I made a recent blog post on keeping passwords safe, so I did a lot more research and created a few test programs for this purpose. I found that having a user provide the API or application with their username and password alone isn't very safe, especially if we are storing that password in our database; that immediately puts their information at risk. This assumes that the third-party company used for authentication follows much better security measures. Instead of having a customer provide you with their direct credentials, redirecting them to a trusted third party such as Google is ideal. When a user wants to create an account, we redirect them to Google using OAuth 2.0 and ask the user for permission to access, say, their email and general information like their name. Once authorized, OAuth 2.0 returns an authentication token that we can use to make further requests. This way we can create an account and store any local information we might need for the user without having to put the customer's information at risk. The process is a little more in depth: every step of the login process is authenticated, making sure it isn't intercepted and that it isn't a different client requesting the information. This can be achieved by using a state value that only the requesting user will have. We then compare this value to ensure it is still the same client, and deny any unauthorized requests. This also makes it very easy to create accounts and log the user in. We avoid the customer having their credentials stored in two different locations, which reduces their chances of being involved in a breach. This is the easier and generally more secure method for someone who is not very experienced, and even for someone very experienced. The great thing about tokens as well is that they are always revocable by Google; if the user wants to revoke all access for a token (site), they can. Once invalidated, no further request would be able to access any information about the user.
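The state check described above, as an added example that is not code from the original post. It simulates the two halves of the redirect: the app mints an unguessable state, stores it in the browser's session and puts it in the authorization URL; on the callback it compares the echoed state to the stored one in constant time and consumes it so it cannot be replayed. The client id and redirect URI are constructed placeholders; the authorization endpoint is Google's public OAuth 2.0 one, but nothing here contacts the network.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for this example; no real Google client is registered.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.test/oauth/callback"
# Google's public OAuth 2.0 authorization endpoint (not contacted in this example).
AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def begin_login(session: dict) -> str:
    """Create a fresh, unguessable state, remember it in this browser's session,
    and build the URL that sends the user to the provider with that state."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email profile",  # email and basic profile, as in the post
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str):
    """Verify that the state echoed back on the callback matches the one stored in
    this browser's session. Returns the authorization code on success, None on any
    mismatch, missing state, or reuse of an already-consumed state."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use: consumed either way
    if expected is None or not hmac.compare_digest(expected, returned_state):
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    browser_session = {}
    url = begin_login(browser_session)
    print("redirect user to:", url)
    # The provider would redirect back with ?code=...&state=...; constructed here.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={browser_session['oauth_state']}"
    print("authorization code:", handle_callback(browser_session, callback))
```

The session dict stands in for whatever server-side session the web framework provides; the important properties are that the state is generated per login attempt, tied to that session, compared with `hmac.compare_digest`, and removed after one use.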
This week has been a little bit of a struggle in trying to finish my projects for all my classes; I'm falling a little behind. Having the mental focus to push through all the assignments has been very tough. Usually when I'm in Corvallis things are a lot easier because the environment is based around school and work. However, at home it's different: you have family and friends who are always around being distracting. CS444 specifically has been the biggest challenge; the online lectures average about an hour and are asynchronous, which makes it more difficult, and the learning experience is not very good. I understand that with programming everything will mostly be done entirely online; however, when learning, I think having the classroom environment and people in the same position makes it easier. If you get stuck or need different points of view on a subject, they are there, and together learning becomes easier and more fun. My entire university experience has been roughly semi-difficult, mostly hard due to time management, and now that it's at home it becomes that much more difficult.
On the bright side, I have finally decided to start laying out my developer website. This website will consist of very user-friendly tutorials for things that aren't very common or are very complicated to understand. I find that many tutorials online aren't very detailed or are explained in ways that aren't easy for most people to understand. So I hope that I can create content for just a couple of things to start off with, just to keep others posted. I will deliver my content mostly through social media initially, like Instagram, to explain or talk about small things, with the website containing more information and very detailed, easy tutorials. This will also serve as a way to demonstrate what I can do and use it in my portfolio. However, I will see if others have ideas that I can incorporate or things they would find very helpful or useful.
One challenge I faced this week was encrypting passwords and how to properly manage them. It's interesting to see how many ways this can be accomplished and the things we should never do. I have made a couple of applications that required some sort of password storage. Initially, when I was back in high school, I only used base64 encoding, which is laughable, but I was learning and in my mind it was somehow working because you couldn't see their password. That's all that mattered at the time; however, all it took was a simple decode(pass) to get back the original password. Then I started using some sort of hashing that is non-reversible. This was definitely a better option, but I never really looked at data breaches or at real-life events that resulted in breaches. So this week I looked more into it and did a little more research for my current team project. I found lots of interesting information.
One thing with hashing is that a lot of common passwords are already out there with their current hash. So simply storing a hashed password for, say, "password123" as a hash like "somerandomhash" is not good enough anymore. Since running something like sha256(password123) will always produce the same hash, it makes the password easier to guess: you simply compare that hash against the common passwords' hashes and you find the password. So I discovered that there are newer techniques to protect against this, called a salt. The salt method uses a unique text that is appended to the password when creating the hash, so that you cannot simply search for already-cracked passwords.
This makes it very hard, even with a data breach and direct access to the unique text and the hashed password, for the password to be recovered. To add even more security you can repeat this process and do something like sha256(salt + sha256(salt + password)); this isn't necessary, however. Another method called a pepper is also a very good choice, for example sha256(pepper + sha256(salt + password)), where the pepper is the same random text for all users and the salt is unique per user. The pepper is never stored in the database, which makes it even more secure, but it can be a pain to deal with in case of a breach. This is a good approach, but there are apparently other things you can implement in the communication/transmission of the password from client to server that can also make it more secure.
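The three constructions from the two paragraphs above, written out as an added example (not code from the original post). It shows why a plain sha256 of "password123" can be found in a precomputed table, why a per-user salt defeats that lookup and gives two users with the same password different hashes, and how the pepper stays out of the stored record. It goes one step past the post's "repeat this process" by using PBKDF2-HMAC-SHA256 from the standard library for the repeated hashing; the pepper value and the small table of "leaked" common passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed for this example. A real pepper lives in application config or a
# secrets manager, never in the database next to the salts and hashes.
PEPPER = b"example-pepper-kept-out-of-the-database"

# Constructed stand-in for the public tables of common-password hashes the post
# mentions: plain SHA-256 of a few well-known passwords.
COMMON_PASSWORDS = ["password123", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def plain_sha256(password: str) -> str:
    """Unsalted hash: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_precomputed(stored_hash: str):
    """Recover a password from an unsalted stored hash by table lookup, or None."""
    return PRECOMPUTED.get(stored_hash)


def hash_with_salt(password: str, salt: bytes) -> str:
    """The post's salted construction: sha256(salt + password)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_salt_pepper(password: str, salt: bytes, pepper: bytes = PEPPER) -> str:
    """The post's peppered construction: sha256(pepper + sha256(salt + password))."""
    inner = hashlib.sha256(salt + password.encode()).digest()
    return hashlib.sha256(pepper + inner).hexdigest()


def hash_stretched(password: str, salt: bytes, pepper: bytes = PEPPER,
                   iterations: int = 100_000) -> str:
    """Generalises 'repeat this process': PBKDF2-HMAC-SHA256 runs the salted hash
    many times, so every guess costs an attacker as much as it costs us, and the
    pepper is applied on top exactly as in the post's construction."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hashlib.sha256(pepper + stretched).hexdigest()


def make_record(password: str, pepper: bytes = PEPPER) -> dict:
    """What goes in the database: a fresh random per-user salt and the hash.
    The pepper is deliberately absent from the record."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": hash_stretched(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_stretched(password, bytes.fromhex(record["salt"]), pepper)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Unsalted: straight table lookup recovers the password.
    print("unsalted lookup:", lookup_precomputed(plain_sha256("password123")))
    # Salted: same password, two users, two different hashes, no table hit.
    s1, s2 = os.urandom(16), os.urandom(16)
    print("salted lookup:", lookup_precomputed(hash_with_salt("password123", s1)))
    print("same password, different users:",
          hash_with_salt("password123", s1) != hash_with_salt("password123", s2))
    rec = make_record("password123")
    print("stored record:", rec)
    print("verify correct:", verify("password123", rec))
    print("verify wrong:", verify("password124", rec))
```

Everything in `rec` can leak in a breach and the attacker still has to guess each user's password separately, per salt, at PBKDF2 cost, and without the pepper even a correct guess cannot be confirmed against the stored hash.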
Programming in every language is not a fairly difficult task; as long as you use the proper techniques and get creative with your solutions, anything can be accomplished. It does, however, have certain criteria: some services can be really picky and require very efficient code. In an ideal world all code would be efficient, but that isn't always the case. Some implementations are lousy, or simply not efficient or fast enough. Given all that, all languages share many similarities. However, lately I have been working very closely with assembly language for one of my courses. It is very interesting to see how it all really works; I've used it before, but not a lot.
I now find myself spending a lot of time trying to understand it all. I've been aware for a long time now that it all comes down to gates that store 1s and 0s. It's baffling to see how in high-level languages we can simply declare a variable and all the hard work is done by the assembler to turn it into something the processor can run. I have been struggling quite a lot with virtualization. Virtualization takes physical memory and virtualizes it, so that programs don't have direct access to the physical memory. In my most recent assignments for this course, we have to work very closely on actually implementing these things. Luckily this is done in C. However, even in C, this task is quite difficult to understand, and it is hard to keep track of where you are in memory.
On the positive side, I am learning, and learning is always a good process. In this industry you must always expect to keep learning: APIs change, languages change; it's an industry that constantly changes. To think that all that change comes down to assembly language, and how complex it is, is amazing. I hope I can keep learning and truly understand it. I am sure it will become very useful, or at least give a deeper understanding of everything I do in programming.
Game development is something that I'm very passionate about. I have been working on a new game that I hope to release within the next year using UE4. Before getting into UE4, I created a simple royale iOS game. One thing I have noticed that is very difficult to accomplish is multiplayer. There are many variables that come into play, and depending on the type of video game that you make, it can be very difficult or simple. On the very difficult end of the spectrum would be turn-based games such as Call of Duty. These games require player positions to be as close as possible to real time. There are many ways to accomplish the desired behavior, either by interpolating or by extrapolating the players' positions. What I learned when building the entirely native iOS app is that for a turn-based game, interpolating is the best solution. When extrapolating, you have to constantly try to predict the remote clients' positions using their speed, direction, current position, etc. This becomes inaccurate because players are constantly turning unpredictably. Extrapolation might be a better solution for racing games, where the cars usually just go forward, so it's fairly easy to predict where the car will be in the next second or so.
In my royale iOS app, I had to design my own server. Initially I used a Python server, which worked fine but wasn't very well developed. So I completely remade it using Node.js with the Socket.IO framework/API. This, in combination with an interpolating system, made gameplay very smooth. In a sense you are always viewing the past, but at 30-60 ticks a second, and I must say that it becomes almost unnoticeable. This is just the tip of the iceberg, however; I learned that the response times (ping) from client to server and vice versa are a big headache themselves. I am very glad that I took the time to go through all of that before using UE4, which basically does it all for you: you just set some priorities, etc., and it just works, which takes all the fun out of it but makes it all easier. There was little to no documentation on creating a server for iOS that is real time or gives the illusion of it. I think I will be creating a tutorial or website where I can upload information and user-friendly content for beginners to start learning.
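The interpolate-versus-extrapolate choice from the two paragraphs above, as an added example that is not the game's or the post's own code. A client keeps the last few timestamped position snapshots received from the server and renders a remote player a fixed delay in the past, between two real reported positions ("always viewing the past"); the extrapolation method is included alongside to show how dead-reckoning from the last two snapshots drifts the moment the player turns. The 100 ms render delay and the snapshot values are constructed for the example.

```python
from bisect import bisect_right


class RemotePlayer:
    """Client-side view of a remote player driven by server position snapshots."""

    def __init__(self, render_delay: float = 0.1, max_history: int = 32):
        self.render_delay = render_delay   # seconds we deliberately lag behind (assumed 100 ms)
        self.max_history = max_history
        self.snapshots = []                # (time, x, y), kept sorted by time

    def add_snapshot(self, t: float, x: float, y: float) -> None:
        """Record a server update; late or out-of-order arrivals are sorted into place."""
        self.snapshots.append((t, x, y))
        self.snapshots.sort()
        if len(self.snapshots) > self.max_history:
            del self.snapshots[: len(self.snapshots) - self.max_history]

    def interpolated_position(self, now: float):
        """Render the player at (now - render_delay), blended between the two
        snapshots that bracket that instant. Both endpoints are positions the
        server actually reported, so the path drawn is never invented."""
        if not self.snapshots:
            return None
        target = now - self.render_delay
        times = [s[0] for s in self.snapshots]
        i = bisect_right(times, target)
        if i == 0:                       # target lies before our oldest data
            return self.snapshots[0][1:]
        if i == len(self.snapshots):     # no newer snapshot yet: hold the last one
            return self.snapshots[-1][1:]
        t0, x0, y0 = self.snapshots[i - 1]
        t1, x1, y1 = self.snapshots[i]
        a = (target - t0) / (t1 - t0)    # t0 <= target < t1, so t1 > t0 here
        return (x0 + a * (x1 - x0), y0 + a * (y1 - y0))

    def extrapolated_position(self, now: float):
        """Dead-reckon forward from the last two snapshots using their velocity.
        Exact for straight-line motion, wrong as soon as the player turns."""
        if len(self.snapshots) < 2:
            return self.snapshots[-1][1:] if self.snapshots else None
        (t0, x0, y0), (t1, x1, y1) = self.snapshots[-2], self.snapshots[-1]
        dt = t1 - t0
        if dt <= 0:                      # duplicate timestamps: nothing to infer
            return (x1, y1)
        vx, vy = (x1 - x0) / dt, (y1 - y0) / dt
        ahead = now - t1
        return (x1 + vx * ahead, y1 + vy * ahead)


if __name__ == "__main__":
    p = RemotePlayer(render_delay=0.1)
    # Constructed 10 Hz snapshots: straight along x, then a sharp turn along y.
    for t, x, y in [(0.0, 0, 0), (0.1, 10, 0), (0.2, 20, 0), (0.3, 20, 10)]:
        p.add_snapshot(t, x, y)
    for now in (0.25, 0.35):
        print(f"t={now}: interpolated={p.interpolated_position(now)}"
              f" extrapolated={p.extrapolated_position(now)}")
```

At t=0.25 both methods agree on the straight segment; at t=0.35 interpolation places the player at (20, 5), on the reported turn, while extrapolation from the last two snapshots has already carried it to (20, 15), ahead of anything the server has confirmed.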
Well, we finally got our projects assigned and I'm pretty happy with the one I was put into. Picking a project was pretty difficult; there were so many options, which were all very interesting. I was placed into the Hinsdale Wave Research Laboratory project, where we have to build on top of their current software that helps measure the level of water in the facility while also allowing valves to be filled and closed to fill the water levels. I'm fairly excited to work on this project. I'm used to working on all-virtual projects such as games or other types of utility software, never working with real hardware like valves.
Now that we are finally going to begin working on this project, my team and I have decided to use Discord as our main means of communication. This is going well, because as a team communication is key; if we want to succeed in this project we will need to trust each other and work together. I've worked on projects before, in school and out of school, where communication became difficult because we were all working asynchronously, and sometimes things didn't make as much sense or weren't done efficiently enough to keep the entire group's pace. So I'm hoping communication stays important and straightforward.
We are now left trying to communicate with our project sponsor to get more information on developing the app/software that they need created. Our team has mentioned this briefly, but I think it's time to communicate it clearly so that we can set up a meeting. In a professional environment I believe we should have contacted the sponsor as soon as we received the assignment, to proceed professionally and be eye to eye with the sponsor. I imagine that as the client they are very strict and pay tons of money; they would want communication and transparency over the project status to be key, for them to be comfortable and content with the development progress. Overall I'm glad to be this far into my career and one step closer to a real-world paid project.
Welcome to my first blog post! As you can tell just by the title, I am a nerdy guy. I've always been intrigued by technology and the infinite possibilities that one can make a reality. I am currently an Apple employee in Tech Support, which is not really what I want to be doing. My passion is programming, because it helps me create amazing things that not too long ago I would have thought impossible. I've worked on a couple of programming projects, mostly personal, with one professional project that is now an app in Mexico used for auditing. In that project I helped create over 50% of their back end! I learned a lot from it; before I even took my database classes, I spent lots of time studying and using MongoDB and MySQL. Now that I've been through that, it all seems easy, but there are many challenges ahead. I am ready to make a difference.