|
sergio_ykz wrote: infallible validation using Javascript
var pope = new Pope();
pope.setExCathedraMode(true);
var inquisition = pope.createInquisition();
var result = inquisition.interrogate($("form"));
if (result.isHeretical)
pope.excommunicate($("form"));
pope.setExCathedraMode(false);
|
|
|
|
|
|
On the other hand, it makes it easier to go back to the original someday. :p
|
|
|
|
|
I have often written a change request with the expectation that it will get switched back to the original when the user realizes that it isn't really what they want. However, I comment out the old line(s) and and new code, not try to shove a square peg into a round hole.
Just because the code works, it doesn't mean that it is good code.
|
|
|
|
|
sergio_ykz wrote: They start coding and stop thinking? Yeah, they still don't get all that multithreading stuff.
Greetings - Jacek
|
|
|
|
|
Maybe they were thinking of the Mayan calendar. Pretty soon DateTime.Now will not parse.
|
|
|
|
|
This[^] VS 2010 issue had been finally fixed and shipped with a SP1.
Horror: Someone had revealed it...
At least it was found in commentaries...
Greetings - Jacek
|
|
|
|
|
But what was even worse, they had to release a hot fix for SP1 as it caused more issues than it fixed !!
#VisualStudio2010WorstEver
|
|
|
|
|
... and all of them are "important"
Ah, by the way, I do not agree that VS 2010 is worst ever. Actually, I like it more than all previous releases, because blah blah etc..
Greetings - Jacek
|
|
|
|
|
|
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too.
The largest Dutch ISP has not yet learnt how to securely store a password.
No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8[^].
Tweet is in Dutch. Translated;
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell
|
|
|
|
|
Recently, I stopped using online money transferring for the same reason, I am very poor to loose money over their stupidity.
|
|
|
|
|
Eddy Vluggen wrote: they claim that they're "encrypting passwords" in UTF-8
|
|
|
|
|
And here I was thinking encryption involved some magical "keys" and whatnot. Good to know that it's not all that complicated.
|
|
|
|
|
Wow, I'm impressed. Brand new encrypting technology - UTF8 But it's not strong enough (like Latin1 as well). I strongly recommend to use something like UTF32. You know, additional 24 bits make it harder to decrypt. Or they could just use Japanese or Arabic characters. This will mislead an intermediate european or american hacker.
|
|
|
|
|
UTF-8: Unexpected Technical Fault-8
|
|
|
|
|
There is no icon large enough to represent my feelings about this one. A professional hosting company should not be making that mistake.
|
|
|
|
|
But perhaps one of their clueless drones in support?
I'm invincible, I can't be vinced
|
|
|
|
|
Stats would say that only 500 addresses and passwords are "in the open", with the hackers claiming that they stole 16Gb worth of data.
News said that 225000 people (out of 2 million) have changed their password "already".
..damn, we're fast acting people 'ere, with all our modern technologies
Bastard Programmer from Hell
|
|
|
|
|
It is getting worser. After changing your password they'll send you the username and new password by snail mail. And the password is readable without opening the envelope.
|
|
|
|
|
This isn't actually as much of an epic fail as it appears, since users will presumably change their password immediately upon receiving the letter, so interceptors can only use the password for maybe a day. Considering they've already been hacked in plain text, that's not so bad.
It is stupid and symptomatic of a complete failure of security policy, definitely, and pretty shameful. But, imo, not as bad as storing the passwords in plain text in the first place.
|
|
|
|
|
This is a after a password change, not a password reset.
They send you a letter every time you change your password, not only the first time.
And one of the passwords is also used for account management, so this is really bad in my opinion.
|
|
|
|
|
Oh, okay, then I retract my comment, heh. I assumed this was something they'd sent as a one off in response to the hacking. That is spectacularly stupid, so much so that I hadn't even considered it as a possibility for what you meant.
|
|
|
|
|
The place I used to work at would send out the protected product and the unlock code in separate mailings for security sake.
Management decided to do a major update that required sending out new product and unlock codes. They came to us saying they had already designed the custom mailing package that would include both in one. We tried in vain to convince them that the only time product and unlock codes came within 5 feet of each other in normal production would be only if the person carrying the product happened to be walking past the person carrying the unlock letters. There was no mechanism in place to tie them together and it had purposely been designed that way for security reasons.
But the new packing material had already been ordered and was on the way so we had to come up with something. Heaven forbid management making a mistake of not seeing how and why things were the way before they went off and committed to doing something that violated all the security mechanisms that had been put in place to protect the product.
|
|
|
|
|
The fact that the password can be retrieved even 1 millisecond after it is set indicates a complete lack of knowledge on secure data storage. Snail mail, e-mail, it's outrageous that the password can be sent at all.
I am NOT AT ALL concerned about UTF8 being used, but I am concerned about HOW it is used. The fact that "secure" measures were implemented immediately after the hack was found indicates there aren't secure measures available, period.
Say “password” is your password. (I know, it's really bad that it is an allowed password.)
You type password on your SSL site, the public key encrypts it and sends what looks like garbage on the net across to the service, the private key the service knows decrypts it back to password. It then sends “280938dkl;sideruos,xa]s[04938udkj.fhwsyJFLGJDK09sjdklkeru.xx” as the (bogus example of an) encryption key to the database. “password” is never stored anywhere.
The service and the database are on a private internet connection, so the key is never exposed. UTF8 is used to define the key. You don't need to even store the encryption key, but if you don't, when the customer forgets his password, all his data is lost forever.
So, on his account table, you store the encryption key as an encrypted field using a “secure” company password
It takes time to set up that kind of secure process if it isn't in place. The fact they “fixed” it so quickly means they don't plan on really fixing it, ever.
|
|
|
|