Abhinav's Blog

Internet of 'Hidden' Things: How to Build a Confidential IOT Network using TOR & Docker Containers

noreply@blogger.com (Abhinav Biswas) — Fri, 23 Mar 2018 08:44:00 +0000

Recently, I conducted a Workshop at the India Electronics Week - EFYCON 2018 held at KTPO, Bangalore. This session was focussed on sensitising the audience about how we can leverage the anonymity & containerisation benefits of TOR & Docker technologies respectively to address the security & privacy challenges in IOT Businesses and stop Surveillance Capitalism.

There were several Live Demos on how to build an Internet of 'Hidden' Things by creating confidential, authenticated and anonymous IOT Applications using TOR Hidden Services amalgamated with Docker Containers. The demos showed that these 'Hidden' Things/Devices can even hide the fact they exist at all, if you don’t know the necessary cookie. One can neither crawl nor probe your IOT device through the Internet while your device uses the Onion Authentication feature of TOR Hidden Services. The workshop also covered the dark-side of using Internet of Hidden Things in future.

Here's the digest of the presentation.

1. Introduction to TOR Hidden Services (HS)
- HS Rendezvous Protocol
- Analysis of hiddenness of HSs

2. Introduction to Docker Containers
- Virtualization vs Containerization
- Security Advantages of using Docker Containers

3. Dark-Side of Internet of Things
- Smart Devices: bridging the gap between Digital threats & Physical threats
- Recent Hacks: Jeep Cherokee, Mattel's Wi-fi Hello Barbie, Mirai DDoS Botnet
- Era of Ubiquitous Surveillance: Data being the new Oil of 21st century
- Security vs Privacy vs Anonymity: Importance of Trust in IOT Privacy

4. Need for Internet of 'Hidden' Things
- Security by Obscurity vs Security by Design
- Achieving Privacy with Hidden IOT Devices
- Leveraging the anonymity & containerisation benefits of TOR & Docker in IOT
- How hidden & anonymous IOT Devices can stop Surveillance Capitalism

5. Live Demos:- Hosting Tor Hidden Service in seconds with Docker Containers
- Pushing hidden containers to Linux-based IOT devices for hiding them
- Connecting anonymously to hidden IOT devices with proper authentication

6. Dark-Side of Internet of Hidden Things
- How hidden IOT devices can be exploited for malicious purposes

7. Discussion & Takeaways
- Conclusion & Futuristic Thoughts.

Below is the presentation material for the delivered session.

Demystifying the Dark-Side of Internet of Things (IOT): A Journey through Security & Privacy Challenges

noreply@blogger.com (Abhinav Biswas) — Fri, 23 Mar 2018 08:10:00 +0000

Recently, I spoke at the India Electronics Week - EFYCON 2018 held at KTPO, Bangalore. The talk focussed on sensitising the audience about the paradigm shift that is required for securing IOT Businesses where Proprietary protocols, indigenous hardware & air-gapped networks are not just enough in the era of Industry 4.0. The talk also presented a view on 'What are we currently doing to protect ourselves' and 'What we need to do'. What are the new security challenges that are coming up and how privacy & anonymity is taking the lead over security with respect to IOT.

Here’s the digest of the presentation.

Why is everything getting Smart with the advent of IOT?
Sensors or Cloud or M2M.
How is IOT bridging the gap between Digital threats and Physical threats?

Top recent IOT Hacks:
Chrysler's Jeep Cherokee,
Mattel's Wi-fi Hello Barbie.

Eavesdropping through microphones of Smart Dolls, Smart Teddy Bears & Smart TVs.
What if the smart doll teaches offensive things to your kid.

Exploitable Smart Refrigerators, Smart Thermostats, Smart Insulin Pumps.
How Smart TVs have been hacked & infected by malware
for automated Ad Clicks and Cryptocurrency mining.

IOT Ransomeware is now reality.
How much someone would be willing to pay to remove ransomware from a Smart Pacemaker?

Denial of Service (DOS) attacks on & through IOT devices.
How hackers can turn a Smart Fridge into a spam-bot?

