by Andrea Zanin
Security Vulnerabilities Explained with Rivers and Parties
Security vulnerabilities can be boring to learn. But you still need to learn them, unless you want some hacker to delete all your production databases. To make it a bit more entertaining, I tried to explain 3 major vulnerabilities in terms of everyday life. So without further delay, let’s begin.
Man-in-the-middle attack
When you open a website you are connecting to a server. You can imagine this connection like a river and the data (for example Tweets in Twitter) are messages in bottles that float down the river.
If Alex (the server) wants to send you a dinner invitation he has to put it in a bottle and send it down the stream. But what if John (the attacker) takes the bottle out of the river, changes the message into an insult, then puts it back in the river? You will have no way of recognizing that the message you received hadn’t been sent by Alex!
This is called a Man-in-the-middle attack.
To solve this you and Alex can decide that you will write your messages reversing the order of the characters. For example, secret message becomes egassem terces.
John doesn’t know the method you used to generate the secret code, so he can’t understand what the message says nor change what’s written on it without you noticing.
This is what the HTTPS protocol does, just with a fancier method.
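The property the reversed-message trick is standing in for is message authentication: the receiver must be able to tell that the bottle was not rewritten on the way. The following added example (not from the original article) shows one of the building blocks HTTPS relies on for this, a keyed MAC over a shared secret. The key, the messages and the function names are constructed for the illustration.

```python
import hmac
import hashlib

# Shared secret that you and Alex agreed on out-of-band (constructed value for this example).
SHARED_KEY = b"example-shared-key-agreed-in-person"


def seal(message: str, key: bytes = SHARED_KEY) -> tuple:
    """Sender side: compute an authentication tag and send it along with the message.
    The tag depends on both the key and every byte of the message."""
    tag = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return message, tag


def open_bottle(message: str, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag over what actually arrived and compare it
    in constant time with the tag that came with the message."""
    expected = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Alex sends an invitation; John rewrites the text but cannot forge a matching tag."""
    msg, tag = seal("Dinner at my place on Saturday?")
    genuine = open_bottle(msg, tag)
    # John replaces the message but has no key, so he can only reuse the old tag
    tampered = open_bottle("You are not invited.", tag)
    return {"genuine_accepted": genuine, "tampered_accepted": tampered}


if __name__ == "__main__":
    print(demo())  # genuine accepted, tampered rejected
```

The tag alone does not hide the message from John; real HTTPS (TLS) combines authentication like this with encryption and with a key exchange so the two sides never need to meet in person to agree on a key.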
DoS and DDoS
Another way you can see a server is like your home’s inbox. You receive mail, read it and reply.
What if John starts to write you a ton of mail? You wouldn’t be able to respond to Alex’s dinner invitation in time, because you would be too busy replying to all the other spam messages sent by John.
This is called a Denial-of-service attack, DoS for short.
A way to mitigate this is to read the sender’s name on top of the mail before opening it. If it’s John then don’t bother opening the mail. This way you don’t need to reply to John and can focus on handling serious stuff, like Alex’s dinner invitation.
This is IP blacklisting in a nutshell, only with the sender’s Internet Protocol (IP) address in place of a name.
Unfortunately John convinced a lot of other evil people to send you spam mail. So now you can’t simply discard John’s mail, because there are lots of people writing to you.
This is a Distributed Denial of Service (DDoS) and it’s very hard to deal with.
One way to handle this is to receive mail only from Alex. It’s unfortunate that your other friends won’t be able to write to you, because you will discard their mail too. But desperate times call for desperate measures, and gradually you can increase the number of legitimate people you’d like to receive mail from.
This is called IP Whitelisting and can be used to mitigate the impact of a DDoS attack, but it’s not a perfect solution.
DDoS attacks are hard to deal with; luckily they are also hard to organize, because you need a lot of people helping you. But with attackers leveraging vulnerable IoT devices, misconfigured servers and DDoS-for-hire services, launching such attacks is becoming very easy.
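To make the blacklist-versus-whitelist trade-off concrete, here is an added example (not code from the original article) that runs both filters over a constructed batch of incoming "mail" keyed by source IP. The addresses come from documentation ranges, the request list and the function names are invented for the illustration, and the point it shows is the one the text makes: blocking John alone works against a single-source DoS, stops working once the spam is spread over many senders, and a whitelist stops the spam at the price of also dropping a legitimate friend.

```python
from collections import Counter

# Constructed sample of incoming mail as (source IP, body). Documentation-range
# addresses, not real traffic.
REQUESTS = [
    ("203.0.113.10", "dinner invitation"),    # Alex
    ("198.51.100.7", "spam"),                 # John, on his own (DoS)
    ("198.51.100.7", "spam"),
    ("198.51.100.7", "spam"),
    ("192.0.2.21", "spam"),                   # people John recruited (DDoS)
    ("192.0.2.22", "spam"),
    ("192.0.2.23", "spam"),
    ("203.0.113.55", "hello from a friend"),  # another legitimate sender
]

JOHN = "198.51.100.7"
ALEX = "203.0.113.10"


def top_senders(requests, n=3):
    """Detection: which addresses send the most? A single loud sender stands out,
    a distributed flood does not."""
    return Counter(ip for ip, _ in requests).most_common(n)


def blacklist_filter(requests, blocked):
    """Discard mail from known-bad addresses and keep everything else."""
    return [(ip, body) for ip, body in requests if ip not in blocked]


def whitelist_filter(requests, allowed):
    """Keep only mail from explicitly trusted addresses."""
    return [(ip, body) for ip, body in requests if ip in allowed]


def summarize(requests):
    """How much of what got through is spam and how much is legitimate."""
    spam = sum(1 for _, body in requests if body == "spam")
    return {"total": len(requests), "spam": spam, "legit": len(requests) - spam}


def compare_defenses():
    """Run no filter, a blacklist of John only, and a whitelist of Alex only."""
    return {
        "none": summarize(REQUESTS),
        "blacklist_john": summarize(blacklist_filter(REQUESTS, {JOHN})),
        "whitelist_alex": summarize(whitelist_filter(REQUESTS, {ALEX})),
    }


if __name__ == "__main__":
    print("top senders:", top_senders(REQUESTS))
    for name, stats in compare_defenses().items():
        print(f"{name:15} {stats}")
```

Blacklisting John removes his three messages but leaves the three from his recruits, while whitelisting Alex removes all spam and also the friend's message; that lost message is the cost the article warns about, and why a whitelist is usually widened again as soon as the flood subsides.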
Injection
Let’s say that Alex decided that he will organize a party with some friends. He prepared a template invitation:
Next Saturday I’m throwing a party, wanna come? If possible bring some [blank space left for food item here].
He also decided to take suggestions for the food, so he left a suggestion box in the school’s cafeteria. Then he mindlessly copied one suggestion from the box into the blank space left on each invitation.
These were the suggestions:
- coke
- chips
- pasta
- oranges. I also wanted to tell you that Rick is dumb
You see what’s going on here? A friend of Tom’s will receive this message:
Next Saturday I’m throwing a party, wanna come? If possible bring some oranges. I also wanted to tell you that Rick is dumb.
Tom’s friend will think that the whole message was written by Tom including the part regarding Rick! The guy who left the food suggestion (I think we know his name) just injected a message in Alex’s invitation.
To avoid injection altogether, validate or escape (that is the technical lingo) whatever you accept from a user when it doesn’t come from a trusted source, before you copy it into your own message.
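The invitation template is exactly the pattern behind injection bugs in software: untrusted text is pasted into a document that someone else will interpret as structure. The added example below (not from the original article) builds Alex's invitation two ways, once by copying the suggestion straight in and once after escaping it, using a suggestion that contains HTML markup so the difference is visible. The template string, the suggestion list and the function names are constructed for this illustration.

```python
from html import escape

# Alex's template, with a single blank left for the food item.
TEMPLATE = "Next Saturday I'm throwing a party, wanna come? If possible bring some {food}."

# Constructed suggestion-box contents, mirroring the article's list; the last one
# carries markup instead of a plain sentence to make the injection visible.
SUGGESTIONS = ["coke", "chips", "pasta", "oranges<br><b>Rick is dumb</b>"]


def build_invitation_unsafe(suggestion: str) -> str:
    """Copies the suggestion straight into the blank, as Alex did.
    Anything the suggester wrote becomes part of the invitation's structure."""
    return TEMPLATE.format(food=suggestion)


def build_invitation_safe(suggestion: str) -> str:
    """Escapes the suggestion first, so it can only ever appear as literal text.
    Note that the template is the format string and the suggestion is a value;
    never do it the other way round."""
    return TEMPLATE.format(food=escape(suggestion, quote=True))


def contains_markup(rendered: str) -> bool:
    """Crude check used here only to show the difference: does the output
    still contain a raw tag opener?"""
    return "<" in rendered


def render_all(safe: bool) -> list:
    """Render every suggestion with one builder or the other."""
    builder = build_invitation_safe if safe else build_invitation_unsafe
    return [builder(s) for s in SUGGESTIONS]


if __name__ == "__main__":
    for unsafe, safe in zip(render_all(False), render_all(True)):
        print("UNSAFE:", unsafe)
        print("SAFE:  ", safe)
```

For the three harmless suggestions both builders produce the same invitation; only the fourth differs, and in the escaped version the reader sees the angle brackets as text rather than as a line break and bold tag. The same idea applies wherever the output has a grammar of its own: SQL queries take user values through query parameters, shell commands through argument lists, and so on, each with its own escaping rather than a one-size-fits-all filter.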
Before you leave
If your name is John I owe you an apology, but stick around, I promise that in the next article you will be the good one.
I hope you enjoyed the article. Don’t forget that you can clap up to 50 times!
Translated from: https://www.freecodecamp.org/news/security-vulnerabilities-explained-with-rivers-and-parties-9c08798289b9/