Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed yesterday.
Improve this question
I have affiliate links from Amazon and eBay in my bicycle app. I've tried to understand what data is shared from having them integrated into my clients or having the links clicked but have not been able to figure it out.
The only info I find is for how data is used if they go to a page controlled by these corporations but not the affiliate linking API specifically or clicking their links in my app specifically
Ive followed up with EPN support by email again and am curious if anyone knows the answer for this as I need it for the iOS/Android/Facebook privacy reports
Thanks!
Simply by clicking on a link (any link), the server hosting the link tends to get access to the same information about the visitor, such as IP address, cookie files, the type of action performed on the site, data time of the click, browser and OS info, supported languages, resolutions etc and lots of other kind of metadata which ones browser / device etc sends anyway to facilitate opening a webpage and create a good experience for the user.
For example, supported languages headers can be used to determine which language to display. Resolutions / browser info can be used to customize the experience further.
A link by itself is just a link. In the case of an affiliate link, it will have additional information about your site / app, so that the affiliate running company can identify your website or app. There could be additional information such as the exact product they were looking at on your site etc, so that when they click on it, they are directed to the appropriate page on Amazon / ebays site etc.
So in a nutshell, aside from all the information that Amazon / Ebay would receive by clicking on a link to their website anyway, by virtue of being an affiliate they would receive additional information to:
Identify your site / app (this means they will know the user visited / came from your site / app)
The product / page that was being looked at on your site etc - to direct them to the relevant product / service on eBay / Amazon etc
Things like that. Note that above I was just talking about links. If you have code / widgets embedded in your site / app then you could be sharing a lot of additional information with them such as how much time they spent on your site, what they looked at etc. So depends exactly on what you have embedded in your app.
Because you mentioned epn:
https://epn.bz/en/privacy
IP address and cookie files; Type of action performed on the site
(click, mouseover, etc.); Date and time of the action; Page URL;
Number of page visits; Information about moving through the pages of
the site; Duration of the user session; Entry points (third-party
sites from which the user enters the Site by the link); Exit points
(links on the Site which the user follows to visit third-party sites);
Country; Region; Provider; User Browser; List of supported languages
on the device; OS type Screen options.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Tumblr allows users to edit the HTML and CSS of their blogs through a Templating system. In fact, it even allows users to include their own external scripts into their pages. Doing this obviously opens a lot of security holes for Tumblr; however, it's obviously doing fine. What's even more interesting is how Tumblr's team managed to do all these through a LAMP Stack before.
One thing that I found out through pinging different Tumblr sites is that the blog sites are dispersed through multiple servers.
Nonetheless, hacking the root of just one of those servers could compromise a ton of data. Furthermore, while some could argue that Tumblr may just be doing manual checks on each of its blogging sites, it still seems pretty risky and unpractical for Tumblr's team to do so because of the amount of data that Tumblr has. Because of this, I think there are still some aspects that checking manually hasn't covered yet, especially in terms of how Tumblr's team filters their user input before it enters their database.
My main question: How does Tumblr (or any other similar site) filter its user input and thereby, prevent hacking and exploits from happening?
What is Tumblr.
Tumblr is a microbloggin service, which lets its users to post multimedia and short text blogs on their website.
Formating and styling blog
Every blog service lets its user to edit and share the content. At the same time they also let their users to style their blog depending on what type of service they are providing.
For instance, A company blog can never have a garden image as its background and at the same time a shopkeeper can never show a beach image; unless they are present at that place or include such objects in their work.
What Tumblr. does
Well, they just keep checking the files for any error!
As a general bloggin platform. It is necessary to allow the users to upload and style them blogs. And at the same time it is a job for the company to keep the control of how their service is used!
So Tumblr. keeps a great note on these things. They also donot allow to upload files that infect the system, and are well-known to delete such accounts if anything fishy is caught!
Tumblr. allows the users to upload files and multimedia that is used to style the blog. They used a seperate platform where to save all such files! So when you upload it, it does not get executed on their system. They access it from the server or from the hard drive which these files are saved on and then provide you with the blog that includes those files.
