|
Nathan Minier wrote: if ignoring security is unethical
Maybe this programmer didn't ignore it, but simply didn't know about proper user and password management.
Or he knew, but didn't have the skills to implement it, and was afraid to ask for help because it would cost him his job.
Or he thought he knew, but obviously didn't.
I'm not making excuses, this guy should find another career asap.
I'm just saying we don't know the full story.
The only thing we know is that one or more people were not ready to take on such a project
|
|
|
|
|
Sander Rossel wrote:
Why, as I said to one company that wanted to hire me: "I've made a pretty nice career out of cleaning up after the messes your company left. I think I'll just stay here and continue until you offer me a position in charge of not leaving the disasters in your wake."
Surprisingly, they agreed with me, unsurprisingly, they never called back again.
CQ de W5ALT
Walt Fair, Jr., P. E.
Comport Computing
Specializing in Technical Engineering Software
|
|
|
|
|
i need user managemnent coez, snd urgend plz.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
|
|
|
|
|
Nathan Minier wrote: Maybe @chris-maunder could make a poll out of that one
Sure! Send me some thoughts and I'll whip one up.
cheers
Chris Maunder
|
|
|
|
|
Problem is: if a developer ignores security it is unethical. If a developer knows Jack and sunshine about security, and Jack left town...
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
|
|
|
|
|
Then that's not a developer; because a developer would do some research while assessing requirements. That's a random dude doing C&P from SO, and has behaved unethically by misrepresenting themselves.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
|
|
|
|
|
And you're right, except that a lot of "developers", either with engineering degrees or those certificates "become a Web Developer in 1 month and find a job" are actually certified developers.
Yet they know less than 0 about developing, security, architecture and whatnot.
Also, managers will invariably check out the prices of professionals, deem them too high and then have the work done by their nephew who "knows computers".
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
|
|
|
|
|
Well, the losers will keep the rest of us employed, I suppose.
I'm just worried that if we don't start policing ourselves, various governments will start to do it for us (like PCI-DSS, HIPAA, or GDPR have for the industry at large). That way lies madness.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
|
|
|
|
|
Madness is unavoidable either way.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
|
|
|
|
|
Sander Rossel wrote: 1. We want full control over the system, including passwords because we know better.
2. We want to be able to log in as any user for testing purposes.
3. Changing passwords is a hassle and not user friendly, so just mail it to them.
You know how managers pointy haired bosses think (if at all)
This. I've seen a spec for a system that was remarkably similar to this (if somewhat wordier).
The key theme was: Management er.... pointy haired ones, must have ultimate and full control.
|
|
|
|
|
Sander Rossel wrote: Makes you wonder exactly how unqualified some people are for their job (or maybe this programmer wrote it exactly according to specs?)
Hanlon's razor:
Never attribute to malice that which is adequately explained by stupidity.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
|
|
|
|
|
Speaking of that. Whatever happened to Dalek Dave?
CQ de W5ALT
Walt Fair, Jr., P. E.
Comport Computing
Specializing in Technical Engineering Software
|
|
|
|
|
Quote: Hey Lord don't ask me questions, Hey Lord don't ask me questions
Hey Lord don't ask me questions please!
Hey Lord don't ask me questions, Hey Lord don't ask me questions
Hey Lord ain't no answer in me.
|
|
|
|
|
Very clever. A hacker pops in, looks at it, and says "Yeah, right. Like I'm gonna fall for that," decides to try hacking some other site.
|
|
|
|
|
Sander pops in, looks at it, and says "That needs a complete rewrite."
So basically any new programmer on any old project.
|
|
|
|
|
Sander Rossel wrote: We did find how to reset a password... Change it directly in the database.
That is identical to one of the vendor products we use! They created my account and sent me a password. To call it weak would be very generous, so I went looking for a way to reset it to something stronger. Couldn't find it.
Email support about it and get told, "Oh, we do that for you. What would you like your password to be changed to?"
The scariest thing is that while the product is a bit niche it is the leader in their market! Oh, and they are still using Flash.
|
|
|
|
|
Been there! Scary thing was this was a company that made stuff that went BANG (with a mushroom cloud!)
|
|
|
|
|
I'm off digging my bunker. Thanks for the heads up.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
|
|
|
|
|
Is this a VoIP provider?
A very popular UK VoIP provider does not allow users to change their own passwords since, according to its help files, (a) the same password is used both for the management web UI and the actual VoIP SIP login, and (b) it would therefore create an excessive support burden if users could change their own passwords.
No, I'm not going to say who this is.
|
|
|
|
|
No, it is a very niche product. I started to type up what they do but realized that just describing it would be enough to identify the company combined with the knowledge they are the leader in their chosen space.
|
|
|
|
|
RJOberg wrote: it is the leader in their market
Is it a market where IT is considered a necessary evil and afterthought?
That's the case for the business where I'm in and what you see is that pretty much everyone is using outdated technologies (most still have applications running in VB6 and dBase; barely anyone has web applications; on-premises .NET WinForms and SQL Server < 2013 is the most advanced you'll find; for data interchange sometimes SOAP, but more often CSV).
They simply don't care if it's good or not as long as it doesn't cost too much.
|
|
|
|
|
Sander Rossel wrote: Is it a market where IT is considered a necessary evil and afterthought?
I think it is because they are such a niche product. When you look at similar but slightly less focused solutions the options become much more current in their IT technology choices.
If I were to venture a guess, it is because they don't have the same level of competition so they don't have to be the best and smoothest operator. When Chrome/Firefox started disabling Flash by default a few years back, their solution wasn't to update. Instead their support suggested we use IE11 instead because that didn't disable Flash (at that time, not sure now).
|
|
|
|
|
On the plus side, at least they want it replaced.
You may find (though given the other shortcomings it seems unlikely) that "impersonating" is not quite the same as logging in with another user's credentials. I've written apps where an admin can impersonate another user (in order to see exactly what the user is seeing, but optionally without the option to update anything), but the login logs it as impersonation, and by whom, so at least that session is auditable.
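The distinction DerekTP123 describes, as an added example that is not code from the thread or from any product mentioned in it: an impersonation session keeps the admin as the real actor, defaults to view-only, and writes every action to an audit trail naming both accounts. All class, function and account names are hypothetical.

```python
# Added example: admin impersonation that is attributable and auditable,
# as opposed to simply logging in with the user's own password.
from dataclasses import dataclass, field
from datetime import datetime, timezone


class WriteNotAllowed(PermissionError):
    """Raised when a view-only impersonation session tries to change data."""


@dataclass
class Session:
    actor: str               # the account that actually authenticated
    subject: str             # the account whose view is being shown
    read_only: bool = True   # impersonation is view-only unless explicitly allowed
    audit: list = field(default_factory=list)

    @property
    def impersonating(self) -> bool:
        return self.actor != self.subject

    def log(self, action: str) -> dict:
        # Every entry names the real actor, so the trail never shows
        # the subject doing something the admin actually did.
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": self.actor,
            "subject": self.subject,
            "impersonation": self.impersonating,
            "action": action,
        }
        self.audit.append(entry)
        return entry

    def view(self, what: str) -> str:
        self.log(f"view:{what}")
        return f"{what} as seen by {self.subject}"

    def update(self, what: str) -> str:
        if self.impersonating and self.read_only:
            self.log(f"denied-update:{what}")
            raise WriteNotAllowed(f"{self.actor} may not modify {what} for {self.subject}")
        self.log(f"update:{what}")
        return f"{what} updated for {self.subject}"


def impersonate(admin: str, user: str, allow_writes: bool = False) -> Session:
    """Start a session showing `user`'s view while attributing actions to `admin`."""
    s = Session(actor=admin, subject=user, read_only=not allow_writes)
    s.log("impersonation-start")
    return s
```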
|
|
|
|
|
DerekTP123 wrote: You may find (though given the other shortcomings it seems unlikely) that "impersonating" is not quite the same as logging in with another user's credentials
They were pretty much the same though.
Under GDPR I doubt such a thing is legal.
Maybe it is in this system, since the customer is already known and can only download their own data that's coming from the business, but I've seen this option in a system with highly sensitive information like where someone was at what time.
|
|
|
|