Search Results

Search found 222 results on 9 pages for 'abuse'.

Page 1/9 | 1 2 3 4 5 6 7 8 9  | Next Page >

  • Detecting login credentials abuse

    Greetings. I am the webmaster for a small, growing industrial association. Soon, I will have to implement a restricted, members-only section for the website. The problem is that our organization membership both includes big companies as well as amateur “clubs” (it's a relatively new industry…). It is clear that those clubs will share the login ID they will use to log onto our website. The problem is to detect whether one of their members will share the login credentials with people who would not normally supposed to be accessing the website (there is no objection for such a club to have all it’s members get on the website). I have thought about logging along with each sign-on the IP address as well as the OS and the browser used; if the OS/Browser stays constant and there are no more than, say, 10 different IP addresses, the account is clearly used by very few different computers. But if there are 50 OS/Browser combination and 150 different IPs, the credentials have obviously been disseminated far, and there would be then cause for action, such as modifying the password. Of course, it is extremely annoying when your password is being unilaterally changed. So, for this problem, I thought about allowing the “clubs” to manage their own list of sub-accounts, and therefore if abuse is suspected, the user responsible would be easily pinned-down, and this “sub-member” alone would face the annoyance of a password change. Question: What potential problems would anyone see with such an approach?

    Read the article

  • Detecting abuse for post rating system

    - by Steven smethurst
    I am using a wordpress plugin called "GD Star Rating" to allow my users to vote on stories that I post to one of my websites. http://everydayfiction.com/ Recently we have been having a lot of abuse of the system. Stories that have obviously been voted up artificially. "GD Star Rating" creates some detailed logs when a user votes on a story. Including; IP, Time of vote, and user_adgent, ect.. For example this story has 181 votes with an average of 5.7 http://www.everydayfiction.com/snowman-by-shaun-simon/ Most other stories only get around ~40 votes each day. At first I thought that the story got on to a social bookmarking site Digg, Stumbleupon ect... but after checking the logs I found that this story is getting the same amount of traffic that a normal story gets ~2k-3k. I checked if all the votes for this perpendicular story where coming from a the same IP address. I could see this happening if a user was at a school's computer lab using all their lab computers to vote up this story. Not one duplicate IP address in the log for this story. SELECT ip, COUNT(*) as count FROM wp_gdsr_votes_log WHERE id=3932 GROUP BY (ip ) ORDER BY count DESC Next I thought that a use might be using a proxy to vote up a story. I checked this by grouping all the browser user_agent together to see if there a single browser voting in a perpendicular way. At most 7 users where using a similar browser but voted sporadically (1-5), no evidence of wrong doing. SELECT user_agent, COUNT(*) as count FROM wp_gdsr_votes_log WHERE id=3932 GROUP BY ( user_agent) ORDER BY count DESC I check was to see if all the votes came in at a once. Maybe someone has a really interesting bot that can change the user_adgent and uses proxies, ect... At most 5 votes came with in 2 mins of each other. It doesn't seem to be any regularity on how people vote (IE a 5 vote does not come in once a min) SELECT * FROM wp_gdsr_votes_log WHERE id =3932 AND vote=5 ORDER BY wp_gdsr_votes_log.voted DESC The obvious solution to this problem is to force people to login before they are allowed to vote. But I would prefer to not have to go down that route unless it is absolutely necessary. I'm looking for suggestions on things to test for to detect the abuse.

    Read the article

  • Code Smell: Inheritance Abuse

    - by dsimcha
    It's been generally accepted in the OO community that one should "favor composition over inheritance". On the other hand, inheritance does provide both polymorphism and a straightforward, terse way of delegating everything to a base class unless explicitly overridden and is therefore extremely convenient and useful. Delegation can often (though not always) be verbose and brittle. The most obvious and IMHO surest sign of inheritance abuse is violation of the Liskov Substitution Principle. What are some other signs that inheritance is The Wrong Tool for the Job even if it seems convenient?

