Slashdot Mirror


User: buddyglass

buddyglass's activity in the archive.

Stories
0
Comments
2,073

Comments · 2,073

  1. Re:The recommendations in TFA on Mobile Banking Apps For iOS Woefully Insecure · · Score: 2

    I'm not arguing that obfuscation and anti-debug techniques are sufficient; I'm arguing that they aren't completely useless. Take whatever other security measures make sense and then turn on obfuscation and anti-debug on top of that just to dissuade "casual" (read: lazy) attackers.

  2. Re:The recommendations in TFA on Mobile Banking Apps For iOS Woefully Insecure · · Score: 1

    But I make great smores!

  3. Re:feedback on Mobile Banking Apps For iOS Woefully Insecure · · Score: 1

    I've banked online for a while now and have never had any sort of JS based attack. Ran XP for a long time and OS X for the past couple years. Firefox on both platforms.

  4. Re:Will someone please stop the anti-jailbreaking on Mobile Banking Apps For iOS Woefully Insecure · · Score: 1

    If you're capable of inserting code to intercept credentials and email them somewhere then why can't you just excise the jail break detection code? Seems like this probably isn't the sort of attack jailbreak detection is designed to prevent. I'm instead imagining a scenario where a user's OS has been modified w/o his or her knowledge in such a way that it snoops on legitimate unmodified apps. Maybe the user bought the device used from "some guy at the car wash". He then proceeds to install his banking app. If the app doesn't detect the jail break and happily runs as normal then the user gets snooped on by the modified OS code. If the app instead detects the jail break and exits immediately then the snoop code never gets the chance to do its thing.

  5. Re:You Must Be Crazy ... on Mobile Banking Apps For iOS Woefully Insecure · · Score: 1

    If I handed you my phone w/ the app loaded and me logged in there's still not much damage you could do. You could transfer money between my accounts. You could deposit checks into my accounts. You could potentially pay my bills if I had payees already configured. (Typically you can't configure new payees via the app.) So you could inconvenience me, but you couldn't take any of my money for yourself or even get my full account number(s) since those are masked prior to being sent to mobile clients. Certainly your poring over my transaction history would be an invasion of privacy, but that's not quite the same as having one's money sent to a bank account in Siberia.

  6. Re:Will someone please stop the anti-jailbreaking on Mobile Banking Apps For iOS Woefully Insecure · · Score: 1

    My employer is considering offering our customers (banks) the option of turning on code in our apps that attempts to detect a jailbroken device and causes the app not to run. Our customers are all small, regional outfits, though; probably not big enough to merit much outrage.

  7. Re:The recommendations in TFA on Mobile Banking Apps For iOS Woefully Insecure · · Score: 1

    If you and your buddy are being chased by a bear you don't have to outrun the bear; you just have to outrun your buddy. Which is to say sometimes it's helpful to make it a sufficiently big PITA for a malicious party to hack your app relative to the effort required to hack someone else's. Someone who really wants to rob me will get past my locked door, but I still lock the doors to my house.

  8. Re:feedback on Mobile Banking Apps For iOS Woefully Insecure · · Score: 5, Interesting

    I'm responsible for the Android offering of one such vendor. We currently have about 140 small banks running some version of our app. We try to follow most of the security guidelines outlined in this article, but to give our customers added assurance we pay a security company to analyze the most current version of our app (and our back-end services) every six months or so. Not the one responsible for this article, though I imagine they're a competitor of the one we use. Was a good read. I forwarded it to my boss and the coworkers responsible for our iOS app.

  9. Re:not odd on Bill Nye To Debate Creationist Museum Founder Ken Ham · · Score: 1

    I'm envisioning someone who believes in young earth creationism but isn't familiar with Ken Ham. Post-debate they're a big fan of Ken Ham for fighting the good fight. Ken Ham's profile is raised. Maybe Ken Ham's organization gets some new financial contributors. Etc. Whereas previously they were just "someone who believes in young earth creationism in the abstract", maybe the debate energizes them to the point that they become an activist, lobbying school boards, state boards of education, etc. Of course, everything I've said about young-earthers and Ham also applies to evolutionists and Nye, so maybe it's a wash after all. Both men increase their sphere of influence among those who are already ideologically predisposed to their point of view.

  10. Re:not odd on Bill Nye To Debate Creationist Museum Founder Ken Ham · · Score: 1

    How do you figure? My contention is that there are people who are ideologically predisposed to agree with Ham for whom a cogent presentation of the facts will not be convincing but who are not yet familiar with Ham or his work. The debate, to the extent it's publicized, will generate publicity for Ham and potentially expose some of these folks to him for the first time.

