Search Results

Search found 103784 results on 4152 pages for 'engr am'.

Page 191/4152 | < Previous Page | 187 188 189 190 191 192 193 194 195 196 197 198  | Next Page >

  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question, but I thought I did indeed postulate one. So that there is no ambiguity, here is the question with a lead-in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does anyone see any other way, other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_token, that will ensure unique, untampered-with security by the user? Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for anyone to see. This access_token is appended to any https call to the Facebook OpenGraph API. Using Facebook as a single click log on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination, and after reviewing the FB.Init calls I saw a lot of HTTPS calls, so I assumed the access_token was always encrypted. But last night I saw in the status bar a call that was simply an http call that included the App ID, so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast, and in the attached image you can see that there are http calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something? Is what I am seeing and my interpretation really correct? If anyone can sniff and get the access_token they can theoretically make calls to the Graph API via https, even though the callback would still need to be the site established in Facebook's application setup. But what is truly a security threat is anyone using the access_token for access to their own site.
I do not see the value of a single sign on via Facebook if the only thing that was established as secure was the access_token, because from what I can see it clearly is not secure. Access tokens that never have an expiry date do not change. Access_tokens are different for every user, so access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back and re-ran the canvas application to verify that it was not any of my code that was broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 The USER ID is clearly visible in the cookie. So USER_IDs are fully visible, but they are already. Anyone can go to pretty much anyone's page and hover over the image and see the USER ID. So no big threat. APP_IDs are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook initiated call. Am I wrong? TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server and my Facebook server side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don't know that could come back and bite me.
Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie, contains the access_token, session, a secret, and uid and status of the connection. The session object is structured such that it supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much all that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So anyone with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think; it tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third party database, i.e., like in my case, I would use a single sign on to populate user information into my database using this unique secured data item (i.e., access_token which contains the APP ID, the USER ID, and a hashed with secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with the secret, make HTTPS calls, get HTTPS responses back.
When a user has information entered via the USER AGENT (browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that it is validated prior to database insertion. However, if there is NO secured piece of unique data that is supplied via the single sign on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. It is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If, however, it is subsequently transmitted in the clear and I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above, and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database; or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that.
I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign on process or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

  • To display the images in mobile devices is it necessary that the images should resides on device in

    - by Shailesh Jaiswal
    I am developing a smart device application in C#. In this application I have some images which I display on the emulator from my application. To display the images on the emulator I need to create one folder of images which resides on the emulator. Only after that am I able to display the images in the emulator. I am able to create the folder in the emulator by using File-Configure-General-Shared Folder. For sharing the folder I give the path of the folder which contains the images. Once I share the folder, the folder of images which resides in my application gets copied to the emulator with the name "Storage Card". Now I need to use the path as Bitmap bmp=new Bitmap(@"/Storage Card/ImageName.jpg"); Now I am able to display the images in the emulator. Can we display the images in the emulator without any image folder which resides on the emulator (so that we don't need to place the image folder in the emulator as in the above case by sharing the folder)? If the answer is no, then to run the application on different mobile devices we need to place the folder which contains the images on the different mobile devices. Isn't it? If the answer is yes, then how can we display the images on different mobile devices from our application without placing any folder of images on the mobile devices?

  • Controlling the USB from Windows

    - by b-gen-jack-o-neill
    Hi, I know this probably is not the easiest thing to do, but I am trying to connect a Microcontroller and PC using USB. I don't want to use the internal USART of the Microcontroller or a USB to RS232 converter; it's a project intended to help me understand various principles. So, getting the communication done from the Microcontroller side is a piece of cake - I mean, when I know the protocol, it's relatively easy to implement it on the Micro, because I am in direct control of everything, even precise timing. But this is not the case for the PC. I am not very familiar with the concept of Windows handling the devices connected. In one of my previous questions I asked about how Windows works with devices thru drivers. I understood that for internal use of Windows, drivers must have some default set of functions available to the OS. I mean, when the OS wants to access the HDD, it calls the HDD driver (which is probably internal in the OS), with specific "questions", so that means that the HDD driver has to be written to cooperate with Windows, to have the write function in the proper place to be called by the OS. Something similar goes for the GPU, even DirectX; I mean DirectX must call specific functions from drivers, so drivers must be written to work with DX. I know many functions from WinAPI work on their own, but even a "simple" window must in the end be written into the framebuffer, using MMIO to an address specified by drivers. Am I right? So, I expected that Windows has internal functions, parts of WinAPI designed to work with certain commonly used things, to call manufacturer-designed drivers. But this seems to not be entirely true because Windows has no way to communicate thru the Parallel port. I mean, there is no function in the WinAPI to work with the serial port, but there are functions to work with HDD, GPU and so on. But now there comes the part I am getting very lost at. So, I think Windows must have some built-in functions to communicate thru USB, because for example it handles USB flash memory.
So, is there any WinAPI function designed to let the user operate USB thru that function, or when I want to use USB myself, do I have to call the desired USB-driver function myself? Because all you need to send to the USB controller is the device address and the information, right? I mean, I don't have to write any new drivers, am I right? Just call a WinAPI function if there is such, or directly call the original USB driver. Does any of this make some sense?

