Friday 29th May, 2009
MySpace stores users' original passwords in clear-text, and returns them by email on request. Enough said really. FAIL.
For reference purposes, there are better ways to do this:
One step better: don’t return the original password (potentially revealing additional information to an attacker), just create a generated one or a one-off link that allows a new one to be created by the user.
Two steps better: don’t store the original password at all, store a one-way hash instead, that way even an attacker who compromises the DB can’t see it (assuming you do it right).
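Both of those steps in working code, as an added example that is not from the post and has nothing to do with MySpace's actual system: a per-user random salt with a deliberately slow hash (PBKDF2-HMAC-SHA256 from the Python standard library), constant-time comparison on login, and a single-use, expiring reset token of which only a hash is stored, so that neither a database dump nor the reset flow ever reveals a password. The in-memory user store, the iteration count and the 15-minute expiry are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory user store for the example: username -> record.
# The password itself is never stored, only a salted one-way digest.
USERS = {}

PBKDF2_ITERATIONS = 200_000      # assumption: pick a cost that is slow for attackers, fine for logins
RESET_TTL_SECONDS = 15 * 60      # assumption: how long a reset link stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, so precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "reset": None}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, record["salt"])
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(digest, record["digest"])


# "One step better": a one-off reset link instead of mailing a password back.

def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Return the secret to embed in a reset link. Only its SHA-256 is stored,
    so reading the database does not yield a usable link."""
    record = USERS.get(username)
    if record is None:
        return None  # the caller should reply identically whether or not the user exists
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record["reset"] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).digest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token


def redeem_reset_token(username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Consume the token and set a new password. Expired or already-used tokens fail."""
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    now = time.time() if now is None else now
    pending = record["reset"]
    if now > pending["expires"]:
        record["reset"] = None  # stale token: discard it
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False            # wrong token: leave the real one intact, rate-limit elsewhere
    record["reset"] = None      # single use: a redeemed token never works again
    record["salt"], record["digest"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify_password("alice", "correct horse battery staple"))   # True
    link_secret = issue_reset_token("alice")
    print(redeem_reset_token("alice", link_secret, "new passphrase"))  # True
    print(redeem_reset_token("alice", link_secret, "again"))           # False, already used
```

The reset path mirrors the login path: the database holds only hashes of secrets, and every comparison uses `hmac.compare_digest`. Note that a wrong token does not cancel the legitimate one, otherwise anyone could lock a user out of resetting by guessing badly; throttling of reset attempts belongs in the surrounding web layer.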
Monday 18th May, 2009
This morning I read yet another article about why people failed to predict the recent economic turbulence. What baffles me most about it is that I, and many others, knew exactly what was going to happen long before it did. I think the real reason most people failed to predict the crash was that they were blinded by the false security of the herd.
All the classic signs of a bubble were in place:
- Rapidly increasing asset values
- Commercial purchases based on future asset gains rather than realistic income (i.e. rent was not increasing along with house prices)
- The inability of intelligent people to comprehend prices going down (it sounds nuts now, but I heard this opinion so many times my skepticism gland was bled dry and red raw)
The last point is particularly pertinent I think. When participants in a market cannot accept that market prices go both up and down then you know that you’re looking at hysteria at work. All of this is described quite clearly in many books on the subject including Bubbles and How to Survive Them, by John Calverley (Chief Economist & Strategist at American Express) which described the problem long before it happened.
The tenuous tech link
Sometimes it’s hard to go against the grain, like the fund managers fired from their jobs during the Dot Com boom because they sensibly realised that tech stocks were overvalued and pulled their clients out (it’s ironic that “Cassandra” is used to put down those that predict disasters, since Cassandra’s predictions were spot-on).
In the same vein I think it’s sometimes hard to speak out against current trends in terms of development processes, or common wisdom. There are some development teams where criticism of Agile or Scrum would earn you a slow death, bound with CAT5 cable and locked in a server cage. I’ve been at the receiving end of group-think like this myself; I was once reprimanded and sidelined for being generally a bit too quick to suggest open source tools to Microsoft-centric developers. The spread of knowledge is sometimes uncomfortable.
It’s an uphill struggle but for technologists, just as for economists, we have to try and push back against our instinct for the herd-mentality.