Search Results

Search found 19074 results on 763 pages for 'secure government government cloud security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 247/763 | < Previous Page | 243 244 245 246 247 248 249 250 251 252 253 254  | Next Page >

  • Defeating a Poker Bot.

    - by The Rook
    There is a new Open Source poker bot called PokerPirate. I am interested in any creative ways in which a web application could detect/thwart/defeat a poker bot. (This is a purely academic discussion, in the same spirit that PokerPirate was written.)

    Read the article

  • compare password hashes between c# and coldfusion

    - by czuroski
    Hello, I have a password hash that is stored in a table and is put there by the following coldfusion script- #Hash(EnCrypt(UCase(GetPass.username),EnCode))# I am trying to add some outside functionality within a c# application. I would like to be able to take advantage of the data that already exists so that I can authenticate users. Does anyone know how I can replicate the above coldfusion code in c#? Thanks for any thoughts.

    Read the article

  • Restricting access to records. Is claim-based permissions a good idea.

    - by Vitalik
    in .net Claim-based identity framework If i wanted to restrict users to do an operation (view or edit) on let's say an account, a particular account #123456.(i am talking about business entity, like a bank account.) Is it a good idea to create a claim for each account they can view or edit? Any disadvantages of having a lot of claims in a set? a system admin might have access to all accounts in the system thus creating hundreds of claims (maybe more than one for each account)

    Read the article

  • How to limit setAccessible to only "legitimate" uses?

    - by polygenelubricants
    The more I learned about the power of setAccessible, the more astonished I am at what it can do. This is adapted from my answer to the question (Using reflection to change static final File.separatorChar for unit testing). import java.lang.reflect.*; public class EverythingIsTrue { static void setFinalStatic(Field field, Object newValue) throws Exception { field.setAccessible(true); Field modifiersField = Field.class.getDeclaredField("modifiers"); modifiersField.setAccessible(true); modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL); field.set(null, newValue); } public static void main(String args[]) throws Exception { setFinalStatic(Boolean.class.getField("FALSE"), true); System.out.format("Everything is %s", false); // "Everything is true" } } You can do truly outrageous stuff: public class UltimateAnswerToEverything { static Integer[] ultimateAnswer() { Integer[] ret = new Integer[256]; java.util.Arrays.fill(ret, 42); return ret; } public static void main(String args[]) throws Exception { EverythingIsTrue.setFinalStatic( Class.forName("java.lang.Integer$IntegerCache") .getDeclaredField("cache"), ultimateAnswer() ); System.out.format("6 * 9 = %d", 6 * 9); // "6 * 9 = 42" } } Presumably the API designers realize how abusable setAccessible can be, but must have conceded that it has legitimate uses to provide it. So my questions are: What are the truly legitimate uses for setAccessible? Could Java has been designed as to NOT have this need in the first place? What would the negative consequences (if any) of such design be? Can you restrict setAccessible to legitimate uses only? Is it only through SecurityManager? How does it work? Whitelist/blacklist, granularity, etc? Is it common to have to configure it in your applications?

    Read the article

  • Is it safe to display user input as input values without sanitation?

    - by Svish
    Say we have a form where the user types in various info. We validate the info, and find that something is wrong. A field is missing, invalid email, et cetera. When displaying the form to the user again I of course don't want him to have to type in everything again so I want to populate the input fields. Is it safe to do this without sanitation? If not, what is the minimum sanitation that should be done first? And to clearify: It would of course be sanitized before being for example added to a database or displayed elsewhere on the site.

    Read the article

  • C# hash password create salt question

    - by 5YrsLaterDBA
    If I create salt by using something like this: public class User { private const int Hash_Salt_Length = 8; private byte[] saltBytes = new byte[Hash_Salt_Length]; public User() { RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); rng.GetNonZeroBytes(saltBytes); } .... } The saltBytes bytes array will be different for each session (restart the application). How can I check password to allow user login our application?

    Read the article

  • MS Access: Permission problems with views

    - by Keith Williams
    "I'll use an Access ADP" I said, "it's only a tiny project and I've got better things to do", I said, "I can build an interface really quickly in Access" I said. </sarcasm> Sorry for the rant, but it's Friday, I have a date in just under two hours, and I'm here late because this just isn't working - so, in despair, I turn to SO for help. Access ADP front-end, linked to a SQL Server 2008 database Using a SQL Server account to log into the database (for testing); this account is a member of the role, "Api"; this role has SELECT, EXECUTE, INSERT, UPDATE, DELETE access to the "Api" schema The "Api" schema is owned by "dbo" All tables have a corresponding view in the Api schema: e.g. dbo.Customer -- Api.Customers The rationale is that users don't have direct table access, but can deal with views as if they were tables I can log into SQL using my test login, and it works fine: no access to the tables, but I can select, insert, update and delete from the Api views. In Access, I see the views, I can open them, but whenever I try to insert or update, I get the following error: The SELECT permission was denied on the object '[Table name which the view is using]', database '[database name]', schema 'dbo' Crazy as it sounds, Access seems to be trying to access the underlying table rather than the view. Any ideas?

