EP53 - AskDeveloper Podcast - Privacy and GDPR

General Data Protection Regulation
Following the Data Protection Directive of 1995
ePrivacy Directive of 2002 (cookie law)

Articles
https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice
General Data Protection Regulation

EU Site:
https://www.gdpreu.org/

Privacy by Design
https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/

Questions
• What?
• Why?
• Who is affected ?
○ Am I a controller?
○ Am I a processor?
• What data is included in protection?
• What protection is required?
• What to protect against? What consent is required?
• What are the penalties?


Privacy Impact Assessments
A Privacy Impact Assessment (PIA), which is required under GDPR for data-intensive projects, is a living document which must be made accessible to all involved with a project. It is the process by which you discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process.
Like all GDPR documentation, a PIA can be requisitioned by a data protection regulator in the event of a privacy concern or data breach. Not having a PIA is not an option.

EP52 - AskDeveloper Podcast - MOOCs

- Quick history
○ Distance learning
○ Open educational resource movement
○ MOOC coined in 2008 by Dave Cormier
○ Khan Academy, P2PU, and Udemy
○ Udemy has tools for pros to create courses and publish (also attracting corporate trainers to create courses for enterprises)
○ Udacity growing out of Stanford CS courses by Sebastian Thrun
○ Coursera growing out of Stanford's Andrew Ng and Daphne Koller
○ MITx launched by MIT in response to commercialization of MOOC, then joined by Harvard and renamed edX
- Cost
○ Content is free
○ edX offers certificate for 100$ for most courses
○ Coursera have some quizzes and grading exercises only for paying students
○ Udacity has nano-degrees with projects reviewed only for paying students
- Interdisciplinary learning
○ Importance
○ Examples
- For credit leaning
○ Georgia Tech masters 2013 with Udacity
○ edX have MicroMasters which offers for credit courses and earn 25% credit of on campus masters
§ RIT cybersecurity
§ University of Pennsylvania Robotics
§ British Columbia Software Development
§ Boston University Digital Leadership
§ MIT Supply Chain Management
§ University System of Maryland Cloud Computing
§ Columbia Business Analytics, AI
§ San Diego Data Science
§ Michigan UX Research and Design
§ Others
○ Coursera masters with
§ Illinois MBA, Accounting and CS (Data Science)
HEC (innovation and entrepreneurship)

بعض الروابط التي ذكرت في الحلقة
كورسات كلية الحاسبات و المعلومات جامعة حلوان
https://www.youtube.com/user/FCIHOCW


Our facebook Page
http://facebook.com/askdeveloper

On Sound Cloud
http://soundcloud.com/askdeveloper

Please Like & Subscribe

EP51 - Software Craftsmanship

من هو المبرمج الصنايعي
من هو المبرمج المهندس
الموضوع مش بالشهادات
سؤال الفرق بين المبرمج والمهندس
الألقاب
تأثير الثانوية العامة علي ترتيب الوظائف في البرمجة
المهندس الكويس مش شرط يكون حرفي كويس
علاقة المهن في البرمجة بالوظائف الإدراية
سؤال "أنا ما أعرفش أي حاجة، وعايز أدخل المجال"
سواء أخدت شهادة أو ما أخدتش شهادة، إيه هي الحاجات اللي المفروض أتعلمها؟

AskDeveloper Podcast - 50 - Content Distribution

- Follow up on Encryption episode (Google blocking Symantec certs)
○ Sep 2015 incident (Thawte issuing a goolge.com cert without authorization. Attributed to employee error and resolved by termination
§ Oct 2015 Symantec disclosed 23 test certs issued without owners knowledge, more certs uncovered by Certificate Transparency logs, symantec extended the audit and found additional 164 certs, and 2458 certs issued for domains never registered https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
§ Jan 19 2017, Mozilla reported more misuse https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/fyJ3EK2YOP8/yvjS5leYCAAJ
§ Mar 23, 2017, google posts a report of 30,000 bad certs from symantec, proposing a gradual plan to distrust symantec till actions taken to ensure trust https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs%5B1-25%5D
Extended validation vs. Domain validation certs (mostly technically identical -EV may use stronger enc- but different registration process with different UX presented by browsers -green bar-)
• How the Television age reflected a scarcity of communication channels.
• How the Internet created an abundance of communication channels.
• Creators and audience choose platforms based on cost, ease of use and unified user experience, not because “that’s where everybody is”.
• Once made a choice, users don’t switch to another similar platform even if it’s marginally better.
• Vimeo vs YouTube. Google+ vs Facebook.
• Control of personal data or openness isn’t a deciding factor for most users.
• User data and attention is the main product for content distributors.
• The software offered by content distributors is fairly simple.
• Most of the engineering effort of these companies is going in scaling for a billion users and into mining the data provided by those users.
• The main components of content distribution:
• Producing content
• Serving content
• Consuming content
• Rating
• Comments and discussion
• Reviewing
• Discovery, subscription, and notification
• Saving, bookmarking, and organizing
Ads

