Code of Ethics

--Originally published at Computer Security

Every day millions of applications are being used by a lot of people around the world, but how much do we know about the usability of the app, the terms and conditions, the privacy policy and the use of our personal data? How sure are we  about some application is tracking our activities or collecting our data for personal benefit, like selling our data?

There exists a code of ethics for software engineers. In this code of ethics there are some principles that talks about usability of the app, relation with the clients, as well as the use  and the protection of the personal data of the users. Every company or freelance programmer that designs an application or system has the responsibility of follow the code of ethics to guarantee developing the system in the more ethical way possible without affecting the society.

One point that caught my attention and seems interesting for me is the one that talks about the protection of the personal data. Since some applications deal with sensitive data, the programmer must always encrypt it to ensure security and hence letting the user know that his informations is secure and protected, thus it ensures confidence. There exists a lot of established encryption methods, is not a good practice write our own. The smaller the company is, the lower possibility to get attacked by non-ethical programmers, but because the company is small, it exists the possibility that the security protocols are weak because it doesn’t invest a lot of money on security. If we’re using a web application, we will always have to ensure that it uses an encrypted connection (HTTPS).

All apps must have established its privacy policy and terms of conditions, and letting the user know when these documents have some modifications. (Even nobody read

Continue reading "Code of Ethics"

Modo Incógnito – “JA”

--Originally published at Security

Sí, el hecho de que naveguemos en modo incógnito, eliminemos las cookies, el historial o inclusive usemos extensiones como AdBlocker o PrivateBadger no nos exenta de que al visitar una página o dar click a un link nuestra huella queda ahí para siempre, y esto es algo realmente a considerar. Un día mi compañero Gerardo Velasco me dijo algo parecido a, si no quieres que algo se sepa y permanezca para siempre, primero, no lo hagas o digas y segundo, no lo subas a internet. Lo cual es un excelente consejo que tengo presente muy seguido en mi vida.

Sabemos que esto no es un comentario que cualquier persona “común” diría, el lo sabe porque está consciente y conoce de los riesgos, lo alarmante es que la mayoría de personas no lo hace y confía ciegamente en usar el internet. Por esto creo que nosotros como desarrolladores, quienes conocemos los riesgos, tenemos la responsabilidad de hacer sistemas seguros. Debido a lo anterior es que decidimos mantener la confidencialidad  y en nuestra aplicación, para que el usuario se siente seguro, que se respeta su privacidad y que su información sólo sera usada en pro del él. Con esto en mente es que decidimos usar la mínima información personal de los niños y la que almacenamos está codificada, todo en aras de la tranquilidad del usuario.

Siempre recuerden, que cuando subes o ves algo en internet, existe el riesgo que lo vean más personas de las que deseas, piensen dos veces que sitios visitan y qué aspectos de su vida privada comparten.

 


Integridad en nuestros datos.

--Originally published at Security

Primero que nada, ¿qué es tener integridad en nuestros datos? Esto significa que se mantiene la consistencia de los datos durante todo el ciclo de vida de los mismos (Creación-Procesamiento-Análisis-Preservación-Acceso-Reutilización). Esto es muy importante por varios aspectos, desde el punto de vista de negocios para las empresas que venden datos, como para la buena imagen que da una empresa con un correcto manejo de datos.

La manera en cómo definimos nuestro ER Diagram es muy simple, tenemos sólo como atributos los datos de los niños que nos interesan y pueden ser útiles, no todos. Usamos su número de lista como key value para relacionar las tablas ya que nuestra base de datos es de tipo relacional. El manejo de datos que hacemos es bastante simple, guardamos información en cuanto se hace el registro del niño y la información que se añade o actualiza posteriormente son los aciertos, errores y tiempo en cada nivel. El análisis de datos que propusimos es en el único momento que se manipulan los datos, y estos datos son sólo los generados a través de la app y no los personales del niño.

Como mencioné anteriormente nuestra decisión de alojar nuestro servidor de base de datos en AWS fue pensada en tener el respaldo y calidad de una empresa tan grande como lo es Amazon.

 


Seguridad imposible.

--Originally published at Security

El tener completa seguridad en un sistema es prácticamente imposible, sería como destacar en cada aspecto o ser increíblemente bueno en todo lo que se hace, y estoy seguro lector, que tú así como yo, no lo eres.

