Search Results

Search found 962 results on 39 pages for 'consumer'.

Page 27/39 | < Previous Page | 23 24 25 26 27 28 29 30 31 32 33 34  | Next Page >

  • Java/C++ communication via pipe on Windows

    - by Warlax
    Hi, I have two separate programs, one in Java and one in C++, both running on Windows. We need to do bidirectional interprocess communication between the two. Up until now, we were using this awkward solution of writing to text files and reading them on the other side, where the producer would generate a .lock file when it's done writing and the consumer would remove that when it's done reading... like I said, awkward. If we were on *nix, we would use a pipe using popen() on the C++ and RadomAccessFile on the Java side. It seems to work well. What can we do on Windows? Can we use named pipes? Thank you.

    Read the article

  • Dependency Injection -Colloquial explanation

    - by nettguy
    Recently I was asked to express the DI in colloquial explanation. I answered : 1) I am going to a hotel.I ordered food.The hotel management asks me to clean the plates and clean the tables.So here i am a client,I am responsible for managing the service (Instantiating,executing,disposing).But DI decouples such tasks so the service consumer no need not worry about controlling the life cycle of the service. 2) He also asked is there any microsoft API follows DI ?.I answered (This was my guess) In WCF you can create a Proxy using ChannelFactory that controls the life time of your factory. for item (1) he said only 10% is correct for item(2) he said that is factory pattern not dependency injection. Actually what went wrong in my explanation (apart from my bad English) ? What is the real answers for those? I am waiting for your valuable suggestions.

    Read the article

  • How to append to an XML response an error attribute using Ruby on Rails 3?

    - by user502052
    I am trying to implement REST APIs, so in my RoR3 application I have XML responses. Before to pass to a consumer the XML, I wuold like to check if there are errors and, if so, send back a response with error messages. I read "Active Record Validations and Callbacks" guides on the RoR website, but it seems not work in my case. I extract from the database a resource doing @response = User.find_by_id(1) and I wuold like, if possible, to add error to it. Seeing some examples I have seen how to report errors in an XML file format.xml { render :xml => @response.errors } but how I can add append new errors to the @response? Maybe something like this: errors.add(:password, "is invalid")

    Read the article

  • Hosting an NServiceBus subscriber in the same application as the producer.

    - by Jack Ryan
    Is it possible to use NServiceBus to publish and consume messages in the same application, specifically a web application? In the future we will almost certainly need to maintain a separate long running service to process messages generated by this application, and this is why we are hoping to use NServiceBus from the start, but right now it would be nice to just start up the consumer and the publisher when the web application starts. This will make testing and deployment far easier for us. I presume I will need to reference the NServiceBus.Host.exe and start up the process in the global.asax, but need help on what exactly I need to call to do this.

    Read the article

  • yum update fails

    - by user1670818
    i have RHEL 6.3 [root@RHEL6 yum.repos.d]# uname -a Linux RHEL6.3-64-BuildMac 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux My /etc/yum.conf looks like [main] cachedir=/var/cache/yum/$basearch/$releasever keepcache=0 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 installonly_limit=3 reposdir=/etc/yum.repos.d/rhel.repo The contents of my /etc.yum.repo.d/rhel.repo looks like [rhelrepo] name=my rhel repo baseurl=http://mirror.centos.org/centos/6.3/os/x86_64/ #gpgkey=http://mirror.centos.org/centos/6.3/os/x86_64/RPM-GPG-KEY-CentOS-6 enabled=1 gpgcheck=0 But my yum update fails with the following error [root@RHEL6 yum.repos.d]# yum update Loaded plugins: product-id, security, subscription-manager Updating certificate-based repositories. Unable to read consumer identity Setting up Update Process No Packages marked for Update please could somebody help

    Read the article

  • Reading and writing dates to the registry for trial version purposes.

    - by LeeW
    Hi all, Here's what I want to do, I want to store the date the first time the program is installed and also store a date when was the program was last run. I want the code to check to see if it was more than 30 days since the installation so I can turn off features. I also want to check if the system date is less than the last opened date and if so write the installed date to 1/1/1901 to prevent the program from running. Keeping in mind that this is not a consumer program but a business program I don't expect hackers to crack it, they may do but that is fine I simply want to give potential customers a reason to consider purchasing the program and the end of the trial will prompt this. 1: Does this sound reasonable? 2: How should I hide the fact this is a date so it's not easily changed? Many thanks Lee

    Read the article

  • Ways to make your WCF services compatible with non-.NET consumers

    - by Mayo
    I'm working on adding a WCF services layer to my existing .NET application. This layer will be hosted in IIS and will be consumed by a variety of UIs, at least one of which will not use Microsoft technologies. I can make a Web service in WCF that is consumed by my .NET application. However, I'm concerned about things that work in the .NET world but not with other technologies. For example, simply throwing an exception from my WCF service works fine in .NET. But according to this article, one should approach exception handling with fault contracts to ensure compatibility with non-.NET consumers. The author labels this lack of foresight as The Fallacy of the .NET-Only World. Does anyone have any high level suggestions or links to articles that cover interoperability between WCF and non-.NET consumers? I realize I'm potentially working against the YAGNI principle. I'm only really looking to avoid things that will be incredibly difficult to overcome later when the developers of the non-.NET consumer report problems to me.