    Read the article

  • How to manually verify a user against the asp.net memberhip database

    - by Ekk
    I would like to know how I can verify a user's credential against an existing asp.net membership database. The short story is that we want provide single sign on access. So what I've done is to connect directly to the membership database and tried to run a sql query against the aspnet_Membership table: private bool CanLogin(string userName, string password) { // Check DB to see if the credential is correct try { string passwordHash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1"); string sql = string.Format("select 1 from aspnet_Users a inner join aspnet_Membership b on a.UserId = b.UserId and a.applicationid = b.applicationid where a.username = '{0}' and b.password='{1}'", userName.ToLowerInvariant(), passwordHash); using (SqlConnection sqlConn = new SqlConnection(ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString)) using (SqlCommand sqlCmd = new SqlCommand(sql, sqlConn)) { sqlConn.Open(); int count = sqlCmd.ExecuteNonQuery(); sqlConn.Close(); return count == 1; } } catch (Exception ex) { return false; } } The problem is the password value, does anyone know how the password it is hashed?

    Read the article

  • How can I make CAPTCHA work across multiple pages?

    - by jm04469
    Ever visit a website such as myspace where they leverage CAPTCHA to prevent spam? The typical pattern is to present a challenge to each URL that is opened, yet the challenge doesn't actually belong to the page itself which causes additional bandwidth usage. So, if I open up six pages at the same time and want to present a challenge on each page. I want the challenge to be tied to the page and not to the session. How can I make this work with Spring and/or Struts.

    Read the article

  • Php referrer works or not?

    - by Camran
    I need to know the referring server for a page on my site. Is there any safe method to check where the user "came" to the page FROM? I tried uploading this to my server, but this wont output anything at all when I write the adress to the file in the browsers adress bar: <?php echo $_SERVER['HTTP_REFERER']; ?> I need to check this in order to display a link on the page or not... Thanks

    Read the article

  • Safest communication method between applications on same machine

    - by Radu
    What is the safest communication method between two applications on the same machine, both Java and C/C++ clients with a Java server. Are SSL sockets safe enough or they can be broken by "man in the middle" attacks? As i saw in the documentation and code samples, JSSE retrieves private/public keys and certificates from keystore files which a malicious user can see. The only thing that you can hide in the code is the password used to unlock the keystores. Can hackers retrieve that password?

    Read the article

  • How to implement Administrator rights in Java Application?

    - by Yatendra Goel
    I am developing a Data Modeling Software that is implemented in Java. This application converts the textual data (stored in a database) to graphical form so that users can interpret the data in a more efficient form. Now, this application will be accessed by 3 kinds of persons: 1. Managers (who can fill the database with data and they can also view the visual form of the data after entering the data into the database) 2. Viewers (who can only view the visual form of data that has been filled by managers) 3. Administrators (who can create and manage other administrators, managers and viewers) Now, how to implement 3 diff. views of the same application. Note: Managers, Viewers and Administrators can be located in any part of the world and should access the application through internet. One idea that came in my mind is as follows: Step1: Code all the business logic in EJBs so that it can be used in distributed environment (means which can be accessed by several users through internet) Step2: Code 3 Swing GUI Clients: One for administrators, one for managers and one for viewers. These 3 GUI clients can access business logic written in EJBs. Step3: Distribute the clients corresponding to their users. For instance, manager client to managers. =================================QUESTIONS======================================= Q1. Is the above approach is correct? Q2. This is very common functionality that various softwares have. So, Do they implement this kind of functionality through this way or any other way? Q3. If any other approach would be more better, then what is that approach?

    Read the article

  • Should I be concerned with infected zip files?

    - by Peter Smith
    I'm writing a ASP.NET application to process user submitted zip files and limiting my extraction of files from it to only the extensions I want. I've heard of infected zip files attached to emails and I was wondering if I should be concerned about extracting data from infected zip files in my application. I don't plan on executing the content inside of the zip file, but will opening and extracting from an infected zip file cause the file to execute a virus even if I'm not executing any content inside of the zip file?

    Read the article

  • What is a good way of checking to see if a particular user may access a particular file?

