got no responses to my last question, idk if any of you know, but is it possible to program from c# for android without paying for something like mono? (i.e. not paying for anything).

anyone used this?
https://github.com/xamarin/XobotOS

I can't believe I've been suffering through Gmail on iPhone mail for 2 months and didn't even think there'd be a Gmail app. It's so much better.

Security question:

Say you're a company with lots of customers and an in-production website at www.company.com. Now you create an internal tool at:

23AN9874FKJSDF897D8S.company.com

Could someone who does not know the key in the subdomain still find it by port scanning or some other means? Or is it effectively hidden to anyone who does not know it is there?

Security through obscurity much? Can you block the URL from outside the companies internal network or does it need to accesable to people on the road?

Let's say it needs to be accessible on the road.

It's a theoretical question though, I'm not actually building this. I would probably just make a login system if I were. But I do sometimes make public subdomains and wonder if it's possible for people to find them in a systematic way (ie, not just by accidentally guessing it).

We've had some obvious ones found during security audits which may have been referenced from other pages so it could have been found that way.

Whoever recommended Vimium for Chrome,

dns is not designed for this kind of "security". if your users are able to resolve foo.domain.com as whatever IP address it has, then so can an attacker.

How about this? I create a fresh site that no one but me knows exists. I also create a very long random string subdomain. Now I tell Anonymous and LulzSec the name of main domain, and tell them that 1 subdomain exists, and if they find it, I pay them a million dollars.

Can they do it and, if so, by what method?

tyler,

i don't think that's what i'm asking (not 100% sure tho). it's fine if they know the IP. i'm asking if they can figure out the precise name of this subdomain from the IP, by doing some sort of scan or something?

pretty sure hostnames are not encrypted on https transmissions. so sniffing the subdomain is a possibility. dns traffic is not encrypted, so sniffing that is a possibility.

i guess if your users are all on an encrypted link (vpn) using a dns server which is only available over this link and which never talks to the outside world, you could hide the existence of the subdomain. but at this point, you're relying on transport-level encryption which should be sufficient to guard your resources anyway.

basically the whole idea is so wrong-headed that i'm not sure what to tell you except: don't do any of this.

you can sleep easy, i'm not "doing" anything. i am just trying to understand better how this stuff works. if i actually needed to protect a simple admin tool, i would just throw up some basic http authentication with hardcoded u/p or use a simple login system depending on how many users would be accessing.

on a similar note, things like a private "gist" are protected in much the same way, and i assume that is safe? (maybe not). Does the https protect the url from being sniffed? I don't see how this would be different, but I have only a surface understanding of dns...

tyler, just did some research on this myself, and it looks you're right: the crucial difference between the gist example and my example is that the hostname itself is not secure over https:

-- some random thing gaming_mouse googled but sounds right

EDIT:

So it looks like setting up a tool at:

https://www.company.com/284asfasfj382asldfkj2489724

actually would be a viable option?

something like that seems more practical for a few reasons; url encryption is certainly high on the list.

but i guess it depends what you mean by private. a gist-like system is fundamentally designed for sharing so it has some security weaknesses -- it's only one layer deep, access cannot really be revoked. am i likely to guess your hash and steal your secret docz? no.

Yeah. It's kind of counter intuitive that it would be secure but lots of companies do it (I think google docs for example) and it seems reasonable once you think about it.

Now you still have the non-technical risks like someone sharing the URL in a non secure way.

Short version. Its probably not going to be accessible these days.

You used to be able to do a read only zone transfer on pretty much anything to do this, but this is being prevented these days.

So access to a root DNS server, or a trusted DNS server of your provider will get you the list pretty trivially.

It won't give you hidden ones but:
http://www.wolframalpha.com/input/?i=twoplustwo.com expand sub-domains

I wouldn't do it, but you need to bear in mind things like search engines.

Perhaps Chrome submits browsing history to Google to index, perhaps if it's bookmarked it does this, perhaps a plugin finds the URL somehow and indexes it somewhere, perhaps someone links to it somewhere and it gets crawled, perhaps it's accidentally listed in a sitemap, or if it's specified as a 'no crawl' it would be easy to find. Perhaps Google doesn't index URL's in this way, but maybe they will do in the future.

Also, because it's an obscure URL I'm assuming everyone who needs to use it will bookmark it somewhere, and have it all over their emails.

Lots of perhaps and maybes, it's not a good solution. A simple login screen really is the best solution here.

Stars used to use company.com/hash to let you download large amounts of your own hand histories, fwiw. I have no idea why they didn't do something blatantly more secure like a simple login.

Most popular web servers have some form of basic authentication support. You don't even have to touch your application code to put it behind authentication. There's no excuse not to protect sensitive stuff with a login/password.

How many hands did it take for Stars to point you to a web address instead of just e-mailing you the hands? I sort of remember them sending e-mails for hands back in 2003ish but I never asked them to send a lot of hands at once. At most it was a few thousand (before I learned about saving them locally and PT).

Are the stars hash URLS temporary or permanent?

@Sorrow, thanks for the info

i'm assuming github has considered these things and either thinks they are not a problem or has set things up in such a way to make them not a problem?

The way github has setup private gists is infinitely more convenient. Also, with lots of users, and changing users, setting up basic doesn't make sense.

I would guess that they'd do it whenever the amount of data exceeds e-mail attachment limits. So the limit likely would've been on the order of 10k-100k hands depending on how they packaged the data and whatever attachment limits they had.

Dunno. This was a long time ago too. It might not be their current strategy.

I e-mailed stars security about it forever ago. I identified the wrong vulnerability, though; I talked about a program that would try all possible URLs, which obviously isn't a legitimate threat, instead of one of the many other ways that someone might get one of the URLs, which obviously is. Josem correctly pointed out that that was not a legitimate risk.

I'm not talking about Github. For GH is makes sense to do it the way they have it setup.

If you're setting up a service for company X and you want to restrict access because it holds the keys to company X's secrets and you can't lock it internally because you want people to be able to access it from anywhere then I'm not sure how you could think about releasing that info into the wild without it being behind a login.

If I understand correctly, GM isn't suggesting that it's a good idea. He's just using the discussion as a way to understand more about how this stuff works.