Admin
Now that is some Enterprise-ready code.
Admin
What kind of auditor is this? Most auditors I've encountered just say things like "your passwords aren't being changed every 30 days."
If you ask "why 30 days and not 90?" they reply "because that's what it says on my checklist here."
Admin
Wow, some intern, and some auditor!
Admin
Perhaps we should do like yesterday and write our own story endings.
Santosh figured he could endure one more question before he simply had to go. Go, as in leave the room. Or, as in, well, go.
The auditor seemed to be a mind reader...
Have you considered what will happen under high pressure situations?
Some transactions are so urgent they can't wait for delays like this, wouldn't you agree?
What is your defense against overflow conditions?
You seem to understand setters and getters, but do you have any experience with wetters?
Admin
So the real WTF is not going to the lavatory immediately before the code review? That's Meeting 101.
Admin
It reminds me of a novel I read some time ago (can't remember what, might have been Michael Moorcock) where it was pointed out that the protagonist was fairly desperate to void his bladder. And that was the last time the matter was mentioned. For the whole of the rest of the book your legs were crossed for the poor guy.
Admin
Talk about a high-risk target! And it didn't exist, until the auditors forced it on me.
Admin
The real WTF is that this actually seemed to work... And the unexpected twist is that the auditor wasn't a WTF. Totally caught me by surprise.
[edit: are there any other cases at all where someone posts their own WTFs?]
Admin
First rule of audit inspection is let auditor find thing for herself. Don't dig yourself in hole or put axe on your own foot.
Admin
TRTWF is the SQL injection.
Admin
Suddenly the president's sick daughter walked in.
"But we thought you died!" exclaimed the Auditor.
"I did" she replied.
Suddenly there was piss everywhere.
Admin
Correct as great swami always say - He who can hold bladder for longest time will win argument. That is why women win most arguments.
Admin
And fun fact: there's never actually been a study done to see if frequent password changes actually improve security. And there's no reason to think it would: at best, you're revoking an already compromised password. But on a 90 day password cycle, that means you have an average of 45 days of unfettered access. On a 30-day password cycle, it's an average of 15.
And what's the average amount of time an attacker needs to exploit a compromised password? I'm sure it varies, but I can guarantee that the number isn't measured in days.
It's cargo-cult logic.
Admin
requestQueue.take() is non-blocking and will not wait for something to be in the queue. It seems it will fail as soon as there are no requests waiting. Since it catches and logs the exception and continues in the while(true) loop, this function will run at 100%, working at logging as many errors as possible, until there is a new request to handle.
Admin
There is one PWC company in India that come and run script against your database so auditor don't want to have to ask useless question like that one.
Admin
Except requestQueue.take() IS blocking, just as it says in the article. So what I described was only hypothetically true, also known as false.
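The two comments above describe the difference between a blocking take (the article's requestQueue.take()) and the hypothetical non-blocking variant that would spin and log an error on every iteration. The following Python stands in for the Java BlockingQueue: Queue.get() plays the role of take() and Queue.get_nowait() the role of a non-blocking poll that raises instead of waiting. This is an added example, not code from the article or the commenters; the request strings, the STOP sentinel and the function names are constructed for the demonstration.

```python
import queue
import threading
import time

STOP = object()  # sentinel that ends either consumer loop cleanly


def consume_blocking(request_queue, handled):
    """Consumer loop as the article's code is described: get() (take() in Java)
    blocks until a request is available, so an empty queue costs no CPU."""
    while True:
        req = request_queue.get()  # blocks; returns only when an item arrives
        if req is STOP:
            return
        handled.append(req)


def consume_spinning(request_queue, handled, error_log, max_seconds):
    """The hypothetical variant from the comment: a non-blocking take inside
    while(True) whose 'queue empty' exception is caught, logged and ignored.
    With nothing queued it spins, logging one error per iteration, until a
    request shows up. max_seconds only bounds the demonstration."""
    deadline = time.monotonic() + max_seconds
    while time.monotonic() < deadline:
        try:
            req = request_queue.get_nowait()  # raises queue.Empty instead of waiting
        except queue.Empty as exc:
            error_log.append("take() failed: %r" % (exc,))
            continue
        if req is STOP:
            return
        handled.append(req)


def run_blocking_demo(requests, idle_seconds=0.05):
    """Leave the queue empty for idle_seconds, then feed the constructed requests
    to the blocking consumer. Returns the list of handled requests."""
    q = queue.Queue()
    handled = []
    worker = threading.Thread(target=consume_blocking, args=(q, handled))
    worker.start()
    time.sleep(idle_seconds)  # the worker just waits here, no log spam
    for r in requests:
        q.put(r)
    q.put(STOP)
    worker.join()
    return handled


def run_spinning_demo(requests, idle_seconds=0.05):
    """Same feed for the spinning consumer. Returns (handled requests, number of
    error lines logged while the queue sat empty)."""
    q = queue.Queue()
    handled, error_log = [], []
    worker = threading.Thread(
        target=consume_spinning, args=(q, handled, error_log, idle_seconds + 5.0)
    )
    worker.start()
    time.sleep(idle_seconds)  # the worker burns a core logging queue.Empty
    for r in requests:
        q.put(r)
    q.put(STOP)
    worker.join()
    return handled, len(error_log)


if __name__ == "__main__":
    sample = ["req-1", "req-2", "req-3"]  # constructed requests
    print("blocking handled:", run_blocking_demo(sample))
    handled, errors = run_spinning_demo(sample)
    print("spinning handled:", handled, "errors logged while idle:", errors)
```

Both consumers end up handling every request; the difference is the error count the spinning one racks up in a fraction of a second of idle time, which is exactly the "logging as many errors as possible" behaviour the first comment imagined and the second one ruled out for the real take().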
Admin
I will await the continuation of this story tomorrow when we add the next setup that wasn't concluded.
seriously, if no one else does it tomorrow, I'll do it myself.
Admin
So we conclude that TRWTF is the object-oriented programming terminology of SmallTalk (or maybe SmallTalk itself, not sure).
In ST, you see, the terminology is that one object sends a (named) message to another, possibly with parameters, and the other handles the message by dispatching the parameters to a matching-named method.
Other languages, like C++, say, dispense with all that and merely invoke the method directly (or via a hidden method pointer in the case of overrideable methods called against pointers or references).
This last brings me to an interesting and slightly non-obvious question: in what circumstances are virtual methods of C++ objects called directly without passing via the dispatch process?
Answers on a postcard...
Admin
Captcha: ideo, as in "don't give away any ideo before knowing what's happening".
Admin
He didn't post his own WTF. Snoofle (author) is the auditor.
Edit: oh well, snoofle beat me to it
Admin
So, fire the guy? Why just tell him he's doing good to his face and then mock him on the internet?
Admin
Santosh was obviously from India and "cheap" labour for this company.
I guess they get what they paid for.
Most companies wouldn't realize their mistakes by outsourcing development to third world countries where the "senior" developers are actually interns like this clown. They would find out once the software was deployed to production and their maintenance costs (being handled by the same outsourcing company) are 10 times what they should have been.
So much for saving money.
Admin
How about if the hashes (especially salted ones) are compromised instead of the passwords themselves?
As for what I think on the topic, I prefer a large password size and no cycle to a <10 char password with rotation.
Admin
That's where I keep getting all these stories!
Admin
Note to self: try to avoid working for snoofle. Secondary note: if you fail to avoid this, keep your code clean.
Note to snoofle: warn the boss about constructive dismissal.
Admin
I don't find anything wrong with the code.
Admin
I love that the articles are being refactored ... Brillant!
Admin
There are auditors and then there are auditors.
I work for an organization that has to be accredited. We just switched accrediting organizations, from one here in the U.S. to one out of Europe.
We were warned they might drop by our office, which is...not centralized. We get that warning every time the auditors are in town and someone said something about that "never having happened" before and I responded that, with auditors out of Europe, they were likely to audit (as in doing real work) which meant: "Who knows where they'll show up?"
Then someone else spoke up, saying that was right, because, "The auditors already visited a [remote supply warehouse where no auditor has EVER visited before]." And not only that, but the auditors discovered an omission at that warehouse that has been omitted for 20 years...and made the organization fix it.
See, some auditors are lazy, and ask lame questions like, "How come you don't change your password enough?" Other auditors are not afraid of work and will actually visit remote places, or tear apart your code and expose every drop of poor quality to the light of day.
But that doesn't mean you should be afraid of good auditors (except at the IRS). Good auditors are there to find deficiencies and show you how to do better, and you should be afraid only if you have an aversion to doing better.
Quite a few WTF's related here could stand a review--and exposure--by a good auditor. (Wait...that means...good heavens we ARE auditors!)
Admin
Yes the biggest problem with the education system is its stress on individual effort. There is nothing more upsetting than to find that a recent grad spent a week working on a problem which is already solved in your code base. Homework is for school, not the real world. Ask before you do things on your own.
Admin
+1
Admin
Anyone who claims to be in the security field and can't take you through an informed discussion of various risks, attacks, defenses and their relative ranking doesn't deserve a nickel of their pay. "Checklist" auditors need to start following janitors around, or something.
Admin
Yes I can google it. I'm looking for less than 234,521,754 pages of answers.
Admin
After that, I resigned in disgrace and felt obligated to commit ritual suicide. My family in India starved when the money stopped coming in, but it's OK because it gave the family living in the adjacent cardboard box some fresh protein to eat.
I thought I was doing great! I mean, the code compiled. Do you have any idea how much effort I put into getting just that far?
Admin
[1] It isn't actually guaranteed that these two characteristics are both present. Either may be present without the other. If I had to choose one for a colleague to be (i.e. smart XOR competent), I'd prefer competent-but-not-stellar-brains to smart-but-sloppy.
Admin
Upsetting because you could have avoided it by asking for their status each day.
Admin
Protip: every time you have to say this, it means your joke failed.
Admin
Nagesh got a +1?
Admin
Password validation algorithms force password generation algorithms. Here's mine:
1. Pick a word whose letter count is greater than 2x the number of previous passwords the algorithm remembers.
2. Pick a separator character sequence that includes whatever characters the password validation algorithm requires (one special character and two numbers, for example).
3. Spell the first two letters of the word chosen in #1 phonetically (e.g.: Alpha Bravo).
4. Insert the separator sequence between the two phonetics.
5. When password change time comes, use the next two letters in "the word", and the same separator characters.
Saves me from trying to remember a new password every 30 days, and is "unique enough" to pass the automated filter. All I have to remember is the original word and the separator sequence.
Admin
It's pretty secure as I can't even remember them unless I'm looking at a keyboard, but trivial to type. And even when I tell someone what the current password is, they invariably get it wrong.
The best part is all you have to remember is the starting character and which way to zig-zag.
Admin
That means that if you do somehow get the password, the average time in which it is useful is half the forced password change time, assuming that when you get it is independent from when the change happens. (such as by keystroke logging)
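The comment above, and the earlier one arguing that 90- and 30-day cycles leave an average of 45 and 15 days of access, both rest on the same model: the password is stolen at a moment independent of the rotation schedule, so the residual validity is uniform over the cycle and averages half of it. The added Python below works that model through and adds the caveat raised earlier in the thread, that an attacker who uses the password within hours is barely affected by either cycle. It is an example written for this page, not code from the article or any commenter; the function names, the 2-hour attacker delay and the trial count are constructed for the demonstration.

```python
import random

HOURS_PER_DAY = 24


def expected_residual_validity_days(cycle_days):
    """Expected days a stolen password stays valid when the theft happens at a
    uniformly random moment inside a rotation cycle of cycle_days: cycle_days / 2.
    This is the 45-day (90-day cycle) and 15-day (30-day cycle) figure from the thread."""
    return cycle_days / 2.0


def still_valid_probability(cycle_days, attacker_delay_days):
    """Probability the password is still valid when the attacker first uses it,
    attacker_delay_days after stealing it, under the same uniform-theft model.
    Rotation only bites when the delay is a noticeable fraction of the cycle."""
    if attacker_delay_days >= cycle_days:
        return 0.0
    return 1.0 - attacker_delay_days / cycle_days


def simulate_residual_validity_days(cycle_days, trials, seed=1):
    """Monte Carlo check of expected_residual_validity_days: draw theft times
    uniformly within one cycle and average the time left until the forced change."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        theft_time = rng.uniform(0.0, cycle_days)
        total += cycle_days - theft_time
    return total / trials


def rotation_summary(cycle_days, attacker_delay_hours):
    """One row of the comparison the commenters are making, for a given cycle and
    a constructed attacker delay expressed in hours."""
    delay_days = attacker_delay_hours / HOURS_PER_DAY
    return {
        "cycle_days": cycle_days,
        "expected_residual_days": expected_residual_validity_days(cycle_days),
        "p_still_valid_at_first_use": round(
            still_valid_probability(cycle_days, delay_days), 4
        ),
    }


if __name__ == "__main__":
    # Constructed scenario: attacker acts 2 hours after a keystroke-logger capture.
    for cycle in (30, 90):
        print(rotation_summary(cycle, attacker_delay_hours=2))
    print("simulated mean residual validity, 90-day cycle:",
          round(simulate_residual_validity_days(90, 20000), 2))
```

The residual-validity figures reproduce the thread's 45 and 15 days, while the probability column shows that with a two-hour delay both cycles leave the stolen password usable more than 99% of the time, which is the point the thread makes about attacker timing not being measured in days.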
Admin
Carry on.