Date post: 31-Dec-2015
IOTA Improved Design and Implementation of a Modular and Extensible Course Management System Andrew Hamilton 5th Period
Transcript
Page 1:

IOTA Improved

Design and Implementation of a Modular and Extensible Course Management System

Andrew Hamilton

5th Period

Page 2:

Background

Blackboard
    Outdated
    Non-extensible
    Security holes
    Disliked

Moodle
    Support is limited
    Lacks some features

Iodine
    Code is complicated
    Easy to break existing functionality

Page 3:

Purpose/Goals

Design/Implement a Web-based framework
    Modular Design
    Easily Extensible
    Intuitive Interface
    Standards Compliant
    Possible Iodine Integration

Page 4:

Quarter 1

Kernel Module

Configuration File

Security Module

Application Security

Login Screen

The Main Site Page

Page 5:

Quarter 2

Python Wrapper Script
    Interfaces with Radio via RS-232

Login Module
    Authenticates Users and provides session management control.

Page 6:

Quarter 3

Satellite-Ground Interface
    Antenna mounted on dual-axis rotator.
    Auto-tracks using SatPC32 running on a Windows Box
    Radio currently connected to same Windows Box.

Diagram labels: Web Submissions, MySQL DB, SQL Query, Admin Approval, Serial, Radio/Satellite

Page 7:

Problems/Limitations

SatPC32 (tracker program) only runs on Windows

Communication between Windows (tracker/radio) and Linux (webserver/MySQL DB) will likely have to be initiated by Windows

This prevents real-time command sequencing using web interface. :( (nice feature to have though not critical)

Perhaps hook radio up to Linux box and use Windows only as tracker (tracker and radio can be separated).

Page 8:

Message Submission

Required Features
    Page must work without credentials
    Prevent Automated Submission
    Prevent/filter double-submissions
    Submit data to secure DB

Optional Enhancements
    Allow deletion of quotes by submitter
    View submitted/previously transmitted messages?

Possible Solutions
    Make page separate from kernel (outside of kernel security)
    ReCAPTCHA (by CMU)
    Search for message in DB and notify if already present
    Give form INSERT permissions only
    Generate a unique hash and deliver it to the submitter
    Output a table of old quotes by date

Page 9:

Spam Prevention

Features
    ReCAPTCHA blocks auto-submissions by random bots
    All inputs are escaped before use
    Email is obfuscated to protect against harvesting.

Page 10:

reCAPTCHA

Developed by CMU

Works to digitize old books and block bots simultaneously

One of the most secure captchas available today

Provides audio captcha for the visually impaired

Easy to Implement (plugins/libraries)

    // Server side: verify the answer submitted with the form
    require_once('recaptchalib.php');
    $privatekey = "6LfmUgUAAA..............................";
    $resp = recaptcha_check_answer($privatekey,
                                   $_SERVER["REMOTE_ADDR"],
                                   $_POST["recaptcha_challenge_field"],
                                   $_POST["recaptcha_response_field"]);

    if (!$resp->is_valid)
        $errors[] = "The reCAPTCHA wasn't entered correctly. Try it again.";

    // Form page: render the CAPTCHA widget
    require_once('recaptchalib.php');
    $publickey = "6LfmUgUAAAAAAG45AtY6ok6gTLXsncjMaY9YIRrM";
    echo recaptcha_get_html($publickey);

Page 11:

Data Escape

Prevents various injection attacks against the database

All data is run through an escape_data function

    function escape_data($mysqli_connection, $data) {
        // If magic quotes already added slashes, remove them to avoid double escaping
        if (ini_get('magic_quotes_gpc'))
            $data = stripslashes($data);
        // Escape characters that are special inside a quoted SQL string literal
        $data = mysqli_real_escape_string($mysqli_connection, $data);
        return $data;
    } // End of function escape_data()

    $fname = escape_data($mysqli_connection, htmlspecialchars($_POST['fname']));

Comic from XKCD (xkcd.com) by Randall Munroe
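The Message Submission and Data Escape slides, combined in an added example that is not part of the original presentation: bound parameters take the place of manual escaping, a UNIQUE index rejects double-submissions so the form's database account needs only INSERT, and the submitter receives a random deletion token. The `messages` table, its columns, the function names, and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
// Added example. Assumptions: the `messages` table and its columns are
// hypothetical, and SQLite in memory stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (
    id INTEGER PRIMARY KEY,
    body TEXT NOT NULL,
    body_hash TEXT NOT NULL UNIQUE,
    delete_token_hash TEXT NOT NULL,
    created_at TEXT NOT NULL)');

// Store a message; returns a one-time deletion token, or null on a duplicate.
// Needs only INSERT: the UNIQUE index detects duplicates, not a SELECT.
function submit_message(PDO $db, string $body): ?string {
    // Normalise case and whitespace so near-identical resubmissions collide.
    $norm = strtolower(trim(preg_replace('/\s+/', ' ', $body)));
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO messages
        (body, body_hash, delete_token_hash, created_at) VALUES (?, ?, ?, ?)');
    try {
        // Bound parameters travel separately from the SQL text.
        $stmt->execute([$body, hash('sha256', $norm),
                        hash('sha256', $token), gmdate('c')]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') return null; // UNIQUE violation
        throw $e;
    }
    return $token; // shown to the submitter once; only its hash is stored
}

// Delete by token; would run under a separate account that holds DELETE.
function delete_message(PDO $db, string $token): bool {
    $stmt = $db->prepare('DELETE FROM messages WHERE delete_token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

// Constructed sample input containing a quote and markup.
$sample = "O'Brien says <b>hello</b>";
$token = submit_message($db, $sample);
var_dump(submit_message($db, "  o'brien says   <B>HELLO</B> ")); // resubmission
foreach ($db->query('SELECT body FROM messages') as $row) {
    // Encode at output time, so the database keeps the original text.
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
var_dump(delete_message($db, 'not-the-token'), delete_message($db, $token));
```

Unlike the slide's `$fname` line, this stores the raw text and applies `htmlspecialchars` only when rendering, which keeps the stored data usable in non-HTML contexts.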

Page 12:

Email Obfuscation

Nifty Tool turns plain-text email into the same text but encoded in various bases.

Effective and quick means of preventing email harvesting

User is completely unaffected

ReCAPTCHA also offers a more secure (but more obvious) solution that requires users to solve a CAPTCHA to see the email.

Users see this

Bots see this

<a href="&#x6d;&#97;&#105;&#x6c;&#116;&#x6f;&#x3a;&#x61;&#104;&#97;&#x6d;&#x69;&#x6c;&#116;&#111;&#x40;&#116;&#x6a;&#x68;&#115;&#x73;&#x74;&#46;&#x65;&#x64;&#x75;">&#x61;&#104;&#97;&#x6d;&#x69;&#x6c;&#116;&#111;&#x40;&#116;&#x6a;&#x68;&#115;&#x73;&#x74;&#46;&#x65;&#x64;&#x75;</a>

Page 13:

Conclusion

Website security is a fairly straightforward solution to provide as a module.

In the future, this system could be expanded to create a common logon system (same username and password for different sites, similar to a Google Account).

Other features to add are the ability to authenticate against other systems (Kerberos, LDAP, Certificates).

Page 14:

Any Questions?
