I'm trying to use gSOAP to talk to a network camera that supports ONVIF, and I need a way to specify the time that soap_wsse_add_UsernameTokenDigest uses when it hashes the password.
At the moment I'm unable to insure that both the camera and my client have proper NTP time sync. Therefore, I'd like to take the approach used by tools like python-onvif and simply apply an offset to the time used in generating the UsernameToken. The camera's date/time can be retrieved without authentication, so computing such an offset is trivial.
My problem is that I can't see any way to get soap_wsse_add_UsernameTokenDigest to use anything except the current time when it computes the password hash.
Is there any way to change what time soap_wsse_add_UsernameTokenDigest uses, short of changing the system clock?
And a look at the source code for soap_wsse_add_UsernameTokenDigest answers the question: NO, there's no way to specify that time or an offset because it simply calls time(NULL) directly.
So my options are to modify soap_wsse_add_UsernameTokenDigest, compute the hashes myself and call soap_wsse_add_UsernameTokenText, or find some way to insure time sync.
Related
I'm new to PLC programming and I'm trying to keep track of an LREAL variable in some existing structured-text code. I'm using Omron's CX-Programmer with a simulated CJ2M.
My first instinct was to log all changes in value to SD card, using WRITE_TEXT() . Since I need a string value to write, I had hoped that LREAL_TO_STRING() would do the trick, but it appears that function does not exist.
How could I best log that value without losing precision?
Edit: I managed to work around this problem. Having been told CX-Programmer's SD card emulation could be unreliable, I simply wrote the values to an array and examined the contents of those memory locations with the built in tools. I could also export these values into a file if needed. This approach limits the amount of recorded data to available space in the simulated PLC memory.
In CXP you can't convert real into a string. You have to do the conversion yourself.
If you want to know if you can do any other conversion you can follow the table here.
I am Developing an onpremise solution for a client without any control and internet connection on the machine.
The solution is to be monetized based on number of allowed requests(REST API calls) for a bought license. So currently we store the request count in an encrypted file on the file system itself. But this solution is not perfect as the file can be copied somewhere and then replaced when the requests quota is over. Also if the file is deleted then there's manual intervention needed from support.
I'm looking for a solution to store the state/data in binary and update it runtime (consider usage count that updates in binary itself)
Looking for a better approach.
Also binary should start from the previous stored State
Is there a way to do it?
P.S. I know writing to binary won't solve the issue but I think it'll increase the difficulty by increasing number of permutation and combinations for places where the state can be stored and since it's not a common knowledge that you can change the executable that would be the last place to look for the state if someone's trying to mess with the system (security by obscurity)
Is there a way to do it?
No.
(At least no official, portable way. Of course you can modify a binary and change e.g. the data or BSS segment, but this is hard, OS-dependent and does not solve your problem as it has the same problem like an external file: You can just keep the original executable and start over with that one. Some things simply cannot be solved technically.)
If your rest API is within your control and is the part that you are monetizing surely this is the point at which you would be filtering the licensed perhaps some kind of certificate authentication or key to the API and then you can keep then count on the API side that you can control and then it wont matter if it is in a flat file or a DB etc, because you control it.
Here is a solution to what you are trying to do (not to writing to the executable which) that will defeat casual copying of files.
A possible approach is to regularly write the request count and the current system time to file. This file does not even have to be encrypted - you just need to generate a hash of the data (eg using SHA2) and sign it with a private key then append to the file.
Then when you (re)start the service read and verify the file using your public key and check that it has not been too long since the time that was written to the file. Note that some initial file will have to be written on installation and your service will need to be running continually - only allowing for brief restarts. You also would probably verify that the time is not in the future as this would indicate an attempt to circumvent the system.
Of course this approach has problems such as the client fiddling with the system time or even debugging your code to find the private key and probably others. Hopefully these are hard enough to act as a deterrent. Also if the service or system is shut down for an extended period of time then some sort of manual intervention would be required.
