Scaling Backend Authentication at Facebook

Secure authentication and authorization within Facebook’s infrastructure play important roles in protecting people using Facebook’s services. Enforcing security while maintaining a flexible and performant infrastructure can be challenging at Facebook’s scale, especially in the presence of varying layers of trust among our servers. Providing authentication and encryption on a per-connection basis is certainly necessary, but also insufficient for securing more complex flows involving multiple services or intermediaries at lower levels of trust. To handle these more complicated scenarios, we have developed two token-based mechanisms for authentication. The first type is based on certificates and allows for flexible verification due to its public-key nature. The second type, known as “crypto auth tokens”, is symmetric-key based, and hence more restrictive, but also much more scalable to a high volume of requests. Crypto auth tokens rely on pseudorandom functions to generate independently-distributed keys for distinct identities. Finally, we provide (mock) examples which illustrate how both of our token primitives can be used to authenticate real-world flows within our infrastructure, and how a token-based approach to authentication can be used to handle security more broadly in other infrastructures which have strict performance requirements and where relying on TLS alone is not enough

A Case Study on Cloud Migration and Improvement of Twelve-Factor App

The Twelve-Factor app methodology was introduced in 2011, intending to raise awareness, provide shared vocabulary and offer broad conceptual solutions. In this thesis, a case study was done on two software implementations of the same business idea. The implementations were introduced and then analyzed with Twelve-Factor. Hevner's Information Systems Research Framework was used to assess the implementations, and Twelve-Factor's theoretical methodology was combined with them to form results. The implementations were found to fulfill most of the twelve factors, although in different ways. The use of containers in the new implementation explained most of the differences. Some factors were also revealed to be standard practices today, which showed the need to abstract factors like Dependencies, Processes, Port binding, Concurrency, and Disposability. In addition, the methodology itself was analyzed, and additions to it were introduced, conforming to the modern needs of applications that most often run containerized on cloud platforms. New additions are API First, Telemetry, Security, and Automation. API First instructs developers to prioritize building the APIs at the start of the development cycle, while Telemetry points that as much information as possible should be collected from the app to improve performance and help to solve bugs. Security introduces two different practical solutions and a guideline of following the principle of least privilege, and lastly, automation is emphasized to free up developer time.Twelve-Factor App on vuonna 2011 julkaistu metodologia, jonka tarkoituksena on nostaa tietoisuutta, tarjota jaettu sanakirja alan termistölle sekä tarjota yleinen käsitteellinen ratkaisu. Tässä työssä esitellään kaksi toteutusta samasta liiketoimintaideasta. Toteutukset esitellään ja ne analysoidaan Twelve-Factorin avulla. Hevnerin Information Systems Research Framework -mallia hyödynnettiin toteutusten arvioinnissa ja se yhdistettiin Twelve-Factor -mallin kanssa, jotta saatiin tulokset. Työssä huomattiin, että suurin osa Twelve-Factorin kuvaamista osista toteutuivat ohjelmistoja tarkasteltaessa. Toteutuksissa oli kuitenkin eroa. Etenkin Docker konttien käyttäminen uudessa toteutuksessa selitti suurimman osan eroista. Twelve-Factorin osien toteutuminen suurilta osin näytti tarpeen abstrahoida osia mallista, jotka ovat jo tavanomaisia käytäntöjä. Sen lisäksi metodologia itsessään analysoidaan ja siihen esitettiin lisäyksiä, jotta se vastaisi nykyaikaisten ohjelmistotuotteiden tarpeisiin, jotka ovat useimmiten kontitettuina eri pilvipalveluissa.Uusia lisäyksiä ovat API ensin -ajattelu, telemetria, tietoturva ja automaatio. API ensin -ajattelu ohjeistaa kehittäjiä priorisoimaan rajapintojen rakentamisen mahdollisimman aikaisessa vaiheessa ohjelmistoprojektia, kun taas telemetria ohjeistaa keräämään mahdollisimman paljon tietoa ohjelmiston toiminnasta, jotta voidaan kehittää tuotteen suoritustehokkuutta sekä helpottaa ohjelmistovirheiden ratkaisemista. Tietoturva esittelee kaksi erilaista käytännön ratkaisua sekä ohjenuoran noudattaa vähimpien oikeuksien periaatetta. Viimeisimpänä automaation tärkeyttä painotetaan, jotta säästetään ohjelmistokehittäjien aikaa ja ohjataan resursseja varsinaiseen arvon luomiseen

Analysis, design and implementation of a Node.js Web Application for personal link management using a single link in social networks.

