Cryptography talk at DC Python

At the April meeting of DC Python I gave a talk on cryptography. A video of the event is now available on YouTube.

DC Python is the local user group for the Python programming language in the Washington, D.C., Maryland, and Northern Virginia area. I have been hosting a monthly event called Project Night with the group since 2015 and we have recently restarted a monthly talk event. All events can be seen on our Meetup page.

My presentation was a summary of two of my recent posts on two-factor authentication and partial passwords, with an introduction to using cryptography in Python.

The other presentation was given by Alan Swenson on JSON web tokens in Flask. The video for his talk is also available.

Exploring the onset of acute kidney injury during sepsis

In an earlier post I discussed the damage sepsis can do. It has been a focus of many of the projects I have been involved with for the past few years even though the group I am with is tasked with studying kidney disease. We are interested in sepsis because it is a major cause of acute kidney injury.

We do not yet know all the details of this link. Knowing exactly when kidney function falls after sepsis and what triggers the fall could be very important. It would help in developing clinical procedures and therapies to manage patients with sepsis at risk of acute kidney injury.

I recently published a study exploring one potential cause of falling kidney function during sepsis. The kidney filters the blood and removes excess fluid, solutes, and toxins from the body. The blood passes through the glomerulus where fluid can leak out. The volume at this stage is very large and includes many good things the body wants to keep. This fluid then passes through other specialized structures including the tubules where most of the fluid and useful solutes are re-absorbed. To prevent the body from losing too much fluid if the tubules are not working there is a feedback loop that stops the glomeruli producing filtrate.

Using a genetic model I tested whether this feedback loop is activated during sepsis. The results have just been published in the American Journal of Physiology-Renal Physiology.

A partial password implementation

Whilst working on my previous post on two-factor authentication I was reminded of the broad spectrum of approaches taken to security by many sites. I have one bank that does two-factor authentication, another using the standard username/password combination for single-factor authentication, and then another that asks for a username, a piece of personal information and then a partial password, in this case three characters from a password.

Of these three approaches it is the last that seems the weakest. The piece of personal information includes things like the town you grew up in, the name of your first school, etc. These are not generally secret and could be discovered for most people by a bit of research. The partial password scheme seems only slightly stronger than a three character password.

I believe the partial password is intended to prevent a keylogger on your computer from compromising your entire password. This scheme is often paired with selecting characters from a dropdown menu, potentially providing additional protection. The idea is that by requesting different characters on each visit you would need to log in multiple times on a compromised computer before an attacker discovered your entire password.

I don't think such a system would be used in a new application today, but I did wonder how such a scheme might be implemented.
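As an added illustration of the scheme described above (this is not code from the post or from any bank's system), here is one way a server could issue a "three characters from your password" challenge and verify the answer. The design is an assumption: the server stores one HMAC tag per (position, character) under a server-side key, so the record cannot be brute-forced character by character without that key; every requested position is compared in constant time; and the final function models the point made above about a keylogger, counting how many logins must be observed before every position has been requested at least once. The password, key and seeds are constructed sample values.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import List, Optional

POSITIONS_PER_CHALLENGE = 3  # the bank in the post asks for three characters


@dataclass
class PartialPasswordRecord:
    """What the server keeps: password length plus one keyed tag per position."""
    length: int
    tags: List[str]


def enrol(password: str, server_key: bytes) -> PartialPasswordRecord:
    """Store a keyed tag for each (position, character) instead of the plaintext.

    A tag covers a single character, so a plain hash could be inverted by trying
    every printable character; keying each tag with a server-side secret (HMAC)
    means a stolen record is useless without the key as well.
    """
    tags = [
        hmac.new(server_key, f"{i}:{ch}".encode(), hashlib.sha256).hexdigest()
        for i, ch in enumerate(password)
    ]
    return PartialPasswordRecord(length=len(password), tags=tags)


def make_challenge(record: PartialPasswordRecord, seed: Optional[int] = None) -> List[int]:
    """Choose which 0-based positions to ask for on this visit.

    Production code uses the OS CSPRNG; a seed is accepted only to make the
    choice reproducible in tests.
    """
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    return sorted(rng.sample(range(record.length), POSITIONS_PER_CHALLENGE))


def verify(record: PartialPasswordRecord, server_key: bytes,
           challenge: List[int], answers: List[str]) -> bool:
    """Check the submitted characters against the tags for the challenged positions."""
    if len(answers) != len(challenge):
        return False
    ok = True
    for pos, ch in zip(challenge, answers):
        if not 0 <= pos < record.length:
            return False
        actual = hmac.new(server_key, f"{pos}:{ch}".encode(), hashlib.sha256).hexdigest()
        # Constant-time compare for every position; no early exit that would
        # reveal which of the three characters was wrong.
        ok = hmac.compare_digest(record.tags[pos], actual) and ok
    return ok


def logins_until_exposed(length: int, seed: Optional[int] = None, max_logins: int = 10_000) -> int:
    """Logins a keylogger on the client would have to observe before every
    position of a `length`-character password has been requested at least once."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    seen: set = set()
    logins = 0
    while len(seen) < length and logins < max_logins:
        seen.update(rng.sample(range(length), POSITIONS_PER_CHALLENGE))
        logins += 1
    return logins


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed server-side secret
    password = "correcthorse"               # constructed sample password
    record = enrol(password, key)
    challenge = make_challenge(record)
    print("Enter the characters at positions", [p + 1 for p in challenge])
    answers = [password[p] for p in challenge]   # what the legitimate user types
    print("verified:", verify(record, key, challenge, answers))
    print("logins a keylogger must see to cover all 12 positions:",
          logins_until_exposed(len(password), seed=2017))
```

Because each challenge exposes only three characters, the per-login guessing space is tiny, so a real deployment would pair this with strict attempt limits and lockout on the account; the HMAC keying protects the stored record, not the online guess.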

Continue reading ...

Adding second factor authentication with FIDO U2F

This is the first semester since the Fall of 2015 that I have not taught a course with the Foundation for Advanced Education in the Sciences. It was a pleasure teaching and I was lucky enough to spend most of my time on a course I had designed. For the Spring 2016 semester I designed the syllabus and began teaching a course on machine learning and object-oriented Python. I chose to include a web application as I felt it exposed the students to some unfamiliar ideas.

Most of the students were fellow scientists. Many only had previous experience writing scripts for use in their own research. Not trusting user input was often a novel concept. During the course I only had a couple of hours to introduce web applications. This meant I skipped over many important topics. I intend this post to be the first in a collection moving beyond the basics for anyone still new to these concepts. I will start with a basic background but the actual implementation will hopefully be new for most. If implementing web application authentication is familiar to you then skip ahead to the implementation.

Let me know if there are topics you think I should cover moving forward.

In this post I will cover authentication, specifically adding a second authentication factor for additional security.

Continue reading ...

PyDataLondon January talk

I'm just back from the UK where I spent a couple of weeks catching up with family and friends. My visit happened to coincide with one of the monthly PyData London events so I attended and gave a lightning talk on image segmentation in medical applications.

They have built a really vibrant community and it was great meeting over 200 data enthusiasts.

The slide deck is available here. Unfortunately there was no video. The content is a more technical version of the presentation I gave at the NIH Pi Day 2017 event where there was video.