
Technology content from Leo Nelson

Top 10 IT Issues in 2016

Educause has released its Top 10 IT Issues for 2016. What is really striking is how visibly IT priorities have shifted over the last 16 years. For this year, the top 10 issues are:

  1. Information Security
  2. Optimizing Educational Technology
  3. Student Success Technologies
  4. IT Workforce Hiring and Retention
  5. Institutional Data Management
  6. IT Funding Models
  7. BI and Analytics
  8. Enterprise Application Integrations
  9. IT Organizational Development
  10. E-Learning and Online Education

Source: Top 10 IT Issues, 2016: Divest, Reinvest, and Differentiate

Explicit vs. Transparent Proxy

A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity. Proxies were invented to add structure and encapsulation to distributed systems. Today, most proxies are web proxies, facilitating access to content on the World Wide Web and providing anonymity.

In an explicit proxy configuration, the client (e.g. a browser or desktop application) is explicitly configured to use a proxy server, meaning the client knows that all requests will go through a proxy. The client is given the hostname/IP address and port number of the proxy service. When a user makes a request, the client connects to the proxy service and sends the request there. The disadvantage of an explicit proxy is that each client must be properly configured to use it.

In a transparent proxy configuration, the proxy is typically deployed at the Internet gateway and the proxy service is configured to intercept traffic for a specified port. The client (e.g. a browser or desktop application) is unaware that its traffic is being processed by a proxy. For example, a transparent HTTP proxy is configured to intercept all traffic on port 80/443. The typical benefits of a transparent proxy are a standard enterprise configuration in which every client routed to the Internet is always filtered and protected, no matter what end users do or change on their machines, and a reduction in the client-side proxy configuration troubleshooting that explicit proxies generate.
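The two deployments differ in what the proxy actually receives on the wire, which is why a transparent proxy needs extra work to learn where a request was going. A proxy-aware client sends the full URL in the request line (absolute-form) for plain HTTP, and a CONNECT tunnel request for HTTPS; an unaware client sends only the path (origin-form) and names the server in the Host header, so a transparent proxy must recover the destination from that header (or, for intercepted port 443 traffic, from the TLS SNI or the original destination address, since it cannot read the encrypted request without TLS interception). The following Python is an added illustration, not code from the original post; the request builders and the classifier are constructed here, and the hostnames used are sample values.

```python
"""Request forms an explicit proxy sees versus a transparent one (added example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class ProxyView:
    mode: str            # "explicit-http", "explicit-connect" or "transparent"
    host: str            # destination the proxy will contact
    port: int
    path: Optional[str]  # None for a CONNECT tunnel (the proxy never sees the URL)


def _path_with_query(parts) -> str:
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def build_explicit_request(url: str) -> bytes:
    """What a client configured with an explicit proxy sends to the proxy."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        # HTTPS through an explicit proxy: ask for a tunnel to host:port.
        port = parts.port or 443
        return (f"CONNECT {parts.hostname}:{port} HTTP/1.1\r\n"
                f"Host: {parts.hostname}:{port}\r\n\r\n").encode()
    # Plain HTTP through an explicit proxy: absolute-form request target.
    return (f"GET {parts.scheme}://{parts.netloc}{_path_with_query(parts)} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n\r\n").encode()


def build_origin_request(url: str) -> bytes:
    """What an unaware client sends to the origin; a transparent proxy sees this after redirection."""
    parts = urlsplit(url)
    return (f"GET {_path_with_query(parts)} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n\r\n").encode()


def classify_request(raw: bytes) -> ProxyView:
    """Work out the deployment mode and destination from a captured request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return ProxyView("explicit-connect", host, int(port), None)

    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        default = 443 if parts.scheme == "https" else 80
        return ProxyView("explicit-http", parts.hostname, parts.port or default,
                         _path_with_query(parts))

    # Origin-form: only a transparent proxy sees this, and it must trust Host
    # (or the intercepted socket's original destination) to route the request.
    host_hdr = headers.get("host")
    if not host_hdr:
        raise ValueError("origin-form request without Host: destination unknown")
    host, _, port = host_hdr.partition(":")
    return ProxyView("transparent", host, int(port) if port else 80, target)


if __name__ == "__main__":
    for req in (build_explicit_request("http://example.com/index.html"),
                build_explicit_request("https://example.com/"),
                build_origin_request("http://example.com/index.html")):
        print(classify_request(req))
```

The transparent branch is where the operational difference shows: the proxy is relying on a client-supplied header to pick the destination, so a filtering policy keyed on hostname should also be checked against the intercepted connection's original destination address.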

Top 25 Software Errors

CWE/SANS have published the Top 25 Most Dangerous Software Errors, grouped into three categories:

Insecure Interaction Between Components

  CWE ID    Name
  CWE-89    Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  CWE-78    Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  CWE-79    Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  CWE-434   Unrestricted Upload of File with Dangerous Type
  CWE-352   Cross-Site Request Forgery (CSRF)
  CWE-601   URL Redirection to Untrusted Site (‘Open Redirect’)

Risky Resource Management

  CWE ID    Name
  CWE-120   Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  CWE-22    Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  CWE-494   Download of Code Without Integrity Check
  CWE-829   Inclusion of Functionality from Untrusted Control Sphere
  CWE-676   Use of Potentially Dangerous Function
  CWE-131   Incorrect Calculation of Buffer Size
  CWE-134   Uncontrolled Format String
  CWE-190   Integer Overflow or Wraparound

Porous Defenses

  CWE ID    Name
  CWE-306   Missing Authentication for Critical Function
  CWE-862   Missing Authorization
  CWE-798   Use of Hard-coded Credentials
  CWE-311   Missing Encryption of Sensitive Data
  CWE-807   Reliance on Untrusted Inputs in a Security Decision
  CWE-250   Execution with Unnecessary Privileges
  CWE-863   Incorrect Authorization
  CWE-732   Incorrect Permission Assignment for Critical Resource
  CWE-327   Use of a Broken or Risky Cryptographic Algorithm
  CWE-307   Improper Restriction of Excessive Authentication Attempts
  CWE-759   Use of a One-Way Hash without a Salt
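The list only names the weaknesses, so as an added illustration (not from the original page) here is the first entry, CWE-89, in its vulnerable and corrected forms against an in-memory SQLite table. The table, its rows and the lookup functions are constructed for this example; the point is that splicing input into the statement lets quote characters change the statement's structure, whereas a bound parameter is always treated as a value.

```python
"""CWE-89 illustrated: string-built SQL versus a parameterized query (added example)."""
import sqlite3
from typing import Union


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89: the caller's input becomes part of the SQL text, so an apostrophe
    # in it ends the literal early and the remainder is parsed as SQL.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Fixed: the statement is parsed once with a placeholder and the value is
    # bound afterwards, so it can never alter the statement's structure.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on the same input and report what each returns."""
    conn = make_db()
    vulnerable: Union[list, str]
    try:
        vulnerable = find_user_vulnerable(conn, name)
    except sqlite3.Error as exc:
        # A legitimate name containing an apostrophe already breaks the query.
        vulnerable = f"error: {exc}"
    return {"vulnerable": vulnerable, "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    for sample in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(sample), compare(sample))
```

The second sample shows that the defect is a correctness bug before it is a security one: an ordinary surname breaks the concatenated query outright, while the parameterized version simply finds no match.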

Symbols Matter

Semiotics, or the study of symbols and sign processes and meaningful communication, has recently been on my radar because of a class I’m teaching.

Earlier this morning I stumbled on a post by Caitlin Winner on how she pushed forward a small but meaningful change to the Facebook icon set that produces the now universally recognized Facebook Friends icon.

I shared my complaint with a designer friend and she helpfully pointed me to the poster next to mine which proclaimed, “Nothing at Facebook is someone else’s problem.” The lady icon needed a shoulder, so I drew it in — and so began my many month descent into the rabbit hole of icon design.

It turns out that others at Facebook have pursued similar changes, for example the globe.

It turns out this kind of self-initiated project is not unique at Facebook. Last year, designer Julyanne Liang worked with engineer Brian Jew to give the non-American half of the globe an accurate world view from the notification icon. Since then they’ve added an Asia-centric globe, too.

Symbols are important. The context in which they are used, the global recognition of certain symbols and the misuse of symbols shape our daily interactions. More importantly, this write-up is a great example of how taking personal responsibility and ownership for changing things that seem small to some can, once implemented, make a world of difference to others.

Source: How We Changed the Facebook Friends Icon

Using DNA for Access Control

You’ve probably heard of the genetic testing site, 23andMe. The site allows users to send in a swab covered in their saliva for genetic decoding. When that code is translated, it’s viewable online as a pie chart of ancestry. 23andMe even offers an API that allows you to share your genetic information with the REST of the world. Genetic information is some powerful stuff: It can countermand information that’s been passed down through a family, provide a clue to lost relatives, and even offer unexpected insights into one’s origins. But did you ever think that genetic information could be used as an access control? Stumbling around GitHub, I came across this bit of code: Genetic Access Control. Now, budding young racist coders can check out your 23andMe page before they allow you into their website! Seriously, this code uses the 23andMe API to pull genetic info, then runs access control on the user based on the results. Just why you decide not to let someone into your site is up to you, but it can be based on any aspect of the 23andMe API. This is literally the code to automate racism. The author offers up a number of possible uses, many of which sound fairly legitimate, however. Imagine a women’s support group online that restricts access to women only. What if JDate didn’t just take your word for it that you were Jewish, and actually checked your DNA to make sure?

Source: Using DNA for Access Control