, v7.1.1.Final was the latest).
  • The self-contained picketlink-reg.war (attached below).

Steps to follow

  1. Follow the JBoss AS7 user guide to extract the server. It is mainly just unzipping a zip archive.
  2. Now copy the attached picketlink-reg.war to the standalone/deployments directory of JBoss AS7.
  3. Make some configuration changes to the standalone/configuration/standalone.xml file to add a security domain as well as a bunch of system properties.
  4. Start JBoss AS7 in standalone mode.
  5. Test the web application.

Configuration Changes to be made in standalone.xml

TIP:  I do attach my "standalone.xml" to this LINK.

Define a security domain called "external_auth"

<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <!-- new block: the PicketLink Social login module handles the external (Facebook/Google) authentication -->
    <security-domain name="external_auth" cache-type="default">
      <authentication>
        <login-module code="org.picketlink.social.auth.ExternalAuthLoginModule" flag="required"/>
      </authentication>
    </security-domain>
    <!-- existing security domain "other" follows -->
    <security-domain name="other" cache-type="default">

What I have done is insert a block of security domain configuration inside the security subsystem configuration, before the security domain "other".

Define a bunch of system properties.

</extensions>
<system-properties>
  <!-- the OAuth client credentials issued by Facebook / Google for your application -->
  <property name="CLIENT_ID" value="Insert_your_client_id"/>
  <property name="CLIENT_SECRET" value="Insert_your_client_secret"/>
</system-properties>
<management>
  <security-realms>

We have defined a block for system properties at the end of the extensions block and before the beginning of the management block. Please have a look at the wiki article on JBoss AS7 System Properties for more information.

Note that I am assuming that your app is deployed on localhost. If the domain is different, then you have to define an additional system property called "RETURN_URL" with a value such as "http://thedomain/picketlink-reg/auth" (replace thedomain with whatever value you want).

How to test the web application?

Go to http://localhost:8080/picketlink-reg/
Now you can log in using either Facebook Connect or Google Authentication.
Note that the attached web application just outputs the name and email address of the authenticated user. You can get more information if desired by changing the configuration settings.

What changes do we need to make for a web application to use Facebook Connect or Google Authentication as its authentication mechanism?

You will need to configure the ExternalAuthenticator in WEB-INF/jboss-web.xml. Look at how the attached picketlink-reg.war application does it.


Reference
https://issues.jboss.org/browse/PLFED-272

Attachments

picketlink-reg.war is available at http://dl.dropbox.com/u/20060733/picketlink-reg.war
My standalone.xml is at Link.  You will need to change the client id and client secret.

This article is also available at DZone. Link is http://server.dzone.com/articles/jbossas7-making-your-web

Troubleshooting
  • In the Facebook Developer console where your app settings exist, go to Edit Settings -> Website:
    • Site URL: specify the URL of your web application.
    • Site Domain: the domain of your web application (if testing locally, you can specify localhost).

Friday, March 16, 2012

JBoss Community accepted into GSOC 12

With great privilege and honor, I want to share this exciting piece of information: JBoss Community (http://www.jboss.org) has been officially accepted as a participating organization in the Google Summer of Code 2012.

Please take a look at all the participating organizations. List is at http://www.google-melange.com/gsoc/accepted_orgs/google/gsoc2012

In my view, the GSOC Ideas Page (https://community.jboss.org/wiki/GSOC12Ideas) is a clear indication of the amazing variety of Open Source Projects hosted at JBoss Community as well as the enthusiasm and team work displayed by all potential administrators and mentors.

Here is to a successful summer for our mentors and students as part of GSOC 12.

Special thanks to Dan Allen, James Cobb and all the participating mentors for having made this JBoss initiative for GSOC 12 possible.

Real Team Work at JBoss Community to clear the first step in the GSOC 12 Program.

