
Content with Style


Security: Even the simple stuff is hard it seems!

by Pascal Opitz on August 14 2007, 08:23

So I am reading about the bug in IE that puts your FTP details into comments in plaintext ...

And I must say, it makes me chuckle. A while ago one of my friends sent a bulk mail to all of his contacts, containing an FTP link that he had dragged from the address bar of IE into a mail in Outlook. Needless to say, this contained the username, password and host.

A suggestion that he might change the password was shrugged off, and when I demonstrated how fast the index.html could be changed into a page stating that one should think about security, he asked me to change it back … but still couldn’t be bothered to change the password.

What I want to say with this little story is that even the very concept of basic security measures doesn’t really reach the average person. They are completely oblivious to the fact that the world around them is able to exploit their private data or damage their business.

Even worse, on various occasions when I asked what kind of authentication I should implement and pointed out that the chosen one was really bad, I was told off for “overcomplicating things”, and there were obvious security issues in the final application that I wasn’t allowed to fix, because the client was not expected to be able to remember a password different from his own username.

I think it is sometimes the developer’s responsibility to protect people from themselves, by making username/password combinations like myname/myname impossible, and so on.
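One way a developer can enforce that, as an added example that is not code from the original post: a registration-time check that rejects a password equal to the username, and goes slightly beyond the post by also rejecting passwords that merely contain the username (forwards or reversed), fall below a minimum length, or sit on a short list of well-known weak passwords. The function name, the thresholds and the small common-password list are all assumptions constructed for this example.

```python
# Example password-policy check (not from the original post).
# Returns a list of human-readable violations; an empty list means "accepted".

# Constructed sample of well-known weak passwords; a real deployment would
# load a much larger list (e.g. a breached-password corpus) instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

def check_password_policy(username: str, password: str, min_length: int = 8) -> list[str]:
    """Check a candidate password against the username and basic strength rules.

    Comparisons are case-insensitive, so "MyName" is not accepted for user "myname".
    """
    problems: list[str] = []
    u = username.strip().lower()
    p = password.lower()

    if len(password) < min_length:
        problems.append(f"password shorter than {min_length} characters")

    # The case the post describes: username and password are the same string.
    if p == u:
        problems.append("password is identical to the username")
    # Near-misses such as "myname1" or "myname2007!" are almost as weak.
    elif u and u in p:
        problems.append("password contains the username")
    # Reversed username ("emanym") is another common "trick" that is easily guessed.
    elif len(u) >= 3 and u[::-1] in p:
        problems.append("password contains the username reversed")

    if p in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")

    return problems


if __name__ == "__main__":
    # Demonstration on constructed inputs.
    for user, pw in [("myname", "myname"), ("alice", "Alice2007!"), ("alice", "correct horse battery")]:
        verdict = check_password_policy(user, pw) or ["accepted"]
        print(f"{user!r} / {pw!r}: {', '.join(verdict)}")
```

The check deliberately returns every violation rather than stopping at the first, so the registration form can tell the user exactly what to fix; the server should never echo the password itself back in those messages.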


  • haha,
    yeah, that’s another problem filed under “who is on my side” in a team, or, that’s at least my experience. If the person handling the client doesn’t follow the idea of security, then he won’t flag it up with the client, either.

    I feel the solution lies somewhere else, though. Even I get tired of 5 million passwords, man, I can hardly remember all the PIN numbers for different accounts of online banking and credit or debit cards. And then, if you call support because something is broken, they ask you for your telephone banking password. Now, you can either write it down, reduce the numbers by using the same number for several cards, or develop some kind of concept that will help you remember all this.

    Or you could save all of that in your keychain or browser, but then someone steals your laptop while you were logged in or something stupid.

    That’s what many people feel confronted with, and they just give up, and stop using “reasonable” passwords altogether.

    What’s your concept for a usual scenario, let’s say, a debit card, a credit card, 2 or 3 online bank accounts, a mobile phone and half a dozen of protected websites at a time?

    by Matthias Willerich on August 15 2007, 11:08

  • I was once asked to implement an ecommerce system for a site, but they didn’t want to shell out for a merchant account with a payment processor – instead they asked to just have the credit card details emailed to them (unencrypted) so they could process the sale in their shop instead!

    by Matthew Pennell on August 16 2007, 08:12

  • Oh, I had that, too.
    In the end the email was PGP encrypted, but I still feel that there are too many things that could go wrong. Sometimes their mailserver acted up, and emails bounced back… that was always a nice one for their customers.
    Some shop owners are really pushing to do that, because they have the accounting and order procedures for the physical shop in place, and they don’t have the mental capacity to add an online shop system to that. But because it’s the magic internet, where magically tons of sales appear, they go nuts like kids in a toy store.

    by Matthias on August 18 2007, 04:30

    I have to sympathise deeply with all of the above. One of the worst ones for me was finding out that one of my customers was using his own main server to look at dodgy stuff on the Internet – when we got to it, it was riddled with spyware and malware and less than 48 hours away from falling over.

    You can give customers security policies to abide by and put measures in place to protect them, you can also penalise them financially by charging them for time you have to spend fixing security issues they have caused, but actually getting them to appreciate how much it matters and getting them to behave accordingly – that’s more difficult.

    by Chris Boswell (Leeds UK) on November 26 2007, 05:03
