Välkommen till Sverige

--Originally published at Swedish House Troko

Finally I made the step to move on, grab a baggage, passport and…

Actually, it took me around 3 months to start working on this blog. I still believe I’m the same guy that took that plane from Guadalajara to Stockholm. But I wasn’t hoping to be a different person to be honest. The main reason behind this blog is to have record of my trip through Sweden and Europe. Pictures, videos and text to make a contrast between the Mexican life and this new country full of FIKA and bad weather.

Should I improvise this things? Should they be on spanish or in english? I would love to see them on swedish but everybody know that is never going to happen.

And it is very funny the reason why I have never finish this posts are mostly because of my laziness, I was hoping to become less lazy in Sweden. Turns out that I’m even more lazy than ever.

1600px-Flag_of_Sweden.svg


Business + Code of Ethics = Organizational Progress (a guide about what a code of ethics is, and what should it include)

--Originally published at Alfonso reviews…

What is a code of ethics? This is probably the reason why you are here.

A code of ethics is a document where an organization shows their mission and  values, so other people can see the alignment the organization will take when problems arise, and how is the organization going to approach those problems.

This document also includes ethical principles that follow the organization’s values. Looks somewhat like a rulebook stating what to do and not to do while in the organization.

And the main reasons why it’s good to have a code of ethics are to guide the people in organizational decisions, to make clear the goals of the organization, and to let the people which will be the next moves from the organization.

Usually, a code of ethics is written to protect the reputation of the organization. If, by any chance, a member of the organization fails to follow the code of ethics, the organization can say that his/her behavior isn’t aligned with the organizational goals and code of ethics, and decide what action to take about the person implicated.


The NIST way (a brief description of the NIST Risk Management Framework)

--Originally published at Alfonso reviews…

The NIST Risk Management Framework is a guide to know how much security you need depending on the risks you can or cannot take, and how to apply the necessary measures to ensure your system is as safe as you need. The guideline it provides consists of six steps that can be done over and over again until you are satisfied.

  1. The first step’s goal is to determine what kind of information system you are trying to keep safe. Maybe you are trying to protect a database with the names and adresses of thousands of people, as well as their telephone numbers, and credit card information. In this case, you’ll need to focus on getting strong security measures in your system, It probably won’t be cheap, but it’s a must when working with sensitive data. On the other hand, if your system is concerned with… let’s say dog photos, you may not be that worried about information leaking from your databases.
  2. The second step depends on the first one, depending how much secrecy with the information you need, you’ll be choosing some security controls, and those controls will be managing the risks involved with operating the business.
  3. After you have chosen what security controls you are going to use, you need to implement them, but beware, too much security limits functionality, unless you really need an excesive ammount of secrecy, you should be looking for a balance between security and usability.
  4. The fourth step is more concerned about the third step working as it should, here you should check is the security controls you just implemented are working efficiently, if you need to apply some changes, this is the time to do it. And remember, in security you always need to look at the weakest link, so put the system
    Continue reading "The NIST way (a brief description of the NIST Risk Management Framework)"

Setting up SSH keys

--Originally published at Surviving CS

SSH keys are another type of security that you can use in order to authenticate yourself in a server. They are plane easier because you don’t have to remember a complex password.

Using a public key over a password provides some benefits:

  • Cryptographic strength that an overly complicated password can’t match.
  • Automate the process for sign-on.
  • No interactive login.
  • They check your identity via a private key.

The crypto keys use a private-public key schema, this way if someone is trying to perform a man in the middle attack it won’t work because the keys can’t be intercepted.

SSH keys works the following way:

  1. In order to access a server you need a key to access this information.
  2. Only those who can access the information can have an authorized key that will grant access to the server.
  3. The user who has permission to access the server will use his/her private key to unlock the server.
  4. Each authorized key has a corresponding private key that can unlock the server.

ssh-key-authentication-1441x970-6_knr0l6

Setting up an SSH keys

For this exercise I will be using Cloud9, Github and Heroku. The keys we are going to create will authenticate us and permit our virtual cloud9 computer to communicate with the Github servers. Then we will add those keys to Heroku in order to authenticate us when we perform a deploy to the server.