Wednesday, March 14, 2012

Book Review: Java Performance: Charlie Hunt, Binu John

My Rating: 5 out of 5 stars. (Strong Buy)

Why you need to buy this book:
1) There is no other strong book on Java performance in the market.
2) Written by experts who deal with improving the performance of the Hotspot Java VM on a daily basis.
3) Extensive description of the internals of the Hotspot JVM. Previously the JVM was a black box that would run your Java applications. This book lays out the JVM as an open book, so you have an opportunity to master the JVM.
4) It is from Addison Wesley, who publish GREAT books.

My Favorite Chapters:
Chapter 3: JVM Overview.
Chapter 4: JVM Performance Monitoring
Chapter 5: Tuning the JVM, Step by Step

Review:
I have had this book for a month now, but I have not read it completely. The reason is that this is an advanced topic. The book goes into such depth describing Hotspot JVM concepts that you have to tread very slowly. I mean very, very slowly.

My approach has been to go to the chapters which I am interested in, and then go back to the chapters that give background information. I strongly recommend that you keep this book close to your work area, because you will require it often, not only to brush up on your reading but also to use as a reference when you tune your Java applications. BUT THIS BOOK IS A DEFINITE MUST FOR YOUR COLLECTION.

Let us go chapter by chapter on the ones I have read.

Chapter 2: Operating System Performance Monitoring
I particularly liked the treatment of "monitoring CPU utilization" on various operating systems (Windows, Linux etc).
There is a lot of information on memory usage monitoring and disk I/O monitoring that a performance engineer will definitely need.

Chapter 3: JVM Overview
This is a brilliantly written chapter.
Right at the start, the authors state that users of Java technology see the JVM as a black box. My opinion: well, this is the irony or fact or destiny or whatever. Java performance has been voodoo over the years. Extensive documentation (that is not confusing) along with reasonable JVM defaults is the way to go.

The chapter does very well to talk about ordinary object pointers (oops) and the new JDK6+ feature called "compressed oops", which gets 32-bit-like performance on 64-bit JVMs. The gist is that the compressed oops feature improves CPU cache utilization.

The chapter goes to great length to talk about class loading, the internal VM architecture etc. A very, very good chapter. Read the section on garbage collection. There is a great discussion of the generations as well as of the collectors.

Chapter 7: Tuning the JVM step by step

This chapter is just a beauty. There are around 70 pages devoted to it. So much content just for JVM tuning. Probably, this topic requires 1000 pages. But the authors have done JVM tuning as part of their jobs, so they have condensed the topic into 70 pages based on their years of experience.

I will update this review as I finish reading the other chapters. I can grumble that the book is very intense, but it is a happy grumbling.

Final Commentary:
I have attended talks by Charlie Hunt over the years. Charlie is extremely knowledgeable and very passionate about the JVM. No wonder he has turned out a gem of a book.

Anil Saldhana
JBoss Community
Chicago Java Users Group

Friday, March 9, 2012

Open Source and Security Response

We live in a very interesting world. I term it interesting and not dangerous because I see a lot more good in this world than bad. So unlike the media, who love to portray primarily the bad, I would like to talk about the good in the world. A good in the world for the last few years has been Open Source.


Open Source has given many benefits to this world including:
  • Free alternatives to paid Operating Systems.
  • Free open alternatives to the Apple iPhone/iOS ecosystem.
  • Apache Software Foundation, JBoss community, Linux Foundation and other communities that have shipped and are shipping great free open source projects including Apache Httpd Web Server, JBoss Application Server, Linux Distributions etc.
  • Free alternatives to Microsoft Office Ecosystem.

Now let us look at web browsers. They have been our gateways to Internet content. Of course, you need an ISP or a Wi-Fi connection to get to the internet. But browsers have been the main avenue to access the rich content that is on the internet. Browsers such as Mozilla Firefox, Google Chrome and Opera have been very beneficial to the world. All 3 of them take the security of their users very seriously.

I was reading about Google Chrome getting hacked in less than 5 minutes (http://it.slashdot.org/story/12/03/07/2352220/chrome-hacked-in-5-minutes-at-pwn2own). Ok, it was not magic. Those guys definitely had knowledge of some zero-day vulnerabilities that they had not disclosed before, and used them to get to 60K. (Please read up on zero-days at http://en.wikipedia.org/wiki/Zero-day_attack).