    Read the article

  • Creating a templated silverlight control that has a story board.

    - by Mrt
    I'm trying to create a templated silverlight control that has a simple animation (swap a few color properties). An example would be a control that is similar to the 'questions' menu item in stackoverflow. So the consumer of the control can specify the background color and the background color for the mouseover event. I've run into the issue that I can't use template binding for a storyboard animation (http://stackoverflow.com/questions/1336689/is-it-possible-to-use-templatebinding-in-a-storyboard-in-silverlight). Whats the best work around to this ? Cheers, MrT

    Read the article

  • Will this make the object thread-safe?

    - by sharptooth
    I have a native Visual C++ COM object and I need to make it completely thread-safe to be able to legally mark it as "free-threaded" in th system registry. Specifically I need to make sure that no more than one thread ever accesses any member variable of the object simultaneously. The catch is I'm almost sure that no sane consumer of my COM object will ever try to simultaneously use the object from more than one thread. So I want the solution as simple as possible as long as it meets the requirement above. Here's what I came up with. I add a mutex or critical section as a member variable of the object. Every COM-exposed method will acquire the mutex/section at the beginning and release before returning control. I understand that this solution doesn't provide fine-grained access and this might slow execution down, but since I suppose simultaneous access will not really occur I don't care of this. Will this solution suffice? Is there a simpler solution?

    Read the article

  • API verbs for an interruptible operation

    - by 280Z28
    I have a long running task as part of my application. The task can be started, paused, resumed, and cancelled. I'm trying to find the best interface for these operations. Two seem clear: Pause and Cancel. This leaves the start and resume operations. I could include both Start and Resume. This has the downside of either requiring the API consumer to check the state before starting/resuming the operation to call the right method, or making the methods aliases of each other. I'm thinking I should include either Start or Resume, but I don't know which one is the most appropriate. Does anyone have any examples in the .NET Framework of such behavior? I prefer to follow established patterns whenever they are available.

    Read the article

  • create and insert values using mysql JDBC

    - by S.PRATHIBA
    Hi all, I have the sample code. public void UpdateTable1() { for(int t=0;t<20;t++) { if(consumer==1 && number==1 && provider1==31 && feedback==1) { try{ Class.forName(driverName); con = DriverManager.getConnection(url+dbName,"root","mysql"); try { Statement st = con.createStatement(); int val = st.executeUpdate("INSERT Consumer1 VALUES ("+31+","+"'Printer'"+", "+1+" "+")"); System.out.println("1 row affected"); } catch (SQLException s) { System.out.println("SQL statement is not executed!"); } con.close(); } I want to insert the same set of values(31,printer,1) into the table consumer2,consumer3.Is it possible without using another try catch statements...Please help me.

    Read the article

  • Storing API keys in Android, is obfustication enough?

    - by fredley
    I'm using the Dropbox API. In the sample app, it includes these lines: // Replace this with your consumer key and secret assigned by Dropbox. // Note that this is a really insecure way to do this, and you shouldn't // ship code which contains your key & secret in such an obvious way. // Obfuscation is good. final static private String CONSUMER_KEY = "PUT_YOUR_CONSUMER_KEY_HERE"; final static private String CONSUMER_SECRET = "PUT_YOUR_CONSUMER_SECRET_HERE"; I'm well aware of the mantra 'Secrecy is not Security', and obfuscation really only slightly increases the amount of effort required to extract the keys. I disagree with their statement 'Obfustication is good'. What should I do to protect the keys then? Is obfustication good enough, or should I consider something more elaborate?

    Read the article

  • Drupal OAuth Service Module

    - by user470714
    I am trying to do some research into potentially setting up an existing Drupal site with user accounts/login page to also be an OAuth service provider, basically authenticating users to make calls with a web service. I am looking for a Drupal module which will give this functionality. Most of what I run into are OAuth consumer modules, which is not what I want in this case. I've found a few modules which I think might do this for me, but the module descriptions are generally pretty vague and don't have much of a user base which doesn't inspire much confidence. Has anyone else done this before? What are the best modules available for doing this?

