One thing that I've always hated more than just about anything in MS SQL Server is the way that security works. The security context constantly switches if you look at the server funny and it's often very hard (for me anyway) to predict or debug.
In dealing with an issue today, I thought, "I wish I could just add a line to my code that w...
Hi All,
I have a piece of nasty JavaScript that I would like to de-obfuscate. I know that I can spin up a VM and behold the malware in all of its glory, but I am more interested in not having it run, but viewing it in a non-obfuscated form. If it needs to run in order to do this, then so be it, I guess. Anyone know how to do this wit...
What would be the best way to go about giving users the ability to share a private link that enables anyone who clicks it to view a certain page/document/item that has privacy restrictions in place?
In my case:
A User creates events which are limited to certain groups of relationships in the database (namely: friends, friends of frien...
I'm trying to figure out how to solve the privilege acquisition.
The application requires desktop access, so it cannot be executed as a Windows service: it has to create a window for receiving messages sent by other processes using SendMessage (it must be used for waiting for message acknowledgement).
The application shall be started when an...
I would like to perform a dictionary attack, or, if it is easier, an attack directly in the database with my hashed passwords in order to find out what users of my site are using simple passwords.
I will be implementing some complexity rules when creating passwords but I would love to be able to contact the users who have simple dictiona...
I read the other password recovery questions on SO and it seems that most people consider sending a password recovery link that can be used only once and expires after a couple of days to be most secure.
Now my question, (I know it is subjective, but I am looking for input that you may have received from your users)
Is this also decent...
My question is very similar to this question but a bit more specific.
My application has multiple companies and multiple users per company. It makes the most sense to me (at this point) for each company to have a "private" set of tables. This makes security extremely simple as I don't have to worry about JOIN-ing up my structure tree to...
Some users will use the database as read-only and some will need to add, delete and update records.
Now, users that will be read-only on the database also have the read-only rights as Windows permissions on the backend directory. What happens obviously is that the backend becomes read-only.
I thought using the access security thingy wo...
On my website we run a contest system and users vote for other users' content. We recently caught someone creating multiple accounts to vote multiple times (consecutive id numbers, and votes within a couple minutes). We would like to prevent that from happening again. Judging how Times handled their "Most Influential Person of the Centur...
Hi all,
I am running a simple Java client to connect to a remote MQ queue.
When I run the Java code to read/write messages with an alias queue name, it works fine.
When I try to run the code on the same queue but with a physical queue name (because I wish to invoke getQueueDepth), I get a 2035 error at the point when the code tries to...
In ASP.Net, is there ever a reason to flatly make your own authentication instead of using Forms Security (and writing a custom provider)?
What limitations exist to Forms Security and why would someone want to write their own authentication?
...
Designing a user content website and the question is for the admin section, from a security point of view, where should it be placed?
Same domain and allow admin to enter site like other users from signin form using admin email
Have a separate sub-domain only for admin login
Have a separate secret domain used to access admin features
...
Using Windows hooks I send messages to my application, which is notified about Windows events by every application on the system.
To execute marshal of the message parameters, I use shared memories. The external process calls DuplicateHandle, but for sharing the handle with my application instance, it shall call OpenProcess with PROCESS...
I've been looking into a legacy application with a web-based user interface. Given its age (nearly 10 years some parts) there's a lot that needs updating and re-architecting, but I'm wondering about a small point regarding how user sessions work.
In a nutshell:
The entire UI is served via HTTPS.
Users are authenticated unremarkably by...
The HtmlDocument class has the following attribute:
[PermissionSet(SecurityAction.LinkDemand, Name="FullTrust")]
public sealed class HtmlDocument
Why? Can I override this somehow? Or would I need to reflect the source and recompile?
...
Pardon my outrageous silliness, I don't know if this is even possible.
Here's the situation.
There is an MS Access "database" (yes, I know, believe me, I know) which I'll need to SELECT, UPDATE and INSERT to from a remote location. The catch is that this needs to happen securely.
I have complete control over the remote machine which h...
Hi,
Recently I've googled about iPhone OS security architecture over the net but I have yet to find any comprehensive documentation or whitepaper on iPhone OS security architecture.
Is there anyone who knows some sources and is able to point me to some of the references?
Thanks!
...
I would like to add a licensing system to an application. For example: user buys license for 1 month and after that program expires (Kinda Anti-Virus style?).
Problem is that the application is supposed to run on systems which may or may not be connected to the internet, so how to protect from date-time changes?
Storing app startup and close times ...
I'm building a social media app in Flash (AS3) that is tightly integrated with Facebook--all user accounts are handled via Facebook connect, and all Facebook connectivity is handled via a combination of the JavaScript and AS3 Facebook APIs. I'm using CodeIgniter on the backend for server-side data management, which includes tracking use...
Is the assets folder only accessible to the app or can the user see it too? For my app I want to store a credential certificate and video files on local storage but I am not sure how to hide these items from the users. The assets folder seems like the only choice.
...