Admin
Hey, give them some credit, they implemented localized labels (most of them) and took care of cursor switching. I know this is a bucket of crap but they sprayed some Chanel 5 around it.
Admin
The real WTF is the hard-coded master password! They are already doing auth against LDAP! How hard would it have been to go the tiny extra mile to test for group membership in SOMETHING_app_owners or similar, or even (and this would still be pretty bad in terms of audit trail) a shared administrative account?
Right now, if someone leaves the organization or changes job roles within it, they have to rebuild and redeploy the application, or accept the fact that the "super secret secure master password" isn't a secret anymore. Anyone want to guess, based on this 'standard' of authentication practice, as to whether they have the CI/CD process push-button enough that a redeploy to change a password like this is painless and quick and safe?
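The contrast the comment draws, as an added example that is not part of the thread or of the article's code: a login routine that grants admin to anyone who presents a compiled-in master password, next to one that binds against the directory and derives the role from group membership. The directory is a constructed in-memory dict standing in for LDAP, the master password value and user entries are made up, and the group name SOMETHING_app_owners is the one the comment suggests; `revoke_owner` shows that offboarding becomes a directory edit rather than a redeploy.

```python
import hmac

# Constructed stand-in for the LDAP directory the comment mentions:
# username -> (password, set of group names). A real deployment would bind
# against LDAP; this dict exists only so the example runs offline.
FAKE_DIRECTORY = {
    "alice": ("correct-horse", {"SOMETHING_app_users", "SOMETHING_app_owners"}),
    "bob":   ("battery-staple", {"SOMETHING_app_users"}),
}

# The anti-pattern from the article: a password baked into the binary.
MASTER_PASSWORD = "Sup3rSecr3tMaster"  # constructed value

OWNERS_GROUP = "SOMETHING_app_owners"  # group name taken from the comment


def directory_bind(username: str, password: str) -> bool:
    """Simulate an LDAP simple bind: True only if the credentials match."""
    entry = FAKE_DIRECTORY.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0].encode(), password.encode())


def directory_groups(username: str) -> set:
    """Simulate a memberOf lookup for the user."""
    entry = FAKE_DIRECTORY.get(username)
    return set(entry[1]) if entry else set()


def login_vulnerable(username: str, password: str):
    """Role as the article's pattern derives it: the compiled-in master
    password grants 'admin' to any username, bypassing the directory."""
    if password == MASTER_PASSWORD:
        return "admin"
    if directory_bind(username, password):
        return "user"
    return None


def login_hardened(username: str, password: str):
    """Authenticate against the directory, then derive the role from group
    membership. No credential bypasses the directory."""
    if not directory_bind(username, password):
        return None
    return "admin" if OWNERS_GROUP in directory_groups(username) else "user"


def revoke_owner(username: str) -> None:
    """Offboarding or a role change is a directory edit, not a redeploy."""
    if username in FAKE_DIRECTORY:
        FAKE_DIRECTORY[username][1].discard(OWNERS_GROUP)


if __name__ == "__main__":
    print(login_vulnerable("anyone", MASTER_PASSWORD))   # admin, with no directory record
    print(login_hardened("anyone", MASTER_PASSWORD))     # None
    print(login_hardened("alice", "correct-horse"))      # admin, via group membership
```

The hardened variant also gives the audit trail the comment asks for: every admin action is tied to a named directory account rather than to whoever happened to know the shared string.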
Admin
Oh, this reminds me of a health record application I once worked on. It supported multiple authentication methods: basic username/password (salted and hashed, thank you), LDAP, some government keycard thingie, and a bunch of others. These were all somewhat competently implemented.
Then there was the integration part for another health record application that needed to transfer data to our application. The other application could not be altered in any way. All it was able to do was launch another application with set parameters. So the way "authentication" was done was by reading the username from the command line. And nothing else. If you just gave a username as a command-line parameter, the software would 100% trust that information, log you in, write the username into legally mandated log files, and into all edited patient records.
We knew it was a bad solution, the developers of the other application knew it was a bad solution, and both parties knew not to even think about it if the customer was nearby.
Admin
If it helps anybody, then yes. Stick to VB.NET to make sure the damn thing works.
And then use ICSharpCode off GitHub or your standard MS Store in Visual Studio to convert to C#. Based on Roslyn. Works like a dream, with a few soggy patches.
Admin
Solid programming: if you're in an exception handler, assume the user speaks French!
Admin
Yikes.
At least it should be possible to write clear tests around it, though... oh no, wait a minute, it doesn't actually return anything, it does a bunch of UI stuff :(
Admin
Someone should have told the original developers not only that it is super easy to disassemble IL code even when obfuscated (cough ILSpy cough) but also that this isn't even required. You just have to use any ordinary tool (Process Explorer comes to mind) to list the string table of the executable or process and voilà, you have all string literals including the master password right there :-)
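The flip side of the comment, as an added example (not from the thread or the article): the same string-table observation turned into a build-time check, so a pipeline can refuse to ship an artifact in which a known secret survives as a literal. `extract_strings` pulls printable runs the way the `strings` utility does; because .NET keeps string literals in the #US metadata heap as UTF-16LE, it scans for UTF-16LE runs as well as ASCII ones, which an ASCII-only scan would miss. The byte blob `FAKE_ARTIFACT` and the secret value are constructed for the example, not taken from any real binary.

```python
import re


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return printable runs of at least min_len characters found in blob.
    Both ASCII runs and UTF-16LE runs (each char followed by a NUL byte)
    are collected, since .NET string literals are stored as UTF-16LE."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(blob)]
    return found


def find_leaked_secrets(blob: bytes, forbidden: list) -> list:
    """Return every forbidden value that appears inside some literal in blob.
    'forbidden' would come from the secret store / CI variables that must
    never be compiled in; here the caller passes a constructed list."""
    present = extract_strings(blob)
    return sorted({f for f in forbidden if any(f in s for s in present)})


# Constructed stand-in for a built executable: a header-ish prefix, some
# binary filler, an ASCII literal, and one UTF-16LE literal (as a .NET
# compiler would store it). Not a real PE file.
FAKE_ARTIFACT = (
    b"MZ\x90\x00"
    + b"\x00\xff\x10\x02" * 4
    + b"LDAP://directory.example\x00\x00"
    + "Sup3rSecr3tMaster".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x7f\x01" * 6
)


if __name__ == "__main__":
    # A CI step would fail the build if this list is non-empty.
    print(find_leaked_secrets(FAKE_ARTIFACT, ["Sup3rSecr3tMaster"]))
```

Running this against the artifact rather than the source catches the case the thread describes: obfuscation of the IL does not touch the literal, so the check still fires, and it fires before anyone outside the build pipeline can see the binary.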
Admin
I was reading the comments on one of these articles from a week or two ago and ran into someone quoting a quote from some guy saying that the C programming language was a virus that infected all systems etc. Basically some ancient rant from some computer scientist that disliked C due to its impurity compared to assembly.
But now I can't find the post or quote. Does anyone know what I am talking about and can you provide the quote for me?
Thank you.
Admin
Oh come on. They probably made the master password 123456. That's basically secure, because nobody would believe they'd be THAT far off track.
Admin
The true power move is to have the master password and admin username both be blank. As in nothing. An empty string. That way no matter how much you try and brute force it you can never succeed.
Admin
There is IL2Cpp; that would at least make code reading harder.
Admin
We used to use 123456 as the password for app versions installed by the developer, which never contained anything requiring any security. Connected to dev servers only anyway. Then someone observed that six space characters are quicker to type, especially on an iPhone keyboard.
Then we noticed that an iPhone password text field (replaces every character with a bullet) gets slightly confused when your password is all space characters. Just slightly.
Admin
Lét's jûst hòpé tħæt System.Text.Encoding.ASCII.GetString() wørkś ín Fränče ąs ịt dòeſ ěvёrýwherè ełsẽ.
Admin
I would definitely try this if I owned an iPhone. Can someone tell what it does that goes that poorly?
Admin
https://curtsinger.cs.grinnell.edu/teaching/2021S2/CSC213/files/worse_is_better.pdf
They weren't complaining about the language. They were talking about why they were so good for users.