21 Nov 13

Dilixiri, Securing a REST API and OzU-EMS


In 2010, I was working on turning the Dilixiri web app into an iPhone app. (Dilixiri is a Turkish-English and English-Turkish sentence translation app.) The problem at that time was that our small team did not know anything about exchanging data between different programs. I knew a few things about TCP/UDP from an example in my PyQt book. I first thought about running a TCP server on the server side; then, since Dilixiri's page is a Django-based HTML page that simply uses an HTML POST to translate a sentence, I tried to do the same thing a web browser does.

For two major versions of Dilixiri (1.0-2.0), it worked pretty well. I was simulating what a web browser does by sending exactly the same headers a browser sends when making the request. Another problem was parsing the response (an HTML file). I used some simple split() calls to find the text I was looking for. (Now I feel embarrassed about it, especially after learning about the side effects and about regular expressions.)

However, in 2012, instead of making another big mistake, I did something right without knowing that it is (partially) the best practice for Dilixiri. In 3.0, I changed how the app handles translation by putting JSON in the middle. But I was afraid of third parties who could easily use the same service in their own software, so I had to think about a way to handle that.

My first attempt was a GET-parameter based API, so in this case:
http://dilixiri.com/api/?translate=hello&from=eng
But if somebody discovers this URL pattern, it can be used without permission. Even though my first attempt was what engineers would call a very bad implementation, this time I thought about issuing an API key, as some of the well-known web services do. But if I request a translation:
http://dilixiri.com/api/?translate=hello&from=eng&key=123123123123
it is the same thing. This request can be observed on the network and simply sent again (a man-in-the-middle attack, or just a replay). In the end, I implemented something like:
http://dilixiri.com/api/?translate=hello&from=eng&md5=ef800e8….9ff878e50a886d2

I hashed the request together with the API key, so every request carries a different hash value and the key itself never appears on the wire. With this in place replay attacks are still possible (an observed request can be resent as-is), but building a fully working client that makes translations exactly as Dilixiri does became impossible without knowing the API key.

A big drawback is that you can use only one API key. Another is replay attacks. For an API like Dilixiri's that is not a big deal, but when you think about other services both need to be handled: immunity from replay attacks and being able to serve more than one client.

How can this be achieved? Nowadays, in the Computer Club, we are working on OZU-EMS (Özyeğin University Event Management System), which lets clubs submit their club events to the system; the system then shares them on its mobile app, web page, etc. It also saves time on the university side. (The professor responsible for the club and the social coordinator of the university can accept or reject the club's event request easily and painlessly.) We were looking for a way to make an API that serves these events to different clients outside the server, such as an Android app or a Kinect-based Windows app (CreativeOzu, another club, is working on that). After a little research, I found that my Dilixiri 3.0 approach was the correct one, but with lots of clients and different API keys there should be a public key and a private key: the public key is sent with the request and identifies which client is calling, and the private key, known only to that client and the server, is the secret mixed into the hash. I personally wanted to share these links for a detailed explanation of implementing this solution:
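The two schemes above (hash the request together with a secret, and the multi-client version with a public key naming the client and a private key signing the request), as an added example that is not Dilixiri's or OZU-EMS's code: the signature is an HMAC-SHA256 over the sorted parameters, and a timestamp plus a one-time nonce are signed too, which is what closes the replay hole the earlier version still had. The client names, secrets, the 300-second window and the nonce table are constructed values for this example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed credentials for the example. The key id ("public key") is sent in
# the clear and only identifies the client; the secret ("private key") is known
# to that client and the server and is never sent.
CLIENT_SECRETS = {
    "android-app": b"constructed-secret-for-the-android-client",
    "kinect-app": b"constructed-secret-for-the-kinect-client",
}

# A signed request older than this is rejected, so the server only has to
# remember nonces for this long (assumed value for the example).
WINDOW_SECONDS = 300


def canonical_string(params):
    """Encode parameters in sorted order so both sides hash identical bytes."""
    return urlencode(sorted(params.items()))


def compute_signature(secret, params):
    """HMAC-SHA256 over everything except the signature field itself."""
    unsigned = {k: v for k, v in params.items() if k != "sig"}
    msg = canonical_string(unsigned).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(key_id, secret, params, now=None, nonce=None):
    """Client side: add key id, timestamp and nonce, then sign the whole thing.

    Every request carries a fresh nonce, so the signature differs each time
    even when the same sentence is translated twice.
    """
    signed = dict(params)
    signed["key"] = key_id
    signed["ts"] = str(int(time.time()) if now is None else now)
    signed["nonce"] = secrets.token_hex(16) if nonce is None else nonce
    signed["sig"] = compute_signature(secret, signed)
    return signed


def verify_request(params, seen_nonces, now=None):
    """Server side: returns (accepted, reason).

    seen_nonces is a dict nonce -> timestamp that the server keeps between
    calls; it is what turns a replayed request into a rejected one.
    """
    now = int(time.time()) if now is None else now
    try:
        key_id = params["key"]
        ts = int(params["ts"])
        nonce = params["nonce"]
        sig = params["sig"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth parameters"

    secret = CLIENT_SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"

    # Check the signature before anything that touches server state, so an
    # attacker cannot fill the nonce table with unsigned junk.
    expected = compute_signature(secret, params)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"

    if abs(now - ts) > WINDOW_SECONDS:
        return False, "timestamp outside window"

    if nonce in seen_nonces:
        return False, "replayed nonce"

    # Forget nonces that can no longer pass the timestamp check, then record
    # this one so the same request cannot be accepted twice.
    for old_nonce, old_ts in list(seen_nonces.items()):
        if abs(now - old_ts) > WINDOW_SECONDS:
            del seen_nonces[old_nonce]
    seen_nonces[nonce] = ts
    return True, "ok"


if __name__ == "__main__":
    server_state = {}
    request = sign_request("android-app", CLIENT_SECRETS["android-app"],
                           {"translate": "hello", "from": "eng"})
    print(verify_request(request, server_state))  # accepted
    print(verify_request(request, server_state))  # rejected: replayed nonce
    request["translate"] = "goodbye"
    print(verify_request(request, server_state))  # rejected: bad signature
```

Two design points worth noting: the signature covers the timestamp and nonce, so an attacker cannot take a captured request and simply bump the timestamp; and HMAC is used instead of a bare hash of secret plus parameters, because HMAC is the construction that is actually designed to be used with a secret key.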

There are other methods, such as implementing an HTTPS-based service or something else. But I think this kind of custom solution is better if you want to handle and understand it yourself. Note that signing a request only authenticates it; the parameters themselves still travel in cleartext, so HTTPS complements the signature rather than replacing it.


29 Mar 13

Özyeğin University Computer Club?


Because of the international students we have in our university, and since we all know English, this post will be in English. If you want to contact me about the Computer Club, you can send me an email in Turkish or English. (taha.gunes [at] ozu.edu.tr)

So why am I writing this? First of all, I want to clarify some things about the club, and I may or may not convince you to become a member of the Computer Club. It is up to you, and we need you!

Hello folks,

Let me start by telling you how the idea of “Let's start a new club, and call it ‘Computer Club’” came about. 🙂 I clearly remember my first day at university. It was the “Orientation Days of Ozyegin University”. All of the university clubs were trying to attract the newcomers to join. As a computer (programmer etc.) guy with very little (tiny) experience in electronics and robotics, the “Technology and Robotics Club” got my attention. That was the first time I met Bahadır. Later we met in the CS101 lectures and had quite a bit of fun with some code examples. (“Loading…”) As a member of the “Technology and Robotics Club”, I attended their club meetings and learned that it is the first club founded in the university and has a very good history. However, I felt at that time that, as computer guys (when I write this, I mean it in a general sense, for instance programmers, game/web/mobile developers, graphic artists), we needed a club where we could put all of our attention on computer stuff, besides electronics and robotics. Bahadır and I agreed on this and tried to find some people who could give their attention to a new club.

Founding a club is not easy. Really, I mean it. The first members tried to found this new club. (Meetings, discussions, rules, regulations etc.) There were some discussions about the “first members” after our first club meeting. People asked “Why didn't you introduce this idea in the first place, before telling us ‘Yes, we founded a club’?” and also “Who is ‘we’?”, “Who are you?” People were right to ask these questions and I can't blame them. It would have been better if we had told everybody about this. (For example, maybe all of the university students we could find.) There are some points I would like to mention. First, it is my first year and I don't know you either, and that is a good reason for me to start a club like this: to meet you and get to know you. Second, you don't need to lose your time founding the club. It was already founded. And finally, third, a club is a community; we are not trying to make a super-secret private club that only we can get into. (That is a great idea by the way; I talked about this with Salih, president of CineOzu. It is something like an airport lounge, but only those who have the special card can get in. You will be free to eat, rest, talk, chat. And members will be selected by reference 🙂 ) A club is only for university students, and the aim is to make some good, unforgettable things in our free time.

So on 30.11.2012, a club meeting was held and we talked about why we need a club in our university and what its benefits would be. From that day to today, we have more than 25 members, and we are still trying to do some voluntary things in our free time for the Computer Club. We attended BILMOK (and we are secretly working on some projects) (and developing a nuclear weapon… oops, you are not supposed to hear that 🙂 )

I don't want to repeat the same things I said in that club meeting. I just want to mention, and yell to you, that it is a very wonderful thing to meet people. By people I mean university students, organizations, companies etc. I see the Computer Club as a great way for all of the members to build the kind of good network in which we talk, communicate, build, create, participate and, most importantly, are aware of what is going on in the computer world.

Someone who looks at this club from outside may think “they are doing nothing”, “they are just sitting and telling people that they founded a club and taking advantage of that.” Believe me, working for the club is something we do in our free time and without any obligation (freely, voluntarily). It is not easy to find free time all the time, and everybody is busy too (me too). (“I have a midterm tomorrow”, “I need to finish my homework”, “I need to study”, “I have some other things to do”.) The path you select is completely yours, and I am not the one who has the privilege to rule you. IT IS VOLUNTARY! If you don't have much time, cool. We will not put you under an obligation. We will be grateful if you say that you don't have much time for something. Remember, it is a good feeling to work together; the things you try to do by yourself are most of the time easy when experiences are shared. With this collaboration among members, I believe

Özyeğin Üniversitesi Bilgisayar Mühendisliği Topluluğu Facebook Page vs. Computer Club

Before the Computer Club, there was a great Facebook page, and the authors of some of the posts on that page are CS students. But, personally, being seen as restricting other people who are not CS students is not good, and it is not an official community (or club) approved by the university. I kindly invite the members of this page to our club too. You are most welcome!

So again, please don't fool yourself that you don't have time (I believe you have) or that you don't want to put yourself under an obligation. Even tiny things like “printing a poster” count, and you will be credited as well.

Let's make a difference. We want to meet you. We decided not to make the mistake of separating meetings (board members and normal members). We will welcome you at our meetings. You can contact me directly (taha.gunes [at] ozu.edu.tr); we just want a small fee for being a member. (10 TL, come on!) That's all.

If you read the whole thing, I congratulate you for your effort (1078 words). (If there are some grammatical problems, I want to mention that it is 2:45 AM right now, please forgive me!)