Elections Analyzer 2018 – Week 3 Premortem

--Originally published at Blog | Cesar Arturo Gonzalez

Over the weekend I worked on the Makefile of the project so everybody can install dependencies, and the DevOps work is fully done, with space to test, install and run the project in developer mode and in production. This was hard for me because I needed to be sure that it worked in both Unix and …

Code of Ethics

--Originally published at Computer Security

Every day millions of applications are being used by a lot of people around the world, but how much do we know about the usability of the app, the terms and conditions, the privacy policy and the use of our personal data? How sure are we about whether some application is tracking our activities or collecting our data for personal benefit, like selling our data?

There exists a code of ethics for software engineers. In this code of ethics there are some principles that talk about the usability of the app, the relation with the clients, as well as the use and the protection of the personal data of the users. Every company or freelance programmer that designs an application or system has the responsibility to follow the code of ethics to guarantee that the system is developed in the most ethical way possible without affecting society.

One point that caught my attention and seems interesting to me is the one that talks about the protection of personal data. Since some applications deal with sensitive data, the programmer must always encrypt it to ensure security, letting the user know that his information is secure and protected, which builds confidence. There exist a lot of established encryption methods; it is not good practice to write our own. The smaller the company is, the lower the possibility of getting attacked by non-ethical programmers, but because the company is small, there exists the possibility that the security protocols are weak because it doesn’t invest a lot of money in security. If we’re using a web application, we will always have to ensure that it uses an encrypted connection (HTTPS).

All apps must have established their privacy policy and terms and conditions, and let the user know when these documents have some modifications. (Even nobody read

Continue reading "Code of Ethics"

Classic Security Architecture Models

--Originally published at Computer and Information Security

Howdy once again reader! Today’s topic is about some basic architecture models for providing security in a system.

Security models of control are used to determine how security will be implemented, what subjects can access the system, and what objects they will have access to. Simply stated, they are a way to formalize security policy. Security models of control are typically implemented by enforcing integrity, confidentiality, or other controls. Keep in mind that each of these models lays out broad guidelines and is not specific in nature. It is up to the developer to decide how these models will be used and integrated into specific designs.

The most frequently used are:

Lattice

A lattice is a mathematical construction with:

  • a set of elements
  • a partial ordering relation
  • the property that any two elements must have a unique least upper bound and greatest lower bound

A security lattice model combines multilevel and multilateral security.

Lattice elements are security labels that consist of a security level and a set of categories.

State Machine

In the state machine model, the state of a machine is captured in order to verify the security of a system.

The model is used to describe the behavior of a system in response to different inputs. It provides mathematical constructs that represent sets (subjects, objects) and sequences. When an object accepts an input, this modifies a state variable, thus transitioning to a different state.

Implementation tips:

  • The developer must define what and where the state variables are.
  • The developer must define a secure state for each state variable.
  • Define and identify the allowable state transition functions.
  • The state transition function should be tested to verify that the overall machine state will not be compromised and that the integrity of the system is maintained.

Noninterference

The model ensures that any actions that take place

Continue reading "Classic Security Architecture Models"
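
The security lattice from the post above, as an added example that is not part of the original post: labels are a (level, categories) pair, the partial order is dominance, and the least upper bound and greatest lower bound are computed component-wise. The level names, the helper names and the read rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from functools import reduce

# Level names are assumed for illustration; the post does not name any.
LEVELS = ("PUBLIC", "CONFIDENTIAL", "SECRET")


@dataclass(frozen=True)
class Label:
    level: int             # position in LEVELS (a total order)
    categories: frozenset  # compartments (ordered by set inclusion)

    def dominates(self, other):
        # Partial order: at least as high a level AND a superset of categories.
        return self.level >= other.level and self.categories >= other.categories


def label(level_name, *categories):
    return Label(LEVELS.index(level_name), frozenset(categories))


def join(a, b):
    # Least upper bound: the lowest label that dominates both a and b.
    return Label(max(a.level, b.level), a.categories | b.categories)


def meet(a, b):
    # Greatest lower bound: the highest label that both a and b dominate.
    return Label(min(a.level, b.level), a.categories & b.categories)


def comparable(a, b):
    return a.dominates(b) or b.dominates(a)


def label_for_derived(sources):
    # Data computed from several inputs carries at least the join of their labels.
    return reduce(join, sources)


def can_read(subject, obj):
    # Assumed policy (not stated in the post): read only what you dominate.
    return subject.dominates(obj)


if __name__ == "__main__":
    hr, fin = label("SECRET", "HR"), label("CONFIDENTIAL", "FINANCE")  # constructed samples
    print(comparable(hr, fin), join(hr, fin), meet(hr, fin))
```

The two sample labels are incomparable, which is why the model is a partial order rather than a simple ranking: neither clearance can read the other's data, yet both bounds still exist and are unique.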

Security on the Web (User Perspective)

--Originally published at Computer and Information Security

OMG! Reader, you keep looking at my posts, I’m so flattered. This time I will talk about how you can avoid getting into the wrong website.

The first thing that you should check when you visit a website, no matter what type of website, but especially if you need to visit a payment website, is its SSL certificate. I think nowadays Chrome tells you when a website is not secure. So, once the browser tells you that the website is not secure, immediately leave it and don’t type or click on anything; you don’t know what scripts or dirty code live there.

Another recommendation for avoiding this is to visit official pages. If you want to buy tickets for a concert and you know that a certain retailer has a valid webpage to buy them, then buy them there. Don’t trust those websites that post something cheaper; just because it is on their website doesn’t guarantee it is true.

[Image: Ticketmaster] This is not a sponsored post, just an example of an official retailer.

One more piece of advice I can give you is to never click those nonstop ads on any webpage; you could get into a website that could officially infect your computer with downloaded stuff. With a simple click, your computer could be finished.

That’s it folks, see you in the next post!


So you want to know about Bitcoin…

--Originally published at Computer and Information Security

Hey reader! I’m glad you keep digging at my posts, that’s nice of you. This time I will talk about Bitcoin.

From the official page of Bitcoin we can find that this type of coin is:

Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part. Through many of its unique properties, Bitcoin allows exciting uses that could not be covered by any previous payment system.

As you can see, the P2P technology that they talk about is something called blockchain, which you can read about in my previous post. In the big picture, Bitcoin is nothing more than a program that uses hash tables and is about transactions made on the web over a certain amount of time, and the one that solves the math problem first is the one that can charge a small amount of the bitcoin value.

That’s it, I tried to explain to you in simple words what this is, but as I know that you are more graphical than just words, I will leave a video of how to create your own cryptocurrency in JavaScript:

Part 1

Part 2

References:

https://youtu.be/zVqczFZr124

https://youtu.be/HneatE69814


Blockchain – As you saw it on TV! Actually in the web with Bitcoin

--Originally published at Computer and Information Security

Sup, reader! I feel a little rusty talking to you since I haven’t uploaded in a while, and that’s something I want to change today.

Today’s topic is blockchain. You will be asking yourself, wt… is blockchain? Well, this is nothing more than how Bitcoin works. I mean, this is not a post about Bitcoins, if that’s what you think you will learn here; for that I recommend you look at my later blog post, where I talk about some cryptocurrency. But for now I will explain it as I understood it from a video that a person made online. I will tell you how I interpret it, but of course I will leave the video down somewhere here, for you to understand the basic concepts of how something like Bitcoin works.

First we have an ecosystem of computers connected all over the world through the internet; imagine a bunch of computers connected on a LAN, something like a mesh. For example this image:

[Image: mesh network]

Here you can see a lot of devices connected. This is known as decentralized and distributed. It is distributed because each computer or device has a copy of each transaction and doesn’t depend on a third party, unlike how banks work, where you need a bank account which is managed by a banker, and for a transaction to be reflected it needs to be approved by this banker. So what blockchain is trying to do is remove those third-party entities, so that each one of us can have a very transparent and corruption-free system. And it is decentralized because the transactions are reflected in each device connected to this system.

The basic component of the blockchain is a layer, which is something like you see in the

Continue reading "Blockchain – As you saw it on TV! Actually in the web with Bitcoin"

Computer Threat Terminology.

--Originally published at IsmaLga on Informatics Security.

As I have mentioned several times on this blog, hearing about threats on the internet is now commonplace in the news, as is reading about information leaks and massive hacks. I think that when this news is presented, many concepts are used that most of the population does not understand. That is why I have decided to write a guide to these concepts so that anyone can become more familiar with the terms used in computer security.

Malware: Short for malicious software. It covers every type of program whose purpose is to damage a computer system or cause it to malfunction.

Phishing: The impersonation of a person's digital identity. The access credentials for the user's services are obtained fraudulently.

Social Engineering: Obtaining information from users by manipulating them.

Spam: Junk e-mail. It is usually sent in bulk and seeks to harm the recipient in some way. It is often used for phishing.

Cyber Fraud: Scams that use the network to carry out illicit transactions.

Worms: Malware that is able to duplicate itself and spreads from computer to computer.

Spyware: A spy program that collects information from a computer and then transmits that information to an external entity without the user's knowledge.

Trojans: A malicious program that presents itself as legitimate but, when run, provides remote access to the affected machine.

Adware: A program that displays unwanted advertising in order to generate profit for the advertiser.

Hacking: Intentionally accessing systems or information without authorization with the aim of using that information.

Incognito Mode – “HA”

--Originally published at Security

Yes, the fact that we browse in incognito mode, delete cookies and history, or even use extensions such as AdBlocker or PrivateBadger does not exempt us from the fact that when we visit a page or click a link our footprint stays there forever, and this is something to really consider. One day my colleague Gerardo Velasco told me something like: if you don't want something to be known and to remain forever, first, don't do it or say it, and second, don't upload it to the internet. That is excellent advice that I keep in mind very often in my life.

We know that this is not a comment that any “ordinary” person would make; he knows it because he is aware of and understands the risks. What is alarming is that most people are not, and blindly trust the internet. For this reason I believe that we as developers, who know the risks, have the responsibility to build secure systems. Because of the above we decided to maintain confidentiality and in our application, so that the user feels safe, that their privacy is respected and that their information will only be used for their benefit. With this in mind we decided to use the minimum personal information about the children, and what we store is encoded, all for the sake of the user's peace of mind.

Always remember that when you upload or view something on the internet, there is a risk that more people will see it than you want; think twice about which sites you visit and which aspects of your private life you share.


Keeping a Secret, that is, Data Confidentiality

--Originally published at Bytes of Mind

This time, we are going to be talking about data confidentiality and how it was handled in my STATS project. To give a little recap, there is more to confidentiality than just making data private; rather, it’s about keeping the needed information private, and letting the user know what it needs to know.

On our project we were handling four different types of users: students, teachers, principal and admin, and each had a different level of access to information. First we have the students, who are able to see their average scores based on how they perform on the game Mateoro. Then we have teachers, who can see the average score for each student in their class, an average of the whole group and a comparison between students. After that we have the principal, who can see the same information as a teacher but for every group in the school. And finally we have the admin, who can’t see test results, but is able to add new users (with the exception of a principal) to the or edit some of their information (such as name, date of birth, class, etc.). This is deliberately handled such that students can’t compare their scores through our platform, and teachers can’t measure the progress of classes not related to them.

This ensures that data is confidential between users, but what about the database? Well, once again, this is where the power of encryption comes in. By running our data through an encryption algorithm we can ensure that data can’t be interpreted even if someone can get their hands on it. Thus, we can ensure that the data can reach their respective users while keeping it safe from people looking from the outside or even from the inside, since the data is basically useless without

Continue reading "Keeping a Secret, that is, Data Confidentiality"
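
The four-role visibility rules described in the post above, written as a deny-by-default check; this is an added example, not code from the STATS project. The `User` fields, the function names and the same-school restriction on students and teachers are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ROLES = {"student", "teacher", "principal", "admin"}  # the four roles named in the post


@dataclass(frozen=True)
class User:  # field names are hypothetical
    user_id: str
    role: str
    school: str
    class_id: Optional[str] = None  # set for students and teachers


def can_view_scores(viewer, student):
    """True only when the post's rules let `viewer` see `student`'s average."""
    if student.role != "student" or viewer.school != student.school:
        return False
    if viewer.role == "student":
        return viewer.user_id == student.user_id      # own scores only
    if viewer.role == "teacher":
        return viewer.class_id is not None and viewer.class_id == student.class_id
    if viewer.role == "principal":
        return True                                   # every group in the school
    return False                                      # admin or unknown role: deny


def can_create_user(actor, new_role):
    """Admins add users, with the exception of a principal."""
    return actor.role == "admin" and new_role in ROLES - {"principal"}


def visible_averages(viewer, students, averages):
    """Filter {user_id: average} down to the rows `viewer` may see."""
    return {s.user_id: averages[s.user_id]
            for s in students
            if s.user_id in averages and can_view_scores(viewer, s)}
```

Filtering on the server with a check like this, rather than hiding rows in the interface, is what keeps one student's scores out of another student's response.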