    Read the article

  • Twitter oauth php problems

    - by Patrick Gates
    I'm writing some backend script for a twitter app and heres how it's going On the app you click a button that sends you to login.php on my server which logs into my database connects to twitter with my consumer key and secret: $to = new TwitterOAuth($consumer_key, $consumer_secret); $tok = $to->getRequestToken(); $request_link = $to->getAuthorizeURL($tok); and then writes the token and secret to the database, sets a session equal to the id in the database of the token and secret and then redirects to the "$request_link" You then go through the process of logging in and such on twitter and it redirects you to callback.php on my server Callback.php consists of logging into the database again, getting the new token and secret, and then writing the new token and secret to the database and then prompts you to go back to the app Then on the app, all I'm trying to do is access the basic credentials$to->get('account/verify_credentials') and it keeps coming back "could not authenticate you" What am I doing wrong?? Thank you for all the help :)

    Read the article

  • CoreData Model Objects for API

    - by theiOSguy
    I am using CoreData in my application. I want to abstract out all the CoreData related stuff as an API so that the consume can use the API instead of directly using CoreData and its generated model objects. CoreData generates the managed objects model as following @interface Person : NSManagedObject @end I want to define my API for example MyAPI and it has a function called as createPerson:(Person*)p; So the consumer of this createPerson API needs to create a Person data object (like POJO in java world) and invoke this API. But I cannot create Person object using Person *p = [Person alloc] init] because the designated initializer for this Person model created by CoreData does not allow this type of creation. So should I define corresponding user facing data object may be PersonDO and this API should take that instead to carry the data into the API implementation? Is my approach right? Any expert advise if design the API this way is a good design pattern?

    Read the article

  • Why doesn't Google OpenID provider work with PHP-OpenId on my server?

    - by Steven Devijver
    Hey, I'm using PHP-OpenId 2.1.3 which I've unzipped on my server here (this is the consumer example that comes with PHP-OpenId). When I enter the Google OpenId url (https://www.google.com/accounts/o8/id) and submit I get a blank screen. When I try the exact same example code on the PHP-OpenId website here with the same URL it works fine. I don't understand what I'm doing wrong. The only thing I can think of is that somehow Google does not want to work with my server. Any ideas how to make this work? Thanks

    Read the article

  • Fusion Table Layer Caching issue

    - by user1854791
    I have created a series of fusion table layers and apply filtering to one of the layers in response to checkbox click events. The base layer of the map contains a gradient applied over county boundaries. When the base layer is unchecked, the filtered layer loses it's styling. I have added unique timestamps to all queries to avoid caching, however I get the feeling that these image tiles are still be cached for this situation. Is there any way to force the google fusion tables api to invalidate a cached image? Test site here: http://map.inquestmarketing.com/new.html Unchecking the Other - Consumer Prospects checkbox reproduces the issue. This is a pure client app, all of the source is in the single page.

    Read the article

  • An invalid character was found in text content.'

    - by Praveen Nambiar
    An invalid character was found in text content.'. Could not find prepared statement with handle 0. sp_xml_removedocument: The value supplied for parameter number 1 is invalid. Below is the xml that i am generating. <NewDataSet> <ControlManagementItems><ControlId>74</ControlId><Value>wqeqe</Value></ControlManagementItems> <ControlManagementItems><ControlId>76</ControlId><Value>Yes</Value></ControlManagementItems> <ControlManagementItems><ControlId>78</ControlId><Value>Consumer Core $100 infinite – Nov 2010</Value></ControlManagementItems> <ControlManagementItems><ControlId>108</ControlId><Value>Samsung Galaxy S 16GB</Value></ControlManagementItems> </NewDataSet>

    Read the article

  • How to make web service methods return string value in lines format?

    - by Born To Learn
    How to make web service methods return string value in lines format? My web service method looks like this [WebMethod] public string GetSomeLines() { System.Text.StringBuilder builder = new StringBuilder(); builder.AppendLine("Line1."); builder.AppendLine("Line2."); builder.AppendLine("Line3."); return builder.ToString(); } But when I get the result from web browser or from delphi/c# consumer it will be like this: Line1. Line2. Line3. While I expect to see: Line1. Line2. Line3. I know may be returning a StringBuilder or String Array is an option here but I want to know if there is a way to make this with string result. Thanks for your help.

    Read the article

  • RabbitMQ as a proxy between a data store and a producer ?

    - by hyperboreean
    I have some code that produces lots of data that should be stored in the database. The problem is that the database can't keep with the data that it gets produced. So I am wondering whether some kind of queuing mechanism would help in this situation - I am thinking in particular at RabiitMQ and whether is feasible to have the data stored in its queues until some consumer gets the data out of it and pushes it to the database. Also, I am not particular interested whether that data made it to the database or not because pretty soon, the same data will be updated.

    Read the article

  • Getting rails to execute root level file edits on system files without compromising security.

    - by voxobscuro
    I'm writing a Rails 3 application that needs to be able to trigger modifications to unix system config files. I'd like to insulate the file modifications from the consumer side by running them in a background process. I've considered writing out a temp file in rails and then copying the file with a bash script but that doesn't really insulate the system. I've also considered pulling from the database manually with a cron based script and updating the configs. But what I would really like is a component that can hook into the rails environment, read out what is needed from the database, and update the config files. This process needs to be run as root because the config files mostly live in /etc/whatever. Any suggestions? Thanks!

