There have been a few timely posts about IP security and the like, but none that I can find that specifically address an algorithm. In one of my current projects, we've decided to go the route of an offline registration key system.
I imagine most of our eventual user base will be honest, so I don't think we have too much to worry about....
Background:
I'm designing the authentication scheme for a REST web service. This doesn't "really" need to be secure (it's more of a personal project) but I want to make it as secure as possible as an exercise/learning experience. I don't want to use SSL since I don't want the hassle and, mostly, the expense of setting it up.
These SO q...
I am creating a store using Active Merchant and PayPal sandbox right now. It seems to be working fine, but I don't think it is even remotely secure. I don't really know too much about HTTPS and how to implement secure connections.
I am currently passing the credit card and billing information in the session (probably not the smartest i...
I have an ASP.NET MVC application that I'm working on. I've been developing it on Windows Server 2003 with IIS6 and SQL 2008 Express, and everything was working great. I recently decided to try out the Windows 7 beta, so now I'm using IIS7, and have run into a problem with connectivity to my database that I can't seem to figure out.
I c...
I have a Silverlight application that communicates with an ASP.NET backend through WCF. I have a set of DataContract objects that I defined that (for the most part) match my LINQ to SQL generated types that my ASP.NET backend works with. My WCF code generates instances of my DataContract objects from LINQ to SQL generator types when I ...
I like to post links to Secunia search results to demonstrate (in numbers) how insecure a certain CMS (or blogging software) is.
See http://stackoverflow.com/questions/447878/what-are-some-of-drupals-shortcomings#450002
But there was an interesting comment to this answer:
Eaton:
It's also important to note that
Secunia only pub...
What are some methods to prevent screenshots from being taken, if any?
I've considered setting the "Print Screen" button as a hotkey, which makes the window fuzzy. However, there would be the problem of other 3rd party screenshot tools. How can I prevent their use?
Why would I want such a thing?
The idea is to create a chat client wh...
I want to make sure a file path set via query string does not go outside of the desired subdirectory. Right now, I am checking that:
The path does not start with "/", to prevent the user from giving an absolute path.
The path does not contain "..", to prevent the user from giving a path that is outside of the desired subdirectory.
The...
In the CLR, is a local copy of an exe created when running the exe from a remote folder?
If yes, where?
...
I am trying to programmatically allow write access to the ASPNET account on a directory. I am using the following code to do this (please note that I want the "write access allowed" for ASPNET to be propagated to the child objects as well):
static void Main(string[] args)
{
FileSecurity fileSecurity;
...
On more than one occasion I've been asked to implement rules for password selection for software I'm developing. Typical suggestions include things like:
Passwords must be at least N characters long;
Passwords must include lowercase, uppercase and numbers;
No reuse of the last M passwords (or passwords used within P days).
And so on....
I moved a Subversion repository from a Windows box to a UNIX machine. In both environments I've handled authentication through Apache.
On the UNIX box after the move, I could checkout source but received the following error when committing anything:
svn: Can't open file '/home/brianly/svn/test/db/txn-current-lock': Permission denied
...
Silly question: Does Apple provide specific guidelines for contacting servers via http vs https? Also, what data is considered to require https (i.e. password, geopoint, bank data, etc.)? Is there a concrete guideline from Apple on this? More specifically, does anyone know exactly how Apple checks/verifies that an application should or shou...
How are buffer overflows used to exploit computers?
How is one able to execute arbitrary code simply by causing stack or heap overflows?
I understand that portions of the program's memory are overwritten that aren't supposed to be, but I don't see how this leads to one executing their own code. Also, must the 3rd party's malicious co...
What is the most secure and easier way to send approx. 1000 different records into database that is not directly accessible - MySQL database on Web provider's server - using Windows application.
Data will be stored into different tables.
Edited:
The application will be distributed to users who have no idea what is database or putty or...
Following on from this question...
I have long been of the opinion that the time and resources it would take to write a piece of malicious software, of whatever type, could better be spent on other things. However, as a developer I am constantly worried about the possible security flaws in systems I work on.
Of course I know about vali...
What is the best book to read about security issues that should be kept in mind while programming?
What should a C++ programmer know about security?
Is it worth buying any one of the following books? If so, which one should I get?
Secure Coding In C & C++
Secure Programming Cookbook for C and C++
Writing Secure code
...
I recently joined a firm and when analyzing their environment I noticed that the SharePoint web.config had the trust level set to Full. I know this is an absolutely terrible practice and was hoping the stackoverflow community could help me outline the flaws in this decision.
Oh, it appears this decision was made to allow the develope...
We are currently trying to implement a web application which is using the J2EE authentication mechanism with a FORM-based login, inside the Websphere 6.1 web container. If the authentication is successful, we have everything working; the LDAP membership groups are being retrieved, the group to role mapping is being performed, and the ro...
Hello
Problem:
I can add+use performance counters in w2k8 with normal user privileges.
If I try to create or access a Process performance counter, I get a message that the counter does not exist.
Same thing can be tried out in a powershell, a message appears that the counter does not exist.
If I do the same thing as Administrator ac...