Search Results

Search found 95527 results on 3822 pages for 'the curious one'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 412/3822 | < Previous Page | 408 409 410 411 412 413 414 415 416 417 418 419  | Next Page >

  • Basic visual studio intellisense question

    - by maxp
    Ive used visual studio for years, but the answer this eludes me: When intellisense pops up, for a method call that takes more than one parameter, the summary for the first parameter is shown. The only way i've found to show the summary for the following parameter(s) is to either supply each parameter or just hit comma until i get the one im looking for. Ive tried ctrl+right arrow, shift + right arrow etc etc, without success. Just curious is all.

    Read the article

  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question but I thought I did indeed postulate one. So that there is no ambiquity here is the question with a lead in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does any one see any other way other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_toekn, that will insure unique untampered with security by the user? Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for any one to see. This access_token is appended to any https call to the Facebook OpenGraph API. Using facebook as a single click log on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination and after reviewing the FB.Init calls I saw a lot of HTTPS calls so I assumed the access_token was always encrypted. But last night I saw in the status bar a call from what was simply an http call that included the App ID so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast and in the attached image you can see that there are http calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something, is what I am seeing and my interpretation really correct. If any one can sniff and get the access_token they can theorically make calls to the Graph API via https, even though the call back would still need to be the site established in Facebook's application set up. But what is truly a security threat is anyone using the access_token for access to their own site. I do not see the value of a single sign on via Facebook if the only thing that was established as secure was the access_token - becuase for what I can see it clearly is not secure. Access tokens that never have an expire date do not change. Access_tokens are different for every user, to access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back an re ran the canvas application to verify that it was not any of my code that was not broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 The USER ID is clearly visible in the cookie. So USER_ID's are fully visible, but they are already. Anyone can go to pretty much any ones page and hover over the image and see the USER ID. So no big threat. APP_ID are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook initiated call. Am I wrong. TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server and my Facebook server side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don’t know that could come back and bite me. Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie contain the access_token, session, a secret, and uid and status of the connection. The session object is structured such that is supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much al that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So any one with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think, tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third party data base, i.e., like in my case, I would use a single sign on to populate user information into my database using this unique secured data item (i.e., access_token which contains the APP ID, the USER ID, and a hashed with secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with secret, make HTTPS calls, get HTTPS responses back. When a user has information entered via the USER AGENT(browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that they are validated prior to data base insertion. However, If there is NO secured piece of unique data that is supplied via the single sign on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. it is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If however, it is subsequently transmitted in the clear and if I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database, or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that. I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign on process or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

    Read the article

  • is depth buffers mandatory

    - by numerical25
    I am just trying to better understand the directX pipeline. Just curious if depth buffers are mandatory in order to get things work. Or is it just a buffer you need if you want objects to appear behind one another.

    Read the article

  • File structure for PHP-based website.

    - by John Berryman
    I'm building a PHP-based web app for the first time and I haven't found anything to pattern it after. At this point I'm mostly curious about how the files should be arranged into directories so that development of the website can be manageable. This includes javascript scripts, images, stylesheets, cgi scripts, html files, pure php files that define common functions, etc. Question: Can someone point me to an explanation about how such a website is typically organized on the server?

    Read the article

  • .NET Based Radio Automation

    - by Brent Pabst
    I'm curious if anyone has seen an Open Source radio automation package (I found one in Russian on CodePlex) built on .NET In addition if I wanted to build something like this in a client server environment is WCF and WPF the best way to do it? Is it fast enough to trigger songs to play/encode on the server from a remote WPF client? Sort of vague questions but I wanted to get some community feedback.

    Read the article

  • Strategy for wiring up events?

    - by Jeffrey Cameron
    I'm using Ninject (1.5 ... soon to be 2) and I'm curious how other people use Ninject or other IoC containers to help wire up events to objects? It seems to me in my code that I'm doing it herky-jerky all over the place and would love some advice on how to clean it up a bit. What are people doing out there to manage this?

    Read the article

  • Can an html element have multiple ids?

