I Don’t Want Just Anyone To See My Data

--Originally published at IT Security – Debugging My Mind

Confidentiality as I’ve mentioned before, is a key property that any application must have, you don’t want your personal data that any app you download so easily asks for to be out there for anyone to see, otherwise we would just be carrying around papers with all our info taped to our backs.

This is why as developpers we have to always assume any info we ask out of someone about them can be personal, we don’t know whether someone thinks their name can be public, or someone who thinks it should be kept private unless absolutely needed otherwise, so it’s better to keep things as confidential as possible by default, rather than publicly out and easy to obtain.

One of the main methods to keep confidentiality of data we have stored of our users is by the use of encryption. Using a hashing algorithm we change that plain text info into an unreadable mess that requires computation to solve, adding salt and pepper we make it very difficult to go back to the original text without  the key, making it so that data cannot be precomputed in bulk as a rainbow attack.

Handling data of young children makes it even more sensitive, as their personal information is being handled by other people that have to be responsible for it. This wasn’t an issue back when we were younger, but these kids live in the digital age, where the internet is predominant and their info can easily be thrown out there for anyone to see without their consent or them even knowing. It wouldn’t be nice us as adults right now to find out that back when we were young and couldn’t do anything about it our information was put out there easy for people to find and read.


Continue reading "I Don’t Want Just Anyone To See My Data"

What Happened With My Data?

--Originally published at Debugging My Mind

Integrity. The property of data not being altered or destroyed by an unauthorized entity; such a property isn’t so easily assured to a client, and that’s why we needed a plan as to how we were gonna do it.

Our application consists of 2 separate main modules, the school management part of the app, consisting purely on the web implementation, keeping track and being able to register teachers, students and checking on their information, while on the other side we have the game itself, responsible of handling all the logic to provide the levels, with their defined difficulty, as well as keeping track itself of temporal progress data from each student.

Our main concern related to data integrity surged from the communication between these modules, more specifically, between the game and the database, since there has to be a stable connection to be storing each separate level, as well as obtainning the new predicted difficulty for the game, there is a chance of data being corrupted or lost in the process should a connection error occur.

Because of the glaring problem that the lack of connection of the game with the server creates, we decided to design the game itself in such a way that it can work independently whether there is a connection to the database or not. To do this, the game will do several checks before starting: first, it will try to connect to the server to obtain the user’s required information, such as their profile, predicted new difficulty and money for the store, should this connection fail there will be 2 options. One of them is executed if there are no locally stored information, where the game will begin in a “default” mode, where the player plays through the game as if they started back from

Continue reading "What Happened With My Data?"

Let’s Get Paranoid

--Originally published at IT Security – Debugging My Mind

Everyone is out there to hack you and get your personal/private information! Well, maybe not everyone, and maybe it won’t be happening to you at all in the course of your life (or at least not without you noticing), but this is a real danger that comes with the use of technology, specially the internet, where it’s so easy as to start a blog like this one and write off of your mind without a care in the world.


Image by Henri Bergius

So as an user you hear the usual stuff, “Get an antivirus”, “Use different strong passwords for your accounts”, “Don’t click on the DOWNLOAD HERE links or enter your credit card information to win the amazing prize you just got in this random website“, but even if you were to follow all these pieces of advice you keep hearing around related to security, you might still lose access to an account or your information taken, and this is where not only the final user has to take their appropiate security measures, but where our job as software engineers begins.

What good is there that our users take several extra steps to care for their security if the software we create has a clear fail, an easy backdoor to access, and then when the information gets taken, it’s as clear as plain text, which they can then use as a domino effect to cause more damage to us and our users.

Here’s where the title comes in, let’s get paranoid, not only about our security as users of a piece of software, but as developers of it. Things like security are often taken as an “opt-in” mechanism, cutting the corners and the extra work that it takes to add a probably already tested and reliable library that

Continue reading "Let’s Get Paranoid"

The Security Triforce

--Originally published at Debugging My Mind

security triforce

It is said that if you gather all three pieces of the security triforce, your software will be the most protected. In all seriousness, this is known as the CIA/AIC security triad and it refers to the most common topics that are focused on when protecting systems. It refers to Confidentiality, Integrity and Availability.

These next months my team and I will be creating a web application focused on helping the 2nd grade students of a particular school, where security will become a topic of importance for the development of this app.

At first glance you might be able to discern what these 3 terms mean from the word alone, but I’ll go through them quickly and specify what they represent, as well as how each of them will (or not) be necessary on the app that we’ll be developping.

confidentialityConfidentiality: It refers to the ability and the property of keeping delicate and important information hidden or encrypted in such a way that unauthorized individuals are incapable of accessing it, and even in the case of it happening, being unable to understand it.

In order to customize each of the children’s experience with the math mini-games we’ll be implementing in the application, as well as the reports the teachers will obtain, delicate and important information about them might be needed and stored within the app’s database.

Since the personal information of young children will be handled, we have to be very careful to keep it as confidential as possible, as well as making sure to not keep data that is no longer used (for example, children that have left the school or that just won’t be using the application anymore shouldn’t have their data kept after some time has passed). I believe this specific security property is the most

Continue reading "The Security Triforce"