    Read the article

  • Code Smell: Inheritance Abuse

    - by dsimcha
    It's been generally accepted in the OO community that one should "favor composition over inheritance". On the other hand, inheritance does provide both polymorphism and a straightforward, terse way of delegating everything to a base class unless explicitly overridden and is therefore extremely convenient and useful. Delegation can often (though not always) be verbose and brittle. The most obvious and IMHO surest sign of inheritance abuse is violation of the Liskov Substitution Principle. What are some other signs that inheritance is The Wrong Tool for the Job even if it seems convenient?

    Read the article

  • LexisNexis and Oracle Join Forces to Prevent Fraud and Identity Abuse

    - by Tanu Sood
    Author: Mark Karlstrand About the Writer:Mark Karlstrand is a Senior Product Manager at Oracle focused on innovative security for enterprise web and mobile applications. Over the last sixteen years Mark has served as director in a number of tech startups before joining Oracle in 2007. Working with a team of talented architects and engineers Mark developed Oracle Adaptive Access Manager, a best of breed access security solution.The world’s top enterprise software company and the world leader in data driven solutions have teamed up to provide a new integrated security solution to prevent fraud and misuse of identities. LexisNexis Risk Solutions, a Gold level member of Oracle PartnerNetwork (OPN), today announced it has achieved Oracle Validated Integration of its Instant Authenticate product with Oracle Identity Management.Oracle provides the most complete Identity and Access Management platform. The only identity management provider to offer advanced capabilities including device fingerprinting, location intelligence, real-time risk analysis, context-aware authentication and authorization makes the Oracle offering unique in the industry. LexisNexis Risk Solutions provides the industry leading Instant Authenticate dynamic knowledge based authentication (KBA) service which offers customers a secure and cost effective means to authenticate new user or prove authentication for password resets, lockouts and such scenarios. Oracle and LexisNexis now offer an integrated solution that combines the power of the most advanced identity management platform and superior data driven user authentication to stop identity fraud in its tracks and, in turn, offer significant operational cost savings. The solution offers the ability to challenge users with dynamic knowledge based authentication based on the risk of an access request or transaction thereby offering an additional level to other authentication methods such as static challenge questions or one-time password when needed. For example, with Oracle Identity Management self-service, the forgotten password reset workflow utilizes advanced capabilities including device fingerprinting, location intelligence, risk analysis and one-time password (OTP) via short message service (SMS) to secure this sensitive flow. Even when a user has lost or misplaced his/her mobile phone and, therefore, cannot receive the SMS, the new integrated solution eliminates the need to contact the help desk. The Oracle Identity Management platform dynamically switches to use the LexisNexis Instant Authenticate service for authentication if the user is not able to authenticate via OTP. The advanced Oracle and LexisNexis integrated solution, thus, both improves user experience and saves money by avoiding unnecessary help desk calls. Oracle Identity and Access Management secures applications, Juniper SSL VPN and other web resources with a thoroughly modern layered and context-aware platform. Users don't gain access just because they happen to have a valid username and password. An enterprise utilizing the Oracle solution has the ability to predicate access based on the specific context of the current situation. The device, location, temporal data, and any number of other attributes are evaluated in real-time to determine the specific risk at that moment. If the risk is elevated a user can be challenged for additional authentication, refused access or allowed access with limited privileges. The LexisNexis Instant Authenticate dynamic KBA service plugs into the Oracle platform to provide an additional layer of security by validating a user's identity in high risk access or transactions. The large and varied pool of data the LexisNexis solution utilizes to quiz a user makes this challenge mechanism even more robust. This strong combination of Oracle and LexisNexis user authentication capabilities greatly mitigates the risk of exposing sensitive applications and services on the Internet which helps an enterprise grow their business with confidence.Resources:Press release: LexisNexis® Achieves Oracle Validated Integration with Oracle Identity Management Oracle Access Management (HTML)Oracle Adaptive Access Manager (pdf)

    Read the article

  • How to report abuse to website hosting company (GoDaddy)

    - by lgratian
    I'm not sure if this is the right place to ask such a question... Let's say that a website posted a picture of me, without my consent, and I want to be removed (it's something private, could compromise my career if it's seen by someone that shouldn't). I sent them an email asking nicely that they should remove it, but they didn't respond and the picture is still there. Using 'Whois' I found that the website is hosted by GoDaddy. Is there a way (an email address, for ex.) to report to GoDaddy that one of the sites they're hosting does something illegal and to force them to remove the photo? I searched the site and found nothing about such a thing. Thnaks in advance!

