jueves, 3 de mayo de 2018

Clean your shoes before entering the house.

Data sanitization is a simple yet effective tool to preventing attacks. What kind of attacks? you may ask, well many, but all can be summarised as code injection.

In web applications you may encounter with a form, any form, that lets you write whatever string and maybe do something with it, display it as a comment, save it in the data base, send it as message, etc. But lets say that instead of jut plain text, I write a piece of code, and if the input isn't sanitized the page will run that code, and the results can be disastrous. Let the people at computerphile explain it better: 
there are quite some kinds of code injection but here as the most common ones:

SQL injection: As the name indicates, is meant to attack SQL databases, adding sql scripts to the un-sanitized input can result in the database running said queries and returning data that should be read by the user. More info.

Javascript and HTML injection: By adding Javascript and HTML code to un-sanitized inputs can cause the browser to run and make the page behave in unwanted ways, this can potentially affect other users ass well. More info.

A simple solution to this problem is input sanitization, it cleans your inputs so that malicious code can't be written into it. You can do this by preventing certain characters or sets of characters to be typed in your input. Maybe banning the single quote or the <> brackets. The people at eSecurity Planet wrote a very in depth article on how to protect your web applications using code sanitization, there are many things you can do. Since HTML5, input type can be added to any input tag, and that can be a small step into making sure that the incoming data will only be read if it is of the specified type, like email or phone number.

But as teacher Ken always says, never roll out your own security, is best to implement good libraries that you thrust to add input sanitization to your page, for example if you are using PHP you can filter inputs using GUMP. There are many good tools out there, just make sure that you fully trust the said library, and don't add things you don't know to your code just like so.

jueves, 5 de abril de 2018

A self driving conundrum.

The other day I was coding a web page, I was using the framework Vue, you don´t have to know what Vue is to understand this next part, the only thing you have to know is that with Vue you need to program things differently, so I was making a button to simply change the page and it was giving me difficulties, so I coded this:

<a class="d-block mb-4 h-100" href="#" v-on:click="change_page"></a>
Thing is, I tried and I tried and I just could't get it to work, Thats when my friend told me to delete href="#" because I didn't need there, it was less than a line of code yet it was the source of all my problems. The point that I'm trying to make here, Is that we all make mistakes, and small things like that can be overlooked. Maybe this one time it was only a button on a web page, but other times it can be more critical things, and mistakes like that can literally life threatening. Take for example the launch of the Mariner I rocket by NASA, it exploded mid flight because the person coding into the computer forgot, or missed really a hyphen. This time the where no astronauts on board, but in other cases, simple errors, coding poorly, or even just bad practices can result in a deadly situcions, take for example the case of the Therac-25 where bad practices by programmers caused the death of multiple hospital patients.

I write all this to bring an interesting topic into the table, we, programmers, have way more responsibilities in our hands that we may think. Recently, a self driving car accidentally hit a person, this is the first time a pedestrian dies due to an accident with a self driving car, even doe it is impressive that so little casualties where caused by the technology, it is still a tragedy. But more information has been revealed about the incident, people like to say that this scary new tech is to blame, but footage of the accident (that I'm not gonna link put of respect for the victim) shows that the victim was jaywalking in the middle of the dark road. So there is a chance that the cars sensors couldn't react fast enough. But what if that wasn't the case, this is where the conundrum part of the title comes into play, could it have been, by any chance, that the vehicle's sensors did detect the approaching pedestrian, computers are better at seeing things after all, thats what they where built to do. Someone has to take the blame here, there is always someone at fault in a traffic accident, if not all. However, if the sensors did pick up the person crossing, this would be a mistake not made at a split second, but actually months ago, or whenever the code for the car was made, it would be another example of a deadly error, something overlooked, and in that case the tech company is to blame. 

Self driving automobiles are the cause of excitement and fear. It can be the solution to all our traffic problems, it offers great benefits, but many people get anxious about the subject, and I hear them, cases like the one discussed above can be very worrisome. And then have the ethical dilemas, the following Ted-Ed video describes this hypothetical situation, that, even if its just a thought experiment, its important to take into consideration when we are building the tools of the future.