Why can't we make smart devices smart enough to be secure?
The IOT Security Challenges:
Resource Constraints, STRIDE Threat vectors.

Security vs Privacy vs Anonymity.
Importance of Trust in IOT Privacy.
Security by Obscurity vs Security by Design:
Proprietary protocols, indigenous hardware & air-gapped networks.

Security can not be an afterthought.
It has to considered & implemented in all of stages of IOT Business:
Planning, Design, Implementation, Verification, Validation, Deployment & Operations.

IOT Business Model needs to change.
Earlier we used to Build product, Ship them &
forget about them until we had to Service them,
but now we have to Ship & Remember.

Below is the presentation material of the delivered talk.

Are TOR Hidden Services really hidden? Demystifying HS Directory surveillance by injecting Decoys inside TOR!

noreply@blogger.com (Abhinav Biswas) — Tue, 22 Aug 2017 04:45:00 +0000

Recently, I spoke at the C0C0N X Security & Hacking Conference 2017 held at Le Meridien, Kochi. The talk focussed on the 'Hiddenness' of TOR Hidden Services specific to the detection of HS Directory Surveillance by injecting Decoys or Honeypots inside the TOR network. Here’s the digest of the presentation.

What is TOR?
The Onion Router – Gateway to Anonymity
How TOR works?
Establishing the Circuit
Directory Authorities - The Gatekeepers of TOR

Introduction to TOR Hidden Services (HS)
Why run a TOR HS? - Sneak peek into HS features
How TOR HS works? - HS Rendezvous Protocol

Analysis of hiddenness of TOR HSs
Research Hypothesis - Are TOR HS really Hidden?
The HS Honeypot Approach
Setting up the Onion Decoy Project

Live Demo
Hosting Tor Hidden Service in seconds with Docker Containers
How to setup Honeypots (aka Onion Decoys) inside TOR Network
Live probing of Onion Decoys to detect intrusions by attackers

Results of the Onion Decoy Experiment
Private Hidden Services are not really hidden

Conclusion & Takeaways
Everything can be a Honeypot, if you don’t know it fully
The more you hide, The more somebody wants to know why

The Source Code of the Onion Decoy Project is available at https://github.com/OnionDecoy

Below is the presentation for the delivered talk.

How the next Edward Snowden should access Internet for maintaining privacy? - Rethink VPN & TOR

noreply@blogger.com (Abhinav Biswas) — Mon, 26 Sep 2016 20:13:00 +0000

In the present era of Mass Surveillance by intelligence agencies like NSA, GCHQ & RAW, you should know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route is in the hands of some electronic system whose reach is unlimited, but whose safeguards are questionable. This amount of metadata collected about you is more than enough to create simulations of you and predict your behaviour in any given circumstance. It involves a systematic interference with individual’s right to privacy in terms of subjection to significant indiscrimination, monitoring and censorship. Hence, Privacy & Anonymity are rising concerns among informed citizens, journalists, whistleblowers and Edward Snowdens of the world.

When it comes to technology, privacy and anonymity enthusiasts extensively use encrypted proxy services like VPN & TOR Anonymity network to hide their identities & activities online. But let’s understand how useful & worthy they are, what are the differences and how can we leverage the potential of both.

VPN is faster than TOR, and is suitable for P2P downloading. The major downside however (and reason VPN is said to provide privacy rather than anonymity) is that it requires your trust the VPN provider. This is because, should it wish to (or is compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.

On the contrary, TOR is much slower because of the built-in Onion Routing, is often blocked by websites, and is unsuitable for P2P, but it does not require your truston anybody, and is therefore much more secure & truly anonymous.

Interestingly, VPN & TOR can be clubbed and used together in order to provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside, however, of doing so combines the speed hit of both technologies, making connections more secure but slow. It is also important to understand the difference between connecting VPN to TOR and connecting TOR to VPN for accessing the Internet. Order Matters!

VPN to TOR

Under this configuration you first connect to your VPN server, and then to the TOR network before accessing the internet:

Your computer -> VPN -> TOR -> Internet

This is what happens when you use TOR Browser while connected to a VPN server.