    Read the article

  • What is the worst real-world macros/pre-processor abuse you've ever come across?

    - by Trevor Boyd Smith
    What is the worst real-world macros/pre-processor abuse you've ever come across (please no contrived IOCCC answers *haha*)? Please add a short snippet or story if it is really entertaining. The goal is to teach something instead of always telling people "never use macros". p.s.: I've used macros before... but usually I get rid of them eventually when I have a "real" solution (even if the real solution is inlined so it becomes similar to a macro). Bonus: Give an example where the macro was really was better than a not-macro solution. Related question: When are C++ macros beneficial?

    Read the article

  • Prevent abuse of public HTTP directory meant for images

    - by sutre
    The situation: Each user has their own public HTTP directory, meant for images only. This could easily be abused by users using it to serve large files, wasting bandwidth. The question: Is there any fairly simple way to prevent this abuse? Either by allowing the webserver to only images to be served, restricting size, or some other method.

    Read the article

  • Does data mining qualify as an abuse?

    - by Hybryd
    Hi all, today I had a strange experience with my ISP. They disabled my password for internet connection, and when I called them, they enabled it again, but they didn't say why it happened. In the last couple of days I was running a data mining that I made for one forum to get some useful info about business that I'm in. So I thought, maybe my ISP figured that 10,000 page requests in couple of hours to the same site may be some kind of attack. What do you think, does it qualify as an attack? Is it even ok to data mine in that way?

    Read the article

  • How to report abuse to website hosting company (GoDaddy) [closed]

    - by lgratian
    I'm not sure if this is the right place to ask such a question... Let's say that a website posted a picture of me, without my consent, and I want it to be removed (it's something private, could compromise my career if it's seen by someone that shouldn't). I sent them an email asking nicely that they should remove it, but they didn't respond and the picture is still there. Using 'Whois' I found that the website is hosted by GoDaddy. Is there a way (an email address, for ex.) to report to GoDaddy that one of the sites they're hosting does something illegal and to force them to remove the photo? I searched the site and found nothing about such a thing. Thnaks in advance!

    Read the article

  • Imagemagick/File upload abuse causing my memory errors

    - by kidcapital
    I had been running out of memory on my server lately and I noticed some individuals uploading the same "file" over and over in quick succession which locks up my instance of mini_magick. Eventually the morgify gets stuck in an infinite look. I've taken care of it by having a daemon watch the morgify process if it get's out of control, but was wondering if there was a better solution You can see the same *.gif being uploading in quick succession. I tried downloading this file too, and it isn't even a gif. I don't know what it is (I can't open it). Anyone experience this kind of exploit before?

    Read the article

  • Prevent abuse of public HTTP directory meant for images

    - by sutre
    The situation: Each user has their own public HTTP directory, meant for images only. This could easily be abused by users using it to serve large files, wasting bandwidth. The question: Is there any fairly simple way to prevent this abuse? Either by allowing the webserver to only images to be served, restricting size, or some other method.