To create a key you need to type the following command in your working directory, this will create our key.

cat ~/.ssh/id_rsa.pub

After the key is generate, copy that content to your clipboard and add it in the github settings.

Screen Shot 2017-10-25 at 3.39.18 PM

When this is done you can add those keys to Heroku

 heroku keys:add 

You will get a similar output

Screen Shot 2017-10-20 at 12.20.05 PM


Post not authenticated

--Originally published at Error C2129: static function 'blog(void)' declared but not defined

Authentication refers to the process of ensuring that the user that wants to access a system is who he says he is. Proper authentication is a major concern in today’s world. When it comes to keeping some of the most confidential information safe from prying eyes, passwords simply don’t cut it anymore. There are 3 characteristics of users that allows proper authentication to become more secure:

  1. What you know
  2. What you have
  3. What you are

This simply refers to things that may be used to make sure that you are whom you say you are. The first is pretty simple and straightforward, it’s the basis of password technology. You, as the real user, know some sort of hidden information that is only known to the party you are trying to communicate with; you say what you know, and then there is no doubt that you are yourself. The second is the basis of key and lock systems, you possess a certain item that, again tells another party that you are whom you say you are. However, both of these points have the major flaw that what is known and what is had can be things that can be “stolen” from the real user. Passwords may be stolen, and keys, too. That’s why there has been such an important push towards creating security systems with the third point in mind: what you are. Through biometrics, there is a higher guarantee that the person is whom they say they are. Whether it be through a fingerprint, retinal scan, or otherwise, these are things that are extremely hard to imitate. Sure, there are always cases where coercion may still be used to “authenticate” unwanted users, but at least it’s a step in creating more secure systems.


Security on the web (User Perspective)

--Originally published at Surviving CS

On this post I’m going to focus on free wi-fi because any wireless network that can be accessed by anyone comes with any number of security risks.

The risks

You access a free wi-fi because it comes free, no authentication needed to establish a connection. This makes it desirable for for hackers because they can access any device that is connected to this free network.

One threat is known as the Evil Twin where the hacker position himself between you and the hotspot so instead of talking to the hotspot you create a connection with the hacker. The hacker can now monitor your activity and every bit of data you send is being received by the hacker instead of the hotspot.

Another popular threat is Man in the Middle where the hackers can hijack your connection and then redirect you to webpages that force you to install a software that contains a malware. This webpages are disguised as system updates or pop-ups that tell you that you just won a prize.

The solutions

What is the best way to protect yourself against this type of threats?. Some of this security tips can get you started:

  • Don’t use public wi-fi to access financial institutions, shops or other sites ever.
  • Implement two-factor authentication in any website that has it or where you have sensitive data, so if your password gets stolen they won’t be able to log in because they need another piece of code to access your data.
  • Use a VPN (virtual private network) to encrypt your data and create a network within a network.
  • Keep wi-fi off when you don’t need it or turn off the automatic wi-fi connection so your device can’t connect automatically to hotspots.
  • Only visit sites that are secure with HTTPS.

 

net20security20fpga


The Cuckoo’s egg

--Originally published at Surviving CS

Today I’m going to talk about a book, is not a hard topic but I found it interesting because it’s about a hacker, security and passwords.

The Cuckoo’s Egg is a tale of computer hacking and espionage, the author was an astronomer at Lawrence Berkeley Lab, suddenly the money for his department ran out and he had a choice to develop programs for those astronomers who still had grant money or unemployment.

The choice was clear, he started developing a program to keep track of computer usage and almost immediately he discovered a 75 cents error that was assigned to a user who didn’t have a valid address. The real problem was here, the computer at Berkeley were networked to other military and scientific computers. His investigation drew him into a rabbit hole, he involved a lot of three-letter agencies and he had to deal with a lot of bureaucracies.

The threat was real because the hacker could access to sensitive information that could threaten the national security in the USA. Despite that this was published around the early 90’s, the damage a hacker can do and the need for MORE secure passwords is valid today as it was back then.

