Security: GreaseMonkey, URL tampering, etc.

Similar Messages

• OS X10.4.11 update, Safari won't connect to secure (HTTPS) URLs

  Didn't find any discussion of this particular symptom of the update, so thought I'd ask.
  Installed 10.4.11 update over the weekend, which contained Safari v3.0.4. After the (uneventful) install and reboot, I'm unable to connect to any secure (HTTPS) URL. Browser seems to work on non-secure connections (HTTP). My FIREFOX browser on the same machine still works.
  Haven't experienced any crashing or other OS issues, only the "Can't make a secure connection" with Safari (so far).
  Suggestions would be appreciated.

  Did you recently install the latest Security upgrade, but did not "repair permissions" on the restart? If so, that's your answer. I have found it essential to "Repair permissions" before and after any Apple system update, or Security update. Otherwise oddities may appear in the operating system.
  Also, sometimes reapplying the Combo Update specific to your current version of OS X remedies these types of problems. Here too, it's important to "repair permissions" etc.

• Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

  Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

  Hi the_mad_movies,
  It seems like this article will be the best option for addressing this issue:
  Error 3194, Error 17, or "This device isn't eligible for the requested build"
  http://support.apple.com/kb/ts4451
  Thanks for coming to the Apple Support Communities!
  Cheers,
  Braden

• Secure ADF URL parameter

  Hi All,
  I have exposed a URL  - http://<IP><Port>/WC/faces/main?userid=1234 - to be called from an EBS application with a parameter value "userid".
  While the connectivity and integration works as expected, I have noticed that the URL parameter (1234 in this example) is visible in the browser and can be accessed directly by calling from the browser window itself.
  Is there a way to secure the URL parameter such that the user is directed back to EBS login page when trying to access the URL directly in the browser window?
  I am using Jdeveloper version 11.1.1.7.
  Best Regards,
  Ankit Gupta

  Hi Frank,
  Thank you for sharing the information.
  The prime objective on passing the userid in URL is to display the user logged in EBS, with user-specific information in the ADF page.
  So when the url is called from EBS, the invoke action is triggered before the page load to refresh the underlying View Object using the userid passed, and display information on databound tables.
  Considering the above use case, is there a better approach of achieving the same?
  Best Regards,
  Ankit Gupta

• SECURITY: Virus Scanners, Spyware, etc

  Mac users have always prided themselves with the fact that they hardly have as many security problems, no viruses, etc, etc. Even the Mac expert told me I didn't really need anti-virus software and all that. OK, I can take that... I got the Macbook.
  But the question is: Is that really wishful thinking? Or do I actually need some sort of additional security software, anti virus and anti spyware software, etc. And if it is important to have such things: What are good programs to get.
  The only antispyware thing ive seen is MACSCAN and i've seen a few anti virus software, and i dont know which is "best"...

  Tom,
  1. Apple recommends using antivirus software. (See above.)
  2. Apple ships antivirus as part of OS X Server. (See above.)
  These two items should give us all pause.
  First things first: Computer security is a process, not an end.
  Step 1: Decide an appropriate level of paranoia for your system.(a) Since it's your system, you are responsible for its use and security.(b)
  The key factors should be the value of your data, the value of your system, and the liability that you create for yourself if you do not take reasonable precautions.
  Step 2: Stay aware of the threats and risks associated with using computers. Over time, threats and risks change, as do effective means to counter and mitigate them.
  Step 3: Take appropriate precautions.(c)
  Step 4: Lather, rinse, repeat.8
  (a) Bad guys really are out to get control of your computer and steal your data.
  (b) A personal computer is a general-purpose computing device, much as an automobile is a general-purpose transportation device. The level of safely of either depends on regular maintenance, properly installed and inspected safety and security equipment, disaster planning and recovery practice, and responsible use. There is no such thing as a completely secure car or computer: In order to be useful, they have to be able to do inherently dangerous things.
  (c) In my practice, I have found the following list to be a decent baseline: At a minimum, you should make sure that your software is up-to-date, your firewall is properly configured, your critical data is backed up, you are reasonably protected from malware and don't spread it to others, your network has proper incoming and outgoing access controls, and you regularly read your logs.
  What you do (or don't do) on your system is your choice. This is a topic that deserves serious attention and thought.
  At the very least, we should be sure to put serious thought, research, and fact into prescriptions and recommendations for other users.
  -Wayne

