amazon web services – Is there a way to dynamically update a security group from networks in a route table?

I'm a bit surprised that there is no closer integration between these two services (maybe there is one and I just missed it).

I have a route table with routes to different networks, and I have also configured it to receive routes from a VPN over BGP. It's all dynamic.

Now I have an EC2 instance on a subnet that uses this route table.

Is there a possibility / function for a security group that automatically allows incoming access from all destination routes in a route table? The route table is updated dynamically by BGP. It would be nice to have a SG that tracks this for me so that new routes are automatically allowed.

Ports – Is it a security risk to host a CS:GO server on my PC?

The greatest risk is probably a 0-day or simply an unpatched vulnerability in the CS:GO server software.

You are rather helpless against a 0-day. You can give the user who runs the CS:GO process as few privileges as possible. If your server is compromised, the attacker can only act with this user's permissions, unless he also exploits a local privilege escalation. Being the victim of such a 0-day is not very likely, but it is always a residual risk when a service is exposed to the Internet.

In order not to be endangered by an unpatched vulnerability, patch your CS:GO server regularly. Find out where users are notified of new patches and vulnerabilities and monitor these sources. If you cannot patch immediately, shut down the server until you can patch it.

If you don't offer the server around the clock and mostly play yourself, shut down the server when it is not needed. Reducing the attack surface also means reducing the time that the service is available.

Security – CSS was ignored due to a MIME type mismatch

I'm working on a client-side web part with JavaScript and CSS for customization.

I have added custom CSS and JS to the page and am getting the following message on the browser console, i.e.

CSS was ignored due to mime type mismatch

I checked the paths of the CSS files and they are all correct. I searched for the same problem on the internet and tried the following approaches, but none of them worked.

  • Installed the core update in SharePoint, which is available here.

  • Installed the language update package available here

  • Checked whether the Static Content feature is installed on the machine

  • The MIME type is available in IIS

  • Checked the registration for the CSS and the correct file type was specified, i.e. text/css.

The solutions above did not work.

The interesting part is: when I load the same CSS from the SharePoint hive (15), it loads properly.

Can someone please help me solve the problem?

Environment: SP2019 on Windows Server 2019 Standard

TIA.

Linux – Are security checks performed by independent agencies for open source software such as Ubuntu or Mozilla Firefox?

Any deliberate malware injected into open source software by the same people who develop it may become known because the source code is open to the public. However, if the code base is large, ordinary people do not have the time and resources to go through it, and so it is possible that such malware goes undetected for a long time. It is therefore important to have independent agencies that regularly check changes to the software. Are there such agencies, and are they reliable?

Security – can I see my direct peer's address?

Can I see the Bitcoin address (pkh) of my directly connected peers?

I ask this question because, if I can, I can deanonymize my peers based on their IP addresses (from the TCP header), right? If so, isn't that a security vulnerability, since a node can be set up and connected to as many nodes as possible? One could then build a mapping from IP addresses to Bitcoin addresses and thus deanonymize most users who don't use a proxy service like Tor.

Thank you all

Possible security problem with the custom taxonomy search function

I would like to add some features to a client's WordPress site that allow taxonomy terms from custom post types to be included in the WordPress search, and came across the following answer:

Include a custom taxonomy term in the search

This solution works, but in the comments one user mentioned that "it is probably not a good idea to insert the raw publicly available search string directly into an SQL query" and added a link for further reading. I can't see anything in this link that relates to the details of the answer.

For quick reference, the code from the answer is below. Would this code be a security risk? If so, what would the solution look like so that you still have the functionality to include taxonomy terms in the WP search without the security risk?

Many thanks

// search all taxonomies, based on: http://projects.jesseheap.com/all-projects/wordpress-plugin-tag-search-in-wordpress-23

// appends a term-name match to the WHERE clause of a search query
function atom_search_where($where){
    global $wpdb;
    if (is_search())
        $where .= "OR (t.name LIKE '%".get_search_query()."%' AND {$wpdb->posts}.post_status = 'publish')";
    return $where;
}

// joins posts -> term_relationships -> term_taxonomy -> terms so t.name is available
function atom_search_join($join){
    global $wpdb;
    if (is_search())
        $join .= "LEFT JOIN {$wpdb->term_relationships} tr ON {$wpdb->posts}.ID = tr.object_id INNER JOIN {$wpdb->term_taxonomy} tt ON tt.term_taxonomy_id=tr.term_taxonomy_id INNER JOIN {$wpdb->terms} t ON t.term_id = tt.term_id";
    return $join;
}

function atom_search_groupby($groupby){
    global $wpdb;

    // we need to group on post ID
    $groupby_id = "{$wpdb->posts}.ID";
    if(!is_search() || strpos($groupby, $groupby_id) !== false) return $groupby;

    // groupby was empty, use ours
    if(!strlen(trim($groupby))) return $groupby_id;

    // wasn't empty, append ours
    return $groupby.", ".$groupby_id;
}

add_filter('posts_where','atom_search_where');
add_filter('posts_join', 'atom_search_join');
add_filter('posts_groupby', 'atom_search_groupby');
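As an added example (not the linked answer's code), the same where filter with the user-controlled search string bound through `$wpdb->prepare()` and its LIKE wildcards escaped with `$wpdb->esc_like()`; the join and groupby functions above carry no user input and can stay as they are.

```php
<?php
// Added example: drop-in replacement for atom_search_where() from the question.
// The search string never reaches the SQL text unquoted, and the user cannot
// inject % or _ to widen the LIKE pattern.
function atom_search_where_safe( $where ) {
    global $wpdb;
    if ( ! is_search() ) {
        return $where;
    }

    // get_search_query( false ) returns the raw (not HTML-escaped) search term;
    // esc_like() neutralises LIKE wildcards, prepare() quotes and escapes the value.
    $like = '%' . $wpdb->esc_like( get_search_query( false ) ) . '%';

    $where .= $wpdb->prepare(
        " OR (t.name LIKE %s AND {$wpdb->posts}.post_status = 'publish')",
        $like
    );
    return $where;
}

// register the hardened filter instead of the original one
add_filter( 'posts_where', 'atom_search_where_safe' );
```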

C# – API Layer ClientId and security style

I got to the point where I designed my API security and used a custom attribute. I don't want to use third party systems because they cost money.

I wanted to use the client ID and secret ID approach and wondered whether this is a secure way to do it. I talk to my API via a database layer.

The first thing that is called is this bit of code, which looks up the pair in the database and is in turn called by the controller:

public bool FindKeysByClientIdByApiKey(Guid apiKey, Guid clientId)
{
    // Dapper query: true if an active, non-deleted row matches both the client id and the api key
    using (var connection = new SqlConnection(constr))
    {
        return connection.Query($"SELECT * FROM {schemaDefination}.[ApiKeys] WHERE ClientId = @ClientId AND ApiKey = @ApiKey AND isActive = 1 AND isDeleted != 1",
            new { ApiKey = apiKey, ClientId = clientId }).Any();
    }
}

Controller code

public class ApiKeysController : ControllerBase
{
    DBContext db = new DBContext();

    [HttpGet]
    public int Get(Guid ApiKey, Guid ClientId)
    {
        // reject unless the client id / api key pair exists and is active
        if (!db.FindKeysByClientIdByApiKey(ApiKey, ClientId))
        {
            return StatusCodes.Status401Unauthorized;
        }
        else
        {
            return StatusCodes.Status200OK;
        }
    }
}

To enable or disable this at will, I created a custom attribute with the following method:

public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
    // before: both headers must be present, otherwise the request is rejected
    if (!context.HttpContext.Request.Headers.TryGetValue(ApiKeyHeaderName, out var potentialApiKey))
    {
        context.Result = new UnauthorizedResult();
        return;
    }

    if (!context.HttpContext.Request.Headers.TryGetValue(ClientId, out var potentialClientId))
    {
        context.Result = new UnauthorizedResult();
        return;
    }

    // var getConfigurationResult = ... (the lookup is elided in the question)

    await next();
    // after
}

This should mean that I can just put an attribute on my controller if that method is fine. I'm assuming that this method also allows me to decorate my GETs and PUTs to make sure they're authorized, which is what I should return in ApiControllers so that I can make it more general.

(API key)

Java – how do i fix an Android security error (startActivity)?

I am trying to open my app through a terminal emulator on my Android device, but the following error keeps appearing:

java.lang.SecurityException: Permission Denial: startActivity asks to run as user -2 but is calling from user 0; this requires android.permission.INTERACT_ACROSS_USERS_FULL

Here is the code I entered in the terminal emulator that led to the error: am start -n com.segway.robot.locomotionsample/com.segway.robot.locomotionsample/MainActivity

I was able to open the app from the command line on my development computer with:
adb shell am start -n com.segway.robot.locomotionsample/com.segway.robot.locomotionsample.MainActivity, but for some reason I get the above-mentioned user error when I try to run it through the terminal emulator on my Android device. Any help would be appreciated!

Security – API authorization for first-party apps and third-party apps

I have a few microservices that I want to combine in the form of an API. The main purpose of the API is to be used by our (first-party) mobile app. Incidentally, we do not currently have a mobile app or web app, and we want the backend to be completely decoupled from the front end. But I can see that some third parties will soon need access to the same API. I designed the API with a base endpoint for all types of resources. My question is about the authorization flow between the API and the client.

I tend towards OAuth 2.0: the password flow for our own app (first-party) and the authorization code flow, or the authorization code flow with PKCE, depending on the type of third-party client. Is this a secure way to solve it? How is it usually done?

The process would be something like this for a third-party developer: you log in with our mobile app, create an app (client ID and secret) and can then use it for authorization. This leads me to another question:

1) Would it be safe to expose the registration and create-app endpoints to third parties? Or should only our app be able to create apps and register new users?

Security – are DAG-based cryptocurrencies as secure as proof-of-work-based blockchains?

It is interesting that so many believe that the original Bitcoin approach is the only way to achieve Byzantine fault tolerance. It is not.
Explaining why PoW mining is safer than other methods boils down to mathematics being the most trustworthy element. This is also the case with Byteball (now called Obyte). The Obyte white paper explains that PoW mining is considered a loss of network value to energy suppliers etc.
The Obyte consensus protocol follows a deterministic set of rules. The role of the witnesses is only to order the units in a fair FIFO manner. Remember that an unlimited number of units can be created in a DAG at the same time; the fair order is determined by the witnesses, who post their sighting of a unit as soon as it arrives, and not by the amount of the fee paid to prioritise it, as is the case with BTC. Witnesses have no other powers and should not be compared to Bitcoin miners. They are trusted to act rationally to protect their own reputation in the real world. Full nodes are anonymous nodes that run the consensus protocol to validate and store the units. The consensus protocol they run is deterministic (while Bitcoin's is probabilistic). Once a unit has been confirmed stable in Obyte, it is final. It is not merely extremely unlikely that it will become invalid, as is the case with Bitcoin after x confirmations; in Obyte it is 100% impossible.
The Obyte network is designed so that the number of witnesses is limited only by the number of full nodes in the network. However, only twelve are required per transaction.
Anyone can set up a witness node with relatively little hardware, etc. The Bittrex witness node at QR542JXX7VJ5UJOZDKHTJCXAYWOATID2 is used by anyone who trusts that it will handle transactions honestly and reliably as it sees them. They use it, but maybe others don't. Bittrex has a strong logical incentive to keep an honest, reliable witness, and Bittrex partners, customers, etc. who deal in Obyte Bytes with them expect Bittrex to protect its brand. If it failed, however, it would only mean that other nodes would "vote" against it by not using it as a witness. A transaction only needs seven out of twelve witnesses to confirm having seen the unit. It would take seven witnesses (of a particular transaction) to fail at the same time for a unit to get stuck in an unstable state or to be sequenced in an unfair order. The likelihood of this is considered extremely low, especially in a mature network.
The white paper explains this in detail.