Your apparent IP on the internet = IP of the TOR exit node.

Pros:

1. Your ISP will not know that you are using TOR (but it can know that you are using VPN).

2. The TOR entry node will not see your real IP address, but the IP address of VPN server.

3. Allows access to TOR hidden services (.onion websites).

Cons:

1. Your VPN provider knows your real IP address.

2. No protection from malicious TOR exit nodes. Non-SSL traffic entering and leaving TOR exit nodes is unencrypted and could be monitored.

3. TOR exit nodes are often blocked by popular websites.

TOR to VPN

This configuration involves connecting first to TOR using TOR client and then to a VPN server to access the internet using regular browser:

Your computer -> TOR -> VPN -> Internet

This setup requires you to configure your VPN client to work with TOR, and note, not all but some VPN providers support this like AirVPN, BolehVPN, etc.

Your apparent IP on the internet = IP of the VPN server.

Pros:

1. Your VPN provider cannot ‘see’ your real IP address – only that of the TOR exit node.

2. If combined with an anonymous payment method (such as properly-mixed / well-laundered Bitcoins) made anonymously over TOR, the VPN provider will have no way of identify you.

3. Protection from malicious TOR exit nodes - As data is encrypted by the VPN client before entering (and exiting) the TOR network.

4. VPN Provider Allows you to choose server location (Great for geo-spoofing).

5. All internet traffic is routed through TOR (even by apps that usually don’t support it).

6. Bypasses any blocks on TOR exit nodes (Important!).

Cons:

1. Your ISP will know that you are using TOR.

2. The VPN provider can see your internet traffic (but can’t identify you - true anonymity)

3. Slightly more vulnerable to global end-to-end timing attack as a fixed point in the chain exists (the VPN provider).

4. Does not allow access to TOR hidden services (‘.onion’ websites).

TOR after TOR to VPN

This configuration involves connecting first to TOR using TOR client, and then to a VPN server and using TOR Browser to access the internet:

Your computer -> TOR -> VPN -> TOR -> Internet

Note, this setup requires you to use TOR Browser as well as configuring your VPN client to work with TOR.

Your apparent IP on the internet = IP of the TOR exit node of 2nd TOR circuit.

Pros:

1. Your VPN provider cannot ‘see’ your real IP address – only that of the TOR exit node.

2. If combined with an anonymous payment method (such as properly mixed Bitcoins) made anonymously over TOR, the VPN provider will have no way of identify you.

3. Protection from malicious TOR exit nodes - As data is encrypted by the VPN client before entering (and exiting) the 1st TOR Circuit.

4. VPN Provider allows you to choose server location (Extra-functionality not required actually because, 2nd TOR circuit will provide geo-spoofing).

5. Allows access to TOR hidden services (‘.onion’ websites).

6. Less prone to global end-to-end timing attack because of two TOR circuits.

Cons:

1. Your ISP will know that you are using TOR.

2. The VPN provider can see your internet traffic (but can not identify you - true anonymity)

3. TOR exit nodes are often blocked by popular websites.

So which one is better?

However, before that, two important things to ponder upon:

1. Malicious exit nodes:

When using TOR, the last exit node in the chain between your computer & open internet is called an exit node. Traffic enters and exits this node unencrypted (unless some additional form of encryption is used like SSL), which means that anyone running the exit node can spy on users’ internet traffic. This is not usually a huge problem, as a user’s identity is hidden by the 2 or more additional nodes that traffic passes through on its way to and from the exit node. If the unencrypted traffic contains personally identifiable information, however, this can be seen by the entity running the exit node.

Such nodes are referred to as malicious exit nodes, and have also been known to redirect users to fake websites. SSL connections are encrypted, so if you connect to an SSL secured website (https://) your data will be secure, even it passes through a malicious exit node.

2. End-to-End (E2E) timing attacks:

This is a technique used to de-anonymize VPN & TOR users by correlating the time when they were connected, vis-a-vis the timing of otherwise anonymous behavior on the internet. An incident where a Harvard bomb-threat idiot got caught (http://www.businessinsider.com/harvard-student-used-tor-for-bomb-threat-2013-12) while using TOR is a great example of this form of de-anonymization attack in action.