What would I do
I would do the same, I would first upload and save the files on a seperate place, where if executed they donot harm my system if are infected by a virus. Not all the users upload virus. But once they do, you should use an antivirus system to detect and remove the virus and at the same time block that account.
I would have let the users to use my service, now its user's job to upload content and its my job to prevent hacking.
All this stuff (HTML/CSS/External scripts) does not run on Tumblr machines. So to them it does not matter. One is responsible for the stuff that runs on your own PC. As to Javascript it lives in a sandpit
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
Improve this question
A spam bot has found my sign-up form and is filling my database with spam submissions. The form is a basic asp.net registration that creates a new membership user and captures account information such as name, address, phone, etc. Rather than implement a captcha I plan to try a honeypot field. However, my question is not about prevention* but rather about security. What potential risk does form spam pose? I already parameterize all of my SQL to handle the obvious SQL injection stuff. What are the other risks? Is anyone aware of how one might use a bot to attack a site through the site's form(s)? When do spam submissions represent more than just spam?
**Here are some posts related to prevention for anyone who is interested:*
fighting spam bots
How to deal with botnets and automated submissions
When the bots attack!
Any security risks you may have are completely independent of whether the form is being submitted in bulk.
The only new security risk relates to what happens if the bots fill up your disk.
I guess one problem could be the kind of spam they post. If they post links to other websites which in turn try infect the visitor with malware it doesn't pose a direct threat to your site but to your visitors.
You should also make sure they can't insert scripts etc to prevent XSS.
XSS on wikipedia
From a security perspective, this is really a question about how secure your website is in general. Yes, a spambot could exploit vulnerabilities but then so could any user, be they human or robot.
You mentioned parametrisation of SQL which is a good start, try these as well:
Are you validating all input against a whitelist of trusted values?
Are you applying the principle of least privilege and not allowing the SQL account public users connect with to do more than it needs? (more on that here)
Are you output encoding every piece of data when it's presented back via the UI?
If you're doing all this then you're in good shape security wise. Dealing with the inconvenience created by bots is another issue altogether.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
From what I understand, you have to enter in all of your usernames and passwords into Mint, so I assume they are actually logging into your bank account and scraping the resulting screen to put this data into a form that Mint and others use.
How do they actually simulate the keypresses and mouse clicks? I assume banks don't like it when they do this - how do their scrapers avoid detection?
I'm pretty sure they don't simulate clicks, etc. In the end, any data that ends up on a user's page is transmitted in a response to a request. If you can figure out how to construct a valid request and then how to parse the response, you'll have the data you want.
As far as I could gather after using Yodlee for quite a while, they deal with sites in two major ways: the sites they have official agreements to work with and the sites they don't have official agreements with. For the first category of sites they, most often, have agreed upon APIs for getting the data. For the sites in the second category they reverse-engineer layer 7 communication protocols and data structures (a.k.a. screen/html scraping).
The way I understand it, Yodlee uses the OFX specification to access banks' financial information.
http://www.ofx.net/
For the banks that don't implement OFX, they use custom screen scrapers, which must constantly be updated when banks change the information that's displayed on their site.
I don't know Yodlee so i simply assume it's like "sofortüberweisung.de" where you give a 3rd party your bank login data (and depending on what you do even a valid TAN) and thus trust them not to abuse it and additionally break your bank's security regulations ("NEVER GIVE YOUR YOUR PIN/TAN").
They most likely simulate what a browser would do. As web-based banking interfaces are usually just HTML/JavaScript everyone can look at the client-side code and do whatever it does with a custom program. Since those actions are not done in a malicious way, actions which require e.g. a TAN or a CAPTCHA to be solved can be simply forwarded to the legit user who will then enter the necessary TAN or solve the CAPTCHA.
Nonetheless to say, it is really bad to use services like that. While they most likely won't do anything bad you cannot know it for sure. And your bank is damn right if they don't refund you anything if you ever get scammed by such a service.