Probably we don’t have military or scientific secrets but we do have private information that we wouldn’t want compromised. So this tale stands valid today and I can bet it will be valid in the future.

 


Risk Management Framework

--Originally published at Error C2129: static function 'blog(void)' declared but not defined

Look, it couldn’t be any simpler. You get a system development life cycle, you mix a bit of predetermined risk management and security measures, and bam, you suddenly get a risk management framework.
That’s basically the gist of it. Any questions? What’s that? There actually is a question? (I wasn’t prepared for this?) What is it good for? Well, I’m glad you asked. A risk management framework is a simple way of implementing risk management and security into a software’s life cycle. Too many a times we tend to forget to take care of ensuring that our software possesses both of these. Additionally, it’s a very simple framework, as we can see from the following image:

500px-risk_management_framework-svgMost of the process and steps are fairly straightforward and logical, however, they’re not something amateur software developers are constantly keeping in their minds. It takes a true software development team manager with years of experience to keep these steps in mind through the entire process.
A general overview of this framework would go something like this…

  1. Categorize the system you’re developing – knowledge is power
  2. Select the appropriate security controls – take into account what your system is
  3. Implement the selected security controls – go ahead and put them to use
  4. Assess the implemented security controls – make sure they’re actually doing what they’re supposed to be doing
  5. Authorize – once you have shown that these controls work and are what you need, authorize them
  6. Monitor – make sure you keep and eye out for any problems that may arise

Again, this is a cycle, so this is technically a process that will keep taking place during the entire process, and depending on the degree of confidentiality that is required when handling users’ data, may be a process that has to be

Continue reading "Risk Management Framework"

Sending an encrypted message

--Originally published at Surviving CS

For this tool we are going to use Keybase.io.

Keybase let us encrypt and decrypt a message an sent it to other keybase users. I plan to sent a message to my friend Toatzin.

Screen Shot 2017-10-12 at 6.55.34 PM

To encrypt the message I only need to sign it and then write my passphrase in order to complete the encryption. Once the encryption is done, the program will provide me with a plain text that I can paste and email to Toa.

Screen Shot 2017-10-12 at 6.58.39 PM

Once is done I can email it to him and he can decrypt it, the reliable thing about signing our emails is that  if someone hacks his email they can’t read it because it has a bunch of random letters and numbers.

Similarly decryption works the same, you receive your signed message and paste it in the decryption box and write your passphrase.

Screen Shot 2017-10-12 at 7.08.54 PM

If you are the recipient of the email you can decrypt the message.

Screen Shot 2017-10-12 at 7.09.46 PM.png


7|-|15 15/\/’7 (|2’/|)706|24|)|-|’/

--Originally published at Error C2129: static function 'blog(void)' declared but not defined

In case you aren’t in with the “cool kids”, the title of this post simply says “this isn’t cryptography” (intentionally sardonic comment).

So what exactly is cryptography? Well, simply put, cryptography is the study or the attempt to ensure secure communication between two or more parties, in the presence of unwanted “adversaries”, as they are sometimes referred to. In short, cryptography tries to keep a line of communication by hiding the information that is transmitted from anyone who is not directly involved with said communication.

As such, cryptography has come a long way. In its most basic form — which is encryption — cryptography has been present for what seems the longest time. 2,000 years ago, encryption was practiced and utilized by Julius Caesar himself, through a simple “alphabet shift” method which, although it is far from safe nowadays, provided an excellent way to keep communication safe back in this era. Other great examples of encryption include the good old Enigma machine, developed by the Germans, for use during World War II, amongst many others.

unnamed
Famously known as the Caesar Cipher, one of the earliest encryption methods

As I said, though, cryptography is more than that now. Now, the advent of the information age, and the attempted attacks and sensitive information that is handled on the web have forced security experts to focus on other factors, aside from encryption. Today, it is not only important to take into consideration how you cypher your data in a way that remains hidden from unwanted parties, but it is also important to take into account how the parties that are supposed to look at the data are going to cypher and decypher said information. It has even become imperative for the development of safe cryptographic systems to rely on complex mathematical knowledge.