It Was a Year Ago

--Originally published at Swedish House Troko

They say the best way not to forget something is to practise a lot. To be honest, after a while everything you know just turns to dust in your head.

I cycle to school every day and I wake up early for the first class. This is something I remember for the Swedish class (for some reason); everything else is something Google can do. I suppose I don't usually know what I am saying when I translate something in the app. I talk about everything except what I want to talk about.

Finally, I just want to tell the world (which is a few people, since nobody here speaks Swedish) that I love my country, but there are so many problems that I just want to get away.


It Means Danger

--Originally published at Internet: LA comodidad por delante

We have come to the end of this series of posts, and I would like to recap the most important point I have touched on in each of them. Security depends more on yourself than on others. This follows from the second point I have made: people care more about their comfort than about their security.

That is why it is so important to know both why and how to protect yourself. These two would normally be mutually exclusive: what use is knowing one without the other? In case you do not remember, here are some of the things I would have liked to stay in your minds:

  • If it is not encrypted, that means danger
  • Protect yourself using VPNs
  • Look into whether a provider protects your password properly
  • Do not reuse passwords
  • Trust no one, always stay alert

If any of these things stayed tattooed in your mind, I would say I achieved my goal. Remember that although comfort is very tempting, it is deceptive and not always your friend. Security, on the other hand, will keep you a little calmer and more at ease.

Better safe than sorry.

Who Will Do It?

--Originally published at Internet: LA comodidad por delante

As we approach the end of these blogs, we have always seen one constant: there are always vulnerabilities. No system is completely secure. Whoever says otherwise either does not know what they are talking about or is lying through their teeth.

If nothing is secure, what can we do then? Cry? It sounds tempting, but above all it is about doing what we have been discussing. Just because a system is not completely secure does not mean we will not protect it from the threats we DO know about. And just because it is protected does not mean we will trust its security completely. The conclusion is to trust no one and never become complacent.

It is always necessary to be one step ahead and to define what could happen, both as a user and as a developer, when using and providing network services. Always think about what could go wrong and what weaknesses the system has. And, much more importantly, once they are discovered, how to close the holes. Otherwise the blame, the error, falls not on the attacker but on the inaction of knowing something is wrong and doing nothing.

In conclusion, trusting no one, and not blindly trusting security either, is key to developing and browsing safely on the web. If we do not care about security, who will?

Browsing Safely

--Originally published at Internet: LA comodidad por delante

We have all seen the famous WhatsApp message saying that a conversation is encrypted. Surely, when we first saw it, we all wondered what it was and whether it was really necessary. Why did WhatsApp want us to know? Do we really care? The truth is yes, very much. Encryption lets the communication between two devices stay secret. It is like speaking in code so that nobody listening in can understand the conversation. The sender encrypts the message before sending it, and sends it. The receiver decrypts it in order to understand what arrived.

However, if the person listening knows the key, they can decrypt the messages. Through trial and error and with enough time, any key can be discovered. So what use is encryption if the codes can be cracked? It is worthless then, right? The answer is yes and no. Modern encryption protocols generate unique keys for each conversation. This unique key is so complex that it would take a very long time (possibly many, many years) for someone to crack it. By then, the conversation will long be over.

The problem arises when people transmit confidential information through unencrypted websites, applications and networks. For example, if I go to a website without encryption and enter my username or password, anyone examining the network could see what my password is. The problem is not that people do not want their information to be safe while browsing, but that many do not even know this exists. If they do not know, how do we expect them to know how to protect themselves?

Among the different ways one can protect oneself, the first of all is not to use public networks. The WiFi offered in public places is NOT encrypted.

Security and STATS (not security stats)

--Originally published at Alfonso reviews…

I know this is not the way to start a blogpost, but this post is going to be a long one, and yes, you’ll get a potato.

You may or may not know what I mean by STATS. For those wondering, STATS is a project I have been working on for the last 15 weeks, and it involves a web app, elementary school kids, and math.

Basically, at the start of this semester, when creating my schedule, all my subjects were gone, and I got this notification saying, "Do you wish to register the STATS package?" and I thought to myself, "Do I get to choose?" Long story short, the answer was NO, and I ended up in an interesting way of learning and developing as an ISC. No homework, no exams, just us developers and the project at hand. That was the promise; some teachers respected it, some others didn't, but that's another story.

My team, which I think is the best team I've ever worked with (if you guys are reading this, thanks for this semester), and I decided to make it happen, and we created a web app featuring the adventure of a spaceship on its journey to the Red Planet, math here and there, and funny stuff.

The app's intended audience/users are kids in elementary school, and their respective teachers as administrators of the system. The kids would play the game, and we would be collecting data, analyzing it, and sending it to the teachers to help them with their work…

Data… Security… I wonder if those two should be related in any way. Oh yeah, they should be, like father and son, like wolves and the moon, and like that bubblegum in your shoe.

With that being said, let's start our ride on how security

One rule to rule them a… wait… there are three?? (Short talk about Morris’s golden rules and the STATS project )

--Originally published at Alfonso reviews…

I know it’s early in the morning, but I felt like writing a little bit. I had this topic as an assignment in university, and I thought about adding some salt and pepper to it; Bob and Alice always like their food with salt and pepper *wink*.

Obviously I’m not as safe as one could be with Morris’s rules, but I think that by following those three little fellas my life would be slow and boring.

