Slashdot Mirror


Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com)

Slashdot reader Orome1 quotes Help Net Security: A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...

The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.
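The "trust all certificates" shortcut the summary mentions is usually pasted in to silence a `PKIX path building failed` error when a client talks to a server whose certificate was signed by an internal or self-signed CA. The following is an added example (written for this page, not code from the researchers, from Stack Overflow, or from any project): the insecure snippet as it typically appears, next to the fix that keeps chain and hostname validation and instead trusts the one internal CA, gated behind an explicit debug flag so it does not reach production. The truststore path `build/debug-ca.p12`, the password `changeit`, the `debug.build` system property and the `test-api.internal.example` host are all assumptions for illustration.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class TlsTrustExample {

    // The upvoted "fix": accept every certificate chain and every hostname.
    // Any on-path attacker can now present their own certificate and read or
    // modify the traffic. Shown only as the pattern to recognise and remove.
    static SSLContext insecureTrustEverything() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        // Frequently pasted alongside it: disables hostname checking for every
        // HttpsURLConnection in the JVM, not just the one test call.
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
        return ctx;
    }

    // The correct fix for the same error: full chain validation against a
    // truststore that contains the internal CA, hostname verification untouched.
    // Build the truststore with keytool (assumed path and password):
    //   keytool -importcert -alias internal-ca -file ca.pem \
    //     -keystore build/debug-ca.p12 -storepass changeit -noprompt
    static SSLContext trustInternalCa(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // PKCS12 on JDK 9+
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed test endpoint; pass a real one on the command line.
        String url = args.length > 0 ? args[0] : "https://test-api.internal.example/health";
        String trustStore = System.getProperty("debug.trustStore", "build/debug-ca.p12");

        // The extra trust anchor is only loaded when -Ddebug.build=true is set,
        // so a release build falls back to the platform CA set unchanged.
        boolean debugBuild = Boolean.getBoolean("debug.build");
        SSLContext ctx = debugBuild
            ? trustInternalCa(trustStore, "changeit".toCharArray())
            : SSLContext.getDefault();

        // java.net.http.HttpClient verifies hostnames by default; nothing here turns that off.
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + resp.statusCode());
    }
}
```

Run with `java -Ddebug.build=true -Ddebug.trustStore=build/debug-ca.p12 TlsTrustExample.java https://…` for a debug build and plain `java TlsTrustExample.java` for the production path. The point of the flag is the one the thread's comments make: the code that talks to a random internal test server still never contains a trust-all manager, so there is nothing insecure to accidentally ship.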

The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.

236 comments

  1. thank you /. by Anonymous Coward · · Score: 0

    for bringing us the late-breaking news

  2. Look at the time investments. by Mal-2 · · Score: 4, Insightful

    You mean advice from people who spend more time hanging out on Stack Exchange and less time actually writing production code is turning out to be less correct than advice from people who talk less and do more? Color me surprised. (Not.)

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    1. Re: Look at the time investments. by Anonymous Coward · · Score: 0

      And you post that shit on /. Oh the irony.

    2. Re:Look at the time investments. by AmiMoJo · · Score: 4, Insightful

      Stack Exchange has gone the same way as Wikipedia. Most of the interesting stuff was handled long ago so there are now few interesting questions left, and content is decaying and becoming out of date because no-one can be bothered to keep it current.

      To compound the problem you have the MMORPG element where people build their characters up and create a little empire for themselves, and worse than Wikipedia you actually have stats on SE.

      Throw in a poor interface and harsh treatment of new users and the site is doomed to become a mostly static archive of bad advice. There are better communities on some of the Stack Overflow sites, but they will eventually get the same way unless things change.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      "a poor interface and harsh treatment of new users"

      I just posted about those very things !

      https://developers.slashdot.org/comments.pl?sid=11203467&cid=55327183

    4. Re:Look at the time investments. by johannesg · · Score: 4, Interesting

      ...harsh treatment of new users...

      I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.

    5. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      To compound the problem you have the MMORPG element where people build their characters up and create a little empire for themselves, and worse than Wikipedia you actually have stats on SE.

      Good thing here nobody on Slashdot tries that shit, eh?

    6. Re:Look at the time investments. by hcs_$reboot · · Score: 2

      To be fair SO is still the best place to find valuable coding tips. Some snobbish Java pros criticize SO for not answering the way those big Java books are written. A 20-line answer is not sophisticated enough... well it might actually help someone a lot. The level of an answer corresponds to that of the question. A beginner question will likely get an answer for a beginner (not necessarily written by a beginner). As for the obsolete answers, it seems the search engines give preference to a newer answer - those Java pros might have searched directly from the tags in SO, and found many obsolete questions. Googling a Java question might have given newer results.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    7. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      My personal favorite is when you search for a solution to an incredibly common problem, and then follow a chain of like four Stack Overflow questions that have been closed as "duplicates" until you finally find an answer from 2008 that no longer works because the API has changed.

    8. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      I suspected that, but when I used Google to look for "authenticate user java," the top answer on the top hit on SO was to save the username and password in cleartext in the app itself and basically roll their own account system. Does that work? Does it answer the user's question? Is it a good idea? The answer to the first two questions is yes, but the last is definitely a bad idea. This is especially so since part of the question is to allow the people to sign in using their Facebook or Google accounts.

    9. Re: Look at the time investments. by ljw1004 · · Score: 1

      The best way to TRULY understand something is to teach it to someone. I've observed in my field, C#, that the top Stack Overflow answerers are indeed the real experts - indeed some of them were on the C# team itself and others were given awards for the quality of their help.

    10. Re:Look at the time investments. by jeremyp · · Score: 1

      Yeah, that's bollocks. When I do authenticate user java site:stackoverflow.com, it's not until the third link that I get an answer that looks anything like "store the password in plaintext" and it was on an Android question, where the accepted answer said "use shared preferences". I don't know enough about Android to say whether it is right or wrong, my gut feeling is "wrong".

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    11. Re:Look at the time investments. by Anonymous Coward · · Score: 3, Interesting

      StackExchange is a mob democracy, not a meritocracy. People don't up-vote something because it's correct, they vote it because they think they can understand it.

      One such situation is burned into my mind and about when I stopped participating on StackExchange. I had a question about C#, to which I got several people saying what they thought was intuitive, but I said that flew in the face of the definition of the interface. I asked the question on MSDN, got an answer from the lead dev of the .Net framework who said the current implementation was doing exactly what I thought it was and not what the others thought it should be doing. He admitted it was a flaw of following the code contract too strictly.

      I then linked the MSDN response to the StackOverflow discussion and immediately got downvoted and everything saying I was incorrect. WTF?! One lone person came to defend me by disassembling the resulting bytecode and showing what I said was true for all current versions of the .Net framework at the time. They also got downvoted into oblivion. MS did eventually change the behavior of the framework to match "expectations", but the way the community responded was a mixture of denial and mob mentality.

      I have experienced a few other such situations and eventually just stopped participating. StackOverflow is mostly full of mediocre people voting each-other with a few unicorns that made the place even worth-while.

    12. Re:Look at the time investments. by Swave+An+deBwoner · · Score: 1

      In a way that's correct though. The question is in fact a duplicate. The answer however is different now.

    13. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      Your dad’s a fanboi of muh dik up his ass.

    14. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      It's not bollocks at all. The hit that is third on Google UK is the top hit for SO on US Google. You're essentially trying to disprove someone by using a completely different version of Google.

    15. Re: Look at the time investments. by Anonymous Coward · · Score: 0

      To be fair, every user has a slightly different version of Google, giving slightly different results depending on search history

    16. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      Both the upvoting and downvoting were probably done by fake users.

    17. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      That's actually not allowed behavior. You should flag the copypasta posts.

    18. Re:Look at the time investments. by truedfx · · Score: 2

      Please link to one of your copied answers, even if it's been deleted. From my experience, although not all sites on the SE network treat plagiarism equally severely, SO is one of the better ones in this regard.

    19. Re:Look at the time investments. by Darinbob · · Score: 0

      Stack Overflow has gone amazingly downhill from the early days. I used to see interesting questions answered with very good answers combined with enlightened discussions. Today I just see dumb questions answered by people who don't know what they're talking about or who didn't even bother reading the question before starting to answer.

      This happens because Stack Overflow has turned into a bit of a mix between a social network and a gaming site. You can answer questions only if you've spent enough time grinding points, though it doesn't matter much where you've earned those points. Are you an expert? Sorry, you can't even comment to say that the answer is wrong unless you've put in the time to earn enough points to be allowed to comment. Or you're forbidden to answer because the question is too old; but if you try to open up the question again you're told that it's a duplicate of something that has been already answered.

      And let's face it. If the question is about security, you do NOT want to get your answer from stack overflow, slashdot, reddit, facebook or any other source of crowd sourced prognostications. If you have to ask the question, you should not be touching the security code and should leave it to the experts on staff; if you don't have such experts, then try to get some; if you can't get one, then change jobs.

    20. Re:Look at the time investments. by Darinbob · · Score: 1

      "I'm sorry, you can't flag this post until you earn 374 more credits."

    21. Re:Look at the time investments. by Darinbob · · Score: 1

      It's a bit like Yelp. The overwhelming urge to pretend to be a serious critic and post nonsense immediately. Is anyone spending a few days to research a correct answer and provide legitimate references to back it up, or do they just have a rush to get an answer in sooner and thus get more points?

      I see answers that have no resemblance to the actual questions. The reason the questions are usually asked is because they're not simple questions that can be answered with a quick Google search. And yet the people who answer seem to start answering with the obvious responses. Even if the question says "I already tried using X.y.z, but it didn't work", you will see the first or second answer say "you need to use X.y.z". It's down to the 10th answer with 1 or 0 votes before you see some sign of an intelligent answer that understood the question.

    22. Re:Look at the time investments. by dgatwood · · Score: 1

      This is why I make sure to actually read the existing answer(s) before flagging something as a duplicate. If there's no currently valid answer, I just write an answer. If somebody wants to take the time later to flag it as a duplicate and merge it with the other question, fine, but in the grand scheme of things, it is better *not* to do so. After all, the old, no-longer-valid answer will likely continue to be the highest-ranked answer for that old question, barring a miracle, but a new answer could become the highest-ranked answer for a new question. And over time, the page for that old question and answer will slowly diminish in page rank due to lack of inbound links, and the page for the new question will increase in rank due to recency. So the result will be that the most easily found answer will be correct as long as you keep them separate. If you merge them, the most easily found answer will remain wrong forever.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    23. Re:Look at the time investments. by dgatwood · · Score: 1

      And let's face it. If the question is about security, you do NOT want to get your answer from stack overflow, slashdot, reddit, facebook or any other source of crowd sourced prognostications. If you have to ask the question, you should not be touching the security code and should leave it to the experts on staff; if you don't have such experts, then try to get some; if you can't get one, then change jobs.

      There are way too many one-person coding shops for that to be a realistic recommendation. Just saying. :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    24. Re:Look at the time investments. by BlackPignouf · · Score: 1

      It's true, long gone are the days of getting 1000 upvotes for telling that the result of "1 / 2" is 0, not 0.5.

      Still, I started regularly writing answers on SO less than a year ago. I got more than 30000 points, got a golden Ruby badge and I'm close to getting it for Python. After that, I'll finally be able to write some productive code again :D

    25. Re:Look at the time investments. by Darinbob · · Score: 1

      Do you want to fly on an airplane designed, built, and maintained, by a single person? I certainly don't. A one person coding shop should not be taking on projects of that scale. If someone without a strong security background is asked to design and build security, that person should either reject the contract or hire an expert. If I'm asked to perform surgery on a patient as an outsourced contractor, it is my ethical duty to refuse no matter how many episodes of E.R. I have watched.

    26. Re:Look at the time investments. by dgatwood · · Score: 1

      A one person coding shop should not be taking on projects of that scale.

      What scale? Every network-using app from the most basic cloud-synchronized pedometer to the most complex stock trading app requires security, and the vast majority of developers need to do things like be able to make debug builds of their app be able to communicate with random internal test servers (possibly even servers specific to a given unit test) without every developer having to have an individual key and cert. That implies nothing about the scale of the app; it is a problem from one-person shops up through very large development shops. And the way you do such things involves mucking with security code.

      The problem comes when that code accidentally gets deployed in production. Suddenly, code that was never intended to be secure had better be. And this is why it is so important that Stack Overflow answers always tell people how to do it the right way, not the fast way.

      If I'm asked to perform surgery on a patient as an outsourced contractor, it is my ethical duty to refuse no matter how many episodes of E.R. I have watched.

      To map your analogy onto the real-world security failures that we've frequently seen, the problem comes when you're asked to merely play one on TV while blindfolded, and then you later find out that you were cutting into an actual patient, and the patient died.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    27. Re:Look at the time investments. by david-bo · · Score: 1

      ...harsh treatment of new users...

      I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.

      Links or it didn't happen.

    28. Re:Look at the time investments. by Anonymous Coward · · Score: 0

      > Most of the interesting stuff was handled long ago

      Nah, what was handled is questions like "How do I concatenate Strings in Java?"

      > so there is now few interesting questions left

      There are still highly specific and more complex questions, but those of course rarely get answered. But is it SO's fault? There are questions that almost nobody can answer.

  3. Stackoverflow: how not to help by Anonymous Coward · · Score: 0

    Stackoverflow suffers like any other forum : reputation.

    Keeping user accounts but making submissions invisible to general users would solve so much on that site.
    Just the submissions. Ratings and everything else account-based is only seen by said user, mods and admins.

    Won't solve every issue since there are idiots out there blindly trusting other idiots who also learned from other idiots that read the language spec off a blog by another idiot that put together said blog horribly when drunk at 4 in the morning.
    If people simply hired web developers, most web hacking shit would be gone over fucking night.
    It's ridiculous how much crap is on production servers that can be hacked trivially.
    APPS especially. You can hack so many apps by entering emojis! It's so dumb.
    People trying to DIY it never learn. But hey, that's not limited to software development.
    They keep us actual developers in work by fucking things up so hard. Thanks for my higher rate, friends.

  4. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    If stack overflow supported nested comments, these "security experts" could post corrections for the insecure code, kinda like how you can correct someone on slashdot. It's pretty stupid to not support nested comments in 2017 (and not the tiny font remarks SO currently uses that make them unsuitable for code).

  5. No way! by Anonymous Coward · · Score: 5, Insightful

    News flash, heavily simplified programming snippets for the purposes of example and education are probably not suitable for a production environment.

    1. Re:No way! by hey! · · Score: 1

      This of course is an enormous issue: people imprint on the first solution to a problem they understand.

      But I think more to the point here is Java's long struggle with overengineered frameworks and libraries. They tend to have a "designed by a committee" feel, and impose significant cognitive load on learners. Add to that first-solution-imprinting, and it's a recipe for trouble.

      Ultimately, though, this is no new thing. There have always been a small number of people who produce elegant, quality code and a much larger body of people who are mediocre. What's happened is that the scope of application has expanded to the point where we're asking mediocre people to do quite difficult things.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:No way! by Bite+The+Pillow · · Score: 1

      It's more than that. The answer to "how do I get past this error" is usually a code hack, such as turning off CRL checking. With no explanation on the impact, or a need to solve it another way.

      I find great advice for solving problems on a disconnected system, but very rarely the obvious caveats. And this is but one example of the kinds of answers that aren't just simplified, but flat out wrong. You need to solve it a different way.

    3. Re:No way! by david_thornley · · Score: 1

      Also, if you've got a serious logic error, it's likely to bite you fairly fast. If you've got bad performance, you'll notice. If your security is abysmal, you can test all you want and it's going to look just fine. If you're trying to get past an existing problem, you're very likely not that fussy about security.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  6. Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 2, Interesting

    I thought I would try and help people out on Stackoverflow.

    I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces. PITA.

    I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer. PITA

    A questioner added a comment to ask for an extra feature in my answer, and I could not reply to his comment, because new users cannot comment, only answer.

    I gave up.
    I suspect many people with valuable knowledge to impart will have done likewise, and left Slackoverflow to the anal badge collectors that appear to rule it.

    1. Re:Stackoverflow is popular, but PITA by hcs_$reboot · · Score: 2

      Well, you don't seem to be a dev anyway.

      > I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces

      There is a button to indent a selection and display that as code.... what's wrong with that? (the rest is text)

      > I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer

      Many new users don't know how to behave, and spam with comments. You need a few reputation points to comment... that's easy to get.

      > I suspect many people with valuable knowledge to impart will have done likewise, and left Slackoverflow to the anal badge collectors that appear to rule it

      Because *you* have valuable knowledge?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re: Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      To indent you highlight the text and hit the code block button. It's fucking simple.

      Sorry, but everything in your post indicates you are one of the morons who waste everyone's time with shitty half-done non-answers on Stack Overflow, so I'm glad you gave up.

    3. Re: Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      Everything in your post indicates you are a whining fuckwit who will luckily never leave the cellar.

      Stackoverflow's help does not mention the button:

        "
      To create code blocks or other preformatted text, indent by four spaces:

              This will be displayed in a monospaced font. The first four spaces
              will be stripped off, but all other whitespace will be preserved.

              Markdown and HTML are turned off in code blocks:
              This is not italic, and [this is not a link](http://example.com)
      "

    4. Re:Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 1

      So, your knowledge about the subject of the conversation is judged by your knowledge on how to use the site?

    5. Re: Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      This explains why I bypass the Stack Overflow answers when they come up on Google.

      I knew SO was complete shit, but now I know why. It is people like you.

      Thank you.

    6. Re: Stackoverflow is popular, but PITA by hcs_$reboot · · Score: 1

      Stackoverflow's help does not mention the button

      Of course because we're not in 1982 anymore, when you see a bunch of buttons, hover the mouse over the button and it'll tell you what it does.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    7. Re: Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      How the fuck do we 'hover the mouse over the button' when, like 70% of other web users today, we're using computers like smartphones and tablets that don't even have a mouse?! If anyone is stuck in 1982, it's you with your desktop and mouse. You've totally missed the mobile computing revolution that has taken place over the last decade!

    8. Re: Stackoverflow is popular, but PITA by jeremyp · · Score: 1

      When you answer a question, you get an edit box with some buttons at the top. The first one is a bold "B". Guess what that does. Then there's an italic I, guess what that does. Then there's an icon that looks like two links of a chain. Guess what that's for. Then there's a double quote mark. Guess what that's for. Then there is a button with two braces {}. You'll never guess what that is for, unless, of course, you program in a C-like language or you hover the mouse over it to see the tool tip.

      Also, Stack Overflow uses a formatting syntax called "markdown". It's the same as GitHub. Now you know what the "md" in "Readme.md" means.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    9. Re: Stackoverflow is popular, but PITA by hcs_$reboot · · Score: 1

      You're developing directly on your iphone 5??

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    10. Re: Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      No, you stupid moron. We're trying to answer SO questions with small snippets of code while using our iPhone 7s and our iPad Pros. What the heck is wrong with you? You can't even follow our simple thread of discussion here!

    11. Re:Stackoverflow is popular, but PITA by stephanruby · · Score: 1

      You probably won't see these comments since you've posted anonymously:
      1. You can highlight multiple lines of code at the same time and press the code bracket button to indent.
      2. You can edit an answer to answer a comment. This is not perfect, but the no-comment rule for new accounts is to combat spam
      3. Yes, there are anal people on there. If you find something that works better, do let me know

    12. Re:Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      > You probably won't see these comments since you've posted anonymously:

      I post anonymously because just as I have no desire to earn Badges on Stackoverflow, I have no desire for Karma here, but I do check replies.

      > 1. You can highlight multiple lines of code at the same time and press the code bracket button to indent.

      I followed the instructions, I did not hunt for buttons.

      > 2. You can edit an answer to answer a comment. This is not perfect, but the no-comment rule for new accounts is to combat spam

      So I can spam with all the answers I like, but not add legitimate replies to legitimate comments on my own legitimate answers.

      > 3. Yes, there are anal people on there. If you find something that works better, do let me know

      I do not think anyone is arguing that it is not a great, or even the best, resource for quick solutions to common coding problems, but that does not mean it is perfect, and I related my own experience with it as someone with useful knowledge to impart, but being put off by its poor interface and bad ( no matter how well-meaning ) rules.

      ( Thank you for your civil reply. )

    13. Re: Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      I refuse to hunt for buttons, but I followed Stackoverflows's help text, which stated "To create code blocks or other preformatted text, indent by four spaces". IIRC, it did not mention Markdown.

    14. Re:Stackoverflow is popular, but PITA by tepples · · Score: 1

      Many new users don't know how to behave, and spam with comments. You need a few reputation points to comment... that's easy to get.

      if you have no life beyond Stack Overflow.

      It takes 50 points (five answer upvotes) to earn comment privileges, and an accepted answer is worth 15 (an upvote and a half). Does making two upvoted, accepted answers imply "no life beyond Stack Overflow"?

    15. Re: Stackoverflow is popular, but PITA by tepples · · Score: 1

      Users of the Stack Exchange application for Android can long-press buttons to see what they do without activating them.

    16. Re: Stackoverflow is popular, but PITA by tepples · · Score: 1

      With the strict "App Store only" execution privilege model of the iPhone 7 and iPad Pro, how do you test your "small snippets of code" before submitting them through the Stack Exchange app? Do you lease a server somewhere and then SSH into that to test them?

    17. Re: Stackoverflow is popular, but PITA by Darinbob · · Score: 1

      Add a link to the markdown info page. Many people browse with noscript, which makes some of these blog/forum oriented sites extremely vague (and no, they do not all use the same mark up/down syntax and the syntax will likely change in a couple of years anyway).

    18. Re:Stackoverflow is popular, but PITA by Darinbob · · Score: 1

      This is why it feels so wrong. Any idiot can answer, but you have to grind the points before you can comment. Newcomers will be confused and likely look at the answers first. But over time even the commenters have become clueless, so you can't trust the comments either anymore. The only way to use it is to not trust it; read all the answers and comments, if it feels off then follow the "related questions" instead, and soon you may be at an older question answered back when people who actually knew things participated.

    19. Re:Stackoverflow is popular, but PITA by dgatwood · · Score: 2

      Arguably, being unable to comment on your own answers is a bug, regardless of reputation....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    20. Re: Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      SO does have some good answers and discussions. Sometimes you need to look for the -1 voted answers instead of the +700. They're in there, just lots of noise.

    21. Re:Stackoverflow is popular, but PITA by nasch · · Score: 1

      I still use SO, but I gave up on editing after one edit got rejected for being too small, and another one was rejected for being too big.

    22. Re:Stackoverflow is popular, but PITA by tepples · · Score: 1

      What do you mean by that? A user who isn't suspended can comment on his own question or answers to his question or reply to comments on his own answer.

    23. Re:Stackoverflow is popular, but PITA by dgatwood · · Score: 1

      I mean that the GP post relative to my post said that he/she couldn't reply to comments on his/her own answers. Whether that's true or not, or whether it has ever been true or not, I couldn't say.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    24. Re:Stackoverflow is popular, but PITA by Anonymous Coward · · Score: 0

      "A user who isn't suspended can comment on his own question or answers to his question or reply to comments on his own answer."

      A user cannot comment AT ALL until they have 50 points.

    25. Re:Stackoverflow is popular, but PITA by tepples · · Score: 1

      A user cannot comment AT ALL until they have 50 points.

      This must be a bug, as the behavior you describe doesn't match the behavior described in "Help Center > Privileges > comment everywhere": "Please note that you can always comment on your own posts, and any part of your questions."

      If you are seeing behavior other than as described, could you provide a link to the question and a screenshot of the post, including the author box and the missing or grayed out comment link?

  7. Re:Stackoverflow: how not to help by Fly+Swatter · · Score: 3, Funny

    If people simply hired web developers, most web hacking shit would be gone over fucking night.

    Thanks for the chuckle.

  8. Java is very secure by Anonymous Coward · · Score: 2, Funny

    Java is [garbage collecting ] very s [gc] e [gc] [gc] cure.

    The garbage collection [gc] algorithm [gc] [gc][gc] ensures that [gc] [gc][gc] you never know [gc] [gc][gc] when it will [gc] [gc] [gc] crash and [gc] [gc] can't exploit [gc] [gc] [gc] common stack [gc] [gc] [gc] pointer [gc] [gc] [gc] bugs.

    Also, since java is slow [gc] [gc] [gc] that's another security feature [gc] [gc].

    fast programs crash [gc] [gc] too fast [gc] [gc]. Making exploits [gc] [gc][gc] trivial [gc] [gc].

    All operating systems should [gc] [gc] be java based. Try [gc] [gc] [gc] hacking [gc] [gc] [gc] something that [gc] [gc] [gc] takes 3 days to [gc] [gc] [gc][gc] boo java expection error.

    1. Re:Java is very secure by Anonymous Coward · · Score: 0

      Stop using that 286 machine... it belongs in a museum.

    2. Re:Java is very secure by Anonymous Coward · · Score: 0

      Modern Java doesn't need to GC anywhere near that frequently.

      Instead it goes for using as much RAM as it can before doing a GC pass, and then never returns the memory it no longer needs to the OS, ensuring that all running Java processes slowly end requiring whatever the default memory cap is. I think it's something like 25% of the available system RAM by default, meaning that if you have four Java programs running, eventually you WILL run out of memory, even if the Java programs don't need anywhere near that much memory. The theory being that you have infinite swap space so it's OK to just keep memory allocated that isn't used for anything and may never be used for anything again.

      I think there may be an option somewhere to let Java return memory to the OS, but if there is, I don't know what it is, because I only looked this up on Stack Exchange.

    3. Re:Java is very secure by jeremyp · · Score: 2

      WordPerfect 5.1?

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    4. Re:Java is very secure by Anonymous Coward · · Score: 1

      Funny, I can still compile a "hello world" program in C/C++ and have it work on, say, my 80x86.

      Try that in Java.

      I shouldn't need 4Gb of RAM to execute 4 copies of "hello.exe", or sorry, "java hello.jar".

      Why does java need 4GB of ram for "hello world"?

      Isn't java supposed to be "write once, run anywhere"?

      My C++/C programs run anywhere...can Java run hello world on my 1GB raspberry pi?

      How about my small embedded system?

      java is great for programmers learning, and other low skilled IT folks who want to throw something against the wall and see what sticks.

    5. Re:Java is very secure by Anonymous Coward · · Score: 0

      My C++/C programs run anywhere...can Java run hello world on my 1GB raspberry pi?

      Amusingly enough, the default Raspbian distribution comes with Java for some unknown reason. I wouldn't recommend using it (Java requires at least 1GB of free memory to start the JVM) but it's THERE.

    6. Re:Java is very secure by Anonymous Coward · · Score: 0

      I don't know about raspberry pi, but I regularly run a java swing app (with DB + dozens of libs) on a 386MB xbuntu 32bit VM, and it works fine.

    7. Re:Java is very secure by Anonymous Coward · · Score: 0

      Look, the runtime installer tries to trick the user into installing unwanted software by default and should be considered to be malware.
      After that, do you really care if the program you were trying to run has some security holes?

    8. Re:Java is very secure by Anonymous Coward · · Score: 0

      If you'd stop creating new objects for every tiny thing you're doing, the GC would hardly ever run. And if you upgraded from your single threaded CPU you'd never even notice the new GC running on its own thread.

  9. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    kinda like how you can correct someone on slashdot.

    Typical Slashdot correction: "Have you stopped raping your neighbor's goat?"

  10. Reminds me of Michael Scott in "The Office" by mykepredko · · Score: 1

    When he asks for the YouTube people to come in and film him.

    You can hope for good advice but in the long run when it comes to security features, you have to know who you are talking to, what their qualifications are and make sure they're there to support you down the road - which means you are going to pay them. "Gr8CdrGrl427" on Stack Overflow might have an interesting approach as to how to position and code a slider control but taking security advice from them is simply dumb - the worst case is they're making a suggestion that will lead to an exploit they work.

    A basic rule of the internet is, don't trust somebody that's helping you for the good of their health.

    1. Re:Reminds me of Michael Scott in "The Office" by Anonymous Coward · · Score: 0

      I use SE/SO for idea generation. I have very rarely found complete workable stuff on there that's immediately useful, but really it's not for that, because so often your situations are simply different than the original question or the context in which the answer is being given.

      However, it's extremely useful when analyzing answers to find that "hey, they're using that interface for this, what is that interface, I've never noticed that before..." and "ahh, so they are also finding that this is buggy and trying to work around it, and it's not just that I'm doing it wrong...". Usually, the code in the answers are worth 20%, and summaries in the answers plus associated comments (which often point out security/resource risks) are the other 80%.

      If you're trying to use SE/SO as your sole answer to any potential problem you get stuck on ever, you're absolutely doing it wrong.

  11. Re:Java is in and of itself bad advice by Junta · · Score: 3, Informative

    Not really the fault of the language....

    Of course the secure 'solutions' should take note that something is deeply wrong with how they go about providing secure options when this happens so much.

    People don't do this because they like being insecure, they do it because it's easier.

    Disabling CSRF is popular because it's *generally* implemented in a pain-in-the-ass way. Not only in a pain in the ass way, but it seems every five seconds another framework comes up with a slightly different approach to CSRF that isn't any better or worse than the myriad of approaches already. One massive improvement on that front in general would be to disable all that crap if no referrer is set at all, which would solve 99% of the situations where people feel compelled to weaken CSRF protection (non-browser automation).

    There are two accepted approaches for TLS if you are not doing things for internet sites: Maintain a convoluted CA setup or if you can't bring yourself to do that, well, disabling it is the only other easy way provided. In my software I tend to provide the option of treating TLS software similar to ssh known hosts if CA verification is not an issue, and users are never bothered, until something does go awry.

    Using obsolete communication protocols and hashes is generally the consequence of having to interact with data or equipment or older setups. Sure some of it is just people got taught that specific way once upon a time directly addressing low level crypto functions, but a lot is intentional. Of course this is a problem that propagates, new interface to old setup uses old protocol, new thing to talk to new thing, well might as well use old protocol there.

    --
    XML is like violence. If it doesn't solve the problem, use more.
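    The two options Junta contrasts, as an added example (not Junta's code, and not from the study or Spring Security): the "trust all certificates" X509TrustManager that high-voted answers hand out, beside a trust-on-first-use manager modelled on ssh known_hosts. The class names, the file format (one "host sha256-hex" pair per line) and the use of a leaf-certificate SHA-256 fingerprint are all assumptions of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.X509TrustManager;

/** The "accept everything" manager that the insecure answers recommend.
 *  Every server certificate passes, including one presented by an active
 *  man-in-the-middle, so TLS no longer authenticates anything. Shown only
 *  for contrast with the class below. */
final class TrustAllManager implements X509TrustManager {
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

/** Trust-on-first-use (hypothetical class, added example). The first
 *  certificate seen for a host is recorded by SHA-256 fingerprint; a later
 *  mismatch is rejected loudly instead of silently accepted, which is the
 *  "until something does go awry" behaviour of ssh known_hosts. */
final class KnownHostsTrustManager implements X509TrustManager {
    private final Path store;   // constructed path, e.g. ~/.myapp/known_hosts
    private final String host;  // the host this connection is meant to reach
    private final Map<String, String> known = new HashMap<>();

    KnownHostsTrustManager(Path store, String host) throws IOException {
        this.store = store;
        this.host = host;
        if (Files.exists(store)) {
            for (String line : Files.readAllLines(store, StandardCharsets.UTF_8)) {
                String[] f = line.trim().split("\\s+");
                if (f.length == 2) known.put(f[0], f[1]);
            }
        }
    }

    /** Hex SHA-256 over the DER encoding of the certificate. */
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity();   // expired or not-yet-valid certificates are still rejected
        String fp = fingerprint(leaf);
        String pinned = known.get(host);
        if (pinned == null) {
            // First contact: record the fingerprint. This is the one moment at which a
            // substituted certificate would be accepted, exactly as with ssh known_hosts.
            known.put(host, fp);
            try {
                Files.write(store,
                        (host + " " + fp + System.lineSeparator()).getBytes(StandardCharsets.UTF_8),
                        StandardOpenOption.CREATE, StandardOpenOption.APPEND);
            } catch (IOException e) {
                throw new CertificateException("cannot persist known host entry", e);
            }
        } else if (!pinned.equals(fp)) {
            // Changed certificate: fail closed and tell the user, rather than trust it.
            throw new CertificateException("certificate for " + host + " changed: expected "
                    + pinned + " but got " + fp);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client certificates are not handled by this manager");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

    Install the manager with `SSLContext.getInstance("TLS").init(null, new TrustManager[]{mgr}, null)` and leave the default HostnameVerifier in place; disabling hostname verification alongside a trust-all manager is the second half of the same insecure answer.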
  12. Re: Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Of course not. That goat's ass is so tight...I need to rape it daily.

  13. Lazy Apathetic Enterprise Coders by Anonymous Coward · · Score: 2, Insightful

    Coders today are completely lazy, don't give a fuck about doing anything other than writing code and meeting goals. Management didn't tell them to do it? They don't fuckin' do it. I grew up developing web sites and web apps and learned security the hard way ...getting fucking rooted dozens of times! when I started doing development for money I had to make sure someone couldn't just bypass security controls and hack the customer's sites and when they did, you bet your ass i had to FIX IT. It should be obvious to anyone with a fucking pulse that as soon as you put a site online, SOMEONE WILL ATTEMPT TO BREAK INTO IT.

    When I got my first professional IT job as a developer, I had to be aware of security on publicly exposed web sites. I had to understand basic concepts such as how requests are handled, how variables are managed, preventing SQL code injections. When I came across vulnerabilities it was my responsibility to communicate that to management and GET THEM FIXED. Oh what you wanted the new company site live thursday? Fuck that, but i'll see what I can do AFTER we fix these other issues. You know something? Not once was I ever told NOT to focus on a major issue when I found one. Those were the "Good old days" - working for a small not-for-profit of all things.

    Now, as an IT "Engineer" I manage systems, not code and it's not my place to open my big fucking mouth every time i see something so cringeworthy, i want to just jump out the fucking window. Our fucking developers don't even understand how mother fucking SSL works. I'm NOT MAKING THIS UP. "I don't have time to learn that." they actually say this! Here are a bunch of highly paid professional fucking developers and they don't even know how SSL(ok, TLS now) WORKS ...and here's the kicker, to them, it's not even THEIR FUCKING RESPONSIBILITY to know. Their job is writing code. If two web services can't talk because they don't know how certificate based authentication works, that's not their problem ...to them that's a system problem. How the hell do you think they're going to approach security and vulnerability management?

    Is it any surprise then that these very same people don't give one fuck about security, much less even understand the impact of a security vulnerability might be? Hack after fucking hack, all of our personal and private information is being stolen and sold and it's because of people like this. People whose job it is to write code, and whose job it IS NOT to give even a single solitary fuck about security.

    Now your typical enterprise may have third party security assessment and penetration testing - which is OK, but most of the time it's testing well-known exploits. The average exposure to vulnerability remediation an enterprise developer gets is putting a ticket into the engineering queue to ask them to modify the load balancer/WAF to add "httponly" and "secure" flags to the fucking cookies. That's when the company starts blowing millions on software and tools to do the work for you, but we all know the buck's gotta stop somewhere. Don't professional enterprise developers have a goddamn duty to be aware of these things and to put the time and effort into avoid such common fucking failures?

    1. Re:Lazy Apathetic Enterprise Coders by Anonymous Coward · · Score: 0

      Been there, done that. Try teaching MCSE's and security consultants how to spell "DNS".

      I just spent way, way, way too much time explaining to an AWS certified engineer that writing an AWS script to look up and report the IP address of each instance as you wanted to connect to it was *not* a workable replacement for DNS and would not help with their SSL invalid certificate problems.

    2. Re: Lazy Apathetic Enterprise Coders by Anonymous Coward · · Score: 0

      You sound like the one who is clueless about how AWS works. The AWS expert who you didn't understand knew that when you're spinning up and shutting down EC2 spot instances on a continual basis to match load variations it's better to query the EC2 API directly instead of trying to keep a DNS server up-to-date and fully synced. While he's getting real work done you're sitting around wasting time figuring out why your goddamn hostnames aren't resolving properly. You're trying to apply your outdated, irrelevant, pre-cloud misunderstanding to a modern world that's far beyond where you're stuck.

    3. Re:Lazy Apathetic Enterprise Coders by Antique+Geekmeister · · Score: 1

      > Now your typical enterprise may have third party security assessment and penetration testing - which is OK, but most of the time it's testing well-known exploits.

      They're typically not allowed, by the company paying them, to probe for the most dangerous vulnerabilities. Passwords sent via github, VPNs that open full access to unencrypted services from poorly secured internal networks, permanent root credentials embedded in source code, and other issues abound.

      I've recently been forced to cope with a software architect who insisted on a common OpenBSD policy, that if your local system is not secure, then there was never any point to having security, so they refused to have any on their local systems. The result is that they opened tunnels between the production network and their laptop, and opened SSH tunnels to and from their laptop into their home desktop, all tunnels open 24x7. These tunnels used private keys with no encryption, stored locally on all of these systems, and available on NFS and CIFS shares, and on publicly recoverable backups throughout the network.

      Recovering from that was quite painful. I was compelled not to bring up the issue formally in my project reports. I _may_ have been aware of someone inside their company to whom I presented a report on this, who _may_ have taken some private, internal steps to flood the channels. That brought it to the visible and official attention of their network group when the architect complained about poor performance of these channels. Unfortunately, this architect was in the habit of doing all their work on their laptop and never submitting their work to source control.

      Before completing my designated tasks, I did hand over tools to take daily snapshots of the workspace on that exposed laptop, as a "proof of concept". I also hoped they could use that backup to reconstruct some of the work if that engineer quit or was let go.

    4. Re:Lazy Apathetic Enterprise Coders by Anonymous Coward · · Score: 0

      Our fucking developers don't even understand how mother fucking SSL works. I'm NOT MAKING THIS UP.

      I agree with you but...many web developers even use OS X or Linux...but have no concept of command line, or scripting. Python maybe...PHP...but no concept of stdin/stdout/stderr. Or pipes. Or tee sed tr cut find uniq xargs sort wc od bc ...

      I am not defending them...but no one pays them to learn. If they don't learn, they get paid the same. If there is a hack, they can always blame the sysadmins.

      Why should they care? Management doesn't care. If they did, they would make them "learn" such things.

      On the other hand, management does care about things that are checklist items, certifications...even admitted to me such things are useless, won't help me in any way whatsoever, I already know more than that test...but you have to get it anyways, it is policy.

      So, management is capable of policies and "certifications" ...they just choose not to give a crap about such things.

      Notify management. What's the worst they can do? Just tell them you think it should be something everyone knows the basics of to prevent security issues.

  14. Smart the OP posed as AC. by mykepredko · · Score: 1

    Yeah seriously - This is a case where using AC tag is warranted.

    It protects the original poster from the shame of being labeled a frickin' moron.

  15. The main problem with StackOverflow et al: by Anonymous Coward · · Score: 0

    They hate discussion. Many, many times I've seen a question closed because they were asking a question that was more complicated than mere Q&A. And once an answer is up, "replies" to it are limited to basically Twitter-sized comments. Good luck posting your own answer that corrects people and/or presents a different solution: don't worry, it's not like it will get removed, but you're competing against an accepted answer - which is not the same thing as a "best" or "correct" answer.

    Anyone remember programming forums? They're dying because of StackOverflow. But you can find there a community, varied discussions, multiple answers from different viewpoints, and people who are interested more in helping than in getting badges.

    If I had a dollar for every time I've had to correct bad advice someone got from StackOverflow, I could take annual vacations to Hawaii.

    1. Re:The main problem with StackOverflow et al: by jeremyp · · Score: 1

      Stackoverflow is specifically a Q&A site. It's not for discussion but answering questions. Don't criticise it for not being something it is not meant to be.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    2. Re:The main problem with StackOverflow et al: by tepples · · Score: 1

      you're competing against an accepted answer - which is not the same thing as a "best" or "correct" answer.

      So perhaps the real problem is how to make it more obvious to readers that the good answer has twice the upvotes of the accepted answer.

  16. Re: Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Is it rape? I don't hear the goat complaining.

  17. Even college teaches bad coding by Anonymous Coward · · Score: 0

    I had a friend taking a college course to learn C coding, a supposed good example from class on reading a file was

    #include <stdio.h>

    int main(void) {
        char c; /* the bug being taught: EOF is an int, and a char cannot hold it
                   distinctly from a valid byte, so this loop can end early or never */
        while ( (c=getchar() ) != EOF) {
        }
        return 0;
    }

  18. I'm surprised they're not blaming Russia by Anonymous Coward · · Score: 0

    for this.

    1. Re:I'm surprised they're not blaming Russia by hcs_$reboot · · Score: 1

      Russia is actually advanced in computer science and doesn't use Java.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  19. I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 1, Insightful

    When I've had to make a quick judgment about a programmer's knowledge and competency, I've found that there's one simple question to ask that works wonders:

    "What do you think about the Rust programming language?"

    Some people will say, "Rust? What's that?". These are typically unskilled people who probably don't know more than elementary JavaScript or PHP. I tend to ignore these people going forward. They're not worth my attention.

    Other people will say, "Rust! Rust is fantastic! It's so safe!". These people are typically hype-loving suckers. They've heard of Rust, probably at Hacker News or Stack Overflow, and have bought into the hype about it. They want to come off as "trendy", so they talk about how great Rust is. I tend to ignore these people going forward, too. I don't want to deal with small-minded people like this.

    Others will say, "Rust... I tried it. I was not impressed." These people can be respected. They have up-to-date technical knowledge, and they're willing to try new technologies, but they're not blinded by hype. These people are worthy of consideration. One thing to be aware of is that they're neutral about something they should not be neutral about. There are just some things that people should have strong negative feelings for.

    Finally, the most intelligent will say, "Rust? Fuck, no. I use C++." These are the people to take seriously. They aren't just neutral about Rust. They actively dislike it. This means that they've probably got a thorough understanding of Rust and its flaws. What's more, they clearly know that C++ is a better alternative, and actively choose to use the best option available. These people get my attention, and I respect what they're saying.

    It's really surprising how much insight you can get about somebody from such a short and simple question.

    1. Re: I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 1

      Awesome. It's a breath of fresh air to finally hear this.

    2. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 1

      Nuh uh! Rust is the second coming of Jesus! It will cure all diseases!

    3. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      Others will say, "Rust... I tried it. I was not impressed." These people can be respected.

      why thank you!

    4. Re:I trust advice from people who dislike Rust. by Junta · · Score: 2, Interesting

      I think there's room for "I've looked at rust, it might be a good idea, but not to the extent it is hyped".

      I will concur that I see too many folks saying roughly "oh yeah, Java/Javascript/(etc.) are so much less secure than rust". Those people obviously don't understand *why* rust has the claims about security and/or have a really piss-poor understanding of other languages. It also implies a huge misunderstanding about security in general, that a language design can fix the most usual offenders nowadays (it's generally poor design rather than some sort of buffer overflow or use after free). It is over hyped and way too many people champion it without understanding other than hip to be novel. Hype indeed can inspire a healthy wave of skepticism. Particularly after Go went through just about the exact same hype cycle about 5 minutes ago and has much of the same benefits.

      Rust has some decent concepts as a "c-like" language, but with far less tedium around making sure you don't go off into undesired places when your code executes. While most security problems stem from design, there are certainly problems that are still caused by careless mistakes with pointers taken at face value.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    5. Re: I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 1

      Rust cured my blind aunt Maggie. Now she can dance again.

    6. Re: I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 2, Insightful

      Jesus F Christ on a stick! Think, man, think!

      There's a reason there are so few java based root exploits!

      Because who in their right mind would give a java app root permissions?

    7. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 2, Informative

      Of course Rust code isn't often exploited. Nothing important has actually ever been written in Rust! It's damn near impossible to exploit software that doesn't actually exist.

      It's excusable that there are holes in some C code. Much of this code was pioneering, and didn't have the hindsight of experience when it was being written. A lot of C code actually predates the widespread use of networking.

      Of course, many people and organizations what would have used C in the past now use Modern C++. While Modern C++ does allow you to write insecure code, it's actually quite difficult to do. As long as you use the STL template algorithms and classes, and as long as you use smart pointers, your code will be quite safe.

    8. Re: I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      Me, I do that. Root everything all the tim

    9. Re:I trust advice from people who dislike Rust. by HiThere · · Score: 0

      Again it's the question of what your problem is. For some problems Rust is probably a reasonable solution. It wasn't for mine, because their model of parallel execution didn't mesh with what I need. But if I were to try to do it in C/C++ I'd need to run multiple independent threads of execution each handling a custom UDP server. So go is a better solution to what I need. For other problems that wouldn't be the correct language at all.

      There *is* no "one size fits all" programming language. Just because you can shoehorn something into a language doesn't mean it's a good idea. Otherwise we'd be writing everything in assembler or Forth or something.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    10. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      Although my gut feeling is to agree with this poster and laugh, it seems that there is no real substance to the parent comment. First, it appeals entirely to the sensibility of the unknowable poster: why do we trust the judgement this AC? Because we cannot know anything about this "anonymous" user, we are more likely to project our own prejudices and thoughts. So here I am likely allowing confirmation bias to write my preconceptions and experiences with Rust onto the specific, affirming anecdotes I am being presented with.

      We are then presented with an arbitrary pecking order and some kind of personal code-physiognomy. Seriously, this reads like one of those trashy clickbait "The 5 Kinds of Programmer" drivel articles that Hacker News gobbles up, where you're definitely not allowed to point out the implied 6th kind, who fingerwags and gossips about the profession rather than doing the fucking work and improving.

      Your "conclusion" highlights the fact that you willingly blinker to yourself during human interactions, preferring intellectual shortcuts over the burden of mindfulness.

      In short, Rust is still shit, but so is your argumentation.

    11. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      You forgot those who would say: Rust? Nah, it is just another programming language I don't care about. I heard it isn't worth it, I don't have time to test every language of the week personally.

    12. Re:I trust advice from people who dislike Rust. by humankind · · Score: 1

      It annoys me that "competent programmers" are those that are supposedly always researching newer technologies.

      The fact remains that the core of everything software-related is still operating on 40+ year old technology that is time-tested and proven reliable and secure.

      Every time someone tosses out a new API, SDK, or programming language, I cringe. Most of the time those systems provide a false sense of security.

    13. Re:I trust advice from people who dislike Rust. by guruevi · · Score: 1

      Almost every *real* program out there in the wild is also found in C/C++ code. Even Java, Python and Rust are in the end written in C/C++ and they also have had their exploits. You can program securely in C/C++, you can program insecurely in Java, you can have efficient code in C/C++, you can't have efficient code in Java/Rust/Python.

      Whether your application crashes and gives root or allows full access to the data, it doesn't matter in the end how you do it if you need unauthorized access to the data.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    14. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      What is actually wrong with Rust, oh great and wise off-topic troll?

    15. Re:I trust advice from people who dislike Rust. by nasch · · Score: 1

      PowerPoint is Turing complete, we should just use that.

    16. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      I know 27 languages, I haven't looked at Rust yet. I guess I'm outdated? :) Enjoy using my Apache Spark backed applications!

    17. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      I'm sorry, but who the fuck are you? Why should I care what your opinion is?

    18. Re:I trust advice from people who dislike Rust. by phantomfive · · Score: 1

      The most common security exploits are XSS or sql injection. It's not easy to exploit a buffer overflow on a modern OS because of protections like ASLR, so truly exploitable remote exploits based on buffer overflows are relatively rare.

      They do get a lot of attention though because things like OpenSSL are used on almost every website.

      --
      "First they came for the slanderers and i said nothing."
    19. Re: I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 1

      The experience of reading his post was more like a lung full of fart.

    20. Re:I trust advice from people who dislike Rust. by emag · · Score: 1

      How would you rate "Rust? Heard of it. Has some interesting concepts, but I haven't had the time to really look into it myself yet"? Because, that's where I'm coming from. I want to look at both Rust and Go, but between work and real life, it's probably not going to happen until I manufacture a real reason to do so...

      --
      "The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
    21. Re:I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      I modded the above "interesting" because it shows some expenditure of thought and is a welcome respite from mindless "Rust is hipster cancer" trolling, but I think it still overhypes the hype and misses the point of Rust's safety guarantees: buffer overflows and use-after-free may not be significant issues in the entirety of modern software, but they definitely are in the niche that Rust is targeting, that of high-performance, non-garbage-collected, predictable time/memory footprint code often lumped under "system programming". Those guarantees are not going to eliminate all bugs, of course, but they will enable spending the programmer's mental energy more profitably.

    22. Re: I trust advice from people who dislike Rust. by swilver · · Score: 1

      Root exploits are nasty because the program hacked isn't running as root...

      If only it were so easy to simply not run anything as root...

    23. Re:I trust advice from people who dislike Rust. by tmjva · · Score: 1

      Actually I would say: "Rust? I wouldn't know, I don't use it."

      I'm blinded by hype, rather I'm blinded by job-security and an eye towards retirement and already getting one retirement check. Still here on Fortran/77.

      --
      Tracy Johnson
      Old fashioned text games hosted below:
      http://empire.openmpe.com/
      BT
    24. Re: I trust advice from people who dislike Rust. by Anonymous Coward · · Score: 0

      Minix 3.

    25. Re:I trust advice from people who dislike Rust. by david_thornley · · Score: 1

      You can easily get protection from buffer overflows and use-after-free in C++, also, and that language is very good for systems programming. You don't have to go to a new language for that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  20. Re:Java is in and of itself bad advice by zieroh · · Score: 1, Insightful

    If stack overflow supported nested comments, these "security experts" could post corrections for the insecure code, kinda like how you can correct someone on slashdot. It's pretty stupid to not support nested comments in 2017 (and not the tiny font remarks SO currently uses that make them unsuitable for code).

    I've actually studied this at length, and even read a few treatises on the subject. Short answer: nope. Nested comments pretty much suck.

    Nested conversations (like those here on slashdot) don't actually make conversations better. They just splinter the conversation into a thousand shards, each of them relatively short, and rarely on topic. They also promote shitty quoting habits and make it difficult to pick up a conversation where you left off without re-reading the whole damn thing.

    Flat, linear comments tend to stay on topic, force people to quote properly, and are ordered properly with respect to time.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  21. Stack Overflow provides comfort for autists. by Anonymous Coward · · Score: 0

    What a lot of people don't understand is that Stack Overflow is a very comforting place for autists.

    Don't get me wrong, I'm being completely serious about this. I'm not joking about autism and Aspergers, which are very serious disorders that can have a huge impact on somebody's life.

    Stack Overflow's community has a rigidity that's nearly unmatched. The only other community that might be as rigid is the Rust programming language community. Both have a strict set of rules that the community must follow, and there's absolutely no flexibility with regards to how these rules are followed. Anyone who deviates from these rules is harshly treated, and in many ways driven out of the community.

    This rigid community foundation essentially gives autists a script they can follow. It takes away the difficulties they find with more natural, free-flowing social interaction. All interactions within the Stack Overflow and Rust communities are like following a checklist. They don't have to think about their social interactions; they just follow a template.

    Of course, to non-autists this sort of a system seems remarkably strange, and often tyrannical. Non-autists can sometimes find it difficult to understand why people would want to engage in such faux "socializing". But these non-autists fail to realize that those with autism often find great comfort in being subjected to a very strict set of rules, and a sequence of steps they can follow in order to engage in an activity that resembles socializing.

    Non-autists shouldn't expect to enjoy engaging in a community like the Stack Overflow community or the Rust community. The structures of such communities have become tailored to work pretty much only for people suffering from autism or Aspergers or some other similar condition.

    1. Re:Stack Overflow provides comfort for autists. by Anonymous Coward · · Score: 0

      Maybe if this was pointed out to new users, they might be more willing to take the nonsense.

    2. Re:Stack Overflow provides comfort for autists. by mrbester · · Score: 2

      If the template is "when you think a question is a duplicate, don't bother checking, just mark it and move on to the next. Don't link to the duplicate, the loser noob should have found it themselves" or "Don't answer a simple question if you can just respond with derision of the language (programming or textual, doesn't matter, but bonus points for both)" or "downvoting to oblivion an answer that, whilst correct, you don't agree with, either by tone, implementation or just because it's Wednesday and you're annoyed about something" then that's not a good base to establish learned behaviour from.

      Encouraging such dismissive behaviour purporting as a set of rules and "the way things are done" (a fallacy of a societal norm) to those on the spectrum who are unaware it isn't doesn't help them cope and is more likely to be deleterious to them in the real world.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    3. Re:Stack Overflow provides comfort for autists. by Anonymous Coward · · Score: 0

      SO is not a social network. It is not meant to enable social interactions. Its purpose is to become an excellent collection of high quality questions and answers. On topic, interesting, and relevant. So yeah, that requires some rigid rules.

    4. Re: Stack Overflow provides comfort for autists. by Anonymous Coward · · Score: 0

      Only a severe autism sufferer could seriously say that a site involving users communicating with one another isn't a social media site!

    5. Re:Stack Overflow provides comfort for autists. by Darinbob · · Score: 1

      Rules such as "All C questions must be answered in the form only suitable for C++", or "For a question about a programming language, always give an answer from the Visual Studio manual in preference to a language's official published standard."

    6. Re:Stack Overflow provides comfort for autists. by Darinbob · · Score: 1

      And yet the rules have resulted in extremely low quality answers, many of which are utterly wrong and unable to be corrected according to the rules. Stack overflow has become a cesspool of bad advice; albeit a cesspool with a set of rigid rules.

      It's a bit like the US Congress, only without the high minded sense of cooperation, duty, and high mindedness that Congress has.

    7. Re:Stack Overflow provides comfort for autists. by dgatwood · · Score: 1

      It's a bit like the US Congress, only without the high minded sense of cooperation, duty, and high mindedness that Congress has.

      *blink*. *blink*.

      It's a miracle! Darinbob—in a coma since the Reagan administration—just woke up and posted on Slashdot!

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  22. Re:Java is in and of itself bad advice by zieroh · · Score: 1, Informative

    I'm a veteran of the software industry (3 decades, now) and regularly screen, interview, and hire software engineers -- mostly college grads, some with a few years of experience in the industry. I can tell you with absolute certainty that Java programmers -- those who primarily learned Java in college -- are easily the worst programmers I encounter while hiring. And to date, I haven't hired a single one of them, even though I've talked to and interviewed countless numbers of them.

    Want to learn to program? Start with C. You can expand to whatever you want after that, but you have to master C first.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  23. tied to Spring Security by Anonymous Coward · · Score: 0

    so to get this straight people are having trouble understanding a framework that is hard to use and changes faster than the documentation can keep up with it? one of SO's biggest weaknesses is that it keeps obsolete answers around forever, and is hard to use when you have version N+3 of some framework that has changed almost completely since the answers about version N + 1 were posted a year or two ago

    the irony is that spring started as a SIMPLIFIED, EASIER java framework to replace heavyweight, difficult stuff like EJB - and now has become what it set out to destroy - so we need a new framework-of-the-weak that is easier to understand to replace spring - the real irony is spring mvc was designed to be a simplified version of struts, but apparently struts hasn't gone away

    1. Re:tied to Spring Security by guruevi · · Score: 1

      I've learned that, and this is especially so in Java, that you can start with a simplified framework but without a doubt at some point you'll be stuck on a complicated piece and you need a more complicated framework.

      This is the same for any framework, whether it be C or Java or PHP, at some point you need to get out of the 'simple' and into the 'hard' and the framework becomes 2 or 3 or 5 full-stack frameworks.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  24. Re:Java is in and of itself bad advice by zieroh · · Score: 3, Interesting

    Not really the fault of the language....

    No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"

    Java is okay for what it is, but if you make it the foundational language for your students, those students will be shite programmers.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  25. Re:Stackoverflow: how not to help by zieroh · · Score: 2, Insightful

    If people simply hired web developers, most web hacking shit would be gone over fucking night.

    No. Just no. The only thing worse than Java programmers are web developers.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  26. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    My neighbour doesn't have a goat you insensitive clod!

  27. This explains the quality of java applications... by Anonymous Coward · · Score: 0

    ... just about all of them are terrible, low quality memory hogs.

    QED

  28. How is this news? by Anonymous Coward · · Score: 1

    Developers absolutely suck at security. This might be for nerds, but how is this news?

    If a developer was given root access on an internet-facing server, then within 10 minutes the whole filesystem would be 777, all ports would be wide open, SELinux would be turned off, direct root login from the outside would be enabled, and all processes would run as root or with root permissions.

    (Yes, I am a grumpy sysadmin who has had to clean up far too many messes from you clowns. The examples I cited weren't even the most egregious that I've had to deal with after being overruled by management.)

    1. Re:How is this news? by hcs_$reboot · · Score: 1

      within 10 minutes the whole filesystem would be 777

      Beware that would remove some 's' bits as well ... thus making the system more secure (in that it has less usable features...)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:How is this news? by swilver · · Score: 1

      Jeez, hire some real developers. I have no sympathy for companies that hire the cheapest monkeys they can find that can utter the required resume keywords in an intelligible way.

      Hiring people with 10+ years of experience in multiple languages and systems, even though far more expensive will save money in the long run. The savings on maintenance, security and extensibility alone will easily pay itself back, not to mention they'll build better, more scalable solutions, and do it in less time and with less lines of code...

      (Yes, I am a grumpy developer that went freelance because managers have no clue what the difference is between a fresh graduate and someone with 20 years of experience).

    3. Re:How is this news? by CanadianMacFan · · Score: 1

      When meeting the new CIO he called everyone in the web development group (comprised of project managers, developers, graphic artists, etc) a bunch of interchangeable cogs and meant it as a compliment. He couldn't see why everyone was upset by the remark.

    4. Re:How is this news? by Anonymous Coward · · Score: 0

      Thanks. I will try a chmod a+rwx!

    5. Re:How is this news? by Anonymous Coward · · Score: 0

      Anyone worth their salt wears many hats. I'm on very good terms with my sysadmins. They went so far as to give me admin permissions to most of the systems. I was one of a few in the entire company. I had nearly as much power as they did. But as paranoid as I am, I worked with them to restrict my permissions, but make it so I can still easily do my job while not bothering them. This was a mixture of helping them automate their systems, some slight rearchitecting on their end, and making sure my department's projects were designed in a way that played well with their security implementations. Worked the problem from both ends.

      I'm always looking for ways to further restrict my permissions without affecting my ability to do my job.

    6. Re:How is this news? by Billly+Gates · · Score: 1

      When meeting the new CIO he called everyone in the web development group (comprised of project managers, developers, graphic artists, etc) a bunch of interchangeable cogs and meant it as a compliment. He couldn't see why everyone was upset by the remark.

      Come on man all it takes is $500 and a week to make a myspace/facebook look alike and beat google on google.com with SEO complete with a professional photographer. I mean how hard can it be if your best friend's boyfriend can make the default template in Microsoft Word?

  29. News at 11 by Anonymous Coward · · Score: 0

    stackoverflow contains shitty advice

  30. Re: Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Often, it happens because some framework has a convenience method for md5, but not SHA. For example...

    String hash = myframework.md5hex(value);

    where 'value' can be a String or byte[] compared to...

    // instantiate a ShaConfigBuilder
    // set 17 options
    // instantiate a ShaHashFactory with myShaConfigBuilder
    // call myShaHashBuilder.parse(myInputStream);
    // finally get the goddamn hash value
    // I lied... myShaHashBuilder.parse() returned a ShaHash, and ShaHash has no convenient method to return the hash as a hex string.

    If you're lucky, it returns it as a BigInteger & you can call its toString(16) method. If you're not, it returns it as a byte[] (or worse, as a base-10 signed value in String form), so you still have to instantiate a new BigInteger.

    The point is, md5-related stuff often has nice, easy-to-use no-ceremony convenience methods that return hex strings, while SHA-related stuff is often implemented in a more "modern" (convenience-free) manner that requires a shit-ton of boilerplate tedium to do ANYTHING. Yes, loose-coupling is usually the "right" way to do something... but modern frameworks often take it to tedious extremes.

    There's also the fact that Apache HttpClient & Android historically made development on real devices using https to call a web service running on the developer's computer a total nightmare, because HttpClient's certificate list was different than Android's browser cert list, and most factory ROMs made it IMPOSSIBLE to add your own test certs (...growls angrily at Motorola in particular...)

    Basically, HttpClient made it SO HARD to do the right thing, nobody DID the right thing.

    Things have gotten quite a bit better in recent releases of Android, but this is something that was a never-ending, ongoing pain point for almost 8 years (long after Android itself addressed the problem, there was still the problem of having to support phones with older versions of Android that were stuck with the status quo).
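    The md5hex one-liner in the post contrasted with what the JDK's own MessageDigest actually needs: an added example, not code from any framework the post mentions, showing a SHA-256 helper with the same no-ceremony shape for String, byte[] and InputStream input. The class Sha256Hex and its method names are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Zero-ceremony SHA-256 helpers (illustrative; not part of any framework).
 * Every overload returns the digest as lowercase hex, which is what the
 * md5hex-style convenience methods return and what callers usually want.
 */
public final class Sha256Hex {
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    private Sha256Hex() {}

    private static MessageDigest sha256() {
        try {
            return MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            // Every conforming JRE ships SHA-256; reaching here is a broken runtime, not a user error.
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    /**
     * Fixed-width hex encoding. This is deliberately not
     * new BigInteger(1, bytes).toString(16): that form drops leading zero
     * nibbles, so roughly 1 in 16 digests would come out one character short.
     */
    public static String hex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            int v = bytes[i] & 0xff;
            out[i * 2] = HEX[v >>> 4];
            out[i * 2 + 1] = HEX[v & 0x0f];
        }
        return new String(out);
    }

    public static String sha256Hex(byte[] data) {
        return hex(sha256().digest(data));
    }

    /** Encodes as UTF-8 explicitly; the platform default charset would make the hash machine-dependent. */
    public static String sha256Hex(String data) {
        return sha256Hex(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Streams the input through the digest, so large files are not read into memory whole. */
    public static String sha256Hex(InputStream in) throws IOException {
        MessageDigest md = sha256();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            md.update(buf, 0, n);
        }
        return hex(md.digest());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs; the three overloads agree on the same bytes.
        String sample = "hello";
        byte[] sampleBytes = sample.getBytes(StandardCharsets.UTF_8);
        System.out.println(sha256Hex(sample));
        System.out.println(sha256Hex(sampleBytes));
        System.out.println(sha256Hex(new ByteArrayInputStream(sampleBytes)));
    }
}
```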

  31. Re:Easy solution by Anonymous Coward · · Score: 0

    https://www.nbcnews.com/science/space/why-indias-mars-orbiter-mission-cost-less-gravity-movie-n210681

  32. Even CERT is hard to use. by Anonymous Coward · · Score: 0

    After reading this post, I decided to check out the CERT C Coding Standards and C++ Coding Standards. They want you to create an account in order to download! Even CERT is clueless on how to make secure programming easily accessible for developers.

  33. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Linkies to "a few treatises" ? ( because I think they are very wrong and would like to discuss them, using nested comments ).

  34. Leave out the words "Java" and "security" by Antique+Geekmeister · · Score: 1

    Many of the Stackoverflow first answers are very poor, as are many followups from people who don't sanitize their inputs. The problem is aggravated for Java, where error reporting is often very poor and where programmers have been taught with object oriented principles to pay no attention to the rest of the system: it's considered outside the scope of their immediate task.

    I do find Stackoverflow useful: there are often extremely useful hooks to start from, and it's well worth thanking the community by following up with my more detailed or robust answers, especially when the published answers did not quite work. That kind of feedback is critical to open source and free software projects.

    1. Re:Leave out the words "Java" and "security" by Anonymous Coward · · Score: 0

      This guy gets it. Wisdom of the crowds requires people that are experts in what is being discussed, not experts at gaming StackOverflow points.

    2. Re:Leave out the words "Java" and "security" by Darinbob · · Score: 1

      Yup, I rarely find quality answers on stack overflow, but I do find links to other sources of information that lead to good answers.

  35. Re:Stackoverflow: how not to help by Anonymous Coward · · Score: 0

    ...
    If people simply hired web developers, most web hacking shit would be gone over fucking night. ...

    "Web developers" are the Thalidomide babies of the IT world.

  36. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    I tried starting with Basic, but it made little sense to me. I then tried C, but I couldn't quite grasp it, but I did like the syntax. Then I tried ASM, and it was perfect. Around the age of 8, I gave C another shot, and it suddenly made sense because I understood ASM.

  37. Re:Java is in and of itself bad advice by Dragonslicer · · Score: 1

    Not really the fault of the language....

    No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"

    How is that relevant to cryptographic hash algorithms, CSRF, certificate validation, or encrypted communication protocols? One could argue the exact opposite: by spending more time on teaching students exactly how variables are stored in memory, you would have less time to teach students about all of the other security issues involved in writing software.

  38. Re:Java is in and of itself bad advice by Dragonslicer · · Score: 1

    I'm a veteran of the software industry (3 decades, now) and regularly screen, interview, and hire software engineers -- mostly college grads, some with a few years of experience in the industry. I can tell you with absolute certainty that Java programmers -- those who primarily learned Java in college -- are easily the worst programmers I encounter while hiring.

    Then you aren't trying to hire software engineers, you're trying to hire programmers.

  39. Re: Java is in and of itself bad advice by Junta · · Score: 2

    Yeah, I will confess to not knowing your specific scenario, but I too was faced with a language/library set that had a terrible TLS implementation. I subclassed the plain http class to provide my own tls handling because I know precisely what happens using the default scheme.

    This of course drew incredulous response from a security architect that worked on a similar product, saying that I was running a terrible risk by authenticating certificates ssh-style rather than with a CA. I then asked if that concerned him so much, why did his product have a client that allowed users to disable cert validation? He said because users demanded it as soon as they released, and it's the user's fault if that screws them over. I informed him that I didn't provide an option to disable validation, and not one of my users has asked for it. I never could convince him this was a good thing. Note the target market is 99.99% private services not even resolvable by the internet DNS servers. I helped a few of his clients and every last one had hard set it to disable cert validation, and besides I suspect he didn't really understand the underlying way the certificates work, since manually blessed certificates are no more blessed if you use a CA to mark that rather than storing the fingerprints directly.

    Too much work in security is about offering a hypothetical possible credibly secure way that no one wants to do, and then offering a feasible approach to get work done so they can blame the users or downstream developers for mistakes. Not enough sentiment of "must make the secure approach also the easy choice".

    --
    XML is like violence. If it doesn't solve the problem, use more.
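    The ssh-style validation Junta describes, as an added Java example that is not the poster's product code or any library's API: a TrustManager that accepts a server only when the SHA-256 fingerprint of the certificate it presents was pinned out of band, so there is no "disable validation" switch to flip. The class name PinnedTrustManager, the placeholder fingerprint and the internal.example.test URL are assumptions.

```java
import java.net.URL;
import java.security.KeyManagementException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Trusts a server only when the SHA-256 fingerprint of the certificate it presents
 * is in a set the operator recorded out of band (ssh "known hosts" style), instead of
 * relying on a public CA for a service that is not even reachable from the internet.
 * Because an unknown fingerprint is simply rejected, the client has no way to "turn
 * validation off"; the pinned set must be updated when the server's certificate rotates.
 */
public final class PinnedTrustManager implements X509TrustManager {
    private final Set<String> pinned;

    /** Fingerprints may be given openssl-style ("AB:CD:...") or as plain hex; both are normalised. */
    public PinnedTrustManager(Set<String> fingerprints) {
        this.pinned = fingerprints.stream()
                .map(PinnedTrustManager::normalise)
                .collect(Collectors.toUnmodifiableSet());
    }

    private static String normalise(String fp) {
        return fp.replace(":", "").toLowerCase(Locale.ROOT);
    }

    /** SHA-256 over the DER encoding, the same value `openssl x509 -noout -fingerprint -sha256` prints. */
    public static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available in this JRE", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("server presented no certificate");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // still reject expired or not-yet-valid certificates
        String fp = fingerprint(leaf);
        if (!pinned.contains(fp)) {
            // Fail closed: an unknown fingerprint is either a misconfiguration or an interception.
            throw new CertificateException("certificate fingerprint " + fp + " is not pinned");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted by this trust manager");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // no CA issuers are implied; trust is by fingerprint only
    }

    /** Builds an SSLContext that uses the pinned trust manager; hostname verification stays enabled. */
    public static SSLContext pinnedContext(Set<String> fingerprints)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(fingerprints) }, new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder: replace with the fingerprint of the certificate your own service presents,
        // e.g. the output of: openssl x509 -in server.pem -noout -fingerprint -sha256
        Set<String> pins = Set.of("REPLACE_WITH_SHA256_FINGERPRINT");
        HttpsURLConnection.setDefaultSSLSocketFactory(pinnedContext(pins).getSocketFactory());

        // Hypothetical private service; any other fingerprint makes the handshake fail.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://internal.example.test/health").openConnection();
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```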
  40. Re:Stackoverflow: how not to help by Anonymous Coward · · Score: 1

    If people simply hired web developers, most web hacking shit would be gone over fucking night.

    No. Just no. The only thing worse than Java programmers are web developers.

    This is a web site, made by web developers. Criticizing web developers is childish and pointless.

  41. Re:Java is in and of itself bad advice by Junta · · Score: 2

    Perhaps offtopic maybe. The scenario here is indicative of general programmer behavior: easy and functional without looking at the consequences.

    The annoyance of runtimes and vulnerabilities in those runtimes are a distinct phenomenon. In fact, I'd say that Java's experience is a good example of the problems of shipping language runtime with your app, which can extend to static linking and providing 'appliance' virtual machines or containers. The lazy mindset that infects java app deployment to cause the phenomenon you see... those people will screw up *any* target they may have the exact same way (and sadly this happens more and more, with many libraries no longer making the effort to be api compatible version to version, and pointing to dockerhub in general or virtualenv in python or similar strategies as why it doesn't matter to be compatible and have maintenance streams and other such work devs have no interest/patience for if they are allowed to skip it.)

    --
    XML is like violence. If it doesn't solve the problem, use more.
  42. Re: Java is in and of itself bad advice by Ronin+Developer · · Score: 1

    You have heard the screaming goat, right? That's not pleasure.

    Honestly, getting back to the story....a language for which advice is riddled with security holes should scare the crap out of you? Imagine hiring one of these so-called experts. Your business would be in jeopardy because they don't know what they don't know.

  43. Bad Advice from Stackoverflow? by tylersoze · · Score: 1

    Well I never!

    Canonical example of a Stackoverflow exchange:

    Answer: Why in the world would you want to do that? Here do this

    Answer:

    #1 upvote:

    #2 upvote:

    #4 or #5 most upvoted:

    further down:

    Stackoverflow is the best for people that sort of know what the answer should be and can separate the wheat from the chaff.

    I often point to this one as a good canonical example. https://stackoverflow.com/ques...

    1. Re:Bad Advice from Stackoverflow? by tylersoze · · Score: 2

      Eh, I should have previewed my post, tags got eaten:
      Answer: Why in the world would you want to do that? Here do this (unhelpful thing that doesn't answer this question)

      Answer: (Complete wrong buggy implementation)

      #1 upvote: (Answer that technically works but completely pedestrian, not generalized, etc)

      #2 upvote: (mostly the same as #1, but with an added glaring bug)

      #4 or #5 most upvoted: (probably the right answer)

      further down: (a number of technically correct but a completely stupid ways to solve the problem)

      Stackoverflow is the best for people that sort of know what the answer should be and can separate the wheat from the chaff.

      I often point to this one as a good canonical example. https://stackoverflow.com/ques...

    2. Re:Bad Advice from Stackoverflow? by Darinbob · · Score: 1

      That example is good. The whole question is wrong, Stack Overflow shouldn't be a site for brand new programmers. Spend some time learning the language before you ask how to do something that anyone with one month's experience can do. In the early days of Stack Overflow the questions were very interesting questions, about subtleties in a language, mysterious problems to overcome, and so forth. Now the questions are "help me do my homework!"

    3. Re:Bad Advice from Stackoverflow? by david_thornley · · Score: 1

      Answer: Why in the world would you want to do that? Here do this

      This is often the best answer possible. Back when I was on SO a lot, there were a lot of questions asked that made bad assumptions. The questioner had a problem, had started solving it in a bad way, and ran into trouble, and was basically having trouble pounding the screw into the block using the wrench (one of my analogies for certain software development). In a case like that, it's far more useful to tell them to use a screwdriver and turn it, instead of recommending duct-taping a tape measure to the back of the end of the wrench you're not holding to increase the force.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    4. Re:Bad Advice from Stackoverflow? by Anonymous Coward · · Score: 0

      > Why in the world would you want to do that?

      Because I want to be famous on TheDailyWTF.

  44. Re:Java is in and of itself bad advice by Khyber · · Score: 1

    "by spending more time on teaching students exactly how variables are stored in memory, you would have less time to teach students about all of the other security issues involved in writing software."

    Most of the problems that exist in code are PRECISELY because people don't know where shit is stored, or how it is accessed. Solid fundamentals means solid and informed coding practice. Java is not a solid fundamental for people to start with.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  45. Automated fallacy by istartedi · · Score: 1

    If poor answers are floating to the top because of reputation, then Stack Overflow has effectively automated argument from authority.

    This is not too surprising. Automating fallacy is probably easy. Automating security is likely to be hard. Trust me. I'm an expert on this.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  46. Re: Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    You could just press edit and fix the answer, the way it's intended

  47. OK, but why are they on SO? What did we do wrong? by Wrath0fb0b · · Score: 3, Insightful

    So, I agree with all the haterade at SO and all the things it does wrong and stuff. But let's take a moment of reflection and see if maybe we as a community also did something wrong.

    My opinion is that it's a total lack of actually useful documentation. And by that I mean there's almost always documentation, but it's at a level of specificity that makes it totally useless.

    By way of analogy, imagine getting into an airplane and there's tons of man pages for each instrument like "The throttle controls the amount of forward thrust generated by the engines. It has three auto-throttle modes for speed, trim and power, you can enable those modes by setting the auto-throttle switch to the ON position and adjusting the rotary dial to the desired mode. The power mode cannot be used while the autopilot for level is set."

    And so on there's documentation on every little thing but nowhere does it actually explain how the hell to fly a plane.

    There are projects whose documentation is exactly like this. They are full of great (and useful) detail about how the parts work but there is no place that explains how the whole project works at a general level and how to get it off the ground.

  48. Yeah but by SCVonSteroids · · Score: 2

    They're Java coders. Easily replaced.

    --
    I tend to rant.
    1. Re:Yeah but by Anonymous Coward · · Score: 0

      Haha that's funny considering I spent the last month cleaning up the technical debt of a C++ app for a team of C++ 'pros' that shat their pants in terror at something so simple as an IOC architecture. Don't let me stop you from conflating your mediocrity with a superior language choice though.

    2. Re:Yeah but by SCVonSteroids · · Score: 1

      Oh boy.

      --
      I tend to rant.
  49. Well, of course they are by Chris+Mattern · · Score: 1

    You always get bad advice from Stack Overflow.

  50. Re:Java is in and of itself bad advice by Bender0x7D1 · · Score: 2

    Want to learn to program? Start with C. You can expand to whatever you want after that, but you have to master C first.

    I used to say this a lot; however, I was given an analogy that made me change my mind. When we teach people to drive, we don't make them learn on snow and ice. So why should we make them do that with programming?

    So, after reevaluating, I decided we should throw out the "Programming 1 & 2" paradigm that so many schools use. Instead, I would like to see:

    Programming 1 (in Java or Python): Focuses on logic, syntax, and simple control statements (if, while, etc.)

    Programming 2 (in C or C++): Focuses on what was happening "under the hood" in Programming 1, and starts getting into data structures

    Programming 3 (still C or C++): Heavy data structures with an introduction to algorithms. This is where they start learning a bit of architecture, compiler theory, and details on how things work. This is not meant to replace an architecture/compiler/etc. class - but to give the foundation so those classes make sense from day 1.

    Yes, this means it adds another full class to an undergraduate program, but it also means that capable, interested students don't get blown out of the water because they don't have the background - or are just bad at classwork. It also makes sure that a student does need to understand the details to obtain their Bachelor's degree.

    --
    Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  51. It's not java or security, it's Stack Overflow by Anonymous Coward · · Score: 1

    Really, I don't know how that god-forsaken site, stackoverflow became the standard go-to for problem solving.

    90% of the content on that site are pompous programmers talking down to people and questioning their every motive, or modding newbies down. That site seems to exist to give 99% of most programmers an inferiority complex, more than it does to educate people, or provide quality code.

    A standard StackOverflow query tends to go like this:

    * User asks a question

    Responses:

    * instant downvote with no explanation
    * mod critique that the question is not properly formatted
    * "Why do you want to do that?"
    * (wrong answer, but posted really fast)
    * "your question is too detailed/not detailed enough"
    * "what are you trying to do?"
    * pointing out the question has kinda been asked before (but not really)

  52. Re: Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Here's what I don't get about people harping about using MD5 over SHA or more elaborate encryption... as long as you use a decent salt, and implement system probes, should it really matter? It may be easier to crack MD5 than SHA, but if your authentication code stops brute force attempts, shouldn't it be moot?

  53. blah blah blah by Reverend+Green · · Score: 1

    By far the hardest part of security is getting companies to care about it.

  54. Re: Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Well - have you stopped?

  55. Re:OK, but why are they on SO? What did we do wron by GlennC · · Score: 1

    And so on there's documentation on every little thing but nowhere does it actually explain how the hell to fly a plane.

    There are projects whose documentation is exactly like this. They are full of great (and useful) detail about how the parts work but there is no place that explains how the whole project works at a general level and how to get it off the ground.

    That's because the general assumption, in this case, is that the reader already knows how to fly planes in general, and only needs the specifics for this model.

    Of course, given the number of coders whose training consisted solely of rote memorization, this assumption is provably wrong. That leads to the sorry state the IT industry is in now, and why I'm very glad I'm training to get my CDL and drive a truck.

    --
    Go on, citizen, stamp the vote card. R or D, your choice.
  56. Calling BS by pooh666 · · Score: 1

    First off, I hate fucking Java. Second, the data may be correct, but the conclusion is out of reality. The reason this is an issue and the up votes go for the easiest not most secure answer, is 1. Human nature, 2. Companies don't give a flying fuck about security. If a "business" leader in an ecom org can't even be bothered to learn a single thing about how a web page even works, then they certainly don't really understand the impact of a few coding side steps and no budget will be allocated DAY TO DAY, to deal with it. After the fact security reviews are doomed to fail, because there is just too much rot after a while.

    1. Re:Calling BS by Billly+Gates · · Score: 1

      First off, I hate fucking Java. Second, the data may be correct, but the conclusion is out of reality. The reason this is an issue and the up votes go for the easiest not most secure answer, is 1. Human nature, 2. Companies don't give a flying fuck about security. If a "business" leader in an ecom org can't even be bothered to learn a single thing about how a web page even works, then they certainly don't really understand the impact of a few coding side steps and no budget will be allocated DAY TO DAY, to deal with it. After the fact security reviews are doomed to fail, because there is just too much rot after a while.

      Dude any clueless CIO can order a myspace/facebook/youtube for a single programmer to be done in a single 3 weeks complete with learning Ruby in one evening. Emailing the VP ordering the project asking for information may have your contract revoked?

  57. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Sounds like you don't know how it works. The only really problematic part of Java was the browser plugin.

  58. Who's going to pay for training? by Monster_user · · Score: 1

    Who's going to pay for training so that developers can recognize bad advice on Stack Overflow, or possibly increase the amount of good advice on Stack Overflow?

    Who's going to invest? Who's going to spend the money? And on who's time are they going to be researching better security in code?

  59. Pajeet Overflow by Anonymous Coward · · Score: 0

    What the fuck did you expect?

  60. Revisiting old questions by Miamicanes · · Score: 1

    One big problem SO has is reconciling old questions with "best" answers that might no longer be the best -- or even still RELEVANT.

    Suppose that someone posted a message to SO in 2012 asking how to hide the mouse pointer arrow that appears if the user connects a bluetooth or USB mouse to the device when their app (say, an OpenGL ES game) is in the foreground.

    Five years ago, the correct and concise answer would have been, "You can't".

    Today, the proper answer would be, "You can't do it unless the device has Android N (7.0) or newer AND you target API 24+, in which case here's what you need to do..."

    The problem is, if someone posted a new question like this TODAY, some mod looking for easy points would likely flag it within minutes for closure-as-duplicate, EVEN IF the older question's only answer is "you can't". Often, the mods who are the most aggressive about flagging for closure-as-duplicate aren't even subject matter experts in the platform whose questions they're moderating... they're just looking to score easy points for their "Google" skills, and don't BOTHER to actually read anything beyond the search result summaries (let alone consider whether the original questions' answers are still relevant).

    This happened on a grand scale for MONTHS after Android Studio moved to Gradle-based projects. People would post questions asking how to do something specific in a Gradle-based Android Studio 2.x project, then get their question swatted down almost instantly (as "duplicate-of-older-question", usually some question about Eclipse or Android Studio 1.0) by users with high reputations, but no discernible expertise in ANDROID development (because the real Android experts KNEW that Gradle was a HUGE change that broke things up, down, left, right, and diagonally).

  61. Quite ironic. by Anonymous Coward · · Score: 0

    > Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...

    So, in essence, qualified answers by low ranking posters -- let's call them ACs -- are not as upvoted as BS from registered users?

    Who would imagine that?

  62. Don't Blame Developers for Security Problems by Anonymous Coward · · Score: 0

    When the people signing the checks don't want to pay for security. Try telling the powers that be that the software project, which seems perfectly functional in the demo you just gave them, is still weeks or months away from delivery because we have to implement security. You will see how fast security goes out the window when the money men smell profit and see "first mover" advantage in the marketplace through their tunnel vision.

  63. Claims that Slashdot should have been NNTP by tepples · · Score: 1

    This is a web site, made by web developers.

    A few hardline anti-JavaScript users I've run into are under the impression that Slashdot ought to have been an NNTP site viewed through a news reader, not a website viewed through a web browser. They tolerate web-based discussion forums, though they would prefer a discussion-specific protocol.

  64. Re: Java is in and of itself bad advice by F.Ultra · · Score: 1

    With MD5 you can have all the salt of the great oceans and the password would still be easily deduced in an offline attack (which hash you use does not matter in an online attack, which is what you described; heck, you could even go with plaintext).

  65. Re:Java is in and of itself bad advice by Darinbob · · Score: 3, Insightful

    There are two ways to view programming, both of which are very important to understand. There is an abstract model view of programming, and that's what Java could be good at. Except that something like Scheme is even better at this. This is supposed to be a high level view of what algorithms actually are as a concept, rather than the implementation details at a machine level.

    But you also need the low level view, how things actually get done. If your only model of a program is a bunch of magical black box operators that all take 0 time and space, you can't think well about the problem. Big-Oh notation is meaningless if you don't know what you're measuring. Missing this knowledge is a major hindrance, and yet so many don't realize they have this flaw.

    You certainly won't be any good at even basic security without having both an abstract and a concrete model.

  66. Re: Java is in and of itself bad advice by Darinbob · · Score: 2

    There are brute force attempts, and smart brute force attempts. Defending against a brute force attack from your kid sister is easy compared to defending against a brute force attack from the school bully. The quality of security you have depends upon the value of what you're protecting.

    If you don't care about what happens if someone breaks your system, then MD5 is fine and it doesn't hurt much if you ask stack overflow for advice. If your company can be put out of business if your back office data can be cracked or spoofed, then MD5 is foolish to use and any developer relying on hints from stack overflow should be assigned to other less important tasks. If your government can collapse and the country be invaded if your data is laid bare, then hopefully you're so far beyond stack overflow that you're inventing these security frameworks yourself.

  67. Unlike GitHub, Stack Overflow doesn't have ``` by tepples · · Score: 1

    Also, Stackoverflow uses a formatting syntax called "markdown". It's the same as Github.

    In this case, no, it isn't the same as GitHub. GitHub recognizes several extensions to Markdown that Stack Exchange does not, such as the triple-backtick for code blocks as an alternative to the four-space indent.

  68. Ask some random person if your house is secure by Anonymous Coward · · Score: 0

    Go on, now tell me why that's a bad idea.

    People are simply too lazy nowadays. This reminds me of the heady days of BASIC interpreters everywhere.

    There's a reason I switched to assembler.

  69. Re:Java is in and of itself bad advice by Darinbob · · Score: 2

    You need more than C. I have a lot of C programmers, and most are terrible at software. That's because they're self-taught EE or science types; they understand the low level details but are extremely lousy at higher level abstractions. I.e., they find it difficult to see the big picture of a large software project, they can't make code that other people can maintain or even decipher, and so forth. Their coding skills seem to be a mixture of knowing the syntax and combining it with a few key rules of thumb.

    That said, those that start with a very high level language usually have the same problem, just with a different view of it. They still only have a few key rules of thumb, this time applied to the few frameworks or libraries that they understand; their code is so chock full of abstraction layers that no one else understands any of it or is capable of making small modifications safely. They think they understand the big picture only because they've labelled it as "BigPictureInstanceFactory".

    Somewhere in there are some key skills that are very rare. If you miss those skills you will be lousy at programming in any language or paradigm.

  70. Re:Java is in and of itself bad advice by Darinbob · · Score: 1

    I think some of the problem is that there is an army of people out there intent on spreading the word that you don't need to learn how to drive on snow and ice, and who will scoff at anyone who does this regularly. They treat driving on snow and ice as akin to climbing Mount Everest. Their solution to anything difficult is to first find the right library or framework that already does it for you. It sort of implicitly assumes that mere mortals don't write these frameworks, in the same way that mere mortals don't climb Mount Everest.

    But instead of just saying "that's beyond my abilities" they are teaching others that it's beyond their abilities as well.

  71. Re:Java is in and of itself bad advice by El+Cubano · · Score: 2

    Want to learn to program? Start with C. You can expand to whatever you want after that, but you have to master C first.

    I used to say this a lot; however, I was given an analogy that made me change my mind. When we teach people to drive, we don't make them learn on snow and ice. So why should we make them do that with programming?

    In an upper division undergraduate CompSci/CompEng course that I teach, I always tell the students, "spend more time reading code than writing code; being able to read code is more important and valuable to a programmer than being able to write code." I have had several students disagree strongly with that assertion. However, I use the example of learning a foreign language.

    I know that programming and human language are different. However, I think that the same principle of learning the language structure (e.g., grammar, syntax, etc.) in order to first master reading holds for both sorts of languages. That is, one does not claim to be proficient in Spanish, French, or Japanese based on being able to speak it but not read it.

    I was a terrible programmer for a very long time and what finally made the difference for me was to learn how to really read code. Once I had mastered that, I feel like I improved by leaps and bounds. I really wish that reading code had been emphasized as a core programming skill more when I was in school.

  72. Re: Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    if u just teech C you don't gotta deal with all that faggotry

  73. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    I was a terrible programmer for a very long time and what finally made the difference for me was to learn how to really read code. Once I had mastered that, I feel like I improved by leaps and bounds

    Except that most programmers are terrible and so is their code. Very rarely have I read code written by somebody else that I truly admired. Granted, I'm a bit of a perfectionist when it comes to my coding, but Jesus, would it hurt people to write code that doesn't fold like a cheap tent at the first edge case or curveball? Writing code that satisfies the specification exactly and nothing else is the sort that makes others who come after you curse you for leaving them a big mess to clean up. Other tradesmen take pride in their craft and workmanship, but so many programmers don't. It's a shame really, but that's what's out there these days.

  74. Stack Exchange already bad along w/Java security by Seven+Spirals · · Score: 1

    FTFY

  75. Re:Java is in and of itself bad advice by dgatwood · · Score: 1

    I used to say this a lot; however, I was given an analogy that made me change my mind. When we teach people to drive, we don't make them learn on snow and ice. So why should we make them do that with programming?

    You must live in an area that doesn't get much snow or ice if that made you change your mind. Where I come from (Tennessee), we got a bad snowstorm one or two times a year, and if you didn't want to be trapped in a house with no power, no phone, and no heat, you had better be prepared to drive in snow and ice. Most people I know from back home had their first driving experience—often even before getting their learners' permits and learning to drive on actual streets—by going to some large, wide-open parking lot for some random not-open business and learning how cars behave in the worst conditions.

    This has multiple purposes. For one, it makes you appreciate how treacherous driving can be, so you're more careful from then on. For another, you understand exactly how your car behaves in terms of sliding under various amounts of throttle, various amounts of turning, etc. Then, every time you drive a new car in rain, you use those same techniques to quickly learn how much centrifugal force causes the car to start spinning, and you make d**n sure you never come close to exceeding that. People not learning how to drive in snow and ice are the reason we have so many people carelessly spinning their cars around backwards and having wrecks every time there's a light rain in northern California.

    Learning C is much the same.

    IMO, Java's biggest problem is that object-oriented programming is a terrible way to start learning programming, because it doesn't map very well onto the way humans think about the world. By and large, people think procedurally, not OOPy, not functionally. Yet instructors are forced to introduce concepts like classes and methods really early in Java classes—long before the students actually understand these concepts—because the students have to use classes and methods to do even the most basic things like printing "Hello, world." And unfortunately, C++ has the same problem unless you teach it like C.

    I've concluded that schools really should start with a purely procedural language for teaching the basics of programming, not an OO language. Then, move on to data structures—still in a procedural language—for the second class. Finally, teach OOP as the third class. By that point, you can tell them that a class is a glorified struct with syntactic sugar and that methods are glorified function pointers with syntactic sugar. You can also easily explain how to think in an object-oriented fashion and organize code in an object-oriented fashion, because the students have enough grounding in the basics of programming to make that logical leap. And if you do it right, you can also be subtly encouraging OO-like design even within the procedural code, so that objects become natural extensions of things like "static", rather than being a completely foreign concept.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  76. Re:Java is in and of itself bad advice by dgatwood · · Score: 1

    Except that most programmers are terrible and so is their code. Very rarely have I read code written by somebody else that I truly admired.

    Well, yeah, but you didn't get to that point by not reading their code. You got there by looking at bad code, understanding it, and concluding that it was bad. If you had never seen bad code before, how would you recognize it when you saw it?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  77. Re:Java is in and of itself bad advice by dgatwood · · Score: 1

      That said, those that start with a very high level language usually have the same problem, just with a different view of it. They still only have a few key rules of thumb, this time applied to the few frameworks or libraries that they understand; their code is so chock full of abstraction layers that no one else understands any of it or is capable of making small modifications safely. They think they understand the big picture only because they've labelled it as "BigPictureInstanceFactory".

    That's easily solved. Just introduce dependency injection. Then, even your expert programmers will be unable to understand the big picture, and everyone will be equally confused.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  78. Java security... by stooo · · Score: 1

    >> ...The researchers concentrated on posts relevant to Java security ...

    Java security. Those two words simply do not belong together.
    It should be syntactically forbidden to write them side by side.

    --
    aaaaaaa
    1. Re:Java security... by Anonymous Coward · · Score: 0

      Explain please. And try to do it without referring to the Java web plugin, the only significant source of security issues and a thing that nobody has used in a decade. Or, is it just that you don't know what the fuck you are talking about?

  79. Re:Java is in and of itself bad advice by Xyrus · · Score: 1

    Ever see how secure a student level C program is?

    It's not the language. If you aren't taught basic security concepts you're not going to write secure code regardless of the language. Worse if the language gives you a rocket launcher to blow your own foot off with (like C).

    Secure programming isn't something you take one class on to become an expert in, any more than taking a single course on building a safe makes you capable of building a crack-proof safe. Secure application development is not something you just "pick up". It requires study, resources, and effort. You know, things a number of companies just aren't willing to pay for.

    --
    ~X~
  80. Re: Java is in and of itself bad advice by Junta · · Score: 1

    It depends upon the application.

    In an HMAC, PBKDF, etc. application, MD5 is still safe practically speaking, but it's easier to avoid raised eyebrows to move on to SHA2 than to explain that. In these scenarios, a hash collision isn't going to help.

    If you are using the hash as a validation of something else (md5sum of a file, md5 fingerprint of a certificate), that is meaningfully risky, since hash collision is the means of breaking it and that is the weakness in the algorithm.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  81. Re: Java is in and of itself bad advice by Junta · · Score: 1

    In the realm of password cracking a well-salted MD5 hash, it's only 10x quicker to crunch through md5 than an equivalent sha256. If it were a truly random string needing brute force, we are still talking about a million years for a cluster of a thousand nodes with 8x gtx 1080s each to crack a *single* PB-KDF with 1,000 rounds. For a dictionary attack, both methods would fall in short order.

    The real weakness in MD5 is in applications that rely on attacker not being able to know a collision, such as md5sums and such.

    Of course, no reason to bother to do MD5, easier to just always do SHA2, but in the interest of being accurate about the risk...

    --
    XML is like violence. If it doesn't solve the problem, use more.
  82. Re: Java is in and of itself bad advice by Junta · · Score: 1

    If your password would fail in an offline attack, it doesn't matter what hash algorithm was used. It's only a 10-fold difference in cracking speed, which for a good password is the difference of 10 million versus a million years, and for a bad password the difference between a minute and 10 minutes.

    No reason to use it of course, and it's easier for people to just do SHA2 rather than keep track of whether the meaningful weaknesses (collisions) of md5 matter for your app or not (unless it is unsalted, and an unsalted hash of a password *would* be vulnerable to md5's weakness especially, but also opens up the door to rainbow tables regardless of the hash, so not worth much debate there).

    --
    XML is like violence. If it doesn't solve the problem, use more.
  83. Re: Java is in and of itself bad advice by F.Ultra · · Score: 1

    The difference in bruteforce speed between MD5 and SHA2 is way more than 10-fold, it's 2^128-fold (for the standard SHA2-256) and that is ignoring the known collision attacks in MD5.

  84. Re: Java is in and of itself bad advice by Lothsahn · · Score: 1

    If you're worried about offline attacks, you should use bcrypt.

    To answer the GP's post: 1) MD5 is vulnerable to certain padding attacks. For instance, Microsoft had a cryptographically signed binary hacked by a dedicated attacker to hijack windows update. Basically, someone created an executable with a virus payload that resolved to the same MD5 signature as the original package. That's BAD. https://www.theregister.co.uk/...

    MD5 is vulnerable to what's called a "length extension attack": https://en.wikipedia.org/wiki/...

    This means that, in certain cases, you CAN make MD5 secure by doing very special things around how MD5 is used. But you have to know exactly what you're doing and SHA2 is really better anyway. So just use SHA2...

    2) SHA1 has recently had vulnerabilities to the same types of usage. Do not use SHA1 or MD5 for cryptographically signing things. Keep in mind, it's still REALLY difficult to create a SHA1 collision, but engineers at Google did it. https://thehackernews.com/2017...

    3) SHA2/3 are still looking secure. It's reasonably expected that if you sign something with SHA2 or SHA3, that someone will not be able to create a different binary/payload as you can with SHA1/MD5.

    4) NONE of the above should be used to secure a password/credit card/secure info database. MD5, SHA/1/2/3. For a password database, the worry is someone will hack the DB and extract the information. For this, you should use scrypt or bcrypt (possibly with a salt and/or pepper). This is because the hacker will have the information offline and plenty of time and resources to hack it. In this case, the attacker is trying to brute force the database (by trying every password), with a limited set of (likely) passwords.

    For 1-3, you want something that can verify the hash as quickly as possible. For usecase #4, you want an algorithm that takes a long time to verify the hash. This is because a brute force's success rate is dependent on how fast you can try all of the possibilities. If you have 1000 possible passwords and each attempt takes 1ms, then you can try every possible password in 1 second. If each attempt takes 500ms, then this will take 500 seconds.

    For this, scrypt/bcrypt has a difficulty algorithm that scales. You basically decide how hard it is to verify a password based on the computational resources at your disposal and how long it should take a user to login. In an application I work on, hash computation actually takes a majority of the login time for the application.

    In short:
    1) Use Sha2/3 to sign packages, binaries, or transmissions
    2) Use scrypt or bcrypt to encrypt data against offline attacks. Pick a difficulty strength as high as you can tolerate.
    3) Use MD5 or SHA1 only as a non-cryptographic checksum (did my file get corrupted by a bit flip?--not is someone attacking me)
    4) If you use MD5 to sign packages, binaries or transmissions, cracking your encryption will be relatively easy.
    5) If you use SHA1 to sign packages, binaries, or transmissions, cracking your encryption will be possible for dedicated hackers.

    --
    -=Lothsahn=-
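An added example (not code from this thread or from any project it mentions) of the post's distinction between a fast hash and a slow, salted password hash, written in Java since that is the language the article is about. It contrasts the single unsalted MD5 the thread warns against with PBKDF2-HMAC-SHA256 from the standard JDK (used here instead of the post's bcrypt/scrypt, which need a third-party library on Java); the salt and iteration count are stored with the hash, verification compares in constant time, and the iteration count and sample password are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHashing {

    // The "easy" answer: one fast, unsalted hash. Kept only to contrast with the
    // hardened version below; the same password always yields the same digest,
    // and a leaked table can be attacked offline at full hash speed.
    static String insecureMd5(String password) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return b64(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened: PBKDF2 over HMAC-SHA256 with a random per-user salt and a tunable
    // iteration count (the "difficulty" knob the post describes).
    static final int ITERATIONS = 210_000; // constructed value: tune to your login-time budget
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;

    // Record format: algorithm$iterations$base64(salt)$base64(derived key).
    // Storing the parameters lets you raise ITERATIONS later without breaking old records.
    static String hashPassword(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, ITERATIONS);
        return "pbkdf2-sha256$" + ITERATIONS + "$" + b64(salt) + "$" + b64(dk);
    }

    static boolean verifyPassword(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !parts[0].equals("pbkdf2-sha256")) {
            return false; // unknown record format: fail closed
        }
        int iterations;
        byte[] salt, expected;
        try {
            iterations = Integer.parseInt(parts[1]);
            salt = Base64.getDecoder().decode(parts[2]);
            expected = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {
            return false; // malformed record (bad number or bad base64)
        }
        byte[] actual = pbkdf2(password, salt, iterations);
        // Constant-time comparison: Arrays.equals returns early on the first
        // mismatching byte, which leaks how much of the hash matched.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy; wipe it
        }
    }

    private static String b64(byte[] b) {
        return Base64.getEncoder().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample
        String stored = hashPassword(pw);
        System.out.println("stored record:      " + stored);
        System.out.println("verify correct pw:  " + verifyPassword(pw, stored));
        System.out.println("verify wrong pw:    " + verifyPassword("wrong".toCharArray(), stored));
        // Two users with the same password get different records because of the salt.
        System.out.println("same pw, new record differs: " + !stored.equals(hashPassword(pw)));
        System.out.println("unsalted MD5, same every time: "
                + insecureMd5("correct horse battery staple")
                    .equals(insecureMd5("correct horse battery staple")));

        // Rough cost comparison (first-call overhead included): this gap is the point
        // of a password KDF. An attacker who steals the table pays it on every guess.
        long t0 = System.nanoTime();
        insecureMd5("correct horse battery staple");
        long md5Us = (System.nanoTime() - t0) / 1_000;
        t0 = System.nanoTime();
        pbkdf2(pw, new byte[SALT_BYTES], ITERATIONS);
        long kdfUs = (System.nanoTime() - t0) / 1_000;
        System.out.printf("one MD5: %d us; one PBKDF2 (%d iterations): %d us%n",
                md5Us, ITERATIONS, kdfUs);
    }
}
```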
  85. Re: Java is in and of itself bad advice by Lothsahn · · Score: 1

    This is not true. SHA2 is only ~15% slower than MD5 at verifying a hash for small data inputs (typical for password bruteforcing). Use bcrypt/scrypt instead.
    DO NOT secure a password/cc/sensitive info DB with MD5 or SHA1/2/3.

    See this:
    http://automationrhapsody.com/...

    And my post here:
    https://developers.slashdot.or...

    --
    -=Lothsahn=-
  86. Re: Java is in and of itself bad advice by Lothsahn · · Score: 1

    Dear heavens. MD5 and SHA2 are of equivalent difficulty to use in most cases. Just use SHA2 instead. It's safer and nearly as fast.

    There's like--almost no reason--to implement new code with MD5--unless you're on small embedded platforms that don't support it or something.
    /rant

    --
    -=Lothsahn=-
  87. Re:Java is in and of itself bad advice by Lothsahn · · Score: 1

    Funny. I work in a shop of 50 java developers (some of which had other programming backgrounds, many of which did not), and they're all great developers and I'd love to work with any of them in any future job.

    But yes, a solid background in assembly or C to understand what the processor is doing really helps.

    --
    -=Lothsahn=-
  88. Re: Java is in and of itself bad advice by Darinbob · · Score: 1

    I'm not approving of MD5. I'm saying that if someone uses MD5 out of laziness or ignorance, then they better be on an application or system where there is no need for security. If anyone read that who uses MD5 then they should be shamed into doing something else.

    On the other hand, I can barely understand how anyone dumb enough to use MD5 gets put into a position where they get to make critical security choices. Except... startups or other companies who think it's a waste of money to deal with security; if their goal is to get bought out quickly then quality is an unnecessary speedbump in their fantasy.

  89. Re:Java is in and of itself bad advice by Anonymous Coward · · Score: 0

    Any good programmer can reverse engineer how a blackbox is implemented by thinking about the characteristics of the box. Simple load-testing and monitoring resources will tell you almost everything you need to know. Before I even use a library, I first think about the problem I'm trying to solve. Only then can I decide if the black-box is doing what I need done.

  90. Re:Java is in and of itself bad advice by zieroh · · Score: 1

    I tried starting with Basic, but it made little sense to me. I then tried C, but I couldn't quite grasp it, but I did like the syntax. Then I tried ASM, and it was perfect. Around the age of 8, I gave C another shot, and it suddenly made sense because I understood ASM.

    ASM will certainly give you much better insight into what's happening under the hood, so I mostly agree with this.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  91. Re:Stackoverflow: how not to help by zieroh · · Score: 1

    This is a web site, made by web developers. Criticizing web developers is childish and pointless.

    Speaking of pointless, your statement is orthogonal to the discussion. The fact that this is a website has nothing whatsoever to do with the claim that web developers are, on the whole, lousy programmers.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  92. Re:Stackoverflow: how not to help by zieroh · · Score: 1

    This is a web site, made by web developers. Criticizing web developers is childish and pointless.

    Take two: The quality of slashdot does far more to reinforce my point than it does yours.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  93. Re:Java is in and of itself bad advice by zieroh · · Score: 1

    One could argue the exact opposite: by spending more time on teaching students exactly how variables are stored in memory, you would have less time to teach students about all of the other security issues involved in writing software.

    And yet, as the rate of Java-trained college grads has gone up, security vulnerabilities have skyrocketed. Correlation is not causation, but the graph doesn't do a lot to support your argument, either.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  94. Re:Java is in and of itself bad advice by zieroh · · Score: 1

    So like, safe guess is that you have no idea what is CSRF, how cryptographic hash algorithms differ or what it is certificate validation. Hint: they have zero to do with where variables are stored, how they are accessed, the language you use nor anything else similar.

    I'm not Khyber, but I'll answer anyway: Yes, I know what those things are. And though they are important to security, they are not the mechanism by which most security vulnerabilities occur. Ever heard of a buffer overrun? Neither have most Java programmers. All the certificates in the world aren't going to make a damn bit of difference if an attacker can inject code into a running process by taking advantage of a rookie mistake.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  95. Re: Java is in and of itself bad advice by Junta · · Score: 1

    The challenge in the industry is that the most innocuous thing can become a critical security decision.

    This is one of the big failings of the status quo: companies have a 'security' team that is somehow on the hook for *everyone else's* code, explicitly responsible for a small chunk of formally recognized 'security' related code, while anyone left naive about security could botch it for everyone without anyone even realizing the security team should pay attention to it.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  96. Re: Java is in and of itself bad advice by Junta · · Score: 1

    Here's a benchmark showing hashcat performance; note that md5 is roughly 10 times that of sha-256.
    https://gist.github.com/epixoi...

    Now maybe you are thinking of cheap single-pass md5 versus some sort of practice incorporating a pb-kdf or similar scheme, but in terms of hash performance, they aren't that far from each other.

    Or maybe you are mistaking the hash length for how many guesses are needed. In AES-128 versus AES-256, it is indeed 2**128 more because the unknown key is known to be 256 bit versus 128 bit, but in a crypted password context, the password is the unknown to test against.

    Collision attacks only mean something to unsalted password hashes (which are just terrible) and signature verification. It doesn't mean anything for HMAC or HMAC based things like PB-KDF which should be employed if any normal crypto hash is used.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  97. TANSTAAFL by eric_harris_76 · · Score: 1

    At that price, you want quality, too?

    --
    There's no time like the present. Well, the past used to be.
  98. Re:Stackoverflow: how not to help by Billly+Gates · · Score: 1

    If people simply hired web developers, most web hacking shit would be gone over fucking night.

    Thanks for the chuckle.

    Sure it can be done one week with a single programmer. Ask the marketing manager who is the only one allowed to scope the requirements.

  99. Re: Java is in and of itself bad advice by F.Ultra · · Score: 1

    of course we are talking about properly implemented hashed passwords databases with salts etc and not just a hash of the password!

  100. Re: Java is in and of itself bad advice by F.Ultra · · Score: 1

    Why are you implying that we would be talking about a plain hash of a password without any type of salt or constructs (like bcrypt/scrypt)?

  101. Re: Java is in and of itself bad advice by Junta · · Score: 1

    In that case, collision attacks should be ignored in this context, since they have no meaning in the face of a salt.

    Hashes per second is the metric that matters. If you use MD5 in a PB-KDF of 1000 passes or SHA256 in a PB-KDF of 1000 passes, either way each guess is 1,000 hash calculations, and the key space is identical (the passwords).

    --
    XML is like violence. If it doesn't solve the problem, use more.
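    The point Junta makes in comments 96 and 101 (the attacker's cost per guess is iterations times one HMAC evaluation, the search space is the password list, and the hash's output length does not enter into it) can be checked directly. The block below is an added example, not code from the thread or from any project mentioned on the page: a hand-written PBKDF2 (the RFC 2898 construction from HMAC) that counts HMAC evaluations, a salted password store built on it, and a dictionary guess that reports how many HMAC calls it spent. The dictionary, the password "hunter2" and the fixed salts are constructed for the demonstration; real code takes the salt from os.urandom and a far higher iteration count.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the thread. PBKDF2 per RFC 2898 built from HMAC,
# with a counter on HMAC evaluations so the per-guess cost can be compared
# across underlying hashes. hash_name is any name hashlib.new() accepts
# ('md5', 'sha1', 'sha256', ...).


def pbkdf2(hash_name, password, salt, iterations, dklen):
    """Return (derived_key, hmac_calls) for PBKDF2-HMAC-<hash_name>."""
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    out = bytearray()
    calls = 0
    for i in range(1, blocks + 1):
        # U_1 = PRF(password, salt || INT_32_BE(i))
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        calls += 1
        t = bytearray(u)
        # U_j = PRF(password, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            calls += 1
            for j in range(hlen):
                t[j] ^= u[j]
        out += t
    return bytes(out[:dklen]), calls


def matches_stdlib(hash_name="sha256", iterations=1000):
    """Cross-check the hand-written PBKDF2 against hashlib.pbkdf2_hmac."""
    pw, salt = b"hunter2", b"constructed-salt"
    ours, _ = pbkdf2(hash_name, pw, salt, iterations, 32)
    ref = hashlib.pbkdf2_hmac(hash_name, pw, salt, iterations, 32)
    return hmac.compare_digest(ours, ref)


def hash_password(password, hash_name, iterations, salt=None):
    """Salted PBKDF2 password hash; returns (salt, key). Key length = digest size."""
    if salt is None:
        salt = os.urandom(16)
    dklen = hashlib.new(hash_name).digest_size
    key, _ = pbkdf2(hash_name, password.encode(), salt, iterations, dklen)
    return salt, key


def crack(dictionary, salt, target, hash_name, iterations):
    """Offline dictionary guess against one stored (salt, key) pair.

    Returns (found_password_or_None, total_hmac_calls). The cost is
    len(guesses tried) * iterations, whatever the hash's output length.
    """
    total = 0
    for guess in dictionary:
        key, calls = pbkdf2(hash_name, guess.encode(), salt, iterations, len(target))
        total += calls
        if hmac.compare_digest(key, target):
            return guess, total
    return None, total


# Constructed dictionary; the target password sits at index 3.
DICTIONARY = ["123456", "password", "letmein", "hunter2", "qwerty"]


def cost_comparison(iterations=200):
    """Crack the same password under PBKDF2-MD5 and PBKDF2-SHA256.

    Returns {hash_name: (found_password, hmac_calls)}; both entries cost the
    same number of HMAC calls, because the unknown is the password, not the key.
    """
    salt = b"\x00" * 16  # fixed so the two runs are comparable; use os.urandom in real code
    results = {}
    for name in ("md5", "sha256"):
        _, target = hash_password("hunter2", name, iterations, salt)
        found, calls = crack(DICTIONARY, salt, target, name, iterations)
        results[name] = (found, calls)
    return results


def salt_separates(password="hunter2", hash_name="sha256", iterations=200):
    """Same password under two salts gives two different stored hashes, so a
    collision or precomputed table for one entry says nothing about another."""
    _, k1 = hash_password(password, hash_name, iterations, b"A" * 16)
    _, k2 = hash_password(password, hash_name, iterations, b"B" * 16)
    return k1 != k2


if __name__ == "__main__":
    print(cost_comparison())
```

    Run as a script, it reports that recovering "hunter2" from the constructed list took four guesses, i.e. 4 × 200 HMAC evaluations, under both MD5 and SHA-256. What changes between the two is only how long each of those evaluations takes on the attacker's hardware (the hashcat numbers), which is why the iteration count, not the choice of a longer digest, is the knob that raises the attacker's bill.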
  102. Re:Java is in and of itself bad advice by david_thornley · · Score: 1

    Security experts can leave comments on answers, and if people like the comments they drift up to be the first comment under the answer. They can leave full answers and point to them in the comments. This isn't a structural SO problem.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  103. Re:Java is in and of itself bad advice by david_thornley · · Score: 1

    Also, Stack Overflow is not intended to facilitate conversations. It's intended to help good answers and comments be in obvious places.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  104. Re:Java is in and of itself bad advice by ConceptJunkie · · Score: 1

    You are probably not typical of people who start programming as a kid, but I bet you got the fundamentals down better than people who start with a higher-level language. I started with BASIC in high school, and in college, most of my software development classes used Pascal (this was the mid-80s). My first professional software development job in 1987 was using C++. I started C++ about 5 years later and have used it for the great majority of time since then. I use Python for side projects, but I still love C++.

    The biggest problem I find in other developers is that the code they develop is often way more complex than it needs to be, often to the point where it's almost incomprehensible, even if what it's doing is relatively simple. Often it's a lack of knowledge of the capabilities of stuff like STL, but often it's just, I don't know, not thinking things through, or just not caring. I think laziness is probably the biggest problem in software development.

    Defensive programming takes more effort, and it usually takes more thought to write something simple, because you need to design it first instead of just diving in. Creating meaningful and consistent names is probably the most bang-for-the-buck thing you can do when writing software, but very few people do it. Copy-and-paste coding is epidemic, and it causes nothing but pain in the long run. Correcting all these things doesn't always take a whole lot of expertise, but it does require effort and discipline, and those are usually what's lacking.

    --
    You are in a maze of twisty little passages, all alike.
  105. Re:Java is in and of itself bad advice by ConceptJunkie · · Score: 1

    Actually, I really wish I could have taught my kids to drive stick. They're good drivers, but we didn't have a manual transmission car when they started driving, so they don't know how. I think learning to drive stick is analogous to learning to program with C. You can do fine without it, but I think you'll do better with it, and have skills that other people will lack.

    Of course, it's been close to 30 years since someone who couldn't drive stick asked me to drive something for them, so maybe it's just an obsolete skill.

    --
    You are in a maze of twisty little passages, all alike.
  106. Re: Java is in and of itself bad advice by F.Ultra · · Score: 1

    Yes sorry about that, don't know what I was thinking about. Sometimes I forget that people keep using short passwords (since I use a password manager I always make sure that my passwords have 256-bit entropy).

  107. Re:OK, but why are they on SO? What did we do wron by Wrath0fb0b · · Score: 1

    That's because the general assumption, in this case, is that the reader already knows how to fly planes in general, and only needs the specifics for this model.

    Indeed. And software documentation should assume that the reader already knows how to use a computer in general and only needs the specifics for this particular piece of software.

    Take a look at the git book for example. First, it does assume that the reader knows what files are, how files are arranged in a filesystem, how to use a command line. Then it actually explains at high but not abstract level how git actually works. Then it goes through examples of using it. Only last does it provide a reference/glossary type documentation for looking up the detailed syntax of each and every little command.

    To be more concrete, not even the most capable and savvy computer person who has never heard of git will be able to understand this sentence:

    git fetch
    "Fetch branches and/or tags (collectively, "refs") from one or more other repositories, along with the objects necessary to complete their histories." (although this is there).

    If you've never heard of git before, it's just bloody meaningless. No matter how much general knowledge you have, even if you've used CVS and SVN before . . .