On a global scale, pulling off a successful E2E attack against a TOR user would be a monumental undertaking, but possibly not impossible for the likes of the NSA, who are suspected of running a high percentage of all the world public TOR exit nodes. If such an attack (or other de-anonymization tactic) is made against you while using TOR, then using VPN as well will provide an additional layer of security.

Conclusion

Note, TOR to VPN is usually considered more secure than VPN to TOR since it allows you to maintain complete (and true) anonymity if the correct precautions are taken because not even your VPN provider knows who you are. It also provides protection against malicious TOR exit nodes, and allows you to evade censorship via blocks on TOR exit nodes. You should be aware, however, that if an adversary can compromise your VPN provider, then it can control one end of the TOR chain. Over time, this may allow the adversary to pull off an E2E timing or other de-anonymization attack. The additional benefit you get if you use TOR after TOR to VPN is that you can access ‘.onion’ websites, but with a caveat that tor exit nodes are often blocked by popular websites.

Hence, the bottom line is that any user who requires a very high level of security, privacy & anonymity must carefully weigh up the pros and cons of each of the above three configurations in relation to their particular needs.

Dark-Side of Internet of Things (IOT): Security & Privacy Challenges

noreply@blogger.com (Abhinav Biswas) — Sun, 28 Aug 2016 18:04:00 +0000

Recently, I was invited to deliver a talk at the Global IOT Conclave held at The Chancery Pavilion, Bangalore. The talk focussed on the Dark-Side of Internet of Things specific to Security & Privacy Challenges in IOT. Here’s the digest of the presentation.

Why is everything getting Smart with the advent of IOT? Sensors or Cloud or M2M.
IOT is bridging the gap between the Physical world & the Digital world and how Digital threats are becoming Physical threats?
Top IOT Hacks: Chrysler's Jeep Cherokee, Mattel's Wi-fi Hello Barbie.
Eavesdropping through microphones of Smart Dolls, Smart Teddy Bears & Smart TVs. What if the smart doll teaches offensive things to your kid.
Exploitable Smart Refrigerators, Smart Thermostats, Smart Insulin Pumps. How Smart TVs have been hacked & infected by malware for automated Ad Clicks and Cryptocurrency mining.
IOT Ransomeware is now reality. How much someone would be willing to pay to remove ransomware from a Smart Pacemaker?
Denial of Service (DOS) attacks on & through IOT devices. How hackers can turn a Smart Fridge into a spam-bot?
Why can't we make smart devices smart enough to be secure? The IOT Security Challenges: Resource Constraints, STRIDE Threat vectors.
Security vs Privacy vs Anonymity. Importance of Trust in IOT Privacy.
Security by Obscurity vs Security by Design: Proprietary protocols, indigenous hardware & air-gapped networks.
Security can not be an afterthought. It has to considered & implemented in all of stages of IOT Business: Planning, Design, Implementation, Verification, Validation, Deployment & Operations.
IOT Business Model needs to change. Earlier we used to Build product, Ship them & forget about them until we had to Service them, but now we have to Ship & Remember.

Below is the presentation for the delivered talk.

Dark - Side of Internet of Things (IOT) from Abhinav Biswas

Touring the Dark-Side of Internet: A Journey through IOT, TOR & Docker

noreply@blogger.com (Abhinav Biswas) — Fri, 03 Jun 2016 08:53:00 +0000

Recently, I had the privilege of delivering a talk at ThoughtWorks GeekNight Hyderabad along with my co-speaker @Sarath. The session focussed on the Dark-Side of Internet touching upon the following theme.

With the advent of IOT, Every 'Thing' is getting Smart, starting from the range of smartwatches, smart refrigerators, smart bulbs to smart car, smart healthcare, smart agriculture, smart retail, smart city and what not, even smart planet. But why is every thing getting smart? Is it just a marketing gimmick?

