IOTA Improved Design and Implementation of a Modular and Extensible Course Management System Andrew Hamilton 5 th Period

Background Blackboard Outdated Non-extensible Security holes Disliked Moodle Support is limited Lacks some features Iodine Code is complicated Easy to Break existing functionality

Purpose/Goals Design/Implement a Web-based framework Modular Design Easily Extensible Intuitive Interface Standards Compliant Possible Iodine Integration

Quarter 1 Kernel Module Configuration File Security Module Application Security Login Screen The Main Site Page

Quarter 2 Python Wrapper Script Interfaces with Radio via RS-232 Login Module Authenticates Users and provides session management control.

Quarter 3 Satellite-Ground Interface Antenna mounted on dual-axis rotator. Auto-tracks using SatPC32 running on a Windows Box Radio currently connected to same Windows Box. Web Submissions MySQL DBSQL Query Admin Approval Serial Radio/Satellite

Problems/Limitations SatPC32 (tracker program) only runs on Windows Communication between Windows (tracker/radio) and Linux (webserver/MySQL DB) will likely have to be initiated by Windows This prevents real-time command sequencing using web interface. :( (nice feature to have though not critical) Perhaps hook radio up to Linux box and use Windows only as tracker (tracker and radio can be separated).

Message Submission Required Features Page must work without credentials Prevent Automated Submission Prevent/filter double-submissions Submit data to secure DB Optional Enhancements Allow deletion of quotes by submitter View submitted/previously transmitted messages? Possible Solutions Make page separate from kernel (outside of kernel security) ReCAPTCHA (by CMU) Search for message in DB and notify if already present Give form INSERT permissions only Generate a unique hash and deliver it to the submitter Output a table of old quotes by date

Spam Prevention Features ReCAPTCHA blocks auto- submissions by random bots All inputs are escaped before use is obfuscated to protect against harvesting.

reCAPTCHA Developed by CMU Works to digitize old books and block bots simultaneously One of the most secure captchas available today Provides audio captcha for the visually impaired Easy to Implement (plugins/libraries) require_once('recaptchalib.php'); $privatekey = "6LfmUgUAAA "; $resp = recaptcha_check_answer ($privatekey,$_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"],$_POST["recaptcha_response_field"]); if(!$resp->is_valid) $errors[] = "The reCAPTCHA wasn't entered correctly. Try it again."; require_once('recaptchalib.php'); $publickey = "6LfmUgUAAAAAAG45AtY6ok6gTLXsncjMaY9YIRrM"; echo recaptcha_get_html($publickey);

Data Escape Prevents various injection attacks against the database All data is run through an escape_data function function escape_data($mysqli_connection, $data) { if(ini_get('magic_quotes_qpc')) $data = stripslashes($data); $data = mysqli_real_escape_string($mysqli_connection, $data); return $data; } //End of function escape_data() $fname = escape_data($mysqli_connection, htmlspecialchars($_POST['fname'])); Comic from XKCD (xkcd.com) by Randall Munroe

Obfuscation Nifty Tool turns plain-text into the same text but encoded in various bases. Effective and quick means of preventing harvesting User is completely unaffected ReCAPTCHA also offers a more secure (but more obvious) solution that requires users to solve a CAPTCHA to see the . Users see this Bots see this ahami&#x 6c;to@tjhs&#x 73;t.edu

Conclusion Website security is a fairly straightforward solution to provide as a module. In the future, this system could be expanded to create a common logon system (same username and password for different sites, similar to a Google Account). Other features to add are the ability to authenticate against other systems (Kerberos, LDAP, Certificates).

Any Questions?