Do any desktop PC motherboards require hardware token authentication?

Scenario: I am assembling a desktop computer. I buy an ASUS XYZ motherboard because it will not run — or, even better, its running state cannot be altered, short of pulling the plug — without hardware token authentication. The XYZ motherboard comes with two YubiKeys. If I lose those, I can buy additional copies from ASUS, after posting bond and passing a DNA test.

I’m kidding about the DNA test. Or maybe not. The question is, does anything like the ASUS XYZ motherboard exist?

A prior question initially appeared to be seeking the same information, but its focus on laptops seems to explain its apparent satisfaction with a software solution oriented toward data encryption (e.g., Sophos SafeGuard Easy).

What is the best way to notify a user that updates are available in a desktop application?

I have a WPF desktop application that is used as the front-end for a webservice. This application has a database that could get updated from time to time, but it would also work with an old database. I want my application to do a background check on startup, whether the database needs to be updated.

If that is the case, I want to notify the user.

Question:

What are the best ways to do that?

Disable the option to edit SP document library in Desktop Word Application

I want to change my document libraries in Sp Online to allow staff to view, download and open in Word Desktop App, however I do not want them to be able to edit the document once it opens in the Word Desktop Application — only to Save As another name on their PC. I want to prevent them from altering the form in SP in any way. What do I do? Thx. Caulene

Is this schema between a Desktop App and an API secure?

From my previous question: How secure is this schema between a Desktop App (c++) and an API (php).

To make it short: Client logs in using the Desktop App (and receives a JWT) and every X seconds/minutes the Desktop App sends this JWT to see if it’s still valid. No webpage is involved, everything is done between the Desktop App sending POST requests and the API answering.

I have 2 .php files: check.php (it’s the one that receives the Requests every X seconds/minutes) and login.php (used once to log in every time the user opens the Desktop App).

Login.php

Receive username, password and a random value. Check if username and password are okay, then generate and store in DB a JWT using the random value and SharedSecret_1. Send the JWT back to the Desktop App so it can check if it’s valid and proceed to let the user use the software.

Check.php

Receive a JWT and a random value. Check if the JWT is the same as the one in the DB, then generate and store in DB a new JWT using the random value and SharedSecret_2. Send the JWT back to the Desktop App so it can check if it’s valid.


I had 4 main problems:

  1. How to make sure the Desktop App knows if the JWT it receives is valid and not faked by the user.
  2. How to make sure the API knows if the data sent by the Desktop App is valid and not faked.
  3. The API needs to send a unique JWT every time because if it’s always “Y” then the user would be able to forward the data sent by the Desktop App and fake an answer “Y”.
  4. I don’t want multiple users using the same account at the same time. Only 1 connection per account. (Like in an online game where if someone logs in while you are logged in, you get kicked).

From the answer I came with this idea:

  • Desktop App signs data before sending it solving 2nd problem. (Is it secure if the Desktop App sends the data with a JWT using a SharedSecret?)
  • Both Desktop App and API share a Secret Key (would be different in case I can sign data client-side using JWT) that the API will use to generate the JWT and the Desktop App will use to verify this JWT. Solving 1st problem.
  • A random value is sent by the Desktop App (along with the JWT) every time it performs the checks so the API uses it to generate a different JWT.
  • I solve problem 4 Using different SharedSecrets for “login” and “check”. If a user forwards it to login, it will generate a token with SharedSecret_1 and when the Desktop App verifies this token it will use SharedSecret_2 making it invalid.

My questions are:

  1. Is this approach secure?
  2. Can this random value be known by anyone without risking security? (Because the user would still need the shared secret to be able to generate a valid JWT)
  3. Should the random value be sent inside the JWT?
  4. How “random” should this value be? Is it okay if it’s a simple number from 1 to 100000?

When I’m asking about security I mean against piracy, preventing users from accessing my paid app for free. (I know it can’t be 100% secure, but I want it to be as secure as possible). I’m not taking into account what happens if a user reverses my Desktop App because if this happens then the user will simply remove the checks or will know the shared secret.

AMP pages in Google search results on desktop

I have a WordPress-based website with the “AMP for WP” plugin installed. It seems to be configured properly so that AMP pages point to respective non-AMP pages with “rel canonical”, but I noticed some AMP pages showed up in Google search results even on a desktop browser.

What could cause that and how to make sure AMP pages are shown in SERP only for mobile?

How secure is this schema between a Desktop App (c++) and an API (php)

As the title says, I’m writing a paid Desktop App that automates some process. It indirectly requires an internet connection because MY app automates another Desktop app that requires an internet connection. There is no webpage or such, only my Desktop App and my API.

Normal Workflow:

  1. User opens Desktop App: Login prompt shows on screen (it’s a simple interface written in c++ that then posts to my API).
  2. User presses the “Login” button: Data is sent via POST to my API.
  3. API validates and verifies the data, then generates a JWT and sends it to the user.
  4. User then uses the App all the time he/she wants: Every X seconds the JWT is sent to the API to see if it’s still valid.
  5. The user stops using the App: It might be because the App crashed, because he lost connection or because he closed it.

What I want to achieve:

  1. I need it to be secure for the users and for me (by me I mean I don’t want it to be easily pirated):
    • I’m using HTTPS.
    • I’m hashing the Password before sending it to my API.
    • I’m validating and verifying all the data.
    • I don’t know how to make sure that this data comes from my Desktop App and was not modified in the middle by the user (like replacing a unique identifier with a simple string).
  2. I want to prevent multiple clients logging in using the same account at the same time:
    • I don’t want multiple Apps connected at the same time using the same account. I don’t mind if a user uses the same account on different computers as long as he is not having more than 1 App connected at the same time.
    • When a user logs in with an account it will kill the rest of the “sessions” that this account had. (Like an online game where if you log in with an account that’s already logged in, it will kick the user that was logged in preventing from 2 clients using the same account at the same time).

My schema:

Using JWT, when user “A” logs in it will generate a new JWT using his username and some kind of unique information like IP or computer information.

My Desktop App will verify and store this JWT in memory. Then every X seconds it will do a POST request sending the JWT to see if it’s still valid.

  • If everything is okay then the App will continue to run normally.
  • If the token is not valid anymore or something is wrong it will log out.

Problems I found:

  1. Let’s say User “A” logs in and a JWT is then generated and sent to the Desktop App, how can the Desktop App tell that this JWT is valid and that it is not a fake response the user is using so the App thinks it’s logged in?

  2. What happens if user “A” logs in and then fakes responses every X seconds? I mean, how can I make this response unique? Is it a good fix to generate a new JWT every time it performs this check?

  3. Let’s say I make it unique using some kind of unique identifier for each client (like IP, computer information, etc.), what if the user intercepts the information and replaces it with something simple like “hello world” so then all clients can use the same account and have a valid token at the same time. How do I prevent user from being able to intercept the data sent?

So my questions are:

  • How do I fix those problems?
  • Is it a good schema? I mean is it secure (to prevent piracy)? (I know nothing is 100% secure, but I don’t want to make an authentication system that can be easily broken or with no security at all).
  • Is JWT a good choice here? Are there alternatives that are “better” or “different”?
  • Do you see any other problems, flaws, bugs, etc.?
  • Do you have another schema or idea to achieve this?

Thanks in advance.

P.S.: I’m not taking into account what happens if the user reverses my Desktop App because that’s another topic and in that case nothing here is important.
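The login/check exchange that this question and the earlier "Is this schema between a Desktop App and an API secure?" question describe, as an added example that is not code from either post: an HS256 token bound to a fresh client nonce, with a new login replacing the previous session. It is a simplification that assumes one demo key and a session id in place of the stored JWT and the two shared secrets; `SECRET`, `ACTIVE`, `fresh_nonce`, `login` and `check` are hypothetical names, and Python stands in for both the C++ client and the PHP API.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"  # assumption: stands in for the posts' shared secret
ACTIVE = {}                       # username -> id of the one live session (the "DB")

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(txt):
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def sign(claims):
    """Build an HS256 JWT over the claims."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token, nonce=None):
    """Return the claims only if MAC, expiry and (when given) nonce all check out."""
    try:
        head, body, mac = token.split(".")
        good = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _unb64(mac)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    if claims["exp"] < time.time():
        return None
    if nonce is not None and claims["nonce"] != nonce:
        return None
    return claims

def fresh_nonce():
    return secrets.token_hex(16)  # 128 bits from the OS CSPRNG, unguessable per request

def login(user, nonce):
    """login.php role (password check omitted): a new login replaces the old session."""
    ACTIVE[user] = secrets.token_hex(8)
    return sign({"sub": user, "sid": ACTIVE[user], "nonce": nonce, "exp": time.time() + 60})

def check(token, nonce):
    """check.php role: only the live session gets a fresh token bound to the new nonce."""
    claims = verify(token)
    if claims is None or ACTIVE.get(claims["sub"]) != claims["sid"]:
        return None
    return sign({**claims, "nonce": nonce, "exp": time.time() + 60})
```

The client calls `verify(response, nonce_it_just_sent)`, so a recorded earlier response fails the nonce comparison. Because the client holds the same HMAC key the server signs with, the check is only as strong as that key's secrecy; an asymmetric signature (private key on the API, public key in the app) would keep the signing key off the client.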

Removing / Editing Desktop Right Click Actions 16.04

I would like to remove the ‘Organize Desktop by Name’ action, or at least edit the desktop right click menu to put an indent between ‘paste’ and ‘Organize Desktop by Name’, so I don’t keep mucking up my desktop icon layout when I misclick and hit the latter when intending to hit the former.

Nautilus actions helps define and add new actions, but I’ve been unable to use it to remove already existing actions.

Any help is much appreciated.