- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
C:\TempFiles\DeleteThisFrist.txt
Admin
Are we sure this was not an offshored development for Elbonians to remotely "diagnose" problems later (whistles nonchalantly whilst exiting left)
Admin
I wonder if there was another web app with debug code to create DeleteThisFile.txt and create a back door?
Admin
The function GetReplacementUser returns an empty string if there is NO Replacement user.... The calling code would be much more interesting... should be something link if (!IsNullOrEmpty(replacement)) current = replacement..... but I bet the conditional is not there...
Admin
User replacement is ironically what happened in many industries including software where previous users were replaced with new ones.
Admin
My guess is that the developer who wrote this function wasn't completely incompetent, but was incompetent enough to be dangerous. Not completely incompetent, because they recognized that there was a security problem with the user impersonation, but incompetent enough to think that security-by-obscurity was the correct solution to the problem.
Admin
Seriously... Is not ALL security actually "security-by-obscurity"... We put a physical lock and key because lock picking skills (for a given grade of lock are "obscure"... Most key (PGP et. al.) are because the right value is obscured by 10^xxx incorrect ones, and it takes time to weed them out - but quantum can remove that "obscurity".
Admin
This example is missing something critical to make the negative result of String.Empty a WTF:
The method is private, so it is in this class called either isolated from the rest of the code or only a part of a public/protected method. To get a full picture and judge the return value, we would need to know what is going on in the calling method.
Admin
Im not sure that the vbnet link in the article does what Remi thinks it does.
Admin
I got two files, FeatureConfig.h and DebugConfig.h. There are hacked debug features, but controlled from the DebugConfig header file. Nothing undocumented. And everything written cleanly and carefully.
For example, if I got a bug report that users with forty character names have display problems, there would be a property “displayName” and that could be affected by DebugConfig.h - but I can guarantee it would only affect the display, not any functionality.
Admin
I'd agree "security by obscurity" isn't necessary the bogeyman some make it out to be - if enough effort is made to ensure that reverse engineering the algorithms used takes longer than the amount of time they're being used for, it can still be justified. That includes hard coded keys. But too many times software with a long lifetime (5+ years) unrealistically relies on the fact that nobody will bother to do that reverse engineering in that time - even though once it's done that software is no almost certainly no longer secure. Certainly copyright/ license protection for many games used to rely on that principle (it typically took me less than a day to disable it for most ones that I could be bothered with!).
Admin
Surely he should have restored the allowlist file of users. Someone must have deleted it by mistake
Admin
"I frequently write bad code. I mean, we all do, but I frequently write bad code with full knowledge that it's bad, because I first want to test out an idea. Or, I want to inject some additional behavior just for one run, because I'm trying to debug something."
I wouldn't call that bad code. It's only bad if you commit that to production knowing that you'll never refactor it.
Admin
Relying on the fact that most people will be unable to pick a lock isn't security by obscurity. Security by obscurity would be hiding the key under the door mat and assuming nobody will look for it there.