    Read the article

  • Toorcon14

    - by danx
    Toorcon 2012 Information Security Conference San Diego, CA, http://www.toorcon.org/ Dan Anderson, October 2012 It's almost Halloween, and we all know what that means—yes, of course, it's time for another Toorcon Conference! Toorcon is an annual conference for people interested in computer security. This includes the whole range of hackers, computer hobbyists, professionals, security consultants, press, law enforcement, prosecutors, FBI, etc. We're at Toorcon 14—see earlier blogs for some of the previous Toorcon's I've attended (back to 2003). This year's "con" was held at the Westin on Broadway in downtown San Diego, California. The following are not necessarily my views—I'm just the messenger—although I could have misquoted or misparaphrased the speakers. Also, I only reviewed some of the talks, below, which I attended and interested me. MalAndroid—the Crux of Android Infections, Aditya K. Sood Programming Weird Machines with ELF Metadata, Rebecca "bx" Shapiro Privacy at the Handset: New FCC Rules?, Valkyrie Hacking Measured Boot and UEFI, Dan Griffin You Can't Buy Security: Building the Open Source InfoSec Program, Boris Sverdlik What Journalists Want: The Investigative Reporters' Perspective on Hacking, Dave Maas & Jason Leopold Accessibility and Security, Anna Shubina Stop Patching, for Stronger PCI Compliance, Adam Brand McAfee Secure & Trustmarks — a Hacker's Best Friend, Jay James & Shane MacDougall MalAndroid—the Crux of Android Infections Aditya K. Sood, IOActive, Michigan State PhD candidate Aditya talked about Android smartphone malware. There's a lot of old Android software out there—over 50% Gingerbread (2.3.x)—and most have unpatched vulnerabilities. Of 9 Android vulnerabilities, 8 have known exploits (such as the old Gingerbread Global Object Table exploit). Android protection includes sandboxing, security scanner, app permissions, and screened Android app market. The Android permission checker has fine-grain resource control, policy enforcement. Android static analysis also includes a static analysis app checker (bouncer), and a vulnerablity checker. What security problems does Android have? User-centric security, which depends on the user to grant permission and make smart decisions. But users don't care or think about malware (the're not aware, not paranoid). All they want is functionality, extensibility, mobility Android had no "proper" encryption before Android 3.0 No built-in protection against social engineering and web tricks Alternative Android app markets are unsafe. Simply visiting some markets can infect Android Aditya classified Android Malware types as: Type A—Apps. These interact with the Android app framework. For example, a fake Netflix app. Or Android Gold Dream (game), which uploads user files stealthy manner to a remote location. Type K—Kernel. Exploits underlying Linux libraries or kernel Type H—Hybrid. These use multiple layers (app framework, libraries, kernel). These are most commonly used by Android botnets, which are popular with Chinese botnet authors What are the threats from Android malware? These incude leak info (contacts), banking fraud, corporate network attacks, malware advertising, malware "Hackivism" (the promotion of social causes. For example, promiting specific leaders of the Tunisian or Iranian revolutions. Android malware is frequently "masquerated". That is, repackaged inside a legit app with malware. To avoid detection, the hidden malware is not unwrapped until runtime. The malware payload can be hidden in, for example, PNG files. Less common are Android bootkits—there's not many around. What they do is hijack the Android init framework—alteering system programs and daemons, then deletes itself. For example, the DKF Bootkit (China). Android App Problems: no code signing! all self-signed native code execution permission sandbox — all or none alternate market places no robust Android malware detection at network level delayed patch process Programming Weird Machines with ELF Metadata Rebecca "bx" Shapiro, Dartmouth College, NH https://github.com/bx/elf-bf-tools @bxsays on twitter Definitions. "ELF" is an executable file format used in linking and loading executables (on UNIX/Linux-class machines). "Weird machine" uses undocumented computation sources (I think of them as unintended virtual machines). Some examples of "weird machines" are those that: return to weird location, does SQL injection, corrupts the heap. Bx then talked about using ELF metadata as (an uintended) "weird machine". Some ELF background: A compiler takes source code and generates a ELF object file (hello.o). A static linker makes an ELF executable from the object file. A runtime linker and loader takes ELF executable and loads and relocates it in memory. The ELF file has symbols to relocate functions and variables. ELF has two relocation tables—one at link time and another one at loading time: .rela.dyn (link time) and .dynsym (dynamic table). GOT: Global Offset Table of addresses for dynamically-linked functions. PLT: Procedure Linkage Tables—works with GOT. The memory layout of a process (not the ELF file) is, in order: program (+ heap), dynamic libraries, libc, ld.so, stack (which includes the dynamic table loaded into memory) For ELF, the "weird machine" is found and exploited in the loader. ELF can be crafted for executing viruses, by tricking runtime into executing interpreted "code" in the ELF symbol table. One can inject parasitic "code" without modifying the actual ELF code portions. Think of the ELF symbol table as an "assembly language" interpreter. It has these elements: instructions: Add, move, jump if not 0 (jnz) Think of symbol table entries as "registers" symbol table value is "contents" immediate values are constants direct values are addresses (e.g., 0xdeadbeef) move instruction: is a relocation table entry add instruction: relocation table "addend" entry jnz instruction: takes multiple relocation table entries The ELF weird machine exploits the loader by relocating relocation table entries. The loader will go on forever until told to stop. It stores state on stack at "end" and uses IFUNC table entries (containing function pointer address). The ELF weird machine, called "Brainfu*k" (BF) has: 8 instructions: pointer inc, dec, inc indirect, dec indirect, jump forward, jump backward, print. Three registers - 3 registers Bx showed example BF source code that implemented a Turing machine printing "hello, world". More interesting was the next demo, where bx modified ping. Ping runs suid as root, but quickly drops privilege. BF modified the loader to disable the library function call dropping privilege, so it remained as root. Then BF modified the ping -t argument