    Read the article

  • VoteCounts: bookmarklet to display up/down votes even for rep<1k

    - by SztupY
    Screenshot / Code Snippet About This small bookmarklet will allow anyone to use the "vulnerability" of the API that it allows you to check the up/down vote count - a feat you could normally achieve by being a 1k+rep user. Mainly useful for sites where you don't have this amount of rep, but want to check the stats of the more controversial questions (usually on meta) No API key is actually used here, but it's trivial to add one. License I don't think a code like this deserves anything other than WTFPL Download It's the following line (javascript - 375 bytes): javascript:(function(){a='jsonp';c=' .vote-count-post';d='up_vote_count';e='down_vote_count';$.ajax({url:document.location.href.replace(/(http:\/\/)(.*)(\/questions\/.*)\/.*/,'$1api.$2/1.0$3'),dataType:a,jsonp:a,success:function(x){b=x.questions[0];$('#question'+c).html(b[d]+"-"+b[e]);$.each(b.answers,function(z,y){$('#answer-'+y.answer_id+c).html(y[d]+"-"+y[e])})}})})() EDIT: This is longer, but it will make the result look like exactly on SO. Took a while to make it exactly 508 chars, so it works with IE too. javascript:(function(){w=function(t,q){l='_vote_count';h='up'+l;j='down'+l;k='</div>';s='<div style="color:';$(t).html(s+'green">'+(q[h]?'+':'')+q[h]+k+'<div class="vote-count-separator">'+k+s+'maroon">'+(q[j]==0?'':'-')+q[j]+k)};a='jsonp';c=' .vote-count-post';$.ajax({url:document.location.href.replace(/(http:\/\/)(.*)(\/questions\/.*)\/.*/,'$1api.$2/1.0$3'),dataType:a,jsonp:a,success:function(x){b=x.questions[0];w('#question'+c,b);$.each(b.answers,function(z,y){w('#answer-'+y.answer_id+c,y)})}})})() Platform For any jquery/bookmarklets compatible browser. Tested with Chrome, FF3.6 and IE8 for SU,SO,MSO Contact sztupy.hu Code It was written in notepad already in minified form. Used firebug to debug. Code is above. Contribute(=decrease code size or make the output nicer) any way you want. I'd be great if you'd do the second code shorter than 508 bytes. Known bugs If a question has more than 30 answers then some of the answers won't be resolved. This can be solved easily for <=100 answers, but for questions with more than 100 answers this is more difficult EDIT: updated to API version 1.0. Answers doesn't work yet.

    Read the article

  • sizeof abuse : get the size of a const table

    - by shodanex
    When declaring a const table, it is possible to get the size of the table using sizeof. However, once you stop using the symbol name, it does not work anymore. is there a way to have the following program output the correct size for table A, instead of 0 ? #include <stdio.h> struct mystruct { int a; short b; }; const struct mystruct tableA[] ={ { .a = 1, .b = 2, }, { .a = 2, .b = 2, }, { .a = 3, .b = 2, }, }; const struct mystruct tableB[] ={ { .a = 1, .b = 2, }, { .a = 2, .b = 2, }, }; int main(int argc, char * argv[]) { int tbl_sz; const struct mystruct * table; table = tableA; tbl_sz = sizeof(table)/sizeof(struct mystruct); printf("size of table A : %d\n", tbl_sz); table = tableB; tbl_sz = sizeof(tableB)/sizeof(struct mystruct); printf("size of table B : %d\n", tbl_sz); return 0; } Output is : size of table A : 0 size of table B : 2

    Read the article

  • Designing rules to fight smallpox in Civ-style TBS games

    - by Williham Totland
    TL;DR: How do you design a ruleset for a Civ-style TBS game that prevents city smallpox from being a profitable or viable strategy? Long version: Civ-style games are pretty great. Bringing a civilization from cradle to grave is a great endeavor, and practicing diplomacy with hard-line human players is fun and challenging. In theory. In practice, however, many of these games has, especially in multiplayer, exactly one viable strategy: City smallpox, a.k.a. infinite city spread, a.k.a. covering all available space with 1-citizen cities, packed as tight as they will go. I suppose this could count as emergent gameplay, but still; it could hardly be considered to be in the spirit of the class of game. The Civilization series, of course, is stuck in their more or less fixed rule sets, established with Civilization. Yes, there have been major changes in some respects, but the rules pertaining to city building and maintenance have stayed pretty similar. So the question, then: If you build a ruleset for a TBS from the ground up; what rules should be in place to prevent Infinite City Sprawl from being a viable strategy? Or should ICS be a viable strategy?