• ACE url tampering and other security capabilities

  Hi,
  I was wondering if anyone knows weather it's possible with the ACE to secure administrative/backend urls from the internet? ie. https://x.company.com/IGGS/Admin I would like to block access to this url from the internet for example. I have read the documentation but it only mentions HTTP deep packet inspection and alot of RFC stuff
  Regards
  Tyrone

  I can answer myself because I finally found a link to another post.
  The following will restrict certain source addresses from accessing certain URL via the ACE, I have tried this in one armed-mode, but should work even with routed-mode.
  ### Also important to notice is that doing Layer-7 loadbalancing with ssl the ACE will need to terminate the tunnel otherwise all traffic passed the ACE encrypted###
  class-map type http loadbalance match-all ten
    2 match source-address 10.0.0.0 255.0.0.0
    4 match http url .*
  class-map type http loadbalance match-all seventeen
    2 match source-address 17.16.0.0 255.255.0.0
    4 match http url .*
  class-map type http loadbalance match-any restrict
    2 match http url /public.*
    4 match http url /downloads.*
  then use in load balance policy as follows:
  policy-map type loadbalance first-match WEBSERVER_L7 class ten sticky-serverfarm WEBSERVER_StickyGroup class seventeen sticky-serverfarm WEBSERVER_StickyGroup class restrict sticky-serverfarm WEBSERVER_StickyGroup
  if you want to send outside users with other urls to a sorry page you would have a server in a serverfarm taht would do that and use it in a class class-default on the bottom of the load balance policy. The matches on load balance policy are top down so order is important.

• URL, title etc of webpages do not print on pages printed off internet despite selecting these in header/footers in page set up. How do I get URL etc to print on the page?

  No matter how I try I cannot get the URL of a webpage or other options such as page title, date etc to print if I print up a webpage. I have done the necessary selections in file>page setup>headers & footers choosing the options from the drop downs. I have even tried making top or bottom margin bigger thinking there was not space on the page. This is still the case if I try to print to different printers.
  Is there something I am missing that needs to be done via some other setting or menu item?

  Thanks, this was a good idea to try, however it doesn't seem to have helped.
  I reset:
  print.print_printer
  Also tried resetting:
  print.printer_Lexmark_6500_Series.print_footercenter
  print.printer_Lexmark_6500_Series.print_footerleft
  print.printer_Lexmark_6500_Series.print_footerright
  print.printer_Lexmark_6500_Series.print_headercenter;
  print.printer_Lexmark_6500_Series.print_headerleft
  print.printer_Lexmark_6500_Series.print_headerright
  Closed and restarted the browser.
  I then selected URL in footer right in page setup but still it refuses to show in print preview or print on the page in hard print. It is most peculiar. Any other ideas? Thanks.

• Beware Latest 10.3.x security update - it replaces /etc/named.conf

  The latest security update for 10.3.9 replaced "my" /etc/named.conf with a new one - fortunately the old one is saved in /etc/named.conf.applesaved
  This caused me a huge nightmare as I had no idea what had happened to our network services. This was the last thing I expected.

  Yes it did that for me too a few minutes ago, when I looked into the Server Admin window and only saw two records, one for localhost and reverse for localhost I figured it had to do something with named.conf, and of course it was the issue with that. We always keep backups of everything so I wasn't too much in a panic, and thanks to the saved backup by apple I was able to recover fast.
  I still don't understand what exactly the developers of this security update where thinking with this, this is a HUGE bug with this update, have they not noticed and corrected this by now?

