I have the following architecture for accessing a REST service that requires authentication:
- OIDC token flow managed at the client
- Access token verified at the server in the auth service (proxied by the API gateway), exchanged for a JWT that contains authorisation information about the user.
- The resource is accessed
In the current model, every request needs to verify the access token (which is normal), but also needs to retrieve the authorization information on every request, which I don’t feel is ok.
The JWT used in this model is only for internal use at the server cluster, as there really is no need to send it back to the client. Also, generating a JWT on every request doesn’t feel quite right.
Storing the JWT in a server store (cache / database) is something I don’t feel is right with this model, because this makes the system stateful again (in case of multiple API gateways, there is need again for sticky sessions, synchronisation etc.). Hence this doesn’t offer a solution.
One possible solution would be that authorization is not checked upfront along with the authentication (i.e. verification) process, but only depending on the requested route / action. I don’t particularly like this, as this requires back and forth messaging when a protected resource is accessed. It doesn’t smell like clean architecture.
What is the advised way to go about this?
Related, I wondered if it is enough to perform authentication in the API gateway. These microservices work independently, and I feel a bit uncomfortable that the API gateway grants all access while keeping the underlying services ‘dumb’. Is this a misplaced sense of paranoia?
The very interesting question I have is: when “ethical” hackers/pen testers harvest these repositories of stolen credentials to then use them in pen testing for paying clients, what ethical boundaries are broken? What laws are broken? If a lazy hacker leaves their captured credentials out on an insecure, public-facing server and then an “ethical” hacker grabs them for their own paid services, it seems to me that it’s stealing already stolen goods.
What about a penetration tester taking credentials gathered from a paid/contracted job and adding them to a database to be used in future client jobs?
Python websites Repl.it and Glot.io – are they both considered secure in the programming world? Any security issues known for one of them?
And if you run Python code within those two web services, is there a technical way that your local operating system could be infected, or is everything, by design, isolated from your own system when you run code via those websites?
Just want to make sure they are totally safe to use.
We have some development and test environments being served off our canonical domain, e.g. dev.example.com. We also have some services using obscure domain names from 3rd party providers like xjkhasdkjvhas.dns.ashdfb.3rdparty.io.
The canonical domain is maintained strictly by our sys admins.
Furthermore, some services are not served on port 80, which means any new instances need to be opened on our company firewall. Also, some of these services have dynamic IPs, which also causes our firewall to need updating/scripting.
To clean it all up I’d like our developers to use their own public dns, e.g. dev.ex.io. They can then standardise easily memorable names for services, create reverse proxies with certbot for dynamically changing services on obscure ports and also clean up our canonical DNS so it’s only used for production services.
Are there any real risks associated with this? The only thing I can think of is a public domain will provide clues as to our company and what services lie behind the domain (but that’s already an issue with dev.example.com). As long as developers don’t use this domain for production services is there a problem with this approach?
Can you have an anti-virus and anti-malware layer sitting deep within the microservice layer and have the malicious file flow through all the services? The argument being that the file is in memory and not getting processed until the service we will put the anti-virus and anti-malware layer on.
Shouldn’t this be stopped at the routing layer of the application?
I personally trust Google in terms of security, but I’m not sure whether man-in-the-middle (MITM) attacks against Google services are possible AS OF TODAY or not. As far as I know, Google uses some protections against MITM regarding certificates in the Chrome browser. Is MITM possible for Google services (TLS/SSL) as of today?
This is a continuation of a previous question.
I’m developing an app whose only purpose is to display the closest Joe's Florida Tacos locations to my current location in Florida. It will have the usual list (closest first) and a map with the markers. The app doesn’t have any use outside of Florida.
Under normal circumstances, the user has enabled “current location”, so the app will display a list with the closest locations to the user (like this). If the user switches to the map, the map will display the location of the user and several markers.
But let’s say that “current location” is disabled. What will be displayed on the initial screen, where the list should be? Will it be empty, or will it display everything? And let’s say that the user switches to the map: what will the map display?
Is it possible to get an approximate location even if current location is off?
I don’t want to require that the user enables current location, but I don’t know what to display if it’s disabled.