I'm using joliver/EventStore library and trying to find a way of how to get a stream not reading any events from it.
The reason is that I want just to write some events into that store for specific stream without loading all 10k messages from it.
The way you're expected to use the store is that you always do a GetById first. Even if you new up an Aggregate and Save it, you'll see in the CommonDomain EventStoreRepository that it will first correlate it with the existing data.
The key reason why a read is needed first is that the infrastructure needs to work out how many events have gone before to compute the new commit sequence number.
Regarding your citing of your example threshold that makes you want to optimize this away... If you're really going to have that level of events, you'll already be into snapshotting territory as you'll need to have an appropriately efficient way of doing things other than blind write too.
Even if you're not intending to lean on snapshotting, half the benefit of using EventStore is that the facility is buitl in for when you need it.
I am programming a 30-Day-trial application, I need to make sure if the user changes the system time it will not harm my application and the 30-day-trial will still be calculated, or at least I will be able to figure he did something wrong.
The best way I found is to check for a system file which its contents updated and every update contains the time with its data, so I can find out if the user changes the date or not, by comparing the dates with each other ...
I know it is not certain way, but it is kind of make it harder and shrink the area of who can crack it.
I found about Event log
windows7 log files
it can help..
Any solution proposed can be hacked. But it sounds like you only want to ward off the casual pirate, not the determined hacker.
Instead of trusting the system clock, how about just making a network request back to your own website or time server to get the current date and time?
Another idea is to just limit the number of times the application can be launched instead of limiting it to a specific amount of time.
In the iphone game "Tiny Tower", I'm guessing it uses some kind of simulation based on the time spent between the last play and the current time, because you can set the current time forward and you will get the benefit from the fake elapsed time span.
Is there an algorithm that I can use to prevent this sort of thing? (Or at least make it difficult enough for the average user to pull off!)
Edit: thanks, I understand that, despite my wording, there's no way to prevent things you store on the client side, but I want to make it at least more difficult than "changing the time" to hack it!
The gamecube had a way to do this so it must be possible.
Is there an event triggered when the iphone time is set ? In that case you can react that.
Another solution is to require to be online when the game is launched, this way you can check time on a remote server.
You could has well check if you got an event on the phone login or wake up react to it, saving the time at that moment in your DB. You would have the last non modified time.
A last possible trick is to check for a file you know is going to be modified by an action prior to time change (such as login), and check the 'last modification' date.
You can investigate in the GPS direction as well. A GPS need to be synchronised with the satellite it contact, so it must keep track of time in some way, and maybe there is an API for that.
Unfortunatly you are on an iphone, which mean your possibilities are limited since applications got very few rights and are sandboxed.
EDIT:
Just though about it but, can you create event in the iphone calendar ? And check if it has been trigered ? Cause you could set a fake meeting or something for every day. Not clean, but creative.
EDIT 2: can you set a timer as a code for IOS to execute in 60 minutes ? If you can, set this timer, pass the time expected to be when this code run, then when the code run, compare and inform your program.
One way to prevent it is to monitor time passing by checking timestamps for their logins in a database. It doesn't matter if the client's iPhone's time is off; the database on your end will still know how long it's been since the last login.
I think if you have internet access you can take the time from a server.
A second solution : You can record the "datetime" and every time you see a "BIG" difference between the record datetime and the running datetime you know there might be a problem.
but this is not elegant, i know.
You can also record a small ammount of datetimes that the application started and check the diffrence with the running datetime.
Also you can use "Activity"->"Datetime" so the "Updates" (levels etc) can't be retaken.
Because the system Datetime can be changed by user, there is potential for "hack".
call a web service to get the time, rather than rely on the phone. There are several places you could get time from, google is your friend i'm sure, or create one yourself, and use the local time of the machine the service runs on for the time.
You could also use the Network Time Protocol (NTP) servers to get a consistent time