Archive for the ‘Security’ Category

Skype communication protocol has been reverse engineered

December 20th, 2010
Daniel Marbach

After eight years, the Skype communication protocol has been reverse engineered. See for yourself:

http://www.enrupt.com/index.php/2010/07/07/skype-biggest-secret-revealed

Announcement, Security

Thawte Personal Email Certificate discontinued

October 10th, 2009
Daniel Marbach

Since 2004 I have been a member of Thawte's Web of Trust and have been giving trust points to a number of people. To spread the web of trust we also held signing parties at some universities and schools. This era has come to an end! Thawte has decided to discontinue the personal e-mail certificate and the web of trust services. Thawte recently published that security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. The effort Thawte has lately been putting into adapting its services to these changes is now too high for Thawte to bear. As a result, Thawte Personal E-mail Certificates and the web of trust will be discontinued on November 16, 2009 and will no longer be available after that date.

Announcement, Security

The solution: Formbased access to sharepoint by WebDav

June 23rd, 2009
Daniel Marbach

In the first post of this series I described the problem (it can be read here). In the second post of this series I explained how the problem was analyzed using Live HTTP Headers (it can be read here).

In this post I want to present a possible solution for achieving a successful login on a SharePoint server that uses form-based authentication. The WebDavSession from the ITHit component unfortunately has no public interface for setting cookies from the outside (although I am in contact with the developers there to see whether they could provide some kind of access method to inject cookies). Therefore the internal cookie container of the WebDavSession must be extracted using System.Reflection.

.NET, Security

The analyzation: Formbased access to sharepoint by WebDav

June 21st, 2009
Daniel Marbach

In the previous post I described the problem of accessing resources via WebDav on a SharePoint server that has form-based authentication enabled. The basic idea behind the solution is actually quite simple:

When accessing the SharePoint portal in the external zone with ASP.NET membership accounts, you have to fill out the login form with your credentials. When you click the "Sign In" button, an HTTP POST is sent to the server containing some uniquely generated IDs for your current browser session and your credentials in plain text, keyed by the names of the form fields that contain them. If authentication succeeds, the server returns a cookie that carries the client's authorization state. This cookie must be stored in the client's session and sent to the server with every subsequent request.

.NET, Security

The problem: Formbased access to sharepoint by WebDav

June 19th, 2009
Daniel Marbach

In one of my projects I am currently using WebDav to communicate with a SharePoint server. To minimize the development costs around WebDav and to speed up the project, I evaluated a nice library from ITHit which fully implements WebDAV (RFC 2518) and DeltaV (RFC 3253). The library is straightforward to use and was implemented in a TDD manner. Another cool thing about this library is that resources and items from the remote location are returned as interfaces, which really simplifies testing in an application based on this library.

.NET, Security

Fine grained password policy

March 8th, 2009
konrad.dambeck

Today we take a closer look at Microsoft Active Directory in 2008 native mode. One of the problems that Windows administrators often face in daily business is setting password policies for the whole company. Under Windows Server 2003 it was not possible to set more than one policy for the accounts, so everybody from the domain administrator down to the ordinary user needed the same complex password. In Active Directory 2008 there is a new object type in the schema called PSO (password settings object). The only way to create a PSO is in ADSI Edit: click on Start and enter "adsiedit.msc".

Administration, Security

Baseline Security of Windows Networks

February 27th, 2009
konrad.dambeck

One of the hard tasks in the daily life of an IT administrator is to ensure that the network and the servers are secure. Perfect security is not possible. There will always be some small leaks, caused either by the behavior of the user (version 1.0) or by the administrator of the system, not to mention design flaws in the software itself. Most environments are too large and too complex for a manual check of all security patches and service packs. Another factor is that most users need elevated rights on their machines to do their work, which often results in the Windows firewall being disabled. These two scenarios are the root of all evil.

Administration, Security

OpenSSH 5.1 and Hash Visualization

February 11th, 2009
admin

As we all know, the major issue with security is the user, because current security systems do not consider the human factor. Most security measures neglect human limitations in the real world, with the result that users are annoyed by the system. Annoyed users stop paying attention or, even worse, stop considering the security aspect of the system they are using at all. OpenSSH 5.1 implements a new (experimental) feature based on an innovative visualization technique that takes the human factor into account.

Security