by cipherpunk 5407 days ago
But of course. Preaching to the choir.

Management made the decision that my trivial change to eliminate replay attacks was "too much effort". I am inclined to agree, since even with such a change the effort required to circumvent their entire so-called security is minimal.

Next quarter they're introducing e-commerce solutions. Dear god.

1 comment

One might argue that, if an unnamed company's e-commerce solution would put a lot of people at risk, and an unnamed engineer can prove it, that unnamed engineer has an ethical obligation to discreetly report the vulnerability first to the unnamed company, then to successively more influential and more public venues (e.g. consumer protection groups, security research groups, etc.), until the company responds.
One might argue that such a course of action will simply get the engineer pointlessly fired.