  11. odd on Bill Nye To Debate Creationist Museum Founder Ken Ham · · Score: 2

    If Nye wants to minimize Ham's influence then debating him is probably not the right approach to take. It serves to increase Ham's popularity among the set of folks that's already ideologically in line with his position. I may be wrong, but I don't see many folks who are "on the fence" both 1) watching the debate and 2) being swayed by it. If anyone is swayed by it then it will most likely be due to the two men's "tone" rather than the actual facts they present during the debate. If Nye comes off looking smug, shrill and/or hostile to religion in general (as opposed to merely hostile to Ham's interpretation) then he may end up having the opposite effect of what he'd prefer.

  12. Re:Sigh... on New Study Shows One-Third of Americans Don't Believe In Evolution · · Score: 1

    I don't grant that all those guys would adopt your model of rationalism if they were teleported through time and space into the modern day and given time to absorb the scientific advances of the last four hundred years. In other words, I think most of them would persist in their "dumbness". In fact we don't have to wonder, because there are still brilliant people doing scienc-y stuff who nevertheless insist on a set of beliefs you find patently irrational. Which means they're "dumb", per your definition.

    You can make a cogent argument modern theists hold beliefs that are irrational and, in fact, false. However, I don't think you can credibly argue they're all "dumb". At least, not given the commonly understood meaning of that word. I might accept "psychologically unstable in a way that necessitates, as a defense mechanism, they ascribe meaning to what is otherwise meaningless". But that's not the same as "dumb".

  13. Re:Sigh... on New Study Shows One-Third of Americans Don't Believe In Evolution · · Score: 1

    See, that's what I mean. You've redefined "dumb" to mean "doesn't rely on rational thought and scientific inquiry on this particular question". That seems like an arbitrarily specific definition. Copernicus, Brahe, Napier, Bacon, Kepler, Mersenne, Descartes, Pascal, Boyle, Leibniz, Newton, Euler, Bernoulli, etc.? All "dumb". You, however, are presumably not dumb. Unlike that moron Euler.

  14. Re:Sigh... on New Study Shows One-Third of Americans Don't Believe In Evolution · · Score: 1

    I'm not sure that word means what you think it means. For example, I'm pretty sure there are folks that are demonstrably more intelligent than you (or me, for that matter) yet who nevertheless reject evolution. Are they "dumb"? Or have you redefined dumb to be "not 100% rational"?

  15. Re:In other news- 33% of Americans are not employa on New Study Shows One-Third of Americans Don't Believe In Evolution · · Score: 1

    I have no use for employers who lack basic logic and/or are over-reliant on hyperbole to make a point. "Rejects evolution" does not imply "can't pass 5th grade science". Not least of which because someone who rejects evolution can likely still figure out the answer he's expected to give and just parrot back that answer.

    Also, to anticipate one possible retort: my having written the above doesn't imply that I'm one who rejects evolution.

  16. in other news... on USB Sticks Used In Robbery of ATMs · · Score: 1

  17. Re:Bonuses and pay raises? on Tech Startup Buffer Publishes Every Employee's Salary, Right Up To the CEO · · Score: 1

    If seniority is part of the formula then that should create an automatic yearly pay raise.

  18. Re:Contribution? on Tech Startup Buffer Publishes Every Employee's Salary, Right Up To the CEO · · Score: 1

    How would you suggest doing that for a social media startup? Pay employees by total lines of code written?

    Employee B frequently misses deadlines based on his own scoping of the task. Employee A rarely does.

    Employee B's code is frequently the cause of serious production bugs. Employee A's code rarely is.

    Employee A often suggests solutions in technical meetings that are superior to what was currently being discussed. Employee B rarely does.

    Employee A is capable of quickly diagnosing and repairing code defects with little assistance. Employee B is rarely able to do this.

    It takes Employee A one week to implement code that performs a certain task. It takes Employee B two weeks to implement code that performs a nearly identical task.

    etc.

  19. Re:Norway on Tech Startup Buffer Publishes Every Employee's Salary, Right Up To the CEO · · Score: 4, Interesting

    Neither of those two things ("gross violation of privacy" and "is being used by criminals") necessarily implies that it is not "working out well for you". Perhaps the system creates benefits that (in some people's minds) outweigh those two negatives.

  20. Re:It's more like a stunt to me on Tech Startup Buffer Publishes Every Employee's Salary, Right Up To the CEO · · Score: 1

    That comparison already happens, only people make up the numbers in their heads. If my team lead is a shmuck then his being a shmuck is doubly irritating because I assume he's making way more than I am. In Buffer's model I know exactly how much more than me he is or isn't making. It seems like, from a psychological perspective, the formula is the key. You can be sure nobody is making more than his or her raw "stats" dictate. Nobody is being compensated at an "especially" high level because of perceived (yet illusory) productivity.

