Yes, the OID is encoded in the binary data. The OID 1.3.6.1.5.5.7.48.1 you mention becomes 2b 06 01 05 05 07 30 01 (the first two numbers are encoded in a single byte, all remaining numbers are encoded in a single bytes as well because they’re all smaller than 128). A nice description of OID … Read more
http://us3.php.net/image You link the img element to a php file. This file checks if the user has the right permission, if so it can send an img response back. <img src=”https://stackoverflow.com/questions/3990337/url/LoadImg.php?id=1337″ alt=”” /> Still someone with the permission can download the image and provide it to other people somewhere else (webspace/mail/whatever). To make it a … Read more
Here is some stuff from Wikipedia (original source): V1 GUIDs which contain a MAC address and time can be identified by the digit “1” in the first position of the third group of digits, for example {2f1e4fc0-81fd-11da-9156-00036a0f876a}. In my understanding, they don’t really hide it. V4 GUIDs use the later algorithm, which is a pseudo-random … Read more
In all likelyhood, the tool uses ReadProcessMemory or some variant, which requires PROCESS_VM_READ access. With respect to your “malicious” comment, remember that you (or the process invoking this API, which likely needs Administrator-level permissions) already has total control over the machine. The security game is already lost at this point.
A new salt should be randomly generated for each user and each time they change their password as a minimum. Don’t just rely on a site wide salt for example, as that defeats the point of using a salt in the first place. Using a unique salt for each user is so that if two … Read more
You need to hash about 2^64 values to get a single collision among them, on average, if you don’t try to deliberately create collisions. Hash collisions are very similar to the Birthday problem. If you look at two arbitrary values, the collision probability is only 2-128. The problem with md5 is that it’s relatively easy … Read more
4) Crediting their bank account with two random amounts and ask them to enter those in. 5) Snail mail them some new password and ask them to enter it in. 6) Have them text or call some number and enter some value to a phone number with the mobile phone they registered on file. 7) … Read more
The problem with XOR encryption is that for long runs of the same characters, it is very easy to see the password. Such long runs are most commonly spaces in text files. Say your password is 8 chars, and the text file has 16 spaces in some line (for example, in the middle of ASCII-graphics … Read more
There is no way to send a password securely that the user can verify without SSL. Sure, you can write some JavaScript that will make a password secure for over-the-wire transmission through hashing or public-key-encryption. But how can the user be sure that the JavaScript itself has not been tampered with by a man-in-the-middle before … Read more
HTTP Basic Authentication over SSL is perfectly secure from my research. After all, using SSL (strictly TLS now) means the transport layer is encrypted and we can safely assume any information passed over this is secure and has not been tampered with. Therefore passing the username and password without generating a signature is sufficient.