Articles by Joseph Lee

How to Prevent Attacks With Proper Input Handling (Part 2)

Part 2 of this article is aimed at demonstrating how to code an accept-list validation class in PHP. We will start with a classic example of request routing where an HTTP GET request includes a “page=” parameter, which instructs the server which page the user is requesting, and an empty “?action” parameter, which instructs the server-side application which HTTP POST data to expect in the request. However, this model of input validation can be modified to handle other forms of HTTP GET and POST attribution to specify the data request. Let’s start with the basics of compiling the accept-lists for GET and POST. These are specified in a config file as shown below. The configuration is set up as constants that hold arrays. This does a couple of things. Firstly, it makes the values global, so they can be accessed from anywhere in the application code. Secondly, it prevents…

Read more

How to Prevent Attacks With Proper Input Handling (Part 1)

Input handling is a key aspect of secure web design. But what makes a good data validation/sanitation engine? The implementation depends greatly on the language and framework that your site is built on. However, best practices across IT security topics maintain that “whitelisting” or “strict checking” is a more secure way to validate. The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. Below are some excerpts from their advisories on input validation. After the quotes from OWASP, the article will use the terms “strict checking” and “accept list” to refer to whitelisting and “blocklist” to refer to blacklisting.
OWASP Input Validation Cheat Sheet
Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering…

Read more

Stages of Vulnerability Disclosure

This article attempts to give an overview of how IT vulnerabilities are categorized during their life-cycle. Understanding the terms related to the various stages of IT security vulnerabilities allows a better understanding of what a proper security policy framework should include. First, let’s cover the stages:
Unknown – vulnerabilities that exist but nobody knows about them. The vulnerability is not deliberately designed into or put into the software or hardware by a malicious actor. These vulnerabilities are caused by poor implementation. Software coding standards and software development guidelines attempt to prevent these types of vulnerabilities from happening, but complex constructs in software programming languages are difficult to implement properly and can be a large source of vulnerabilities. Unknown vulnerabilities may be discovered through static code analysis and “fuzzing” (automated testing) by malicious actors, bug hunters, or security threat hunters.
Known – once the vulnerability has been discovered, it may fall into…

Read more

Building Your IT Security News Pipeline

If you are responsible for securing a network, you should know that monitoring reliable IT security news is now critical to mitigating threats to your precious goods. Prioritizing that news landscape and rolling out a timely response is also critical to a solid recipe for security. While it is not realistic to expect security architects to have that kind of response time, if you are ignoring IT security news, you might need those backups you have been diligently maintaining, or worse. Building a solid incoming information pipeline requires an analysis of the IT security news landscape. The most fundamental elements of this landscape include threat advisories and guidelines, updates to best practices and standardization recommendations, and changing legal requirements if they apply to your organizational assets. Threat analysis reports and newly released Common Vulnerabilities and Exposures (CVE) details are critical secondary elements that relay more detailed information about vulnerabilities affecting specific software. …

Read more

What is EPO OPS Open Patent Services?


The European Patent Office OPS offers a RESTful API for its patent data, designed to allow clients to access EPO data for use in their own products and applications. Basic access to the API is free. However, annual subscription fees are required if you need more than 4 GB of data per week. Authentication is handled using OAuth to track your data usage, and documentation is available on the EPO Web-services page under the Further Information tab.

Read more

What is USPTO Global Dossier?

The USPTO Global Dossier is a portal for accessing application data from the “IP5” global patent offices. Global Dossier functions include:
Streamlined applications to multiple international patent offices.
Streamlined application data access from multiple international offices.
Global Dossier integrates with the “IP5” (USPTO, EPO, JPO, KIPO, SIPO) and WIPO. The IP5 is comprised of the U.S. Department of Commerce’s United States Patent and Trademark Office (USPTO), the European Patent Office (EPO), the Japan Patent Office (JPO), the Korean Intellectual Property Office (KIPO), and the State Intellectual Property Office of the People’s Republic of China (SIPO).
Allow applicants to file a patent application with global patent offices through a single portal.
Reduce redundant processes associated with global cross-filing.
Monitor application progress across all offices in a single portal.
Online access to documents and legal action history of applications.
Search global patent families.
Watch the demo below on how to access the…

Read more

How to Install Canvas LMS on Ubuntu 18.4


Getting Canvas LMS Pre-installed
If you want to skip the installation of Canvas LMS and purchase a VPS with Canvas LMS already installed, or alternatively have a secure instance of Canvas LMS hosted on your own domain, please contact me by email (joseph@ripplesoftware) or via the contact page for more details. The full instructions for installing Canvas LMS on your own Ubuntu 18.04 server are below.
Installing Canvas LMS on Ubuntu 18.04
8 GB of RAM is recommended for a server running Canvas LMS. However, it is possible to install and run Canvas LMS on a server with 4 GB or less. This installation was done on a Digital Ocean Ubuntu 18.04 VPS. Be sure to point your domain’s name servers at your cloud host and edit your DNS records so that your domain points at your server before you begin. You can check using the nslookup command as shown below….

Read more

Sources of Patent Data

USPTO and Reed Tech Public Dissemination of Data Contract Update
After seven years of service, the Public Dissemination of Data (PDD) contract between the United States Patent and Trademark Office (USPTO) and Reed Tech will officially end on June 25, 2020.
Sources of Patent Data
1. USPTO self-hosted bulk data
The USPTO bulk data-sets for grants and applications come in several versions, including: only PDF files, full text (with and without TIFF images/drawings), and only bibliographic front-page data. The USPTO Gazette bulk files contain notices from each issue that provide important information and changes in rules concerning both patents and trademarks. The USPTO Cancer Moonshot data-set is a collection of 269,353 selected patent documents, assembled to reveal new insights into investments around cancer therapy research and treatments and to increase the pace of cancer research.
Official Gazette for Patents (2002 – present) (Description)
Patent Grants bulk data…

Read more

If you find it hard to believe that a company such as Apple, Microsoft, or Google might intentionally leave their users exposed to blatant security flaws such as allowing apps to steal the data on your mobile device clipboard, good luck in kindergarten this semester because you must be 5 years old. Major corporations now have the art of turning their customers’ vulnerability into profits, and henceforth we shall constantly be abused by these tyrannical titans of tech. Those of us in the ultra-paranoid computing demographic of IT security freaks are constantly having to squeegee our brains off the wall from having our minds blown by news of egregious security flaws that seem to gaslight the corporation/client relationship. For example, why would Apple feel the need to ask my permission to send analytics metrics from the phone to improve its function, but NOT ask me if they could share the…

Read more