|
Calculate a hash-key and store it in another table with a reference to your original table. If anyone modifies the data, it'll result in a different hash-key than the one that you stored.
Bastard Programmer from Hell
|
|
|
|
|
Hi Eddy, thanks a lot for that response, and I am glad to say you and I have a same understanding on that Issue.
From my previous thought, I think I can at least add a column in the data table, and record the hash key in this column, whereas you mean we can record the hash key in another table.
I think your idea is a little better than me, since if someone delete one row from data table the correlation will be broken for the foreign key doesn't match.
I want to know if tamper man change the data and meanwhile he/she change the hash key, how can we prove the data was not changed.
|
|
|
|
|
songbo07 wrote: I want to know if tamper man change the data and meanwhile he/she change the
hash key, how can we prove the data was not changed.
If the hacker can generate a new hash, you're toast. If the tamper-man has the seal of King Midas - he'll be King Midas.
It's the same as logging who's accesssing your Linux-machine - if a hacker gains root-access, they can change the logs as they like and the logs become useless. Hence the suggestion to store it somewhere else (with limited access).
songbo07 wrote: From my previous thought, I think I can at least add a column in the data table,
and record the hash key in this column, whereas you mean we can record the hash
key in another table. I think your idea is a little better than me,
since if someone delete one row from data table the correlation will be broken
for the foreign key doesn't match.
Not only that; if a hacker sees a column with something that resembles a hash, he/she will focus on that column. If you got .NET code that's not obfuscated, then it might become very easy to break it.
Another layer of security could be added by adding auditing[^], but this requires a licensed version of Sql Server 2008 (not available for Sql Express, but you could leave a trace running there). Additionally, you can have the logs being written to an encrypted drive as suggested by Microsoft.
..and no, there is no fool-proof lock. The idea is to make it as hard as possible, just as you lock the doors around your house. Ask the bank, even their vault is vulnerable to attack in certain (yet hard to create) circumstances.
Bastard Programmer from Hell
|
|
|
|
|
He wants to PREVENT from people modifying the data. Not to KNOW if someone modified it.
Plus, if someone can modify the data, she can also calculate the hash and modify it too. And then you wont even KNOW!
My answer is, use asymmetric encryption. Encrypt data with banks public key. And only the bank can retrieve the data then.
|
|
|
|
|
krumia wrote: He wants to PREVENT from people modifying the data. Not to KNOW if someone modified it
Hmz, might have missed that bit.
krumia wrote: Plus, if someone can modify the data, she can also calculate the hash and modify it too. And then you wont even KNOW!
With the salt in another location, I would now.
krumia wrote: My answer is, use asymmetric encryption. Encrypt data with banks public key. And only the bank can retrieve the data then.
Bastard Programmer from Hell
|
|
|
|
|
Quote: With the salt in another location, I would now.
|
|
|
|
|
songbo07 wrote: designing a system which will store some data in local PC(ATM machine).
songbo07 wrote: know that a third party CA organization would be involved to add proof to my application, but it is not allowed by my customer.
What I see there is a contradiction. How is the bank going to verify that what you wrote does what it says it does?
Not to mention that if an ATM requires PCI compliance, which is probably something that will happen in the near future, it would require a PCI audit.
|
|
|
|
|
This is indeed a contradiction.
When customer came to Bank and claims he/she got a fake money from ATM machine. bank need a proof to prove whether or not this money was dispensed by their ATM or not. Obviously, Bank will always announce the security of their ATM and won't like to pay for the cost of fake money.
If bank and their customer can not get an agreement on that, there is probably a court case to deal with it. The court will ask bank to give our a proof to prove the money was not dispensed from their ATM.
So bank want ATM vender to record transaction information on ATM for at least 30 days, if there is any case like we mentioned happened, ATM should provide this type of information including serial number of each money. it is quite easy to get and record these required information on ATM, but who can prove no one changed in after it is record on hard disk.
Bank ask us do it, we have to do it, because "Customers are always right". this transfer the responsibility of proof from Bank to ATM vender(my company), meanwhile the trouble and risk was changed to us.
Now, without 3rd party certification organization, I think we need to hold a hash function in same assembly and generate runtime key with this function, then encrypt sensitive data with the generated key.
