Category Archive: web
spanish & web Franchu on 13 Jan 2008
Web security, that great piece of unfinished business

As the title of this post says, I believe web security is a great piece of unfinished business, since the vast majority of people still think that the only dangers on the Internet are visiting pages with content of dubious reputation, because they might install something malicious on your machine, and e-mails from people who are not really who they say they are (phishing).
To be honest, until not long ago I also thought (naive me) that, apart from the problems mentioned above, there were the problems of SQL Injection and Cross-Site Scripting (XSS), but that they had a marginal presence on the web: the first because it requires careless programming, and the second because of my perception that XMLHTTPRequest requests only worked against the server from which the page was served.
Little by little I have discovered that there are many things I did not know (and all those I still have to discover!) in the field of web security, but I keep learning thanks to the OWASP page and its feed of interesting security news.
What really led me to write this post is the entry From the Office of “Real World Software Security”, in which, after recommending that a client use an anti-XSS library, the client replied… “We don't use Cross-site scripting”. This made me think that ignorance often puts us in a dangerous situation, which is why it is worth learning as much as possible in order to be prepared for the unexpected.
In the time I have been reading the OWASP RSS feed I have found some posts that seemed very interesting to me:
english & technology & web Franchu on 11 Jan 2008
Free education: eLearning to the rescue

I just found a report from the OECD titled Giving Knowledge for Free: The Emergence of Open Educational Resources.
The first paragraph in the executive summary of the report is particularly revealing.
An apparently extraordinary trend is emerging. Although learning resources are often considered as key intellectual property in a competitive higher education world, more and more institutions and individuals are sharing digital learning resources over the Internet openly and without cost, as open educational resources.
It describes a global trend: people have realised that providing educational materials for free (as in beer) doesn’t represent a threat to their business model. These materials per se have no more value than what the user can extract from them, in the sense that an advanced course on mathematics will only be useful to users who have the background to understand it, and they won’t provide the experience that IMHO makes educational institutions important: the possibility to interact with the instructor.
It seems that researchers understood a long time ago that sharing information once you have achieved results is crucial for the advancement of science, and that is why they publish their findings and attend conferences to disseminate their work while getting recognised for it.
Now it is the moment for educators to move down the same path. Teaching materials, just like scientific research, can be reused: by borrowing ideas on how to present concepts from other educators, a teacher can improve the experience they offer to students. Nevertheless, in order to encourage the sharing of materials, three issues should be addressed, one legal and two technical:
- Intellectual property rights licensing. This can be easily overcome with open licenses such as the Creative Commons family of licenses. This group is already working on licensing Open Educational Resources (OER), and more information is available on the ccLearn pages. Basically, this type of licence enables an institution to change “All rights reserved” to “Some rights reserved”, by letting it control whether the user has to give credit to your work (Attribution), whether it can be used only for non-commercial purposes (Noncommercial), whether they can create derivative works based on your content (No derivative works), or whether the derivative materials have to be distributed under a license identical to the license that governs your work (Share alike). You can check all the details in the detailed licensing page.
- Standard way of sharing teaching materials. This other issue can be easily overcome, as there are many working groups trying to come up with standards for storing the previously mentioned Open Educational Resources (OER) in a common format. After all, we don’t want the creators of materials, once they have finally decided to support the open materials philosophy, to face a wall that hinders the free exchange of learning materials with their peers. Some of the standards that are popular nowadays are SCORM and IMS, which are supported to different degrees by open eLearning platforms (or, in eLearning parlance, CMS, standing for Course Management System) such as Moodle.
- Tools for easily creating teaching materials. It is obvious that not all professors, or knowledge holders in general, are proficient with computer technologies, and that if they need to learn the complex specifications (and different flavours) of each of the standards to create content, they will never take the plunge. That is why there is a need for content creation tools that allow a normal user to create content through a WYSIWYG GUI and export it into one of the common standards. There are several tools on the market, but I would like to point out eXe, which on top of being free open source software is extremely easy to use and has versions for Linux, Mac & Windows.
The OECD report analyses the licensing issue thoroughly and marginally addresses the fact that standards are needed, but does not go into the technical implementation; after all, it is a report for policy makers and higher education strategists, and for them concepts are enough. Once they go for it, others will worry about the technology needed to make it happen.
In this case, both tasks are moving in parallel as there are some institutions that have already shown their will to share contents, and the eLearning possibilities are booming online.
Some examples of institutions that have embraced this philosophy are: MIT Open Courseware (OCW), which offers lectures and contents from MIT courses for free to anyone who wants to drop by their page; Stanford; Yale; UC Berkeley; …
If some of the best universities in the US are willing to do this, maybe there is something good in it. Only universities that are scared of their quality will fail to provide free content for making education truly accessible to everybody. Article 26.1 of the Universal Declaration of Human Rights touches on this issue, although it falls short of covering everybody in all circumstances. I think it is about time to realise that after almost 60 years we can improve this article and give people the possibility to access knowledge even if it comes without the important added value that attending the university provides.
Universal Declaration of Human Rights (1948)
Article 26.
(1) Everyone has the right to education. Education shall be free, at least in the elementary and fundamental stages. Elementary education shall be compulsory. Technical and professional education shall be made generally available and higher education shall be equally accessible to all on the basis of merit.
Let’s give a chance to concepts such as Lifelong Learning (LLL). The European Commission already stated in 2001 its will to promote this concept; how long will it take for all the actors to make it a reality? Only time will tell… but let’s hope it will be soon!
spanish & web Franchu on 27 Dec 2007
Quoting the web the easy way
This morning I came across a website that lets you annotate a web page quickly, easily and simply. The site in question is kwout.com, a homophone of “quote”.
How it works is quite simple. Go to the service's page, enter the URL of the site you want to quote in the text box and click the button labelled “kwout”.
After you select the fragment you want to quote, it gives you a snippet of HTML code that you can use directly on your own website. For example, the previous image is generated with the following code:
<div class="kwout" style="text-align: center;">
<img src="http://kwout.com/cutout/f/cy/jb/qs2_bor_rou_sha.jpg" alt="http://kwout.com"
height="339" title="kwout | A brilliant way to quote" width="591" usemap="#kwout_fcyjbqs2" />
<map name="kwout_fcyjbqs2" id="kwout_fcyjbqs2"><area coords="138,6,437,171"
href="http://kwout.com/" shape="rect" alt="#" /></map><p style="margin-top: 10px;">
<a href="http://kwout.com">kwout | A brilliant way to quote</a> via
<a href="http://kwout.com/quote/fcyjbqs2">kwout</a></p></div>
There is also the option of adding a bookmarklet to your browser, but that is explained on the main page in case you are interested.
There is no longer any excuse for quoting websites by resorting to copy/paste and without citing sources.
