Late TODO week 14

--Originally published at That Class Blog

Okay, so this week is movie production week! Yay, I guess. It means we are mostly done.

I still owe a level. I’m getting into it. But the most important thing this week is to develop our promotional video. Decide what to include and what to tell. And yeah…

Cheerio

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

OMG I did it!

--Originally published at That Class Blog

Okay, so I’ve been so proud these last 2 weeks because I finally got a more than decent score in the LastPass Security Challenge. The first time I took the quiz I had more than 40 sites (there were more of them, but I already had the duplicate/same-domain configuration working), and I obtained a well-deserved 12%, in the lowest 7%, but at least my Master Password was excellent (at least something wasn’t horribly wrong).

“pw_xato-net_02-06” by Mark Burnett (CC https://creativecommons.org/licenses/by/2.0/). Taken from https://www.flickr.com/photos/mark_burnett/26965409864

Now, I can truly be proud to say that after some heavy work I got, after inserting 5 new sites, a 96%. This puts my account in the top 1% of LastPass users. YAY!

So, it was really a heavy task to change the passwords of almost 50 sites. It was really horrible and exhausting (maybe because I tried to do all of the necessary changes in one sitting). But I can share some stuff I’ve learned with the rest of the world:

  • LastPass offers a method that automatically changes your password on the supported sites (usually it only works with the big ones). I found that method extremely ineffective. It takes what feels like years to let the program find the right buttons and text fields and then generate the password. I don’t know why this happened. Maybe because I have some pages in Spanish and Esperanto, and the program failed to find the buttons (if the method works off the value of the button and not the ID, or something like that).
    I mean, my problem was with the time it took to accomplish those tasks, not that it didn’t work. I don’t have any problem leaving LastPass to change your password in the background while you do something else. Then there isn’t any con for you. (Remember that you will need to manually select each site that you wish to auto-change.)
  • Manually changing your passwords was a pain in the butt… sometimes. Why? For three reasons.
    1. Sometimes LastPass doesn’t detect the new password fields. So how can I take advantage of the password generator if it doesn’t appear where I need it to be? I then need to use the generate-password feature in the browser extension button, which is, in fact, the second reason.
    2. If you have the need to use “generate password” inside the extension button, and you want to write or edit the password (which is a feature you supposedly have), you will suffer. Why? Because the dumb system stores the texts that you have managed to type in. I was going to post a GIF where I showed this ugly implementation, but then I realized that the stored list has passwords that you actually use on some sites! I mean, if LastPass is supposedly trying to make me use different passwords for each account, then don’t show me my used passwords. But specifically, don’t store them in a list that impedes the insertion of a new password to test, or the generation and tweaking of a different one. So I encourage you to try this by yourself so you can actually understand.
      The problem is that instead of letting the user write a new password to test, it will change the value of the field to the stored text in the list (I sincerely don’t know how I managed to get those in) that starts with the key you just typed, like a form.
      And if you manage to actually make LastPass stop changing your text, you can only add more characters to the end of the string. You can’t move the text cursor somewhere else because, bad luck, it will change the entire string that is being displayed.
      And after that, if you think that the password you have would fit your needs, then good luck copying it into the reset-password field (remember that you only got here because, from the start, LastPass didn’t detect that you were actually trying to change the password). Because when you release the Ctrl+C keys, LastPass will change the text to the string in the list that starts with c. And your clipboard will still remain empty, and your perfect password lost.
    3. Okay, so let’s say that LastPass actually detected you are changing your password. And let’s say that you manage to generate a new one, either automatically (without even touching a thing) or semi-automatically (giving the generator some parameters). Sometimes, after you click the update-password button on the site, LastPass will prompt you to also update the entry in your vault. But this is only sometimes! And how am I to know that being able to detect the new password field for a particular site doesn’t mean you will be able to tell whether I actually updated the password?!
      If this feature didn’t exist, then I wouldn’t care. But the problem is that sometimes it does work. And it’s beautiful. But when it doesn’t, how am I to update the LastPass vault entry myself, if I don’t have any clue what the new password is! It only leaves me with the option to click on “I forgot my password” on the site, generate another password and remember to copy it. Then, and this is just ridiculous, if LastPass doesn’t automatically detect the new password this time, I manually update it in the vault.

And those are my complaints about LastPass. I still have one HUGE complaint. During this process of changing the passwords, I found out that there are sites that handle this request easily, and others that make it impossible for the user to reach their goal. Some of them let you change the password only if you click on “I forgot my password”. But there is one site that is the worst of all.
dish.com.mx – I mean… they don’t even let you change your password. So I clicked on the forgotten-password button, only to realize that they just sent me my password via email. OMG. That is so badly implemented. In fact I made a public complaint on Twitter. But their account is mostly offline.

And I guess that’s everything I have to share about my experience. If you feel like asking something, please do.

Cheerio.

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

What I’ll do this week (April 23)

--Originally published at Hermes's Blog

This week I plan to finish the tests and have at least 70% of the api code covered. We already have all signup, login, profile and delete-account functionality tested and passing. I tried to include the tests in the travis-ci build, but it seems to have problems with the neo4j service; neo4j is throwing this error:

Uncaught error when processing result: Neo4jError: 140223444313984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:827

And I just don’t know why. Should I just remove the https code when the code is being executed in travis? Maybe it’s because it does not find the key and certificate, but I don’t see why that would be the case. I’ll try again anyway.

What I did this week (April 16)

--Originally published at Hermes's Blog

This week I started helping with the testing. I solved the issues that they were facing with the cookie. Marco is creating the web application and, while he was developing, found some bugs in the api; these are already fixed. Marco (and someone else that I’m not aware of, I guess) integrated the firebase chat into the app. That’s nice, although it’s kind of ugly, but hey, it works.

We know we may have some security issues, in the chat and some parts of the api, but no can do, we are aware of that and will not fix it, we have to finish the things that we need to present in the demo.

Week 12 (1): Internationalized

--Originally published at Ce qui est chouette

This week Miguel and I worked on the internationalization of the game. Miguel worked on the different strings for the levels and a general way of handling them, and I did the selection of the language from a query string in the URL and the loading of the strings shown in the menu. With these features done, we’re just going to be designing and testing new levels.

– Worldwide Guy

No level – End of Week 13

--Originally published at That Class Blog

So previously (TO-DO) I committed to doing 3 issues. And sadly I accomplished just 2 of them. According to myself, I completed the two most important issues, and I left the boring and “difficult”-to-deal-with one. And I’m talking about the creation of level 5. I didn’t have time for its development, and it’s also so booooooring and tiring to try and match the size of the figures to the ones I have in mind.

“Undone” from Wayne Stadler (License: https://creativecommons.org/licenses/by-nc-nd/2.0/). Taken from https://www.flickr.com/photos/waynerd/5125189682/

But now, onto the stuff that I actually did.

The first issue consisted in creating the Mongoose schema to hold the texts that some levels have. It should hold the texts in multiple languages. This part was easy. In fact, it is the shortest schema we have.

The second issue consisted in simply updating the Mongoose schema of levels. This meant only replacing the text field with a boolean (because the text is now held in the level-text document). This was also very easy.

So, what wasn’t easy? The middle ground of these two issues. This consisted in updating the server routes. Make a new route to deliver the text of the level. Make the DB connections for this level to be fetched. Make the HTTP requests from the client to the server. Update the way the level is loaded and decide whether or not a fetch for the texts is needed. And the worst of it was: updating the level development script so you could modify both the level document and the texts document at the same time.

I realized after doing the issues that I actually didn’t know where one ended and where the other began. This is because there was some stuff I needed to develop to test both of the issues. And before fully testing one of them, I needed to test the other, and to do that I needed the middle ground I didn’t know which issue to assign it to.
And that is why I think I should have done 3 issues (one for the middle ground), and then everything would have fit perfectly. In fact, maybe a fourth issue was needed that would consist in updating everything that we already have (DB, tests and level development) to accept the new format and schemas.
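As an added example (not the project’s own code) of the two schema pieces described here, together with the language-from-query-string selection mentioned in the Week 12 post: the level document carries only a boolean text flag, a separate level-texts document holds the strings per language, and the loader fetches texts only when the flag is set. The field names, the supported language set and the sample documents are assumed. The one check worth keeping from this is that the language taken from the URL is matched against an allowlist rather than used directly as an object key or a file name.

```javascript
// Added example (not the project's code): language selection from the query
// string plus a level loader that only fetches texts when the level has any.
const SUPPORTED = ['en', 'es', 'eo'];   // English, Spanish, Esperanto (assumed set)
const DEFAULT_LANG = 'en';

// The query string is attacker-controlled. Only a value from the allowlist is
// ever used; anything else (including "__proto__" or a path) falls back to the default.
function pickLanguage(url, available = SUPPORTED) {
  const lang = new URL(url, 'http://localhost').searchParams.get('lang');
  if (lang === null) return DEFAULT_LANG;
  const wanted = lang.trim().toLowerCase();
  return available.includes(wanted) ? wanted : DEFAULT_LANG;
}

// Constructed sample documents standing in for the two Mongo collections.
const levels = new Map([
  [4, { number: 4, text: false, figures: ['square', 'circle'] }],
  [5, { number: 5, text: true, figures: ['triangle'] }],
]);
const levelTexts = new Map([
  [5, { level: 5, texts: {
    en: { intro: 'Match the shapes.' },
    es: { intro: 'Empareja las figuras.' },
    eo: { intro: 'Kongruigu la formojn.' },
  } }],
]);

// Stand-ins for the server routes / DB queries (assumed; real code would use Mongoose).
function fetchLevel(n) {
  const level = levels.get(n);
  if (!level) throw new Error(`no level ${n}`);
  return level;
}
function fetchLevelTexts(n) {
  return levelTexts.get(n) || null;
}

// Decide from the level document whether a second fetch for texts is needed,
// then pick the strings for the requested language, falling back to the default.
function loadLevel(n, url) {
  const level = fetchLevel(n);
  const lang = pickLanguage(url);
  let strings = {};
  if (level.text) {
    const doc = fetchLevelTexts(n);
    if (doc) {
      // Own-property check: never let a key resolve to something on Object.prototype.
      const has = (k) => Object.prototype.hasOwnProperty.call(doc.texts, k);
      strings = has(lang) ? doc.texts[lang] : (has(DEFAULT_LANG) ? doc.texts[DEFAULT_LANG] : {});
    }
  }
  return { level, lang, strings };
}
```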

And that is all for now.

Cheerio.

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

Alice and Bob, their story

--Originally published at Ce qui est chouette

The brief description provided by Coursera’s Cryptography I course from Stanford University paints cryptography as a tool for protecting information in computer systems. What I’ll attempt to cover in this post is cryptography’s real-world application, why it is needed.

First let’s deal with some basic stuff regarding cryptography, starting with the classic Alice, Bob and that bastard Eve who’s always meddling; she’s more of a Lilith if you ask me. Let’s say Alice has the sudden urge to communicate some secret message to Bob, perhaps she’s going to confess her love, but Eve also likes Bob, and Alice knows this. She can’t meet Bob in person; Eve would find out, she lives close by and would get in the way. THANK GOD for the cryptography course Bob and Alice took years ago, where they learned about symmetric and asymmetric cryptography . . .

 

Secured! by Sean T. Evans on Flickr under a CC License.

Sidenote to Explain Asymmetric and Symmetric Cryptography

Based on this post on Synopsys. Encryption uses an algorithm and a key to turn plaintext, the message, into ciphertext, the encrypted message that you can then send. Symmetric encryption uses the same key for both encryption and decryption of a message; it is fast and suits large amounts of data, like encrypting a hard drive, and the hard part is getting that one key to the other side and keeping it secret. Asymmetric encryption uses a pair of keys, a private one that you keep to yourself and a public one that can be handed out to anyone who wants to interact with your messages. A message encrypted with someone’s public key can only be decrypted with the matching private key, so anyone can encrypt a message for you but only you can read it. The private key is also what produces a digital signature: you sign with your private key, and others verify the signature with your public key to check that the message came from you and was not altered on the way. This type of encryption, though, is slow, and an RSA key can only encrypt a message smaller than the key itself, which is why in practice the public key is used to protect a random symmetric key and that symmetric key encrypts the actual data.

Back to the gossip

Alice decided to use Bob‘s public key to encrypt her confession. Eve had man-in-the-middle software running on Bob‘s network and caught the message; she didn’t understand it, however, and decided to let it through, ignorant of the fact that she was about to lose Bob, her Bob, to Alice‘s encrypted message. Bob received the message and recognized the gibberish as an encrypted message, like the ones he had worked with. Bob got hold of his private key and decrypted the message; the surprising confession got to him and, to Eve‘s dismay, he reciprocated.

That’s not reality! Well, Alice is the everyday user, Bob is the destination of every operation Alice does online, and Eve is the third parties, like government agencies, interfering in these interactions. This everyday interaction is why encryption is important: to keep your privacy. These third parties’ goal is to break these encryption algorithms, by cracking them themselves or by demanding a backdoor from the developers, which was the case in the FBI-Apple encryption dispute or the whole Snowden situation, of which there’s a cool John Oliver video.

XOXO, crypto guy

International Game – TO-DO Week 13

--Originally published at That Class Blog

Okay, so now I have stuff to do again! Yay! 3 issues to be exact! 2 that I guess I’m going to like, and 1 that I must do. This week, and the remaining sprint, will be focused on incorporating multiple languages into our game. So my 3 issues are mostly related to that.

“Mini Rockefeller Plaza” by Sunny Ripert (https://creativecommons.org/licenses/by-sa/2.0/). Taken from https://www.flickr.com/photos/sunfox/5084842773
  1. Update the level schema and already uploaded levels, so that they have only a boolean property called text. If true, the level loader must get the level data.
  2. Create a new schema, for the level texts. It must contain all the languages for the texts of the level.
  3. A new level. It will be level 5.

Yay!

Miguel Montoya
Esperanto Enthusiast
ʕ•ᴥ•ʔ