People are trying to bridge the gap between Digital World & Physical World by means of ubiquitous connectivity to Internet, and when digital things become physical, digital threats also become physical threats. Security & Privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop the private communications in your bed room? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be Anonymous over Internet and don't want anybody to track you?

The talk focused on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What we need to do'. What are the new security challenges that are coming up and how privacy & anonymity is taking the lead over security. The talk also sensitised the audience about the paradigm shift that is happening in IOT DevOps, with help of Docker Containers and how they can be anonymised using TOR.

The detailed Agenda of the delivered talk:

Top 5 Security Attacks of 2015

Sony Hack, Ransomware, State-Sponsored, Hacktivism

The Cyber Attack Kill Chain

APTs (Advanced Persistent Threats)

Defense Strategies & New Challenges

Signature-based vs dynamic sandboxing
Virtualization & Cloud Security
Security vs Privacy vs Anonymity

The Advent of IOT

People - Process - Product (Era of ‘Smart’ Things)
Cloud - M2M - Sensors (How connectivity can go bad)

Introduction to Docker

From Virtualization to Containerization
Shift in DevOps – Demo of Web hosting through containers

Deep Net vs Dark Net

TOR (The Onion Router) – How to be Anonymous on Internet
Demo of TOR hidden service through Docker Containers

Future thoughts.

Below is the presentation for the delivered talk.

Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
from Abhinav Biswas

Digital Disruption - Facts to ponder!

noreply@blogger.com (Abhinav Biswas) — Fri, 01 Apr 2016 05:20:00 +0000

Why didn’t a cab driver think of Ola or Uber?

Why didn’t a Shopping Mall owner think of Flipkart?

Why didn’t a Theatre owner think of BookMyShow?

Why didn’t Airtel or Vodafone think of Paytm?

Why didn’t Taj or Marriott think of GoIbibo?

The answer to all above, and the myriad of all other companies displaced by digital disruption, is that at some point they became so busy and coupled with the ongoing need to meet or exceed the quarterly numbers, that they forgot to look far enough outside of their business to see the disruption ahead. A quite convincing reason why so many companies fail to face the disruption is that when someone from the outside uses digital disruption to disrupt you, the strategy most often invoked is to protect and defend the status quo. It is amazing how much time and money organizations spend protecting and defending their current ‘cash cows’. In the past this was a valid strategy that did produce good results. But digital disruption is different. Because it tends to be game-changing with a very low cost of entry, it is not hard for a small startup to quickly disrupt not only a big business, but even an entire industry.

But, why all this is happening now? What is digital disruption?

Digital disruption is nothing but the change that occurs when new digital technologies and business models affect the value proposition of existing goods and services. Consider how fast the mobile web has changed how we all live, work, and play. The sudden instant, massive connectivity of the smartphones & internet enabled the ‘service economy’. Transformation is far reaching, and it is happening at lightning speed. Technologies and gadgets that are omnipresent today didn't even exist a few years ago. Gone are the days of SMS, it’s all WhatsApp now. Telcos are defending by fighting to kill Net Neutrality. But is it the right solution? Or they need to come up with new startup ideas.

We are one of over 3 billion people connected to the internet. That’s nearly half of the people on Earth. Many of these people are shopping online or catching up with friends over social networks like Facebook, Twitter & LinkedIn. But some creative people are evaluating a new business idea, raising a startup, or building an app that’s going to change the world. Are you one of those creative people?

Think about other emerging digital disruptions that are coming in near future: the wearable web (smart watches, smart health monitors), the drivable web (smart semi-autonomous cars), the domestic web (smart TVs, smart homes), and so on. What does that do to your industry? If you think the answer is ‘Nothing’, I encourage you to think twice. You need to become our own disruptor, your own best competition. You should not get comfortable. You should disrupt yourself, or someone else will. In order to thrive in this era of exponential change and rapid digital disruption, you need to actively anticipate new ways to disrupt yourself, before others do it for you.

So, start thinking and think big. Who knows, you may have the next great idea:

The Next Startup Boom...