I don't know if this method have the legal validity, all in all, I think I have to do it for time urgency.
And I believe other venders will have the same problem. we can do it first and see what need to do to solve this problem.
|
|
|
|
|
|
I want to design and implement an arquictecture for manage alert in real time for geofencing information. The system must trigger an alert (email/sms) when a vehicle arrive or aprouch in an pre definined route.
My actual system is based in Java (server), php, google map, OpenLayers and Postgis database.
I have no experience in this area, I would appreciate any kind of help, either in reference bibliografica, sites or ideas.
|
|
|
|
|
Outside of your normal n-tier approach there is not so much different going on.
email
for email you can always write it to use smtp. This implies you have an smtp server. (IIS eg is already capable of doing this, so I guess a java equivalent can also)
An smtp mail is pretty straightforward, to, cc, bcc, from, subject, mailbody and attachments depending on what you need and I'm pretty sure Java has objects available.
Sms.
To send an sms you'll need an application that can do this and provides a component that you can use. I say application, because that will have to go through a phone central or something similar. The best thing you can do is check with the provider, who knows they have a webservice that you can use. Once you have that, it's basically the same as an email: phonenumber sender, phonenumber receiver, smstext.
shelltton wrote: when a vehicle arrive or aprouch in an pre definined route
This will be the hard part depending on your needs. If it is a real route they're following you'd somehow need to match the 'triggering' route with the real followed route. Can't help you here.
If the 'route' corresponds to an area and you need to trigger if an object entered that area this might be simpler, unless the area is polygon (polygons can be pretty complex), in that case you need a special algorithm that divides the polygon in seperate regular polygons (square, triangle, ...). If the area is a circle or a square or something like that you just need to check if the XY coordinate of the object is within the regular square/triangle/circle/... If you can go for a square or circle.
Triggering
Normally you can subscribe to a callback of the object that provides the coordinates of the moving vehicle (GPS?). In that callback you need to check whether it is within the boundaries of the area or is on the triggering route for an email/sms and send.
I realize that this not a complete answer to what you probably want, but I hope it might give you enough information to start. if you have more detailed questions, shoot, I'm no wizard, but I can try to answer
V.
|
|
|
|
|
I wonder how you can mention real-time and e-mail in one thread. All an email system does is try and deliver your message at some undefined point in time, there is no guarantee whatsoever as to success nor speed. Messages that typically arrive in under one minute may as well take hours to arrive, or get lost permanently.
I'm not sure, however I guess the same holds true for SMS.
|
|
|
|
|
Is this a real (business) system?
Then I doubt anyone cares if it gets to a location on time. What they care about is when they don't get there on time.
And humans are not "real time" and email/sms isn't either.
If you are using a GPS then it sends location information every X interval.
You have a map (on a server) tied to GPS id which locates itself on the map and which receives the GPS info.
If the analysis finds a problem (or maybe a ontime for a student app) then it sends a notification.
The notification api (its own layer not part of the above) determines who to send the notification to and how to send it.
For a real business system it probably needs throttling as well. That way the COO doesn't get 1000 pings an hour when the city has a snow storm.
|
|
|
|
|
sexy girlï¼video for adult ï¼ more than 30 videos,just for make money from sharecash.org while you download the files.http://sharecash.org/download.php?file=2531204
|
|
|
|
|
sexy girlï¼video for adult ï¼ more than 30 videos,just for make money from sharecash.org while you download the files.http://sharecash.org/download.php?file=2531204
|
|
|
|
|
Hello,
I got a requirement from the admin group of a public website that they need to get a report everyday. The reports can be created wth an operation in the site and at the end of the day admin should be able to access the data. I am exploring the possibilities of exposing an ftp path location without compromising the security.
Any suggestions on this?Basically, I want to know is it risky to do this in this way and should i suggest some alternate solution.
Regards,
Jith
|
|
|
|
|
Presumably you have a web site rather than a ftp server. And you are going to support a ftp protocol on the web site.
As such the web site is what provides the authentication/authorization.
|
|
|
|
|
I assumed you meant this:
* Admin clicks 'generate report' button
* System writes file into 'reports' folder
* Admin uses FTP to access the 'reports' folder to access a report
If so, you can make this work well: FTP is done independently of HTTP, so you can make an entire FTP address that can ONLY access the reports folder, depending on how you configure your server.
