Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I have a program that prompts for a PIN before performing particular actions. The PIN is stored, encrypted, in a local config file along side the executable binary. User enters PIN, program decrypts and compares to the stored value, if they are equal, ok, if not etc.
I'm aware this kind of security check could potentially be circumvented with forensic tools that alter the binary, in affect, changing the '==' to '!=' in the right place to make all the wrong PIN's pass the test in my example.
This may be a stupid question, as I know from the first 2 minutes of googling it's a big and challenging topic, but I still thought I should start with checking on features of the language/compiler I'm actually using first. So, are there any features natively available with Go to make this kind of attack harder to successfully perform?
No, there is nothing remotely like this in the official go compiler or standard library.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I want the user to be able to write their own math functions in my program. And these functions could possibly be shared with someone else, and run natively on their machine. Algebra is Turing complete. Does it mean I should warn users of my program about potential danger of running math? Sorry if this is a silly question :)
Edit:
I am making a simple diary, but the entries have dynamically calculated properties. I am thinking of using bc for running the user defined functions. It's rather easy to fix things for user if the expression does not end since they can modify the expression outside of the program. But let's say user A sends user B their diary. Should I warn user B that it's not safe to open their diary?
For example, you can have a Turing-complete language with recursion, but limit the stack size and run time (to kill the busy beavers) for each user script. If it's implemented as some kind of a VM it'll be very easy to do. You can also have a total functional language to ensure termination (but that won't solve the busy beavers problem).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 2 years ago.
Improve this question
I am a IT Security student and I have to write a paper about a vulnerability in a real life case. I chose a small application that allows to create icons under Windows, which is vulnerable to a stack buffer overflow.
I've already had to do manipulations on exercise scripts (injecting shell code into a script that can be used in the Linux command line, etc.) but never on a real application.
Is it possible for you to help me to use the vulnerability to carry out some kind of "attack" or to execute a program function not supposed to be executed at that moment?
I didn't try to reverse the code yet, I will try to find where the program is storing the long string I use to make it crash, the size of the memory for this variable and the return address.
I found this app when trying to find a vulnerable app on Vulnerability Lab : https://www.vulnerability-lab.com/get_content.php?id=1609
You can also download the app from this link (the vulnerability is still present in the last version): http://www.aha-soft.com/iconlover/
PS : I've only been studying IT Security for a year and a half, so I am a beginner. Sorry if there are some mistakes in my text, I am french. This is one of my first post on this forum, I hope I did it well.
There are already ready made exploits to do what you are asking for iconlover. see here. The script forces the application to open up calculator.exe which indicates a very severe security issue.
You can modify the given shellcode for RCE or to execute malicious programs (assuming you already have some form of access to the target system.)
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I've come across a system that requires you to include a number in your username. I feel this is pointless, as the username should be easy to remember, and not be subject to requirements that may be applied to passwords.
However I can't find a good write up of the reasons for this. Can anyone reference a good source for this, and/or explain it in better words than I can?
Edit: I'm getting answers explaining why they do this, which are certainly of value, but there must be a write up somewhere of how to make a secure login system, that advocates a simple, easy to remember username.
Having no clue about the specific system mentioned, if one can call support and say something like "My username is John and I forgot my password" - adding a number may add just a bit of security.
Also, if the system is not protected against brute-force attacks, one can try common usernames together with common passwords.
I agree with Xavjer: the reason for this is most likely not security-related.
I agree with you: If the requirement is security-related - the security scheme is probably wrong.
Edit:
Another idea - Maybe they want to force you to use a username which is different than the one you use on other sites. Since many users tend to select the same username and password for different sites, and in case the password is compromised on one of these sites - this may help (but again, just a bit).
I would say it could be because if you force a number in an username, you will most likely never receive a dublicate name problem. There wont be someone having for example the name 'peter' and then there is a 'peter95' and a 'peter112'. No one will have the original one.
This is just what I think is the most reasonable answer.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
You know, these things. I assume they run on some old computer language/framework, anyone know what that might be?
The displays themselves are pretty basic, they (in most cases) just have a microcontroller with some firmware that allows them to convert commands they get serially into patterns and/or characters. The more recent ones also give feedback regarding broken LEDs for example. Typically these firmwares are written either in assembly or C.
The real intelligence of these systems is often located in a central control system that coordinates an entire city or even a state. These control systems can perform intelligent tasks on entire groups of signs like given the location of an accident, they add the correct distance to the accident to the warning message, automatically divert traffic, and so on.
I know of such systems written in C, C++, Java, G2, ... Depends on the moment they were designed. So no, they're not by definition outdated and antique! They do tend to have a longer lifespan than your average desktop app though which often leads to the oldest parts being swapped out for more recent developments and these newer modules will in many cases be based on more recent technologies.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 13 years ago.
Improve this question
There are several ways to secure passwords with an automated encryption algorithm, but sometimes it's best to write it down on paper and keep the paper itself secured. Hackers can't easily get to paper. However, if someone finds that paper, they can see the passwords plainly.
What's a non-automated method of securing information on a piece of paper? For example, have the real password be in every other character (eg p1a2s3s4w5o6r7d8 = password).
Take a character sequence from a book you have lying besides your computer. You can take the sequence in any number of ways: First/second/etc. letter of each word in a chapter you decide, for example.
Have a look here for some history and ideas about steganography ;) Your example is a simple working one, you can even use an invisible ink or write it backwards with only every 5th character relevant etc., it is up to your imagination :)
What youre suggesting is a simple cypher. I'm not sure why you'd want to implement something like that vs. using a password manager like KeyPass but you can us a simple substitution cyper where A=Z, Z=A etc. if you need to write it down.