Ethic and legal responsibilities in computer security

--Originally published at A blog by Pablo Muñoz

This post addresses #Mastery03 of the Information Security course imparted by Ken Bauer at the Tec de Monterrey campus Guadalajara on the second half of 2017.

Disclaimer: This post contains my personal opinion and in no way attempts to demerit the efforts of the technology industry regarding ethics, it is merely an observation about how I think we could improve in this matter.

I personally believe that we, the people who work in technological industries, often fall somewhat behind other industries in terms of creating, upholding and promoting a code of ethics. I decided to look at the ethics code published by one of the associations that I respect the most: the Association for Computing Machinery (you may look at their code of ethics here). The ACM's code of ethics mentions principles like: contribute to society and human well-being, avoid harm to others, be honest and trustworthy, etc. Among the principles more closely related to information security we find: respect the privacy of others and honor confidentiality, give comprehensive and thorough evaluations of computer systems and their impacts, and know and respect existing laws pertaining to professional work. I won't recite the explanations of each of these principles (I encourage you to go read the actual document at the ACM site), but you can see how strongly they relate to the AIC triad (the first one even has the word confidentiality right in it). In total, the ACM's code of ethics lists 28 principles.

To illustrate, here is the definition of the “Honor confidentiality” principle:

The principle of honesty extends to issues of confidentiality of information whenever one has made an explicit promise to honor confidentiality or, implicitly, when private information not directly related to the performance of one's duties becomes available. The ethical concern

AIC: The IT security triad

--Originally published at A blog by Pablo Muñoz

This post addresses #Mastery02 of the Information Security course imparted by Ken Bauer at the Tec de Monterrey campus Guadalajara on the second half of 2017.

Anyone who starts getting into information security will come across the three words availability, integrity and confidentiality early on. These are considered to be the three canonical goals of information security. Confidentiality refers to keeping data private, integrity means ensuring that the data exchanged between two parties hasn't been tampered with, and availability deals with ensuring that systems are up and running smoothly when they are needed, which, for some services, might mean as close to 24/7 as is feasible.
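To make the integrity goal concrete, here is a small added example (my illustration, not part of the original post) showing why a keyed message authentication code, rather than a plain hash, is what lets the receiving party detect tampering. The shared key and the messages are constructed sample values; in a real system the key would come from a key exchange or a secrets store, never a literal in the source.

```python
"""Integrity in the AIC triad: detecting a tampered message with HMAC-SHA256.

Added example, not code from the original post. The key and messages below
are constructed sample values for the demonstration only.
"""
import hashlib
import hmac

# Constructed shared secret known to sender and receiver (sample value only).
SHARED_KEY = b"example-shared-key-not-for-production"


def protect(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute an HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time,
    so timing differences do not leak how many bytes matched."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def plain_hash(message: bytes) -> str:
    """An unkeyed digest: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def demo() -> dict:
    """Compare a genuine message, a tampered one and a forgery attempt.

    Returns a dict of booleans that should all be True: the genuine message
    is accepted, the tampered message is rejected, a tag computed without
    the key is rejected, and an unkeyed hash offers no protection because
    the attacker simply recomputes it for the altered message."""
    original = b"transfer 100 to account 42"   # constructed sample message
    tampered = b"transfer 900 to account 42"   # same message, amount altered

    tag = protect(original)

    # Attacker changes the message and tries to produce a tag with a guessed
    # key; without SHARED_KEY the receiver's check fails.
    forged_tag = protect(tampered, key=b"attacker-guess")

    # With a plain hash the attacker recomputes the digest for the altered
    # message and the receiver cannot tell anything changed.
    attacker_digest = plain_hash(tampered)
    receiver_accepts_plain = plain_hash(tampered) == attacker_digest

    return {
        "genuine_accepted": verify(original, tag),
        "tampered_rejected": not verify(tampered, tag),
        "forgery_rejected": not verify(tampered, forged_tag),
        "unkeyed_hash_gives_no_integrity": receiver_accepts_plain,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The takeaway is that integrity protection needs something the attacker does not have (here, the shared key); a checksum or hash alone only catches accidental corruption, not deliberate modification. Confidentiality is a separate goal and would additionally require encrypting the message.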

Confidentiality is important for many reasons. Sure, an enterprise will want to keep its internal documents from the eyes of competitors or other unsavory characters, but individuals also want to have control over who can get access to their data. If someone wants to prevent friends or co-workers from looking at their angsty teenage Facebook posts, they should be able to. Some countries are beginning to create legislation for what companies won't think about or refuse to implement, like in the United Kingdom, where The Telegraph reports that: Facebook users will be given new legal right to delete all posts they made as teenagers. On the corporate side of things, well…, just google this document is confidential filetype:pdf and see how many results you get. I get almost 7 million hits, and some of them are even from government sites, ouch! Obviously, someone wasn't doing their job properly, uploaded some files to a server without thinking, and the search engines found them and indexed them.

On the topic of integrity, the authors of What Do We Mean By Security Anyway? put it best:

Integrity is the most subtle but maybe the

Hello world!

--Originally published at A blog by Pablo Muñoz

It's time to start blogging. The thought of starting my own blog has crossed my mind on more than one occasion. However, I always put it off due to being indecisive about what technologies to use, what it should contain and how it should look.

As of right now (late 2017) I'm about a year and a half from obtaining my second bachelor's degree. The first time around I graduated as a "licenciado" in administrative finance. Now I'm looking forward to graduating as a computer systems engineer. I've studied for both degrees at the Tecnológico de Monterrey, campus Guadalajara. Why I chose to get a second degree, and in some ways start my life anew, will be the matter of another blog post.

As a student of the (in)famous Ken Bauer, I am tasked with starting a blog in which to make regular posts that detail what I'm learning about IT security in class. Since the collection of posts will count towards my grade, I was spurred into action to stop procrastinating and start my blog right now. I expect that this exercise in writing will serve to better my communication skills and ability to form thoughts, and perhaps be helpful, or at least interesting, to a few of you out there.

After struggling to get a blogging platform going in Python's Flask, I decided to use WordPress. The whole set of technologies that power this blog is:

  • MySQL database (hosted on AWS)
  • EC2 AWS instance as the server
  • Docker for ease of development and deployment

I shall make another tutorial style post about how I got this site running, and what I learned during the process.

I hope that blogging will become a habit of mine. Expect posts not only about my security class, but about a whole range of subjects from programming, startups,