security

Confining user to one window during a test

Suppose you have written a testing program, to be used in a classroom. How would you enforce the participants don't use any other software (no Internet, no calculator, no console etc.) during the exam time? Something similar to "testing mode" in one of TI calculators. Another possible application: lock players during a chess/bridge co...

Security concerns with a Python PAM module?

Hi, I'm interested in writing a PAM module that would make use of a popular authentication mechanism for Unix logins. Most of my past programming experience has been in Python, and the system I'm interacting with already has a Python API. I googled around and found pam_python, which allows PAM modules to invoke the python interpreter, t...

ASP.NET_SessionId cookie value does not allow multiple logins to the same web application from the same pc

We have a web application running on ASP.NET 3.5. It is viewed by the world as one URL but in reality there are multiple IIS boxes hosting the application controlled by a load balancer. My problem is that it is a sensitive application with strict security controls around it, and that post authentication if you open another browser to th...

How secure is this architecture?

Hi, I'm building a system that needs to collect some sensitive user data via a secured web connection, store it securely on the server for later automated decryption and reuse. The system should also allow the user to view some part of the secured data (e.g., *****ze) and/or change it completely via web. The system should provide a reasonable level of s...

What is an API key?

I get to see this word in almost every cross-service application these days. What exactly is an API key, and what are its uses? Also, please explain the difference between public and private API keys. ...

Any free C# ssh server libraries or an alternative secure remote console solution?

I have an application that provides real time log messages for users. Currently the application works by having the server listen on a straight forward TCP socket and the users can use a telnet client to connect. Once connected they get asked for their username, password and can then set a filter for the realtime events they want sent to...

Is it safe to allow users to edit css?

I have a web application where I would like to allow end users to customise the look of the web site by uploading their own css file. Are there any security issues with this? I can't see anything obvious but thought I'd ask in case there was anything I'd missed. ...

What not to forget?

I'm currently working on an ajax-based application using PHP on the server-side and JavaScript (jQuery) on the client-side. I want to make sure my application is as secure as possible and need to know what things are absolutely necessary to do before the launch of such an application. What to check and what are the most vulnerable areas? I'm not...

Security implications of a limited function server

I want to collect certain information from people/devices via email. These emails will never be delivered to anybody, but simply processed on the server. Received emails will be processed - some simply dropped, most stored (in a database), attachments may or may not be stored (but never executed) depending on certain conditions. I have ...

Is there a right way to manipulate GoogleAppEngine security permissions?

I have a GoogleAppEngine application that is required to connect to another localhost server, but when I'm trying to do this from the server code, I get: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve) I know that I can specify my additional security grant by using java virtual machine ...

Create a page without placing .php at the end?

I was looking for ways to mimic something I've seen, however I'm really not even sure where to start or how to search for it. Let's say my page was: foo.com/ and my index page could take an argument of: index.php?id=5 What I'm wanting to do is create the following: foo.com/5/ rather than placing index.php?id=5 just use the webstring t...

Writing a file backup utility in C#...

--BEGIN RANT-- ALL I want to do is copy the "Documents and Settings" folder to back it up in Windows Server 2003, so we can grab old files from it, as needed, easily, after I wipe the server to upgrade the OS to Windows Server 2008. BUT, I get errors about NTUSER being in use, etc., when I try to copy it. It's VERY irritating that an ad...

How can I protect myself from a zip bomb?

I just read about zip bombs, i.e. zip files that contain a very large amount of highly compressible data (00000000000000000...). When opened they fill the server's disk. How can I detect that a zip file is a zip bomb before unzipping it? UPDATE Can you tell me how this is done in Python or Java? ...

IIS7 Admin read/write access to folder

Hi, I have an ASP.Net website running on IIS7. The developers have created a CMS in the \admin folder, which allows the website admin to create/edit/delete pages. They have said: "The read/write permission should be given to the user that requires login access to the admin panel, not the anonymous user that has general public access t...

Access to denied resource changing credentials

Hello everybody, I've been searching for several days but I'm not able to find the solution. I want to write an application that can access a folder where the user running the application has no access. That is: there is a folder F with some files. User A can read/write folder F. User B cannot read/write folder F. User B must use th...

Random access encryption with AES In Counter mode using Fortuna PRNG:

I'm building file encryption based on AES that has to be able to work in random-access mode (accessing any part of the file). AES in Counter mode, for example, can be used, but it is well known that we need a unique sequence never used twice. Is it ok to use a simplified Fortuna PRNG in this case (encrypting a counter with a randomly chosen u...

Protection against SQL injection

Does the following PHP MySQL statement protect against SQL Injection? $strSQL = "SELECT * FROM Benutzer WHERE Benutzername = '".$Benutzer."' AND Password = '".md5($PW)."'"; The variables $Benutzer and $PW are inputs from the user. We're checking the username and password against common SQL Injection techniques: ' or 0=0 --, " or...

Copy ACL information like XCopy

We recently were forced to move to a new domain server half-way around the world. This may not seem like much of a change, but one of the processes that we run frequently has suddenly gone from a 2-second command to a 5-minute command. The reason? We are updating the permissions on many directories based on a "template" directory struct...

Basic questions on Microsoft CryptoAPI

I've been looking through the MSDN trying to understand the CryptoAPI. Below are some questions and guesses as to how things might work. Any answers or confirmations or refuting of my surmises much appreciated. According to the note I found at http://msdn.microsoft.com/en-us/library/ms867086.aspx, the CSP keeps public private key pairs ...

MS Access - "You don't have permission to read [REPORT NAME]", object owner <unknown>

A client is receiving a "You don't have permission to read [REPORT NAME]" error message when attempting to launch a report in a MS Access database. When I go to the “Change Owner” tab under Tools > Security > User Groups and Permissions, the owner is <unknown>. If I attempt to change the owner, I get a "You don't have permission to cha...