    - by webmat
    I understand that an id must be unique within an HTML/XHTML page. My question is, for a given element, can I assign multiple ids to it? <div id="nested_element_123 task_123"></div> I realize I have an easy solution with simply using a class. I'm just curious about using ids in this manner.

    Read the article

  • why no += operator for vectors in stl

    - by Akshay Bhat
    I am curious? What high fundu logic goes behind not implementing: result+=vector1; where both result and vector1 are stl vectors. Note: i know how to implement that bit, but i need to know what logic, the sages who designed STL were using when they chose not to implement this feature?

    Read the article

  • More dry views?

    - by Pravin
    I have a simple index page for clients. Client has 20 fields. I am displaying list of clients in a table. For this I have to write in my views something like: - @clients.each do |client| %tr %td=client.name %td=client.email %td=client.address %td=client.phone etc... I am just curious if I can do it something like - @clients.each do |client| - client do %tr %td= name %td= email %td= address %td= phone etc...

    Read the article

  • Sharing code between Android and Windows Mobile

    - by reuscam
    I'm doing some initial research on smart phone development, and I noticed that Android and Windows Mobile both support c++ for application development. I was curious if anyone had any experience trying to manage shared files between both Android and Windows Mobile, and to what extent that code can be shared? e.g. no user interface can be shared, but web service and business logic classes can be shared, etc.

    Read the article

  • Three-way full outer join in SQLite

    - by Vince
    I have three tables with a common key field, and I need to join them on this key. Given SQLite doesn't have full outer or right joins, I've used the full outer join without right join technique on Wikipedia with much success. But I'm curious, how would one use this technique to join three tables by a common key? What are the efficiency impacts of this (the current query takes about ten minutes)? Thanks!

    Read the article

  • C++ - gcc-specific warnings

    - by HardCoder1986
    Hi! Got the following warning output when using GCC 4.5.0 & MinGW. Warning: .drectve `-aligncomm:___CTOR_LIST__,2 ' unrecognized Warning: .drectve `-aligncomm:___DTOR_LIST__,2' unrecognized What does it mean? I guess it's version-specific, because GCC 4.3.4 under cygwin didn't give that warning on the same project. If anyone had the following output (just curious that's that about), please advise me what to do.

    Read the article

  • Pi/Infinite Numbers

    - by Ben Shelock
    I'm curious about infinite numbers in computing, in particular pi. For a computer to render a circle it would have to understand pi. But how can it if it is infinite? Am I looking too much into this? Would it just use a rounded value?

    Read the article

  • C - Rounding number up

    - by Dave
    Hi all, I was curious to know how I can round a number to the nearest tenth. For instance If I had int a = 59 / 4 /* which would be 14.75 and how can i Store the number as 15 in "a"*/ Thanks, Dave

    Read the article

  • What is the relationship between programming and music?

    - by pheze
    Who here is both a musician and a programmer? I would also be curious to know which instruments you play, the ages at which you started programming and playing music, your personal experiences, etc. Perhaps we can find a relationship between these two things. I'll begin: Piano since 10, Computer since 12, I am 21. Note: Question originally from pheze.myopenid.com. Related: Jazz Programmer

    Read the article

  • Who "invented" i,j,k as integer counter variable names? [closed]

    - by mjy
    Possible Duplicate: Why are we using i as a counter in loops I've used these myself for more than 15 years but cannot really remember how/where I picked up that habit. As it is really widespread, I'm curious to know who originally suggested / recommended using these names for integer loop counters (was it the K&R book?).

    Read the article

  • Determining the word width in C

    - by das_weezul
    Hi! I'm learning C right now and so I'm fiddling about with pointers. Is there a way to determine the word width of the CPU in C because I'm writing a small program which prints it's own stack (Because I'm curious how it is structured), so that information would come in handy. Right now I'm using an int pointer, as an integer is 4 Bytes wide and I'm using a 32-bit Intel Atom CPU. Thanks in advance, C gurus ;o)

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 408 409 410 411 412 413 414 415 416 417 418 419  | Next Page >