to execute the -t filename as root. It's best to show what this modified ping does with an example: $ whoami bx $ ping localhost -t backdoor.sh # executes backdoor $ whoami root $ The modified code increased from 285948 bytes to 290209 bytes. A BF tool compiles "executable" by modifying the symbol table in an existing ELF executable. The tool modifies .dynsym and .rela.dyn table, but not code or data. Privacy at the Handset: New FCC Rules? "Valkyrie" (Christie Dudley, Santa Clara Law JD candidate) Valkyrie talked about mobile handset privacy. Some background: Senator Franken (also a comedian) became alarmed about CarrierIQ, where the carriers track their customers. Franken asked the FCC to find out what obligations carriers think they have to protect privacy. The carriers' response was that they are doing just fine with self-regulation—no worries! Carriers need to collect data, such as missed calls, to maintain network quality. But carriers also sell data for marketing. Verizon sells customer data and enables this with a narrow privacy policy (only 1 month to opt out, with difficulties). The data sold is not individually identifiable and is aggregated. But Verizon recommends, as an aggregation workaround to "recollate" data to other databases to identify customers indirectly. The FCC has regulated telephone privacy since 1934 and mobile network privacy since 2007. Also, the carriers say mobile phone privacy is a FTC responsibility (not FCC). FTC is trying to improve mobile app privacy, but FTC has no authority over carrier / customer relationships. As a side note, Apple iPhones are unique as carriers have extra control over iPhones they don't have with other smartphones. As a result iPhones may be more regulated. Who are the consumer advocates? Everyone knows EFF, but EPIC (Electrnic Privacy Info Center), although more obsecure, is more relevant. What to do? Carriers must be accountable. Opt-in and opt-out at any time. Carriers need incentive to grant users control for those who want it, by holding them liable and responsible for breeches on their clock. Location information should be added current CPNI privacy protection, and require "Pen/trap" judicial order to obtain (and would still be a lower standard than 4th Amendment). Politics are on a pro-privacy swing now, with many senators and the Whitehouse. There will probably be new regulation soon, and enforcement will be a problem, but consumers will still have some benefit. Hacking Measured Boot and UEFI Dan Griffin, JWSecure, Inc., Seattle, @JWSdan Dan talked about hacking measured UEFI boot. First some terms: UEFI is a boot technology that is replacing BIOS (has whitelisting and blacklisting). UEFI protects devices against rootkits. TPM - hardware security device to store hashs and hardware-protected keys "secure boot" can control at firmware level what boot images can boot "measured boot" OS feature that tracks hashes (from BIOS, boot loader, krnel, early drivers). "remote attestation" allows remote validation and control based on policy on a remote attestation server. Microsoft pushing TPM (Windows 8 required), but Google is not. Intel TianoCore is the only open source for UEFI. Dan has Measured Boot Tool at http://mbt.codeplex.com/ with a demo where you can also view TPM data. TPM support already on enterprise-class machines. UEFI Weaknesses. UEFI toolkits are evolving rapidly, but UEFI has weaknesses: assume user is an ally trust TPM implicitly, and attached to computer hibernate file is unprotected (disk encryption protects against this) protection migrating from hardware to firmware delays in patching and whitelist updates will UEFI really be adopted by the mainstream (smartphone hardware support, bank support, apathetic consumer support) You Can't Buy Security: Building the Open Source InfoSec Program Boris Sverdlik, ISDPodcast.com co-host Boris talked about problems typical with current security audits. "IT Security" is an oxymoron—IT exists to enable buiness, uptime, utilization, reporting, but don't care about security—IT has conflict of interest. There's no Magic Bullet ("blinky box"), no one-size-fits-all solution (e.g., Intrusion Detection Systems (IDSs)). Regulations don't make you secure. The cloud is not secure (because of shared data and admin access). Defense and pen testing is not sexy. Auditors are not solution (security not a checklist)—what's needed is experience and adaptability—need soft skills. Step 1: First thing is to Google and learn the company end-to-end before you start. Get to know the management team (not IT team), meet as many people as you can. Don't use arbitrary values such as CISSP scores. Quantitive risk assessment is a myth (e.g. AV*EF-SLE). Learn different Business Units, legal/regulatory obligations, learn the business and where the money is made, verify company is protected from script kiddies (easy), learn sensitive information (IP, internal use only), and start with low-hanging fruit (customer service reps and social engineering). Step 2: Policies. Keep policies short and relevant. Generic SANS "security" boilerplate policies don't make sense and are not followed. Focus on acceptable use, data usage, communications, physical security. Step 3: Implementation: keep it simple stupid. Open source, although useful, is not free (implementation cost). Access controls with authentication & authorization for local and remote access. MS Windows has it, otherwise use OpenLDAP, OpenIAM, etc. Application security Everyone tries to reinvent the wheel—use existing static analysis tools. Review high-risk apps and major revisions. Don't run different risk level apps on same system. Assume host/client compromised and use app-level security control. Network security VLAN != segregated because there's too many workarounds. Use explicit firwall rules, active and passive network monitoring (snort is free), disallow end user access to production environment, have a proxy instead of direct Internet access. Also, SSL certificates are not good two-factor auth and SSL does not mean "safe." Operational Controls Have change, patch, asset, & vulnerability management (OSSI is free). For change management, always review code before pushing to production For logging, have centralized security logging for business-critical systems, separate security logging from administrative/IT logging, and lock down log (as it has everything). Monitor with OSSIM (open source). Use intrusion detection, but not just to fulfill a checkbox: build rules from a whitelist perspective (snort). OSSEC has 95% of what you need. Vulnerability management is a QA function when done right: OpenVas and Seccubus are free. Security awareness The reality is users will always click everything. Build real awareness, not