Now let us talk about the value of Security Response to open source projects. Almost all major OSS foundations (Apache, JBoss, Linux etc) are backed by a proactive security response team who stay on top of vulnerabilities in their projects.

As the number of open source projects is on the rise, it is critical that you adopt an open source project that has an excellent security response team and provides newer versions of the project with the fixes. The ball is also in your court to stay on top of newer releases. If you are unable to manage the patches or get onto newer versions of projects, then I strongly suggest that you adopt commercial versions of open source software such as the JBoss Platforms (EAP, SOA-P, EPP etc) or Hadoop (Cloudera/MapR/HortonWorks), because these are backed by a security response team who will provide the necessary patches. Trust me, all software at all times will have at least one vulnerability. Software does not get created by magic but by humans, who are prone to mistakes.

For this reason, I feel that security response is a critical aspect of open source choice and adoption. Please visit Red Hat's Security Response for additional information, as well as for understanding the role of open source and security: http://www.redhat.com/security

We are currently at http://anil-identity.blogspot.com/2012/03/open-source-and-security-response.html


Thursday, March 1, 2012

Open Source PicketLink v2.0.2.Final Released

The JBoss community project PicketLink has released its latest version to the community: v2.0.2.Final. You can get a lot of details about this release at https://community.jboss.org/wiki/PicketLink202Final

The release will also be included as part of the forthcoming JBoss Application Server v7.1.1 release.

Please use the community forum to ask questions or provide feedback. The forums are located at https://community.jboss.org/en/picketlink?view=discussions

The dashboard is at https://community.jboss.org/wiki/PicketLinkDashboard

Enjoy!

Thursday, February 16, 2012

JBoss EAP is Common Criteria Certified - EAL4+ (Highest Level Security Certification)

This morning, the press release went out announcing the certification of JBoss Enterprise Application Platform 5.1.0 and 5.1.1 at the highest level of evaluation in its category, EAL4+.

The press release is available at http://finance.yahoo.com/news/JBoss-Enterprise-Application-bw-1345517824.html?x=0

The CC Guide should be available soon at http://docs.redhat.com/docs/en-US/index.html

I am confident that security conscious customers will find this news refreshing.

Friday, February 10, 2012

OpenShift Express PaaS always comes to my rescue

Most of us have been through this. You have to put up a demo for a customer, a conference or just to show something to a person living far away. Now, assuming the other person is not on the corporate network, you have to look for a server that is publicly hosted. Forget getting a computer outside your corporate DMZ; you have to go through many hurdles. All the corporate security stuff comes into play. We cannot blame anybody for being so paranoid, given the state of the world. Everybody is getting hacked these days. Now, the irony is that the demos may be a representation of some tech that is not critical from a security perspective but has value when displayed to a viewer. That is why it is called a DEMO.

You may say there is Amazon EC2. Well, that's cool. I have used EC2 for some quick demos. But I have always had to stay on my toes, because I would need to shut down the instances once the job was done. The reason was that the credit card meter would be running (just like a long-distance taxi meter).

A couple of years ago, I did write some simple web apps on Google App Engine. They are probably still running. Wow, Platform-as-a-Service. You write apps and don't have to worry about dev-ops, cap-ex, op-ex etc. Certainly for simple apps, your credit card meter is not running.

The challenge with GAE was the restrictive API that you had to program against. It was a pain to code to a whitelisted API.

Enter OpenShift, a PaaS from Red Hat. I have been running many demos on it for months. A cheatsheet I have is https://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift

Why do I like OpenShift Express PaaS?
  • It's free.
  • It allows me to deploy standard Java EE web apps in minutes.
  • I do not have to worry about server administration.
  • I do not have to worry about checking if the web app is running.

I did put up another demo today, for a key management app. Check it out here: http://symkey-anilsaldhana.rhcloud.com/keymg.jsp

What are you waiting for? Give OpenShift PaaS a spin.