• Weblogic security: coping URL into other tab

  Hi,
  We have two Weblogic servers on two phisically different locations.
  First of them, WLS A, have perfect security. When you login into any application that is deployed on it, and try:
  - copy URL into another tab or browser window, you are getting returned at login page
  - when you close browser (without logout), and try to start application from history, you are getting login page, again
  So, URL that you have when you enter the application is absolutely useless. Closing the browser, or tab with application have practicaly same meaning as logout.
  Second of them, WLS B, have not that security. When you login into any application that is deployed on it, and:
  - copy URL into another tab or browser window, you are getting application without need to login! So that URL can be very dangerous, because it is possible to misuse it, if the user don't make logout
  - closing browser without logout: it is possible to find out the URL in history and go back into application without login!
  It is obvious that the problem is some setting on weblogic server. We tried to compare the settings on WLS A and WLS B but we have not found the setting that we have search for. The programmer that have found and set that property on WLS A working not more in our company.
  Can anybody help, we will be very greatful!
  Thanks,

  Hi,
  The authenticate method would take the user and the password details from the environment
  (env) that is passed and after successful authentication would populate the subject with
  the principals (i.e user, group the user belongs to ..)
  It should work with any user that is defined in the WLS not just weblogic/weblogic.
  Do you have any other users defined and which group do they belong to?
  Vimala
  Khalid Rizvi wrote:
  I am playing (learning) with weblogic.security.auth.login.UsernamePasswordLoginModule
  as a LoginModule using JAAS based authentication. Surprisingly, the only userid
  and password combination acceptable is uid=weblogic, pw=weblogic combination.
  I went through and looked at the example code under
  http://e-docs.bea.com/wls/docs70/security/cli_apps.html#1042212. I found that
  the UsernamePasswordLoginModule.login calls into
  if (url != null) {
  Environment env = new Environment();
  env.setProviderUrl(url);
  env.setSecurityPrincipal(username);
  env.setSecurityCredentials(password);
  try {
  Authenticate.authenticate(env, subject);
  Seems like UsernamePasswordLoginModule only is a router, as it instantiates an
  instance of Environemt using the userid and password and passes this Environemtn
  instance (env) to Authenticate.authenticate along with the empty Subject instance.
  I read about that the Subject instance will be filled in with Principals by the
  WL Server.
  My question is that firstly,
  1. As Authenticate.authenticate is not passed in the uid and pw, will it pick
  those from the env?
  2. Secondly, why does it only accept uid=weblogic & pw=weblogic.
  I will appreciate if some one can put me in the right direction.
  Khalid R. Rizvi
  508-641-1192
  [email protected]

• Does an mac air need any internet/security protection from viruses etc. ?

  I was wondering does the mac need any interent security such as kaspersky or norton installed for protection? or is there already protection from viruses etc on the software installed? Thanks