Y eso no quiere decir que esté mal, así como en nuestra persona hay que estar consientes de nuestras debilidades para fortalecerlas, igual en un sistema, ya que como vimos en clase, un sistema es tan seguro, como la menos segura de sus partes. Siendo así, lo más importante es ver cuáles son los aspectos a proteger del sistema, y enfocar la mayor atención y el trabajo en asegurar esa área.

Nosotros estamos trabajando con datos personales de los niños, por esto y con lo anterior en mente es que decidimos tomar ciertas medidas y tener las siguientes acciones al respecto.

  1. Actualizamos Phaser (2.9.2), nosotros estábamos trabajando con una versión de Phaser (2.4.4) que ya tenía casi dos años de haber salido, esto con el fin de tener mejor soporte y contar con los servicios más actuales, porque como vimos en clase, nunca es bueno contar con la versión pasada de algún software.
  2. Decidimos tener una compañía de renombre que nos respaldara, AWS, esto es muy útil ya que en el caso de tener alguna filtración de datos, contaríamos con su apoyo además de la seguridad que brinda.
  3. Usamos Passport Js para la autentificación de usuarios y Bcrypt para la codificación de datos en la base de datos (SQL).
  4. Tener certificados de seguridad y el protocolo HTTPS

Estas fueron las principales medidas que tomamos, ya que el almacenar información de menores no es algo que se deba tomar a la ligera y menos si esto llega a crecer e implementarse en más de una escuela.


Three golden rules

--Originally published at How to HACK

During this course we have learned a lot about security, our task during this semester is to create a solution to help children in elementary school to learn mathematics, and of course we have to take care of its own security.

There’s a lot of rules that can help us in order to secure a system. I found one, that made me laugh a lot, this post says that the three golden rules for not having security issues were: do not own a computer, do not turn it on and do not use it. Of course that’s not useful for us.

So, we need to set other rules, and these are the ones I found:

  1. Review repeated times the code and test the security often. This means prioritizing and knowing the strengths and weaknesses.
  2. Continuous development. World changes everyday and security must, as well.
  3. Managers must take responsibilities. I think security is a task that developers and managers should be responsible of, but yeah, all the responsibility will lie in the manager, so, the manager should be more worried about it.

Security measures should be taken for our project, because it will work with people’s information. The rules listed above must be applied on it. Testing it many times, to assure that the methods are correctly implemented, offering maintenance services for sure and assuming the responsibility as long as it is used correctly.


Systems Security

--Originally published at How to HACK

Operating systems have security as well. An operating system serves to set security, since it is a platforms that interacts with a lot of users and information. This is how easily you can implement security to your Operating System.

First, passwords. For passwords we can use three things to create them: what we know, what we have and what we are.

  • What we know are things or words that we keep in our heads.
  • What we have could be material things we own, some examples are credentials or tags, which we have already used to have access to some places.
  • What we are are our own characteristics, eyes or fingerprints. These passwords are the best, because you cannot be copied or cloned, but of course, are more expensive.

NTFS (New Technology File System) is a new form of saving, browsing and securing files. This systems allow that premissions and privileges can be granted. Individual persmissions include full control, change, read and execute and list folder, among others.

Also, you can create an active directory to store, classify and retrieve information. It is a directory for objects,  essentially a database that resembles the form of a pyramid. It also, implements athentication, trust relationships (when servers are added), and groups similar entities together in its structure.

My advice is to look further in the web how to provide security to your operating system,  this post is just a little example of what you can do. As always, prevent and be prepared for the danger you could face, operating systems are not the exception.


Cryptography

--Originally published at Computer Security

Cryptography has been in use since a lot of time ago, mainly in the form of encrypted messages, and these ones were used in some important wars to communicate between allies and teams, sharing a key to decrypt them. A common example is the Enigma Machine, used in the World War 2 and decrypted by Alan Turing, this is known as the start of the modern computer era.

Nowadays Cryptography is a must in computer systems and the Internet, because a lot of personal and sensitive data is shared between websites and servers. The most common data that is encrypted are passwords and billing information, but all the data should be encrypted. There are a lot of encryption algorithms with its own complexity and security.

Some of the most popular are:

  • RSA – Rivest-Shamir-Adleman
  • AES – Advanced Encryption Standard
  • Blowfish
  • Twofish
  • MD5
  • SHA – Secure Hash Algorithm

If a website owner deals with sensitive information, like users personal information, billing data, all of this must be encrypted to ensure security and protection from hackers.