  • Disable source of the asp.net page

    - by Zerotoinfinite
    Hi All, I have developed my application in asp.net 3.5 and C#. I have deployed my application on the internet, and now when I go to the source of the page, I am able to see all my asp.net controls defined [i.e. my aspx page]. Is there any way I can hide it so that the user can't see the source of my page [except by right click of the mouse], or at least display it in pure HTML form so that people cannot identify that I am using asp.net? Thanks in advance

  • How can I add a class to my flash cs4?

    - by WarrenFaith
    I am about to create a simple demo in flash where I have 3 layers, 3 keyframes. Currently I just use some simple gotoAndStop() to move to the next keyframe. But now I need a custom event to do that, and I can't create a class inside the action of a keyframe, so I am not able to create a custom event. I just have AS3 developing experience in flex so far. Thanks in advance.

  • Creating attribute sets and attributes programmatically magento

    - by digital_paki
    I am using the code listed on the following link: http://www.magentocommerce.com/wiki/5_-_modules_and_development/catalog/programmatically_adding_attributes_and_attribute_sets Everything works until this point:
        // Just add a default group.
        else {
            $this->logInfo("Creating default group [{$this->groupName}] for set.");
            $modelGroup = Mage::getModel('eav/entity_attribute_group');
            $modelGroup->setAttributeGroupName($this->groupName);
            $modelGroup->setAttributeSetId($id);
            // This is optional, and just a sorting index in the case of
            // multiple groups.
            // $modelGroup->setSortOrder(1);
            $model->setGroups(array($modelGroup));
        }
    I am unsure where the object reference would need to be set from - I am attempting to have this as a separate file that can be automated - I am running this file by doing a require_once 'app/Mage.php'; Mage::app(); Any help in this would be greatly appreciated. Thanks

  • Log files legal aspect?

    - by relwarc
    I like data. That is why I add a standalone PHP script which logs all relevant HTTP variables like: Date of visit IP User-agent Request URI Referer Am I allowed to store all this in non-public text files? Am I allowed to evaluate the data? What am I allowed to do with the log files? Do I have to delete them after some time?

  • PHP: Check if 0?

    - by tarnfeld
    Hi, I am using a class which returns me the value of a particular row and cell of an excel spreadsheet. To build up an array of one column I am counting the rows and then looping through that number with a for() loop and then using the $array[] = $value to set the incrementing array object's value. This works great if none of the values in a cell are 0. The class returns me a number 0 so it's nothing to do with the class, I think it's the way I am looping through the rows and then assigning them to the array... I want to carry through the 0 value because I am creating graphs with the data afterwards, here is the code I have.
        // Get Rainfall
        $rainfall = array();
        for($i=1;$i<=$count;$i++)
        {
            if($data->val($i,2) != 'Rainfall') // Check if not the column title
            {
                $rainfall[] = $data->val($i,2);
            }
        }
    For your info $data is the excel spreadsheet object and the method $data->val(row,col) is what returns me the value. In this case I am getting data from column 2. Screenshot of spreadsheet http://cl.ly/1Dmy Thanks! All help is very much appreciated!

  • PHP CURL works fine from localhost not from server

    - by Joby Joseph
    I have 2 servers, srv1 and srv2. All client sites are stored in srv2 and all authentication details are stored in srv1. Each time a client site is loaded, the site in srv2 sends a curl request to srv1 to validate. I am always getting bool(false) when I print the curl response using var_dump. But if I am requesting validation from my local wamp installation (localhost) it is perfectly returning the response. According to my understanding srv2 is blocking srv1 ip or something like that. Any help or suggestions will be greatly appreciated. The solution is really urgent as all my clients are stuck with an invalid authorization message. Edit: Now when I tested, curl in srv2 is working fine, I think, because I am able to fetch other websites without any trouble. But I am not able to fetch data from srv1. I can view a page from srv1 through the browser URL but not through curl.