  1. This is a comment on what you should—and should not—do to protect yourself from malicious software ("malware") that circulates on the Internet and gets onto a computer as an unintended consequence of the user's actions. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the computer, or who has been able to log in to it remotely. That threat is in a different category, and there's no easy way to defend against it.
  If you find this comment too long or too technical, read only sections 5, 6, and 10.
  OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as execute disable, sandboxing, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.
  2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user. Internally Apple calls it "XProtect."
  The malware recognition database used by XProtect is automatically updated; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
  The following caveats apply to XProtect:
  It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.
  It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
  As new versions of OS X are released, it's not clear whether Apple will indefinitely continue to maintain the XProtect database of older versions such as 10.6. The security of obsolete system versions may eventually be degraded. Security updates to the code of obsolete systems will stop being released at some point, and that may leave them open to other kinds of attack besides malware.  3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't necessarily been tested by Apple, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)    Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
  It can easily be disabled or overridden by the user.
  A malware attacker could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.
  An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.
  4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background when you update the OS. It checks for, and removes, malware that may have evaded the other protections via a Java exploit (see below.) MRT also runs when you install or update the Apple-supplied Java runtime (but not the Oracle runtime.) Like XProtect, MRT is effective against known threats, but not against unknown ones. It notifies you if it finds malware, but otherwise there's no user interface to MRT.
  5. The built-in security features of OS X reduce the risk of malware attack, but they are not, and never will be, complete protection. Malware is a problem of human behavior, and a technological fix is not going to solve it. Trusting software to protect you will only make you more vulnerable.  The best defense is always going to be your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "Trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the scam artists. If you're smarter than they think you are, you'll win. That means, in practice, that you always stay within a safe harbor of computing practices. How do you know when you're leaving the safe harbor? Below are some warning signs of danger.
  Software from an untrustworthy source
  Software of any kind is distributed via BitTorrent. or Usenet, or on a website that also distributes pirated music or movies.
  Software with a corporate brand, such as Adobe Flash Player, doesn't come directly from the developer’s website. Do not trust an alert from any website to update Flash, your browser, or anything else.
  Rogue websites such as Softonic and CNET Download distribute free applications that have been packaged in a superfluous "installer."
  The software is advertised by means of spam or intrusive web ads. Any ad, on any site, that includes a direct link to a download should be ignored.
  Software that is plainly illegal or does something illegal
  High-priced commercial software such as Photoshop is "cracked" or "free."
  An application helps you to infringe copyright, for instance by circumventing the copy protection on commercial software, or saving streamed media for reuse without permission.
  Conditional or unsolicited offers from strangers
  A telephone caller or a web page tells you that you have a “virus” and offers to help you remove it. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
  A web site offers free content such as video or music, but to use it you must install a “codec,” “plug-in,” "player," "downloader," "extractor," or “certificate” that comes from that same site, or an unknown one.
  You win a prize in a contest you never entered.
  Someone on a message board such as this one is eager to help you, but only if you download an application of his choosing.
  A "FREE WI-FI !!!" network advertises itself in a public place such as an airport, but is not provided by the management.
  Anything online that you would expect to pay for is "free."
  Unexpected events
  You open what you think is a document and get an alert that it's "an application downloaded from the Internet." Click Cancel and delete the file. Even if you don't get the alert, you should still delete any file that isn't what you expected it to be.
  An application does something you don't expect, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.
  Software is attached to email that you didn't request, even if it comes (or seems to come) from someone you trust.
  Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
  Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.
  Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
  Stay within the safe harbor, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself.
  7. Never install any commercial "anti-virus" (AV) or "Internet security" products for the Mac, as they are all worse than useless. If you need to be able to detect Windows malware in your files, use one of the free security apps in the Mac App Store—nothing else.
  Why shouldn't you use commercial AV products?
  To recognize malware, the software depends on a database of known threats, which is always at least a day out of date. This technique is a proven failure, as a major AV software vendor has admitted. Most attacks are "zero-day"—that is, previously unknown. Recognition-based AV does not defend against such attacks, and the enterprise IT industry is coming to the realization that traditional AV software is worthless.
  Its design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere. In order to meet that nonexistent threat, commercial AV software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
  By modifying the operating system, the software may also create weaknesses that could be exploited by malware attackers.
  Most importantly, a false sense of security is dangerous.
  8. An AV product from the App Store, such as "ClamXav," has the same drawback as the commercial suites of being always out of date, but it does not inject low-level code into the operating system. That doesn't mean it's entirely harmless. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
  An AV app is not needed, and cannot be relied upon, for protection against OS X malware. It's useful, if at all, only for detecting Windows malware, and even for that use it's not really effective, because new Windows malware is emerging much faster than OS X malware.
  Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else. A malicious attachment in email is usually easy to recognize by the name alone. An actual example:
  London Terror Moovie.avi [124 spaces] Checked By Norton Antivirus.exe
  You don't need software to tell you that's a Windows trojan. Software may be able to tell you which trojan it is, but who cares? In practice, there's no reason to use recognition software unless an institutional policy requires it. Windows malware is so widespread that you should assume it's in every email attachment until proven otherwise. Nevertheless, ClamXav or a similar product from the App Store may serve a purpose if it satisfies an ill-informed network administrator who says you must run some kind of AV application. It's free and it won't handicap the system.
  The ClamXav developer won't try to "upsell" you to a paid version of the product. Other developers may do that. Don't be upsold. For one thing, you should not pay to protect Windows users from the consequences of their choice of computing platform. For another, a paid upgrade from a free app will probably have all the disadvantages mentioned in section 7.
  9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.
  10. As a Mac user, you don't have to live in fear that your computer may be infected every time you install software, read email, or visit a web page. But neither can you assume that you will always be safe from exploitation, no matter what you do. Navigating the Internet is like walking the streets of a big city. It's as safe or as dangerous as you choose to make it. The greatest harm done by security software is precisely its selling point: it makes people feel safe. They may then feel safe enough to take risks from which the software doesn't protect them. Nothing can lessen the need for safe computing practices.