The objectives of cryptography are:

  • Confidentiality – Information is accesible for authorized users. It uses codes and cipher.
  • Integrity – Guarantees the correctness and completeness of the informations. It uses hash algorithms.
  • Authenticity – Is the assurance that the sender of a message is who they say they are. It uses hash functions and zero-knowledge proof.

 


Security on the web

--Originally published at Computer Security

Right now there are millions of websites and this number increases every day, so all of these sites have to be concerned about the security if the deal with some sensitive information, because there’s hackers. If some website owner has a security hole in the website, maybe he runs lucky and some white hat hacker (“the good one”) tells him about  it and the owner fixes it. unfortunately, there are more black hat hackers (“the bad ones”) on the Internet, so if the owner doesn’t want to deal with them or doesn’t want the data to be stolen, he has to pay for security.

A bad web security scenario is when a curious hacker, the one that looks into developer tools and plays with the url, can break the security of the website.

A nice practice is to encrypt everything, and for everything I mean EVERYTHING. Passwords, users, files, etcetera and be sure to use established encryption algorithms, is really a bad practice write your own. In the website always will be a security hole, because no website is 100% secure, that doesn’t exist, that’s an utopia. So if you wanna be  the nearest possible to that 100%, be sure to pay for some security specialist. And one important rule. TRUST NO ONE, even your website administrator, be sure not to grant all the permissions to your employees because one day maybe the won’t be your employees, and the will still have the access to your data.

Be sure yo write your security policy, privacy policy and terms and conditions, even knowing that 95% of the people won’t read them.

 


Web Security

--Originally published at How to HACK

Security is way to prevent harm and includes systems and non-physical factors. To develop a good security environment, you have to consider to basic things:

  • Awareness: Identify dangers and set your mind to wait for them to happen.
  • Protection: Using the existing security services in an intelligent way.

Web services can be complex, so web security matters. Why? Because is common that hackers look for complexity and try to steal information.

Hackers can be defined as “someone who tinkers with computers and come up with innovative ideas”. Unfortunately, the term has been mislead because of our context; nowadays, a hacker is known as someone who can find vulnerable point in a platform, gain control and steal information. There’s several kinds of hackers, sadly, most of them don’t use their knowledge for positive causes.

Web design principles:

  • Least privilege is about giving the user just the minimum privilege over the web service, so they can stick to their field and nothing else.
  • Simplicity means to simplify the programs, the less things we have, the easier to protect it.
  • Never trust users is just a recommendation about being careful with the users, most of them don’t know anything about the dangers, and can cause to the system by accident.
  • Expect the unexpected is assuming that things will happen, even it sounds impossible, is better to be prepared than have no clue at all.
  • Defense in depth refers to have various layers of defense, in order to reduce the strength of the attack if it happens.
  • Security through obscurity is leasing the amount of information you share about your web, because the less it is known, the less chances to be attacked.
  • Blacklisting and whitelisting are opposite concepts. A blacklist is a list of banned things and a whitelist is a list of
    Continue reading "Web Security"

Cryptography

--Originally published at How to HACK

Cryptography is not just secret messages, mainly because those messages are not secret. An encrypted message can be read for anyone, or at least try, because its just a senseless disaster. And that’s not bad, it is planned to be a disaster. To read an encrypted message you need a key, making it a man-made art. The origins of an encrypted messages are really old (recall the Enigma code!).

Encryption is the safest way to keep information and assure a safe data transfer. Servers have five basic services to guarantee security (listed below), these are implemented through security services, so encryption is a matter of confidentiality.

  • Confidentiality (protecting data)
  • Integrity (unchanged data)
  • Accountability (protection in communication)
  • Authentication (confirm identity)
  • Availability (services accessible).

Trusted third parties, public key infrastructure and the story of Bob and Alice are basic concepts of cryptography:

  • A trusted third party helps to trust connections between Internet environments.
  • Keys:
    • Symmetric, that uses a single key
    • Asymmetric, that uses a pair of keys.
  • Bob and Alice deals with certificates. Bob and Alice can trust each other because of the trusted third party which authenticates through the certificates.

Cryptography is a wise option to protect data and avoid data transfer.