AskDeveloper Podcast - 49 - Cryptography - Part 3 - Digital Signaures and Protocols

○ Digital Signatures
§ Goal: verify Authenticity of a message.
§ Based on Asymmetric Cryptography.
§ Basic operations
1. Public / Private keys generation (using some algorithm like RSA)
2. Signing algorithm using the private key
3. Signature verification algorithm using the corresponding public key
i. Extending previous Example
• Steps (Order is very important, bold stuff is the difference added to authenticate sender)
® Party 1 (Alice)
1. Generates a random AES Session Key (32 bytes / 256 bits)
2. Generates a random Initialization Vector (IV) (16 bytes / 128 bits)
3. Encrypt the message to be sent using the AES Session Key & IV
4. Calculate an HMAC of the encrypted message using the AES Session key
5. Encrypt the AES Session Key using the Public Key of Party 2 (Bob) The recipient.
6. Calculate Signature using the private signing key on the HMAC
7. Sends a packet of (Encrypted Message, Encrypted Session Key, Initialization Vector, HMAC, and Signature) to Bob
® Party 2 (Bob)
1. Decrypts Session key using his Private Key
2. Recalculates the HMAC of the encrypted message (Validates message integrity)
} If HMAC check pass
– Verify digital signature using Alice Public Key
w If signature verification pass
w Decrypts the message using the decrypted AES Session Key and Initialization Vector
w Otherwise, identity of the sender couldn't not be verified, reject message.
} Otherwise, rejects the message because of integrity check failure.
• Why Order matters?
® Timing Side-Channel Attacks
® Padding-Oracle Attack

○ Protocols
§ TLS/SSL
• How TLS/SSL Works?
• Mitigates against
® Man in the Middle Attacks
® Authentication, so the client can be sure it is talking to the correct destination.
§ Public Key Infrastructure (PKI)
• Certificates aka X.509 Certificate (Sha-1 Signature Issues)
® A digitally signed file
® Identifies (Computer / User / Device)
® Has Public & Private Key, only the certificate owner has the Private Key.
® Has Expiration date
® Information about the CA that issued the cert
® X.509 Extension Attributes (like Usage attribute)
® Revocation Information.
• Certificate Authority (CA) (CNNIC, WoSign)
® Issues, signs and manages certificates.
® Famous certificate authorities (Verisign, GoDaddy, … etc).
• Trust Chains
® CA's can delegate the signing job to subordinate CA's
◊ Root CA's signs an intermediate signing certificate to the subordinate CA
® The subordinate CA can then issue certificates
® To validate a certificate, the client validates the signatures of all the intermediate stages and make sure all of them are linked to a Trusted CA
• Certificate Revocation Lists (CRL's)
® When a certificate is compromised (Private Key leaked) it will be published on the CRL, so each time the cert is validated, the CRL list is checked in case cert is revoked.
3. Takeaways
4. Books
a. Understanding Cryptography: A Textbook for Students and Practitionershttps://www.amazon.com/Understanding-Cryptography-Textbook-Students-Practitioners/dp/3642041000


Our facebook Page
http://facebook.com/askdeveloper

On Sound Cloud
http://soundcloud.com/askdeveloper

Please Like & Subscribe

AskDeveloper Podcast - 48 - Thoughts on Interviews

هل الطريقة الحالية لتقييم المطورين بالتركيز على أسئلة الخوارزميات هي الطريقة المثلى؟
روابط ذكرت في اللقاء
DHH (The author of Ruby on Rails)
https://twitter.com/dhh/status/834146806594433025?lang=en

https://github.com/tmcw/presentations/blob/gh-pages/advice-to-the-graduate/index.md
http://www.yegor256.com/2017/02/21/say-no-to-google-recruiters.html