Another solution which would be perfectly safe (as long as you are not concerned about a 3rd party knowing about your financial status etc.) would be the yodlee company making contracts with major banks allowing them to access your data after you've authorized it through some way (you can already do that on pages like Twitter - I'd never do that for bankign though but technically it wouldn't be hard to realize something like that). That would be clean and secure as it would not involve "screen-scraping" or customers entering their banking login data anywhere but on their bank's website. But I believe no bank does something like that and in my opinion that's good as there are way too many people out there who are far too trustworthy and we all know how many information they give out on Facebook & Co. Now imagine a facebook<->bank integration... M.Zuck.'s wet dreams which hopefully never become true... And even if it's not Facebook.. There'll always be companies who want people's personal data and enough people giving them out; especially if it's easy and looks secure ("I have to confirm it on MY BANK's page. so it MUST be safe - it's supported by MY BANK").
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Social networking is great, but there is something fundamentally wrong with the way social networking is implemented today in most popular services. I'll put it in this example: Imagine that there is no SMTP, and consequently, it is globally assumed and accepted that you can only send email to addresses on the same domain. The result would be the emergence of a single email service, let's call it emailbook.com, which we all have to subscribe to, if we really want to communicate with the world.
This is what's happening with social networking today. You HAVE to use the same service your fiends/colleagues are using to talk to them.
I would like to be able to put up my own social site, invite my friends who trust me, share amongst us, but still be able to share with the world at large.
What are the chances of this scenario happening in the future? What does it take?
There sure is, and not just one! The future you wanted is now here.
By the time of the question, back in the end of 2010, OStatus had already existed for half a year, and the year before that there was OpenMicroBlogging (OMB), and at about the same time as OMB, the XMPP XEP 0277.
Since then several other protocols have popped up, such as diaspora* just half a year later, and later some smaller players like Friendica's DFRN and HubZilla's Zot.
OStatus never left draft status, but the big buzz[0] these days is about ActivityPub, which is a W3C recommendation since January 2018 and came out of the Social WG mentioned by #keithjgrant in his answer. There is a multitude of implementations[1], finding their niches with different use cases like microblogging, blogging, link sharing, picture sharing, video sharing and audio sharing.
There is also the collection of blog-oriented protocols described on https://indieweb.org/.
[0] pun intended
[1] Diaspora and GNU Social, although shown at fediverse.party, do not implement ActivityPub. The other applications shown do. There are several other applications not shown there, such as FunkWhale, Plume, WriteFreely, Prismo ... There is no terse and complete overview of all of them, but several are listed at https://switching.social/ and https://wedistribute.org/ publishes news and interviews related to all of them.
There are a few. One Social Web uses XMPP which is open and decentralized like SMTP.
Check it out.
http://onesocialweb.org/
I absolutely agree. The good news is, yes, things are happening. Even better, they are happening in the W3C, which means open standards.
The W3C now has a Social Web working group. They are actively working on a handful of standards. The biggest of these seems to be the Social Web Protocol.
Today, they also posted the W3C Recommended spec for Webmention, which is sort of an improved version of the old pingbacks that used to be used on blogs, this time built on HTTP. It allows a post to notify another page on the web when it references it. There are already a number of libraries and services that implement this today.
I think you should take a look at http://code.google.com/apis/opensocial/. It is a spec developed by google and other social networking players. It supports interoperability and much more.
OpenSocial is currently being developed by a broad set of members of the web community. The ultimate goal is for any social website to be able to implement the API and host 3rd party social applications. There are many websites that support OpenSocial, including hi5, LinkedIn, MySpace, Netlog, Ning, orkut, and Yahoo!
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
Currently all our files are stored on a Windows network drive and with 15 members of staff and 3 external workers, file control is beginning to become a bit of a nightmare. Even though we have a policy in place, people still seem to save file to their PCs, make changes, and copy them back without notifying anyone, send files via email instead of its location, and create folders/structures which only make sense to them.
Consequently on a recent project we found that 3 members of staff were using different versions of the same document and when those 3 people are editors and proof readers, you can probably imagine the problem that ensued in the end.
