Thursday, April 24, 2014

The Most Difficult Thing About Raspberry Pi

The most difficult thing about Raspberry Pi is determining which Raspberry Pi project is most interesting to you.  A while back I wrote a Java program to measure my Internet connection bandwidth.  I was thinking it might be a cool project the project over to the Raspberry Pi, write a JavaFX display, and display it like a picture frame on my desk.  Maybe build my own WIFI Pineapple security tool.  I'm still not sure what I want to do but first I need to get the hardware working.

A little background, at my home everything uses the Internet.  I have in the range of 40 to 50 Internet connected devices online at any one time, multiple managed switches, ISP gear, VOIP services, iPhones, solar monitoring, etc.  Do I really really need all this technology?  Nope, not at all but it's just fun to play with.  That is, until I blow up my home network in the middle of my wife's phone call or the kids Netflix isn't working.  The family knows just where to go when the our home IT is not working so keeping my customers happy is important.

For my project I have a basic Raspberry Pi computer and 2.8" TFT display.  I will follow-up with the nuts and bolts of the hardware list at the end of the article.  To begin all Raspberry Pi projects require an image to boot.  If your comfortable with *nix installs then you will feel comfortable setting up a Pi.  Download the Raspberrian image.  Write the image to an SD card.  On OSX, I used the ApplePi-Baker to write the image to an SD card.  My Mac Air just happens to have an SD card slot - whoot!

For me, getting a Pi working was not enough.  I wanted to the get the small 2.8 TFT display working with the Pi as well.  There are some subtleties of the TFT display, and perhaps other TFT displays, to be aware of.  In my case, the screen I'm using uses the GPIO pins so it may not be compatible with other hardware that may use the same pins.  Meaning if you are planning a bigger project there is some reason to to stick to the available composite video port or better yet the HDMI port.  The next concern is the display requires some modifications to the kernel.  All these details are included on AdaFruits web site.  Modifications aside, the results are impressive and the display only uses about 70ma.  Very low power.

After getting the computer and display together and basic testing out the way.  I thought I would try their sample movie and open source animation, "Big Buck Bunny".   It ran pretty well but since my Pi does not have sound I'm missing half the story.  In any case, the animation framerates appear reasonable to the eye.  I notice the movie is optimized for the small display size.  I believe if your using the HDMI port there is hardware acceleration so it's probably a bit more forgiving when playing different movies but I have not tried it yet myself.

Next, I got X-Windows and the desktop working.  Interestingly enough, the screen saver is set by default.  After a few minutes it turned off my screen and I thought the computer crashed.  A quick push to the touch sensitive screen and my computer was alive again - phew!  Of course, it's difficult with my chubby fingers to push small UI widgets on the screen.  Any graphical application you write will have to be optimized to make use of the full screen width and keyboard shortcuts.  For the finishing touches I purchased a PIBOW 3d printed enclosure (on right) that accommodates the screen.  Everything works surpassingly well out of the box and following AdaFruits instructions.  It would be great if the PIBOW case included a smoked acrylic basel but mojo bang for the buck.  Enjoy!


My parts list is as follows.

Raspberry Pi Model B 512MB RAM
PiTFT Pibow kit
Adafruit PiTFT - 2.8" Touchscreen Display for Raspberry Pi
32gb SD Memory Card
USB charging cable
Ethernet cable
*Core components purchased from AdaFruit.

Thursday, April 10, 2014

JavaOne 2014 Security Track Early Acceptance Sessions

The following, JavaOne 2014 Security Track Early Acceptance Sessions, provides information about Oracle’s upcoming JavaOne security track.


Spotlight on Java SE 8 Security

March 18, 2014 was the long anticipated release of Java SE 8.  I though I would spotlight some of the key security features of Java 8 for readers.  First, many are not aware of security improvements made to Java 7.

Java 7 Security Review

Let’s begin with a quick review the Java SE 7 security features that were rolled into Java SE 8.  I only cover the key features but the details are available at, Java Rich Internet Applications Enhancements in JDK 7.

UI control to enable and disable Java (Area: Java Control Panel, Java 7 Update 10)
Quickly disable or enable Java when run as a Rich Internet Application (RIA) like Applets and Web Start plugins in the web browser.  This allows individuals to quickly disable Applets if concerned about exploitation.  Essentially this is the Java Kill Switch for the browser.  It’s a good feature to have but there are better features to mitigate risk as I will describe (e.g., Security Slider, DRS, Site Exception List).

Java Security Slider (Area: Java Control Panel, Java 7 Update 10)
Allow end-users and enterprises to change the security slider settings from Medium to Very High to balance security vs. operational concerns.  Since the slider was introduced “Low” and “Custom” levels have been removed.

Java Expiration (Area: JRE, Java 7 Update 10)
Oracle has 4 Critical Patch Updates (CPU) per year or security patches.  When the CPU is released, outdated versions of Java may behave differently depending upon how Java is used.  Some activities performed on outdated RIAs carry more risk.  In such cases, some activities that carry more risk may issue security warnings to end-users or be blocked entirely depending upon configuration.  A specific example is running unsigned Applet code which is not allowed by default in Java 7 Update 51 and later.

Expanded Black Listing Support (Area: JRE, Java 7 Update 21)
Each version of Java includes a trust store with approved roots of those participating in the Java SE Root Certificate Program.  Black Listing is a product safety feature designed to augment standard PKI community processes for certificate management and maintaining confidence in signed code.  From a functional perspective, individual certificates or code modules (e.g., both signed and unsigned JARs) may be black listed.  The Black List is checked daily on Java clients where not prohibited by network firewall rules.

