"software developers"

A story popped up on Ars recently about a vulnerability in an image compression tool. A thing that takes uploads and reduces them from, whatever, you upload a 20-megapixel RAW file and it squeezes it to, like, a few hundred Kb so that it can be served out without chewing up bandwidth. Apparently, by embedding a source url that is trailed by a semicolon, terminal commands following the semicolon could be caused to run, allowing the server to be commandeered.

So, what the ever-loving-fuck???

What is wrong with these dumbshits? Why in the hell do they expose a simple embedded url to the terminal? To save twenty minutes of coding? That they will end up having to write anyway? Because there is a one in a million chance that someone will discover their sloppiness – across an internet with hundreds of millions of users?

Do these “developers” even have the slightest idea what they are doing?

In 1980, we (the public) had very small computers that required a lot of tricks and short-cuts to be functional. One computer of today has more processing power than was available to everyone combined 35 years ago. We no longer need to rely on super-elegant code to make them function well – in fact, that kind of code is worse on a bigger machine. And yet, those old habits seem to persist.

Most of the exploits that plague us are due to bad coding. Buffer overflows? Who the fuck puts a buffer on the call stack? That shit should have been gone before it even started. The notorious malformed IIS command that caused a predictable crash, allowing the sender to take control of the server? That is inexcusable. A bad command should be failed-out by the parser, not cause a crash.

Then there are JavaScripts that can directly root a nice, tight iOS device, dangerous Office scripting and worms that can crawl out of pdfs, for fuck sake: what the hell is going on that scripts have to run deeply enough in the system that they become a broad attack surface?

Microsoft tried to fix the lump of havarti that was Windows XP, but it is not clear that they have succeeded. Apparently, decades of poor coding hygiene have never been fully overcome, but now Windows is a pain in the ass to use, at least off the shelf (days of tinkering and adapting may help, I had not the patience to find out).

Sorry, but IT is broken. This is the most prominent example of when the “invisible hand” of the market has wrapped itself into a fist, eager to pound on us all. If ever there was a need for regulation, the software development community desperately needs to have their asses kicked and their dirty laundry (source code) aired out for all to see. This bullshit just has to stop.
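
The semicolon trick described at the top of this post, shown as an added example (not part of the original post, and not the affected tool's code). `echo` stands in for the real download/convert command; the URL, function names and `example.invalid` host are constructed for illustration.

```python
import subprocess
from urllib.parse import urlsplit

# Constructed input: a "source URL" with a shell command after the semicolon.
SAMPLE_URL = "https://example.invalid/cat.jpg;echo INJECTED"


def fetch_via_shell(url: str) -> list[str]:
    """Vulnerable pattern: the URL is pasted into a string that /bin/sh parses."""
    # `echo fetching` is a stand-in for the real download/convert command.
    done = subprocess.run(f"echo fetching {url}", shell=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def validate_source_url(url: str) -> str:
    """Accept only http(s) URLs with a host; also blocks values starting with '-'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"rejected source URL: {url!r}")
    return url


def fetch_via_argv(url: str) -> list[str]:
    """Hardened pattern: no shell, so the URL is one argument and ';' is just a byte."""
    done = subprocess.run(["echo", "fetching", validate_source_url(url)],
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    print("shell:", fetch_via_shell(SAMPLE_URL))  # two commands ran
    print("argv: ", fetch_via_argv(SAMPLE_URL))   # one command, URL kept intact
```

A semicolon is a legal character in a URL path, so stripping it from input is not the fix; passing the URL as a single argv element with no shell in between is.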

I take it you’re an open source guy?

A lot of our problems are due to Windows users surfing the web logged into their admin account.

Yes who would have thought that making a complex system that is impervious to clever human attack forever could be so difficult?

Proprietary code is a failure. GNU/GPL is a failure. The BSD license is a failure. They all function after a fashion, but the coding is not adequately designed for its application. Linux is a mess.

Even SSL has been compromised, for fuck sake,
More than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a newly discovered, low-cost attack that decrypts sensitive communications in a matter of hours and in some cases almost immediately …

It looks to me like we tried to reach too far too quickly and let market forces drive the advance. As I see it, there is just too much profitability pressure on developers, with no oversight. At the very least, we should have a UL-type auditing firm to examine and vet code before it can be released in beta.

Oh look, I just opened a window and it bloomed out with a swooshy sound effect. That fixes everything.

Licenses aren’t software, and there’s nothing wrong with the licenses anyway. You seem deeply confused.

This is the Unix Way. You script things with terminal commands. You string together small programs. It’s a social convention and a force of habit.

Unfortunately, dumb shit vs force of habit and social convention, is no contest.

What exactly is stopping modern devs from writing clean, efficient code? Just because they can screw up doesn’t mean they have to.

If Microsoft were a country its GDP would be larger than two-thirds of the countries in the world, ahead of Ukraine though still slightly behind Hungary and Morocco. Morocco needs to spend some of its limited funds on F-16 fighter jets, but Microsoft, protected by the U.S. nuclear umbrella, can spend the money on useless animations.

I was on a Silicon Valley factory floor 40 years ago when the San Jose Mercury-News came to photograph an 8-Megabyte system, the largest amount of RAM that had ever been placed into a single cabinet! (Yes, that’s Megabyte with an M.) These days don’t even try to run Chrome and Firefox simultaneously with less than 1 Gigabyte — your machine will thrash.

Open Source as a solution to reduce software bloat and unreliability? Go back to North Korea, you friggin’ communist!

You are. You demand to have newer better software yesterday and you won’t pay any more for it.

I love software developers! I also think it’s perfectly awesome that you can get a Computer Science degree at most US universities without taking a single security course. Isn’t that wonderful? And Agile? Fast, fast, fast! Get it into production and fix it later! Terrific!

At this point maybe I should point out that I make my living responding to data breaches. You go, developers!

Well, there’s the solution right there. If people who write viruses and worms and malware knew that–wherever in the world they were–there was a non-zero chance that a Microsoft Corporation drone (or an Apple Inc. drone, natch) was going to launch a missile up their ass, there would be a considerable deterrent effect.

Ah, I see from eschereal’s second post that this is a pitting of software developers *in general*.

What luck that all the software required to do this pitting worked flawlessly and seamlessly.

Anyway, it’s like this: developers generally don’t get to choose how to apportion their time. They have short deadlines to get all the features in, and little time to work on security.
Meanwhile hackers have unlimited time to tap all of a complex system for weaknesses. It’s actually a tribute to the standard of most programmers that exploits are not found more often.

If this means you then divert your rage at the employers, bear in mind that the vast majority of people using their software, 99.99% or maybe 100%, will be people trying to use this software for its designed function. Obviously you want to focus on them, not the boogieman.
Imagine if we could not sell microwaves until we figured out a way to make it impossible to microwave puppies (yes, I went there).

But things are improving. How many smartphones are out there? And what significant breaches of security have there been?

Yeah, my overtime and pay differential the past few weeks has been fueled by a data breach. Hurrah developers AND hackers!

Is there a way around that? I have Windows 10 and don’t know how to set up a second account. Worse, a lot of my software might not work if I’m not in the admin account. Sigh

Yes, because a freely developed plugin by people in their spare time has a bug in a rarely used part of the software, it means that everyone in the software world is stupid.

What’s even weirder is that you’ve done this Pit thread before, and it didn’t go well for you. Why in the world would you do it again?

That was not me, whoever started whichever thread you are referring to.

My first thought was that this was more a pitting of Microsoft than of “software developers”, but on second thought far too many companies have been contaminated with the Microsoft culture of software [non-]reliability (the benchmark of “good enough” – even when it means “not very good at all”) and coding laziness leading to bloat (why does it take more memory than we ever imagined a computer could ever have just to view a document or open a browser?). Adobe being a prime example, inflicting on us the security failings of Flash and the awesome bloat of Acrobat. It seems that the farther back you go in the history of computing, the more you find both software ingenuity in creating efficiencies and in reliability, both probably related to the cost of the hardware. But there were also corporate cultures like the engineering purity at DEC that no longer exist today.

Not me. I never asked for Windows Vista, 8, or 10. I see nothing in Office that has gotten any better since Office 2003, and many things that are far worse. Actually with a few obscure exceptions, I see nothing that has improved in Office for most users since Office XP. And I certainly never asked for a perfectly simple piece of utility software to fail to run because Microsoft’s fucking “framework” is out of date, and the fucking “framework” can’t be updated because the fucking framework isn’t supported on my current version of the fucking operating system. And all I want to do is file my fucking tax return. The main utility of the software is that it adds up numbers for me on an interactive form. Not rocket science.

The problem isn’t people demanding “newer, better software”. The problem is Microsoft needing to continue to make money from a failing business model.

Actually, this kind of attack was possible on mainframes.

There is a long history of “security by ignorance” - maybe no one will ever stumble on to it.

With only a few hundred people allowed on the system, and only a handful with authorization to run anything in native mode, you could live with the risk.

With a few million users, several thousand of which are actively LOOKING for such points of entry, you can’t do that.

“If contractors built houses the way programmers built systems, the first termite would destroy civilization”.

That quip goes back to at least 1974.

The sad part: There were some security features available - making every field available in all modes (read, create, change, delete) made development quick and easy.

In the early days of midi-size machines, the hunt was on for an operating system which could make them usable for real life application (they were dirt cheap compared to a mainframe). Unix was considered, and considered, but rejected because of all the trap doors in it.

They may or may not have found all the KNOWN trap doors, but they certainly did not bring it up to the level of MVS.

But, damn! they are cheap and cute! I wonder if the massive data centers Google et al operate could maybe have been built on MVS.

(here’s a cuticism: the IBM mainframes had 24-bit addressability. It was expanded to 32-bit, but the system had to be specifically told to use the expanded addressability.)

In 1970 or so I had a friend who had fun exploiting weaknesses in IBM 360 macros which let you get into supervisor mode. He never hurt anything, just printed out a message showing he was there, and then leaving.
In 1972 I took a class which covered what a disaster software development was, with tons of articles on failed projects.
Remember when Reagan’s SSI was considered impossible partially because no one could write software that complex?
By any reasonable standard our whole computing environment should have collapsed already. Given the complexity of the environment and time and money pressure, we are doing pretty good.
Plus, what percentage of breaches could have been detected if anyone had bothered to look at the logs, or could have been prevented if some stupid luser didn’t give his password out?
BTW, any microprocessor out there has a nice long list of uncorrected bugs also. It would be nice to be perfect, wouldn’t it?

I don’t do security but my opinion about “implement it now and fix it later” is exactly the same. Mind you, I can see where it makes sense from a Finance point of view (on the consulting firm’s side, that is): fixing it always takes more work than doing it right the first time, so hey, more billing!