Friday, September 26, 2008

New deployer mechanism in AS5

If you have not yet had a chance to look at this great blog post by BobMc on deployers in JBoss Application Server 5 (JBAS5), then the time is now. :)
Deployers in JBoss Microcontainer

The deployers are organized by the deployment stage in which they run: parsing, class loading and real deployment.

Wednesday, September 17, 2008

JBoss Application Server 5 is EE5 Certified

The historic post is here:

JBoss QA King Rajesh says:
JBoss Application Server 5.0.0.CR2 has been released and is available for download.

This is the last candidate release of the JBoss 5.0.x series for the Java EE™ 5 codebase
and the first JBossAS release that fully complies with the Java EE 5 conformance testing certification requirements.

Detailed release notes:


If you want to know more about the security features in JBoss AS v5, then peruse:

In the meantime, watch for more information at Sacha's blog and Dimitris's blog.

Phishing: reading celebrity gossip

Are you interested in searching for celebrities on the web? How about when you want to read celebrity gossip? It does not matter whether you read it in your free time, sneakily during work hours, or using the "Privacy Mode" of a modern browser behind closed doors late at night. The problem is that cyber criminals increasingly target exactly those searches to get at you and your money.

I am referring to new and scary information from Jeff Green, Senior Vice President of Product Development & Avert Labs at McAfee. You can read it here.

"Cybercriminals employ numerous methods, yet one of the simplest but most effective ways is to trick consumers into infecting themselves by capitalizing on Americans' interest in celebrity gossip"

Who are the celebrities to watch out for? Brad Pitt, Justin Timberlake, Beyonce, Heidi Montag, Mariah Carey, Rihanna and Fergie, Angelina Jolie, Jessica Alba, Cameron Diaz, George Clooney, David Beckham, Katie Holmes, Lindsay Lohan, Katherine Heigl and every other celebrity on the planet. :)

Security in Google Chrome

At the Oasis Security Forum in London in two weeks, Yngve, Chief Security Architect at Opera, is going to present on "Modern Browser Security". I am looking forward to Yngve's presentation. The green toolbar (driven by EV certificates) is certainly a nice feature, but it does not guarantee total security. Remember that an EV certificate vouches for the identity of the organisation operating the website; it says nothing about what the web content does once it is loaded. :(

Since the major browser makers have put a lot of emphasis on security, it is worth looking at the security features in the new browser from Google, called "Google Chrome".

1) Privacy Mode
Chrome has a privacy mode; Google says you can create an "incognito" window "and nothing that occurs in that window is ever logged on your computer." The latest version of Internet Explorer calls this InPrivate. Google's use-case for the "incognito" feature is, e.g., keeping a surprise gift a secret. Note that the protection is purely local: the sites you visit, your ISP and any proxy in between still see every request.

2) Web apps can be launched in their own browser window without address bar and toolbar.

3) To fight malware and phishing attempts, Chrome constantly downloads lists of harmful sites. Google also promises that whatever runs in a tab is sandboxed so that it cannot affect your machine and the tab can be safely closed. Plugins the user has installed may escape this security model, Google admits.
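The "lists of harmful sites" in point 3 are not lists of URLs. In the Safe Browsing protocol that Chrome (and Firefox) use, the browser downloads short SHA-256 hash prefixes of canonicalized host/path expressions, checks every URL locally, and only contacts the server to confirm a prefix hit with full hashes. The following is an added example of that lookup, not Chrome's code; the canonicalization is simplified, and the bad-site list and the example.test hosts are constructed for the demonstration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # the downloaded lists hold 4-byte SHA-256 prefixes, not URLs


def canonical_expressions(url):
    """Host/path combinations a client checks for one URL.

    Simplified canonicalization (assumption: lower-cased host, no IP-address
    or percent-encoding handling): host suffixes with at least two labels
    (at most five hosts) combined with the exact path (with and without the
    query) plus directory prefixes '/', '/a/', '/a/b/' (at most four).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    hosts = hosts[:5]

    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths.append(path)
    components = [c for c in path.split("/") if c]
    if not path.endswith("/"):
        components = components[:-1]  # last component is a file name, not a directory
    prefix = "/"
    dir_prefixes = ["/"]
    for component in components[:3]:
        prefix += component + "/"
        dir_prefixes.append(prefix)
    for p in dir_prefixes:
        if p not in paths:
            paths.append(p)
    return {h + p for h in hosts for p in paths}


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


def hash_prefix(expression):
    return full_hash(expression)[:PREFIX_LEN]


# Constructed sample list (assumption: invented example.test hosts, not a real
# feed).  The browser keeps only the prefixes locally; the full hashes stand in
# for what the server returns when a prefix matches.
BAD_EXPRESSIONS = [
    "malware.example.test/",
    "cdn.example.test/downloads/",
]
LOCAL_PREFIX_LIST = {hash_prefix(e) for e in BAD_EXPRESSIONS}
SERVER_FULL_HASHES = {full_hash(e) for e in BAD_EXPRESSIONS}


def lookup(url):
    """Return ("safe" | "blocked", prefix_hits) for a URL.

    A miss in the local prefix list needs no network round trip, so the
    visited URL never leaves the machine.  A hit is confirmed against full
    hashes, because 4-byte prefixes can collide with benign expressions.
    """
    expressions = canonical_expressions(url)
    hits = sorted(e for e in expressions if hash_prefix(e) in LOCAL_PREFIX_LIST)
    if not hits:
        return "safe", []
    confirmed = [e for e in hits if full_hash(e) in SERVER_FULL_HASHES]
    return ("blocked" if confirmed else "safe"), hits


if __name__ == "__main__":
    for u in ("http://www.malware.example.test/index.html",
              "http://cdn.example.test/downloads/tool.exe?x=1",
              "http://cdn.example.test/about.html",
              "http://www.example.org/"):
        print(u, "->", lookup(u))
```

Two properties of the design are visible here: a listing of `malware.example.test/` catches every page on the host and its subdomains because of the suffix/prefix expansion, and a browsing history is never sent to the list provider, since only a prefix hit (a rare event) triggers a full-hash query.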

For more info, look at this blog entry at blogoscoped.

Apart from the privacy mode, I think the modern browsers are making an honest effort at fighting phishing and malware.

Friday, September 12, 2008

Mozilla readies "Private Browsing"

Mozilla Firefox 3.1 (which will go beta this month) will have a "Private Browsing" mode (aka P0rn Mode in informal circles). I guess the privacy advocates will be a little happier about this move from Mozilla (or maybe not, considering that all the other browsers - Safari, Chrome, IE etc. - have adopted a roadmap for this).

But let's ask the following questions about the need for Private Browsing:
a) What is it useful for?
- watching prohibited stuff at your cube? (Remember that private mode only keeps the history off your own machine: the remote site still logs your visit, and the enterprise proxy still logs your web requests.)
b) Is it a missing feature that cannot be lived without?

From the WashingtonPost article:
Much like Chrome, users will be able to open a separate window in Firefox 3.1 that will let them browse the Web in any way they see fit without worrying about the wife or kids entering the History menu and seeing why they spent the last hour in the office with the door locked.

Interesting Feature?

Well, if Mozilla had instead worked toward providing a safe browsing mode for children (wouldn't that be a significant effort?)..... I know, I know, it is not easy to filter out content, links etc., plus the market is small. Ok, what about a "Do no evil" strategy? (It is Google's, but I consider Mozilla to also do no evil.) Johnathan Nightingale, Human Shield at Mozilla, is a good friend from the W3C Web Security Context Group. I am certain that Johnathan does not aspire to do anything evil. Now let's see a safe browsing mode for small children. Come on, Mozilla.

Ok, let's look at the CNET News piece:

Another aspect of the current unnamed feature will save all tabs and close the session, re-opening a new blank browser window. When the private session is finally turned off, the older session will re-open. One difference from Microsoft's InPrivate will be that there won't be any neon advertising that private mode has been activated, according to Mike Connor, the lead developer on Firefox. The fact that you are using a privacy mode will remain private.

Certainly, this is a feature we have been missing. (sigh.......)

UPDATE: I do see a useful use case for a browser's private mode - (look at the Private Browsing section).

Securing Open Source

The dust has not yet settled on the recent discussion in the media about the security worthiness of Open Source Software. In continuation of my assertion that open source software can be as secure as one intends it to be, I will be giving a presentation titled "Securing Open Source" at the DHS Software Assurance Forum at NIST in October. The DHS National Cyber Security Division is the main sponsor of this forum.

What will my presentation talk about? Well, once it is ready I will post it here. In the meantime, I would like to talk about the secure practices we undertake in JBoss development as well as lessons learned during the ongoing Common Criteria Evaluation of JBoss EAP 4.3.

This month, I am moderating a panel as well as chairing sessions at the Oasis Security Forum in London. Stop by if you live in and around London. :)

So what really goes into securing open source? It is mainly the processes followed in the development and maintenance phases of the software. Many times, open source software is written by enthusiasts and philanthropic developers for whom getting the latest innovation out is of primary importance. In those cases, security and maintenance certainly get little attention. But those cases are not the general trend for open source. For open source projects/products such as Apache httpd, Tomcat, Linux (Red Hat) and JBoss, you have one or more companies standing behind the success of the project. In these cases, security is dealt with as and when needed: every security vulnerability is fixed as soon as possible.

Read more here.

Monday, September 8, 2008

Can history help us prepare for HiTech Crime?

A very interesting answer from Paul Wright, Head of Computer Crime at the City of London Police, on the LinkedIn Q&A forum. The question, which I had asked, was "How important is it to safeguard customer data?" (You may say it is a dumb question. I was more interested in the answers from the experts than in being satisfied with my own perception.)

Can history help with this? Who brought down Alfonso Capone? Was it, Frank J Wilson, George E Q Johnson or Elliot Ness? They all played their part but in real terms, it was none of them, it was a shooting in February 1930 that led to Capone's downfall. The details of which are sparse, fragmented, and shrouded in secrecy, but what the event did do was trigger the formation of the 'Secret Six'.

Their aim was to assist law enforcement in taking down organised crime, and in particular Alfonso Capone; and they succeeded, for in July 1931 'The Chicago Herald' reported him as saying:

"The Secret Six has licked the rackets. They've licked me. They've made it so there's no money in the game."

Since that time the upper echelon of the criminal fraternity have responded by moving into the unlawful obtaining of customer data, where the perception is that information is less well protected and the sentencing of offenders, when caught, is relatively light.

If we do not invest in the skills necessary to enable us to investigate such abuse in this ever-changing environment, we will have to contend with playing 'catch-up' in understanding how new technologies are associated with a range of traditional wrongdoings. To achieve this, all will have to commit adequate funding and combine it with a promise of quality.

Unfortunately not all of those who use the Internet do so with good intentions. In order to facilitate the goals of this element there is a growing amount of information on the web that is showing them how to commit various unlawful acts using a computer and the information highway.

Why is customer data so easily exploited? This is due to the Internet and the data being readily available; once obtained, it is used to facilitate a cocktail of offences. This causes some to ask whether we should consider the use of private sector controls requiring organisations to take effective steps to tackle the risk of security breaches, especially as the works of those who produce investigative guidelines for hi-tech and e-crime tend to focus on detection and prosecution, giving reduced attention to the area of e-crime prevention and little attention to the forensic intelligence analysis of seized data.

Therefore, is there a need for multidisciplinary partnerships between academia, industry and law enforcement to work on the loss of customer data? The combined effort could produce a number of significant results, from developing research into technologies and tools, to creating a repository for technical papers. Many already encourage us to share knowledge, expertise and experience. This sharing of information could give organisations the tools to put in place better defences to tackle the abuse of computers and computer systems. It is only through better understanding of the scale and the scope of the problem that they will be able to build effective strategies to deal with it.

Regrettably, the percentage of organisations reporting computer intrusions has continued to decline. The key reason given for not reporting intrusions was the fear of negative publicity. As a consequence, this has resulted in a belief that the threat and impact have also been gravely underestimated.

There has to be a realisation that organisations cannot create such a secure environment in isolation. It will require them to establish internal and external partnerships that are supported by a framework of regulation and legislation.

The 'Secret Six' showed us how an alliance can defeat organised crime; however, seventy years on we are faced with a similar predicament, only now it is on a huge global scale and is being facilitated by the Internet and technology. Could a modern-day 'Hi-Tech Six' achieve the same results?


Paul will be keynoting at the Oasis Security Forum in London this month. See you there, Paul.

If you live in/around London and are interested in software security, then you should try to attend the forum. I will be moderating two panels at the forum.