You can also make the reports read-only to the FTP user etc. If you really wanted, you could just point the FTP access to the root of the site, and deny access to everything except the reports folder, as you see fit.
If you manage your permissions correctly, there is absolutely no risk involved.
Don't forget to rate my post if it helped!
"He has no enemies, but is intensely disliked by his friends."
"His mother should have thrown him away, and kept the stork."
"There's nothing wrong with you that reincarnation won't cure."
"He loves nature, in spite of what it did to him."
|
|
|
|
|
sexy girlï¼video for adult ï¼ more than 30 videos,just for make money from sharecash.org while you download the files.http://sharecash.org/download.php?file=2531204
|
|
|
|
|
I've done very little formal diagramming, so I'm wondering what the standards are these days. I'm particularly talking about program structure, class structure and database structure, but I'd love to hear about any others you use too.
For reference, the only diagramming I've done was back in high school IPT: Nassi Schneiderman Diagrams (Structograms)[^] and Conceptual Schema diagrams[^].
Don't forget to rate my post if it helped!
"He has no enemies, but is intensely disliked by his friends."
"His mother should have thrown him away, and kept the stork."
"There's nothing wrong with you that reincarnation won't cure."
"He loves nature, in spite of what it did to him."
|
|
|
|
|
Never heard of those.
UML, Unified Modeling Language, is basically the standard for most of that.
|
|
|
|
|
Those diagramming standards are probably 20 years old? Older perhaps?
Don't forget to rate my post if it helped!
"He has no enemies, but is intensely disliked by his friends."
"His mother should have thrown him away, and kept the stork."
"There's nothing wrong with you that reincarnation won't cure."
"He loves nature, in spite of what it did to him."
|
|
|
|
|
UML has evolved since it was first defined. It is a very powerful tool.
Panic, Chaos, Destruction. My work here is done.
Drink. Get drunk. Fall over - P O'H
OK, I will win to day or my name isn't Ethel Crudacre! - DD Ethel Crudacre
I cannot live by bread alone. Bacon and ketchup are needed as well. - Trollslayer
Have a bit more patience with newbies. Of course some of them act dumb - they're often *students*, for heaven's sake - Terry Pratchett
|
|
|
|
|
As mentioned before, UML is the standard for software design and architecture. SysML is a bit more general and not restricted to software lifecycle management. These are being standardized by the OMG (object management group, not 'oh my god ).
UML and SysML are in fact a whole bundle of diagram types and elements, some of which may even look familiar to what you know. However, using them correctly isn't exactly easy, and a constant source of discussion even between experts. If you wish to properly learn to use them, the best way is probably to visit a course: being able to discuss ambiguous areas with real persons is invaluable!
Personally I mostly stick to class diagrams, because the UML tool I have can directly generate code from them and even synchronize changes in the code with the model. I also occasionally use sequence diagrams to describe the workflow of a particular function or algorithm that involves several objects. I've also found state machines or state diagrams helpful when modeling embedded software components. if you're involved in the early phase of project lifecycles you might also want to look at Use Case diagrams or Requirement diagrams. The latter are rather new and actually part of SysML, not UML, but can be used in conjunction with Use Case diagrams nonetheless.
Personally I do not know of any good online source that would be good for a beginner to learn UML. I've learned it in a course about the Unified Process (back then it was the Rational Unified Process, but it's now open source), which uses all of these diagrams. Maybe there's some useful info around in that area.
I suggest you look up these keywords on wikipedia or elsewhere:
UML, SysML, class diagram, sequence diagram, state machine or state diagram, Use Case diagram, Requirements diagram, Unified Process.
|
|
|
|
|
Thank you very much. I suppose I'll just have my own little home-brewed flowcharts until I need something on that scale. I suspect I'll learn about that in university though.
Thanks for taking the time to write such a detailed and practical reply!
Don't forget to rate my post if it helped!
"He has no enemies, but is intensely disliked by his friends."
"His mother should have thrown him away, and kept the stork."
"There's nothing wrong with you that reincarnation won't cure."
"He loves nature, in spite of what it did to him."
|
|
|
|
|