[Abstract] The main objective of this project is the development of a Web Application, using a modern technology stack and a scalable system architecture, to provide Social Network users a place to store all their important links for their followers to access in a seemingly transparent manner from their user profiles. This is in some cases necessary as some social networks, of which Instagram is the prime example, block the usage of links/URLs anywhere in their application, except for the usage of a single link as a user’s Webpage inside their profile information. The project will also focus on providing useful insights and analytics to the profile owner based on the metadata collected from visitors’ clicks on the link collection.[Resumen] El objetivo principal de este proyecto es el desarrollo de una Aplicación Web, utilizando un stack de tecnologías moderno, y una arquitectura de sistema escalable, para proveer a los usuarios de las Redes Sociales de un lugar donde almacenar todos sus links importantes para que sus seguidores puedan acceder a ellos de una manera aparentemente transparente desde sus perfiles de usuario. Esto en algunos casos es necesario, ya que algunas redes sociales, de las cuales Instagram es el mejor ejemplo, bloquean la utilización de links en cualquier sitio de la aplicación, excepto la utilización de un único link como la página web del usuario dentro de su perfil de usuario. El proyecto también tiene como objetivo proporcionar al usuario de nuestra aplicación con datos y analíticas basadas en los metadatos recolectados de los clicks en la colección de links de la aplicación.Traballo fin de grao. Enxeñaría Informática. Curso 2020/202

LibTracker--A React Native & Quarkus App to Track Your Personal Book Library

This project consisted of developing a full-stack mobile application to track individuals’ personal book libraries. Users were able to create accounts, import book data, categorize books by tags, organize books in virtual shelves and search the library. The ultimate goal of the project was to develop expertise in mobile application development and gain new experience with a modern framework, and therefore React Native [1] was chosen. To manage the app’s data a server backend was implemented using the open source Quarkus [2] framework and data was stored in a Postgres [3] database. In addition to developing the mobile app and backend a small- scale publicly accessible deployment using a Raspberry Pi [4] as the host was built. This was performed in order to learn some mechanisms that later could be used in a future production cloud deployment that could support a public release of the LibTracker app. Overall the project began with merely the concept and progressed through learning React Native from scratch all the way to a fully functional proof of concept grade prototype with all the basic features necessary to track one’s personal book library