    What I see as the downside of this system is the incentives it creates. For one, if you're someone who's highly talented and productive yet doesn't have a lot of experience, you're not going to want to work at Buffer because your lack of experience will have a direct, negative impact on your salary. You'd be better off at another company that at least attempts to tie salary to productivity. The fact that Buffer's formula includes seniority also means you can have two employees with the exact same job, experience and productivity, and one will make more than the other purely because he's been with the company longer. That might piss some people off. On the one hand it motivates current employees to stay with the company because they know they're in line for automatic raises. On the other hand, it creates an incentive for Buffer to lay off employees with seniority when they can be replaced by equally productive new employees that are "cheaper" by virtue of their lack of seniority.

  21. Re:Trendy no more? on Ruby 2.1.0 Released · · Score: 2, Insightful

    Not to be snarky...but what I'm hearing from you is this: "Ruby and Python occupy the same niche and there's no compelling reason to prefer Ruby over Python". This seems to jibe with what the guy said who you were responding to: "Ruby adds nothing to the existing languages". If the only language that existed were C then I'd say that guy is full of shit because in that case Ruby would clearly "add something to the existing languages". But, given Python's existence, he kind of has a point. Python is more widely supported, has a larger base of developers, is generally thought to be a better "thought out" language in terms of design, and is well-suited to solving the same sort of problems Ruby is well-suited to solving.

  22. Re:Trendy no more? on Ruby 2.1.0 Released · · Score: 3

    Out of curiosity, excluding Rails, why would one prefer to use Ruby over...say...Python? Is there an area in which Ruby is widely regarded to be superior?

  23. Re:to be honest... on Netflix: Non-'A' Players Unworthy of Jobs · · Score: 2

    It's not a matter of training. Let me give an actual example. Meet Joe.

    Joe's official title is "enterprise architect" of a 25 person start-up with a mobile offering. He designed and wrote the back-end system that supports the company's apps. He also designed the database that sits behind that back-end system. Since the earliest days of the company he's managed equipment purchasing.

    Joe, despite his title, is not a very good developer. He has a CS background but is admittedly not good at the "theory stuff". He is a self-taught Ruby programmer. The server code is an utter mess. Absolutely no awareness of object-oriented design, even in situations that cry out for o.o.p. No use of or even knowledge of exceptions. When I did some work for the server team I wrote some code that used exceptions and he didn't even know they were part of the language. Twice Joe has deleted important data "by accident" on production systems ("rm -rf"). Moreover, Joe likes to insert himself into situations outside his official responsibility. For instance, he once asked the app team to slip an unplanned feature into a release because it would be a big deal to one of "his customers". He's not a product guy. He's not an account manager. He shouldn't have "special customers" for whom he's doing special favors. Joe is also the choke point for all hardware purchases. The app team has a requirement (and verbal permission from the CTO) to upgrade its antiquated build environment. There is a hard deadline for this imposed by Apple. App team's plan is to construct a parallel build environment on new hardware then use it as a drop-in replacement for the legacy system. However, this requires Joe to actually buy the hardware. It's not a priority for him, though, so he's not doing anything. At one point he wanted to buy one of the new Mac Pros and use it as the build machine. An app team member pointed out that the Mac Pros won't even be available until after our deadline has passed. This was news to Joe. The most likely outcome is for the deadline to come and go and the build machine to not be updated, creating a scenario in which the company is unable to produce new app store builds. Joe is also in danger of driving a couple of female employees to quit because of some borderline-inappropriate comments Joe made and the subtly patronizing way in which he interacts with women.

    We have a defect tracking system. The process is supposed to be that new tickets get assigned to a team lead who triages them and metes them out to someone on his or her team. Joe is the lead for the server team. Tickets assigned to Joe, however, are often not looked at for weeks. Even if they are, and are resolved, Joe never updates the ticket in the defect-tracking system so the creator has no idea it's been resolved. If you want Joe to do something you have to go to his office and sit in his lap because there's always something more urgent he's working on.

    In my opinion, the things Joe does that negatively impact the company's bottom line are not going to be fixed by "training".

  24. Re:HR industry is destroying the workforce on Netflix: Non-'A' Players Unworthy of Jobs · · Score: 1

    We can imagine the current U.S. citizenry falling on a bell curve in terms of productivity. Let's say the median person is a "100". The question is this: does bringing in a bunch of 130+ folks from abroad help or hurt the median citizen? Bringing in the 130+ guys will for sure raise the average productivity of the workforce. The 100 guy might be displaced by a 110 guy who was displaced by a 120 guy who was displaced by one of the incoming 130 guys. The 100 guy will take a job formerly held by a 90 guy. So on and so forth. This then argues for the necessity of economic / tax policy designed to create a way for lower-tier folks to do "something" to earn a paycheck and be productive in some form or fashion. Admittedly the current situation in the U.S. isn't very good in this regard.

  25. Re:to be honest... on Netflix: Non-'A' Players Unworthy of Jobs · · Score: 1

    What is your attitude toward coworkers who don't know what they're doing? Or do you dispute that such people exist?