compliance driven checkbox, and have it integrated into the culture. Pen test by crowd sourcing—test with logging COSSP http://www.cossp.org/ - Comprehensive Open Source Security Project What Journalists Want: The Investigative Reporters' Perspective on Hacking Dave Maas, San Diego CityBeat Jason Leopold, Truthout.org The difference between hackers and investigative journalists: For hackers, the motivation varies, but method is same, technological specialties. For investigative journalists, it's about one thing—The Story, and they need broad info-gathering skills. J-School in 60 Seconds: Generic formula: Person or issue of pubic interest, new info, or angle. Generic criteria: proximity, prominence, timeliness, human interest, oddity, or consequence. Media awareness of hackers and trends: journalists becoming extremely aware of hackers with congressional debates (privacy, data breaches), demand for data-mining Journalists, use of coding and web development for Journalists, and Journalists busted for hacking (Murdock). Info gathering by investigative journalists include Public records laws. Federal Freedom of Information Act (FOIA) is good, but slow. California Public Records Act is a lot stronger. FOIA takes forever because of foot-dragging—it helps to be specific. Often need to sue (especially FBI). CPRA is faster, and requests can be vague. Dumps and leaks (a la Wikileaks) Journalists want: leads, protecting ourselves, our sources, and adapting tools for news gathering (Google hacking). Anonomity is important to whistleblowers. They want no digital footprint left behind (e.g., email, web log). They don't trust encryption, want to feel safe and secure. Whistleblower laws are very weak—there's no upside for whistleblowers—they have to be very passionate to do it. Accessibility and Security or: How I Learned to Stop Worrying and Love the Halting Problem Anna Shubina, Dartmouth College Anna talked about how accessibility and security are related. Accessibility of digital content (not real world accessibility). mostly refers to blind users and screenreaders, for our purpose. Accessibility is about parsing documents, as are many security issues. "Rich" executable content causes accessibility to fail, and often causes security to fail. For example MS Word has executable format—it's not a document exchange format—more dangerous than PDF or HTML. Accessibility is often the first and maybe only sanity check with parsing. They have no choice because someone may want to read what you write. Google, for example, is very particular about web browser you use and are bad at supporting other browsers. Uses JavaScript instead of links, often requiring mouseover to display content. PDF is a security nightmare. Executible format, embedded flash, JavaScript, etc. 15 million lines of code. Google Chrome doesn't handle PDF correctly, causing several security bugs. PDF has an accessibility checker and PDF tagging, to help with accessibility. But no PDF checker checks for incorrect tags, untagged content, or validates lists or tables. None check executable content at all. The "Halting Problem" is: can one decide whether a program will ever stop? The answer, in general, is no (Rice's theorem). The same holds true for accessibility checkers. Language-theoretic Security says complicated data formats are hard to parse and cannot be solved due to the Halting Problem. W3C Web Accessibility Guidelines: "Perceivable, Operable, Understandable, Robust" Not much help though, except for "Robust", but here's some gems: * all information should be parsable (paraphrasing) * if not parsable, cannot be converted to alternate formats * maximize compatibility in new document formats Executible webpages are bad for security and accessibility. They say it's for a better web experience. But is it necessary to stuff web pages with JavaScript for a better experience? A good example is The Drudge Report—it has hand-written HTML with no JavaScript, yet drives a lot of web traffic due to good content. A bad example is Google News—hidden scrollbars, guessing user input. Solutions: Accessibility and security problems come from same source Expose "better user experience" myth Keep your corner of Internet parsable Remember "Halting Problem"—recognize false solutions (checking and verifying tools) Stop Patching, for Stronger PCI Compliance Adam Brand, protiviti @adamrbrand, http://www.picfun.com/ Adam talked about PCI compliance for retail sales. Take an example: for PCI compliance, 50% of Brian's time (a IT guy), 960 hours/year was spent patching POSs in 850 restaurants. Often applying some patches make no sense (like fixing a browser vulnerability on a server). "Scanner worship" is overuse of vulnerability scanners—it gives a warm and fuzzy and it's simple (red or green results—fix reds). Scanners give a false sense of security. In reality, breeches from missing patches are uncommon—more common problems are: default passwords, cleartext authentication, misconfiguration (firewall ports open). Patching Myths: Myth 1: install within 30 days of patch release (but PCI §6.1 allows a "risk-based approach" instead). Myth 2: vendor decides what's critical (also PCI §6.1). But §6.2 requires user ranking of vulnerabilities instead. Myth 3: scan and rescan until it passes. But PCI §11.2.1b says this applies only to high-risk vulnerabilities. Adam says good recommendations come from NIST 800-40. Instead use sane patching and focus on what's really important. From NIST 800-40: Proactive: Use a proactive vulnerability management process: use change control, configuration management, monitor file integrity. Monitor: start with NVD and other vulnerability alerts, not scanner results. Evaluate: public-facing system? workstation? internal server? (risk rank) Decide:on action and timeline Test: pre-test patches (stability, functionality, rollback) for change control Install: notify, change control, tickets McAfee Secure & Trustmarks — a Hacker's Best Friend Jay James, Shane MacDougall, Tactical Intelligence Inc., Canada "McAfee Secure Trustmark" is a website seal marketed by McAfee. A website gets this badge if they pass their remote scanning. The problem is a removal of trustmarks act as flags that you're vulnerable. Easy to view status change by viewing McAfee list on website or on Google. "Secure TrustGuard" is similar to McAfee. Jay and Shane wrote Perl scripts to gather sites from McAfee and search engines. If their certification image changes to a 1x1 pixel image, then they are longer certified. Their scripts take deltas of scans to see what changed daily. The bottom line is change in TrustGuard status is a flag for hackers to attack your site. Entire idea of seals is silly—you're raising a flag saying if you're vulnerable.