(The ethical dilemma of self-driving cars - Patrick Lin)

We have to think about all this cases and their outcomes when building the tools of the future, we cannot be thorough enough, and as security is concern, perfection is impossible. As we talk about security we cannot risk it being to confident, if people can hack into just regular cars that are out today, what could they do to automated cars that rely so much in their software and the internet. This is why we have to be smart about the stuff we develop, not just cars, we have to update constantly to be ahead of the curve, protect our systems using layers, have good coding practices, protect software AND hardware, etc.

When discussing the topic in class a classmate asked if we are ready for fully automated cars? My I think that we are never gonna be, so we might as well start using them now. Maybe not this right moment, but, like with any new technology, we will start solving the problem as we get there, there are many hurdles that we don't even know we have to jump, issues arise as we approach them. What do you think? Are we ready for an automated world? Should we move on with the self driving cars? Or should we wait? Or maybe don't have self driving cars at all, too much risk? 

Whatever the future may be, If we learn from our mistakes I can be confident it will be great. 

domingo, 1 de abril de 2018

Cryptography & Encryption: a secret language.

The internet came to change our lives, no doubt about it. We communicate more and more frequently thanks to it, in fact more than 60 billion (a thousand million) messages are sent through internet apps each day (source).  Adding that to emails and other forms of communication, thats an astounding amount of data flowing through the internet's tubes. And that data may contain any sort of information, important dates, pictures, banking information, addresses, sensible stuff really. So how can we get that data protected? because when its out there, it is out there. Thats why we have encryption, a way to cypher our data so only we can access it. Image translating all your messages into a secret language that only you and the person receiving the message can understand. Thats what encryption is. John Oliver of HBO's Last Week Tonight made a very funny video explaining encryption in layman terms (adult language warning). Computers have settings to encrypt your disk, and manny apps like Telegram and Whatsapp encrypt messages automatically. 

To understand how encryption works I did a small Caesar Cipher code in python, check it out. But Caesar Cipher only shifts letters around by n number of places, so its not very secure, to prove it I coded a message with my python script to try to challenge you, the reader, to try to decoded: 

The coded message is: qzodkbfuaz ue hqdk uybadfmzf fa wqqb kagd uzradymfuaz bdafqofqp rday efdmzsqde 

The spaces in the words can be a dead giveaway, leave a comment if you could figure it out. You can potentially use my script to try to crack the code. 

In real life the encrypting methods aren't so simple. Most common used method to encrypt our messages is by the Public & Private Key Cryptography method. The people at Computerphile made a quite detailed video explaining how it works.

Encryption and cryptography protects our data from any third party trying to use it for any sort of reason. When a third party, an attacker, is reading the messages that are being sent through a channel like the internet, thats called a Man in the middle attack. If messages are encrypted the attacker will only be able to read a bunch of random letters and symbols, thats why it has to be hard to decode. 

So try to figure out if your data is being protected by encryption. 

jueves, 22 de febrero de 2018

Phishing phish.

Phishing refers to the act of masquerading as a company or institution in order to steal information, such as usernames, passwords, and credit card details.

I presented this subject in class, and to be honest is quite a tricky one. The interesting thing about phishing is that, even if it occurs within the different communications technologies, the attacker doesn't actually need any technical knowledge about technology. The attack happens at a human level, so the attacker doesn't need to be a hacker per-se, they'll just send you an e-mail, pretending to be a company or something, saying that something is wrong with an account of yours, and they need your password to fix it. As easy as that.

The more intricate phishing scams will require technical/hacking skills, like hosting a fake websites online, with a url that's almost indistinguishable from the real deal (only different by a couple of characters, they added 'the', different extension, etc.), where users "log in", or at least they think they do, and actually give away their credentials to attackers. A recent example is what happened with the giant company Equifax because, not satisfied with having a massive security breach, they linked on Twitter to a phishing site. If a large company can be fooled, what about the rest of us. Thats why we always check, and double check the URL var.