Installing Mac OS X El Capitan 10.10 on Vmware ESXi 6.0

noreply@blogger.com (Abhinav Biswas) — Tue, 13 Oct 2015 20:06:00 +0000

After a long struggle of 48 hours, I could finally able to install the Apple's latest Mac OS X El Capitan v10.11 on a Virtual Machine (VM). The experiment was conducted on Vmware ESXi 6.0 virtualization platform running over physical IBM Server X3650 M3.

Following are the installation steps:

Setting up ESXi for running Apple Mac OS X

Vmware ESXi 6.0 doesn’t support OS X out of the box.

So, the first thing you need to do is to customise the hypervisor layer by executing an Unlocker script by insanelymac.com. Please note that you will need to register on the site in order to download the Unlocker tool.
You need to enable SSH on your ESXi host. In order to do that, login to the host using VMware vShpere Client and navigate to Configuration->Security Profile. From here click on Properties in the upper right corner where it says Services. The dialog Services Properties should appear and from here you can click on SSH->Options and choose Start and stop with host. Click Start and then close all the open dialogs.
Transfer the Unlocker-files to the host using any SFTP client. Make sure you extract the files somewhere on your client before transfer and connect to the ESXi host using the user root. Once connected navigate to /vmfs/volumes/datastore01/ , replacing datastore01 with your actual datastore name. Create a new folder (mkdir) called tools and transfer your unlockerXXX directory.
Now cd into the uploaded directory and ensure the ESXi scripts have execute permissions by running chmod +x esxi-install.sh. Now run ./esxi-install.sh in order to install the Unlocker.
Reboot the ESXi host.

Download and create the bootable OS X El Capitan ISO

Grab the El Capitan installer app from the Apple Appstore. Note, you need a real Mac in order to download and convert the El Capitan installation disk. Once downloaded minimize or close the installer.

Open the terminal and change directory to /tmp using command cd /tmp

Create a new script file: nano ElCapitan.sh

Paste the following into the script file and save:

#!/bin/bash
# Mount the installer image
hdiutil attach /Applications/Install\ OS\ X\ El\ Capitan.app/Contents/SharedSupport/InstallESD.dmg -noverify -nobrowse -mountpoint /Volumes/install_app

# Create the ElCapitan Blank ISO Image of 7316mb with a Single Partition - Apple Partition Map
hdiutil create -o /tmp/ElCapitan.cdr -size 7316m -layout SPUD -fs HFS+J

# Mount the ElCapitan Blank ISO Image
hdiutil attach /tmp/ElCapitan.cdr.dmg -noverify -nobrowse -mountpoint /Volumes/install_build

# Restore the Base System into the ElCapitan Blank ISO Image
asr restore -source /Volumes/install_app/BaseSystem.dmg -target /Volumes/install_build -noprompt -noverify -erase

# Remove Package link and replace with actual files
rm /Volumes/OS\ X\ Base\ System/System/Installation/Packages
cp -rp /Volumes/install_app/Packages /Volumes/OS\ X\ Base\ System/System/Installation/

# Copy El Capitan installer dependencies
cp -rp /Volumes/install_app/BaseSystem.chunklist /Volumes/OS\ X\ Base\ System/BaseSystem.chunklist
cp -rp /Volumes/install_app/BaseSystem.dmg /Volumes/OS\ X\ Base\ System/BaseSystem.dmg

# Unmount the installer image
hdiutil detach /Volumes/install_app

# Unmount the ElCapitan ISO Image
hdiutil detach /Volumes/OS\ X\ Base\ System/

# Convert the ElCapitan ISO Image to ISO/CD master (Optional)
hdiutil convert /tmp/ElCapitan.cdr.dmg -format UDTO -o /tmp/ElCapitan.iso

# Rename the ElCapitan ISO Image and move it to the desktop
mv /tmp/ElCapitan.iso.cdr ~/Desktop/ElCapitan.iso

Now ensure that the script file has execute permissions by running chmod +x ElCapitan.sh and run with sh ./ElCapitan.sh. This will take some time, so just be patient. Once done it should have created a file called ElCapitan.iso on your desktop.

