I'm studying Dropbox and learning about it's infrastructure. It comes to a scenario when you have just installed dropbox on linux, after running ~/.dropbox-dist/dropboxd you will be given a link in order to link the computer to the account.
The Link has the format: https://www.dropbox.com/cli_link?host_id=xxxxxxxxxx
I'm trying to figure out how dropbox generates those host_id, is it based on the hardware ID or bases on anything?
Please share your ideas if you have one.
Thank you so much.
The Host ID is the only parameter that is used for authenticating users and devices. This means that any disclosure of the Host ID will allow an attacker to get access to all the user data in Dropbox. The Host ID is common to all the devices in the specific account and never changes.
These weakness issues have been discussed by information security blogger Derek Newton [3] who also reveals that changing the Dropbox account password would not change the Host ID. So changing password becomes useless.
Reference: http://blog.sikkerhed.alexandra.dk/2012/01/24/cloud-security-a-dropbox-case-study/
It seems Host_ID is generated by Dropbox itself when the user registers their account on dropbox and is never changed in future.
Related
On our intranet, I want to provide a website that certain employees can access. The work they do on the site will be recorded and tagged with their user-name for identification if the need should arise. Of course users have already logged in to their workstation and they have supplied credentials to our Active Directory.
Rather than maintain an additional set of user logins and passwords for the website, and forcing users to enter this second set of credentials, I am wondering if they can just be silently authenticated when they pull up the site? Somehow the webpage would have to find out their Active Directory user name as known on their workstation. (I see no reason it would need their password.) And then, for their work, the website can store their actions tagged with their user name.
So: I'd log in to my workstation as "Mark" in domain "ONU-AD". I'd pull up the webpage "resolveticket.php". That page would not challenge me for credentials, but it can access my username and store that with my various actions.
NOTE: I have seen some questions and answers here that were more specific. But my initial question is general: is there a piece of tech that can help with this? What is it? (for example, should I try to do this with Java?) Many similar questions are about ways to get this information in a server-side script. But I am simply wanting the webpage sitting on the client computer to be able to get the user name and perhaps place it in an input (type="hidden") on a web form.
Project ASP.NET
I will use Azure for my storage. Questions (requirements):
In my project I let my registered users download files. But I don't want the user to share this download link to unregistered people (example : the download link what I gave the registered user shall only be downloadable on their computer) .
I show only for registered users the download link, the registered users can download the files that I gave them
No one can delete my files
Question 1: This is really up to your app but... if you're giving direct links to blobs in Azure Storage, you would need to protect them with a Shared Access Signature (or policy). This way, you can give someone a link that expires (for example, 10 minutes after you issue the link). Then, if someone gives away the link, it won't work for very long. There's no way to limit a link's use to a specific computer. Now, if you simply stream content from blob to your app, and then from your app to the user, you will probably have a bit more control, since you wouldn't really be generating a reusable link. But this will have downsides (such as running all content through your web tier, requiring more resources in your web tier).
Question 2: This is completely up to your app, how you manage assets and present them to a registered user. No way to answer this for you, since we know nothing about your app.
Question 3: Azure Storage is accessible by a secret key, which should stay secret, and only you should ever have access to it (for example, it would be used by your code on the server). As long as you don't publish this key anywhere, then nobody would be able to delete your content.
I have tried to set up every email client available for linux, ubuntu 14.04 and each and every one fails. I'm looking to find what the common element is that causes authentication to fail in each and every instance. Is it because google has changed their authentication algorithm and nobody has kept up with the changes?
It seems that Google, sometime late in 2014 started blocking apps that are using IMAP/SMTP PLAIN authentication by default. It also seems no Linux email client has addressed this change (at least that as far as I have found).
