This may look a bit strange, but I could not find any reference online regarding the first in history multi-factor authentication.
I know FFIEC has published a requirement for ebanking systems in 2005, but with could not find what systems existed at that time or before that.
RFC for HOTP (which is now a de-facto standard for 2FA) is dated 2005.
As of right now, the oldest two-factor system I can find is mOTP, its news section has dates in 2003.
Does anyone has more reliable info on this?
Thanks in advance
The Wikipedia article on Two-factor authentication begins with referring to a 1984 US4720860 patent for a "Method and apparatus for positively identifying an individual".
Related
I operate a private (login required) Wordpress site for a client who recently had an employee move to the UK.
Their ISP there, Virgin Media, is blocking the website. I realize the employee could simply edit their Virgin Media user settings as suggested in the screenshot below, but is there anything I can do as the administrator/developer to whitelist the site?
Edit: I should add that i've done the preliminary check on google and looked for documentation for developers on Virgin's site, but couldn't find a thing.
I have checked the site with Google's Safe Browsing checker and Qualys' SSL Labs and both came out clean.
What the employee sees:
You may want to start by seeing what your site report looks like using a tool like Blocked.org.uk, which will give you a rough idea on if it's a single ISP in the UK that's filtering your site, or the entire gamut. For a single one, you may be able to get an exemption. If your site is blocked by a majority of ISPs, it may be that there is a court order or similar compelling UK ISPs to filter your site for one reason or another (unlikely, but possible).
Next, Virgin's FAQs state you can try to get in touch with someone knowledgable on the subject by posting in their Help forum; search "whitelist" for a few samples of folks with similar issues to yours to get an idea on how to get a helpful response.
Finally, you may have to acknowledge an uphill battle in answering the "why" - it's a fact that these companies make money (directly or otherwise) by providing a service in which they use some form of proprietary data collection and/or heuristic analysis to determine what should be filtered versus what should be allowed to be passed through. Revealing the "secret sauce" of this filtering to answer your "why" is probably not at all beneficial to them in any way. As such you may find the effort of chasing this answer down quite futile (speaking anecdotally from my own experience with similar issues: it is).
can we trace the user geographical location in asp.net ,
I know we can get the user IP address or ServerVariables("REMOTE_ADDR")
but my need is to check the visitors by city name so can my client use this data for his business
As I said in my comment:
I am not .net guy, I am actually a PHP dev but this is quite universal
across board. Yes, you can get A country and A city, but as to whether
it is your users COUNTRY and CITY....well it is unlikely to be your
users city since most ISPs do not hold their exchanges in the same
city as the user...but you have a good chance with country.
But I thought I would elaborate a bit.
The country, especially if they are like me and using an encrypted proxy, won't be of any help to you, however services like cloudflare will give you the users IP country in HTTP headers, and it's free. Better than spending £200 a month on getting nothing but false positives from dedicated services.
A similar question was asked on asp.net forum and it was answered using a good example.
Reference : Link
How do you expect to do that? My IP is assigned by an ISP located 300
miles from me. My web host is in North Carolina, a 16 hour drive
away. My cellular link in my notebook has an IP issued from New
Jersey. It's been two decades since the last time I was in New
Jersey. 1: http://forums.asp.net/post/3072924.aspx
I am probably really late answering this, but I recently worked on this project because I needed it myself. so maybe it might help someone out there.
http://iplookup.tk/service/iplookup/{YOUR IP ADDRESS}
NB: depending on the content-type of your request the result can either be in Json or XML. by default its xml
In Blackberry application I want to check what type of network connection is being used on particular phone, whether it is BES/MDS,BIS-B or Direct Tcp.
Is there any way to find out this?
Many applications like Jive,Opera and many more are doing this kind of check.
Please help.
The question is quite logical and I do agree with Richard as well. Though a better answer lies in the fact that there can be a logic developed which would involve Service Book parsing and making use of system listeners to check the current coverage status.
I had attempted to make one such logic once in my project which worked for me. I had shared my findings and understanding about the concept in more detail at my blog post. May be you would like to check once.
You can find my blog post here.
Your question springs from an incorrect assumption. A Blackberry could be communicating over any or all of those channels simultaneously. In fact any application may as well. At any particular time you can determine if coverage is sufficient for one of those channels, or register a listener for notification of changing status using net.rim.device.api.system.CoverageInfo.
Very simple question, is there any cloud server enviroments avaliable these days for us .NET guys that rivals Amazons ec2?