iOS Technologies & Frameworks

Apple’s mobile platform — iOS — currently generates the largest amount of revenue out of all mobile app stores. The majority of iDevices run the latest major iOS version (iOS 10) due to Apple users’ tendency to update their devices. Consequently, iOS developers are pressured into keeping their apps up to date. Advantages to updating apps consist of new features and adapting apps to the platform’s hardware and software evolution. However, this does not always happen. There are apps, some popular (with many users), which either receive slow updates, or not at all. The main consequence of developers not updating to the latest tendencies (i.e. user interface or API changes) is the degradation of their apps’ user experience. This subpar user experience leads to a decrease in the number of installs (and sales) and a search for alternatives that have been updated to support the latest firmware iteration fully. We identified a common pattern amongst ten apps which have subpar reviews on the App Store: excessive battery consumption and lack of user onboarding were just a few of the ssues. Above all, almost all those apps belong to the top 1% of apps (which generate 94% of the App Store’s revenue), so the lack of focus on the user experience is unfortunate considering their massive user bases. We listed the available resources for those wanting to develop or improve iOS apps. Given these requisites, we studied the possibility of developing a mobile app that adopted good engineering practices and, above all, focused on delivering an excellent user experience in a given timeframe of six months. The app’s idea consisted of a wish list management app called Snapwish that allows the user to take photos of objects they want, create wish lists, and share them with family and friends. The app allows for offline usage, with data syncing automatically (in real-time) without user intervention when the app’s Internet connection is present. We tested Snapwish thoroughly to measure the quality of its implementation. Profiling helped assert that core metrics like CPU and memory usage, network data requests and energy consumption were within acceptable values while unit and user interface tests served to validate our code functionally. Furthermore, our team of five beta testers provided valuable feedback and suggestions. Ultimately, the six-month timeframe proved to be insufficient in regards to a release on the App Store, as Snapwish remains in the latter beta stages at the time of writing. This delay is mostly attributed to a lengthy testing process. Thus, we plan on releasing it in the first trimester of 2017.Hoje em dia, a plataforma móvel da Apple — iOS — é a que tem maior revenue em aplicações móveis. A maior parte dos dispositivos móveis iOS corre a versão mais atual (iOS 10), devido à tendência dos seus utilizadores em atualizar o sistema operativo com frequência. Consequentemente, os desenvolvedores da plataforma são pressionados para manterem as suas apps atualizadas. Algumas das vantagens das atualizações consiste em adicionar novas funcionalidades e adaptar as apps à evolução do hardware e do software da plataforma. Contudo, isto nem sempre e verifica. Existem muitas apps, algumas “populares” (com muitas instalações) cuja atualização demora ou não acontece. A principal consequência da não atualização das apps às tendências atuais, quer em termos de interação, quer em termos de mecanismos de proteção de dados, consumo de bateria e outros, é a degradação da experiência de quem as utiliza, consequentemente, a diminuição do número de instalações (e vendas) e a crescente procura de alternativas que tenham estes princípios em conta. Foi identificado um padrão comum em dez aplicações cujas classificações na App Store são medíocres: um consumo exagerado de bateria e falta de user onboarding foram apenas alguns dos problemas. Acima de tudo, quase todas pertencem ao 1% de aplicações que geram 94% das receitas da App Store. A falta de foco na experiência do utilizador é infeliz considerando as enormes bases de utilizadores dessas aplicações. Foram listados os recursos disponíveis para quem pretende desenvolver ou melhorar uma aplicação iOS. Dadas essas premissas, foi estudada a possibilidade de desenvolver uma aplicação móvel que adote boas práticas de engenharia e, acima de tudo, foque na experiência do utilizador, num período de seis meses. A ideia para a aplicação consistiu num gestor de listas de desejos designada Snapwish que permite tirar fotos de objetos que o utilizador deseja, criar listas, e partilhá-las com amigos e familiares. Além disso, a app permite o uso offline e os dados são sincronizados em tempo real sem intervenção do utilizador quando a app dispõe de uma conexão à Internet. A nossa aplicação foi testada extensivamente para medir o nível de qualidade da sua implementação. O profiling ajudou em constatar que métricas fundamentais como o consumo de CPU e memória, pedidos de dados de rede e de consumo de energia (bateria) estavam dentro dos parâmetros aceitáveis. Além disso, uma equipa de cinco beta-testers contribuiu com comentários e sugestões de grande valor. Em última análise, o prazo de seis meses revelou-se insuficiente em relação ao lançamento da app na App Store. O Snapwish permanece numa fase beta avançada (no momento da escrita desta tese). Este atraso é principalmente atribuído a um extenso processo de testes. Assim, pretendemos lançar a aplicação no primeiro trimestre de 2017

Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example

Online services have difficulties to replace passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing. Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice can be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers

Privacy-Preserving and Secure Pilot Self-Assessment

There is a strong culture for using safety risk management tools to monitor the different parts of the operation in the aviation industry. However, most of the monitoring that is being done is done on the technical conditions of the aircraft rather than on the pilot. While there is an expectation that the pilots self-assess their health regarding how fit the pilot is to operate an aircraft, all the tools given are checklist-based. Checklists are widely used in the aviation industry to ensure all tasks are done as they should for mechanics and pilots. However, the drawback of checklist-based systems is that they do not monitor anything over time. As a pilot has responsibility for many passengers on every flight, the consequences of mistakes can be considerable. By not monitoring the health over time, some of the crucial information when considering whether the pilot is fit to fly or not may be forgotten. Fatigue and stress are two essential topics for ensuring the focus is on operating the aircraft rather than either zoning out or being concerned about something else during flight. As the EU work hour regulations exempt everyone within the aviation industry, pilots can work at any time during the day. As the pilots can work at any given point during the day, they have to self-regulate whether they can work. If they do not track topics such as sleep and nutrition, they can be fatigued and lose focus on the work to be done. This thesis presents Gearggus, a self-assessment tool that can assist the pilot in assessing their health based on the information given by a questionnaire. The user answers questions based on how important the data is monitored over time. Based on the answers, there is calculated feedback on how ready the pilot is to operate an aircraft. The data is presented on a history page, so the user can see what the score is based on and how to adjust to gain a better score. Gearggus was evaluated with a qualitative interview with experienced aviation personnel and the Department of Aviation employees at the Unversity of Tromsø. Both parties acknowledge the issues Gearggus is trying to solve, but with modifications to the system. The required changes differ between the parties

Design, development and testing of a full-stack web service for a trajectory computation algorithm

This document delivers a comprehensive report of the final degree project, which had as its primary goal, the design, developing, and testing a full-stack web service to facilitate user-friendly interaction with a trajectory computation software called Dynamo. The crux of this project lies in taking an existing, complex software and making it more accessible and simpler to use for a broad user base through the development of a web service. By leveraging a wide array of technologies - Python, Flask, Vue.js, Tailwind, and MongoDB - and following modern software development methodologies like Agile, a backend server, frontend interface, and a database structure were meticulously designed and implemented. In addition, secure authentication and an efficient system for error handling and validation were integrated to ensure a secure and user-friendly experience. A key aspect of this project was the need to understand how Dynamo functions, even though we did not go into the intricate operational details of the software itself. The main focus remained on its configuration process, providing the basis for developing a web service that allows users to intuitively configure, run, and monitor their simulations. This facilitates a more straightforward way for users to leverage the power of the Dynamo software, regardless of their technical proficiency. For this reason, a web service requirements capture was carried out with researchers from the ICARUS research group, thus ensuring that the developed web service adapts to their needs. All aspects of this project, from understanding Dynamo's configuration process to the development of the backend and frontend of the web service, were tackled systematically and are detailed in this document

Enhanced Failure Detection Mechanism in MapReduce

The popularity of MapReduce programming model has increased interest in the research community for its improvement. Among the other directions, the point of fault tolerance, concretely the failure detection issue seems to be a crucial one, but that until now has not reached its satisfying level. Motivated by this, I decided to devote my main research during this period into having a prototype system architecture of MapReduce framework with a new failure detection service, containing both analytical (theoretical) and implementation part. I am confident that this work should lead the way for further contributions in detecting failures to any NoSQL App frameworks, and cloud storage systems in general

IDMoB: IoT Data Marketplace on Blockchain

Today, Internet of Things (IoT) devices are the powerhouse of data generation with their ever-increasing numbers and widespread penetration. Similarly, artificial intelligence (AI) and machine learning (ML) solutions are getting integrated to all kinds of services, making products significantly more "smarter". The centerpiece of these technologies is "data". IoT device vendors should be able keep up with the increased throughput and come up with new business models. On the other hand, AI/ML solutions will produce better results if training data is diverse and plentiful. In this paper, we propose a blockchain-based, decentralized and trustless data marketplace where IoT device vendors and AI/ML solution providers may interact and collaborate. By facilitating a transparent data exchange platform, access to consented data will be democratized and the variety of services targeting end-users will increase. Proposed data marketplace is implemented as a smart contract on Ethereum blockchain and Swarm is used as the distributed storage platform.Comment: Presented at Crypto Valley Conference on Blockchain Technology (CVCBT 2018), 20-22 June 2018 - published version may diffe