Experienced developers know all about security :sigh:
-
The current cast of idiots, no - but the last crowd... When I worked for this bunch of simpletons (in the pre-HMV/Waterstones days: http://en.wikipedia.org/wiki/Ottakar's[^]) they had an "online ordering" system powered by Access '97, called 'Snowy'. One day 'Snowy' bit the bullet, and muggins here was called in to sort out the mess. Unfortunately I was unable to save the 'wondrous' GUI end of the application, however I did walk away with the data aspect of the system... ...and what a system! Hundreds of un-normalized tables, no relationships, only a passing attempt at primary keys... and thousands of plain text user details received over the web (which I later found out were sent via email from the website to the "Internet" Dept), including, but not limited to: passwords, personal info such as date of birth and security confirmation questions, and credit card details - including expiry dates! I burned the entire shooting match to CD - I still have it somewhere :)
martin_hughes wrote:
...and what a system! Hundreds of un-normalized tables, no relationships, only a passing attempt at primary keys... and thousands of plain text user details received over the web (which I later found out were sent via email from the website to the "Internet" Dept), including, but not limited to: passwords, personal info such as date of birth and security confirmation questions, and credit card details - including expiry dates!
:omg: :wtf: You didn't happen to save the coloring books, did you? I mean what other documentation could they have had?
A guide to posting questions on CodeProject[^]
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
2006, 2007
-
Sadly not - but I did liberate a (new, untouched) copy of E-Commerce for Dummies from the IT & Communication Manager's office :)
-
Sadly not - but I did liberate a (new, untouched) copy of E-Commerce for Dummies from the IT & Communication Manager's office :)
Apparently they were too embarrassed to read it. Nor have they watched the news either, with all the credit card fiascos it has brought up in the last 5 years. Management - what do we pay them for again? ;P
A guide to posting questions on CodeProject[^]
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
2006, 2007
-
Security? Security? `Security' isn't a dirty word, Blackadder. `Crevice' is a dirty word, but `security' isn't. Where I work there are several chiefs, but only one indian - namely me. Now these "chiefs" are all highly "experienced", so clearly what I suggest is completely without merit. Such as when I suggested that Application Security and User Permissions should be handled in the Application, and not left to the Database's role management, this was rebutted with "in all the applications I've ever worked on, that approach has never been successful". And when I suggested that the Application should have one, limited!, user account/role in the Database, this was laughed off, and in went the developer creating a separate database account for each and every user. And then, when I was reaching the end of my tether, I suggested that password security was absolutely critical; I was later surprised to find in the registry, under the application's settings, a Key containing connections. Further investigation showed that each connection contained the user name and PLAIN TEXT password for each user, including the Administrator. And not just an Application Administrator, but a fully fledged SQL Server 2005 Administrator. :sigh::-D:laugh:;P
-
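The registry finding in the post above (one connection string per user under the application's settings key, each with a plain-text password, one of them the SQL Server sysadmin) is the kind of thing worth checking for mechanically rather than stumbling across. What follows is an added example, not code from the original post or from the poster's application: a Python script that reads a `reg export` of a hypothetical `Connections` key and flags plain-text passwords, the built-in `sa` login, trivial passwords of the kind joked about further down the thread, and the one-login-per-user pattern. The sample export, the key path, the value names and the passwords are all constructed for the example; `.reg` escape sequences (`\\`, `\"`) are not handled, which is an assumption about the input.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: what `reg export HKLM\SOFTWARE\ExampleCo\InventoryApp\Connections`
# might produce for an app laid out like the one in the post. Everything here is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCo\InventoryApp\Connections]
"alice"="Server=SQL01;Database=Inventory;User ID=alice;Password=Summer2007!;"
"bob"="Server=SQL01;Database=Inventory;User ID=bob;Password=bob;"
"admin"="Server=SQL01;Database=Inventory;User ID=sa;Password=sa;"
"svc"="Server=SQL01;Database=Inventory;Integrated Security=SSPI;"
'''

# A REG_SZ value line in a .reg export: "name"="value"
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')

PRIVILEGED_LOGINS = {"sa"}              # built-in SQL Server sysadmin login
PASSWORD_KEYS = ("password", "pwd")     # ADO.NET / OLE DB spellings
USER_KEYS = ("user id", "uid", "user")


@dataclass(frozen=True)
class Finding:
    connection: str   # registry value name, or "*" for a cross-connection finding
    severity: str     # "high" or "medium"
    issue: str


def parse_reg_connections(reg_text: str) -> dict[str, dict[str, str]]:
    """Return {value_name: {key: value}} for every string value in the export,
    treating each value as a 'k1=v1;k2=v2;' connection string. Keys are
    lower-cased so 'User ID' and 'user id' compare equal."""
    conns: dict[str, dict[str, str]] = {}
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue  # header, [key path] or blank line
        parts: dict[str, str] = {}
        for item in m.group("value").split(";"):
            if "=" not in item:
                continue
            k, _, v = item.partition("=")
            parts[k.strip().lower()] = v.strip()
        conns[m.group("name")] = parts
    return conns


def audit_connections(conns: dict[str, dict[str, str]]) -> list[Finding]:
    """Flag the problems described in the thread: plaintext or blank passwords,
    trivial passwords, the sa login, and one SQL login per user."""
    findings: list[Finding] = []
    logins: set[str] = set()
    for name, parts in conns.items():
        user = next((parts[k] for k in USER_KEYS if k in parts), None)
        pw_key = next((k for k in PASSWORD_KEYS if k in parts), None)
        if user:
            logins.add(user.lower())
            if user.lower() in PRIVILEGED_LOGINS:
                findings.append(Finding(name, "high", f"uses privileged login '{user}'"))
        if pw_key is None:
            continue  # e.g. Integrated Security=SSPI: no secret stored at all
        pw = parts[pw_key]
        if pw == "":
            findings.append(Finding(name, "high", "blank password"))
            continue
        findings.append(Finding(name, "high", "plaintext password stored in registry"))
        weak = {"password", "sa"}
        if user:
            weak.add(user.lower())
        if pw.lower() in weak:
            findings.append(Finding(name, "high", "trivial password (login name, 'password' or 'sa')"))
    if len(logins) > 1:
        findings.append(Finding("*", "medium",
                                f"{len(logins)} distinct SQL logins: looks like one database "
                                "account per user rather than one limited application account"))
    return findings


def audit_reg_export(reg_text: str) -> list[Finding]:
    return audit_connections(parse_reg_connections(reg_text))


if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG):
        print(f"[{f.severity:6}] {f.connection}: {f.issue}")
```

Run it against a real export by replacing `SAMPLE_REG` with the contents of a `reg export` file; the `svc` entry shows the shape that produces no findings at all, because integrated authentication leaves nothing in the registry worth stealing.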
This is very dangerous for you, because such chiefs are running your company into trouble. :(( "Get away while you can" :mad:
Greetings from Germany
Too true - but the comedy value of things going horribly wrong all the time is worth it :)
-
Pete O`Hanlon wrote:
password to be password
or password to be sa :-D or password to be 'blank' :-D:-D
Vasudevan Deepak Kumar Personal Homepage Tech Gossips
:laugh::laugh:
Regards, Satips.:rose: Don't walk in front of me, I may not follow; Don't walk behind me, I may not lead; Walk beside me, and just be my friend. - Albert Camus
-
Might as well just sticky-note the password to the front of the server and e-mail it to the whole company...
-
Might as well just sticky-note the password to the front of the server and e-mail it to the whole company...
May as well keep the key to the front door under the door mat, too :rolleyes:
"Any sort of work in VB6 is bound to provide several WTF moments." - Christian Graus