What I’ll do this week (March 12)

--Originally published at Hermes's Blog

The most important thing to do right now (in the API) is to be able to split the bill of a pool. I think the best way to handle this is: when the pool owner says that the bill should be split evenly, take all current users and divide the bill evenly. The problem is that not all users have joined by this time, so all I can do is, when a new user confirms the invitation, have the API update all the relations to users in the pool to fit the new bill split. When the owner sets the bill split to custom, I think they should be able to set the amount that invited users should pay. That will require me to add a new relation from the pool to users, where invited users have a special relation with the label `:invited`, just so it can tell the user how much he is expected to pay and then he can accept or reject this invitation.

The TODO list is as follows:

  • Pool owners need to split the bill; they should be given the options of splitting it evenly or with custom amounts (do we need to make sure that the total of all the custom amounts sums up to the total of the bill?).
  • Pools need to specify who you should pay, how much money they owe or who paid more than necessary.
  • The only payment method available right now is cash; the pool owner should be the only one able to change the pool and relation-to-the-pool properties.
  • Maybe invites should be visible through an interface in the app. I think that the best way to approach this is to create a new relation between the pool node and the user node that indicates that he’s been invited, because otherwise there is no other way to find out who you have invited: the email is sent and after that it all depends on the user clicking the link.
  • We need a Facebook and Google login (I think this will be done by someone else).
  • User profile images are not critical (because we have default profile gravatars) but would be nice to have; we should store them somewhere outside the database, maybe storing the path to the file in the node, or use an external service like Amazon S3.

What I’ll do this week (March 5)

--Originally published at Hermes's Blog

This week I’m not sure if we will be able to work on the project because it’s the Tarver Vertical (buuuh), but if we do, the most important thing to do right now (in the API) is to be able to split the bill of a pool. I think the best way to handle this is: when the pool owner says that the bill should be split evenly, take all current users and divide the bill evenly. The problem is that not all users have joined by this time, so all I can do is, when a new user confirms the invitation, have the API update all the relations to users in the pool to fit the new bill split. When the owner sets the bill split to custom, I think they should be able to set the amount that invited users should pay. That will require me to add a new relation from the pool to users, where invited users have a special relation with the label `:invited`, just so it can tell the user how much he is expected to pay and then he can accept or reject this invitation.

The TODO list is as follows:

  • Pool owners need to split the bill; they should be given the options of splitting it evenly or with custom amounts (do we need to make sure that the total of all the custom amounts sums up to the total of the bill?).
  • Pools need to specify who you should pay, how much money they owe or who paid more than necessary.
  • The only payment method available right now is cash; the pool owner should be the only one able to change the pool and relation-to-the-pool properties.
  • Maybe invites should be visible through an interface in the app. I think that the best way to approach this is to create a new relation between the pool node and the user node that indicates that he’s been invited, because otherwise there is no other way to find out who you have invited: the email is sent and after that it all depends on the user clicking the link.
  • We need a Facebook and Google login (I think this will be done by someone else).
  • User profile images are not critical (because we have default profile gravatars) but would be nice to have; we should store them somewhere outside the database, maybe storing the path to the file in the node, or use an external service like Amazon S3.


What I did this week (February 26)

--Originally published at Hermes's Blog

Last week I was able to finish the first bullet point from the list I wrote in the previous premortem.

  • Search pools and users; that implies that I need to create a way to query a regular expression, or at least the beginning of one of their string properties. I also need to filter the pools by their `public` property.

This is an important piece of functionality because now we, as users, are able to search for pools to participate in and search for users to invite to the pool. Right now you can query pools by name and users by name and email, but only in the web API.
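The search described above, as an added example that is not the Cooper project's own code: the user-typed text goes into a Cypher parameter rather than into the query string, and regex metacharacters are escaped so the "beginning of a string property" search cannot be turned into an arbitrary pattern. It also includes the reverse-direction lookup (users of a pool) that the February posts below ask for, since one directed relationship can be matched from either end. The labels `:Pool {name, public, id}`, `:User {name, email}` and the relationship type `PARTICIPATES_IN` are assumptions; the returned `{text, params}` objects are what you would hand to the Neo4j driver's `session.run`.

```javascript
// Added example (not the Cooper project's own code): parameterized Cypher
// queries for the pool/user search. Schema names are assumptions.

// Escape regex metacharacters so user input is matched literally. Without
// this a user could submit ".*" (matches everything) or a pathological
// pattern that makes the database spend a long time backtracking.
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Cypher's =~ operator takes a full Java-style regex. "(?i)" makes the match
// case-insensitive and "^" anchors it to the beginning of the property, which
// gives the prefix search the post describes instead of a free-form regex.
function prefixPattern(userInput) {
  return '(?i)^' + escapeRegex(userInput.trim()) + '.*';
}

function requireText(userInput) {
  if (typeof userInput !== 'string' || userInput.trim().length === 0) {
    throw new Error('search text is required');
  }
}

// Clamp the page size; the only value spliced into the query text is this
// integer, which we validated ourselves, never the user's search text.
function pageSize(limit) {
  return Number.isInteger(limit) && limit > 0 ? Math.min(limit, 100) : 20;
}

// Pools by name, restricted to pools whose `public` property is true.
function buildPoolSearch(userInput, limit = 20) {
  requireText(userInput);
  return {
    text: `MATCH (p:Pool) WHERE p.public = true AND p.name =~ $pattern RETURN p LIMIT ${pageSize(limit)}`,
    params: { pattern: prefixPattern(userInput) },
  };
}

// Users by name or email with the same prefix rule.
function buildUserSearch(userInput, limit = 20) {
  requireText(userInput);
  return {
    text: `MATCH (u:User) WHERE u.name =~ $pattern OR u.email =~ $pattern RETURN u.name AS name, u.email AS email LIMIT ${pageSize(limit)}`,
    params: { pattern: prefixPattern(userInput) },
  };
}

// Members of a pool, read by matching the relationship from the Pool end.
// Neo4j relationships are directed, but a pattern can be traversed either
// way, so a single PARTICIPATES_IN relationship answers both "pools of a
// user" and "users of a pool"; a second relationship per direction is not needed.
function buildPoolMembers(poolId) {
  return {
    text: 'MATCH (p:Pool {id: $poolId})<-[r:PARTICIPATES_IN]-(u:User) RETURN u, r',
    params: { poolId },
  };
}
```

The query text never changes with user input, so a name like `.*` or `foo|bar` is looked up literally; if you want a true regex search later, the same parameter slot can carry an unescaped pattern, but then the database is exposed to whatever pattern the client sends.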

I also corrected a lot of bugs that I found. When I’m testing new functionality I find bugs in old functionality that should have been noticed before, but because there are no tests it all depends on us to find these bugs; Marco has also found a couple of bugs when testing with Android. It seems like unit tests are more and more necessary as time passes, as it is hard to keep track of everything that I’ve written and not tested.

Estefy created the landing page, and Marco is working on the mobile application.

What I’ll do this week (February 26)

--Originally published at Hermes's Blog

There are a lot of things that I’d like to do; I’ll enumerate them in order of importance.

  • Search pools and users; that implies that I need to create a way to query a regular expression, or at least the beginning of one of their string properties. I also need to filter the pools by their `public` property.
  • Pool owners need to split the bill; they should be given the options of splitting it evenly or with custom amounts (do we need to make sure that the total of all the custom amounts sums up to the total of the bill?).
  • Pools need to specify who you should pay, how much money they owe or who paid more than necessary.
  • The only payment method available right now is cash; the pool owner should be the only one able to change the pool and relation-to-the-pool properties.
  • Maybe invites should be visible through an interface in the app. I think that the best way to approach this is to create a new relation between the pool node and the user node that indicates that he’s been invited, because otherwise there is no other way to find out who you have invited: the email is sent and after that it all depends on the user clicking the link.
  • We need a Facebook and Google login (I think this will be done by someone else).
  • User profile images are not critical (because we have default profile gravatars) but would be nice to have; we should store them somewhere outside the database, maybe storing the path to the file in the node, or use an external service like Amazon S3.
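The bill-splitting items that appear in the March 12, March 5 and February 26 TODO lists above, worked through as an added example (not the Cooper project's own code): an even split that never loses cents, a custom split that enforces the "do the custom amounts have to sum to the bill?" question in the affirmative, and a settlement step that answers "who should pay whom, and who paid more than necessary". Amounts are integer cents; the member id strings and the `paid` map are assumptions about how the API would represent relations to users.

```javascript
// Added example (not the Cooper project's own code) of the bill-splitting
// rules from the TODO list. Money is handled in integer cents so an even split
// never produces fractional amounts; the data shapes are assumptions.

// Split `totalCents` evenly across `memberIds`. Any leftover cents go one each
// to the first members, so the shares always add up to the bill exactly.
// Re-running this with the new member list is how a pool is re-split when a
// newly invited user confirms.
function splitEvenly(totalCents, memberIds) {
  if (!Number.isInteger(totalCents) || totalCents < 0) {
    throw new Error('total must be a non-negative integer amount in cents');
  }
  if (memberIds.length === 0) throw new Error('a pool needs at least one member');
  const base = Math.floor(totalCents / memberIds.length);
  let remainder = totalCents - base * memberIds.length;
  const shares = {};
  for (const id of memberIds) {
    shares[id] = base + (remainder > 0 ? 1 : 0);
    if (remainder > 0) remainder -= 1;
  }
  return shares;
}

// Custom split: the owner sets each member's share. The shares must sum to
// the bill; otherwise part of the bill would have nobody responsible for it,
// or members would be asked for more than was spent.
function splitCustom(totalCents, customShares) {
  let sum = 0;
  for (const [id, cents] of Object.entries(customShares)) {
    if (!Number.isInteger(cents) || cents < 0) throw new Error(`invalid share for ${id}`);
    sum += cents;
  }
  if (sum !== totalCents) throw new Error(`custom shares sum to ${sum}, bill is ${totalCents}`);
  return { ...customShares };
}

// Given each member's share and what each member actually paid, compute the
// transfers needed to settle the pool. Members who paid more than their share
// are creditors, the rest are debtors; the greedy matching pairs the largest
// debt with the largest credit and yields at most (members - 1) transfers.
function settle(shares, paid) {
  const balance = {}; // positive: is owed money, negative: owes money
  for (const id of Object.keys(shares)) balance[id] = (paid[id] || 0) - shares[id];
  const creditors = Object.entries(balance).filter(([, b]) => b > 0).sort((a, b) => b[1] - a[1]);
  const debtors = Object.entries(balance).filter(([, b]) => b < 0).sort((a, b) => a[1] - b[1]);
  const transfers = [];
  let i = 0, j = 0;
  while (i < debtors.length && j < creditors.length) {
    const amount = Math.min(-debtors[i][1], creditors[j][1]);
    transfers.push({ from: debtors[i][0], to: creditors[j][0], cents: amount });
    debtors[i][1] += amount;
    creditors[j][1] -= amount;
    if (debtors[i][1] === 0) i += 1;
    if (creditors[j][1] === 0) j += 1;
  }
  return transfers;
}
```

Keeping the "who owes whom" computation server-side and only letting the pool owner call `splitEvenly`/`splitCustom` also covers the TODO item that the owner should be the only one able to change pool and relation properties.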

What I did this week (February 19)

--Originally published at Hermes's Blog

This week I advanced a lot in the relation API for Neo4j; although I’d like to improve it, we can get along with it for the whole project. Also, in the Cooper API, we can now create and join pools, users can invite other users, and invitation links are sent to them via email. Marco and Poncho managed to have a beta version of the Android app; most of the API functionality is already implemented in the app. It’s been a productive week.

What I’ll do this week (February 19)

--Originally published at Hermes's Blog

This week I’ll work on creating relationships in both directions: relations that go from a to b and from b to a at the same time. This will be useful to find users that participate in a pool and the pools in which a user participates. I will also work on getting all the relationship entities in a single callback. I will finish the pool model and its relationship with users.

And from the frontend, they say they will have the login, register (email, Facebook and Google), and the users and pools list views ready by the end of this week, in both the browser and the Android app.

What I did this week (February 12)

--Originally published at Hermes's Blog

So I accomplished what I promised in the last premortem post. We have Neo4j relationships working with properties that are contained in the edge, but it only works in one direction, a relation of the form `(a)-[relation {props}]->(b)`. I want to be able to create relations in both directions so that, for example, we can get the pools that a user participates in but also the users that participate in a pool. From that, we need to be able to get these nodes from an endpoint in the API, and so I need to create methods to find the nodes in a relationship. That will be enough work for this week, as well as defining the complete pool endpoints and model.

This will be useful: https://neo4j.com/docs/developer-manual/current/cypher/clauses/match/#relationship-basics

Quantum Computing

--Originally published at Hermes's Blog

Here’s a really good video that explains (vaguely) quantum computing.


The fact that quantum computers have much more computational power than modern computers and are capable of factoring very large numbers is a big threat to today’s cryptographic algorithms, which rely on the assumption that factoring really large numbers is such an expensive operation that it is nearly impossible to do. Quantum computers will be able to complete the factorization in a short enough amount of time, and when cryptographic algorithms collapse, so does network security.

But sure enough, quantum computers are not just a threat to network security; they are also the solution. Quantum cryptography relies on the Heisenberg Uncertainty Principle, which states that an observer cannot fully measure a moving object’s position and path without affecting one or the other.

And here’s a TED video explaining the Heisenberg Uncertainty Principle:


Koley (CTO of Juniper Networks) explains: “Typically, photons are used over a fiber-optic channel to achieve this [transmit information in quantum state], any attempt to measure one of the entangled photons leads to changes in the quantum state of the other, and therefore is detected. Thus, QKD offers a key distribution mechanism where any attempt to intercept the key by eavesdropping is revealed and the keys are discarded. QKD is not vulnerable to cracking attempts by quantum computers the same way that traditional cryptographic techniques are because any interception attempts in the QKD paradigm are readily detected. This is one of the reasons QKD is considered to be a good candidate for post-quantum security.”
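The detection Koley describes, simulated as an added example that is not part of the original post: a classical model of the BB84 key distribution protocol, in which a photon measured in the wrong basis yields a random bit and is left in the measuring basis. Without an interceptor, the sifted keys of the two parties agree exactly; with an intercept-and-resend interceptor, about a quarter of the sifted bits disagree, which is how the parties learn the key was observed and discard it. The seeded PRNG (mulberry32) is used only to make runs reproducible; no quantum hardware or library is involved.

```javascript
// Added example, not from the original post: classical simulation of BB84.
// Photon behaviour is modelled with ordinary random numbers.

// Small seeded PRNG so the simulation is reproducible (mulberry32).
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Measuring in the basis the photon was prepared in returns the encoded bit.
// Measuring in the other basis returns a uniformly random bit and leaves the
// photon re-prepared in the measuring basis: the state has been disturbed.
function measure(photon, basis, rand) {
  if (photon.basis === basis) return photon.bit;
  const bit = rand() < 0.5 ? 0 : 1;
  photon.basis = basis;
  photon.bit = bit;
  return bit;
}

// Run BB84 over `n` photons. If `eve` is true, an interceptor measures each
// photon in a random basis and forwards it. Returns the sifted keys (positions
// where Alice's and Bob's bases agreed) and how many of those bits disagree.
function bb84(n, eve, seed) {
  const rand = mulberry32(seed);
  const randBit = () => (rand() < 0.5 ? 0 : 1);
  const aliceBits = [], aliceBases = [], bobBases = [], bobBits = [];
  for (let i = 0; i < n; i++) {
    // basis 0 = rectilinear, 1 = diagonal
    const photon = { bit: randBit(), basis: randBit() };
    aliceBits.push(photon.bit);
    aliceBases.push(photon.basis);
    if (eve) measure(photon, randBit(), rand); // interceptor guesses a basis
    const bobBasis = randBit();
    bobBases.push(bobBasis);
    bobBits.push(measure(photon, bobBasis, rand));
  }
  // Sifting: bases are announced over the public channel and the positions
  // where they differ are dropped. Announcing bases reveals nothing about bits.
  const aliceKey = [], bobKey = [];
  for (let i = 0; i < n; i++) {
    if (aliceBases[i] === bobBases[i]) {
      aliceKey.push(aliceBits[i]);
      bobKey.push(bobBits[i]);
    }
  }
  // Error estimate. In a real deployment a random subset of the sifted key is
  // compared in public and discarded; the rest becomes key material only if
  // the observed error rate is below the protocol's threshold.
  let errors = 0;
  for (let i = 0; i < aliceKey.length; i++) if (aliceKey[i] !== bobKey[i]) errors++;
  return { aliceKey, bobKey, errors, errorRate: aliceKey.length ? errors / aliceKey.length : 0 };
}
```

The interceptor guesses the right basis half the time; when it guesses wrong, Bob's measurement in the correct basis is random, so one in four sifted bits is wrong on average. That disturbance, not any computational hardness, is what makes the eavesdropping visible, which is why the quote above says QKD is not weakened by a quantum computer the way factoring-based schemes are.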

And here’s a video explaining the QKD algorithm:


More resources on the subject:

https://www.techrepublic.com/article/how-quantum-computing-could-create-unbreakable-encryption-and-save-the-future-of-cybersecurity/

http://www.bbc.com/news/technology-36203043

https://www.britannica.com/science/uncertainty-principle

https://research.google.com/pubs/QuantumAI.html

SQL Injection Attack

--Originally published at Hermes's Blog

Sometimes web developers don’t realize that their SQL queries can be made to circumvent access control, and sometimes they even allow access to host operating system level commands.

An SQL injection is a method of creating or altering existing SQL commands to expose hidden data, override existing data or even delete it. This is usually accomplished by taking advantage of the static fragments the application uses to build SQL queries, which it then combines with user input. This way, malicious users can paste extra SQL into the application and, depending on the privileges given to the app’s database user (usually admin privileges), they are able to perform different actions.

What is the solution? Sanitize the user input. This basically means validating that the user input is what you expect it to be: check that it’s an integer, check that it has a certain format, check that it does not contain unexpected characters or even SQL statements. Also, transform the original user input to convert special characters to their HTML equivalents, remove line breaks and extra spaces, and strip octets.
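The same lookup written the injectable way and the hardened way, as an added example that is not part of the original post. No database is connected: each function returns the statement it would send, so the difference is visible directly. The validation step is the "check that it's an integer" advice above; the parameterized form goes one step further and keeps data out of the SQL text altogether, which is what the PHP manual page in the references recommends. The `users` table, its columns and the `$1` placeholder style are assumptions (placeholder syntax varies by driver).

```javascript
// Added example, not from the original post. Table/column names are assumptions.

// Vulnerable: the user's input becomes part of the SQL text. Anything other
// than a plain number changes the meaning of the statement rather than being
// treated as a value.
function buildUserQueryUnsafe(userId) {
  return 'SELECT id, name, email FROM users WHERE id = ' + userId;
}

// Step 1 of the fix: validate that the input is what you expect, here a
// decimal integer id, and reject everything else before it goes anywhere.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,18}$/.test(raw)) {
    throw new Error('user id must be a decimal integer');
  }
  return Number(raw);
}

// Step 2: a parameterized query. The driver sends the statement and the value
// separately, so the value can never be interpreted as SQL even if some
// validation rule is missing.
function buildUserQuerySafe(raw) {
  const id = parseUserId(raw);
  return { text: 'SELECT id, name, email FROM users WHERE id = $1', values: [id] };
}

// Output side: converting special characters to their HTML equivalents, as
// the post mentions, protects the page that displays the data. It is done at
// output time so the stored value stays intact, and it is not a substitute
// for the two steps above on the SQL side.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}
```

Running `buildUserQueryUnsafe('42 OR 1=1')` shows the whole problem in one line: the returned statement no longer selects one user but every row, because the input was spliced into the query instead of being passed to it.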

References:

https://secure.php.net/manual/en/security.database.sql-injection.php

https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data