by technion
1988 days ago
> Anyway, it’s been a while, the world is a different place now, and maybe Hanlon’s razor cuts deeper than I thought.

I don't think people give credit for just how deep this actually does cut. On one project I worked on, which stored obscenely sensitive information, their product manager gave a speech about password security and told us he had a better algorithm than bcrypt. You couldn't explain why this was a bad idea - he wasn't taking feedback. When it landed, I found they had botched the algorithm so this "sql injection detection code" basically changed every character to a ' mark. You just needed the right number in a password and it would always match.

So I logged a bug, used it to push that they just use bcrypt, and I got a big story about how he knew exactly what he was doing and he would fix the bug. It was "fixed" for a few days. Apparently what happened was, the developer didn't know how to use git properly and copied an older file on top of the repo and brought the bug back. After it was known, disclosed, and everyone was told it was fixed.

The algorithm turned out to only handle a-z, and every other character was left in place. So I went through this again. Same speech about incredibly great design. They could have easily snuck a backdoor in because I never looked at 90% of the code, but this ongoing nonsense was 100% Hanlon's razor.