Security Model Improvement (Area: JRE, Java 7 Update 21)
Signing code no longer grants plugin privileges.  Signing establishes identity of the code author.  The Permissions attribute establishes application privileges.

Revocation Services on by Default (Area: JRE, Java 7 Update 25)
OCSP and CRL revocation services are active by default for Java deployments.  Operation revocation services is very important preparation work establishing code-signing as a standard.

Code Repurposing (Area: Plugins, Java 7 Update 25)
New attribute was added to discourage JARs from being repurposed by other web sites.  Use the Codebase attribute to bind the code module to a particular site.

Deployment Rule Set (Area: Plugins, Java 7 Update 40)
An enterprise class feature to create security policies in Java that reflect organization IT policies.  For example, it’s possible to block all Applets by default then allow access to corporate or partner applications.  Deployment Rule Sets (DRS) are an important control to discourage Java’s use as a vector for exploitation by 3rd party malware commonly found in advertisements and emails.

Control of Security Warnings (Area: Plugins, Java 7 Update 40)
When Java is outdated and operating below the baseline a warning is presented to end-users communicating increased risks and encouraging them to upgrade.  The configuration setting (e.g., deployment.expiration.check.enabled=false) allows enterprises to take responsibility for their own deployment processes and mitigate interim risks.

Code-Signing is Default (Area: Plugins, Java 7 Update 51)
Since Java 7 Update 51 (Jan 2014) signed RIA code is now the default.  Unsigned and self-signed legacy code is supported but requires additional configuration to work.

Site Exception List (Area: Java Control Panel\ Plugins, Java 7 Update 51)
The Site Exception List is the consumer analogue for DRS.  Exceptions can be added easily by consumers to support legacy RIAs.

Permissions Attribute (Area: Plugins, Java 7 Update 51)
All Applets must include the Permissions attribute in the manifest to specify if the code is executing with or without security privileges, outside or inside the sandbox respectively.  Including this feature was a subtle but significant change to the Java security model.  Previously, signing RIA code provided implicit privileges.  Now permissions must be provided explicitly.

Uninstaller (Area: JRE, ongoing)
Cleaning up outdated versions of Java where no longer used is important for improving security posture.

That wraps up the high points for Java SE 7.  For more information on Java SE 7 security see, Java Rich Internet Applications Enhancements in JDK 7.  Let's move on to security features of Java SE 8.

Java 8 Security

Java SE 8 includes all the security features of Java SE 7.  Plus Java SE 8 includes new features, algorithm improvements, and support for features that are not identified as security features but provide security benefits just the same.  The following presents the highlights but for details see, JDK 8 Security Enhancements.

Client-side TLS 1.2 Enabled by Default (Area: Plugins)
TLS 1.2 is a security standard implemented in some web servers and web browsers and enabled by default in Java.

Enhanced Revocation Certificate Checking (Area: JRE, JEP 124)
Use the PKIXRevocationChecker class to lookup revocation status of certificates of interest.  Supports OCSP (RFC 2560)  and CRL  (RFC 5280) revocation protocol specifications.  See Check Revocation Status of Certificates with PKIXRevocationChecker Class.

Java Dependency Analyzer (Area: JRE tools)
jdeps is used to identify library(JAR) dependencies.  jdeps is useful from a security perspective since it identifies dependencies in 3rd party libraries that may negatively impact ability to upgrade.  An aside, while it’s not an Oracle product, OWASP has a free and complimentary tool, DependencyCheck for finding published vulnerabilities in 3rd party Java libraries.

Type Annotations (Area: JRE, JSR 308)
Like jdeps, type annotations are not a security feature in the strictest sense.  Type annotations provide ancillary benefit to security since they help ensure data is consistent with business requirements.  University of Washington (search for taint) provides some excellent examples of type annotations in action to discourage injection attacks.

SSL\TLS Server Name Indication Extension (Area: JRE, JEP 114)
Server Name Indication (SNI) Extension has been added to TLS for supporting virtual hosting.  This improvement is useful in the situation where a single host supports multiple HTTPS web applications on a single IP address.

Many Cryptographic Algorithm Improvements (Area: JRE)
  • Improvements to high entropy random number generation.  See SecureRandom API Specification.  (JEP 123)
  • Support for AEAD JSSE CipherSuites (JEP 115)
  • Improved support for NSA Suite B  (JEP 129)
  • PKCS 11 provider expanded to include 64-bit (JEP 131)
  • Overhauled JKS-JCEKS-PKCS12 keystore (JEP 166)
  • Restrict Use of Certs with RSA keys < 1024 bits
  • and more
For additional information about Java SE 7 and Java SE Security features please refer to the following Oracle resources.

Security features for Java 7, Java Rich Internet Applications Enhancements in JDK 7
Security features for Java 8, JDK 8 Security Enhancements
Java PM blog (which includes security),
New security requirements for RIAs in 7u51,
Oracle CPU and Security Alerts,

Java 8 Security Highlights – Video

This is the Java 8 security media (shown) I developed for the Java launch team.  The presentation covers features I described in my previous post, Spotlight on Java SE 8 Security. Enjoy!

Welcome Back!

Yes, your in the right place.  I'm moving back to Blogger.  I like the power and capabilities of Wordpress but I don't like the maintenance.  I would rather spend my time on almost anything else.  Blogger has some quirks, especially with their editor tool, but over all is pretty stable and low overhead for me to run.


Share It!