Two Plus Two Publishing LLC
Programming Discussions about computer programming

** UnhandledExceptionEventHandler :: OFFICIAL LC / CHATTER THREAD **

Old 08-17-2012, 09:30 PM   #5076
Ryanb9 (Carpal 'Tunnel; Join Date: Aug 2006; Location: NEVA!; Posts: 7,086)

Got no responses to my last question, idk if any of you know, but is it possible to program in C# for Android without paying for something like Mono? (i.e. not paying for anything).

anyone used this?
https://github.com/xamarin/XobotOS

Old 08-18-2012, 11:18 AM   #5077
Zurvan (Retired; Join Date: Apr 2005; Location: On the front porch, yelling at kids; Posts: 32,281)

Quote:
Originally Posted by kerowo
The gmail app on iOS is very good and there isn't a reason to think it wouldn't be good on Android.
I can't believe I've been suffering through Gmail on iPhone mail for 2 months and didn't even think there'd be a Gmail app. It's so much better.

Old 08-18-2012, 12:48 PM   #5078
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

Security question:

Say you're a company with lots of customers and an in-production website at www.company.com. Now you create an internal tool at:

23AN9874FKJSDF897D8S.company.com

Could someone who does not know the key in the subdomain still find it by port scanning or some other means? Or is it effectively hidden to anyone who does not know it is there?

Old 08-18-2012, 12:53 PM   #5079
kerowo (lolcat; Join Date: Nov 2005; Posts: 37,139)

Security through obscurity much? Can you block the URL from outside the company's internal network or does it need to be accessible to people on the road?

Old 08-18-2012, 01:01 PM   #5080
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

Quote:
Originally Posted by kerowo
Security through obscurity much? Can you block the URL from outside the company's internal network or does it need to be accessible to people on the road?
Let's say it needs to be accessible on the road.

It's a theoretical question though, I'm not actually building this. I would probably just make a login system if I were. But I do sometimes make public subdomains and wonder if it's possible for people to find them in a systematic way (i.e., not just by accidentally guessing it).

Old 08-18-2012, 01:09 PM   #5081
kerowo (lolcat; Join Date: Nov 2005; Posts: 37,139)

We've had some obvious ones found during security audits which may have been referenced from other pages so it could have been found that way.

Old 08-18-2012, 01:17 PM   #5082
PJo336 (THRILLHOUSE!; Join Date: Mar 2007; Posts: 21,873)

Whoever recommended Vimium for Chrome,

Old 08-18-2012, 01:19 PM   #5083
tyler_cracker (Carpal 'Tunnel; Join Date: Apr 2005; Location: Shallow End OTKP; Posts: 15,824)

dns is not designed for this kind of "security". if your users are able to resolve foo.domain.com as whatever IP address it has, then so can an attacker.

Old 08-18-2012, 01:25 PM   #5084
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

Quote:
Originally Posted by kerowo
We've had some obvious ones found during security audits which may have been referenced from other pages so it could have been found that way.
How about this? I create a fresh site that no one but me knows exists. I also create a very long random string subdomain. Now I tell Anonymous and LulzSec the name of the main domain, and tell them that 1 subdomain exists, and if they find it, I pay them a million dollars.

Can they do it and, if so, by what method?

Old 08-18-2012, 01:28 PM   #5085
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

Quote:
Originally Posted by tyler_cracker
dns is not designed for this kind of "security". if your users are able to resolve foo.domain.com as whatever IP address it has, then so can an attacker.
tyler,

i don't think that's what i'm asking (not 100% sure tho). it's fine if they know the IP. i'm asking if they can figure out the precise name of this subdomain from the IP, by doing some sort of scan or something?

Old 08-18-2012, 02:04 PM   #5086
tyler_cracker (Carpal 'Tunnel; Join Date: Apr 2005; Location: Shallow End OTKP; Posts: 15,824)

pretty sure hostnames are not encrypted on https transmissions. so sniffing the subdomain is a possibility. dns traffic is not encrypted, so sniffing that is a possibility.

i guess if your users are all on an encrypted link (vpn) using a dns server which is only available over this link and which never talks to the outside world, you could hide the existence of the subdomain. but at this point, you're relying on transport-level encryption which should be sufficient to guard your resources anyway.

basically the whole idea is so wrong-headed that i'm not sure what to tell you except: don't do any of this.

Old 08-18-2012, 02:09 PM   #5087
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

Quote:
Originally Posted by tyler_cracker

basically the whole idea is so wrong-headed that i'm not sure what to tell you except: don't do any of this.
you can sleep easy, i'm not "doing" anything. i am just trying to understand better how this stuff works. if i actually needed to protect a simple admin tool, i would just throw up some basic http authentication with hardcoded u/p or use a simple login system depending on how many users would be accessing.

Old 08-18-2012, 02:13 PM   #5088
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

on a similar note, things like a private "gist" are protected in much the same way, and i assume that is safe? (maybe not). Does the https protect the url from being sniffed? I don't see how this would be different, but I have only a surface understanding of dns...

Old 08-18-2012, 02:39 PM   #5089
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

tyler, just did some research on this myself, and it looks like you're right: the crucial difference between the gist example and my example is that the hostname itself is not secure over https:

Quote:
HTTPS Establishes an underlying SSL connection before any HTTP data is
transferred. This ensures that all URL data (with the exception of
hostname, which is used to establish the connection) is carried solely
within this encrypted connection and is protected from
-- some random thing gaming_mouse googled but sounds right

EDIT:

So it looks like setting up a tool at:

https://www.company.com/284asfasfj382asldfkj2489724

actually would be a viable option?
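The point tyler_cracker makes in #5086 and the quote gaming_mouse found in #5089 can be checked directly on the bytes. The hostname travels in the clear in the server_name (SNI) extension of the TLS ClientHello, the very first message of the connection, before any key exchange, so anyone on the path can read it; the path and query string only ever appear inside the encrypted HTTP request that follows. The block below is an added example, not code from the original thread: it builds a minimal TLS 1.2 ClientHello for the thread's random subdomain (lowercased, since hostnames are case-insensitive) and then parses it the way a passive sniffer would. Two further caveats a practitioner would want: in TLS 1.2 and earlier the server's certificate, with every name it covers, is also sent unencrypted, and any publicly trusted certificate issued for the random subdomain is published in Certificate Transparency logs, so a per-host certificate also gives the name away.

```python
"""Show where the hostname of an HTTPS request is visible on the wire.
Added example: builds a minimal TLS 1.2 ClientHello carrying a server_name
(SNI) extension, then recovers the hostname from the raw bytes the way a
passive sniffer would. The hostname and path are constructed values."""
import struct

def _sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0): one ServerName entry of type host_name (0)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list

def build_client_hello(hostname: str) -> bytes:
    """Return one TLS record (content type 22 = handshake) holding a ClientHello."""
    client_random = b"\x11" * 32          # fixed, not random: keeps the example deterministic
    body = (
        b"\x03\x03"                        # client_version: TLS 1.2
        + client_random
        + b"\x00"                          # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                      # compression_methods: null only
    )
    ext = _sni_extension(hostname)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Parse a handshake record and return the SNI hostname, or None if absent.
    Nothing here needs a key: this is the first message of the connection."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                  # not a ClientHello
            return None
        pos = 4 + 2 + 32                   # header(4) + version(2) + random(32)
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hs[pos]; pos += 1 + cm_len
        if pos + 2 > len(hs):
            return None                    # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + length]; pos += length
            if ext_type == 0x0000 and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]   # skip list len(2) + name type(1)
                return data[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error):
        return None
    return None

def visible_in_clear(record: bytes, needle: str) -> bool:
    """True if the string appears verbatim in the unencrypted record."""
    return needle.encode("ascii") in record

if __name__ == "__main__":
    host = "23an9874fkjsdf897d8s.company.com"   # the thread's example subdomain, lowercased
    path = "/284asfasfj382asldfkj2489724"        # the thread's example secret path
    record = build_client_hello(host)
    print("sniffed SNI:", extract_sni(record))
    print("hostname in cleartext:", visible_in_clear(record, host))
    print("path in cleartext:", visible_in_clear(record, path))   # never sent before encryption
```

Running it shows the hostname verbatim in the record and the path absent from the handshake entirely; the same parser run over a real capture (the first TCP payload to port 443) gives the same answer. Encrypted Client Hello is the TLS 1.3 extension meant to close this gap, but without it, SNI is cleartext in every version of TLS.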

Old 08-18-2012, 04:34 PM   #5090
tyler_cracker (Carpal 'Tunnel; Join Date: Apr 2005; Location: Shallow End OTKP; Posts: 15,824)

something like that seems more practical for a few reasons; url encryption is certainly high on the list.

but i guess it depends what you mean by private. a gist-like system is fundamentally designed for sharing so it has some security weaknesses -- it's only one layer deep, access cannot really be revoked. am i likely to guess your hash and steal your secret docz? no.

Old 08-18-2012, 08:51 PM   #5091
jjshabado (Carpal Tunnel; Join Date: Jul 2006; Posts: 22,543)

Quote:
Originally Posted by gaming_mouse
tyler, just did some research on this myself, and it looks like you're right: the crucial difference between the gist example and my example is that the hostname itself is not secure over https:

-- some random thing gaming_mouse googled but sounds right

EDIT:

So it looks like setting up a tool at:

https://www.company.com/284asfasfj382asldfkj2489724

actually would be a viable option?
Yeah. It's kind of counterintuitive that it would be secure but lots of companies do it (I think google docs for example) and it seems reasonable once you think about it.

Now you still have the non-technical risks like someone sharing the URL in a non secure way.
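What jjshabado describes, a secret in the URL path over HTTPS, is a capability URL, and tyler_cracker's objections in #5090 (one layer deep, access cannot really be revoked) are about how it is usually implemented rather than the idea itself. The block below is an added example of the issuing side done carefully; it is not github's, Google's or any real site's code, and the in-memory store, resource names and pepper are constructed for the demo. The token carries 160 bits from the OS random source, so enumerating URLs is hopeless; only a keyed hash of the token is kept server-side, so a database dump does not hand out working links; every token has an expiry and can be revoked, which is the missing second layer; and the token goes in the path, which HTTPS encrypts, never in the hostname.

```python
"""Capability ("secret URL") tokens issued and checked carefully.
Added example, not any real site's code; the store and pepper are constructed."""
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 20   # 160 bits of entropy: trying all URLs is not a realistic threat

class CapabilityStore:
    def __init__(self, pepper: bytes):
        self._pepper = pepper      # server-side secret: a DB dump alone cannot reproduce the hashes
        self._records = {}         # keyed hash of token -> {"resource", "expires", "revoked"}

    def _digest(self, token: str) -> str:
        # HMAC rather than a bare hash: lookups are by a keyed digest, so the raw
        # token is never stored and never compared byte-by-byte in variable time.
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, resource: str, ttl_seconds: int, now=None) -> str:
        """Create a token for resource that expires after ttl_seconds."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        now = time.time() if now is None else now
        self._records[self._digest(token)] = {
            "resource": resource, "expires": now + ttl_seconds, "revoked": False}
        return token               # the only copy of the token leaves the server in the URL

    def resolve(self, token: str, now=None):
        """Return the resource for a valid, unexpired, unrevoked token, else None."""
        now = time.time() if now is None else now
        rec = self._records.get(self._digest(token))
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        return rec["resource"]

    def revoke(self, token: str) -> bool:
        """Kill a link that has leaked; returns False for unknown tokens."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    @staticmethod
    def build_url(base: str, token: str) -> str:
        # Token in the path, never in the hostname: the path is inside the TLS tunnel.
        return f"{base}/{token}"

if __name__ == "__main__":
    store = CapabilityStore(pepper=b"constructed-pepper-keep-in-a-secret-store")
    token = store.issue("hands/2012-08.zip", ttl_seconds=24 * 3600)
    print(CapabilityStore.build_url("https://www.company.com", token))
    print("resolves to:", store.resolve(token))
    store.revoke(token)
    print("after revoke:", store.resolve(token))
```

The non-technical leak paths discussed further down the thread (bookmarks, mail, links that get crawled) are unaffected by any of this; short expiries and revocation are what limit the damage once a link escapes, and they are exactly what a static "random path" deployment lacks.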

Old 08-19-2012, 09:01 AM   #5092
sorrow (old hand; Join Date: Apr 2008; Location: Perth, Western Australia; Posts: 1,531)

Quote:
Originally Posted by gaming_mouse
Let's say it needs to be accessible on the road.

It's a theoretical question though, I'm not actually building this. I would probably just make a login system if I were. But I do sometimes make public subdomains and wonder if it's possible for people to find them in a systematic way (i.e., not just by accidentally guessing it).
Quote:
Originally Posted by gaming_mouse
How about this? I create a fresh site that no one but me knows exists. I also create a very long random string subdomain. Now I tell Anonymous and LulzSec the name of the main domain, and tell them that 1 subdomain exists, and if they find it, I pay them a million dollars.

Can they do it and, if so, by what method?
Short version. It's probably not going to be accessible these days.

You used to be able to do a read only zone transfer on pretty much anything to do this, but this is being prevented these days.

Code:
# dig google.com soa

;; QUESTION SECTION:
;google.com.			IN	SOA

;; ANSWER SECTION:
google.com.		31	IN	SOA	ns1.google.com. dns-admin.google.com. 1494867 7200 1800 1209600 300

# dig @ns1.google.com. google.com axfr
; <<>> DiG 9.9.1-P2-RedHat-9.9.1-5.P2.fc17 <<>> @ns1.google.com google.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
So access to a root DNS server, or a trusted DNS server of your provider will get you the list pretty trivially.

It won't give you hidden ones but:
http://www.wolframalpha.com/input/?i=twoplustwo.com expand sub-domains
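sorrow's dig output is the zone-transfer check. When AXFR is refused, the systematic method gaming_mouse asked about is guessing labels from a wordlist and resolving each one; that finds admin, dev, staging and the like, and it is why the random label is out of reach while a guessable one is not. It also has a pitfall a scanner must handle: a zone with a wildcard record (*.company.com) answers every guess, so a naive scanner reports every word as a hit. The block below is an added example, not from the original post. The resolver is injectable so the demo runs offline against a constructed zone (addresses from the 192.0.2.0/24 documentation range); pass socket.gethostbyname to run it against a domain you are authorized to test.

```python
"""Wordlist subdomain enumeration with wildcard detection. Added example,
not from the original post; the zone below is constructed for the demo."""
import secrets
import socket

def default_resolver(name: str):
    """Return an address for name, or None if it does not resolve (needs network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def detect_wildcard(domain: str, resolve, probes: int = 3):
    """Resolve a few labels nobody could have created. If they all come back
    with the same address, the zone has a wildcard and every guess will 'exist'."""
    answers = {resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None

def enumerate_subdomains(domain: str, wordlist, resolve=default_resolver):
    """Return ({name: address} for labels that really resolve, wildcard address or None)."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found = {}
    for label in wordlist:
        name = f"{label}.{domain}"
        ip = resolve(name)
        if ip is None or ip == wildcard_ip:
            continue            # drop wildcard answers, otherwise every label is a false hit
        found[name] = ip
    return found, wildcard_ip

# Constructed zone: two guessable hosts, the thread's random host, and a wildcard.
CONSTRUCTED_ZONE = {
    "www.company.com": "192.0.2.10",
    "mail.company.com": "192.0.2.20",
    "23an9874fkjsdf897d8s.company.com": "192.0.2.30",
}

def fake_resolver(name: str):
    """Stand-in for DNS so the demo runs offline."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    if name.endswith(".company.com"):
        return "192.0.2.99"     # wildcard answer for anything else under the zone
    return None

WORDLIST = ["www", "mail", "admin", "dev", "staging", "vpn", "internal"]

if __name__ == "__main__":
    hits, wildcard = enumerate_subdomains("company.com", WORDLIST, fake_resolver)
    print("wildcard address:", wildcard)
    for name, ip in sorted(hits.items()):
        print(name, ip)
```

With the constructed zone only www and mail come back; the random label is never tried because no wordlist contains it, and the five other words are discarded as wildcard noise. Comparing addresses is a simplification: a wildcard pointing at the same front end that serves the real hosts needs an HTTP-level check (response body or certificate) instead.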

Old 08-19-2012, 09:57 AM   #5093
Gullanian (Carpal 'Tunnel; Join Date: Dec 2006; Location: London; Posts: 14,008)

I wouldn't do it, but you need to bear in mind things like search engines.

Perhaps Chrome submits browsing history to Google to index, perhaps if it's bookmarked it does this, perhaps a plugin finds the URL somehow and indexes it somewhere, perhaps someone links to it somewhere and it gets crawled, perhaps it's accidentally listed in a sitemap, or if it's specified as a 'no crawl' it would be easy to find. Perhaps Google doesn't index URLs in this way, but maybe they will do in the future.

Also, because it's an obscure URL I'm assuming everyone who needs to use it will bookmark it somewhere, and have it all over their emails.

Lots of perhaps and maybes, it's not a good solution. A simple login screen really is the best solution here.

Old 08-19-2012, 10:25 AM   #5094
NoahSD (Is Right; Join Date: Aug 2005; Posts: 18,865)

Stars used to use company.com/hash to let you download large amounts of your own hand histories, fwiw. I have no idea why they didn't do something blatantly more secure like a simple login.

Old 08-19-2012, 10:32 AM   #5095
Shoe Lace (Pooh-Bah; Join Date: Sep 2004; Posts: 3,654)

Most popular web servers have some form of basic authentication support. You don't even have to touch your application code to put it behind authentication. There's no excuse not to protect sensitive stuff with a login/password.

How many hands did it take for Stars to point you to a web address instead of just e-mailing you the hands? I sort of remember them sending e-mails for hands back in 2003ish but I never asked them to send a lot of hands at once. At most it was a few thousand (before I learned about saving them locally and PT).
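Shoe Lace's point that the web server can enforce Basic auth without touching the application holds one layer down as well: in Python the same thing is a WSGI wrapper around an unmodified app. The block below is an added example, not from the original thread; the app, realm, user and password are constructed. Passwords are stored as salted PBKDF2 digests rather than plaintext, the digest is computed for unknown users too so response timing does not reveal which usernames exist, and the comparison is constant-time. Basic auth only base64-encodes the credentials, so it is acceptable only behind HTTPS.

```python
"""HTTP Basic authentication as a wrapper around an unmodified WSGI app.
Added example; the app, users and password are constructed for the demo."""
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, pbkdf2-sha256 digest); only this pair is ever stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class BasicAuthMiddleware:
    def __init__(self, app, users: dict, realm: str = "internal tool"):
        self.app = app
        self.users = users                 # username -> (salt, digest); never the plaintext
        self.realm = realm

    def _check(self, header: str) -> bool:
        try:
            scheme, _, encoded = header.partition(" ")
            if scheme.lower() != "basic":
                return False
            user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        salt, expected = self.users.get(user, (b"", b""))
        # Always run the KDF, even for unknown users, so timing does not leak valid names.
        _, got = hash_password(password, salt or b"\x00" * 16)
        return user in self.users and hmac.compare_digest(got, expected)

    def __call__(self, environ, start_response):
        if not self._check(environ.get("HTTP_AUTHORIZATION", "")):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", f'Basic realm="{self.realm}"'),
                            ("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        return self.app(environ, start_response)   # the app is reached only after the check

def internal_tool(environ, start_response):
    """The existing application; it knows nothing about authentication."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret admin page\n"]

USERS = {"alice": hash_password("correct horse battery staple")}   # constructed credentials
protected = BasicAuthMiddleware(internal_tool, USERS)

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def call(app, authorization=None):
    """Drive a WSGI app with a minimal environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], body

if __name__ == "__main__":
    print(call(protected))                                                   # 401
    print(call(protected, basic_header("alice", "correct horse battery staple")))   # 200
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, protected).serve_forever()   # serve behind a TLS terminator
```

At the web-server layer the equivalent is Apache's AuthType Basic with an htpasswd file or nginx's auth_basic with auth_basic_user_file; either one keeps the application untouched, which is the whole point Shoe Lace is making.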

Old 08-19-2012, 11:18 AM   #5096
Gullanian (Carpal 'Tunnel; Join Date: Dec 2006; Location: London; Posts: 14,008)

Are the stars hash URLs temporary or permanent?

Old 08-19-2012, 01:08 PM   #5097
gaming_mouse (Carpal 'Tunnel; Join Date: Oct 2004; Location: taking notes on u (see profile); Posts: 13,782)

@Sorrow, thanks for the info

Quote:
Originally Posted by Gullanian
I wouldn't do it, but you need to bear in mind things like search engines.

Perhaps Chrome submits browsing history to Google to index, perhaps if it's bookmarked it does this, perhaps a plugin finds the URL somehow and indexes it somewhere, perhaps someone links to it somewhere and it gets crawled, perhaps it's accidentally listed in a sitemap, or if it's specified as a 'no crawl' it would be easy to find. Perhaps Google doesn't index URLs in this way, but maybe they will do in the future.

Also, because it's an obscure URL I'm assuming everyone who needs to use it will bookmark it somewhere, and have it all over their emails.

Lots of perhaps and maybes, it's not a good solution. A simple login screen really is the best solution here.
i'm assuming github has considered these things and either thinks they are not a problem or has set things up in such a way to make them not a problem?

Quote:
Originally Posted by Shoe Lace
Most popular web servers have some form of basic authentication support. You don't even have to touch your application code to put it behind authentication. There's no excuse not to protect sensitive stuff with a login/password
The way github has setup private gists is infinitely more convenient. Also, with lots of users, and changing users, setting up basic doesn't make sense.

Old 08-19-2012, 01:13 PM   #5098
NoahSD (Is Right; Join Date: Aug 2005; Posts: 18,865)

Quote:
Originally Posted by Shoe Lace
Most popular web servers have some form of basic authentication support. You don't even have to touch your application code to put it behind authentication. There's no excuse not to protect sensitive stuff with a login/password.

How many hands did it take for Stars to point you to a web address instead of just e-mailing you the hands? I sort of remember them sending e-mails for hands back in 2003ish but I never asked them to send a lot of hands at once. At most it was a few thousand (before I learned about saving them locally and PT).
I would guess that they'd do it whenever the amount of data exceeds e-mail attachment limits. So the limit likely would've been on the order of 10k-100k hands depending on how they packaged the data and whatever attachment limits they had.

Quote:
Originally Posted by Gullanian
Are the stars hash URLs temporary or permanent?
Dunno. This was a long time ago too. It might not be their current strategy.

I e-mailed stars security about it forever ago. I identified the wrong vulnerability, though; I talked about a program that would try all possible URLs, which obviously isn't a legitimate threat, instead of one of the many other ways that someone might get one of the URLs, which obviously is. Josem correctly pointed out that that was not a legitimate risk.

Old 08-19-2012, 02:15 PM   #5099
Shoe Lace (Pooh-Bah; Join Date: Sep 2004; Posts: 3,654)

Quote:
Originally Posted by gaming_mouse
The way github has setup private gists is infinitely more convenient. Also, with lots of users, and changing users, setting up basic doesn't make sense.
I'm not talking about Github. For GH it makes sense to do it the way they have it setup.

If you're setting up a service for company X and you want to restrict access because it holds the keys to company X's secrets and you can't lock it internally because you want people to be able to access it from anywhere then I'm not sure how you could think about releasing that info into the wild without it being behind a login.

Old 08-19-2012, 02:21 PM   #5100
NoahSD (Is Right; Join Date: Aug 2005; Posts: 18,865)

If I understand correctly, GM isn't suggesting that it's a good idea. He's just using the discussion as a way to understand more about how this stuff works.
Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright 2008-2017, Two Plus Two Interactive
 
 