• Item Level Security and url not working

  Hi,
  I have a SharePoint 2010 web application for internal users with windows authentication that contains a infopath forms library with content approval enabled. This web application is extended as extranet for external sites and it's using forms authentication
  and all the users are in a group that has read permissions. What we are doing is to create infopath files in the internal site and give permissions to certain groups so external users can access these infopath files from the external site. 
  Everything works fine we create a infopath form and its status is draft so users in the external site cannot see the files at that moment until the file is approved. If we remove the permissions from a group the user has not access to the item (file) in
  the external site which is ok, the user can't see the file BUT if the user tries to access the file through the URL directly the user has access. 
  In conclusion the user has access to the item when its group is assigned to the permissions in the item and the user can see the file in the library. 
  If the group is removed from the item the user can't see the file in the library but the user can still access the file using the URL pointing to the infopath xml file directly.
  It is worth to mention that we tested the same in a none content approval form library and users have not access using the URL.
  I hope i explained myself correctly, any help would be much appreciated.

  Does the library have versions enabled? Also are these logins occuring within word/excel etc?
  If there's multiple login prompts which occur even if entering valid credentials what does hitting escape (after the first prompt) achieve, does the document open anyway?
  There's a situation where Office will prompt for credentials if you open a document when you've only got read access but there's a version history (to which you don't have access). This is to allow you to enter more highly privelidged credentials if you
  want to.

• Generate client from secured WSDL URL

  I was playing arounf with the (excellent) Web Service Proxy generation wizard in JDeveloper.
  It works great but I did run into one annoying issue.
  When I try to enter an URL to a WSDL that will serve as the source for the proxy generation JDeveloper is not able to find it if the URL requires some form of authentication. In my example the service requires basic username/password authentication (and so does the ?WSDL).
  I can work around it by accessing the WSDL through my browser and storing it locally but I'd prefer to use the direct URL so that I can easily refresh it. Is there something I'm doing wrong?

  Thanks for the assistance, I've saved the WSDL locally and secured the proxy, now I get the following error :
  SEVERE: No username found
  Exception in thread main
  oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: No username found
  at oracle.security.wss.interceptors.AbstractSecurityInterceptor.throwSOAPFaultException(AbstractSecurityInterceptor.java:222)
  at oracle.security.wss.interceptors.AbstractSecurityInterceptor.handleOutbound(AbstractSecurityInterceptor.java:196)
  at oracle.security.wss.interceptors.ClientInterceptor.handleRequest(ClientInterceptor.java:48)
  at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.handleRequest(InterceptorChainImpl.java:122)
  at oracle.j2ee.ws.common.mgmt.runtime.AbstractInterceptorPipeline.handleRequest(AbstractInterceptorPipeline.java:87)
  at oracle.j2ee.ws.client.StubBase._preRequestSendingHook(StubBase.java:646)
  at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:141)
  at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:111)
  at testsms.runtime.Service1Soap_Stub.ws_submitSimple(Service1Soap_Stub.java:453)
  at testsms.Service1SoapClient.ws_submitSimple(Service1SoapClient.java:52)
  at testsms.Class1.main(Class1.java:41)
  Caused by: FAULT CODE: InvalidSecurity FAULT MESSAGE: No username found
  at oracle.security.wss.WSSecurity.build(WSSecurity.java:1627)
  at oracle.security.wss.interceptors.AbstractSecurityInterceptor.handleOutbound(AbstractSecurityInterceptor.java:188)
  ... 9 more
  The only thing I enabled when securing it was Authentication, when I right click and edit the security propertes the "Authentication" tab has "Use Username to Authenticate" password type "Plain text" and I disabled "Add Nonce" and "Add create time" after it failed first time.
  Where is it expecting to get username and password from ? I have the right username and apssword in Tools->Preferences->Web Browser and Proxy, is that where it comes from ?
  Just to reitterate its the internet proxy server at my end that I'm trying to get through - the web service itself does not use WS Security, so I'm thinking that the mention of WSSecurity in the error means I'm going the wrong way here.