Rule 1: Do not own a computer. Even if I didn’t use my laptop to write, phones nowadays are little computers that send and receive stuff every second, so… I’m screwed.

Rule 2: Do not power it on. Like, for real, people out there, if you broke the first law and you have spent some money on a laptop or phone, and you care about your security, don’t turn it on. It won’t explode (I hope), but who knows who may be looking through your webcam or listening through your mic. Yes, I’m frightened while looking at that thing on top of my computer, hoping it won’t look back at me.

Rule 3: Uhm, yeah… if you got this far, I guess you broke the third rule with me, as it is not to use your computer. Your eyes are not tricking you. Your computer is your door to many places in the outer world, but it’s also a window of opportunity for people lurking for information.

But don’t worry that much; many of us have broken these rules, and we may or may not become a target. But know what you are getting into by using a computer, and if you can, lock the window.

I had so much fun writing this, and I hope you had some while reading it, now

The Big One (that’s what she said)

--Originally published at Error C2129: static function 'blog(void)' declared but not defined

I had thought to make this long blog post by going over every single topic we’ve covered during this semester, then talking about how each of them applies to our semester-i project. However, realizing that that would take up too much space and time, I opted instead for simply listing which security features are implemented within our project, then giving a brief description of how each of these things applies various concepts of security. By the way, sorry for the long preamble; I should just get on with it.

User authentication w/ data encryption – this is one of our main security implementations, especially when it comes to the subject of data confidentiality. Our application has a unique login screen that allows users to sign in to their accounts, utilizing authentication provided by Passport.js, a JavaScript library that facilitates the entire process. On top of this, we have implemented bCrypt to encrypt the data that is stored within our secure database server. This way, even if a user manages to access our database, they will only be greeted with encrypted information that they will be nearly incapable of deciphering without the unique passphrase we used to salt our encryption algorithm.

This baby, along with bCrypt, were two of our best friends

Restricted access – for testing purposes, we had left user registration open. However, in the final application, access will mainly be restricted by a user database. With the information handed to us by the school we are cooperating with, we will populate the database with only those users that are necessary (teachers and students), in order to restrict access exclusively to them.

IP restriction – for purposes of our application, we must keep our server accessible via the internet, which means we must keep our http/https


Welcome to Sweden

--Originally published at Swedish House Troko

Finally, I made the step to move on, grab my luggage, passport and…

Actually, it took me around 3 months to start working on this blog. I still believe I’m the same guy that took that plane from Guadalajara to Stockholm, but, to be honest, I wasn’t hoping to be a different person. The main reason behind this blog is to have a record of my trip through Sweden and Europe: pictures, videos and text to draw a contrast between Mexican life and this new country full of FIKA and bad weather.

Should I improvise these things? Should they be in Spanish or in English? I would love to see them in Swedish, but everybody knows that is never going to happen.

And it’s funny: the reason I have never finished these posts is mostly my laziness. I was hoping to become less lazy in Sweden. Turns out that I’m even lazier than ever.

Security Goals & Golden Rules [Serious title, for serious people]

--Originally published at Error C2129: static function 'blog(void)' declared but not defined

So, here it is, nearly the end of the semester. It’s been a… weird one. A lot of inconsistencies with this semester, but nonetheless here we are.

At the beginning of this semester, we had talked about the three goals we should try to accomplish when designing a system while taking information security into account. These three goals consisted of Confidentiality, Integrity, and Availability; otherwise known as the CIA triad.

You thought it would be complicated?

As we had mentioned before, these three goals are concerned with the following:

  • Confidentiality – refers to the protection of sensitive data. This being information security we’re speaking about, it is easy to see how this can be one of the more crucial goals, but then again, that depends on your application. In our semester-i project, we managed to achieve a decent degree of confidentiality by encrypting the sensitive data of our clients. In our database, we opted to use an encryption algorithm to hide our users’ information.
  • Integrity – refers to maintaining accuracy and consistency in the information we are handling. For purposes of our application, this is the goal on which we focused the least. It is still important, and we guarantee a certain level of integrity through the authentication and transaction methods that we use, but it was not one of our main goals.
  • Availability – refers to keeping constant access to the data. This is the other part of the CIA triad on which we focused for our semester-i project. We guarantee almost permanent availability to all our clients by having our application deployed on two Amazon Web Services instances. This way, our users can access our domain as long as they have an internet connection.

Some authors will refer to certain “golden rules” that we must apply, or follow,


Business + Code of Ethics = Organizational Progress (a guide about what a code of ethics is, and what it should include)

--Originally published at Alfonso reviews…

What is a code of ethics? This is probably the reason why you are here.

A code of ethics is a document in which an organization states its mission and values, so that other people can see the stance the organization will take when problems arise and how the organization is going to approach those problems.

This document also includes ethical principles that follow from the organization’s values. It looks somewhat like a rulebook stating what to do and what not to do while in the organization.

The main reasons why it’s good to have a code of ethics are to guide people in organizational decisions, to make the goals of the organization clear, and to let people know what the organization’s next moves will be.

Usually, a code of ethics is written to protect the reputation of the organization. If, by any chance, a member of the organization fails to follow the code of ethics, the organization can state that his/her behavior isn’t aligned with the organizational goals and code of ethics, and decide what action to take regarding the person involved.