  • NSMutableRequest sdk problem

    - by user2164
    Hi, I am trying to make a web call with the iPhone. I have done this before and it works fine but now I can't make it work. I am trying to use the following method call which the documentation says is available in 2.0 and later:
        - (void)addValue:(NSString *)value forHTTPHeaderField:(NSString *)field;
    I am attempting to build for version 3.2 and 4.0.
        NSMutableURLRequest *request = [NSURLRequest requestWithURL:url cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:30];
        [request addValue:@"0" forHTTPHeaderField:@"Content-Length"];
    The error that I'm getting is a runtime error that says "-[NSURLRequest addValue:forHTTPHeaderField:]: unrecognized selector sent to instance 0x600e0c0". Can anyone tell me what I am missing that stops this code from working? Thanks.

  • XAML-based applications - Event Naming Conventions for C#

    - by user118190
    For event handling, I am starting to see many coders doing this:
        XButton.Click += OnXButtonClicked()
        ...
        void OnXButtonClicked() { ... }
    Where did this On_ convention come from? It just doesn't feel right in terms of methods. I am starting to see this as well and am wondering what others thought:
        XButton.Click += HandleXButtonClick()
        ...
        void HandleXButtonClick() { ... }
    When using intellisense, Visual Studio handles these like so:
        XButton.Click += XButton_Click;
        ...
        void XButton_Click(object sender, RoutedEventArgs e) { ... }
    I am seeking some advice on these naming conventions and would greatly appreciate some advice.

  • How can I create a menu in the start menu for my program?

    - by Joe
    This may be an easy question but I am not even sure of the terminology to search, so I have to ask. I want my program to have a menu when it is hovered over if it is pinned to the start menu. I am attaching a screenshot where Windows PowerShell illustrates this function and presents a list of tasks. Other programs sometimes use this to list recently opened files, etc. I am sure this is standard enough that there is a tutorial on it somewhere; would someone mind pointing me to it, or explaining how to do this? I hope that it doesn't matter too much what language is used, but I am proficient in Delphi, C++, and C#.

  • Yet another question about C++ books..

    - by suicideducky
    Intro rant Hey all, so after just over a year of browsing I decided it's time to ask a question for myself; it's sadly similar to many that have been asked before. I'm 18, am studying towards a BSc in Comp Sci and have been programming 'on and off' for about 6 years now. After wrestling with C++ for a bit, then stumbling upon (and reading cover to cover) "Programming: Principles and Practice Using C++" by the great man himself, I feel pretty comfortable with C++; I am almost finished writing my first open source program in C++ (a mediawiki parser, http://code.google.com/p/apertium-mediawiki/). I have decided I want to really get to know the power of C++, get familiar with some of its 'darker' corners and also delve into game programming. At this point I am rather keen on the book "Essential 3D Game Programming: with C++ and OpenGL" (released 24 May '10); I would also like to get 1 or 2 other books on 'general C++' that I can read cover to cover during my spare time. At this point I am pretty open to suggestions; I would like something in the intermediate/advanced zone. Some books I am rather keen on include: The C++ Standard Library: A Tutorial and Reference, C++ Templates: The Complete Guide, and Modern C++ Design: Generic Programming and Design Patterns Applied. Thanks in advance.

  • Why use Entity Framework over Linq2SQL if...

    - by Refracted Paladin
    To be clear, I am not asking for a side-by-side comparison, which has already been asked ad nauseam here on SO. I am also not asking if Linq2Sql is dead, as I don't care. What I am asking is this.... I am building internal apps only for a non-profit organization. I am the only developer on staff. We ALWAYS use SQL Server as our Database backend. I design and build the Databases as well. I have used L2S successfully a couple of times already. Taking all this into consideration, can someone offer me a compelling reason that I should use EF instead of L2S? I was at Code Camp this weekend and after an hour long demonstration on EF, all of which I could have done in L2S, I asked this same question. The speaker's answer was, "L2S is dead..." Very well then! NOT! (see here) I understand EF is what MS WANTS us to use in the future (see here) and that it offers many more customization options. What I can't figure out is if any of that should, or does, matter for me in this environment. One particular issue we have here is that I inherited the Core App which was built on 4 different SQL Databases. L2S has great difficulty with this, but when I asked the aforementioned speaker if EF would help me in this regard he said "No!"