So we are looking for some nice simple file management apps. MS Sharepoint has been mentioned but we are looking to get away from being tied to a Windows machine, and the cost of setup etc. seems expensive particularly for a non-profit company. Also it seems Sharepoint may be a little over-the-top for our needs.
All we need is something that can fulfill the following:
can be used to store and control files
allow different user access
provide basic versioning
hopefully accessible through a web-browser so our remote workers can access it
We are not keen on SAAS solutions because of the nature of our confidentiality and also because we use these files all day everyday and the internet connection does go down from time to time. We want to be able to install in-house.
Ideally the solution will be FOSS, although we will consider buying software if it meets our needs.
You can try Alfresco:
Alfresco is the Open Source
Alternative for Enterprise Content
Management (ECM) led by John Newton,
founder of Documentum, and John
Powell, former COO of Business
Objects, and is backed by Accel
Partners, Mayfield Fund and SAP
Ventures.
Here has a good howto install it on linux.
The first question you probably need to ask is why the existing Windows file shares aren't working, and people are still saving files to their own computers.
For example, if they're often working outside of the office and can't access the file shares or they need to maintain a working copy, these are problems that can be fixed with SharePoint or other version control/file management software.
However, if they're just not following policy, then it's not going to matter what software you put in its place. Figuring out what problems the users have is going to help you choose the right solution.
Not sure this is the best place for such a question (its a discussio with no write/wrong answer) but anyway
Google apps for business?
http://www.google.com/apps/intl/en/business/index.html
Totally easy, low TOC (OSS is not free in a time sense).
You can share docs (read/write or read only) with external people or just do the old fashioned copy/paste the detail into OpenOffice/Word/iLife whatever and send a copy to them
Wouldn't something like a source control system be useful? SVN for example? admittedly binary files are a problem here, but if you're using a basic format you could convert to rtf or the new document standards used by Office 2007\OpenOffice.
It's worth noting that SharePoint and other variants are used widely for a reason; they do what you need.
Are you trying to avoid Windows Server completely, or just avoid buying Microsoft SharePoint Server?
If you are willing to purchase a Windows Server license you will get a basic version of SharePoint Server called SharePoint Services as part of the package. SharPoint Services allows you to have a powerful document management and collaboration system without having to buy an additional software package. It does include a version control system and you can integrate it with other applications. You can find more information here: Windows SharePoint Services 2.0 Overview.
Another MS provided solution that can handle file management and version control is Microsoft Groove. You can find more information on it here: Microsoft Groove. A great feature of Groove is that it can act as a front-end for Sharepoint (and most likely SharePoint Services) to allow users to more easily interact with the file storage mechanism.
A third option but will be less powerful would be to use your existing network file shares (through Windows or Samba), map the shares to local drives and/or reconfigure their My Documents to point to the network, and turn on Offline Storage. This will allow the users to interact with their documents as if they were local files even when they are offline. There will be a few small issues that you will experience with this route but it would break you from having to use a pure Microsoft solution.
In answer to some of the above questions.
The main reason its not working is because. One person will open a document from the shared drive and save a copy to their pc, which they work on. The changes they make are then not on the shared drive, when they copy it back, which everyone does the changes they have made overwrite any anyone else has done, they also dont inform anyone so if someone is working from that document they are now working on an old document. It is a case of getting users into a better frame of mind! But we feel software may help that, plus our external workers do not have access to the internal drive at present.
We have a number of servers, only one is windows and so we want to get away from using that windows server and have all linux servers for ease of management. Any MS product will require we run a dedicated MS machine!!
Local drives mapped is not really a good option as many people work out of the office and so wont be on the network to contribute, plus the file structure would probably not allow it.
It does seem that a MS solution might be the only one, i was just hoping there were some good alternatives available which were also a little simpler.
thnkx
A standard sharepoint document library, with versioning turned on, and checkin/checkout required, would meet your needs. Like previously posted, WSS comes free with Windows Server.