I'm developing a C# Winforms application for a customer. The customer wants the program secured by a hardlock, so only people having the appropriate hardlock can access the program. I know there are a ton of ways to secure access to a Winforms application, but he insists on using a hardlock.
I have never experienced implementing a ...
There's plenty of discussion on the best algorithm - but what if you're already in production? How do you upgrade without having to reset on the user?
EDIT/DISCLAIMER: Although I originally wanted a "quick fix" solution and chose orip's response, I must concede that if security in your application is important enough to be even bothe...
Hi, my team is building a game in Flash to be embedded in an ASP.NET application.
When the game is over the player has the chance to type his name to save his score.
This is done using web services called from flash. The webservice receives the name and score.
Since the webservice is publicly available how can I make it only callable fr...
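One way to raise the bar on a publicly reachable score endpoint, as an added example that is not part of the question above: the server issues an HMAC-signed, single-use token when a game starts, and the score submission must carry that token and be plausible for the time elapsed. The secret, the player/nonce/timestamp layout and the 10-points-per-second plausibility limit are assumptions chosen for illustration. Note what this does not do: any secret embedded in the SWF can be extracted by decompiling it, so the only key here lives server-side, and a determined player can still submit the maximum plausible score; the check turns "anyone can post any number" into "a player can post a bounded score once per game".

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret for the example; load from configuration in
# real code and never ship it inside the Flash client.
SERVER_SECRET = b"example-only-secret-key"


def issue_game_token(player_id, started_at, secret=SERVER_SECRET):
    """Server side, called when a game starts: bind a fresh nonce and the start
    time to the player, and sign the whole thing."""
    if "|" in player_id:
        raise ValueError("player_id must not contain the field separator")
    nonce = secrets.token_hex(8)
    payload = f"{player_id}|{nonce}|{int(started_at)}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_submission(token, player_id, score, now, used_nonces,
                      max_score_per_sec=10.0, secret=SERVER_SECRET):
    """Server side, called by the score web service. Returns (accepted, reason).
    used_nonces is a set shared across requests (a DB table in practice)."""
    try:
        tok_player, nonce, started, tag = token.split("|")
    except ValueError:
        return False, "malformed token"
    payload = f"{tok_player}|{nonce}|{started}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if tok_player != player_id:
        return False, "token issued to a different player"
    if nonce in used_nonces:
        return False, "replay"
    elapsed = now - int(started)
    # Assumed game rule: at most max_score_per_sec points per second of play.
    if elapsed <= 0 or score > elapsed * max_score_per_sec:
        return False, "score implausible for elapsed time"
    used_nonces.add(nonce)
    return True, "ok"
```

The Flash client only has to store the opaque token it received at game start and send it back with the score; everything it could tamper with is covered by the signature or by the server-side nonce set.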
Here's how my servers (in Amazon EC2) would look:
Server 1 Server 2 Server 3
__________________________ _____________________ _______________
| Cloud Monitor Daemon | | Memcached daemon | | beanstalkd |
| | | Memcached daemon | ____...
XOR encryption is known to be quite weak. But how weak is it if I have a key that is made up of multiple keys of different (ideally prime) lengths which are combined to make a longer key? E.g. I have text keys of length 5, 9 and 11. If I just apply the first key using XOR encryption then it should be easy to break as the encryption byte ...
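Worked example, added here and not part of the question above, showing why combining repeating XOR keys of lengths 5, 9 and 11 does not change the nature of the cipher: XORing the three keystreams yields a single repeating key whose period divides lcm(5, 9, 11) = 495, so every repeating-key XOR attack still applies, and an attacker never needs the three component keys at all. The code generates the combined keystream, checks its period, and recovers the whole 495-byte key from 495 bytes of known plaintext, then decrypts a second message encrypted under the same keys. The key strings and messages are constructed for the example.

```python
from functools import reduce
from itertools import cycle
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def combined_period(keys):
    """The XOR of repeating keys repeats with period lcm(len(k) for k in keys)
    (the true period may divide this in degenerate cases, never exceed it)."""
    return reduce(lcm, (len(k) for k in keys), 1)


def combined_keystream(keys, length):
    """Byte i of the stream is XOR over all keys of key[i mod len(key)]."""
    out = bytearray(length)
    for i in range(length):
        b = 0
        for k in keys:
            b ^= k[i % len(k)]
        out[i] = b
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(keys, plaintext):
    return xor_bytes(plaintext, combined_keystream(keys, len(plaintext)))


def recover_keystream(known_plaintext, ciphertext, period):
    """Known-plaintext attack: one full period of (P, C) pairs gives the entire
    repeating key, because K = P XOR C position by position."""
    if len(known_plaintext) < period or len(ciphertext) < period:
        raise ValueError("need at least one full period of known plaintext")
    return xor_bytes(known_plaintext[:period], ciphertext[:period])


def decrypt_with_recovered(ciphertext, repeating_key):
    """Decrypt any message under the same keys using only the recovered
    combined key; the component keys are never needed."""
    return bytes(c ^ k for c, k in zip(ciphertext, cycle(repeating_key)))
```

Without known plaintext the attacker guesses the period by looking for the shift at which the ciphertext coincides with itself most often (index of coincidence) and then solves 495 independent single-byte XOR problems by frequency analysis, exactly as for a plain repeating key; the longer period only means more ciphertext is needed, not a different attack.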
Why do sites offer an MD5 hash of a file? How does that help you verify the integrity/source of the file? Wouldn't paying attention to your URL be enough security?
...
I'm trying to figure out how best to set up Authenticode signing at my workplace. The security implications are stressing me out.
My initial thought is that the person who controls the key should install it to the build server and secure it so that only the build account can access it.
This seems reasonably secure, but it actually isn...
I was just wondering why certain websites don't allow anything other than letters and numbers in the password field.
Is there a security reason, or perhaps it's just a limitation of the DB they are using? Thanks for the info.
Edit: It appears that Oracle's database doesn't acknowledge uppercase and lowercase? Is this true? I was told that...
Hi,
I have a question that is somewhat similar to this one (which was never answered):
http://stackoverflow.com/questions/989328/gwt-mark-of-the-web-motw
I have an Online Help package built using javascript/HTML. Other teams in my company make use of this package in their apps, swapping in the content they need. One team in particular...
Folks,
I am building a RESTful service that is secured by providing an XMLDSIG XML signature at the bottom of the XML document. When I send this document to the server, the WCF service is doing the XML de-serialization method on the HTTP payload to give me a C# class. Unfortunately for this de-serialization to occur properly, the C# cl...
Is there a good resource or list of known fixes for exploits in Drupal (including common modules) that I can use to close up holes in my sites?
I'm using 6.19 on all my sites, as well as making sure that any security updates for modules are installed immediately. Is there anything else I can realistically do? (Such as restricting access...
I have just read this article about Code Access Security. It has an example like this in it:
using System.Security.Permissions;
public class MyFileAccessor
{
public MyFileAccessor(String path, bool readOnly)
{
path = MakeFullPath(path); // helper fcn
FileIOPermissionAccess desiredAccess = readOnly
? FileIOPermissionA...
I'm writing a Safari extension and want it to behave differently when the user turns on Private Browsing mode (I want to respect this private mode).
I found no mention of this in Apple's docs.
I'm aware of the discussion in this thread:
Detecting if a browser is using Private Browsing mode
which suggests using a (browser-agnostic) js...
We're working on a site that will make use of the OFX standard to provide access to customer financial data. However, for security we make use of secret question/secret answer, machine tagging, etc. Does the OFX standard provide any mechanisms for security beyond just the simple username/password? I've taken a look at the schema and s...
I have a dedicated server hosted on Rackspace Cloud, and this morning as I was casually checking the Security event log, I saw a series of successful Logon events that are troubling. It appears random IPs are successfully "logging in" to my server somehow. How is this possible? I have a very strong Administrator password. Am I overre...
Hi,
I have created a form that inserts the entered data into the database. It works perfectly except when I put SHA1('$password') into the INSERT INTO ... VALUES tag. If I put only '$password' it works fine.
Putting SHA1 displays - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the r...
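Added example, not from the question above, of the structure a practitioner would use instead of building the INSERT string by hand: the password is hashed in application code (salted PBKDF2 here, as an illustrative choice) and the hash is bound as a query parameter, so the SQL text never contains user input and a quote in the password cannot alter the statement. It uses an in-memory SQLite database standing in for the MySQL one, and an assumed `users(username, password_hash)` table.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything needed
    to verify later. (Unsalted SHA1 as in the question is fast to brute-force
    and identical for identical passwords.)"""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    assert algo == "pbkdf2_sha256"
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_hash TEXT NOT NULL)")
    return conn


def create_user(conn, username, password):
    # Placeholders, not string interpolation: the driver sends the values
    # separately from the SQL, so quotes in the password are just data.
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 (username, hash_password(password)))
    conn.commit()


def check_login(conn, username, password):
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

The same shape applies to PHP with MySQL: hash in PHP (password_hash), then bind the hash with a prepared statement (mysqli or PDO) rather than interpolating it into the query text.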
We recently changed our login to use HTTPS, and we are experiencing issues with the login.
After the login, the user is redirected to an unencrypted (HTTP) page. When it reaches this page, the site checks if the user is logged in. It creates a new session and it appears that the user is not logged in, and thus our user is redirected to ...
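One common cause of exactly this symptom, shown as an added example rather than anything stated in the question: the session cookie is issued over HTTPS with the Secure attribute, and a browser never sends a Secure cookie on a plain HTTP request, so the HTTP page sees no session cookie and the framework starts a new, unauthenticated session. The simulation below applies that RFC 6265 rule to constructed Set-Cookie headers (cookie names and values are made up; Domain/Path matching is out of scope).

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers as a login response over HTTPS might emit
# them; the session cookie is marked Secure and HttpOnly.
LOGIN_RESPONSE_COOKIES = [
    "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly",
    "theme=dark; path=/",
]


def cookies_sent_for(set_cookie_headers, request_scheme):
    """Which of the stored cookies a browser attaches to a request made with
    the given scheme ('http' or 'https')."""
    sent = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"] and request_scheme != "https":
                continue  # RFC 6265: Secure cookies travel only over https
            sent[name] = morsel.value
    return sent


def session_id_for(set_cookie_headers, request_scheme):
    return cookies_sent_for(set_cookie_headers, request_scheme).get("ASP.NET_SessionId")


def is_logged_in(session_store, set_cookie_headers, request_scheme):
    """Server-side view: logged in only if the request carries a session id the
    server already knows. session_store is a set of valid ids."""
    sid = session_id_for(set_cookie_headers, request_scheme)
    return sid is not None and sid in session_store
```

The fix that keeps the security property is to serve every post-login page over HTTPS (redirect to the https:// URL after login) rather than to drop the Secure attribute, which would send the session id in the clear on every HTTP request and let anyone on the path hijack the session.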
I plan to use those functions in a web environment, so my concern is whether those functions can be exploited and used to execute malicious software on the server.
Edit: I don't execute the result. I parse the AST tree and/or catch SyntaxError.
This is the code in question:
try:
#compile the code and check for syntax errors
compil...
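Added example (not the asker's code, whose block above is cut off) of the parse-only check described in the edit: `ast.parse` builds the syntax tree without executing anything, so a payload that calls `os.system` is merely parsed. What remains exploitable is resource exhaustion in the parser itself, so the check bounds the source size and the tree depth and catches the errors CPython raises for pathological input (the limits and the constructed inputs are illustrative).

```python
import ast

# Constructed hostile input: syntactically valid, so the check accepts it,
# but nothing in it runs because the source is only parsed.
DANGEROUS_SOURCE = "import os\nos.system('echo pwned')\n"

MAX_SOURCE_BYTES = 100_000
MAX_TREE_DEPTH = 200


def _max_depth(tree):
    """Iterative depth walk so the check itself cannot hit the recursion limit."""
    best = 0
    stack = [(tree, 0)]
    while stack:
        node, depth = stack.pop()
        best = max(best, depth)
        for child in ast.iter_child_nodes(node):
            stack.append((child, depth + 1))
    return best


def check_syntax(source):
    """Return (ok, message). Equivalent to compile(..., flags=ast.PyCF_ONLY_AST)
    in that no bytecode is produced and no user code executes."""
    if len(source) > MAX_SOURCE_BYTES:
        return False, "source too large"
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as e:
        return False, f"SyntaxError: {e.msg} (line {e.lineno})"
    except ValueError as e:  # e.g. null bytes on older Pythons
        return False, f"rejected: {e}"
    except (RecursionError, MemoryError):
        return False, "input too deeply nested for the parser"
    depth = _max_depth(tree)
    if depth > MAX_TREE_DEPTH:
        return False, f"nesting depth {depth} exceeds limit"
    return True, "ok"
```

Keep the check strictly on the parse side: the moment the result of `compile()` is passed to `exec` or `eval`, none of the above helps, and the question becomes the much harder one of sandboxing Python, which this check does not attempt.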
I'm working on a web app that can allow the user to input some code, and it will be compiled and executed, and they can see the result. I'm coding the app in PHP and I need a way to ensure that if the user inputs some harmful code (this example is PHP), it can't execute and destroy my server. Example:
<?php
shell_exec('rm -rf /');
?>
...
I'm trying to use a Java applet for uploading files to my Rails application. However, I keep getting the following error and I can't figure out why:
Processing CategoriesController#upload_image (for 127.0.0.1 at 2010-10-18 20:32:54) [POST]
Parameters: {"partitionIndex"=>"0", "fileId"=>"8278320", "lastModified"=>"2010-09-18T14:31:...