Never Trust User Input for Generic Fields


Disclaimer: I am not a professional developer or database designer, this is a hobby for me.

I’ve written in the past about PHP unit testing and why you should always use example.com for your testing efforts. Now, in the wake of the Equifax data breach, I am taking a stab at expressing a thought of mine with regard to safeguarding PII (Personally Identifiable Information) in a data application.

Anyone who has ever worked with data-driven web applications will already know that user input is never to be trusted. Sanitizing data is always necessary before working with it in a data-driven web application. There are many different ways to sanitize user input, such as escaping special characters on input and using prepared statements. I am not going to get into the nuts and bolts of that right now. This article is an argument for treating input into generic fields as untrusted for a different reason: it could potentially contain PII.

The Problem

For the purposes of this article, generic fields is a term that I am using for any field that is not for a specific type of information. Fields labeled as “Notes”, “Additional Information”, “Descriptions”, etc. fall under this term.

Many times development organizations will not encrypt these generic fields and instead trust that training will be provided so that end users do not enter PII into such fields. We should never trust user input. Handling PII through policy instead of technical controls is equivalent to trying to stop a leak with a screen. Some of the water will stop, but it only takes one hole for a data leak. Relating this to the issue at hand, it only takes one person forgetting what a policy says. This can cause catastrophic PII issues for your application. This should be handled at the development level.

Example Scenario

An HR organization has a database of employees. They need to make a note that Jon Doe has a peanut allergy and that there is an epi-pen in the first-aid kit for emergencies. There is no specific field to denote medical conditions, so they place it in the “Additional Details” field. Furthermore, the person making the entry adds another emergency contact (name, phone, etc.) into the same field for this particular allergy case. Due to a security issue with the SQL server, hackers capture a dump of the database. Almost all the data containing PII is secure except for the generic fields. Now the hackers know Jon’s medical condition without having to decrypt the database. Not only is this a privacy violation, but also a potential HIPAA violation. Again, we should never trust user input.

The recent data breach at Equifax reminds us of what can happen with PII information once released to the world. While the Equifax breach is probably related to a hacker or group of hackers gaining access to an account that has legitimate access to this information and (hopefully) not one in which they had direct access to unencrypted data in the databases at Equifax, my argument for protecting generic fields still applies.

The Solution

In this case, the solution for data stored in these generic fields is simply to encrypt those fields. With good database practices, such as holding the PII data fields in their own table and linking them with primary and foreign keys, encrypting them should have a minimal impact on performance.
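As an added illustration of the HR scenario above (example code written for this page, not the author’s or any project’s), the Go program below encrypts the generic “Additional Details” value with AES-GCM before it is stored and binds the ciphertext to its employee row, so a raw table dump no longer exposes the note. The key handling, employee id and note text are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one generic field and returns base64(nonce || ciphertext),
// the value that is actually written to the "Additional Details" column.
func sealField(key []byte, rowID int, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The row id is bound in as associated data: a value copied into another row fails to open.
	aad := []byte(fmt.Sprintf("employee:%d", rowID))
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), aad)), nil
}

// openField reverses sealField; it fails on a wrong key, a tampered value, or a moved value.
func openField(key []byte, rowID int, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to hold a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(fmt.Sprintf("employee:%d", rowID)))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// leaksInDump models an attacker reading a raw table dump: does the column still show the phrase?
func leaksInDump(storedValue, phrase string) bool {
	return strings.Contains(strings.ToLower(storedValue), strings.ToLower(phrase))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys live in a KMS/secrets store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	note := "Peanut allergy, epi-pen in first-aid kit. Contact: Jane Doe" // constructed
	stored, err := sealField(key, 42, note)
	if err != nil {
		panic(err)
	}
	fmt.Println("dump shows 'peanut'?", leaksInDump(stored, "peanut"))
	back, err := openField(key, 42, stored)
	fmt.Println("application reads back:", back, err)
	_, err = openField(key, 43, stored)
	fmt.Println("same value read under row 43:", err)
}
```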

What I’m Reading – The Nerdist Way

For the last week or so, I have been reading “The Nerdist Way” by Chris Hardwick. I was happy to add it to my library. So far, it has made a positive impression on me. It speaks to me as a nerdist, as a productive, working professional and from a personal point of view. Though I am not finished with the book yet, I believe that this book will be getting at least a four-star rating on Goodreads. This will definitely be a book that is pulled from the library shelf to read again.

Nerdist Chris Hardwick
Chris Hardwick by Gage Skidmore

About Chris – The Original Nerdist

In case you don’t know, Chris Hardwick is the brains behind the Nerdist web empire. In the words of the website, “Nerdist was started by CHRIS HARDWICK and has grown to be A MANY HEADED BEAST”. In addition to being a comedian, he currently hosts no less than six different shows on television. He is one of the hardest working people in the entertainment industry.

About the Book

Reading “The Nerdist Way” has revealed to me that, in many ways, Chris’s life experience is very similar to mine. I can relate to the stress and anxiety he lives with and how he coped with it in the past to how he copes with it now. He decided on his own that quitting drinking was the best thing for his life while I had to come to the same conclusion after a bout of pancreatitis. Both Chris and myself are now sober although he has a few years on me.

On Stress and Anxiety

His account of experiencing stress and anxiety was almost exactly what I experienced; it was like he was crawling around in my head, which is rather unsettling if you think about it. One of my favorite parts of the book with respect to this was his account of looking up medical symptoms on the internet:

THE WEB: A HYPOCHONDRIAC’S LIFEBLOOD Please do me a favor. We’re friends now, right? OK, good. NEVER go online to self-diagnose. EVER. Don’t fucking do it. You might as well just ask Dwayne “The Rock” Johnson to kick you in the solar plexus. Sites like WebMD should just change their name to Enjoy YourCancer.com

YES! Finally someone came out and said what I have been saying for years! I feel vindicated!

The Ever Working Brain

As a fellow nerdist, I understand the way he described the head always working, always thinking and always making connections to things that may not necessarily be correct or even healthy. Whether it be worrying about that strange ache on the back of your right earlobe or worrying about where you are going professionally, the voices in your head (not literal voices, that’s just crazy) whisper the worst case scenario; that only helps make things worse.

In a lot of ways, I think this contributes to the reason why many of us have chosen to quiet the voices in our heads (again, we’re not crazy) with alcohol. When there is nothing telling you that you are dying of some horrible ear lobe fungus, you are actually a much happier person in the short term but not in the long term.

The Professional Nerdist

As a productive, working professional, I appreciate Chris’s work ethic. Once your mind is free of the voice-muting alcohol, it needs to turn to other outlets. For both Chris and myself, that seems to be work. I am not saying that I am as hard a worker, as productive or as successful as Chris; I am just relating my experience compared to his and the similarities. Take this quote from the book for example:

The fortunate or unfortunate occurrences that befall you most of the time are the direct result of attitudes you employ and the choices you make.

This expresses almost the same sentiment as one of my favorite quotes by Khalil Gibran. Chris is constantly reinforcing the formula for success, which is that there is no simple formula. Success is made from hard work, not something lucky you find by chance.

Strive for excellence in something you love.

New Resolutions – Week 4

As I write about resolutions for this week, my mouth is on fire! These puppies are HOT! And that was after only three. That being said, this week’s new resolution is the Paqui Haunted Ghost Pepper Nachos. I love hot things. Hot buffalo wings, hot chips, hot sausages, etc. I used to devour the Lay’s Flamin’ Hot chips all the time; now they are too hard to find. My order of Chinese food would always include the words “extra spicy”. This is not me being braggadocious here; I am simply laying the foundation for the scale as to exactly how hot these nachos are.

Some people can’t handle spicy food and that is ok. For me, I think it is the endorphins released when I eat spicy food; it makes me all warm and fuzzy inside. I can feel the fire dragon tickling my stomach when I eat spicy food and that makes me happy.

Of course, it is not just the spice for me, it is the flavor as well. I don’t really care for something that is spicy just to be spicy. If that were the case, I would just pour myself a glass of Sriracha or other hot pepper sauce and drink it straight. That is neither appetizing nor is it smart.

The flavor of the nachos is like that of other chili peppers. Behind the heat, there is a hint of sweetness. Overall, the flavor is enjoyable. This is a flavor that I would choose even if there was no heat to it.

Recap from last week’s resolutions

Last week, as part of the resolutions series, I tried Kame Rice Crackers. I went two weeks in a row of something that I did not care for. The crackers were just the opposite of the nacho chips above. There was no flavor at all; they reminded me of Rice Cakes, remember those? I believe the phrase “Eating packing peanuts” came to mind. I would not eat these again, but hey, if eating paper is your thing, go for it.

Example.com: Always Use It for Testing

Background

I was looking over some software tests today and they had different testing addresses such as test.com or test@test.com. This got me thinking: isn’t there a standard site or address that we should use for testing? It didn’t take me long to find my answer: example.com. More on that in a bit.

Security Concerns

A couple of thoughts came up while thinking about this: where is my information going while testing with made-up sites, and what kind of data am I sending? From a security standpoint, using unknown sites for testing may reveal flaws, sensitive data or PII to parties that may not have the best intentions in mind. Let me throw a hypothetical out there. Suppose I am a party that sees an opportunity to purchase the domain name tester.com. My reason for purchasing such a domain is not legitimate; rather, the domain is a honey pot. With that honey pot, I harvest information by pulling in emails that come to that domain. Once that information is in hand, I could sell it on the dark web. Thankfully, my honor is paramount to me, so I will not do such a thing.

Real Life Examples

A quick search on whois found the following: test.com has a private registration in the United States. We don’t know who owns this site. The question here is what their intentions are for the data they gather. Registration for somewhere.com is private in Panama. Nowhere.com redirects to a media outlet in Germany that looks like a simple front site. The last update for this site? 2012. I’m not saying that this one is, but it’s suspicious at the very least. A web advertising agency owns the site test-site.com. There is a potential that the owner of test@test-site.com may add emails gleaned from tests to spam lists. How would your clients feel about a sudden influx of spam?

Other Concerns

A less evil, but realistic, concern with using random sites is that some of these sites could be real and legitimate. Take, for example, a company named Pinacle Associates; I have no idea if such a company exists, and please don’t bombard them with emails. Tes Thompson is an SVP for Public Relations for this company. For emails, this company decided on the naming scheme of first name plus last initial. In this case, Tes’s email would be test@pinacle-associates.com; again, I don’t know if this exists, so please be kind and don’t spam it. Imagine the amount of mail she would get if a test team decided to use her email address for testing.

The Solution: Example Domains

So what is the solution then? Set aside for the very purposes of testing and documentation are example.com, example.net, example.org and example.edu. The Internet Corporation for Assigned Names and Numbers (ICANN) owns and manages these domains. These are the folks that give out and manage domain names.
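As an added example (not code from the original post), the Go program below scans a constructed test fixture and flags every e-mail address whose domain is not one of the reserved example names, which is the check a test team could run before fixtures ship. The reserved list follows RFC 2606 (example.com/.net/.org and the .test, .example, .invalid and .localhost top-level domains) plus example.edu as listed above; the fixture addresses are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Names set aside for documentation and testing. example.com/.net/.org come from
// RFC 2606, which also reserves the .test, .example, .invalid and .localhost TLDs;
// example.edu is included because the post above lists it.
var reservedSecondLevel = map[string]bool{
	"example.com": true, "example.net": true, "example.org": true, "example.edu": true,
}
var reservedTLD = map[string]bool{"test": true, "example": true, "invalid": true, "localhost": true}

// emailRe is a deliberately simple address matcher for fixture files, not a full RFC 5322 parser.
var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// isReservedDomain reports whether host, or any parent of it, is a reserved name,
// so sub.example.com and app.test both pass while example.com.evil does not.
func isReservedDomain(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	if reservedTLD[labels[len(labels)-1]] {
		return true
	}
	for i := range labels {
		if reservedSecondLevel[strings.Join(labels[i:], ".")] {
			return true
		}
	}
	return false
}

// unsafeTestAddresses returns every distinct e-mail address in the fixture whose
// domain is not reserved, i.e. mail sent to it could reach a real mailbox.
func unsafeTestAddresses(fixture string) []string {
	var bad []string
	seen := map[string]bool{}
	for _, addr := range emailRe.FindAllString(fixture, -1) {
		host := addr[strings.LastIndex(addr, "@")+1:]
		if !isReservedDomain(host) && !seen[addr] {
			seen[addr] = true
			bad = append(bad, addr)
		}
	}
	return bad
}

func main() {
	// Constructed fixture mixing safe (reserved) and unsafe (real-looking) addresses.
	fixture := `users:
  - email: test@test.com
  - email: qa.lead@example.com
  - email: test@pinacle-associates.com
  - email: dev@app.test
  - email: ops@mail.example.org
  - email: test@test.com`
	for _, a := range unsafeTestAddresses(fixture) {
		fmt.Println("fixture uses a non-example domain:", a)
	}
}
```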

Conclusion

So the moral of the story here is that you should always use one of the example domains. Using a domain such as example.com when testing software will help prevent inadvertently leaking PII data. Your company or client values their data and wants it kept secure.

… And Everything Under the Sun is in Tune

Enjoying the eclipse in style

Eclipse

Wow! What an event. The eclipse of 2017 turned out to be everything that it was hyped to be. As recently as yesterday, it was still looking a little dubious whether or not we would be able to see it, as we were forecast to have mostly cloudy skies during the time of the eclipse. Would the weather hold true to its promise? As you can see, the forecast was once again wrong, although at the time of this writing it is now mostly cloudy outside.

I worked to get set up for the eclipse and it was muggy and hot. I thought for sure that I would be spending a good chunk of the eclipse inside and be outside only for the 45 minutes or so before totality, but that turned out not to be the case.

Soon after the eclipse started, the temperature began to drop. I knew that this was a possibility, but I don’t know whether it was due to a front moving through or to the eclipse itself; I’ll have to look into that later.

Eclipse shadows
Weird shadows

Halfway There

About halfway through the eclipse, there was a definite dimming of the sky. Strange shadows from the trees had the appearance of waves flowing over the ground. It was indeed a strange sight. I suppose I should define weird. All the shadows of leaves seemed to have a crescent shape to them. It was this crescent shape and the movement of the shadows that made them look like water waves.

About twenty minutes before totality, the nocturnal instincts of animals started to kick in. The crickets chirped, and some other nocturnal bugs started crawling onto the patio. Thankfully, I did not see any snakes. Birds started returning to their nests. Thor went into bedtime mode and retired to his room.

Thor's eclipse glasses
Thor, not liking the glasses

The Darkside of the Moon

I am happy to report that my experiment of syncing Pink Floyd’s The Dark Side of the Moon seemed to be almost perfect. I did take video, but it did not turn out too well for a variety of reasons but the major one of which was that a train was going by at the time of totality. Other night animals started in the form of neighbors shooting off fireworks during totality.

While I did not see any stars, I did see at least one planet, which I’m assuming to be Jupiter. I began shooting away with the camera at totality; I had just under 2 minutes. The best one I took is at the top of this article. I missed the ‘diamond ring’ image due to taking in the scenery with my own eyes, but I don’t regret it.

This has been billed as a once in a lifetime event, but I hope to get to Texas in 2024 for that one. Based on the cost of hotel rooms in Kearney ($7k+ if booked close to eclipse time) I may need to make reservations soon.


New Resolutions – Week 3

Last week for the resolutions series, I wrote about trying a cold brew coffee by Bizzy Coffee.

Last Week in the Resolutions series

Maybe I misread where it said that you could drink it cold but, bleh! I did not care for it cold. Since we are in the midst of a devil’s sauna, I did not care for it hot either. Perhaps coffee will never be for me; if it is, it will be a winter drink. I think, however, that it will always be something I occasionally try.

I’ve still got some of this left that I need to get through so I got myself some French Vanilla flavoring to help me through it. That is not what is new this week. This is just an update to let everyone know that the coffee won’t go to waste.

This Week

This week in the resolutions series, we move away from caffeinated beverages into the world of snacks, oriental snacks to be precise.

New Resolutions: Kame Rice Crackers

Trying foods of other cultures is always fun to me, even if they are Americanized.

Kame Rice Crackers were calling my name in the small oriental food section of a local grocery store. They looked like something I may like, so I picked them up. The crackers look healthy. They have only 90mg of sodium, 0g of saturated fat, 0g of sugar, 120 calories and 2g of protein per 16 crackers. They are also certified gluten-free and non-GMO verified, if you’re into that. I will let you know how it goes.

Thoughts on Removing Confederate Symbols

I used to think that removing confederate symbols was in some way destroying or rewriting history, but then I thought, “Huh, you know what we don’t see any of? We don’t see swastika statues around; not even the Hindu, Buddhist, Jainist, nor the Native American swastika.” We also don’t see statues or displays of pentagrams around much anymore. We removed those for the most part and yet we still know what they were. We know the weight they carried through news, textbooks, history courses and online resources such as Wikipedia.

Power in Symbols

Good or bad, there is power in symbols. A symbol doesn’t care what its intention originally was. People, groups and society in general assign power to objects until they become a battery to charge beliefs. These beliefs can be beliefs that benefit others (good beliefs) or beliefs that hurt others (bad beliefs).

The swastika was originally a religious symbol of many peoples the world over. In some areas of the world, it still is. It remains a sacred symbol of spiritual principles in Buddhism, Hinduism and Jainism. In the Western world, it was historically a symbol of auspiciousness and good luck. It was not until the 1930s when the Nazi regime came to power when its meaning changed.

The pentagram is now widely considered a symbol of ‘evil’ by many religions, including Christianity. The fact is that the pentagram was once a sacred Christian symbol. It represented the five wounds of Christ. Today it is considered a sacred symbol among the Wiccan religion.

The Bellamy Salute

We no longer perform the “Bellamy Salute” when saying the Pledge of Allegiance because of its similarity to the “Sieg Heil” of Nazi Germany. Civilians now remove their head cover and place their hands over hearts. Some stand with hands at their side when saying the Pledge or during the singing of our National Anthem. Military members perform a military salute during these activities.

How the Meaning of Symbols Changes Over Time

I bring up these historic examples because I want to demonstrate how a symbol can change over time. This directly relates to what is going on now. We are not erasing our history by removing monuments of generals and leaders. These people fought to leave the United States; to keep their economy, an economy which relied heavily on slavery, the way it was. Yes, they fought brave and strong for what they believed, but in the end, they were rebels. They wanted to break up the United States and create their own country with a major chunk of the pieces. Today we would call that treason.

A Reason for Removing Confederate Symbols

Statues and flags of the confederacy have become magnets for people of hate, people like the white supremacists who gathered in Virginia for a white pride rally. These symbols have been growing in strength in the last few years, and not in a good way. Perhaps, like the swastika and the pentagram, we should abandon these symbols as well. We should not abandon them through violence or vandalism, but through a legal process. Let’s let the majority agree on what they symbolize and what should be done with them. Perhaps removing confederate symbols is the appropriate thing to do. They are not serving anyone any good anymore; they are only bringing trouble.

Happy Anniversary to Me

Happy Anniversary

Today is my six-year work anniversary with Xpanxion. With the exception of about a year or so when I was sick and then recovering from pancreatitis, it has been a very enjoyable experience. Even when I was recovering, I was enjoying learning new things, things that I could apply to my work. Among the things I am most proud of is my continued work on an internal application I have developed to handle internal employee reviews. I have learned more about software development working on that project than you can learn reading textbooks for a class.

The Future

Now our company is at a turning point. Not a bad one, mind you; the future looks very bright for Xpanxion. We are building a multi-million dollar rural conference center in my city of Kearney that will be state of the art. Our client list is growing almost weekly; we are in a good place. We grow not because we advertise or buy clients; we grow because our reputation grows. Our quality and work force, both here and overseas, are incomparable to any other company like ours.

I just wanted to take a moment to reflect on my time with Xpanxion. I admit my bias but of all the careers out there, Xpanxion is the best.

PHPUnit – Unit Testing with PHP

In modern software development, unit testing can no longer be an ignored activity, especially for object oriented programming (OOP). I have been coding in PHP for several years now. I thought I’d share my thoughts on unit testing in PHP with you.

Unit Testing in PHP

OOP has so many advantages over procedural programming, and unit testing is one of them. I’m not saying that unit testing can’t be done with procedural styles, but it has a much better use case in OOP. I am not going to get into the nuts and bolts of setting up PHPUnit for your PHP project, but JetBrains, the folks behind my favorite IDE for PHP, have an excellent article about setting up PHPUnit for PhpStorm. It can be found here.

Once PHPUnit is set up, writing tests is easy. Just plug in what you want to send to a method and tell PHPUnit what you expect the results to be.

Skeleton Framework

Here is a basic skeleton framework for writing tests.

<?php
/**
 * Created by PhpStorm.
 * User: aaron
 * Date: 8/13/17
 * Time: 12:03 PM
 */

require '../lib/Utilities/Utilities.php';

// PHPUnit 5 base class; PHPUnit 6 and later use PHPUnit\Framework\TestCase instead.
class UtilitiesTest extends PHPUnit_Framework_TestCase {

    /* ** Test Initialization ** */

    private $utilities;

    // Runs before every test method: build a fresh object under test.
    protected function setUp()
    {
        $this->utilities = new Utilities();
    }

    // Runs after every test method: release the object under test.
    protected function tearDown()
    {
        $this->utilities = NULL;
    }

    /* ** Tests ** */

    /* ** addTwoNumbers() Tests ** */

    public function test_addTwoNumbers() {

        $number1 = 2;
        $number2 = 3;

        $result = $this->utilities->addTwoNumbers($number1, $number2);

        $this->assertEquals(5, $result);

    }

    /* ** subtractTwoNumbers() Tests ** */

    public function test_subtractTwoNumbers() {

        $number1 = 2;
        $number2 = 6;

        $result = $this->utilities->subtractTwoNumbers($number1, $number2);

        $this->assertEquals(-4, $result);

    }

}

PHP Assertions

There are a whole slew of assertions built into PHPUnit, assertEquals() is just one of them. Assertions such as assertNull(), assertNotNull(), assertContains() are some of the most common ones used. For a complete list, check out the assertions link of the PHPUnit documentation.

See, that really is pretty simple. Of course, when writing unit tests, there is a danger for the mind to wander and think of ‘what if’ scenarios, especially if you come from a quality background such as a QA Analyst. Unit tests should cover the functionality of the component being tested and nothing else; that is what QA is for. They will find the functional defects; you just need to make sure your code works as expected. That is where unit tests shine.

The Purpose of Unit Testing

This can’t be stressed enough: the primary purpose of unit tests is not to find defects; they just make sure that the components of code work as they should. Even though the unit tests in the above example would find a defect if they showed that 2 + 3 = 4, that is not the purpose of the test, as this would be found during functional testing. The purpose is just to make sure that the method works correctly; calculator examples are also the easiest examples to demonstrate code.

New Resolutions – Week 2

New Resolutions - Honest Tea

Resolutions from Last Week

Last week, on ‘New Resolutions’…

I wrote about my newfound love of tea and the new teas that I was trying. I tried the Honest Green Dragon Tea and the Honest Assam Black Tea. Both were actually really good. I said something about not liking green tea, but liking dragons; well, the dragons won. I was pleasantly surprised because even though there was a sweetness to it, there was not the over-the-top sweetness that turned me off of most green teas.

The Assam Black Tea was pretty much what I expected, a nice, full body black tea. Not much else to be said about it other than it was good, just as I expected.

Resolutions This Week

This week, as part of my resolutions series, I leave tea behind and try some coffee. I’ve never been able to get into coffee, but people at work drink it like mad. I have tried regular office rot-gut coffee and nice coffee shop coffee of varying varieties and have never really been able to hold an interest in it. Maybe it’s because I don’t like hot drinks, I don’t know. I’ve never been able to get into coffee.

I am going to try it once again this week.

As I was wandering the tea aisle of the grocery store, I came across some organic, concentrated, cold brew coffee by Bizzy. So I said to myself, “Self, you should try this.” So I am. I am hoping that the not-so-hot drink will appeal to me a little more, but as I write this and sip on it, I think it could use a little bit of warmth. I’ll report back the final results next week. For now I am going to (try to) enjoy it.

That’s all for now.