I am trying to expose a WCF REST service so that only users with a valid username and password would be able to access it. The username and password are stored in a SQL database.
Here is the service contract:
public interface IDataService
{
[OperationContract]
[WebGet(ResponseFormat = WebMessageFormat.Json)]
byte[] GetData(doubl...
Let's say I have two machines, A and B, on the public internet (not an intranet).
Machine A has a web server that hosts unencrypted images of confidential documents.
Machine B hosts an ASP.net or Java servlet page for allowing manipulations of those images.
The URL of media on Machine A can be passed to the page on Machine B, which ca...
Let's say I'm running a hosted service that wishes to allow plugins written by third-party clients.
Perhaps a gaming service provider that provides infrastructure but allows clients to develop their own game referees. Or, a coding competition site that allows coders to submit code to be run as their solution to some coding problem.
...
Hi,
Disclaimer: I have limited ASP.Net skills
I have a couple of websites which I am transferring from my current hosting onto the Mosso hosting service. When I tried transferring one of the websites, I got the error "System.Security.SecurityException: That assembly does not allow partially trusted callers.", which appears to have to d...
Hi
I bought a book on Amazon which was meant to prepare me for the 70-536 exam. I found some information in it which is a bit confusing to me. Let me quote it - I will place my questions inline.
To understand how security policies are used, consider an application developer who wants to play with an assembly she downloade...
Hi
What is the purpose of the following piece of code?:
object[] hostEvidence = {new Zone(SecurityZone.Internet)};
Evidence internetEvidence = new Evidence(hostEvidence, null);
AppDomain myDomain = AppDomain.CreateDomain("MyDomain");
myDomain.ExecuteAssembly("SecondAssembly.exe", internetEvidence);
As far as I know, the CLR automatic...
How do you protect non-open source code against leaks?
Today with technologies such as USB drives, Internet drives and E-mail, how do people protect software assets?
...
I don't claim to be an expert in security but it seems to me that adding a salt doesn't really make a huge difference.
For example, if the password of the user is john1970 and the salt is 123456, this means that the password is 123456john1970, while this makes things harder for an attacker (if using a dictionary attack, e.g. rainbow tab...
Hello,
Imagine you have an ASP.NET based website that users have to authenticate for to get access. The user data (such as username, password and other information relevant for the website) is stored in a Microsoft Sql database.
I know that it is possible to write a custom membership provider to create my own authentication method.
H...
According to http://support.microsoft.com/kb/883792 , MS can detect installed AV using either WMI or a manual method involving registry keys that MS knows about. Is there an API to access this functionality?
...
Can anyone recommend a way in Windows XP or later to make it possible for users to access cmd.exe while locking out the ability to use type?
...
We are developing a J2EE application backed by any database of the customer's choice. We will sell to customers based on a per-user license price. How do I make sure the application is getting used as per our conditions, i.e., is not easily hackable? Are there any tutorials available?
...
I am interested in why AntiForgeryToken isn't included in every ASP.NET MVC form by default. It seems the pluses of always including it outweigh the possible disadvantages. And this behaviour could be disabled in case of need, like the HttpRequestValidationException for Web Forms.
...
I am in the process of configuring a production web server running Debian 5.0. How do you keep an apt-based distro up to date? Is there any best practice or magical way of doing it? Logging in via SSH and running apt-get upgrade manually seems irrational.
EDIT:
After some discussion in the comments I am now deciding to upgrade the serv...
Hi,
I think I'm going to have to use the Crypto libraries in my iPhone application. I wanted to ask you about the implications regarding the crypto export policy applied by Apple. Do I need to do something extra (such as filling in forms etc.)?
1) If I use hashing with MD5.
2) If I use symmetric encryption.
Thanks,
...
Hello,
I've just started learning SSL, and boy is it confusing.
Q1 - How long does SSL connection between a client and server persist? Until client surfs to some other URL or…?
Q2
A) Assume a client (browser) establishes an SSL connection with an IIS server.
Now how does IIS figure out on each postback that it is dealing with sa...
HttpContext.Current returns an IPrincipal object that represents the security context of the current user. I understand the principal object combines the identity of a user with other information, such as roles, privileges etc.
But why do we say it represents the current context of the user? Why not just say it represents a user? Is there a part...
Pros:
I can't remember "good" passwords anyway, so remembering them is not an issue.
They don't look like passwords.
They are darn near impossible to guess (128 bits of entropy).
Easy to generate (offloads the "good PRNG" problem).
Cons:
???
In particular, what about passwords that computers enter, like for database logins on som...
Are there any open source centralized authorization services available? There are lots of solutions for centralizing the authentication information (eg: CAS and JOSSO), but what about the authorization information?
There are some really good authorization frameworks (eg: Spring Security (formerly Acegi) and Seam Security), but it seems...
This is probably a stupid question, but how much of a security risk is it to set my web server SSL configuration (e.g. keystore password) via System.setProperty...
If I did something like:
System.setProperty("javax.net.keyStorePassword", "password");
Is that likely to cause a security problem?
Is there a way to safeguard against t...