Hacker for Hire services? [closed]

I think sometimes it is best to look into different research scheme , get information on which is the best place to get this programmer guys , I was once a victim and I vowed never to contact again . I work in a place where we do mostly marketing and I always like to get information by any means . My colleague in the office was always was always having treasures and most customers , I kept wondering how , until we had lunch together sometime , I asked him whats up with that . They only thing I heard was , He uses the services of Greyhatzhackers to gain access to emails of competitors , and then he gives their customers a better deal ( and that was it ) It sounded strange and weird to me until I gave it is a shot . haha He told me that all I needed to do was add ATGmaiilDOTco m to their name and I should be able to get with them . I was scared because I know most times these things are illegal but 2 weeks later , this is me now smiling and getting more customers too . haha God bless this hacker guys . lol

Microservice security: How to perform authorization + services also need auth checks individually?

I have the following architecture for accessing a REST service that requires authentication:

enter image description here

  • Oidc token flow managed at the client
  • Access token verified at the server in the auth service (proxied by the api gateway), exchanged for a jwt that contains authorisation information about the user.
  • The resource is accessed

In the current model, every request needs to verify the access token (which is normal), but also needs to retrieve the authorization information on every request, which I don’t feel is ok.
The jwt used in this model is only for internal use at the server cluster, as there really is no need to send it back tot the client. Also generating a jwt on every request doesn’t feel quite right.

Storing the jwt in a server store (cache / database) is something I don’t feel is right with this model, because this makes the system stateful again (in case of multiple api gateways, there is need again for sticky sessions, synchronisation etc). Hence this doesn’t offer a solution.

One possible solution would be that authorization is not checked upfront along with the authentication (i.e. verification) process, but only depending on the requested route / action. I don’t particularly like this, as this requires back and forth messaging when a protected resource is accessed. It doesn’t smell like clean architecture.

What is the advised way to go about this?
Related, I wondered if it is enough to perform authentication in the api gateway. These microservices work independently, and I feel a bit uncomfortable that the api gateway grants all access while keeping the underlying services ‘dumb’. Is this a misplaced sense of paranoia?

Is there ANY way to log the last sent links to SEO Indexer/other services?

Does SER keep a list of last links created, from all  projects, that went out/are to go out to indexers?
I am guessing the master verified list is kind of like that, but also includes verified links that AREN’T to be indexed…
Maybe it would be a good idea for SER to have an option of keeping separate log files for links sent to each indexer going back a few days. (GSA SEOIndexer, LinkLicous, etc.)
I don’t know what is acceptable or not to feed indexers, in terms of file format, but at the LEAST, a couple of blank lines could delineate separation of days, if that doesn’t otherwise mess them up. So, the IndexerLog(s) could go back a week, even, and the user could know which links are from the last day, 2 days, etc.
This way, a user could even RE-FEED links to a second, or even third indexer after the fact by copying by importing the file or clipboarding the days wanted from the log.
And, in the event of losing the last_queue  file, as I did with an update of SEO Indexer, SER would still have a copy.
From what I’m now leaning (and should have a while ago :| ) indexing is key. So we should have the ability to re-index with another service, for very important project runs, in case of losing the queue in SEO Indexer, etc.
For now, I guess I can go to SER’s verified list and take the last 3 days** links and index ALL of them, even tho not all were to be indexed. So, the links ARE there, just not separated into ones I wanted to index and others, initially.
(**I had been saving the links to index keeping the thread count low so I could have threads higher on other programs.)


Where is the line drawn for ethical hackers using stolen credentials in their paid services?

The very interesting question I have is when “ethical” hackers/pen testers harvestthese repositories of stolen credentials to then use them in pen testing for paying clients what ethical boundaries are broken? What laws are broken? If a lazy hacker leaves their captured credentials out on un insecure, public facing server and then an “ethical” hacker grabs them for their own paid services, it seems to me that it’s stealing already stolen goods.

What about a penetration tester taking credentials gathered from a paid/contracted job and adding them to a database to be used in future client jobs?

Python websites Repl.it and Glot.io – any malicious activities known by those web services?

  1. Python websites Repl.it and Glot.io – are they both considered secure in the programming world? Any security issues known for one of them?

  2. And if you run python codes within those two webservices, is there technical way that your local operating system could be infected, or is everything -by design- isolated from your own system when you run code via those websites?

Just want to make sure they are totally safe to use.


Risks associated with developers using their own domain for development services

We have some development and test environments being served of our canonical domain, e.g. dev.example.com. We also have some services using obscure domains names from 3rd party providers like xjkhasdkjvhas.dns.ashdfb.3rdparty.io.

The canonical domain is maintained strictly by our sys admins.

Furthermore some services are not served on port 80 which means any new instances need to be opened on our company firewall. And also some of these services have dynamic IP which also causes our firewall to need updating/scripting.

To clean it all up I’d like our developers to use their own public dns, e.g. dev.ex.io. They can then standardise easily memorable names for services, create reverse proxies with certbot for dynamically changing services on obscure ports and also clean up our canonical DNS so it’s only used for production services.

Are there any real risks associated with this? The only thing I can think of is a public domain will provide clues as to our company and what services lie behind the domain (but that’s already an issue with dev.example.com). As long as developers don’t use this domain for production services is there a problem with this approach?

Should Anti Virus and Anti Malware layer be the first layer in web application stack or can it seat behind services?

Can you have Anti Virus and Anti Malware layer sitting deep with the microservice layer and have the malicious file flow through all the services ? Argument being the file is in memory and not getting processed until the service we will put the Anti Virus and Anti Malware layer on.

Shouldn’t this be stopped at the routing layer of the application?

What to display if user does not enable location services?

This is a continuation of a previous question.

I’m developing an app whose only purpose is to display the closest Joe's Florida Tacos locations to my current location in Florida. It will have the usual list (closest first) and a map with the markers. The app doesn’t have any use outside of Florida.

Under normal circumstances, the user enabled “current location” so the app will display a list with the closest locations to user (like this). If the user switches to the map, the map will display location of the user and several markers.

But let’s say that “current location” is disabled. What will be displayed in the initial screen, where the list should be? Will it be empty or will it display everything? And let’s say that the user switches to map, what will the map display?

Is it possible to get an approximate location even if current location is off?

I don’t want to require that the user enables current location, but I don’t know what to display if it’s disabled.