قائمة مجمعة بالشركات التي تعتمد طرق اخرى في تقييم المبرمجين
https://github.com/poteto/hiring-without-whiteboards

Our facebook Page
http://facebook.com/askdeveloper

On Sound Cloud
http://soundcloud.com/askdeveloper

Please Like & Subscribe

EP47 - AskDeveloper Podcast - Cryptography - Part 2 - Encryption

الحلقة السابقة
https://soundcloud.com/askdeveloper/ep46-askdeveloper-podcast-cryptography-part-1-introduction-and-hashing
○ Encryption (Two Ways)
§ Symmetric Encryption
□ Same key both encrypts and decrypts the data.
□ Very fast, yet exchanging key is tricky
□ Very Algorithmic
□ Examples
® DES Data Encryption Standard (BROKEN)
◊ Uses key of 56 bit length
® Triple DES (3DES)
◊ Uses three keys (or two unique keys) of 56 bit each
® AES Advanced Encryption Standard
◊ Uses keys of 128, 192 or 256 bits long
□ Attacks
® Brute force
◊ Usually mitigated via increasing key length, as difficulty increases exponentially as key size increases, for example time to crack given a modern super computer.
Key Size Time To Crack
56 bits 399 seconds
128 bits 1.02 * 1018 years
192 bits 1.87 * 1037 years
256 bits 3.31 * 1056 years
◊ Side-Channel Attacks
§ Asymmetric Encryption
□ Key pairs have mathematical relationship
□ Each one can decrypt messages encrypted by the other.
□ Slow, but exchanging key is trivial
□ Very Mathematical
□ Anyone can know the Public Key
® The Public key can only be used to encrypt data
□ The Private key is kept secret, and never leaves the recipient's side.
® The Private key can only be used to decrypt data
□ Examples
® RSA (Rivest, Shamir and Adelman)
® The de-facto standard in the industry
® Public and Private keys are based on large Prime Numbers
§ Hybrid Encryption
□ Uses both Symmetric and Asymmetric encryption at the same time.
□ Goals:
® Use the performance of Symmetric Crypto
® Convenience of sharing keys using Asymmetric Crypto
® HMAC for authentication.
□ Steps: (Order is very important)
® Party 1 (Alice)
1. Generates a random AES Session Key (32 bytes / 256 bits)
2. Generates a random Initialization Vector (IV) (16 bytes / 128 bits)
3. Encrypt the message to be sent using the AES Session Key & IV
4. Calculate an HMAC of the encrypted message using the AES Session key
5. Encrypt the AES Session Key using the Public Key of Party 2 (Bob) The recipient.
6. Sends a packet of (Encrypted Message, Encrypted Session Key, Initialization Vector, and HMAC) to Bob
® Party 2 (Bob)
1. Decrypts Session key using his Private Key
2. Recalculates the HMAC of the encrypted message (Validates message integrity)
} If HMAC check pass
– Decrypts the message using the decrypted AES Session Key and Initialization Vector
} Otherwise, rejects the message because of integrity check failure.