Create a virtual Mac OS X VM

The next step should be fairly simple if you have used ESXi before. As usual open your datastore and transfer the iso to wherever you normally store your installation files. Then create a new vm, select Typical and you should be able to select Other and then Apple Mac OS X 10.10 (64-bit). Complete the wizard, mount the ISO and install Mac OS X as usual. Please note that you must format the hard drive using the disk utility before it will be visible in the install wizard.

Configure Mac OS X

It’s very important to install the VMware Tools as soon as possible after the install has finished. Without it Mac OS X might not awake from sleep and in general be very unreliable. I also recommend to turn off sleep and the screensaver in settings as these may cause issues.

Finally, reboot and start enjoying your virtual Mac on non-Apple hardware.

Signing Java .jar Files with CLI Command Jarsigner using Hardware Token in Windows

noreply@blogger.com (Abhinav Biswas) — Fri, 17 Apr 2015 07:56:00 +0000

How to Configure Java JDK to Use the eToken

Download the JDK from Oracle.com.
Note: Even if you are using a 64-bit version of Windows, the 32-bit JDK is required.
Open a text editor (such as Notepad) and do the following:
1. Copy and paste the following 2 lines into the text (Notepad) document:
  name=eToken library=c:\WINDOWS\system32\eTPKCS11.dll
2. Save this file as eToken.cfg in the appropriate directory for your version of the JDK, for example:
  - JDK 1.8
    C:\Program Files (x86)\Java\jdk1.8.0_20\bin
  Note: If you are running a 32-bit version of Windows, the Java JDK is installed in C:\Program Files\Java\....
Run WordPad (Start > Accessories > WordPad), open the java.security file from your Java Runtime Environment (JRE) installation (e.g. C:\Program Files\Java\jdk1.8_20\jre\lib\security), and then do the following:
1. Search the file (Ctrl + F) for the following line:
  security.provider.10=sun.security.mscapi.SunMSCAPI
2. If the following line isn't already present in the file, add it right after the line above:
  security.provider.11=sun.security.pkcs11.SunPKCS11 ./etoken.cfg
  Note: ./etoken.cfg is the path to the etoken.cfg file, and cannot contain a drive letter (i.e., it must be on the same drive as the JDK installation).
3. When WordPad asks if you want to save the file as a text-only document, select yes.
Open Windows explorer and go to the JDK installation folder (i.e. C:\Program Files\Java\jdk1.8_20\).
Hold shift down and right-click on the bin folder and select Open command window here.
Run the following command to find out in which token slot your certificate is stored:
keytool -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11
Note: This command displays a lot of information.
Go to the top of the information display where the information starts, and search for a line similar to this:
Slots with tokens:#
Where # is a number such as 0 or 2.
If the slot used is "0", skip to Step 9.
Remove the eToken device from the USB drive for a few seconds and then plug it back since it only allows you to run one keytool command at a time.
Open the file etoken.cfg you created in Step 2, and change the value after slot= to match the slot from the previous keytool command then save the file.
name=eToken library=c:\WINDOWS\system32\eTPKCS11.dll slot=0
Note: 0 is the default slot. If you have added additional certificates to the token or re-keyed/re-issued your certificate, you may have a different number than the default.

How To Sign .jar Files Using the CLI Command Jarsigner

In Windows Explorer, navigate to the JDK folder.
In the JDK folder, push and hold Shift, right-click on the bin folder, and select Open command window here.
To view the Code Signing Certificate and the certificate alias on the token:
1. Plug in your token.
2. Run the following command from the command prompt:
  keytool -list -keystore NONE -storetype PKCS11 -J-Djava.security.debug=sunpkcs11 Enter keystore password: [enter password]
3. Sample output:
  Keystore type: PKCS11 Keystore provider: SunPKCS11-eToken Your keystore contains 1 entry le-a66a-21c4-b862-3c4345271551, PrivateKeyEntry, Certificate fingerprint (SHA2): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
4. In this example, le-a66a-21c4-b862-3c4345271551 is the certificate alias that you use to sign .jar files.
To use the code signing certificate on the token to sign file.jar, run the following command from the command prompt:
jarsigner -verbose -keystore NONE -storetype PKCS11 -J-Djava.security.debug=sunpkcs11 "C:\path\to\file.jar" "le-a66a-21c4-b862-3c4345271551"
If the command executed successfully, you should see something similar to the following output:
Sample output:
Enter Passphrase for keystore: adding: META-INF/7800FA4C.SF jar signed.

