Front-line programmers default to insecure practices unless they are instructed to do otherwise

Originally published at: https://boingboing.net/2019/03/27/neither-is-md5.html

…

That’s what building a registration system is worth? I’m so screwed.

So they’re like people then?

But of course. Freelance programming is very mercenary: get paid, and GTFO. Especially if you are not a direct freelancer but working for an agency, where they hammer it into you to get the code out and deployed so that they can send out the bills. Under no circumstances do you do more than the customer requested!

I mean, really. This ought to be common knowledge by now.

And yes, it is why I do not do freelance work, but prefer to be on salary. I want to take pride in my code.

Ummmm, you get what you pay for? I don’t know what else to say here.

In either case they’re paying incredibly paltry sums to total strangers on the Internet. They shouldn’t be surprised at all that they’re getting some incredibly low effort “check the boxes” work out of it. Don’t entrust your security to some guy working for less than minimum wage that you don’t even know.

Good programmers are in high demand. There is no reason for them to take jobs for peanuts on some freelance website.

BASE64 IS NOT ENCRYPTION

That’s why I always use rot13. And when I want to be really secure I do it twice.

What does taking pride in your code mean ? It is not your code, right ?

I call that Cargo Cult Programming: You have no idea how an airplane works, so you grab something airplane-ish and hope it flies.

I encrypt everything I write (even this reply) in double rot-13, to make it extra secure.

Eh, everybody looks up stuff on StackExchange. Working examples are often worth ten times their weight in traditional documentation.

I am not surprised at all that these programmers copied and pasted a lot, crypto libraries tend to have notoriously inscrutable APIs, often built with the assumption that the developer has completed a semester of college level crypto theory. Don’t know what an IV is? Well tough shit because the docs aren’t going to tell you. How big should the salt be? Well, that’s something you should discuss with your professor. You think your library will pick some sane default? Well think again because this library dates back to the 80s and for compatibility reasons none of the defaults have changed in 30 years.

you could be more efficient and just use rot26. half the code.

While StackExchange is a great resource that I use daily even 10 years into the game, it is shocking how many times the question-asker is asking about something pretty damned elemental on what sounds, from their description, like a pretty mission-critical application (and then saying in the comments “I didn’t understand your answer or where to put the code, can you just send me the whole thing?”) It’s like “Who the fuck hires these kiddies?”

Heh. I always assume that even high-ranked answers on those sites are subtly wrong. The question might be slightly different from what you’re looking for, the answer might have bit-rotted over the years, there might be hidden assumptions…

Clear answers that explain and let you understand what’s going on are gold.

Everybody has to start somewhere I guess. I do agree that if your lead engineer in charge of site security is asking StackExchange what CBC means then you’re in trouble.

The bit rot point is an interesting one. If you’re talking about C/C++ then there’s a good chance an example you find on StackExchange is still fine. However, if you’re talking about Rust or even Node then it’s a lot more problematic since the languages and practices evolve fairly quickly. I’ve found Rust examples to be especially problematic, anything older than 6 months is automatically suspect.

I mean, I think that’s why the example of freelancers is so apt. “Starting somewhere” would ideally be somewhere with a supervisor, if the jobs are going to involve any kind of security and/or handrolling of code.

I guess the name Rust is a warning?

OSes and APIs change too. An example on how to talk to specific hardware in Wheezy Debian, is likely wrong by Stretch.

This is because security is hard. Like, really hard. Even really good programmers still should get audits of their code and design from security experts - people that live and breathe that shit.

Real elyte programmer d00dz use four factor rot13.