    - by Rising Star
    I am working on application which runs as a special unprivileged user. I would like to be able to easily check to see if the user can read a given file. It seems like this should be easy, even when I go into the file in Windows Explorer and see that the read permission is checked, it sometimes seems that there is still something preventing the user from reading the file (such as a parent directory that the user cannot browse) when I try to read it as the user programmatically. The user has no console logon permission, so I can't just log in as the user and try to read the file. So... If I want to know, "Does UserBob have access to file c:\specialPath\specialFile, what is an easy way to find out? BTW, my environment is Windows Server 2003.

    Read the article

  • [PHP] md5(uniqid) makes sense for random unique tokens?

    - by Exception e
    I want to create a token generator that generates tokens that cannot be guessed by the user and that are still unique (to be used for password resets and confirmation codes). I often see this code; does it make sense? md5(uniqid(rand(), true)); According to a comment uniqid($prefix, $moreEntopy = true) yields first 8 hex chars = Unixtime, last 5 hex chars = microseconds. I don't know how the $prefix-parameter is handled.. So if you don't set the $moreEntopy flag to true, it gives a predictable outcome. QUESTION: But if we use uniqid with $moreEntopy, what does hashing it with md5 buy us? Is it better than: md5(mt_rand())

    Read the article

  • Are PDO prepared statements sufficient to prevent SQL injection?

    - by Mark Biek
    Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) ); The PDO documentation says The parameters to prepared statements don't need to be quoted; the driver handles it for you. Is that truly all I need to do to avoid SQL injections? Is it really that easy? You can assume MySQL if it makes a difference. Also, I'm really only curious about the use of prepared statements against SQL injection. In this context, I don't care about XSS or other possible vulnerabilities.

    Read the article

  • What's wrong with XOR encryption?

    - by Colin
    I wrote a short C++ program to do XOR encryption on a file, which I may use for some personal files (if it gets cracked it's no big deal - I'm just protecting against casual viewers). Basically, I take an ASCII password and repeatedly XOR the password with the data in the file. Now I'm curious, though: if someone wanted to crack this, how would they go about it? Would it take a long time? Does it depend on the length of the password (i.e., what's the big-O)?

    Read the article

  • Cross-Origin Resource Sharing (CORS) - am I missing something here?

    - by David Semeria
    I was reading about CORS (https://developer.mozilla.org/en/HTTP_access_control) and I think the implementation is both simple and effective. However, unless I'm missing something, I think there's a big part missing from the spec. As I understand, it's the foreign site that decides, based on the origin of the request (and optionally including credentials), whether to allow access to its resources. This is fine. But what if malicious code on the page wants to POST a user's sensitive information to a foreign site? The foreign site is obviously going to authenticate the request. Hence, again if I'm not missing something, CORS actually makes it easier to steal sensitive information. I think it would have made much more sense if the original site could also supply an immutable list of servers its page is allowed to access. So the expanded sequence would be: 1) Supply a page with list of acceptable CORS servers (abc.com, xyz.com, etc) 2) Page wants to make an XHR request to abc.com - the browser allows this because it's in the allowed list and authentication proceeds as normal 3) Page wants to make an XHR request to malicious.com - request rejected locally (ie by the browser) because the server is not in the list. I know that malicious code could still use JSONP to do its dirty work, but I would have thought that a complete implementation of CORS would imply the closing of the script tag multi-site loophole. I also checked out the official CORS spec (http://www.w3.org/TR/cors) and could not find any mention of this issue.

    Read the article

  • SimpleMembership updating the "isconfirmed" flag

    - by Vijay V
    My Users table (the one that I created) has the following columns: UserId,UserName,FirstName,LastName,DOB After I ran this command WebSecurity.InitializeDatabaseConnection("DefaultConnection", "Users", "UserId", "UserName", autoCreateTables: true); it created the required simple membership tables for me. How would I go about "UnConfirming" an user or setting the "IsConfirmed" flag to false in the webpages_Membership using the new SimpleMembership API? (Earlier, before going to simplemembership using the "Membership" class I could update an user using the api call : Membership.UpdateUser( user );)

    Read the article

  • OpenID PAM module

    - by Harvey Kwok
    I am looking for a PAM module that can use OpenID to do the authentication. My idea is that I want to logon my Linux box using my gmail account and password. I found there is a open source project in Google Code which seems to be doing the things I want but I don't see any code available for download. I saw there are so many examples or implementations but they are all about web apps. Is there any non-web based OpenID applications in the world? Is it technically possible to make a non-web based OpenID application? I naively think that it should be possible. I can emulate whatever packets the browser send out to the OpenID provider and get back the result. As long as my Linux box is connected to the Internet, I should be able to use my OpenID to login. Appreciate any comments, suggestions or pointers on how to make an OpenID PAM module. Thanks!

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 243 244 245 246 247 248 249 250 251 252 253 254  | Next Page >