Monday, November 27, 2017

Make Your Online Identity Safe Again (10) - I Will Tell You A Secret.

The confidentiality concept of the app is also very important. The user must feel that we are respecting their privacy; he/she has to feel protected and that his/her information will remain secret from the rest of the world. It is true that you leave a trace when you are on the Internet; deleting your browsing history will not erase the fact that you entered a website. Imagine that your trace is like walking on wet cement: your steps will stay there forever.

But that is way different from keeping confidentiality. Privacy is helping the user to feel comfortable taking those steps, knowing that only trustworthy people can see them. At the end of the day, we have to walk to make our lives worthy.

We encrypted the footsteps, so if anyone tries to look through them, they will not see human footsteps; they could end up seeing pterodactyl steps or something like that. The kids and the teachers will have access to the app by using their IDs and passwords, and we'll have a backup of the information, saved under key.

I really hope my analogy helped you understand confidentiality a little better.

Make Your Online Identity Safe Again (9) - Open and Free.

Ken asked us to take a picture of what open meant to us. I believe that the Internet is the most open door we have. It gives us the opportunity to express ourselves and to research any topic in the world. The problem with a door being open is that you can pass through it both ways, so let's be careful when entering it.



Make Your Online Identity Safe Again (8) - On Data Integrity

We'll start this post by defining what data integrity is. It is the maintenance and assurance of the accuracy and consistency of data over its entire life-cycle. It should be considered a critical point in the design, implementation and usage of any application which uses data (a.k.a. any system).

We ordered the information we're managing by using a relational database, MySQL. Our system in general is pretty simple: we used JavaScript to fetch all the information, and we used a linear regression algorithm to predict some possible outcomes of the students. Our database is pretty simple. We just have the names of the students, their passwords, school numbers, birthdays, their past grades and the results they might achieve while playing the game. The primary key is their school number. We won't actually show that to them, because we think that they could forget it.

We made the sign-in very kid-friendly. They will be able to sign in by using their names and a password that will not be posted here (haha). As I've written before, all the information is mounted on an Amazon Web Services server.

I really hope no one tries to attack our software, but if they try to, it won't be easy for them.

Make Your Online Identity Safe Again (7) - Application of computer security to STATs

Computer security is defined as the protection of a system from damage to and theft of its hardware, information and software, as well as from the wrong usage of the service that it provides. This includes physical security from people such as actual burglars, and protection from cyber attacks and viruses. The IT team is also in charge of protecting the information from accidental leaks.

As of today, our project Misión: Marte is all mounted on AWS. We are putting our trust in that provider, so we really don't have much say in the physical security of our information. We chose this server because we know it is trustworthy.

As for the protection of our software, we decided to encrypt all the information, because we wouldn't like it to be easily accessed by someone without our permission. We have also created different privilege levels, so not everyone can see all the information. We wouldn't like a student to be able to see the progress of another student; it wouldn't be useful.
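The privilege levels described above can be enforced with a server-side check like the following. This is an added example, not the project's own code: the record fields, the `teacherId` link between teachers and students, and the sample data are assumptions made for illustration.

```javascript
// Added illustration; record fields and teacherId are assumptions, data is constructed.
const progress = new Map([
  [1001, { teacherId: 'T1', results: [8, 9] }],
  [1002, { teacherId: 'T1', results: [6, 7] }],
  [1003, { teacherId: 'T2', results: [10] }],
]);

// Deny by default: only the explicitly listed cases return true.
function canViewProgress(user, targetSchoolNumber) {
  const record = progress.get(targetSchoolNumber);
  if (!user || !record) return false;
  switch (user.role) {
    case 'student': // a student sees only their own record
      return user.schoolNumber === targetSchoolNumber;
    case 'teacher': // a teacher sees only students assigned to them
      return user.teacherId === record.teacherId;
    default:
      return false;
  }
}

// `sessionUser` must come from the authenticated session on the server,
// never from a field the browser sends along with the request.
function getProgress(sessionUser, targetSchoolNumber) {
  if (!canViewProgress(sessionUser, targetSchoolNumber)) {
    // Same answer for "forbidden" and "does not exist", so school numbers can't be probed.
    return { status: 404, body: null };
  }
  return { status: 200, body: progress.get(targetSchoolNumber).results };
}
```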

As for protection from malware, we decided to update all our libraries. We are using Phaser JS for the development of our app, and we were using an older version that was very well documented, but we decided that safety came first, so we moved on to the newer one.

We found out that our application can be accessed through mobile as well, so we are taking advantage and covering the risks that this improvised feature might bring us.

Make Your Online Identity Safe Again (6) - Applying the Three Goals and Golden Rules.

I was chosen to become a part of the first Semestre-i of ISC at the Tec de Monterrey Campus Guadalajara, and at the same time, the Security course was proposed to be one of the pillars of the project. Right now we're developing a web application for a primary school. The aim is to help them reinforce the math course they take with their teacher, by using a computer lab they got at their school.

When we discovered that we were going to work with actual information of REAL kids, we decided to up our game and we tried to develop an app that is as safe as we could possibly make it. We updated the JavaScript library we were using (Phaser) to its newer version, even though it is not very well documented, just to have our frameworks updated.

We reduced our risk of losing the information by having the information on an Amazon Web Services server, encrypted by the library PassportJS and in a MySQL database. And I know it is not likely for our app to be attacked or mined, but we like to keep our data safe!

We also made a Terms of Service document and a Privacy Policy. We are thinking big! Right now it is a social project for one school, but maybe in the future it could grow. Right now you can access it, and it is available at www.misionmarte.net thanks to our friend Edgar Javier (a.k.a. Killua). All the information is in Amazon Web Services.

We haven't had integrity problems, but I will dedicate a blog entry just to that, so we'll leave that topic for now.

This blog entry is part of a mini series called: What we did on semestre-i on the topic of security.



Thursday, November 23, 2017

Make Your Online Identity Safe Again (5) - My Necessary Post On Net Neutrality.

I know I'm not American, and that this doesn't affect me right now but when it comes to politics and services Mexico likes to copy the practices of the USA.

As far as I understand, right now the Internet is protected by the US government, and when you get a service, no matter which one it is, you will have access to all the sites no matter who is the owner of the site or what content it is displaying, and your service provider cannot interfere with it.

The Net Neutrality War has been fought several times in the past, but now more than ever it looks like it is going to die. I will leave a link to a video where the whole topic is better explained, and let's hope this doesn't escalate. It would be a very sad day for the Internet.


Wednesday, November 22, 2017

Make Your Online Identity Safe Again (4) - Let's see how you get past this!

Recently Blizzard gave us an animation that inspired the name of this blog entry. The character Mei is an interesting data analyst who hyper-slept for 0 years. I'll leave the link to the video at the end of the post. It is worth watching.

So we're gonna talk about authentication. Right now there are only 3 ways for a computer to know that you are IN FACT you. Apple has given us a lovely example of this with their new iPhone X.

The most common way to authenticate is by testing the knowledge of the user. This can be done by asking for a password, as Facebook does, or a PIN, as an ATM does. By asking the user for a specific piece of knowledge, the application can entrust some rights to the person trying to access it. That's why it is so important for you NOT to share passwords, and for them to be very unrelated to you.
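One way a Node.js back end can check this knowledge factor without keeping the password itself in the database is to store a salted, slow hash and compare in constant time. This is an added example, not code from the project described in these posts; the record format and function names are assumptions.

```javascript
// Added illustration using Node's built-in crypto module; the stored format is an assumption.
const crypto = require('crypto');

const KEY_LEN = 32;
const PARAMS = { N: 16384, r: 8, p: 1 }; // scrypt cost parameters (Node's defaults)

// Returns the string to store in the password column instead of the password.
function hashPassword(password) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new TypeError('password must be a non-empty string');
  }
  const salt = crypto.randomBytes(16); // fresh salt per user: equal passwords give different records
  const key = crypto.scryptSync(password, salt, KEY_LEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('hex'), key.toString('hex')].join('$');
}

// Recomputes the hash with the stored salt and parameters, then compares in constant time.
function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], 'hex');
  const expected = Buffer.from(parts[5], 'hex');
  if (![N, r, p].every(Number.isInteger) || expected.length !== KEY_LEN) return false;
  let actual;
  try {
    actual = crypto.scryptSync(password, salt, KEY_LEN, { N, r, p });
  } catch (err) {
    return false; // malformed parameters or a non-string password: treat as a failed login
  }
  return crypto.timingSafeEqual(actual, expected);
}
```

Because the cost parameters travel with each record, they can be raised later and old records still verify.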

The next method is a little bit more secure, but it can actually be more problematic as well. At Walt Disney World, there is something called a Magic Band. It is a bracelet that every member of a family must wear throughout their stay. The parks react to the band, so they can give you a more personalized experience; you can also access the parks and your hotel room with it. You can even connect your credit card to it and pay for food and souvenirs inside Walt Disney World with it. The system knows who you are, and gives you access to everything you paid for within easy reach of your wrist. The big problem with this is that you COULD lose your Magic Band and someone COULD access your room, park tickets, and credit card without your authorization. Credit cards in Mexico work like this as well: if you have an account, you just have to have your card with you to make a transaction. If you ever lose your Magic Band or your credit card, report it immediately.

The third method you can use for authentication is something you CAN'T lose: your own self! Apple started using Touch ID a while ago, and now with their new iPhone X, they are using Face ID. That's right! If you want to unlock your phone, you just have to look at it and it will recognize that it is you. Awesome, right? Well, Apple claimed that the chance that someone who isn't you unlocks your cellphone by Touch ID is 1 in 50,000, and by Face ID it is 1 in 1,000,000. There is room for error. If someone wanted to go through your iPhone X, they could even print a 3D scale model of your face and use it to unlock it.

My point is that there's not one final or best way to authenticate. We just have to protect our data as much as we are able to, and we also have to be ready for the worst-case scenario.