security

Java Applet - Partially Signed?

Is it possible to sign only part of an applet? I.e., have an applet that pops up no security warnings about being signed, but if some particular function is used (that requires privileges) then use the signed jar? From what I can tell, some (perhaps most) browsers will pop up the warning for a signed applet even if you don't request priv...

Fighting with Protected Mode in Vista

Our application commonly used an ActiveX control to download and install our client on IE (XP and prior), however as our user base has drifted towards more Vista boxes with "Protected Mode" on, we are required to investigate. So going forward, is it worth the headache of trying to use the protected mode API? Is this going to result in ...

Verified channel to server from app on iPhone

I'm working on a game for the iPhone and would like it to be able to submit scores back to the server. Simple enough, but I want the scores to be verified to actually come from a game-play. With the (de facto) prohibition on real crypto with the export conditions, what would be the best way to get information back in a secure/verified c...

Granting access to hundreds of SPs??

In SQL Server 2000/2005, I have a few NT user groups that need to be granted access to hundreds of stored procedures. Is there a nice easy way to do that? ...

Looking for DoS/DDoS protection tools and strategies

I am working on a Java application that exposes web services for a Flash client. Any idea on how to prevent DoS/DDoS attacks? I cannot use mechanisms unfriendly to the end user such as CAPTCHA. So far I have found mod_evasive, an Apache module which looks quite promising... Any suggestions, best practices, tools I might use? Thanks in a...

How do I create a self-signed certificate for code signing on Windows?

How do I create a self-signed certificate for code signing using tools from the SDK? ...

How do I erase my disk? (In a secure way) (Ubuntu)

I mean really erase. In a secure way. (It's Ubuntu) UPDATE: Ok, "shred -vfz -n 10 /dev/hda" looks like what I was after. ...

OpenID providers - what stops malicious providers?

So I like the OpenID idea. I support it on my site, and use it wherever it's possible (like here!). But I am not clear about one thing. A site that supports OpenID basically accepts any OpenID provider out there, right? How does that work with sites that want to reduce bot-signups? What's to stop a malicious OpenID provider from s...

Why is using Javascript eval function a bad idea?

The eval function is a powerful and easy way to dynamically generate code so what are the caveats? ...

What identifying information can a website capture?

If the owner of a web site wants to track who their users are as much as possible, what things can they capture (and how). You might want to know about this in order to capture information on a site you create or, as a user, to prevent a site from capturing data on you. Here is a starting list, but I'm sure I have missed some important ...

What are the major vulnerabilities of Windows 2003 + Apache?

I am searching for a host for a new commercial website. Among other things, I'd like to know what the various OS - Webserver combinations have in terms of vulnerabilities. What are the vulnerabilities of Windows 2003 + Apache? ...

What are the major vulnerabilities of Redhat + Apache?

I am searching for a host for a new commercial website. Among other things, I'd like to know what the various OS - Webserver combinations have in terms of vulnerabilities. What are the vulnerabilities of Redhat + Apache? ...

What should you do when coming across a publicly accessible security vulnerability?

I was browsing and came across a rather back-end state-government site that's vulnerable to SQL injection. (Searching for a ' yielded an error, and I toyed around with it until I got a list of tables.) I know the proper thing to do is to alert the webmaster of the problem, but I've had bad luck simply sending an email. I've done this ...

What's a good way to trim the GUI of an ASP.NET website?

I've been trimming the UI of our website by doing the following in the onload event of that control: btnDelete.isVisible = user.IsInRole("can delete"); This has become very tedious because there are so many controls to check again and again. As soon as I get it all working, designers request to change the UI and then it starts all ov...

(Security) Should I reject URLS longer than N?

I am trying to write an application that uses pretty URLs or REST (still learning what this entails). Anyway, my URLs look like www.foo.net/some_url/some_parameter/some_keyword. I can be sure a URL will never exceed N characters. Should I validate the URL length with every request in order to protect against buffer overflow/injection atta...

Why is my programmatically created user missing from the Welcome screen?

I have a program that creates a Windows user account using the NetUserAdd() API which is suggested by Microsoft. The user is created successfully, and I can log in as that user. However, on Windows XP, the newly-created user is missing from the Welcome screen. If I disable the Welcome screen, I can log in as the new user by typing the...

What is best practice for large file transfer - SFTP or asymmetric file encryption?

Which is generally considered "best practice" when wanting to securely transmit flat files over the wire? Asymmetric encryption seems to be a pain in that you have to manage keysets at endpoints and make sure that the same algorithm is used by all clients, whereas SFTP seems to be a pain because of NAT issues with encrypting the contro...

How To Tell What Files IE Thinks Are "nonsecure"?

We have a CMS system whose web interface gets served over HTTPS. This works beautifully for Firefox, but when we load it in IE6 or IE7, it complains that "This page contains both secure and nonsecure items." I've loaded the page in Firefox and checked with Firebug, and every connection seems to be going through HTTPS, as should be the c...

How to prevent others from using my .Net assembly?

I have an assembly which should not be used by any application other than the designated executable. Please give me some instructions to do so. ...

What exactly is SQL Server 2005 User Mapping?

In the new login dialog of the SQL Server 2005 Management Studio Express, what is the User Mapping actually doing? Am I restricting access to those databases that are checked? What if I check none? ...