What Data Science tells me?

noreply@blogger.com (Abhinav Biswas) — Sun, 31 Aug 2014 18:30:00 +0000

• If you’re a DBA, you need to learn to deal with unstructured data
• If you’re a statistician, you need to learn to deal with data that does not fit in memory
• If you’re a software engineer, you need to learn statistical modeling and how to communicate results.
• If you’re a business analyst, you need to learn about algorithms and tradeoffs at scale.

Just stare at the following figure, you'll understand.

What happens when you hit a key to start a job on a remote EC2 machine

noreply@blogger.com (Abhinav Biswas) — Tue, 16 Jul 2013 18:00:00 +0000

Have you ever thought about what happens when you hit a key to start a job on a remote EC2 machine.

Strike a key on the keyboard and the capacitance changes instantaneously, sending a signal down the USB cable into the computer. The computer’s keyboard driver traps the signal, recognizes the key it’s from, and sends it to the Operating System for handling. The OS determines which application is active and decides whether the keystroke needs to be routed over an internet connection. If it is routed, a set of bytes is sent down the CAT-5 cable into the wall socket, abstraction masked via the OSI 7-layer model, and sent to a router. The router determines the closest router which is likely to know the IP of your destination ( a lot of stuff behind this even like DNS resolution etc.), and sends that packet onwards.

Eventually the packet arrives at the destination computer, enters the via ethernet cable, is trapped by the remote OS, interpreted as an enter stroke, sent to the shell, sent to the current program, and executed. Data from that remote machine is then sent back over the cable and the routers to your machine, which takes the packet, uses it to update the display, and tells you what happened on that remote box.

All of that happens within an imperceptible fraction of a second. Just think...

SetUp Eclipse CDT using MinGW for Windows

noreply@blogger.com (Abhinav Biswas) — Mon, 16 Jan 2012 16:42:00 +0000

The standard Eclipse CDT IDE (for C/C++) needs integration with the GNU toolchain, before you can start making your C/C++ projects in Eclipse (the world's best Open-source IDE, Integrated Development Environment). This includes GNU's make, gcc compiler, and gdb debugger utilities. For windows, MinGW and Cygwin are the two main platform choices for acquiring the toolchain. It is important to note the difference between them. Cygwin produces executables that use the Cygwin POSIX runtime. MinGW produces native Windows executables that do not require a separate runtime.

In this tutorial I'll show you how to setup Eclipse CDT using MinGW toolchain in a Windows Platform.

1. Install MingGW Offline Installer (mingw-6.3.exe , 7-zip Self-extracting Archive) in the C:\ drive.
- The Installation Folder Structure would be like...
"C:\MinGW"
*bin\
  *include\
  *lib\
  *libexec\
  *README_STL

2. Install Minimal SYStem MSYS Base (MSYS 1.0.11) in the default folder C:\msys\1.0
- The Installation Folder Structure would be like...
"C:\msys\1.0"
  *bin\
  *doc\
  *etc\
  *home\
  *mingw\
  *postinstall\
  *share\
  *uninstall\
  *m.ico
  *msys.bat
  *msys.ico

3. Extract Eclipse CDT Helios SR2(eclipse-cpp-helios-SR2-win32.zip) in the 'Program Files' folder.
- The Installation Folder Structure would be like...
"C:\Program Files\eclipse"
  *configuration\
  *dropins\
  *features\
  *p2\
  *plugins\
  *readme\
  *.eclipseproduct
  *artifacts.xml
  *eclipse.exe
  *eclipse.ini
  *eclipsec.exe
  *epl-v10.html
  *notice.html

4. Start Eclipse & enjoy creating C/C++ Projects in Eclipse.
Go Start Programming...