    Read the article

  • Oracle WebCenter Portal: Pagelet Producer – What’s New in 11.1.1.6.0 Release

    - by kellsey.ruppel
    Igor Plyakov, Sr. Principal Product Marketing Manager is back to share what's new in Oracle WebCenter Portal: Pagelet Producer. In February 2012 Oracle released 11g Release 1 (11.1.1.6.0) for WebCenter Portal. Pagelet Producer (aka Ensemble) that came out with this release added support for several new capabilities that are described in this post. As of 11.1.1.5.0 release the Pagelet Producer can expose WSRP and JPDK portlets as pagelets that can then be consumed in any portal or any third-party application that does not have a WSRP consumer. Now Pagelet Producer team is working on simplifying use of pagelets in WebCenter Sites. To expose WSRP portlets a new Producer should be registered with Pagelet Producer which can be done using Enterprise Manager, WLST or the Pagelet Producer Administration Console (for details see Section 25.9 of Administrator’s Guide for Oracle WebCenter Portal). If the producer requires authentication, Pagelet Producer allows you to select and use one of standard WSS token profiles.  After registration is finished a new resource is created and automatically populated with pagelets that represent the portlets associated with the WSRP endpoint.  For 11.1.1.6.0 release we completed extensive testing of consuming all WebCenter Services that are exposed as WSRP portlets by E2.0 Producer and delivery them as pagelets to WebCenter Interaction portal. In Pagelet Producer 11.1.1.6.0 release we added OpenSocial container that allows consuming gadgets from other OpenSocial containers, e.g. iGoogle, and expose them as pagelets. You can also use Pagelet Producer to host OpenSocial gadgets that could leverage OpenSocial APIs that it supports – People, Activities, Appdata and Pub-Sub features. Note that People and Activities expose the People Connections and Activity Stream from WebCenter Portal, i.e. to use these features Pagelet Producer requires connection to WebCenter Portal schema. Pub-Sub allows leveraging OpenAJAX Hub API for inter-gadget communication. In addition to these major new additions in Pagelet Producer 11.1.1.6.0 release we also extended several functional modules: The Clipping module was extended to support clipping of multiple regions on web resource page and then re-assembly of these separately clipped regions into a single pagelet. The auto-login feature can now be applied to web resources protected with Kerberos authentication; you would find this new functionality handy for consuming SharePoint web parts The logging module now supports full HTTP traffic between the Pagelet Producer and proxied web resource. At last, as the rest of WebCenter Portal stack the Pagelet Producer 11.1.1.6.0 can run on IBM WebSphere Application Server.

