Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 12 years ago.
Improve this question
I have been told by my hosting server that my website has had a "DDoS attack". What is a "DDoS attack" and how do I prevent it?
GOOGLE!
Check out and read: http://en.wikipedia.org/wiki/Denial-of-service_attack
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field, for example, it is also used in reference to CPU resource management.
One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
See also http://en.wikipedia.org/wiki/Distributed_denial_of_service_attacks_on_root_nameservers
DDOS stands for Distributed Denial Of Service
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I was just thinking of possible ways to go about temporary login systems. I was thinking having a bunch of your standard images with a jumbled up word and users type in the word. I would have a MySQL table where all the photos have a unique id, link and answer-key. that way the webpage just has to choose a random number the GET photo where id = random number. then compare what the user types in to the answer key of the photo.
I'm not currently trying to create this system, it seems very simple and I was just trying to think if it is a secure system that would work.
so my question really is, would there security risks with this, is it robust enough to keep out bots, would my site be destroyed 10 seconds after implementing it.
What you're describing sounds exactly like a CAPTCHA system. These are used widely to prevent bots from issuing automated requests against an interface. The problem is that it's hard to make images that a bot can't just interpret anyway.
Outsmarted: Captcha security not much of a gotcha is an article about some Stanford researchers who developed an image-recognition tool (which is not publicly available) to test captcha implementations:
Decaptcha was able to decode 66 percent of the Captchas used by Visa's Authorize.net payment site, 70 percent of Blizzard Entertainment's Captchas -- the company's games include World of Warcraft and Diablo -- and 25 percent of Wikipedia's. About one-fifth of Digg.com's Captchas and almost that many of CNN.com's were decodable.
The researchers recommended Google's reCAPTCHA as a much more effective system. You can add a reCAPTCHA widget to your own website. This would be safer and easier than trying to develop your own and find it to be too weak.
Short answer: No, it's not secure. If someone really wants to hack your system he can build his own database of image-word.
The key is to invest in security less than it will cost you if your system will be compromise, so I won't invest in a security system too much (it sounds like you don't really have a sensitive information to hide).
BUT, you have an easy & free solution. You can use reCaptcha, not only it's much more secured, you'll help digitize some useful information.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I'm aware that for adding HTTPs to a site, one can either:
buy a overpriced SSL certificate from a reputed CA like
VeriSign
or purchase a much lower priced certificate from several
other companies
or one could even use his/her own self signed
certificate i.e, for free.
But for a decent HTTPs implementation that is:
you want most of standard browsers recognize the certificate(there shouldn't be any warnings/ errors on standard browsers)
security is tight rather than just a false impression of secure site.
brand name of CA is not that really important to you.
for a public site similar to LinkedIn but smaller in scale(no financial transactions, but users profile data).
economical pricing
Would implementing such an HTTPs always come at a price ? What is the cost effective way to implement it ? I don't want to spend hundred of dollars an year initially, when I have lower user base.
StartSSL offers certificates at prices based on the effort it takes to validate the data that you want to have validated, rather than based on the added value percieved by the customer. As a result, domain validated certificates are free, because validation can be fully automated. These kinds of certificates ensure that the client is talking to the domain advertised in the common name, rather than to some man-in-the-middle or some host that the domain resolves to as a result of DNS poisoning.
None of the personal information that you provide will be available in a domain validated certificate. If it would, than it would imply that the CA actually validated that information.
For a lot of sites, this is enough security. For shops, banks and other sites that require certain personal information from the client, this is clearly not enough. These sites should use certificates that not only ensure that the user communicates with the site that he wants to, but also that the site is run by the company that he wants to do business with.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
Improve this question
Currently I'm working in a team creating a custom POS solution. We came to a point were we'd like to integrate with a IC/Credit Card terminal (like VeriFone which we have, i.e. Vx510). I think the simplest mode is to allow Cashier to manually enter into the terminal the amount a client has to pay. In more advanced (the desired) way our POS will send to the terminal the amount to be payed.
Regardless of the "mode" we'd like to get the information from VeriFone if the transaction was successful or not. Here's the dead end we've reached. AFAIK, to program VeriFone terminals or integrate with it you have to become a certified VeriFone developer. If it is so, then I know where to start. If not, please let me know.