    Read the article

  • Tool to detect use/abuse of String.Concat (where StringBuilder should be used)

    - by Mark Rushakoff
    It's common knowledge that you shouldn't use a StringBuilder in place of a small number of concatenations: string s = "Hello"; if (greetingWorld) { s += " World"; } s += "!"; However, in loops of a significant size, StringBuilder is the obvious choice: string s = ""; foreach (var i in Enumerable.Range(1,5000)) { s += i.ToString(); } Console.WriteLine(s); Is there a tool that I can run on either raw C# source or a compiled assembly to identify where in the source code that String.Concat is being called? (If you're not familiar, s += "foo" is mapped to String.Concat in the IL output.) Obviously, I can't realistically search through an entire project and evaluate every += to identify whether the lvalue is a string. Ideally, it would only point out calls inside a for/foreach loop, but I would even put up with all the false positives of noting every String.Concat. Also, I'm aware that there are some refactoring tools that will automatically refactor my code to use StringBuilder, but I am only interested in identifying the Concat usage at this point. I routinely run Gendarme and FxCop on my code, and neither of those tools identify what I've described.

    Read the article

  • C#, MEF - Sign trusted plugins for abuse reduction

    - by Marks
    Hi there. I have a program that is extendable by plugins using the Microsoft Extensibility Framework. But i dont want untrusted sources to give out plugins that may be insecure. So i want to sign the plugins (maybe with Visual Studio's built in signing) and check if the plugins are trustworthy at program start. I didn't find a way to check DLL signing from inside C#. And also there is the problem, that I load the plugins with a DirectoryCatalog. There is no way to tell, which plugin is from which file. Anyone knows a way to do this? Thanks for any help, Marks

    Read the article

  • Spam in Whois: How is it done and how do I protect my domain?

    - by user2964971
    Yes, there are answered questions regarding spam in Whois. But still unclear: How do they do it? How should I respond? What precautions can I take? For example: Whois for google.com [...] Server Name: GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM IP Address: 217.107.217.167 Registrar: DOMAINCONTEXT, INC. Whois Server: whois.domaincontext.com Referral URL: http://www.domaincontext.com Server Name: GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM IP Address: 69.41.185.195 Registrar: TUCOWS DOMAINS INC. Whois Server: whois.tucows.com Referral URL: http://domainhelp.opensrs.net Server Name: GOOGLE.COM.ZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM IP Address: 209.126.190.70 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM Whois Server: whois.PublicDomainRegistry.com Referral URL: http://www.PublicDomainRegistry.com Server Name: GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZ.HAVENDATA.COM IP Address: 50.23.75.44 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM Whois Server: whois.PublicDomainRegistry.com Referral URL: http://www.PublicDomainRegistry.com Server Name: GOOGLE.COMMAS2CHAPTERS.COM IP Address: 216.239.32.21 Registrar: CRAZY DOMAINS FZ-LLC Whois Server: whois.crazydomains.com Referral URL: http://www.crazydomains.com [...] >>> Last update of whois database: Thu, 05 Jun 2014 02:10:51 UTC <<< [...] >>> Last update of WHOIS database: 2014-06-04T19:04:53-0700 <<< [...]

    Read the article

  • Can I append to a preprocessor macro?

    - by JCSalomon
    Is there any way in standard C—or with GNU extensions—to append stuff to a macro definition? E.g., given a macro defined as #define quux_list X(foo) X(bar) can I append X(bas) so that it now expands as if I’d defined it #define quux_list X(foo) X(bar) X(bas)? I’m playing with discriminated/tagged unions along these lines: struct quux_foo { int x; }; struct quux_bar { char *s; }; struct quux_bas { void *p; }; enum quux_type {quux_foo, quux_bar, quux_bas}; struct quux { enum quux_type type; union { struct quux_foo foo; struct quux_bar bar; struct quux_bas bas; } t; }; I figure this is a good place for the X-macro. If I define a macro #define quux_table X(foo) X(bar) X(bas) the enumeration & structure can be defined thus, and never get out of sync: #define X(t) quux_ ## t, enum quux_type {quux_table}; #undef X #define X(t) struct quux_ ## t t; struct quux { enum quux_type type; union {quux_table} t; }; #undef X Of course, the quux_* structures can get out of sync, so I’d like to do something like this, only legally: struct quux_foo { int x; }; #define quux_table quux_table X(foo) struct quux_bar { char *s; }; #define quux_table quux_table X(bar) struct quux_bas { void *p; }; #define quux_table quux_table X(bas) (Well, what I really want to be able to do is something like member_struct(quux, foo) { int x; }; but I’m well aware that macros cannot be (re)defined from within macros.) Anyhow, that’s my motivating example. Is there a way to accomplish this? Boost.Preprocessor examples are fine, if you can show me how to make the X-macro technique work with that library.