    Read the article

  • Facebook Sponsored Results: Is It Getting Results?

    - by Mike Stiles
    Social marketers who like to focus on the paid aspect of the paid/earned hybrid Facebook represents may want to keep themselves aware of how the network’s new Sponsored Results ad product is performing. The ads, which appear when a user conducts a search from the Facebook search bar, have only been around a week or so. But the first statistics coming out of them are not bad. Marketer Nanigans says click-through rates on the Sponsored Results have been nearly 23 times better than regular Facebook ads. Some click-through rates have even gone over 3%. Just to give you some perspective, a TechCrunch article points out that’s the same kind of click-through rates that were being enjoyed during the go-go dot com boom of the 90’s. The average across the Internet in its entirety is now somewhere around .3% on a good day, so a 3% number should be enough to raise an eyebrow. Plus the cost-per-click price is turning up 78% lower than regular Facebook ads, so that should raise the other eyebrow. Marketers have gotten pretty used to being able to buy ads against certain keywords. Most any digital property worth its salt that sells ads offers this, and so does Facebook with its Sponsored Results product. But the unique prize Facebook brings to the table is the ability to also buy based on demographic and interest information gleaned from Facebook user profiles. With almost 950 million logging in, this is exactly the kind of leveraging of those users conventional wisdom says is necessary for Facebook to deliver on its amazing potential. So how does the Facebook user fit into this? Notorious for finding out exactly where sponsored marketing messages are appearing and training their eyeballs to avoid those areas, will the Facebook user reject these Sponsored Results? Well, Facebook may have found an area in addition to the News Feed where paid elements can’t be avoided and will be tolerated. If users want to read their News Feed, and they do, they’re going to see sponsored posts. Likewise, if they want to search for friends or Pages, and they do, they’re going to see Sponsored Results. The paid results are clearly marked as such. As long as their organic search results are not tainted or compromised, they will continue using search. But something more is going on. The early click-through rate numbers say not only do users not mind seeing these Sponsored Results, they’re finding them relevant enough to click on. And once they click, they seem to be liking what they find, with a reported 14% higher install rate than Marketplace Ads. It’s early, and obviously the jury is still out. But this is a new social paid marketing opportunity that’s well worth keeping an eye on, and that may wind up hitting the trifecta of being effective for the platform, the consumer, and the marketer.

    Read the article

  • Best of "The Moth" 2010

    - by Daniel Moth
    It is the time again (like in 2004, 2005, 2006, 2007, 2008, 2009) to look back at my blog for the past year and identify areas of interest that seem to be more prominent than others. After doing so, representative posts follow in my top 5 list (in random order). 1. This was the year where I had to move for the first time since 2004 my blog engine (blogger.com –> dasBlog), host provider (zen –> godaddy), web server technology and OS (apache on Linux –> IIS on Windows Server). My goal was not to break any permalinks or the look and feel of this website. A series of posts covered how I achieved that goal, culminating in a tool for others to use if they wanted to do the same: Tool to convert blogger.com content to dasBlog. Going forward I aim to be sharing more small code utilities like that one… 2. At work I am known for being fairly responsive on email, and more importantly never dropping email balls on the floor. This is due to my email processing system, which I shared here: Processing Email in Outlook. I will be sharing more tips with regards to making the best of the Office products. 3. There is no doubt in my mind that this is the year people will remember as the one where Microsoft finally fights back in the mobile space. Even though the new platform means my Windows Mobile book sales will dwindle :-), I am ecstatic about Windows Phone 7 both as a consumer and as a developer. On the release day, to get you started I shared the top 10 Windows Phone 7 developer resources. I will be sharing my tips from my experience in writing code for and consuming this new platform… 4. For my HPC developer friends using Visual Studio, I shared Slides and code for MPI Cluster Debugger and also gave you all the links you need for getting started with Dryad and DryadLINQ from MSR. Expect more from me on cluster development in the coming year… 5. Still in the HPC space, but actually also in the game and even mainstream development, the big disruption and opportunity comes in the form of GPGPU and, on the Microsoft platform, (currently) DirectCompute. Expect more from me on gpgpu development in the coming year… Subscribe via the link on the left to stay tuned for 2011… I wish you a very Happy New Year (with whatever definition of happiness works for you)! Comments about this post welcome at the original blog.

    Read the article

< Previous Page | 23 24 25 26 27 28 29 30 31 32 33 34  | Next Page >