I've worked for companies like that. Sometimes it happens. They don't have the time or money to invest in writing all new software.
I'm still writing web apps that have to support IE 6 due to a partner using an older version of Developer Studio where the embedded browser widget renders as IE6. They don't have the money to re-tool and rewrite it all, and we have to support them...
Don't have a choice. I don't have hundreds of dollars for new copies of Windows, and the time to spend days reinstalling all the apps for everyone in the house...
Load all patches, install a good antivirus, have a second or third one that you run occasionally manually (not all anti-virus packages get everything), and use an updated Chrome or Firefox browser. For Firefox, I'd suggest using NoScript and Web of Trust as well. Keep Java in medium or high security mode, only go to reputable sites, and only enable JavaScript when needed.
The company should be sued, not the developers. It's usually company management that tells the developers what to code, gives them too tight a deadline, changes requirements mid-stream, and prioritizes fixes and defects based on the perceived cost vs. benefits (i.e. how much a lawsuit costs vs. the cost of fixing it). Usually the poor developers are struggling to keep up, and most aren't trained in security... Most are barely trained, as the companies want to get people cheap. It's really the company's fault... This coming from a developer with 20 years of professional experience in companies large and small...
Having implemented OAuth 1.0 and 2.0 services for communicating with various platforms, I was amazed at the lack of any security in OAuth 2.0. As mentioned by others, it completely relies on SSL/TLS, which is itself somewhat broken. From what I have gathered, it's simpler. That's about it. Actually, I prefer OAuth 1.0 and have modeled many of my own APIs after it.
But, it wasn't removing the copy protection, and it wasn't sharing outside of the home... so I think this finding is BS... Still, it doesn't keep us from building our own. It's very simple, actually...
At least there are other countries out there that have the will and the means. The US doesn't have to be the biggest and best any longer, and won't be for much longer anyway... China, India, and who knows who else will be out there long before we go back... Pretty soon, all the big announcements, advancements, etc. will be coming from them. Who knows, maybe one day we will be humbly asking China if they'll take us along, or let us spend time on their moon base.
In almost 20 years as a developer, I've noticed that the best means of obtaining a promotion and pay increase has been to change companies. This also seems constant between small companies and Fortune 500 companies...
That's why I wrote a security framework that runs over HTTP and Ajax but is, as far as I can tell with my testing so far, as secure as HTTPS... with no need for expensive certs... It doesn't give you the nice blue / green address bar or the lock icon, but it's very secure when used properly.
Decided not to go the patent route with this project, with all the changes and uncertainty in the patent landscape here in the US... but I would still like to get something out of all of my work and effort... so... I'm willing to give it to a few small companies for free as beta testers (with some consulting services) if they want to do an NDA... also, if there are any security experts out there who want a look-see... just send me an email... NDA there too... I'm going the trade-secret and copyright route on this, but hopefully it'll pay off. Anyone interested, let me know... (check email address on my profile)
If you want to run on different platforms, my choice would be Java and Eclipse SWT... you have a platform dependent library to send out with your app, but your app code itself is platform independent.
Well, I've got a year to see. If I don't get anything in that time, I've already planned on releasing it as FOSS. Who knows, maybe a company will see it, like it, and buy the rights.
Oh, and I already do consulting. Have been for years.
That's the key part that led to the patent app. And no, it doesn't use HTTPS or prayer. And... the basic principle can be applied to other applications and protocols as well. Once I get the latest version of this library tested, optimized, and done, I'm going to start writing other apps that use the basic protocol, starting with FTP, POP3, and Telnet.
Sorry I can't get more into it here, but I am waiting on the patent for the base protocol first.
That's taken into account. I spent many months working through that. Again, that was a key factor in the initial design of the initialization protocol.
Possibly, but time will tell. I've been working on this for 2 years now. I've got some close friends who are long-time software experts looking at it. I would love it if I could find some security experts who would review it free, or low cost. In the meantime, I have been reading every security book I can find. And, like I do with all of my other software testing, I have been going through it looking for different ways to "hack" it and then going back and tweaking the design.
Well, I've put a LOT of hours into this, and I would really like to reap some benefit from it... I do FOSS from time to time, and I've put some things out there over the years, but this one is one I'd like to get something back out of...
I have trusted peers checking my work currently. I am looking for some security experts (and in the meantime, I'm reading all of the security books I can get) that will do it at no or minimal cost.
That's the "secret sauce" so to speak of the library. Like I mentioned in a previous post, I have been working with other expert software developers (who are close friends of mine) on code reviews, in-house testing, etc. I don't have the money for expert security people yet, but I am working on other avenues on testing the security of the protocol. I've been working on this library for the past 2 years...
I am looking forward to that. Unfortunately, as a one man shop, I don't have the money to pay experts. I am offering free licenses to the library (with the applicable NDA) for the first 20 or so medium size businesses that want to give it a trial run. I am also working with the company that I work for (my day job) to see if they will sponsor the testing / trial of the software with some of their clients. Additionally, I have many software professionals as friends whom I have asked to do code reviews and in-house trials.
One more nail in the coffin... (See http://nearlyperfectsoftware.com/secureajax.html for other hacks). Good thing I'm working on a protocol and libraries / utilities that can be used to replace it for all of my work, and my clients... Starting with a secure Ajax framework, then on to things like POP, IMAP, SMTP, FTP, Telnet, etc. Should be cool once I get them all done.
They will be "looking at" China developing a space program, as well as India.
Like it said in the Tom Lehrer song... "And I'm learning Chinese, says Wernher von Braun"...
It seems that like everything else in this country, we're outsourcing our space program to China and India... Go Figure
This is why we can't have nice things. Companies won't audit themselves, and they get bent out of shape if others do it for them...
I pray, in the name of developers everywhere, that Google wins. If not, our industry is screwed!
I do that anyway when I get a machine or when I upgrade it.
Obviously, this person has no clue as to how the internet, or software works...
Sounds like most of the projects at my last job. As well as some at my current.
This is why I refuse to fly, and will not take my family on a vacation where we would have to.