Our facebook Page
http://facebook.com/askdeveloper

On Sound Cloud
http://soundcloud.com/askdeveloper

Please Like & Subscribe

EP46 - AskDeveloper Podcast - Cryptography - Part 1 - Introduction and Hashing

Information Security
1. Introduction
○ Security by obscurity
§ Steganography
□ Hiding data inside another form of data, like using non-used bits in image to hide a message
§ Cool, but not practical.
§ Disadvantages
◊ Algorithm secrecy vs. key secrecy
○ Cryptography is everywhere and yet if done right, you can barely see it.
○ Goals:
§ Confidentiality
□ Secrets stay secret.
§ Integrity
□ Data is not tampered with.
§ Non-Repudiation
□ No party can deny sending messages.
§ Authentication
□ Each party can ensure that the sender is what they expect.
○ Cryptography
§ Hashing
§ Encryption
§ Signing
§ Protocols
○ Random Number Generators
§ Extremely important, almost all encryption/hashing strength is affected by how random the random number generator is.
§ Don't use simple random number, use a cryptographic random number generator with a sophisticated source of entropy.
§ Pseudorandom number generator
§ Dual_EC_DRBG random generator backdoor
2. Body
○ Hashing (one Way)
§ Properties
□ Fixed length output no matter what size the input was
□ Very easy to compute the hash of a given message, however very hard to compute from a hash the corresponding input.
□ Mathematically infeasible to generate a message that has a given hash
□ Any modification to a message produces a completely different hash that has no relationship to the original message's hash.
□ It is mathematically infeasible to find two messages with the same hash. Hash Collision
§ Hashing Functions
□ Provides data integrity, however lacks authentication
□ Examples
® MD5
◊ Considered Insecure
® Secure Hash Family SHA-X, Sha-1, Sha-2 [Sha256, Sha512], Sha-3
◊ Sha-1 is considered insecure.
◊ Sha-1, Sha-2 designed by NSA
◊ Sha-3 is not designed by NSA, Competition winner.
□ Attacks
® Brute force
◊ CPU's are getting faster and cheaper every day.
◊ GPU's are getting faster and cheaper every day.
◊ Special Hash calculating hardware is becoming more available especially with the BitCoin push.
® Rainbow table attacks
◊ Pre-Calculated tables where you can reverse lookup a hash to a value
◊ Try www.crackstation.net
§ Hash Message Authentication Codes (HMAC)
□ Adds authentication to integrity
□ Can be used with all previous algorithms, HMACMD5, HMACShA1, HMAC256 … etc.
§ Salted Hash
□ Adds random salt to mitigate rainbow table
□ Salts are unique per record, and not a secret.
§ Password Based Key Derivation Function (PBKDF2)
□ RSA Public Key Cryptographic Standard PKCS #5 Version 2.0
□ Internet Engineering Task Force RFC 2898 Specification
® Adds a lot of iterations to slow it just enough to mitigate brute force (default 50,000 iterations)
® Adds random salt to mitigate rainbow table
□ Disadvantage: It can be easily implemented with hardware which makes it vulnerable to bruteforce even with high number of iterations
§ Bcrypt
□ Password Hashing function
□ State of the art password hashing
§ Usages
□ Integrity Check
Password Storage

Our facebook Page
http://facebook.com/askdeveloper

On Sound Cloud
http://soundcloud.com/askdeveloper

Please Like & Subscribe

EP45 - A little bit about Bitcoin

• What's wrong with the world as it is today?
○ Gatekeepers and Walled Gardens
○ The Master Switch by Tim Wu
▪ Tim Wu is the one who coined the Net Neutrality term.
▪ This book tells the story of how every communication medium starts a revolution that upsets the order, then eventually it gets controlled. The same thing could happen to the Internet.
• Bitcoin
○ Is this about money, or about technology
○ Is this about the technology or bitcoin, or the technology of distributed money.
○ How Bitcoin works. Video.
○ Bitcoin mining in plain English.
• Blockchain
○ permissionless distributed database based on the bitcoin protocol that maintains a continuously growing list of data records hardened against tampering and revision, even by its operators. The initial and most widely known application of block chain technology is the public ledger of transactions for bitcoin, which has been the inspiration for similar implementations often known as altchains
○ Trustless transactions
○ Simple explanation of how Blockchain works.
• Distributed hash tables
○ class of a decentralized distributed system that provides a lookup service similar to a hash table
• Git
○ Git GPG Signature
• BitTorrent
• IPFS: Inter-Planetary File System
○ Intro to IPFS
○ IPFS: Why We Must Distribute the Web (Video)
○ How to Use IPFS to fix NPM
○ HTTP is obsolete. It's time for the distributed permanent web
▪ This page is actually served via IPFS
It covers important points: how IPFS does mutable data, how it does human-readable URLs.

EP44 - Yasser Walked On MARS And Can't Wait To Talk About It

AskDeveloper Podcast - 44 - Yasser walked on MARS, and can't wait to talk about it, and coverage of Build 2016


اشترك في قناتنا على يوتيوب و تابعنا على فيسبوك
http://fb.com/askdeveloper
http://soundcloud.com/askdeveloper
http://www.askdeveloper.com
http://youtube.com/bashmohandes