Bulls and cows and the JavaScript challenge

About 2 years back, I conducted an experiment with the Bulls and Cows game[1] [2]. I now wanted to see what the 'human average' for the game is. So I wanted to build a small Facebook application to add the social aspect to the game and conduct my experiments.

But before I continued, I had to solve a major problem.

If I continue to make it a JavaScript game, as is hosted here, I need to ensure that the random number generated in the browser stays secret and cannot be manipulated or found out by the player through illegitimate means.

Anyone who knows a bit of JavaScript and is used to looking at code using Firebug will soon be able to 'guess' the number in one step:

Yeah, that's right. I store the random number generated in a variable randomNo. And you can find out the value using Firebug. Now this is fine, as long as it is not a competition and you play the game because you actually like it and not because you are winning a million dollars. But what if this game was being played for money?

So my next attempt was to store an MD5 hash of the number and then match it against the MD5 hash of the number entered by the player. This works well as long as the random number is generated on the server side and only the MD5 is sent to the client.

Can the random number and its MD5 be generated on the client side without the user being able to 'debug' and get the random number?

My first attempt towards this was the following piece of code:

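function getRandomNo(){
    // MD5() is not built into the browser; it is assumed to come from an MD5 library loaded by the page.
    // The plaintext number still exists inside this call, so a debugger stepping in can read it.
    var md5OfRandomNo = MD5(Math.floor(Math.random()*10001)+'');
    return md5OfRandomNo;
}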

But unfortunately:

and you step into the function and:

🙁

Right now, I am still not able to find a fool-proof way to generate the random number on the client side. Is there a solution?

Ok, let's say the number is securely generated in some way (client or server) and we only store the MD5 value on the client. Now, there is a second problem:

What if the player just changes the random number altogether?

>>> randomNo
"948f847055c6bf156997ce9fb59919be"
>>> randomNo = MD5('7839')
"ca91c5464e73d3066825362c3093a45f"

We need to maintain a session and include some verification code to ensure that the MD5 was not manipulated.

Is there a solution for this if we want to write the entire game using only JavaScript? Are there any other issues other than the 2 described?
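One way to do the session and verification step described above, as an added example that is not the blog's code: the server keeps the number, hands the browser a salted commitment plus an HMAC tag bound to the session, and scores every guess itself. It runs under Node.js; SHA-256 and HMAC stand in for the post's MD5, and `SERVER_KEY`, `games` and all function names are assumptions made for illustration.

```javascript
// Added example, not the blog's code. SHA-256/HMAC replace the post's MD5.
const { createHash, createHmac, randomBytes, randomInt, timingSafeEqual } =
  require('node:crypto');

const SERVER_KEY = randomBytes(32); // assumption: key held only by the server
const games = new Map();            // assumption: in-memory session store

const sha256 = (s) => createHash('sha256').update(s).digest('hex');
const sign = (sessionId, commitment) =>
  createHmac('sha256', SERVER_KEY).update(`${sessionId}:${commitment}`).digest();

// The server picks the number; the browser only receives commitment + tag.
function newGame(sessionId) {
  const secret = String(randomInt(0, 10000)).padStart(4, '0');
  const nonce = randomBytes(16).toString('hex'); // hides the small number space
  const commitment = sha256(`${nonce}:${secret}`);
  games.set(sessionId, { secret, nonce });
  return { commitment, tag: sign(sessionId, commitment).toString('hex') };
}

// True only for a commitment this server issued for this session.
function isUntampered(sessionId, commitment, tag) {
  const given = Buffer.from(String(tag), 'hex');
  const expected = sign(sessionId, String(commitment));
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Bulls: right digit, right place. Cows: right digit, wrong place.
function score(secret, guess) {
  let bulls = 0, common = 0;
  for (let i = 0; i < secret.length; i++) if (secret[i] === guess[i]) bulls++;
  for (const d of '0123456789') {
    common += Math.min(secret.split(d).length - 1, guess.split(d).length - 1);
  }
  return { bulls, cows: common - bulls };
}

// Scoring happens on the server, after the client-held state is verified.
function handleGuess(sessionId, commitment, tag, guess) {
  if (!games.has(sessionId) || !isUntampered(sessionId, commitment, tag)) {
    return { error: 'rejected' };
  }
  if (!/^\d{4}$/.test(guess)) return { error: 'bad guess' };
  const { secret, nonce } = games.get(sessionId);
  const result = score(secret, guess);
  // On a win, reveal nonce + secret so the player can recompute the commitment.
  return result.bulls === 4 ? { ...result, reveal: { nonce, secret } } : result;
}
```

Replacing the stored hash in the console, as in the Firebug session above, now fails the tag check, and the reveal on a win lets the player confirm the server did not change the number mid-game.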

Semantic web and privacy issues

Whoa! This is something interesting.

On one side are the people who are talking about making interesting analysis from information over the web and on the other side are people who are talking about its potential threat to privacy.

Well, I am talking about collecting data from various sources and then making interesting analysis from this data. And this data could be of facts, things or 'people'.

Entity analytics is not something new to the Semantic Web. There is some work going on in the field of Relationship resolution (Who is who), Identity Resolution (Who knows who) and Anonymous Resolution (Who is who and who knows who, anonymously). And this is really important because it helps organizations combat fraud and threats.

But the concern raised in this BBC article cannot be ignored. The most striking statement made here by Hugh Glaser, Southampton University, with reference to the web is, “All of this data is public data already. The problem comes when it is processed”.

You better leave the needle in the hay. Don't try to analyze and find out where I had been last Friday!

Ok, so what is the solution? Role-based security at the data source level is something that I can think of. Build security into the core of the system. This way, no data can get out without people having proper access permissions.

Another solution is to make sure users 'mark' data as available for analysis and if so what kind of analysis. Using data for sampling (individuals being totally anonymous) might not be really bad.

Well, these are some solutions that I feel might be considered to solve this problem. Time will tell.

All your data is ours, but, but wait, what about privacy? contd…

I had recently blogged about privacy concerns with regard to storing data online. And this is what I found today: Do you trust Google?

Among the various things that the article mentions I found these interesting:

* Google working with scientists to make available data related to human genomes. (Now who is going to gift me Google Story?)

* Google providing personal data based on RFID tags.

What is Google up to?!

All your data is ours, but, but wait, what about privacy?

It started with Gmail as far as I can remember. Google provided 1 GB of space and people thought why not store everything online. As I have already said a zillion times, this is what the single data source concept is all about. And now it is back with a bang, with Google Base.

But a thought struck me today.

How can we rely on people who we don't even know? What is the guarantee that Google will not misuse our data? You might say, “What will Google do with MY data?”, but think again. The world becomes so restricted because of the absence of trust. You are not ready to store your confidential files or your private files in the same place. That 100 billion dollar idea that you wrote last night? Are you ready to store it in an online data-source?

The solution?

It would be better if Google (or anyone for that matter) provides the same service, but it does not know what data we store.

The idea is simple.

Encrypt all data as soon as it is created using some key that depends on the user who created the data. Decrypt it just when you need it. A mediator between the client interface and the server is responsible for the encryption and decryption. The mediator of course lies on the client side.

And in the world of semantic web services, you can expect companies to encrypt all data that they generate. So it is ok if you store your confidential files or the vision document of your company in the same single-data-source that you use to publish your photos to the public! (This seems like a horror story now, but it is perfectly valid.) Accidental leaks will not be a problem.

You don't have to be bothered about whether someone will be accessing that data, or if someone misuses it. All copies made of the document will be a waste as people just cannot make sense of it.
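The client-side mediator described above, sketched as an added example that is not from the post: data is sealed before upload with a key derived from the user's passphrase, so the provider stores only a record it cannot read. It runs under Node.js; the passphrase-based key (scrypt), AES-256-GCM, the record layout and the function names are all assumptions chosen for illustration.

```javascript
// Added example, not from the post: a client-side "mediator" for stored data.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } =
  require('node:crypto');

// The key depends on the user: derived from their passphrase and a per-record salt.
const deriveKey = (passphrase, salt) => scryptSync(passphrase, salt, 32);

// Runs on the client before upload; the provider stores only this record.
function seal(passphrase, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh nonce for every record
  const cipher = createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const record = { salt, iv, ct, tag: cipher.getAuthTag() };
  return Object.fromEntries(
    Object.entries(record).map(([k, v]) => [k, v.toString('base64')]));
}

// Runs on the client after download.
// Returns null when the key is wrong or the stored record was altered.
function unseal(passphrase, record) {
  const b = (k) => Buffer.from(String(record[k]), 'base64');
  try {
    const d = createDecipheriv('aes-256-gcm', deriveKey(passphrase, b('salt')), b('iv'));
    d.setAuthTag(b('tag'));
    return Buffer.concat([d.update(b('ct')), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}
```

A copy of the stored record is useless without the passphrase, and the GCM tag means a record changed on the server side is rejected rather than decrypted to garbage.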

Security features like encryption and digital signatures are going to be a very important piece in technological evolution in the years to come. You can bet on it!