EDIT:
PDC 2008 looks like there are some very interesting info, and only 4 days 2 hours to wait :-). Looks like I need to get saving fast for the conference fee though.
Hold your breath for PDC 2008 and you'll see. Also Amazon's EC2 service support for Windows images is in Beta. AWS Windows Support Blog Post
Oct 23 Update : AWS Windows Support Released To Production (details here)
Oct 27th Update : So you held your breath and saw the Reddog folk become "Windows Azure" cloud services and Sitka - SQL Server Data Services. Lots of activity to read and learn at MSDN, MS PDC site, Channel 9 etc. Have fun!
I use Mosso, a subsidiary of Rackspace. I've been pleased with them.
You can run PHP, Perl, .NET, and RoR on their system. MySQL as well as SQL Server.
http://www.mosso.com
Check out Sql Server Data Services and make sure to tune in to PDC 2008 next week.
It's not public yet but EasyDb is very .net-focused, it wraps your tables into an ASMX web service. There was a dnrtv episode on it, http://www.dnrtv.com/default.aspx?showNum=121
We took Mosso for a trial run earlier this year, and it was disastrous. On a number of criteria - uptime, customer service, flexibility - we would have been better off a $6/month shared hosting account. And they changed their pricing model midstream from a per-request model to a per-"compute cycle" model, the "compute cycle" being a mysterious proprietary metric that's impossible to optimize for because you don't know how it's calculated - the end result being that you could suddenly find yourself on the hook for thousands of dollars in charges for no good reason.
This is a shameless information gathering exercise for my own book.
One of the talks I give in the community is an introduction to web site vulnerabilities. Usually during the talk I can see at least two members of the audience go very pale; and this is basic stuff, Cross Site Scripting, SQL Injection, Information Leakage, Cross Site Form Requests and so on.
So, if you can think back to being one, as a beginning web developer (be it ASP.NET or not) what do you feel would be useful information about web security and how to develop securely? I will already be covering the OWASP Top Ten
(And yes this means stackoverflow will be in the acknowledgements list if someone comes up with something I haven't thought of yet!)
It's all done now, and published, thank you all for your responses
First, I would point out the insecurities of the web in a way that makes them accesible to people for whom developing with security in mind may (unfortunately) be a new concept. For example, show them how to intercept an HTTP header and implement an XSS attack. The reason you want to show them the attacks is so they themselves have a better idea of what they're defending against. Talking about security beyond that is great, but without understanding the type of attack they're meant to thwart, it will be hard for them to accurately "test" their systems for security. Once they can test for security by trying to intercept messages, spoof headers, etc. then they at least know if whatever security they're trying to implement is working or not. You can teach them whatever methods you want for implementing that security with confidence, knowing if they get it wrong, they will actually know about it because it will fail the security tests you showed them to try.
Defensive programming as an archetypal topic which covers all the particular attacks, as most, if not all, of them are caused by not thinking defensively enough.
Make that subject the central column of the book . What would've served me well back then was knowing about techniques to never trust anything, not just one stop tips, like "do not allow SQL comments or special chars in your input".
Another interesting thing I'd love to have learned earlier is how to actually test for them.
I think all vulnerabilities are based off of programmers not thinking, either momentary lapses of judgement, or something they haven't thought of. One big vulnerability that was in an application that I was tasked to "fix up", was the fact that they had returned 0 (Zero) from the authentication method when the user that was logging in was an administrator. Because of the fact that the variable was initialized originally as 0, if any issues happened such as the database being down, which caused it to throw an exception. The variable would never be set to the proper "security code" and the user would then have admin access to the site. Absolutely horrible thought went into that process. So, that brings me to a major security concept; Never set the initial value of a variable representing a "security level" or anything of that sort, to something that represents total god control of the site. Better yet, use existing libraries out there that have gone through the fire of being used in massive amounts of production environments for a long period of time.
I would like to see how ASP.NET security is different from ASP Classic security.
Foxes
Good to hear that you will have the OWASP Top Ten. Why not also include coverage of the SANS/CWE Top 25 Programming mistakes.
How to make sure your security method is scalable with SQL Server. Especially how to avoid having SQL Server serialize requests from multiple users because they all connect with the same ID...
I always try to show the worst-case scenario on things that might go wrong. For instance on how a cross-site script injection can work as a black-box attack that even works on pages in the application that a hacker can’t access himself or how even an SQL injection can work as a black box and how a hacker can steal your sensitive business data, even when your website connects to your database with a normal non-privileged login account.