  • How do I get the Bake console for CakePHP?

    - by ggfan
    I am having trouble getting the Bake console. I am on Windows running xampp. I'm doing the IBM CakePHP tutorial. Here is my directory:
        C:\
          xampp
            htdocs
              ibm2 (a test project--originally called cakephp)
                app
                cake
                vendors
                (etc)
    It says: To use Bake, cd into the /webroot/app directory and launch the Cake Console: ../cake/console/cake bake. You should be presented with a screen that looks like Figure 2. So I type in my command prompt until I am at: C:\xampp\htdocs\ibm2\app Then I type ../cake/console/cake bake but I get this error: '..' is not recognized as an internal or external command, operable program or batch file. What am I doing wrong? I use the Windows command prompt.

  • Caching result of SELECT statement for reuse in multiple queries

    - by Andrew
    I have a reasonably complex query to extract the Id field of the results I am interested in based on parameters entered by the user. After extracting the relevant Ids I am using the resulting set of Ids several times, in separate queries, to extract the actual output record sets I want (by joining to other tables, using aggregate functions, etc). I would like to avoid running the initial query separately for every set of results I want to return. I imagine my situation is a common pattern so I am interested in what the best approach is. The database is in MS SQL Server and I am using .NET 3.5.

  • Split by Caps in Javascript

    - by user1294188
    I am trying to split up a string by caps using Javascript. Examples of what I'm trying to do: "HiMyNameIsBob" -> "Hi My Name Is Bob" "GreetingsFriends" -> "Greetings Friends" I am aware of the str.split() function; however, I am not sure how to make this function work with capital letters. I've tried: str.split("(?=\\p{Upper})") Unfortunately that doesn't work; any help would be great.

  • Eclipse + CVS use custom commit

    - by WizKiranPuttur
    Hi All, My admin has set up the "cvs commit" in a very non-traditional way; instead of typing "cvs commit" I use the admin-provided "scriptname modified file" to check in the file to CVS. I am using Eclipse for my day to day work and till now I am using the Eclipse CVS Plugin to checkout the repo, update, compare, etc. and use the command line to check in. I am getting annoyed by having to go to the command line to do the commit; is there any way I can make Eclipse, when I say commit, invoke the admin script instead of "cvs commit"? I spoke to the Admin and moving this under the cvs pre-commit hooks is not an option. What can I do? I know a fair amount of "Java"; I am willing to do some changes to the CVS plugin if I know how and where. Thanks

  • mysql insert with auto-increment column

    - by czuroski
    Hello, I am trying to insert data into a mysql table from a csv file. I am using the infile sql command, but I am having trouble because the first column of the table is an id that is set as an auto increment field. What do I have to set my first column value to in order to get this to work, or can I do it at all? Thanks

  • EXC_BAD_ACCESS from AudioBuffer

    - by jfalexvijay
    I am trying to do the recording using AudioUnit for an iPhone app. Changes: (start) I have added the following code
        bufferList = (AudioBufferList *)malloc(sizeof(AudioBuffer));
        bufferList->mNumberBuffers = 1;
        bufferList->mBuffers[0].mNumberChannels = 2;
        bufferList->mBuffers[0].mDataByteSize = 1024;
        bufferList->mBuffers[0].mData = calloc(256, sizeof(uint32_t));
    Changes: (end)
        static OSStatus recordingCallback(void *inRefCon, AudioUnitRenderActionFlags *ioActionFlags, const AudioTimeStamp *inTimeStamp, UInt32 inBusNumber, UInt32 inNumberFrames, AudioBufferList *ioData) {
            OSStatus status;
            status = AudioUnitRender(appdelegate->audioUnit, ioActionFlags, inTimeStamp, inBusNumber, inNumberFrames, appdelegate->bufferList);
            if(status != 0) NSLog(@"AudioUnitRender status is %d", status);
            SInt16* samples = (SInt16*)(ioData->mBuffers[0].mData);
            .....
        }
    fixed: (I am getting OSStatus -50 error code) - Because I didn't initialize the bufferList. I am getting EXC_BAD_ACCESS from AudioBuffer (ioData->mBuffers[0].mData). I am not sure about this error. Please help me to resolve it.
