A blog about tech, programming, security, and various other subjects.




Found 16 results for your search query or tag selection. Clear search.
Bitcoin  Tags: privacy, security, other.
You know laws and banks right? Financial constructions, interest rates (the magic multiplication of your money), inflation (the magic disappearing of your money), etc. Transferring money across borders is subject to taxes that I don't even know of (why do they mention donations are tax-deducible on Wikipedia and The Internet Archive?), and your bank usually makes you pay a fee.

Paypal partially fixes this, but they are blocked in over 60 countries. Why? Not because of Paypal's own interest surely; the more users they have, the more money they can make.
How does SSL work?  Tags: security, networking.
Crosspost from security.stackexchange.com/questions/how-does-ssl-work.

General

SSL (and its successor, TLS) is a protocol that operates directly on top of TCP. This way, protocols on higher layers (such as HTTP) can be left unchanged while still providing a secure connection. Underneath the SSL layer, HTTP is identical to HTTPS.

When using SSL/TLS correctly, all an attacker can see on the cable is which IP and domain you are connected to, roughly how much data you are sending, and what encryption and compression is used. He can also terminate the connection, but both sides will know that the connection has been interrupted by a third party.
Amplification attacks explained  Tags: security, networking.
A Google search for amplification attacks returned a disappointing number of appropriate hits (none, actually); all results are specific for the DNS protocol. This post will explain in more general terms what an amplification attack is and does.

Definition
An amplification attack is an attack where the attacker triggers a big response from a third party to be sent to the target.

Basics
CSRF: It's not trivial  Tags: security, webdevelopment, websites.
In the past few weeks I've found two websites with CSRF vulnerabilities. I wasn't really looking for it, but when they don't require me to enter my current password to change the password (or e-mail address, by which the password can be reset), it raises flags.

So what can you do with a CSRF vulnerability?
In one case, I could easily have gained myself admin permissions on a website with thousands of visitors a day.
The other, I'm not entirely sure what the extent was, but certainly get myself access to FTP accounts from websites.

CSRF stands for Cross-Site Request Forgery. It works like this:
PHP functions to be disabled on shared hosting  Tags: webhosting, security.
There are plenty of websites giving you advice on which PHP functions to disable in a shared hosting environment. Trying like 15 blogs and websites, all of them got it wrong, including (to my surprise) the Security Stack Exchange**.

I don't know who or when, but someone once posted a list with PHP functions to be disabled and everyone copied it. There are roughly 3 variants on this, which block random functions like mysql_pconnect (but not mysql_connect or sockets themselves), FTP functions, or even string manipulation functions which are obviously totally benign.
Time to set things right.


Previous page / Newer posts
Next page / Older posts
 
lucb1e.com

Circle on Google+
Follow at Twitter


Tagcloud:
AI apps chat computers databases datetime e-mail hardware keyboard keyboards lol me music my blog my server networking nostalgia other privacy programming randomthought real life school security social networks software spam tutorials webdevelopment webhosting websites Windows writing