Most Popular

1500 questions
40
votes
8 answers

Isn't "Dave's protocol" good if only the database, and not the code, is leaked?

I've read "Is my developer's home-brew password security right or wrong, and why?", but there's still a question in my mind: Even if someone uses a bad, home-brewed security algorithm just like Dave, an attacker can't get the real password if the…
Rick
40
votes
4 answers

How to protect printers from being hacked

Recently it got to my attention that someone has hacked around 50,000 printers and used them to print the message they wanted to. (link) As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to…
aMJay
40
votes
5 answers

How should source code security be checked?

How can one check whether the source code of an open-source project contains no malicious content? For example, in a set of source code files with altogether 30,000 lines, there might be 1-2 lines containing a malicious statement (e.g. calling curl…
tonychow0929
40
votes
3 answers

How to safeguard physical keys stored in a fire dept. lockbox?

The workplace has a physical access key stored in a fire department lockbox (sometimes called a Knox Box). How is it possible to mitigate the risk that the Knox Box gets picked, or that an unauthorized key may exist? What could the local fire…
jth
40
votes
7 answers

Does password protecting an archived file actually encrypt it?

For example, if I use WinRAR to encrypt a file and put a password on the archive, how secure is it? I keep a personal journal and am thinking of doing this, or is there a better way? It's just one huge .docx file.
Celeritas
40
votes
1 answer

How does the attacker know what algorithm and salt to use in a dictionary attack?

I am curious about password cracking methods like dictionary and brute force attacks. Nowadays passwords are stored as hashes and not plaintext on the server. Then how can the plaintext passwords in the dictionary be compared with the hashes in the…
andjava
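Both the "Dave's protocol" question and the dictionary-attack question above come down to the same observation: the leaked table already carries the scheme tag and the salt, and a home-brewed scheme is recovered from the leaked code or simply guessed and confirmed against one known password. The following is an added illustration (not code from any answer on this page, and not the real "Dave's protocol"); the `scheme$iterations$salt$digest` record format and the `homebrew` scheme are constructed for the example, as is the leaked table and wordlist.

```python
"""Dictionary attack driven by what a leaked password table reveals.

Assumed record format (constructed for this example, loosely Django-like):
    "<scheme>$<iterations>$<salt-hex>$<digest-hex>"
The scheme tag and salt sit in cleartext next to the digest, so the attacker
knows exactly which function to run on each dictionary word.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional, Tuple

# --- two schemes: one standard, one constructed "home-brew" ------------------
def pbkdf2_scheme(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def homebrew_scheme(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Constructed stand-in for an unpublished "clever" scheme: reverse the md5
    # hex, append the salt, sha256 it. Obscure, but still one cheap hash per
    # guess, so it costs the attacker nothing once the scheme is known.
    inner = hashlib.md5(password).hexdigest()[::-1].encode()
    return hashlib.sha256(inner + salt).digest()

SCHEMES: Dict[str, Callable[[bytes, bytes, int], bytes]] = {
    "pbkdf2_sha256": pbkdf2_scheme,
    "homebrew": homebrew_scheme,
}

def make_record(scheme: str, password: str, iterations: int = 20_000,
                salt: Optional[bytes] = None) -> str:
    """What the site stores: everything but the password is in the record."""
    salt = os.urandom(16) if salt is None else salt
    digest = SCHEMES[scheme](password.encode(), salt, iterations)
    return f"{scheme}${iterations}${salt.hex()}${digest.hex()}"

def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    return scheme, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)

def crack(record: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses tried).

    The attacker reads scheme and salt from the record itself, then hashes
    each candidate exactly as the server did; no secret is needed.
    """
    scheme, iterations, salt, digest = parse_record(record)
    fn = SCHEMES[scheme]
    tried = 0
    for word in wordlist:
        tried += 1
        if hmac.compare_digest(fn(word.encode(), salt, iterations), digest):
            return word, tried
    return None, tried

# Constructed sample data: a tiny "leaked table" and a tiny dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "correcthorse", "dragon"]

def demo() -> Dict[str, Optional[str]]:
    leaked = {
        "alice": make_record("pbkdf2_sha256", "letmein"),
        "bob":   make_record("homebrew", "dragon"),
        "carol": make_record("homebrew", "Tr0ub4dor&3"),  # not in the wordlist
    }
    return {user: crack(rec, WORDLIST)[0] for user, rec in leaked.items()}

if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw!r}")
```

Both alice and bob fall to the same loop; the only lever the defender has is the per-guess cost (the `iterations` of PBKDF2, or a memory-hard function), and carol survives only because her password is not in the list, not because the scheme was secret.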
40
votes
6 answers

How "scrambled" is the data on a RAID5 disk?

My concern is the disposal of a replaced disk from a private RAID5 disk array. I have had to replace a disk from my personal RAID5 disk-array. It had started developing errors, so out it went. But now, I have this disk lying on my desk and that…
Mausy5043
40
votes
1 answer

How does OpenSSL generate a big prime number so fast?

In order to generate a 2048 bit RSA key pair, you need to generate two big prime numbers 1024 bits in length. As far as I know, OpenSSL chooses a random 1024 bit number and starts looking for a prime number around it. How can OpenSSL check if the…
user167246
40
votes
4 answers

Is demanding a "donation" before disclosing vulnerabilities black hat behavior?

We have been contacted by an "independent security researcher" through the Open Bug Bounty project. First communications were quite OK, and he disclosed the vulnerability found. We patched the hole and said "thank you", but declined to pay a…
Jacco
40
votes
8 answers

Why do password strength requirements exist?

Password strength is now everything, and they force you to come up with passwords with digits, special characters, upper-case letters and whatnot. Apart from being a usability nightmare (even I as a developer hate it when a website requires a…
Bozho
40
votes
3 answers

How do hacking groups register domains remaining anonymous?

Let's take lulzsec as an example; they registered lulzsecurity.com. There are two problems that I don't understand how they solved: They had to pay for it. Tracking down money is generally much easier than tracking down IP addresses. I assume they…
Andreas Bonini
40
votes
6 answers

Why is external access to a server via SSH considered insecure?

I recently had a conversation with my boss and an IT contractor that they use. My request to allow outside access to a machine on the network via SSH was denied on the grounds that SSH is insecure. I asked for an explanation and unfortunately did…
user142998
40
votes
3 answers

What security measures should one implement before executing user-uploaded files?

I want to make a little programming puzzle on my website. There's going to be a task. The user will be asked to upload a C++ source file with their solution. The file should be compiled, run with some input and checked if it produces right output.…
Jen
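The minimum for the puzzle described above is to treat the compiled solution as hostile: hard CPU, memory, file-size and process limits, a wall-clock timeout, a stripped environment, and no inherited privileges. The following is an added example of that runner (not the asker's code): it uses POSIX rlimits and `subprocess`, the `/sandbox` paths and the `g++` command line are hypothetical, and the unprivileged-user, namespace and filesystem isolation steps are named in comments rather than implemented because they need root and a host-specific setup.

```python
"""Run an untrusted program under hard limits and grade its output (POSIX only)."""
import resource
import signal
import subprocess
import sys
from typing import Sequence

PYTHON = sys.executable  # used below only to demonstrate with a harmless program

def _cap(which: int, want: int) -> None:
    """Set soft and hard rlimit to `want`, never above the current hard limit."""
    _, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        want = min(want, hard)
    resource.setrlimit(which, (want, want))

def _apply_limits(cpu_s: int, mem_bytes: int) -> None:
    # Runs in the child between fork() and exec(), before untrusted code starts.
    _cap(resource.RLIMIT_CPU, cpu_s)          # SIGXCPU after cpu_s seconds of CPU
    _cap(resource.RLIMIT_AS, mem_bytes)       # address space: stops malloc bombs
    _cap(resource.RLIMIT_FSIZE, 1 << 20)      # at most 1 MiB written to any file
    _cap(resource.RLIMIT_CORE, 0)             # no core dumps
    _cap(resource.RLIMIT_NPROC, 16)           # fork-bomb brake (counts per user)
    # Not implemented here (needs root/host setup): os.setuid() to a dedicated
    # 'judge' user, a fresh network namespace so the binary cannot reach the
    # network, and a chroot/mount namespace with only the binary and stdin.

def run_limited(argv: Sequence[str], stdin: str = "", cpu_s: int = 2,
                mem_bytes: int = 256 << 20, wall_s: float = 5.0,
                max_output: int = 64 << 10) -> dict:
    """Execute argv under limits; misbehaviour becomes a status, never an exception."""
    try:
        proc = subprocess.run(
            list(argv), input=stdin.encode(), capture_output=True,
            timeout=wall_s,                     # wall clock: catches sleep()/blocking
            preexec_fn=lambda: _apply_limits(cpu_s, mem_bytes),
            env={"PATH": "/usr/bin:/bin"},      # no inherited secrets or tokens
            cwd="/",
        )
    except subprocess.TimeoutExpired as e:
        out = (e.stdout or b"")[:max_output].decode(errors="replace")
        return {"status": "timeout", "stdout": out, "stderr": ""}
    rc = proc.returncode
    if rc < 0:
        status = "killed:" + signal.Signals(-rc).name   # e.g. killed:SIGXCPU
    elif rc == 0:
        status = "ok"
    else:
        status = f"exit:{rc}"
    return {
        "status": status,
        "stdout": proc.stdout[:max_output].decode(errors="replace"),
        "stderr": proc.stderr[:max_output].decode(errors="replace"),
    }

def grade(result: dict, expected: str) -> bool:
    """Accept only a clean exit whose (whitespace-trimmed) output matches."""
    return result["status"] == "ok" and result["stdout"].strip() == expected.strip()

# Hypothetical compile step for the uploaded file. The compiler must run under
# run_limited() too: the source is untrusted input to it (#include bombs,
# template recursion). Static linking keeps the sandbox free of shared libraries.
COMPILE_ARGV = ["g++", "-O2", "-static", "-o", "/sandbox/solution", "/sandbox/solution.cpp"]

if __name__ == "__main__":
    # Constructed stand-ins for a submitted binary: one behaves, one spins forever.
    good = run_limited([PYTHON, "-c", "import sys; print(sys.stdin.read().strip()[::-1])"], stdin="abc\n")
    spin = run_limited([PYTHON, "-c", "while True: pass"], cpu_s=1, wall_s=10)
    print(good["status"], grade(good, "cba"))   # ok True
    print(spin["status"], grade(spin, "cba"))   # killed:SIGXCPU False
```

Rlimits bound the damage a single process can do to the host; they do not stop the program from reading world-readable files, talking to the network or to other submissions, which is what the namespace and unprivileged-user steps in the comments are for (a container or `bwrap`/`firejail` profile gives the same thing with less hand-rolled code).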
40
votes
4 answers

Are CVE counts a good indicator of a software's security?

Looking at the count of CVE reports by product, I'm tempted to use it as an indicator of which programs are the most secure, and choose the ones I install accordingly. But I wonder if these numbers are misleading. For example, the Linux kernel is…
Hey
40
votes
11 answers

Can software passwords be bypassed by reverse engineering?

Let's say, for any software installed on a client-side OS, is it possible to alter the software in such a way (i.e. zip passwords) that for an incorrect input it is redirected to the correct "result"? Like: Is it possible to alter software logic to…
T.Todua