The Witnet Foundation is creating one of the most important building blocks of the new decentralized economy: an oracle network that connects smart contracts to any external data source.
If you want to learn more about Witnet check this post for a quick overview.
We are looking for the best talent to help us build Witnet. Remote work is OK with us, but we’d love to have you in our offices, in the very center of Madrid. We have a beautiful terrace and flexible working hours.
If you love the crypto space and want to change the world for the better with open source software, don’t hesitate to drop us a line at firstname.lastname@example.org and join our revolution!
Due to many requests from both the public and our partners, Stampery is adding Ethereum to its blockchain anchoring API. All data certified via Stampery is now anchored simultaneously to three blockchains: Bitcoin, Ethereum Classic and Ethereum.
Stampery is the leading startup in blockchain anchoring. Backed by Draper&Associates, Stampery leverages blockchain technology to ensure the existence, integrity and attribution of any file, document or communication. Once a file is anchored to the blockchain through Stampery anyone can independently verify its integrity — at zero cost and from anywhere in the world.
Companies of all sizes use MongoDB, Stampery included. Why? It’s schema-less, fast, scalable. We all love its deep query-ability.
But it’s no secret that MongoDB pays more attention to scalability, performance and ease of use than to security. There are quite a few holes in its default configuration settings.
This, combined with lazy admins and devs, led to what the press has dubbed the MongoDB apocalypse. More than 25,000 MongoDB instances were targeted by hackers. Information was encrypted and money was demanded for the decryption keys. In some cases the information was wiped with no way to recover it.
Mongoaudit tackles this problem and more. It not only detects misconfigurations, known vulnerabilities and bugs. It also gives advice on how to fix problems and recommends best security practices. …
When creating new users and assigning them roles:
These methods can be really convenient, but they pose a huge security risk to your database integrity if your application does not sanitize and escape user-provided values properly, as proven by many reports of NoSQL injection attacks.
Open /etc/mongod.conf with your favorite code editor and look for the security section:
(If you can’t find mongod.conf, or it is named mongodb.conf instead, it means that you are using a really old and broken version of MongoDB. Please read this guide on how to upgrade to a more recent version.) …
mLab (formerly MongoLab) is one of the most popular “MongoDB as a service” cloud providers.
IP whitelisting is available in mLab for dedicated plans only, starting at $180. Sadly enough, this option is not available to sandbox or shared cluster plans.
Whether creating a new deployment or upgrading an existing deployment, you can enable SSL support for MongoDB connections directly from the mLab management portal.
Unfortunately, mLab considers TLS encryption to be a “premium offering”, and SSL domains incur an additional monthly charge (currently $80).
If you are creating a new deployment, you can enable SSL by choosing a domain scope toward the bottom of the form. The option will only appear if you have chosen a Dedicated plan running MongoDB 2.6 …
Compose by IBM is one of the most popular “MongoDB as a service” cloud providers.
TLS/SSL encryption is available in Compose for deployments created with the default New MongoDB Deployment option, which will create a new MongoDB 3.2 server.
Sadly enough, this option is not available to deployments created before October 2015, as well as to those provisioned through the Classic MongoDB Deployment option.
The only thing you need to do to enable TLS/SSL on Compose MongoDB is to activate the Enable SSL access option when provisioning a new deployment.
Unfortunately, this option cannot be enabled for any existing deployment.
Log into your Compose account, select your MongoDB deployment and on the Overview page you’ll see an SSL Public Key panel with a Show SSL Public Key button. …
Never run a production server without authentication on.
Really, never do so. No authentication means inviting everyone out there to enter your databases, seize everything and potentially ransom you for your data.
Running a testing server? Enable authentication either way, just in case you move it into production one day and you forget to enable it then!
Disclaimer: this how-to guide only applies to self-managed MongoDB servers. All “MongoDB as a Service” providers already enable authentication preemptively.
That’s easy, as this is the default behavior.
$ mongo mongodb://<host>:<port>
The port number will likely be 27017, but for additional security, you can always change it to a different one. …
SCRAM-SHA-1 is the default authentication mechanism for versions of MongoDB newer than 3.0. SCRAM-SHA-1 is an IETF standard (RFC 5802), and verifies the user’s name, password and authentication database.
SCRAM-SHA-1 is more secure than the previously-used MONGODB-CR, given that it provides a tunable work factor, per-user random salts, stronger hashes (SHA-1 rather than MD5), and bidirectional client<>server authentication.
SCRAM-SHA-1 is enabled by default in MongoDB versions beginning with the 3.0 series. There’s nothing special you need to do in order to use it, apart from enabling authentication.
The MongoDB 2.x series did not support SCRAM-SHA-1 and there’s no way to make it work. For this and many other reasons (among them some alarming security issues), please consider upgrading your MongoDB server to the latest stable version. …
These instructions assume that you have already installed a build of MongoDB that includes TLS support and that your client driver supports TLS. Please read this guide for instructions on how to upgrade to a TLS-enabled MongoDB version.
Your production MongoDB deployments should always use valid certificates generated by a certificate authority. You can get a free, full-fledged TLS certificate for your server signed by Let’s Encrypt using EFF’s Certbot tool.
Self-signed certificates encrypt communications, but provide no validation of server identity. Although they prevent eavesdropping, they leave you vulnerable to man-in-the-middle attacks. Only certificates signed by a trusted certificate authority will allow MongoDB drivers to verify the server’s identity. …
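As an added example that ties together the mongod.conf security section, the authentication rule and the TLS advice above (this is not code from the original post or from mongoaudit): a POSIX shell audit of a mongod.conf for exactly those settings, using the real security.authorization and net.ssl keys of the MongoDB 3.x YAML format and two constructed sample files; the /etc/ssl paths are assumptions.

```shell
# Added example (not from the original post or mongoaudit): audit a mongod.conf
# (YAML, MongoDB 3.x, 2-space indentation) for the settings this guide insists on,
# security.authorization and net.ssl.*. Sample confs and /etc/ssl paths are constructed.

conf_get() {  # $1 = conf file, $2 = dotted key such as net.ssl.mode
  awk -v want="$2" '
    /^ *#/ || /^ *$/ { next }                    # skip comments and blank lines
    {
      match($0, /^ */); ind = int(RLENGTH / 2)   # nesting level from indentation
      line = $0; sub(/^ */, "", line)
      split(line, kv, /: */)                     # kv[1] = key, kv[2] = value or ""
      path[ind] = kv[1]
      full = path[0]; for (i = 1; i <= ind; i++) full = full "." path[i]
      if (full == want && kv[2] != "") { print kv[2]; exit }
    }' "$1"
}

audit_mongod_conf() {  # $1 = conf file; prints each finding, returns their count
  f="$1"; n=0
  [ "$(conf_get "$f" security.authorization)" = "enabled" ] ||
    { echo "authentication is off: set security.authorization: enabled"; n=$((n + 1)); }
  [ "$(conf_get "$f" net.ssl.mode)" = "requireSSL" ] ||
    { echo "TLS is not enforced: set net.ssl.mode: requireSSL"; n=$((n + 1)); }
  [ -n "$(conf_get "$f" net.ssl.PEMKeyFile)" ] ||
    { echo "no server certificate: set net.ssl.PEMKeyFile to a CA-signed cert"; n=$((n + 1)); }
  return "$n"
}

write_sample_confs() {  # constructed samples, written into directory $1
  cat > "$1/weak.conf" <<'EOF'
net:
  port: 27017
EOF
  cat > "$1/hardened.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
EOF
}

# Usage: audit_mongod_conf /etc/mongod.conf (exit status 0 means no findings)
```

Against the constructed samples, weak.conf yields three findings and hardened.conf none. Note that net.ssl.mode: requireSSL also rejects plaintext clients, so switch it on only after every driver that connects has been configured for TLS.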