Facebook Alternative Releases Source Code
 
#8
ya, he pretty much hit the nail on the head.

I want to make it clear, I don't think the developers are incompetent. I just think they tried to tackle a very complicated problem with a set of software tools designed to help with quickly implementing ideas.

These are guys:

1) without much experience in the field (something I don't blame them for).

2) trying to come up with an alternative to a dominant platform (something I don't blame them for).

3) using an automated build environment without knowing what it hides / covers up (something I want to blame them for but can't).

4) who never asked anyone with security experience for help, or never listened to the response (something I do blame them for).

4a) because anyone worth their chops should have said 'you don't know enough, get someone who does/let me help'.

Security (especially when you are dealing with other people's personal information) is not a simple thing. It's complicated, nuanced, deep, and you are dealing with hostile entities with far too much time on their hands.

In order to get it right you have to understand how your own system works (#3), and what the vulnerabilities are of each layer.

You need to assume that any input you get from a different layer of your system might have been compromised, that any and every user you have is a Greater Internet Fuckwad who wants nothing more than to screw with you or other users.

When you assume that everyone is out to abuse your system, you tend to build things that compartmentalize the damage that can be done. You trust, but validate, inputs and returns.

You make assumptions about things, but understand what those assumptions are, and how they can interact with other assumptions elsewhere.

I know I don't know enough about it. I'm certain that I am in the 'conscious incompetence' group when it comes to the majority of security systems.

And it pains me to see such a promising project attempt to add on security like spackle over gaps in their foundation.
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy


Messages In This Thread
[No subject] - by sweno - 09-17-2010, 05:15 PM
[No subject] - by Bob Schroeck - 09-17-2010, 06:55 PM
[No subject] - by Bob Schroeck - 09-20-2010, 02:50 PM
[No subject] - by sweno - 09-23-2010, 09:08 PM
[No subject] - by Black Aeronaut - 09-24-2010, 05:00 AM
[No subject] - by Bob Schroeck - 09-24-2010, 02:48 PM
[No subject] - by sweno - 09-24-2010, 05:41 PM
[No subject] - by Sofaspud - 09-24-2010, 07:31 PM
[No subject] - by Morganite - 09-24-2010, 07:41 PM
[No subject] - by sweno - 09-24-2010, 08:32 PM
[No subject] - by Morganite - 09-25-2010, 06:35 AM