But examples like the one above are just the tip of the iceberg, as I wrote above, attackers don't need to be technical experts, they just need to get in contact with you through an email, social media message, even phone calls.  We need to smart about protecting ourselves, if you someone approached you on the street asking for your email and/or password, even if he/she claimed to be from your bank, will you actually give them? so why should we trust an email.

There are many kinds of phishing:

  1. Phishing, or wide net phishing, is basically what I described above. Attackers target many people, usually using automated systems to send mass emails. Attackers can get a hold to your email address when massive databased are leaked. Attackers may address you as 'dear costumer' or some other general way.
  2. Spear Phishing refers to a phishing scam specifically directed at you. It's creepy, attackers will know information about you, social media is a main source, they will know your name and whatever other information about you is out there. Juan Martinez wrote a very in-depth article in PC Magazine that you should read. Spear Phishing attackers tend to target public figures, but anyone can be phished, so better be careful. 
  3. And perhaps the creepier of all, Cat Phishing. This can be horror story territory. Like Spear Phishing, Cat Phishing targets an individual person, but instead of disguising themselves as a company, attackers pretend to be an individual, someone who wants to know you. This attacks can happen through social media, but the real 'phishing pond' is in dating websites and apps. By using fake name and pictures, the lure victims into an illusion of connection and trust, and what happens next can go in very different directions. Best case scenario is that is just some person trying to get a date by pretending to someone more attractive, but it can get much worse. The'll ask for pictures that can later be used for blackmailing, meeting these people can lead to kidnappings, and much worse things, crimes that I'm not gonna write about in this blog, yes, it is that bad. Ellen McCarthy wrote an interesting piece on the Washington Post where you can learn more about Cat Phishing. 
Phishing isn't an attack that is done with malware, so anti-virus and anti-malware are of no help here. Its almost imposible to prevent you from getting a bad email or message, so you'll need to learn how to spot it and don't get caught. There is a very nice guide in The Guardian that shows tips for spotting Phishing, Microsoft also published some good pointers on the subject. But the Cliffsnotes version is: if it looks fishy, its probably phishing, look for typos, spelling and other errors; never follow randoms links; check with the official companies separately. 

 This hyper-connected world has brought us many blessings, but also many ways to put our security on the line. We need to stay alert, be smart, and don't get caught. 


Dredge, Stuart. (fri Jun 6, 2014). How to protect yourself from phishing. The Guardian, website: https://www.theguardian.com/technology/2014/jun/06/how-to-protect-yourself-from-phishing-attacks

N.A. (N.D.). Phishing. Wikipedia, website: https://en.wikipedia.org/wiki/Phishing

miércoles, 7 de febrero de 2018

Your computer has been kidnapped.

The government of {{Insert current location country name}} has found {{Insert illegal material}} on your computer, please pay the fine of {{Insert ridiculous amount of money}} to regain access to your computer. 

Kidnapped!? Really!? Yes. Thanks to this thing called Ransomware Internet pirates and other evil doers can lock all information on your computer, encrypting it so you can't use it. Now you have to pay them an amount of money to regain access to it, or say goodbye to your precious data. 

As explained above, a Ransomware attack targets your computer and encrypts various files and folders in your computer, rendering them useless. You can get attacked by it if you'r computers gets infected with a virus or you run a malicious script, the attacker hides the code as an e-mail attachment, a link on an infected webpage, videos on iffy pages, system updates, etc. Not very different than other kinds of attacks. But what makes Ransomware different from other kinds of attack is that, while others may just want to ruin your computer or steal your info, Ransomware will actually ask you to pay the rescue, and paying doesn't warranty that your information won't be copied or/and stolen, it doesn't even warranty that it will be released. 

Many times they will mask the attack as a sort of government issued computer search-warrant, claiming that illegal material has been found in your computer, and that you have to pay a fine to regain access to your machine. 

