Correct, if you store HTML in your database, you need to VALIDATE your data using an HTML Policy tool like OWASP AntiSamy. But really, you should never store ENTITY encoded data in the database, you should encode at your use boundary in your UI layer.
*applause* It's even worse - the new ASP output encoding APIs only encode for HTML Entity - what about JS, CSS, HTML Attribute and other encoding contexts that you need for secure programming to stop XSS? Not to mention DOM-based XSS where you need to encode for JS Variable AND HTML Attribute, in some cases. Web Security Programming is not easy - and it's frankly impossible if you don't have the right tools.
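The two comments above argue for encoding at the output boundary with an encoder chosen per context. The following Python is an added illustration written for this page, not code from the commenter or from any ASP or OWASP library: it implements a separate encoder for HTML body text, HTML attribute values and JavaScript string literals, composes the last two for the event-handler case the comment mentions, and includes a small check that models what the browser hands to the JS parser after entity-decoding an attribute, so you can see why entity encoding alone is the wrong tool there. Function names and the `render` template are assumptions made for the example.

```python
import html
import re


def encode_for_html_body(s: str) -> str:
    """Text between tags: entity-encode & < > " ' (Python's html.escape)."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s: str) -> str:
    """Attribute value: &#xHH; for everything except ASCII [A-Za-z0-9],
    so the value stays inert even if the template forgot to quote it."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):x};" for c in s
    )


def encode_for_js_string(s: str) -> str:
    """Inside a JS string literal: \\xHH / \\uHHHH for everything except
    ASCII [A-Za-z0-9]. Quotes, backslashes and '</script>' can then no
    longer end the literal or the enclosing <script> element."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "".join(out)


def encode_for_js_in_event_handler(s: str) -> str:
    """onclick="f('...')": the HTML parser entity-decodes the attribute
    first, THEN the JS engine parses the result, so encode for JS first
    and wrap that in attribute encoding (the 'JS variable AND HTML
    attribute' case)."""
    return encode_for_html_attribute(encode_for_js_string(s))


def js_literal_stays_intact(encoded_attr_value: str) -> bool:
    """Model the browser: undo entity encoding as the HTML parser does for
    attribute values, then check that what reaches the JS parser contains
    no raw quote or line terminator, and that every backslash is one of
    our own \\xHH / \\uHHHH escapes (a stray backslash would swallow the
    closing quote)."""
    seen_by_js = html.unescape(encoded_attr_value)
    if any(c in seen_by_js for c in "'\"\n\r"):
        return False
    leftover = re.sub(r"\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", "", seen_by_js)
    return "\\" not in leftover


def render(user_value: str) -> str:
    """One untrusted value placed into four different output contexts,
    each with the encoder that context requires (template is constructed)."""
    return (
        f"<p>{encode_for_html_body(user_value)}</p>\n"
        f'<input value="{encode_for_html_attribute(user_value)}">\n'
        f"<script>var v = '{encode_for_js_string(user_value)}';</script>\n"
        f"<button onclick=\"show('{encode_for_js_in_event_handler(user_value)}')\">"
        "go</button>\n"
    )


if __name__ == "__main__":
    # Constructed sample: a plain apostrophe is enough to show the point.
    sample = "O'Reilly"
    print(render(sample))
    print("entity-only in event handler intact:",
          js_literal_stays_intact(encode_for_html_body(sample)))
    print("js-then-attribute in event handler intact:",
          js_literal_stays_intact(encode_for_js_in_event_handler(sample)))
```

The check reports that the entity-encoded value is not intact inside an event handler (the browser decodes `&#x27;` back into a quote before JavaScript ever sees it), while the JS-then-attribute encoding survives. This is the same reason a single "HTML encode" helper cannot cover every sink: the decoding the browser performs depends on where in the document the value lands.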
1967 "The Miracles" reference, very nice. =)
Ah, that makes sense.
My comment about secure password treatment stands true for enterprise applications, but for a honeypot it makes total sense to log passwords.
But, suppose you had an administration console to the honeypot that you did NOT want hackers to have access to - like some honeypot report/statistical sub-application - well, for that sub-app you would want to take my advice about password treatment.
I meant to say "All that knowledge is mostly useless - but the understanding that CS is all about constantly learning new stuff - priceless."
Thank god I do not get paid to write. :)
Oh c'mon - Bangalore College is a degree farm. That one college pumps out more grads than all of the US probably. It's not the college or the education - it's the individual. Can you play in the world of computers and discrete math? Can you deal with 6 different programming languages to build a modern website? Some folks with PhDs can't play in this world - while some who never went to school are software engineering masters. The only thing my CS degree got me is a piece of paper - and some practice in learning about computers. All that knowledge is not mostly useless - but the understanding that CS is all about constantly learning new stuff - priceless.
The moment you have a system that even has the capacity to log passwords, you have a security anti-pattern. Passwords are to be stored as per-user salted SHA-2 hashes and should never be logged.
What reasonable explanation can exist for charging me an extra 50 cents per minute?
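As an added example for the comment above (written for this page, not the commenter's code): a per-user salted SHA-256 password store in Python using the standard library's `hashlib.pbkdf2_hmac`, which is salted SHA-2 applied in iterations. The iteration count, the `pbkdf2_sha256$iterations$salt$digest` record layout and the function names are assumptions made for the example; the verify step uses a constant-time comparison so timing does not leak how much of a digest matched. Note that nothing here ever needs the clear-text password after `hash_password`/`verify_password` return, which is the property the comment asks for.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16       # per-user random salt length


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Derive a salted SHA-256 digest and return a self-describing record.

    A fresh random salt is drawn per call, so two users with the same
    password get different records. `salt` is only a parameter so the
    known-answer test below can pass a fixed value."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in
    constant time. Malformed records are rejected rather than raising."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def salt_of(stored: str) -> str:
    """Return the hex salt from a record (used to show salts differ per user)."""
    return stored.split("$")[2]


if __name__ == "__main__":
    # Constructed sample: two users choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ although passwords match:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", verify_password("wrong", alice))
```

The record stores everything needed to verify later (scheme, iteration count, salt), so the work factor can be raised for new records without breaking old ones, and a log line containing the record reveals no password.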
You signed a contract and they want your money. Seems very reasonable to me.
I fucked your mom!
Daddy, I love you!
His fucked what?
Your sister!
Until they stop providing security updates. Then you're fucked.
Please rinse it off when you are done.
Build a bare-bones web app. Works on all phones and you can tweak it as your taste in phones changes.
"Complete" solar's ROI is 20 years, but solar hot water heaters here in Hawaii - where we get a lot of sun - with the federal solar tax credit - I'll make my money back in O N E year!
Coward! That was an awesome and tough level! You need to keep away from the tornadoes, and maneuver correctly - that dropship has powerful weapons and it's a lot of fun to blow up aliens with heat-seeking missiles and big MGs!
I think Crysis is so-so; however, COD4 is way better for multi-player.
HTTP isn't a stateless protocol anymore? When did this happen?
Someone stole my cookies! Give me back my cookies!
Shafted? AIG has a *trillion USD* in assets. It's a 2 year loan. It was a reasonable move by the US Gov't.
Soap and Water might clean away the blood, but the sins remain.
Go for it - it's a big money market if you can find clients. I prefer Koa for work of this nature - you might want to start by building one for yourself. It's a lot of fun with great $ potential! :)
Gross. Then you would have to buy a crappy Mac - no way to build iPhone applications on a non-OS X platform that I know of. Shudder.
Me? I'd like to build some out of exotic woods.
There is already a niche market for PCs made from high-end hardwoods - I saw one advertised in a catalog on a commercial airplane that cost upwards around 3-4k with crappy innards. Go for it man....
I for one welcome our new bacteria killing, aesthetically pleasing, nano-overlords.
WPA 1/2 has been supported by other consumer-facing products for several years. Apple is supposed to be about high quality devices that we are happy to pay a premium for. Security is a big deal these days. For Apple to release a product with such a key feature horribly broken is - horrible; this is not a made-up complaint.
So, if I hack a major bank but write an article about it and email it to the bank's admins first I'm ok? No way!
This line of thought from the OP is a crock.
The moment you even start trying to crack a network or application without legal and/or written permission you are engaging in black hat and most likely illegal activities - regardless of what you do after your intrusion attempt.
He was just trying to use basic Darwinism to filter out idiots. But some defender of white moths told them to fly away and take cover cause da smoke was a comin! Dam u!