What I did this week (February 12)

So I accomplished what I promised in the last premortem post. We have Neo4j relationships working with properties contained in the edge, but it only works in one direction, a relation of the form (a)-[relation {props}]->(b). I want to be able to create relations in both directions, so that, for example, we can get the pools that a user participates in but also the users that participate in a pool. From that, we need to be able to get these nodes from an endpoint in the api, so I need to create methods to find the nodes in a relationship. That will be enough work for this week, as well as defining the complete pool endpoints and model.

This will be useful: https://neo4j.com/docs/developer-manual/current/cypher/clauses/match/#relationship-basics


Quantum Computing

Here’s a really good video that explains (vaguely) quantum computing.

Quantum computers have far more computational power than today's machines for certain problems and are capable of factorizing very large numbers. That is a serious threat to today's cryptographic algorithms, which rely on the assumption that factorizing a really large number is so expensive an operation that it is practically impossible. A quantum computer will be able to complete the factorization in a short enough amount of time, and when the cryptographic algorithms collapse, so does network security.

But sure enough, quantum computers are not just a threat to network security; they are also the solution. Quantum cryptography relies on the Heisenberg Uncertainty Principle, which states that an observer cannot fully measure a moving object's position and path without affecting one or the other.

And here's a TED video explaining the Heisenberg Uncertainty Principle:

Koley (CTO of Juniper Networks) explains: “Typically, photons are used over a fiber-optic channel to achieve this [transmit information in quantum state], any attempt to measure one of the entangled photons leads to changes in the quantum state of the other, and therefore is detected. Thus, QKD offers a key distribution mechanism where any attempt to intercept the key by eavesdropping is revealed and the keys are discarded. QKD is not vulnerable to cracking attempts by quantum computers the same way that traditional cryptographic techniques are because any interception attempts in the QKD paradigm are readily detected. This is one of the reasons QKD is considered to be a good candidate for post-quantum security.”

And here’s a video explaining the QKD algorithm:

SQL Injection Attack

Sometimes web developers don't realize that their SQL queries can be manipulated to circumvent access control, and sometimes they even allow access to host operating system level commands.

An SQL injection is a method of creating or altering existing SQL commands to expose hidden data, override existing data or even delete it. This is usually accomplished by taking advantage of the way an application builds its SQL queries: static query text is combined with user input. This way, malicious users can paste extra SQL into the application's input and, depending on the privileges given to the app's database user (often admin privileges), they are able to perform different actions.

A worked example of the issues regarding SQL Injection

What is the solution? Sanitize the user input. That basically means validating that the input is what you expect it to be: check that it's an integer, check that it has a certain format, check that it does not contain unexpected characters or even SQL statements. Also, transform the original user input: convert special characters to their HTML equivalents, remove line breaks and extra spaces, and strip octets.
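The worked example referred to above is not on the page, so here is an added one (my code, not the author's): a lookup built by string concatenation next to its hardened form, plus the kind of input validation the paragraph describes, run against an in-memory SQLite database. The `users` table and its three rows are constructed for illustration. The hardened lookup uses a bound parameter, which keeps the query text fixed so input can only ever be a value, never SQL; validation is shown as the additional check the post recommends, not as a replacement for parameterization.

```python
import re
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Build a throw-away in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """The defect the post describes: user input is pasted into the SQL text,
    so the input can change the query's structure rather than just its value.
    Deliberately vulnerable; kept here only as the 'before' of the fix."""
    query = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """Hardened form: the SQL text is constant and the value travels separately
    as a bound parameter, so the database never parses it as SQL."""
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Whitelist of what a username is allowed to look like (an assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(name: str) -> bool:
    """Validation as the post suggests: accept only the format you expect,
    which rejects quotes, spaces and anything else a query would misread."""
    return USERNAME_RE.fullmatch(name) is not None


def validate_user_id(raw: str) -> Optional[int]:
    """Check that an id parameter really is an integer before it is used."""
    return int(raw) if raw.isdigit() else None


if __name__ == "__main__":
    db = make_db()
    # A quote-and-OR input turns the WHERE clause into a tautology in the
    # vulnerable version, so every row comes back; the safe version treats
    # the same string as a literal name and finds nothing.
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))
    print("safe:      ", find_user_safe(db, probe))
    print("valid?     ", validate_username(probe), validate_username("bob"))
```

Running the block prints all three rows for the vulnerable lookup and an empty list for the parameterized one; the validator rejects the probe string and accepts a plain username, which is the check you would run before the query even if the query itself is already parameterized.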

What I’ll do this week (February 4)

This week I'll translate what we had in the backend to use the new database. I think that should be my first priority. Then I'll work on the implementation of the relations between the nodes. I'm a bit worried about the fact that I'm not testing the api for the database. Maybe later. Marco is now working on the frontend web application too. He defined the roles for everyone, since we are a big team.

What I did this week (January 29)

This week I didn't finish the helper functions for neo4j, but I have enough functionality that we can start developing the basic models and endpoints for the api. Now we can create models, restrict uniqueness of some fields and index the nodes in the database for fast lookups. With this functionality we can start managing the users and the money pools; we still need to implement the relations. There is no news on the mobile application.