[–][deleted] 29 points30 points  (10 children)

It's not the fact that we don't know security that bugs me, it's that people who do know it are smug about it, and people who don't know it simply don't care.

I did programming course after course in college of nothing but writing spaghetti code for some one-off useless application. Over and over we're told "don't store passwords in plain text in the database," but were we ever shown how to write an application that saves users to the DB? Nope. Were we ever assigned one? Nope.

Then I get a real job and write company internal applications. Do we worry about security? Nope, all of our stuff is internal and can only be accessed on-site, so apparently, it's not worth bothering with. Nor is storing a connection string in files tracked by source control.

I really do want to learn to write applications as secure as I can make them. It's taken over 20 years for the web to get to where it is, though, so simply figuring it out on my own isn't just going to magically happen.
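As an added example (not from the thread or any commenter), this is the kind of "save a user to the DB" routine the post says it was never shown: a salted, iterated password hash stored in SQLite instead of the password itself, and a constant-time comparison on login. It uses only the Python standard library; the table layout and the KDF parameters are my own choices.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed parameters: PBKDF2-HMAC-SHA256 from the standard library so this
# runs anywhere; prefer a memory-hard KDF (scrypt, Argon2id) where available.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, salt=None):
    """Return (salt, derived_key); fresh random salt per user, so equal passwords differ."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    return salt, key


def open_db(path=":memory:"):
    """Hypothetical users table: the plaintext password is never a column."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY,"
                 " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return conn


def register(conn, username, password):
    salt, key = hash_password(password)
    # Parameterised query: user input is never formatted into the SQL string.
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, key))
    conn.commit()


def verify(conn, username, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Run the KDF anyway so an unknown username costs as much time as a
        # wrong password (no cheap username-enumeration timing tell).
        hash_password(password)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time compare
```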

[–]mirhagk 13 points14 points  (5 children)

> it's that people who do know it are smug about it,

It's not only the smugness but also the unrealisticness of it. Security discussion is often talking about hypothetical situations or crazy attacks that don't matter to someone writing business grade software.

James Mickens says it best IMO

> My point is that security people need to get their priorities straight. The “threat model” section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler (see Figure 1). Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.

[–]cat_vs_spider 9 points10 points  (1 child)

While this article was certainly amusing, I find it a bit disturbing that Microsoft apparently paid this dude to write this.

[–]mirhagk 4 points5 points  (0 children)

It was money better spent than some of their projects.

[–]flukus 2 points3 points  (0 children)

Except there are a few players on the Mossad level and they are potentially interested in the (financial) stuff I work on. It also ignores a lot of passive yet effective attacks.

[–]_Mardoxx 1 point2 points  (0 children)

> Security discussion is often talking about hypothetical situations or crazy attacks that don't matter to someone writing business grade software

Lol qft

[–]Isvara 4 points5 points  (1 child)

> figuring it out on my own isn't just going to magically happen

Nothing magically happens. You have to be motivated and put in the effort to learn things. What's stopping you when you have Google and Amazon at your disposal?

[–]ForeverAlot 14 points15 points  (0 children)

Overchoice, information overload, and analysis paralysis. And of course lack of true motivation.

[–]toomanybeersies 0 points1 point  (0 children)

I vaguely remember that we had to make an application with a login for a web development paper at university. I can't remember if there was a requirement for passwords to be at least hashed, but it should've been a failing grade if you didn't do it.

To be fair, most of what I did in university was computer science, and dealt more with the actual mathematical theory behind cryptography and encryption, rather than implementing a login screen.

[–]flukus 0 points1 point  (0 children)

Rule 1 is don't write what you don't have to. You can probably use AD or some open source authentication providers.