Most Popular

40 votes, 2 answers

Role Based Authorization vs. Claim Based Authorization

What is the difference between "role based authorization" and "claim based authorization"? Under which circumstances would it be appropriate to implement each of these authorization models?
user960567
40 votes, 2 answers

Why does Google cripple the 2FA Google Authenticator PAM module?

If you enable 2FA for Google Apps the shared secret is 160 bits. The google_authenticator PAM module on the other hand seems to use 80 bits for the shared secret. According to RFC 4226: R6 - The algorithm MUST use a strong shared secret. The…
40 votes, 4 answers

Is generating random numbers using a smartphone camera a good idea?

Forgive my ignorance on the subject, but I wish to know more, and asking (stupid) questions is one way. I was reading http://www.random.org/randomness/ and this idea popped into my head (before the bit about lava lamps). Considering the…
ian
40 votes, 1 answer

Consequences of tampered /etc/ssh/moduli

What are the consequences if an attacker is able to modify the /etc/ssh/moduli file?
vergoglio
40 votes, 6 answers

Secure Linux Desktop

I'm looking for hints about secure Linux desktops. Securing servers is no problem: most recent software updates, run only the services required, etc. But what about desktops? I'm thinking about details like NoScript for Firefox, ASLR, PIE and similar…
chris
40 votes, 5 answers

Client-side encryption, but cloud service can still decrypt data in the event of a death? Is this possible?

I've been worried about this password manager, PasswordBox that seems to be gathering quite a bit of steam lately. They seem to have raised VC funding and are offering a free password management and storage tool. Their team does not seem to have…
Mallory
40 votes, 6 answers

How do I safely inspect a suspicious email attachment?

I received a pretty blatantly spammy email to my Gmail account. Attached to the email is a supposed HTML file. My first hunch was that it was probably one of the following: A nasty executable file masquerading as a simple HTML file, or An actual…
lsdfapoinsafpr
40 votes, 1 answer

TLS: RC4 or not RC4?

I was reading another interesting article by Matthew Green today, saying that if you're using RC4 as your primary ciphersuite in SSL/TLS, now would be a great time to stop. As far as I'm aware, RC4 has been up'd on the list of ciphersuites to…
Yoav Aner
40 votes, 3 answers

Block chaining modes to avoid

Everyone knows that ECB operation mode with a block cipher should be avoided because of clear and obvious weaknesses. But little attention is given to comparison of the other modes in the context of security, and people instead appear to simply…
tylerl
40 votes, 6 answers

Software vendor refuses to fix security vulnerability - what to do?

I work as a consultant for a large corporation that uses some software, in which I have found a security vulnerability. I notified both my client and the software vendor about a year ago. They referred the case to their account manager (!), who (in…
TravelingFox
40 votes, 2 answers

Why is there no web client for Signal?

I’ve read about E2EE (end to end encryption) of Signal in web clients on a Signal Community discussion forum, and wonder why they say that the browser is insecure for E2EE and native apps are secure. I think the security issues for clients are the…
40 votes, 8 answers

What is the attack scenario against which encrypted files provide protection?

There are a couple of files / tools which provide file-level encryption. I guess PDF and ZIP are probably the most commonly known ones. I wonder what scenario they actually help with or if it just is a bad solution. For example, if I want to be sure…
Martin Thoma
40 votes, 8 answers

Are all USB-based attacks dependent on being able to inject keystrokes?

From what I've seen, USB-based attacks such as RubberDucky need to be able to open a terminal and then execute commands from there, usually to download and then install malware or to open a reverse shell. Is this how most, if not all USB-based…
user942937
40 votes, 5 answers

Security impact of using a public password for free WiFi

We have a WiFi network that we want to be public and free. Does having a password that is known to everyone provide any additional security advantage to the people using this network as opposed to just leaving it without a password? i.e. Can a…
epeleg
40 votes, 4 answers

What benefits are there to blocking most search engines?

While on a client's site using the corporate network, I see that only a few search engines are allowed. Google and Bing, possibly others; while my fav DuckDuckGo is blocked, and a few others that I've tried are also blocked. The search engines are…
YetAnotherRandomUser