Alright so this is about a game, but more generally this can probably be done for all games, I just want to figure out how the application accomplishes it.
So it's for a game called League of Legends, huge game, has an executable file and a massive LoLClient where you can view all data specific to your account, you can queue for games etc.
Now what this app does (that I've come across) is it logs into the league client, grabs all info related to the character and logs out, but it does this without even displaying the client on the user's screen. How is this possible? Bear in mind it isn't using a server.
A broad question perhaps, but I'm sure there's a straightforward answer (app developed in C#).
Riot has a JSON API for devs to use and poll their servers for information they need to create websites and applications. It's not even touching the client; if it is, the dev of the app is either a little slow or scraping more than just 'champion information'.
In general if an application from an untrusted source is asking for login credentials, do some research and figure out why - after that use your best judgement. With that said, in most cases, if it is asking for such things and you didn't create any to use with that application itself, it's probably not a good idea.
If it is asking for authentication from a known good source (Twitter, FB, Google APIs, for e.g.) then make sure you check which permissions it's asking for before authorizing it to use your account. In some cases, it's just as good as giving them your username and password - the only difference being generally you can remove the authorization if weird behaviour starts up.
Riot's API
I've searched for solutions for this question everywhere. They all say it's not possible. I know MVC is hosted server-side so Process.Start will affect the server and not the client.
Is there anyway I can still configure the site or the client or the servers to open a desktopprogram or file on the client when the user clicks a button?
Thanks!
Well, out of the blue, it's rather hard for YOU to decide to run software on MY computer, right?
I mean, I might want to go view some cute cat pictures on your web site. However, while I am doing that, I doubt that security settings will THEN let you launch my banking application. Or how about you go rummage around on my computer, and grab files called passwords, or how about some files called banking information.
As you can see, the idea that since I decide to visit YOUR web site, you are NOW going to start launching and running software on my computer? If this was easy, or even possible, then no sane person would EVER use the internet, since then you could at will run software on my computer - such a possibility would make the internet oh so dangerous to use, and in fact so much so, that no one with a functional brain would ever risk using the internet again, would they?
So, as long as you are 100% clear that you are searching for a way to launch and run software on my computer - such as accounting systems, banking systems - and that I would be insane enough to adopt a browser setup in which YOU can run any old software on MY computer?
No problem at all - but you want to at least be trained from the school of abused farm animals as to what you are asking for here.
Note that you might be able to convince the users of that web site to eliminate or turn off any browser security, but then all of those users would indeed have a very vulnerable setup, and the resulting security issues would no doubt be deemed unacceptable to any IT department.
I'm about to release a small tool which uses a database connection for storing data. The question is: How can I prevent people reverse engineering my code and getting the Username and Password to gain access to the database?
For earlier projects (which were used only by myself), I defined the connection-string just as a global variable inside my app. But that's highly unsafe as it only takes minutes to get this string out of the exe.
Also a lot of methods to obfuscate code can be reversed.
I am really a big fan of providing code but I don't know what to post. This is more a question about the theory. Coding is the part I'll take care of myself.
Here is a small idea from me which I don't really like that much:
I could place a second tool on the server. The real app would connect to this second tool, hand over the data, and the second tool would finally connect to my database itself. This way the connection string would be stored inside the second app where nobody can grab it.
The fact of the matter is that storing sensitive information on the client machine leaves your database highly vulnerable to attack. A suggestion you can look into is a three-tier architecture model for your application (http://en.wikipedia.org/wiki/Multitier_architecture#Three-tier_architecture). In a three-tier architecture, you have your presentation layer (your application), your logic tier (this layer is the central pit stop for all your clients that need access to your database), and your database layer (the server where your database is). With this architecture, you can ensure all the data being stored and retrieved goes through a single source with a high level of security.
In the past (and still in the present), programmers would have to create their own socket servers or do advanced network programming to develop a solution like this; however, Microsoft has developed a tool called Windows Communication Foundation (WCF) which takes away the pain of coding your own socket server and lets you focus on developing your own implementation. Be warned though: WCF is secure by default, but that is no excuse not to research ways of making your product robust against hackers (like knowing what protocol you are going to use, what security measures you are going to use (Transport vs Message, etc.), encrypting data on the client side so potential viruses don't uncover sensitive information, etc.). In saying that, WCF is a highly polished service and it is really easy to get something up and running.
A good beginner video tutorial on WCF can be found here: https://www.youtube.com/playlist?list=PLhq7kqloVlM-bI9W_7iDZhObAeyrFt1y_
EDIT: The playlist for the videos is gone, but the videos themselves are still there. Just search through all his videos looking for the keyword 'WCF'.
Here's the link: https://www.youtube.com/user/JesseDietrichson/featured
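As an added illustration of the three-tier layout described in this answer (example code written for this page, not the answer author's or any project's own), here is a minimal WCF logic tier plus the client call. The service contract, the "NotesDb" connection-string name, the Notes table and the net.tcp address are all assumed for the example.

```csharp
using System.Configuration;
using System.Data.SqlClient;
using System.ServiceModel;
// Contract shared by the desktop app and the service: the client sees only these operations.
[ServiceContract]
public interface INoteService
{
    [OperationContract]
    int SaveNote(string text);
}
// Logic tier, hosted on the server. The connection string comes from the host's
// App.config (assumed name "NotesDb"), so it never ships inside the client executable.
public class NoteService : INoteService
{
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["NotesDb"].ConnectionString;
    public int SaveNote(string text)
    {
        // The client is untrusted: validate here, not in the desktop app.
        if (string.IsNullOrWhiteSpace(text) || text.Length > 1000)
            throw new FaultException("Invalid note.");
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO Notes (Body, CreatedBy) VALUES (@body, @user); " +
            "SELECT CAST(SCOPE_IDENTITY() AS int);", conn))
        {
            cmd.Parameters.AddWithValue("@body", text); // parameterised, never concatenated
            // Caller identity as authenticated by WCF (Windows auth is the NetTcpBinding
            // default), not a value the client chose to send.
            cmd.Parameters.AddWithValue("@user",
                ServiceSecurityContext.Current.WindowsIdentity.Name);
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
// Presentation tier: the desktop app needs only the service address, no DB credentials.
public static class NoteClient
{
    public static int SaveNote(string text)
    {
        var factory = new ChannelFactory<INoteService>(new NetTcpBinding(),
            new EndpointAddress("net.tcp://localhost:8733/notes"));
        INoteService proxy = factory.CreateChannel();
        try { return proxy.SaveNote(text); }
        finally { ((IClientChannel)proxy).Close(); factory.Close(); }
    }
}
```

Host NoteService with a ServiceHost (or IIS) on that net.tcp endpoint; anyone who decompiles the client binary finds a service address and a narrow contract, not a database login, and the service can apply its own per-caller authorization before touching the database.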
I recently launched my desktop application and it got cracked after a few days. I posted a question on Stack Overflow and people said that I cannot stop that. In the start of the software I cannot allow this to happen and I want a solution. So, the following is what I am thinking.
Currently, I have desktop application that communicates with the web server to verify the user. Once the user is verified it saves the values in Registry. The hacker has bypassed the communication code and added fake values in registry and he can use my software now.
Now, I am planning to take some of my code from the MAIN features of the software to a WEB SERVICE hosted somewhere else on a web server. Whenever the software needs to run that feature the software will make a call to the WEB SERVICE with the values in the REGISTRY. I will verify those values and return the results. But if the values do not match my database then I will reject the call.
So, my question is:
1- Do you think this solution is feasible?
2- According to my thinking, it will make the software useless to the hacker. What do you think?
3- Any flaws in this solution?
You don't have to get cracked. Jeez, everybody thinks there's no solutions available to prevent piracy, but there are. Disclaimer: I work for a company (Wibu Systems) that prevents software piracy and provides license management solutions.
Here's the thing: this (like all security issues) is a highly specialized area of focus and the crackers are smarter at this than you are. They are already familiar with the different home-grown solutions people roll themselves and can crack those quickly.
Commercial solutions (ours is CodeMeter; in all fairness other companies make good solutions too like SafeNet and KeyLoc) rely on strong encryption with multiple layers of protection against key discovery. These companies have spent years developing, improving, and testing their solutions; it's unlikely you will be able to come close to the robustness and quality of such a solution on your own. I can almost guarantee you that any solution you create on your own will get cracked very quickly, unless your product is uninteresting to the crackers.
I'm not trying to create an ad here; I just want to set the record straight. Companies that traditionally got cracked constantly who switched to CodeMeter stopped getting cracked. Check out Propellerhead's Record product for a good example.
Friends,
I know there are lots of similar topics, but I'm creating this thread to take expert suggestions/guidance regarding my project for a non-profit NGO website. I'm a volunteer for Rotary International and they need a utility which can be used to send their newsletter.
I'm not aware of the kind of email database they have, let's assume:
- An .xls file with three columns (to, cc, bcc), maybe 1000s of entries.
- No database is available in their hosting plans, and I can't make them spend now.
- Most probably an MS Word (.doc) file would be available with some heavy images as the newsletter.
- They have a Google Apps ID.
So what I'm seeking is: a way which is right, shortest, quick, and easy to understand.
A lot of code is available on the internet but the right way to do things comes only with experience. So please suggest what you would say about this.
Standalone/Desktop, or web based? A WinForm application, or ASP.NET?
A desktop application may hang/crash due to 1000s of mail requests to Google. A web application may force them to share their email database over FTP and then I will need to create another way to subscribe & unsubscribe online.
Please help me start...
Personally I'd use (and do use) an integrated mailing system such as MailChimp.
Why re-invent the wheel, right? Services like this allow for uploading data from many types of storage, they manage your subscriptions and provide an easy method for users to unsubscribe.
You've suggested in your comment on Jamie's answer that you're worried about there being "nobody to take care of it after development" - but who's going to take care of whatever code you write? At least a system like MailChimp has documentation and is understood by a small but accessible group of people: code you write will only be understood by you, and won't be maintainable or extensible.
As with any project, there is no "right." There are simply tradeoffs. You've talked about automation of thousands of emails, subscribing and unsubscribing, and basing the email on a Word document. That's a lot of functionality to ask for help with on a simple Q&A site.
You say "Desktop application may hang/crash" - but that's equally true of a web application, you just won't see the hang. The trick would be to code your application in a way that doesn't hang.
This may have already been asked before but I did not see it anywhere.
Essentially, what I'm looking to do is to have a small C# app (EDIT: or BHO) run and detect when IE (8 or higher) has been launched by a user. Once it has launched, it needs to just sit there until it notices that an authentication challenge popup has been presented from within IE. It would then hide the IE popup and present the user with a custom authentication popup. This new popup would then pass the entered credentials back to IE for authentication.
The app (or service) would cache the credentials and pass them to any further authentication popups received on a local Intranet. So, this is a sort of custom quasi single sign-on solution.
Before people start suggesting changing settings in IE or on the server(s), please know that this is not possible. The above explanation is exactly what we need to do. I don't like it either.
We currently have a small in-house utility written in C++ (not .NET) that handles this exact identical behavior very successfully, but the source code is no longer available for fixes/upgrades.
Anything would be helpful. Thanks all!
FYI - Just saw the first comment. No, this is not a type of malware, pwd spoofer, or similar. The employee gets a customized, company-logo'd credential pop-up to handle everything. The purpose of it is to handle multiple different types of authentications (some are custom) specific to the varying sites within our Intranet.
I finally found and decided upon a solution that is already working as a prototype (very limited prototype). There's still much work to be done, but at least there is light at the end of the tunnel. If I head a different route or receive better suggestions, I'll be sure to update this information. For those who might ever need something similar (doubtful), here's essentially what I'm doing.
Browser Helper Object
Instantiated with each new IE instance.
Registers with IE to receive events and new windows/controls being created.
Hooks to receive descriptions of controls for logic to decide what to do.
Handles to each authentication dialog windows or control.
Handle to UIAutomation COM to inspect requesting server and realm.
Multi-threaded support capable of thread blocking.
Encrypted credentials cached in memory.
.... and a whole lot more.
I hope that helps anyone needing to do the same. Thanks all for any assistance you could give. I guess everyone is as much of a noob with BHO's as I am.
EDIT 2/14: This is indeed the answer. I have the BHO working as desired. There is still some very minor tweaking to accomplish. (Actually, it's not that minor but it's working.)
Honestly this concept is dangerous. You are side-stepping the security model of the operating system to accommodate lazy users.
The other problem is that your architecture is fragmented. If you have tonnes of workstations across a big organization that don't use a proper platform for unified authentication (such as AD / LDAP / etc.) then you're going to run into a very hard-to-maintain mess.
What you're doing here is plugging a hole, you're not fixing the crack. I strongly suggest you use this lack of source-code to keep "patching" the system together as the catalyst for change.
If you're so hell-bent on keeping the infrastructure as-is, then you should look to tested & proven software solutions to help aid in keeping things sane for your users.
Take a look at the FOSS application KeePass. It will allow you to store your passwords securely (a problem your proposal would have to address anyway) and you can have your users store their DB on a USB stick they keep with themselves at all times. They can log in once to their KeePass DB and use the Auto-Type hotkeys to enter their passwords in the various login boxes they are prompted for. This can work for more than just IE authentication requests; it can do all your applications.
The nice part about this is you can get people to use relatively strong passwords as they'll only have to remember the one (KeePass DB).
Ultimately you're going to run into issues trying to catch authorization challenges; even your existing solution is probably doing it in a very hackish way and you're going to find it increasingly hard in the future to continue this behaviour. This is mainly because it's an "IFFY AT BEST" solution, and will likely be made harder to execute as security matures.