Are there any other ways to get information for a terminal that the payment was successful? Are there any 3rd party libraries to communicate with this kind of devices? The most relevant to my problem SO thread I could find is this but it wasn't much of help for me. We don't want to process any confidential data, therefore we don't want to integrate with Authorize.NET
Ok, things got clear a bit... It turns out that if you buy a device from a manufacturer (e.g. VeriFone) it comes "clean", so you have to program it all by your own and satisfy PCI Compliance. Therefore, you have to be certified developer... at least for VeriFone devices.
However if you order a terminal from some kind of 3rd party provider, for example SIX, or Polskie ePłatności (one of the providers in Poland), it comes with some kind of, let call it "firmware". This "firmware" will, or at least should provide you an application for performing cashless transactions. It also should come with handy communication protocol. Of course you'll have to sign some kind of NDA.
In short:
If you want to integrate with a credit card terminal just call a local credit card payment service and ask them to send you a terminal you want to integrate with. Keep in mind that every country has its own transactions centers so your solution will be country-wide.
payworks offers a SDK to integrate a credit card reader within an iOS/Android app. They manage the connection from the card reader to the merchant's bank. You never have to touch confidential data.
Regarding Verifone terminals, they support the Verifone e105, e315, and e335. You can see the full hardware list here.
Disclosure: I am a software engineer at payworks.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I'm looking for a new CMS to host my new blog and I was deciding what the best route would be, either using MySQL or a file-based CMS.
I'll probably be writing on the blog every other day so I'm looking for speed.
Does anybody know which one would be better for speed / security?
Thanks!
I'd highly recommend one of the popular ones such as Joomla, Wordpress, or Drupal (why re-invent the wheel?). They're heavily supported by the community, so the standard concerns like security and such are usually found and fixed before you're even aware they existed. My personal favorite is Joomla because of the extensive collection of extensions that are available, with a great many of them focused on social media such as twitter and facebook to "spread the word" from what you're putting on your site.
For security, I see storing content in a database as being more secure, as database access requires one more level of authentication than simply storing content in a file.
If a user pokes around your system and finds your include folder, then all content could potentially be exposed by guessing the paths. Since the database is usually abstracted away from your front-end application, accessing its content by simply guessing url paths is much harder to do.
In addition, your application will probably only expose certain fields from your database to the front-end, (assuming your database access functions are properly written to prevent things like SQL injection etc).
Unless you expect seriously high volumes of traffic on your site, you probably won't notice much of a difference between reading from a file vs. reading from a database.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
In my 4 years of experience,I have developed a lot of web applications. Now, the concept of programmable web getting more and more popular, new APIs are being released almost everyday. I would like to develop a java API/library for a few of these endpoints.Ex stackapps,reddit,digg etc... What I would like to know from you people is ,
How is the API of the regular web
apps differ from the API of these
libraries. Or what is the difference
between these two from design
perspective
What are the best API development
practices.
What are all the factors that I need to consider before designing the API
.
Please comment, if the details are not sufficient.
Stability
If you offer an API to your web app, it is probably because you want other people to build applications using it. If it is not stable they will hate you for forcing them to follow through your frequent changes. If this takes too long, their site might remain non-functional for a long time while they are figuring out the new way of doing things in your API.
Compactness
You want the API to be complete but compact, as in not too much to remember.
Orthogonality
Design it so there is one and only one way to change each property or trigger an action. Actions in an orthogonal API should have minimal (if ever) side effects.
Also, it's not a good practice to remove a feature from a public API once released.
Security and Authentication
Since the API is web-exposed, you will have to authenticate each request and grant appropriate access. Security common sense applies here.
Fast Responses or Break into pieces
I believe in a web environment we should have fast responses and avoid requests that will take too long to complete. If it's unavoidable then it is better to send an ACK and break the task into several pieces and subsequent calls.
From my experience, all good API were not made to solve a generic problem, but to solve a problem for some that requires a certain abstraction. This abstraction is then evolving as the requirement and/or the underlying layer change.
So instead of finding the API that will do it all, I'd start by finding one or two good case problem were your API could help.