It had only affected me recently. The change only propagated to me now, in February of 2016. I found this out by attempting to install one email client after the other; kmail, evolution, claws, sylpheed, thunderbird. Finally, after reading Gmail blocking mutt I found out that my mail account had been tampered with by Google to reject anything other than OAuth. One way to fix this is to
Allow less secure apps: ON
in the "My Account" settings.
I received a very nice email from Microsoft Google expressing their dismay that I would choose anything other than their email client to access my gmail account:
Hi ... ,
You recently changed your security settings so that your Google Account ...#gmail.com is no longer protected by modern security standards.
Please be aware that it is now easier for an attacker to break into your account. You can make your account safer again by undoing this change here, then switching to apps made by Google such as Gmail to access your account.
Don't recognize this activity?
Review your recently used devices now.
Best,
The Google Accounts team [emphasis mine]
Apparently the only "modern security standards" are Google's security standards. And for why the above is FUD see:
What are the dangers of allowing “less secure apps” to access my Google account?
Also, lmao, apparently "business users" of gmail do not need this security "improvement." I assume this is so because Google does not want to really make a needed security change (otherwise why leave business users out of this), but rather to strong-arm Mom and Pop into using their email software.
Bad Google.
I am experimenting with using the Access Control Service in Azure. I have most of it working, I can log in using any of the providers but I'm having an issue with the claims against the WindowsLive provider. With the google provider I am able to get such useful information as the person's name and their e-mail address. I put similar claims in for WindowsLive but I get back the same value for every single claim. I've tried
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (I expected this to be gobbildygook)
http://schemas.xmlsoap.org/claims/EmailAddress
http://schemas.xmlsoap.org/claims/CommonName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
each of these return something like :oULpbTv2AMylPasgUOsLZAHjaBYtxldrU+gg3aS5nI4=
Now I'm pretty sure that isn't my e-mail address because it wouldn't fit on my business card and I know it isn't my name because my mother isn't Welsh and wouldn't support me being named as if I were.
I followed the tutorials found at http://robbincremers.me/2012/02/22/using-windows-azure-access-control-service-to-provide-a-single-sign-on-experience-with-popular-identity-providers/ and http://msdn.microsoft.com/en-us/library/gg185914.aspx to get this set up.
Is there some way that I can get information other than an identifier out of WindowsLive? Maybe the issue is related to my not setting up an encryption certificate?
Edit: After some searching I found Are any other claims available from Windows Live ID via the ACS 2.0 identity provider? which suggests that my attempts to get more information out of WindowsLiveID is a hopeless quest. I will just prompt users for information when they log in for the first time.
The windows live provider doesn't give you anything other than a unique providerId. This is unique to your application and the user's windows live id. Google is a little better in that they give you the users name as well as their email.
The way I solved this is that on account creation in my application I just collect any information from the user that I need in addition to what is provided from the claims. So if they are using Google then i pre-populate their Email and name on my "Create Account" form. If they're using Windows then the form fields are just blank and they have to fill out the necessary info to finish creating their account. It works pretty well.
How do you make sure it is secure when there are some devs who can access the machine?
Baring the whole discussion about not storing passwords in files you use the machine's own ACL to prevent them from accessing it.
Make the file readable only by the admin account, or some other account used to run your software. Then you dont give the developers the admin account/process account information.
The bigger question is, if you are concerned about them accessing the file on your machine, why do they have access to said machine? Any developer that is able to replace the code on the server without checks will be able to access your database.
Lets give a nice real world example of why you would want to do something like this.
You hire developers to create a Bank of Stackoverflow website. For whatever reason you store all your clients account information, including SSN, in a single database that needs to be accessed by the Bank of Stackoverflow website.
Do not give developers permission to put code directly onto a live machine
Do not give developers the access information to the database.
All code has to go onto a stage machine to be verified. For the most part it is easy enough to allow developers to use stage databases consisting of fake client information.
It is the responsibility of vetted engineers, to move products from the staged machine to the production machine.
I did not completely understand your problem but I think following article is for you:
Data Storage Security in J2EE