So, how can I protect myself?
  •  Anti-virus, Anti-malware all the way. These are the main ways that ransomware gets distributed, so try using these layers of protection.
  • Don't click random links, check the address to see if its a site you thrust, hover (without clicking) the mouse on the link to see if the address matches the text displayed, or simply browse manually, go through google to find stuff.
  • Don't open email attachments, specially if its from people you don't know, only open things that 100% sure its safe. Now days there are plenty of ways to share files, so be careful of what you download. 
  • BACKUP REGULARLY. In the case that you do get attacked now you know that your data is safe and sound, so you can do a reboot of your machine, make sure you wipe it clean of any malicious software and re-install from the backup.
It's important to never pay what they ask for, we don't want to encourage this kinds of attacks. Thats why we always need to backup. If you don't have a backup it may be better to loose the data, yo never, NEVER want to pay an attacker, so if you manage very important information you need to back it up.

martes, 6 de febrero de 2018

The life and death of Aaron Swartz and why it matters. Part 1.

Aaron Swartz at Boston Wikipedia Meetup, 2009-08-18
Aaron Swartz at Boston Wikipedia Meetup, 2009-08-18
(From Wikimedia Commons, the free media repository)
A couple of classes ago we saw the first half (and a little more) of the 2014 documentary feature "The
Internet's Own Boy: The Story of Aaron Swartz", directed by Brian Knappenberger. And, for a millenial that spends most of his time online, and is studying a mayor in computer sciences, I´m guilty, like many others, of not knowing who Aaron Swartz was. And, let me tell you, he was a pretty big deal.

As soon as the film starts I was ready for not liking this guy, he was a gifted boy genius, heavily opinionated and responsible for the creation of Reddit (a page that, to put lightly, has image problems). People with that profile usually score low on the likeability scale, they can be read as pretentious and hard to connect to in a human level. But I was pleasantly surprised that I was dead wrong, yes he was heavily invested in his work, but also he cared a lot about the PEOPLE who surrounded him, and how his work affected them.

You see, Swartz was quite a pioneer of the modern internet, maybe not a founding father per-se, but his work went from RSS, a page that can be best described as a pre-Wikipedia, and the aforementioned Reddit, all at a very young age. Swartz was all about sharing information, his brothers, interviewed on the film, mention that, apart from computers, he had a passion for teaching. He will explain what he learned at school to his brothers, he will read the entire textbook before class, he will spend his time toying with cd-encyclopedias, he wanted all that information to be accessible to the world, and he saw in the internet a way to do so.

Swartz ideas of a free open access to information are what really propelled him as a public figure, he became political, and his movement is synonymous with progressiveness. Net-neutrality, witch is still being endangered by the way, is one the things that we can thank people like Aaron for. Even doe I personally don't advocate piracy (I'm pretty much for supporting the artists and creators) I can see why the current models can be advantageous to corporations and bad for regular consumers thats why Swartz turned a blind eye (sometimes even encouraged) piracy. I was reading a Pitchfork article that mentioned Swartz about the subject and I can see why his ideals where becoming as radical as they became.

He challenged the system, he took it to himself to free information, which put a big target on his head. Giant information companies, and governments even, hated Swartz, hated him because they saw in Swartz movement a threat of losing money from their greedy hands. This lead to his arrest in 2011.

Join me in part two, in which I'm going to talk about the second half of the film and will go in depth about the political aspect of his life, the trials, and his legacy.

lunes, 15 de enero de 2018

Simple stuff you can do to be safe.

1. Allways stay updated.

  • Be sure to turn on auto-updates for Operating System and apps.
  • Host Operating System as well as other Host Operating System.
  • Applications (mobile and also on computer, drivers, etc.)
2. Ecrypt Data.
  • Modern Phones, Macs and most Linux have it by default, check that it is on anyway. 
  • For windows users u can use other tools like Veracrypt (Make sure that you have a backup first). 
3.  Have an antivirus and anti-malware (but don't install two or more, since they might not work properly that way).

4. Passwords.
  • Have safe passwords, no "password", no "12345678", no "77777777", etc. 
  • Don't use the same passwords for different things.
  • Consider using a password manager, it can be your computer's keychain or a third party manager you trust.  

SEO test

This is not allowed: this isnt't allowed either:  this is allowed: