It's unfortunate, but the companies have basically made this market a viable option for white-hats looking to solve security issues. It helps protect them against being sued, and they also get money to boot.
We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and only then how to program.
This theory can be applied to so many things when it comes to programming and designing. Many web applications are designed by designers, and security is never a consideration. Security awareness is increasing though, but it will take time to spread this knowledge through the industry.
The average user doesn't have the know-how to do that. Normal users freak out if they see that they have to accept a certificate - to them, it means their computer is about to burst into flames and hacker ninjas are going to come through the window and steal their credit cards. Also, there still isn't anything stopping one of the few CAs you created exceptions for from being tampered with.
"This is Anonymous"
"That wasn't Anonymous, just someone claiming to be!"
"Anon here, don't listen to them, they are not Anonymous"...and so on into infinity. Anonymous can be anyone, and can be an individual or group. There is no one single "Anonymous", hence the name. Unless they're blowing up a van on the news. That's Anonymous.
The idea of shorter password intervals is to protect against guessing attacks, and attempts to crack the password. In reality, it would normally take much more than 30 days to crack a good password that is encrypted well, but unfortunately, too often those two requirements aren't met.
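The "much more than 30 days" claim above is easy to put numbers on. The following is an added example, not code from the original post: it estimates the expected brute-force time for a uniformly random password given the character set, length and the attacker's guess rate, and asks whether that time exceeds a rotation interval. The guess rates are assumptions for illustration (roughly an unsalted fast hash such as MD5 on a GPU rig versus a deliberately slow KDF such as bcrypt with a high cost factor); substitute your own benchmarks.

```python
import math

SECONDS_PER_DAY = 86400

# Assumed attacker guess rates (guesses per second) for illustration only.
FAST_HASH_GPS = 1e10   # e.g. unsalted MD5 on a multi-GPU rig (assumption)
SLOW_KDF_GPS = 1e4     # e.g. bcrypt with a high cost factor (assumption)


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password drawn from charset_size symbols."""
    return length * math.log2(charset_size)


def expected_crack_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected days to brute-force a random password.

    On average the attacker searches half the keyspace before hitting the password.
    """
    expected_guesses = (charset_size ** length) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_DAY


def survives_rotation(charset_size: int, length: int, guesses_per_second: float,
                      rotation_days: int = 30) -> bool:
    """True if the expected crack time exceeds the rotation interval.

    Rotation only helps when the crack time is comparable to the interval: if it is
    far shorter, rotation merely re-opens the window; if it is far longer, rotation
    adds nothing the password itself did not already provide.
    """
    return expected_crack_days(charset_size, length, guesses_per_second) > rotation_days


def report(label: str, charset_size: int, length: int, gps: float) -> str:
    days = expected_crack_days(charset_size, length, gps)
    verdict = "outlasts" if survives_rotation(charset_size, length, gps) else "falls inside"
    return (f"{label}: {keyspace_bits(charset_size, length):.1f} bits, "
            f"~{days:.3g} days to crack, {verdict} a 30-day rotation window")


if __name__ == "__main__":
    # Constructed scenarios: weak policy (8 lowercase letters) vs a strong one
    # (12 characters from the 95 printable ASCII symbols), under each hash type.
    print(report("8 lowercase, fast hash", 26, 8, FAST_HASH_GPS))
    print(report("8 lowercase, slow KDF", 26, 8, SLOW_KDF_GPS))
    print(report("12 printable, fast hash", 95, 12, FAST_HASH_GPS))
    print(report("12 printable, slow KDF", 95, 12, SLOW_KDF_GPS))
```

With these assumed rates, the eight-character lowercase password under a fast hash is recovered in seconds, so a 30-day rotation buys nothing; the same weak password under a slow KDF already outlasts the window, and the twelve-character password does so by eight orders of magnitude either way. That is the point of the comment: the hashing scheme and the password quality decide the outcome, and rotation is a poor substitute for either.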
I would say that this COULD reduce security to an Android level on a case-by-case basis, but since it isn't nearly as widespread, it isn't the wild west yet.
So, what you're saying is that you could just 'forget' to include some details in order to bypass them finding anything suspicious? I imagine that some inspectors would find issues, and others wouldn't. If you submitted a few applications, I imagine you could get away with injecting something malicious.
That being said, at least there is an app review process...
Unfortunately, just clicking the checkbox counts as accepting.
EULAs are meant to cover the company's ass in every possible way, so they're pretty painful sounding. Everything written in the EULA isn't necessarily something that will happen.
Yeah, but, it isn't cool to talk about those security problems. Only Microsoft ones.
People seem unaware of the fact that email is sent in plaintext. They figure since you log in to get it, it must be secure!