• On a desktop computer you would normally have some form of security software(Norton,AVG etc).Is this also arequirement of one's i pad?

  On a desktop computer you would normally install some form of software security(AVG,Norton etc.) Is this necessary on one's I Pad?

  No (unless you jailbreak your iPad), and there aren't any 'proper' anti-virus or security apps in the app store. You can only download programs onto your iPad from the App Store, so they will have gone through Apple's vetting process.

• Key Mapping / URL hiding etc

  Hi All APex Fans,
  I'm in the process fo deploying a public application . ( i.e. zero authentication)
  My URL is a typical HTMLDB URL which reveals certain key fields depending on which page of the application you are :
  https://xx.xx.xx/htmldb/production/f?pp=xxx:2:1276630965096638381::NO::P2_USERTYPE,P2_USERID:employee,E0999
  In other words , Managers are horrified by the fact that this URL reveals a bunch of key fields and information .
  I can hide the first part using virtual host - but How do I create "key mappings" for the rest of the URL that starts with ?p=.....
  Is there such a thing called Key Mapping available for HTMLDB ? ( similar to what we have in Oracle Reports)
  Or is it much preferable to use Frames ( where the main frame stays static to the main URL and the Window frames play the HTML DB application pages without revealing HTMLDB URLS ?
  Could be a dumb question - but I am also being a mouth piece to some Oracle Reports experts who feel very strongly about HTMLDB URLS which they said reveal too much of its key info.
  Any suggestions ?
  Indira

  Only pass the items that you need to (for example primary keys of records you wish to manipulate). Most other item values can actually be set in the page itself.REPLY : That's exactly what I do / did.
  typically , the USERID does not show on any page at all- it only shows up IF and only IF i open a "drill-down" pop-up in a new window from a main page that brances to it using a USERID.
  - pop-ups typically don't show URLS. I know.
  But I was only playing both good and devil's advocate to explain my anti-SQL-Injection strategy . I was trying to explain how I made sure "malicious users" won't be able to play with URL to reveal confidential info because I have other checks in the SQL code to block confidentation info, even if the user=USERID is displayed if that USERID is set from the browser.
  Unfortunately , I had to show them how you could substitute portions of the pop-up URL , for the actual URL and play with URL.
  ( I won't say I have shot myself in the foot) - But now the users are expressing general concerns about setting this USERID from the browser.
  Who said DBA's and developers only struggle with machines ... ? It's complicated for users to understand .
  Are your managers horrified because they can see the information? Or are >>they horrified because they believe that if they can see it then it must be insecure? REPLY :: Yes - they horrified because they believe that if they can *see
  I think the use of FRAMES can definitely soothe the climate because the blanket/main FRAME will always show a lovely https://xxx.xxx.com/myapp/
  no matter which page of the application you are in.
  Due Dilligence .
  Any other ideas ?
  Regards...

• Any websites requiring security, electric company, banking, etc. are not working with 3.6.12. Tried to uninstall and reinstall an older version but they are still not working.

  I updated to the latest firefox about 3 weeks ago. I run version 3.6.12 on a Vista 32 Home Edition.
  I have not had this problem before but when I try to access my banking, pay my electric bill, purchase from different websites, pay my isp company, anything with security - most pages are having errors. My banking says I was logged out do to inactivity but I just signed on, other secure pages either say error or keep me in an infinite loop of answering the same pages over and over and cannot move forward.

  Hi thanks,
  amenzhisnky wrote:Try to downgrade xf86-video-intel package 1 version back, the last one seems to be buggy.
  The crash still happens when xf86-video-intel is downgraded. It also happens when the package is removed.
  Sekre wrote:
  Seems as if you are using glamor according to your X log. Have you perchance tested with UXA?
  I have had issues with SNA in the recent driver, but seems that switching to UXA and ditching all other options is a temporary workaround for me. Sadly this breaks VSync and introduces some tear, but I got rid of other nasties such as lock-ups and flickering.
  For extra info, we have different chips you and I, but it might be a common error.
  The problem is with the tty display crashing before I even get a chance to invoke X. I'll give UXA a go but I think the problem is in the i915 module of the kernel itself.