2nd sprint ready to ignite – To-Do week 4

Okay, so I already have my assigned issue for this week. I found quite nice the idea of just having some assigned tasks, not bothering about what I can or should do. Thank you, project manager!

“Milestones” by Professor Bop (CC BY-NC-ND). From https://www.flickr.com/photos/professorbop/2766103746/

This week I’ll be focusing on getting the remote database up and feeding it with levels designed by Gerardo. I estimate it will be an easy implementation, so I guess I will be available to assist any of my partners.

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ


I understand testing now – End of week 3

Okay. 3/15 done.

I felt quite more productive this week.

I finally cracked chai (using mocha) and supertest. It just clicked somehow. Last week was a lot of confusion and then it just… worked. I can’t even remember the process I went through to make it work. Hehe.

“Drone First Test Flight” by Richard Unten (CC BY). From https://www.flickr.com/photos/unten44/9631706311

Part of the problem is that I hadn’t worked with HTTP requests before. I didn’t know what an HTTP mock request was, or if I needed one (after trying a lot I realized that I don’t). In the end I achieved victory. I wrote my description of the tests. I used supertest’s request to assert the main GET request to the server and to check the JSON response of a POST (used to properly load the level).

So I’m happy about that.

After passing the JSON test, I helped Arturo make the level actually load from the JSON. It was difficult, again, because of my poor HTML skills and some poor documentation about which function is the adequate one to make the request, what the headers should contain and how to encode the JSON in the response.
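Since loading a level from the JSON the server sends is the part that gave the most trouble, here is an added example (my own, not code from the blog or from the It’s not raining project) of the two halves of that exchange: the server encoding a level as a JSON response with the right headers, and the game validating the body before it loads anything. The level shape (name, width, height, tiles with the characters `.`, `#`, `~`) and the size limits are assumptions made up for the example; the point is that a body fetched from a remote database is untrusted input, so the loader checks every field and keeps only the ones it validated.

```javascript
// Added example, not from the blog or the project. Level format is constructed.

// Server side: serialize the level and set the headers a JSON client expects.
function buildLevelResponse(level) {
  const body = JSON.stringify(level);
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": String(Buffer.byteLength(body, "utf8")),
    },
    body,
  };
}

// Client side: parse and validate before the level reaches the game loop.
// Rejects oversized bodies, non-JSON, wrong shapes and unknown tile characters,
// and returns a fresh object with only the validated fields (extra keys are dropped).
function parseLevel(bodyText, maxBytes = 64 * 1024) {
  if (typeof bodyText !== "string" || bodyText.length === 0 || bodyText.length > maxBytes) {
    throw new Error("level body is missing or too large");
  }
  let data;
  try {
    data = JSON.parse(bodyText);
  } catch {
    throw new Error("level body is not valid JSON");
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("level must be a JSON object");
  }
  const { name, width, height, tiles } = data;
  if (typeof name !== "string" || name.length === 0 || name.length > 64) {
    throw new Error("name must be a non-empty string of at most 64 characters");
  }
  for (const [label, n] of [["width", width], ["height", height]]) {
    if (!Number.isInteger(n) || n < 1 || n > 256) {
      throw new Error(`${label} must be an integer between 1 and 256`);
    }
  }
  if (!Array.isArray(tiles) || tiles.length !== height) {
    throw new Error("tiles must be an array with one row per unit of height");
  }
  for (const row of tiles) {
    // Each row is a string of exactly `width` tiles: . empty, # solid, ~ liquid.
    if (typeof row !== "string" || row.length !== width || !/^[.#~]*$/.test(row)) {
      throw new Error("each tile row must be a string of `width` characters from . # ~");
    }
  }
  return { name, width, height, tiles };
}

// Constructed sample level used to exercise both halves.
const sampleLevel = {
  name: "Rainy rooftop",
  width: 5,
  height: 3,
  tiles: [".....", "..#..", "~~~~~"],
};

const response = buildLevelResponse(sampleLevel);
const loaded = parseLevel(response.body);
console.log(response.headers["Content-Type"], "->", loaded.name, loaded.tiles);
```

With supertest the same checks would sit inside the `.expect()` callback of the POST test: assert on the `Content-Type` header, then run the body through `parseLevel` and assert on the returned object rather than on the raw text.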

I had fun.

The team, in general, worked hard to improve the gameplay and add functionality. I think a lot of bugs arose during this week’s development, a lot of them just from merging branches. That also consumed work time.

I’m proud of our more professional GitHub usage. Finally, a full team that understands branches and the use of issues… YAY!

Let’s keep it up!

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

Let’s be ethical – Security Blog #3

This is the first time I’ve heard about ethical hacking. Really, it is.

I mean, I knew that there are people who do that. But I never thought they were called that.

So let’s start learning ethically! 😀

Ethical hacking describes hacking done by an entity to help identify potential threats. The hacker tries to get around the security and searches for weak points that a malicious hacker could exploit to cause an information breach. This information is later provided to the companies or individuals so they can fix the issues and minimize future hazards.

Ethical hackers and penetration testers have some perks. They might not reach the levels of adrenaline and badassery of a regular (non-ethical) hacker, but they really do earn a nice economic remuneration and have the nice assurance that they won’t end up in prison.

And how can you become an ethical hacker?

First, you might consider a career or major in IT. You might even study alongside the military (if your country has a program); they could even pay for your studies and offer you a job in security.

You need to get some basic certifications (CCNA) and some more specialized ones (Security+, CISSP or TICSA). While doing your certifications, you should also work in tech support and move up to administrative roles, until you achieve an information security position. At this point, you can apply for the Certified Ethical Hacker (CEH) title from the International Council of Electronic Commerce Consultants.

To hack, network engineering skills are, of course, necessary, but UNIX/Linux, C, LISP, Perl, Java and SQL are also concepts that you need to master. Oh, and let’s not forget about soft skills (as in any other IT job) and street smarts (people skills and a talent for manipulation).

And can you just start hacking after that?

Nope.

Usually, you need express, written permission to probe the network; you must respect individuals’ and companies’ privacy, close everything after testing (let’s not leave open doors for anybody else), and record and report any findings you encountered.

That’s all folks…

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

The CIA Triad – Security Blog #2

No, I’m not going to talk about the Central Intelligence Agency (responsible for providing national security intelligence to the US). This particular triad, which some people call AIC to avoid confusion with the regular CIA, stands for Confidentiality, Integrity and Availability.

“CIA Bitchessss” by Erik bij de Vaate (CC BY-NC-ND). From https://www.flickr.com/photos/mediadeo/5762931134

In general, confidentiality is the property that limits who can access information, integrity is the assurance that information is accurate and trustworthy, and availability is the guarantee that authorized people can reach the information. These concepts form a model to help people think security-wise.

Confidentiality

The purpose of this property is to ensure that every piece of information reaches only the adequate people and that no sensitive information is breached.

To make sure this is done, it is necessary to enforce levels of authorization and authentication for information access, as well as to create categories and collections of information and establish discretion functions.

Some methods used to ensure confidentiality are data encryption, two-factor authentication, biometric verification and security tokens. In extreme cases, air gapping or keeping hard copies of the information is used.

Integrity

The purpose of this component is to protect data from unauthorized modifications, or to make sure that an option to undo changes is always available. Integrity also involves making sure that data is always consistent, accurate and trustworthy.

Some methods used to ensure integrity are typical system file permissions, user access control and version control. Data might include checksums. Backups and redundancy are important to recover from breaches of integrity.

Availability

This is very straightforward. This property assures the availability of the data. All the systems that protect it must be up to provide the information when requested. Power outages and hardware upgrades and failures must be taken into account when designing for availability. Attacks of the DoS and DDoS kind might compromise the service.

Some approaches to ensure availability are adequate bandwidth, redundancy, failover and high-availability clusters. Disaster recovery is essential in case of loss of data. Backups are a must.

Now, I found an interesting article that talks about the challenges of the CIA paradigm.

It talks about three concepts that pose an extra challenge for the CIA triad:

  • Big data

The high volume of data can pose a big challenge to making sure the information is safeguarded, mainly because of the high number of different sources of data and the high cost of maintaining duplicates and disaster recovery plans.

  • IoT Privacy

One IoT device might not generate important information, but multiple devices can provide relevant data in case of a breach.

  • IoT Security

This topic has been mentioned in class many times. There are so many IoT devices that aren’t patched or updated, or don’t have safe passwords, that these devices are an excellent source for thingbots and eventual botnets.

And that’s it for this post.

Each topic is getting more related to the others now.

Miguel A. Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

Why should we study Computer Security? – Security Blog #1

Yeah! Why should we? Isn’t an antivirus and a firewall enough for everyone? Why should I bother studying this if nothing is happening and no one even cares?

Well, in fact, a lot is happening regarding security and there are a lot of people and companies that really do care.

“Computer Security – Padlock” by Blue Coat Photos (CC BY-SA). From https://www.flickr.com/photos/111692634@N04/15327725543

As Gib Sorebo (Chief of Cybersecurity at Leidos) states:

The reason we continually fail to adequately secure our networks is not a failure to understand technology, but a failure to understand people and how they behave.

Cybersecurity is not (only) about quality control, writing good code or designing high-performance networks. In the end, what you can learn is to anticipate and manage risks: to anticipate human errors alongside computer vulnerabilities, and to deal with uncertainty and incomplete information.

So if managing risks is something you are interested in, cybersecurity is definitely something you should consider, because few areas offer this knowledge as much as computer security does.

But the problem is the small number of people majoring or doing graduate studies on this topic (well, this can also be good news). This is causing a big demand for engineers who know their security stuff, and usually the companies that know what they really need are paying high salaries to the people who can do what they want.

And what I’ve learned about topics that no one studies but are highly paid is that the people in them are usually highly skilled and have a natural capacity to deal with risks. People are interesting and like challenges. You can’t get bored doing cybersecurity work inside a company… or anywhere… because these careers are usually in demand everywhere, anytime.

An extra is being proud of being a computer Batman. Faithful and committed to the fight. Professionals that won’t be famous, ever… or at least not soon.

The more tests, the merrier – Week 3

2 weeks done, 13 to go!

“DSC_6145” by Coldgunner (CC BY-NC-ND). From https://www.flickr.com/photos/coldgunner

We have some functionality and a basic level working. The testing framework is there, and some functions to test too. Now only the actual testing is missing (apart from everything else). It’s difficult and new, but I’m very confident I will get it to work.

That will be my main focus. But in general, some basic refactoring is already going to be done, as well as more gameplay functionality.

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

The first stage of progress – Week 2

“Weapons Test” by Pascal (CC0 Public Domain). From https://www.flickr.com/photos/pasukaru76/6987077600/

So this week in the It’s not raining project, a lot of unplanned progress was made, apart from the individual first contact with the framework and workspace.

In my case, as I talked about at the start of the week, I wanted to get to know p5.js and p5.play. Even though I didn’t make any kind of exercise or example with the latter, I did practice with p5.play and everything I need to remember of Node.js and Express to assign the routes of the server. It was fun and interesting to make functions and equations that are really based on physics: taking into account mass, acceleration (gravity) and the drag coefficient certain liquids have. In my case, I tried to simulate water and oil.


When I finished my practice, I was informed that, in truth, almost nothing of p5.js was going to be of use to us (except the basics). Now I say goodbye to my little exercise as I delete it from our git repo.

Talking about GitHub: we started using it in a more complete and professional way. It’s not my first time working with multiple, specific and useful branches (I know this is not the case for some members), but it’s the first time I’ve started making more descriptive commits and declaring project issues. That’s nice.

Currently, I’ve taken an interest in testing, as it is something I haven’t done before.

I assigned myself a GitHub issue and started doing some research and implementing stuff. I found it interesting but difficult, as I really didn’t know what I was supposed to do to achieve certain tasks. It’s still difficult. But at least I know the testing framework works and I can do some basic asserts, though I still need to understand the routing and JSON responses. So that will be my main focus this last week of the sprint.

Meanwhile, Arturo did the heavy lifting in the game-development area, and the rest of the team members did some research and investigation regarding GitHub and p5.play, along with supporting Arturo on many issues.

I think we are doing great, faster than expected. I only hope that my testing issues won’t slow down the overall progress.

Let’s keep it up.

Miguel
Esperanto enthusiast
ʕ•ᴥ•ʔ