    Read the article

  • Trouble with __VA_ARGS__

    - by Noah Roberts
    C++ preprocessor __VA_ARGS__ number of arguments The accepted answer there doesn't work for me. I've tried with MSVC++ 10 and g++ 3.4.5. I also crunched the example down into something smaller and started trying to get some information printed out to me in the error: template < typename T > struct print; #include <boost/mpl/vector_c.hpp> #define RSEQ_N 10,9,8,7,6,5,4,3,2,1,0 #define ARG_N(_1,_2,_3,_4,_5,_6,_7,_8,_9,_10,N,...) N #define ARG_N_(...) ARG_N(__VA_ARGS__) #define XXX 5,RSEQ_N #include <iostream> int main() { print< boost::mpl::vector_c<int, ARG_N_( XXX ) > > g; // ARG_N doesn't work either. } It appears to me that the argument for ARG_N ends up being 'XXX' instead of 5,RSEQ_N and much less 5,10,...,0. The error output of g++ more specifically says that only one argument is supplied. Having trouble believing that the answer would be proposed and then accepted when it totally fails to work, so what am I doing wrong? Why is XXX being interpreted as the argument and not being expanded? In my own messing around everything works fine until I try to pass off VA_ARGS to a macro containing some names followed by ... like so: #define WTF(X,Y,...) X , Y , __VA_ARGS__ #define WOT(...) WTF(__VA_ARGS__) WOT(52,2,5,2,2) I've tried both with and without () in the various macros that take no input.

    Read the article

  • How do you perform macro expansion within #ifdef?

    - by Malvineous
    Hi all, I have some fairly generic code which uses preprocessor macros to add a certain prefix onto other macros. This is a much simplified example of what happens: #define MY_VAR(x) prefix_##x "prefix_" is actually defined elsewhere, so it will be different each time the file is included. It works well, but now I have some code I would like to skip if one of the tokens doesn't exist, but this doesn't work: #if defined MY_VAR(hello) What I want it to expand to is this: #ifdef prefix_hello But I can't figure out how. I need to use the MY_VAR() macro to do the expansion, so I can't just hardcode the name. (It's actually for some testing code, the same code gets included with a different prefix each time to test a bunch of classes, and I want to skip a couple of tests for a handful of the classes.) Is this possible with the C++ preprocessor?

    Read the article

  • Remove extra junk from C proprocessor?

    - by Brendan Long
    I'm trying to use the C proprocessor on non-C code, and it works fine except for creating lines like this at the top: # 1 "test.java" # 1 "<built-in>" # 1 "<command-line>" # 1 "test.java" The problem is that these lines aren't valid in Java. Is there any way to get the preprocessor to not write this stuff? I'd prefer not to have to run this through something else to just remove the first 4 lines every time.

    Read the article

  • Remove extra junk from C preprocessor?

    - by Brendan Long
    I'm trying to use the C preprocessor on non-C code, and it works fine except for creating lines like this at the top: # 1 "test.java" # 1 "<built-in>" # 1 "<command-line>" # 1 "test.java" The problem is that these lines aren't valid in Java. Is there any way to get the preprocessor to not write this stuff? I'd prefer not to have to run this through something else to just remove the first 4 lines every time.

    Read the article

1 2 3 4 5 6 7 8 9  | Next Page >