Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com) 236
Slashdot reader Orome1 quotes Help Net Security:
A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...
The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.
The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
Look at the time investments. (Score:5, Insightful)
You mean advice from people who spend more time hanging out on Stack Exchange and less time actually writing production code is turning out to be less correct than advice from people who talk less and do more? Color me surprised. (Not.)
Re:Look at the time investments. (Score:5, Insightful)
Stack Exchange has gone the same way as Wikipedia. Most of the interesting stuff was handled long ago so there are now few interesting questions left, and content is decaying and becoming out of date because no-one can be bothered to keep it current.
To compound the problem you have the MMORPG element where people build their characters up and create a little empire for themselves, and worse than Wikipedia you actually have stats on SE.
Throw in a poor interface and harsh treatment of new users and the site is doomed to become a mostly static archive of bad advice. There are better communities on some of the Stack Overflow sites, but they will eventually get the same way unless things change.
Re:Look at the time investments. (Score:5, Interesting)
...harsh treatment of new users...
I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.
Re: (Score:3)
Re: (Score:2)
"I'm sorry, you can't flag this post until you earn 374 more credits."
Re: (Score:3)
Re: (Score:2)
Yeah, that's bollocks. When I do authenticate user java site:stackoverflow.com [google.co.uk], it's not until the third link that I get an answer that looks anything like "store the password in plaintext" and it was on an Android question, where the accepted answer said "use shared preferences". I don't know enough about Android to say whether it is right or wrong, my gut feeling is "wrong".
Re: (Score:2)
It's true, long gone are the days of getting 1000 upvotes for telling that the result of "1 / 2" is 0, not 0.5.
Still, I started regularly writing answers on SO less than a year ago. I got more than 30000 points, got a golden Ruby badge and I'm close to getting it for Python. After that, I'll finally be able to write some productive code again :D
Re: (Score:2)
If the template is "when you think a question is a duplicate, don't bother checking, just mark it and move on to the next. Don't link to the duplicate, the loser noob should have found it themselves" or "Don't answer a simple question if you can just respond with derision of the language (programming or textual, doesn't matter, but bonus points for both)" or "downvoting to oblivion an answer that, whilst correct, you don't agree with, either by tone, implementation or just because it's Wednesday and you're
Re: (Score:2)
Rules such as "All C questions must be answered in the form only suitable for C++", or "For a question about a programming language, always give an answer from the Visual Studio manual in preference to a language's official published standard."
Re: (Score:2)
And yet the rules have resulted in extremely low quality answers, many of which are utterly wrong and unable to be corrected according to the rules. Stack overflow has become a cesspool of bad advice; albeit a cesspool with a set of rigid rules.
It's a bit like the US Congress, only without the high minded sense of cooperation, duty, and high mindedness that Congress has.
Re: (Score:2)
*blink*. *blink*.
It's a miracle! Darinbob—in a coma since the Reagan administration—just woke up and posted on Slashdot!
Re: (Score:2)
Re: (Score:2)
This is why I make sure to actually read the existing answer(s) before flagging something as a duplicate. If there's no currently valid answer, I just write an answer. If somebody wants to take the time later to flag it as a duplicate and merge it with the other question, fine, but in the grand scheme of things, it is better *not* to do so. After all, the old, no-longer-valid answer will likely continue to be the highest-ranked answer for that old question, barring a miracle, but a new answer could beco
Re: Look at the time investments. (Score:2)
The best way to TRULY understand something is to teach it to someone. I've observed in my field C# that the top stack overflow answerers are indeed the real experts - indeed some of them were on the C# team itself and others were given awards for the quality of their help.
Re: (Score:3, Interesting)
One such situation is burned into my mind and about when I stopped participating on StackExchange. I had a question about C#, to which I got several people saying what they thought was intuitive, but I said that flew in the face of the definition of the interface. I asked the question on MSDN, got an answer from the lead dev of the
Re: (Score:2)
It's a bit like Yelp. The overwhelming urge to pretend to be a serious critic and post nonsense immediately. Is anyone spending a few days to research a correct answer and provide legitimate references to back it up, or do they just have a rush to get an answer in sooner and thus get more points?
I see answers that have no resemblance to the actual questions. The reason the questions are usually asked is because they're not simple questions that can be answered with a quick google search. And yet the peop
Java security... (Score:2)
>> ...The researchers concentrated on posts relevant to Java security ...
Java security. Those two words simply do not belong together.
It should be syntactically forbidden to write them side by side.
Re: (Score:2)
There are way too many one-person coding shops for that to be a realistic recommendation. Just saying.
No way! (Score:5, Insightful)
News flash, heavily simplified programming snippets for the purposes of example and education are probably not suitable for a production environment.
Re: (Score:2)
This of course is an enormous issue: people imprint on the first solution to a problem they understand.
But I think more to the point here is Java's long struggle with overengineered frameworks and libraries. They tend to have a "designed by a committee" feel, and impose significant cognitive load on learners. Add to that first-solution-imprinting, and it's a recipe for trouble.
Ultimately, though, this is no new thing. There have always been a small number of people who produce elegant, quality code and a
Re: (Score:2)
It's more than that. The answer to "how do I get past this error" is usually a code hack, such as turning off CRL checking. With no explanation on the impact, or a need to solve it another way.
I find great advice for solving problems on a disconnected system, but very rarely the obvious caveats. And this is but one example of the kinds of answers that aren't just simplified, but flat out wrong. You need to solve it a different way.
Stackoverflow is popular, but PITA (Score:2, Interesting)
I thought I would try and help people out on Stackoverflow.
I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces. PITA.
I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer. PITA
A questioner added a comment to ask for an extra feature in my answer, and I could not reply to his comment, because new users cannot comment, only answer
Re: (Score:3)
> I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces
There is a button to indent a selection and display that as code.... what's wrong with that? (the rest is text)
> I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer
Many new users don't know how to behave, and spam with c
Re: (Score:2)
Many new users don't know how to behave, and spam with comments. You need a few reputation points to comment... that's easy to get.
if you have no life beyond stackoverflow.
It takes 50 points (five answer upvotes) to earn comment privileges, and an accepted answer is worth 15 (an upvote and a half). Does making two upvoted, accepted answers imply "no life beyond Stack Overflow"?
Re: (Score:3)
Arguably, being unable to comment on your own answers is a bug, regardless of reputation....
Re: (Score:2)
You probably won't see these comments since you've posted anonymously:
1. You can highlight multiple lines of code at the same time and press the code bracket button to indent.
2. You can edit an answer to answer a comment. This is not perfect, but the no-comment rule for new accounts is to combat spam
3. Yes, there are anal people on there. If you find something that works better, do let me know
Re: (Score:2)
This is why it feels so wrong. Any idiot can answer, but you have to grind the point before you can comment. Newcomers will be confused and likely look at the answers first. But over time even the commenters have become clueless, so you can't trust the comments either anymore. The only way to use it is to not trust it; read all the answers and comments, if it feels off then follow the "related questions" instead, and soon you may be at an older question answered back when people who actually knew things
Re: (Score:2)
Stackoverflow's help does not mention the button
Of course because we're not in 1982 anymore, when you see a bunch of buttons, hover the mouse over the button and it'll tell you what it does.
Re: (Score:2)
Re: (Score:2)
With the strict "App Store only" execution privilege model of the iPhone 7 and iPad Pro, how do you test your "small snippets of code" before submitting them through the Stack Exchange app? Do you lease a server somewhere and then SSH into that to test them?
Re: (Score:2)
Users of the Stack Exchange application for Android can long-press buttons to see what they do without activating them.
Re: (Score:2)
When you answer a question, you get an edit box with some buttons at the top. The first one is a bold "B". Guess what that does. Then there's an italic I, guess what that does. Then there's an icon that looks like two links of a chain. Guess what that's for. Then there's a double quote mark. Guess what that's for. Then there is a button with two braces {}. You'll never guess what that is for, unless, of course, you program in a C-like language or you hover the mouse over it to see the tool tip.
Also, Stacko
Unlike GitHub, Stack Overflow doesn't have ``` (Score:2)
Also, Stackoverflow uses a formatting syntax called "markdown". It's the same as Github.
In this case, no, it isn't the same as GitHub. GitHub recognizes several extensions to Markdown that Stack Exchange does not, such as the triple-backtick for code blocks as an alternative to the four-space indent.
Re: (Score:2)
Add a link to the markdown info page. Many people browse with noscript, which makes some of these blog/forum oriented sites extremely vague (and no, they do not all use the same mark up/down syntax and the syntax will likely change in a couple of years anyway).
Java is very secure (Score:2, Funny)
Java is [garbage collecting ] very s [gc] e [gc] [gc] cure.
The garbage collection [gc] algorithm [gc] [gc][gc] ensures that [gc] [gc][gc] you never know [gc] [gc][gc] when it will [gc] [gc] [gc] crash and [gc] [gc] can't exploit [gc] [gc] [gc] common stack [gc] [gc] [gc] pointer [gc] [gc] [gc] bugs.
Also, since java is slow [gc] [gc] [gc] that's another security feature [gc] [gc].
fast programs crash [gc] [gc] too fast [gc] [gc]. Making exploits [gc] [gc][gc] trivial [gc] [gc].
All operating systems should [gc] [
Re: (Score:3)
WordPerfect 5.1?
Reminds me of Michael Scott in "The Office" (Score:2)
When he asks for the YouTube people to come in and film him.
You can hope for good advice but in the long run when it comes to security features, you have to know who you are talking to, what their qualifications are and make sure they're there to support you down the road - which means you are going to pay them. "Gr8CdrGrl427" on Stack Overflow might have an interesting approach as to how to position and code a slider control but taking security advice from them is simply dumb - the worst case is they're m
Lazy Apathetic Enterprise Coders (Score:2, Insightful)
Coders today are completely lazy, don't give a fuck about doing anything other than writing code and meeting goals. Management didn't tell them to do it? They don't fuckin' do it. I grew up developing web sites and web apps and learned security the hard way ...getting fucking rooted dozens of times! when I started doing development for money I had to make sure someone couldn't just bypass security controls and hack the customer's sites and when they did, you bet your ass i had to FIX IT. It should be obviou
Re: (Score:2)
> Now your typical enterprise may have third party security assessment and penetration testing - which is OK, but most of the time it's testing well-known exploits.
They're typically not allowed, by the company paying them, to probe for the most dangerous vulnerabilities. Passwords sent via github, VPN's that open full access to unencrypted services from poorly secured internal networks, permanent root credentials embedded in source code,and other issues abound.
I've recently been forced to cope with a sof
Leave out the words "Java" and "security" (Score:2)
Many of the Stackoverflow first answers are very poor, as are many followups from people who don't sanitize their inputs. The problem is aggravated for Java, where error reporting is often very poor and where programmers have been taught with object oriented principles to pay no attention to the rest of the system: it's considered outside the scope of their immediate task.
I do find Stackoverflow useful: there are often extremely useful hooks to start from, and it's well worth thanking the community by follo
Re: (Score:2)
Yup, I rarely find quality answers on stack overflow, but I do find links to other sources of information that lead to good answers.
Bad Advice from Stackoverflow? (Score:2)
Well I never!
Canonical example of a Stackoverflow exchange:
Answer: Why in the world would you want to do that? Here do this
Answer:
#1 upvote:
#2 upvote:
#4 or #5 most upvoted:
further down:
Stackoverflow is the best for people that sort of know what the answer should be and can separate the wheat from the chaff.
I often point to this on as a good canonical example. https://stackoverflow.com/ques... [stackoverflow.com]
Re: (Score:3)
Eh I should have previewed my post, tags got eaten:
Answer: Why in the world would you want to do that? Here do this (unhelpful thing that doesn't answer this question)
Answer: (Complete wrong buggy implementation)
#1 upvote: (Answer that technically works but completely pedestrian, not generalized, etc)
#2 upvote: (mostly the same as #1, but with an added glaring bug)
#4 or #5 most upvoted: (probably the right answer)
further down: (a number of technically correct but a completely stupid ways to solve the proble
Re: (Score:2)
That example is good. The whole question is wrong, Stack Overflow shouldn't be a site for brand new programmers. Spend some time learning the language before you ask how to do something that anyone with one month's experience can do. In the early days of Stack Overflow the questions were very interesting questions, about subtleties in a language, mysterious problems to overcome, and so forth. Now the questions are "help me do my homework!"
Automated fallacy (Score:2)
If poor answers are floating to the top because of reputation, then Stack Overflow has effectively automated argument from authority [wikiquote.org].
This is not too surprising. Automating fallacy is probably easy. Automating security is likely to be hard. Trust me. I'm an expert on this.
OK, but why are they on SO? What did we do wrong? (Score:4, Insightful)
So, I agree with all the haterade at SO and all the things it does wrong and stuff. But let's take a moment of reflection and see if maybe we as a community also did something wrong.
My opinion is that it's a total lack of actually useful documentation. And by that I mean there's almost always documentation, but it's at a level of specificity that makes it totally useless.
By way of analogy, imagine getting into an airplane and there's tons of man pages for each instrument like "The throttle controls the amount of forward thrust generated by the engines. It has three auto-throttle modes for speed, trim and power, you can enable those modes by setting the auto-throttle switch to the ON position and adjusting the rotary dial to the desired mode. The power mode cannot be used while the autopilot for level is set."
And so on there's documentation on every little thing but nowhere does it actually explain how the hell to fly a plane.
There are projects whose documentation is exactly like this. They are full of great (and useful) detail about how the parts work but there is no place that explains how the whole project works at a general level and how to get it off the ground.
Re: (Score:2)
And so on there's documentation on every little thing but nowhere does it actually explain how the hell to fly a plane.
There are projects whose documentation is exactly like this. They are full of great (and useful) detail about how the parts work but there is no place that explains how the whole project works at a general level and how to get it off the ground.
That's because the general assumption, in this case, is that the reader already knows how to fly planes in general, and only needs the specifics for this model.
Of course, given the number of coders whose training consisted solely of rote memorization, this assumption is provably wrong. That leads to the sorry state the IT industry is in now, and why I'm very glad I'm training to get my CDL and drive a truck.
Yeah but (Score:3)
They're Java coders. Easily replaced.
Well, of course they are (Score:2)
You always get bad advice from Stack Overflow.
blah blah blah (Score:2)
By far the hardest part of security is getting companies to care about it.
Calling BS (Score:2)
Revisiting old questions (Score:2)
One big problem SO has is reconciling old questions with "best" answers that might no longer be the best -- or even still RELEVANT.
Suppose that someone posted a message to SO in 2012 asking how to hide the mouse pointer arrow that appears if the user connects a bluetooth or USB mouse to the device when their app (say, an OpenGL ES game) is in the foreground.
Five years ago, the correct and concise answer would have been, "You can't".
Today, the proper answer would be, "You can't do it unless the device has An
Re:Stackoverflow: how not to help (Score:4, Funny)
If people simply hired web developers, most web hacking shit would be gone over fucking night.
Thanks for the chuckle.
Smart the OP posed as AC. (Score:2)
Yeah seriously - This is a case where using AC tag is warranted.
It protects the original poster from the shame of being labeled a frickin' moron.
Re: (Score:3, Insightful)
If people simply hired web developers, most web hacking shit would be gone over fucking night.
No. Just no. The only thing worse than Java programmers are web developers.
Claims that Slashdot should have been NNTP (Score:2)
This is a web site, made by web developers.
A few hardline anti-JavaScript users I've run into are under the impression that Slashdot ought to have been an NNTP site viewed through a news reader, not a website viewed through a web browser. They tolerate web-based discussion forums, though they would prefer a discussion-specific protocol.
Re:Java is in and of itself bad advice (Score:4, Informative)
Not really the fault of the language....
Of course the secure 'solutions' should take note that something is deeply wrong with how they go about providing secure options when this happens so much.
People don't do this because they like being insecure, they do it because it's easier.
Disabling CSRF is popular because it's *generally* implemented in a pain-in-the-ass way. Not only in a pain in the ass way, but it seems every five seconds another framework comes up with a slightly different approach to CSRF that isn't any better or worse than the myriad of approaches already. One massive improvement on that front in general would be to disable all that crap if no referrer is set at all, which would solve 99% of the situations where people feel compelled to weaken CSRF protection (non-browser automation).
There are two accepted approaches for TLS if you are not doing things for internet sites: Maintain a convoluted CA setup or if you can't bring yourself to do that, well, disabling it is the only other easy way provided. In my software I tend to provide option of treating TLS software similar to ssh known hosts if CA verification is not an issue, and users are never bothered, until something does go awry.
Using obsolete communication protocols and hashes is generally the consequence of having to interact with data or equipment or older setups. Sure some of it is just people got taught that specific way once upon a time directly addressing low level crypto functions, but a lot is intentional. Of course this is a problem that propagates, new interface to old setup uses old protocol, new thing to talk to new thing, well might as well use old protocol there.
Re:Java is in and of itself bad advice (Score:4, Interesting)
Not really the fault of the language....
No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"
Java is okay for what it is, but if you make it the foundational language for your students, those students will be shite programmers.
Re: (Score:2)
Not really the fault of the language....
No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"
How is that relevant to cryptographic hash algorithms, CSRF, certificate validation, or encrypted communication protocols? One could argue the exact opposite: by spending more time on teaching students exactly how variables are stored in memory, you would have less time to teach students about all of the other security issues involved in writing software.
Re: (Score:2)
"by spending more time on teaching students exactly how variables are stored in memory, you would have less time to teach students about all of the other security issues involved in writing software."
Most of the problems that exist in code are PRECISELY because people don't know where shit is stored, or how it is accessed. Solid fundamentals means solid and informed coding practice. Java is not a solid fundamental for people to start with.
Re:Java is in and of itself bad advice (Score:4, Insightful)
There are two ways to view programming, both of which are very important to understand. There is an abstract model view of programming, and that's what Java could be good at. Except that something like Scheme is even better at this. This is supposed to be a high level view of what algorithms actually are as a concept, rather than the implementation details at a machine level.
But you also need the low level view, how things actually get done. If your only model of a program is a bunch of magical black box operators that all take 0 time and space, you can't think well about the problem. Big-Oh notation is meaningless if you don't know what you're measuring. Missing this knowledge is a major hindrance, and yet so many don't realize they have this flaw.
You certainly won't be any good at even basic security without having both an abstract and a concrete model.
Re: (Score:2)
Ever see how secure a student level C program is?
It's not the language. If you aren't taught basic security concepts you're not going to write secure code regardless of the language. Worse if the language gives you a rocket launcher to blow your own foot off with (like C).
Secure programming isn't something you take one class on to become an expert in, anymore than taking a single course on building a safe makes you capable of building a crack-proof safe. Secure application development is not something you j
Re: (Score:3)
Yeah, I will confess to not knowing your specific scenario, but I too was faced with a language/library set that had a terrible TLS implementation. I subclassed the plain http class to provide my own tls handling because I know precisely what happens using the default scheme.
This of course drew incredulous response from a security architect that worked on a similar product, saying that I was running a terrible risk by authenticating certificates ssh-style rather than with a CA. I then asked if that concer
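The "ssh known hosts" style of TLS handling that the two comments above describe, as an added example in Java (not code from any commenter or from the study): the first certificate a host presents is recorded by its SHA-256 fingerprint, later connections must present the same one, and a change is refused the way ssh refuses a changed host key. The class name, the in-memory map (a real deployment would persist it like ~/.ssh/known_hosts) and the constructed byte strings in main are assumptions of this example; HexFormat requires Java 17 or newer. The first contact is unauthenticated, which is the gap the security architect in the reply is pointing at, so this fits the internal, no-usable-CA case the commenter describes and is not a replacement for CA validation against internet hosts.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.X509TrustManager;

/** Known-hosts style ("trust on first use") server certificate checking. Constructed example. */
public final class KnownHostsTrust {

    /** Outcome of checking a presented certificate against the store. */
    public enum Verdict { FIRST_USE_RECORDED, MATCHES_KNOWN, MISMATCH }

    /** host -> hex SHA-256 fingerprint of the DER-encoded leaf certificate.
     *  Assumption: kept in memory here; persist it in real use, as ssh does with known_hosts. */
    private final Map<String, String> knownHosts = new ConcurrentHashMap<>();

    /** SHA-256 over the DER bytes: the same value `openssl x509 -fingerprint -sha256` prints. */
    static String fingerprint(byte[] derEncoded) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(derEncoded);
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Core decision, kept free of TLS types so it can be exercised with constructed bytes. */
    Verdict check(String host, byte[] derEncoded) {
        String seen = fingerprint(derEncoded);
        String stored = knownHosts.putIfAbsent(host, seen);
        if (stored == null) {
            // Nothing known yet: record and accept. This first contact is not authenticated.
            return Verdict.FIRST_USE_RECORDED;
        }
        // Constant-time comparison so the stored fingerprint does not leak through timing.
        boolean same = MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.US_ASCII),
                seen.getBytes(StandardCharsets.US_ASCII));
        return same ? Verdict.MATCHES_KNOWN : Verdict.MISMATCH;
    }

    /** Adapter that plugs the store into an SSLContext for one named host. */
    X509TrustManager trustManagerFor(String host) {
        return new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                if (chain == null || chain.length == 0) {
                    throw new CertificateException("empty certificate chain");
                }
                if (check(host, chain[0].getEncoded()) == Verdict.MISMATCH) {
                    // The equivalent of ssh's "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal.
                    throw new CertificateException("certificate for " + host
                            + " changed since first use; refusing to connect");
                }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new CertificateException("client certificates are not accepted here");
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        };
    }

    public static void main(String[] args) {
        KnownHostsTrust store = new KnownHostsTrust();
        // Constructed stand-ins for DER certificate bytes; any byte[] exercises the decision logic.
        byte[] certA = "constructed-cert-for-internal-host".getBytes(StandardCharsets.UTF_8);
        byte[] certB = "constructed-cert-presented-later".getBytes(StandardCharsets.UTF_8);
        System.out.println("first contact      : " + store.check("db.internal", certA));
        System.out.println("same cert again    : " + store.check("db.internal", certA));
        System.out.println("different cert     : " + store.check("db.internal", certB));
    }
}
```

To use the trust manager for a real connection, initialise a context with it (`SSLContext.getInstance("TLS")`, then `init(null, new TrustManager[]{store.trustManagerFor(host)}, null)`) and hand that context to the client; hostname verification in HttpsURLConnection still runs separately and should stay enabled. The point of the design is that the only thing that is ever skipped is the CA chain walk, not the identity check: a server that presents a different certificate than the one on record is refused, which is exactly what the "trust all certificates" snippets the study complains about throw away.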
Re: Java is in and of itself bad advice (Score:2)
Re: (Score:2)
If your password would fail in an offline attack, it doesn't matter what hash algorithm was used. It's only a 10-fold difference in cracking speed, which for a good password is the difference of 10 million versus a million years, and for a bad password the difference between a minute and 10 minutes.
No reason to use it of course, and it's easier for people to just do SHA2 rather than keep track of whether the meaningful weaknesses (collisions) of md5 matter for your app or not (unless it is unsalted, and u
Re: (Score:2)
Re: (Score:2)
DO NOT secure a password/cc/sensitive info DB with MD5 or SHA1/2/3.
See this:
http://automationrhapsody.com/... [automationrhapsody.com]
And my post here:
https://developers.slashdot.or... [slashdot.org]
Re: (Score:2)
To answer the GP's post: 1) MD5 is vulnerable to certain padding attacks. For instance, Microsoft had a cryptographically signed binary hacked by a dedicated attacker to hijack windows update. Basically, someone created an executable with a virus payload that resolved to the same MD5 signature as the original package. That's BAD. https://www.theregister.co.uk/... [theregister.co.uk]
MD5 is vulnerable to what's called a "length extension attack": https://en. [wikipedia.org]
Re: (Score:3)
There are brute force attempts, and smart brute force attempts. Defending against a brute force attack from your kid sister is easy compared to defending against a brute force attack from the school bully. The quality of security you have depends upon the value of what you're protecting.
If you don't care about what happens if someone breaks your system, then MD5 is fine and it doesn't hurt much if you ask stack overflow for advice. If your company can be put out of business if your back office data can be
Re: (Score:2)
In the realm of password cracking a well-salted MD5 hash, it's only 10x quicker to crunch through md5 than an equivalent sha256. If it were a truly random string needing brute force, we are still talking about a million years for a cluster of a thousand nodes with 8x gtx 1080s each to crack a *single* PB-KDF with 1,000 rounds. For a dictionary attack, both methods would fall in short order.
The real weakness in MD5 is in applications that rely on attacker not being able to know a collision, such as md5sums
Re: (Score:2)
It depends upon the application.
In an HMAC, PBKDF, etc application, MD5 is still safe practically speaking, but it's easier to avoid raised eyebrows to move on to SHA2 than to explain that. In these scenarios, a hash collision isn't going to help.
If you are using the hash as a validation of something else (md5sum of a file, md5 fingerprint of a certificate), that is meaningfully risky, since hash collision is the means of breaking it and that is the weakness in the algorithm.
Re: (Score:2, Informative)
I'm a veteran of the software industry (3 decades, now) and regularly screen, interview, and hire software engineers -- mostly college grads, some with a few years of experience in the industry. I can tell you with absolute certainty that Java programmers -- those who primarily learned Java in college -- are easily the worst programmers I encounter while hiring. And to date, I haven't hired a single one of them, even though I've talked to and interviewed countless numbers of them.
Want to learn to program? S
Re: (Score:2)
I'm a veteran of the software industry (3 decades, now) and regularly screen, interview, and hire software engineers -- mostly college grads, some with a few years of experience in the industry. I can tell you with absolute certainty that Java programmers -- those who primarily learned Java in college -- are easily the worst programmers I encounter while hiring.
Then you aren't trying to hire software engineers, you're trying to hire programmers.
Re: (Score:3)
Want to learn to program? Start with C. You can expand to whatever you want after that, but you have to master C first.
I used to say this a lot; however, I was given an analogy that made me change my mind. When we teach people to drive, we don't make them learn on snow and ice. So why should we make them do that with programming?
So, after reevaluating, I decided we should throw out the "Programming 1 & 2" paradigm that so many schools use. Instead, I would like to see:
Programming 1 (in Java or Py
Re: (Score:2)
I think some of the problem is that there is an army of people out there intent on spreading the word that you don't need to learn how to drive on snow and ice, and who will scoff at anyone who does this regularly. They treat driving on snow and ice as akin to climbing Mount Everest. Their solution to anything difficult is to first find the right library or framework that already does it for you. It sort of implicitly assumes that mere mortals don't write these frameworks, in the same way that mere mortals
Re: (Score:3)
Want to learn to program? Start with C. You can expand to whatever you want after that, but you have to master C first.
I used to say this a lot; however, I was given an analogy that made me change my mind. When we teach people to drive, we don't make them learn on snow and ice. So why should we make them do that with programming?
In an upper division undergraduate CompSci/CompEng course that I teach, I always tell the students, "spend more time reading code than writing code; being able to read code is more important and valuable to a programmer than being able to write code." I have had several students disagree strongly with that assertion. However, I use the example of learning a foreign language.
I know that programming and human language are different. However, I think that the same principle of learning the languag
Re: (Score:2)
Well, yeah, but you didn't get to that point by not reading their code. You got there by looking at bad code, understanding it, and concluding that it was bad. If you had never seen bad code before, how would you recognize it when you saw it?
Re: (Score:2)
You must live in an area that doesn't get much snow or ice if that made you change your mind. Where I come from (Tennessee), we got a bad snowstorm one or two times a year, and if you didn't want to be trapped in a house with no power, no phone, and no heat, you had better be prepared to drive in s
Re: (Score:3)
You need more than C. I have a lot of C programmers, and most are terrible at software. That's because they're self-taught EE or science types; they understand the low level details but are extremely lousy at higher level abstractions. I.e., they find it difficult to see the big picture of a large software project, they can't make code that other people can maintain or even decipher, and so forth. Their coding skills seem to be a mixture of knowing the syntax and combining it with a few key rules of thumb.
Th
Re: (Score:2)
That's easily solve
Re: (Score:2, Insightful)
If stack overflow supported nested comments, these "security experts" could post corrections for the insecure code, kinda like how you can correct someone on slashdot. It's pretty stupid to not support nested comments in 2017 (and not the tiny font remarks SO currently uses that make them unsuitable for code).
I've actually studied this at length, and even read a few treatises on the subject. Short answer: nope. Nested comments pretty much suck.
Nested conversations (like those here on slashdot) don't actually make conversations better. They just splinter the conversation into a thousand shards, each of them relatively short, and rarely on topic. They also promote shitty quoting habits and make it difficult to pick up a conversation where you left off without re-reading the whole damn thing.
Flat, linear comments t
Re: Java is in and of itself bad advice (Score:2)
You have heard the screaming goat, right? That's not pleasure.
Honestly, getting back to the story....a language for which advice is riddled with security holes should scare the crap out of you? Imagine hiring one of these so-called experts. Your business would be in jeopardy because they don't know what they don't know.
Re: (Score:3)
Perhaps offtopic maybe. The scenario here is indicative of general programmer behavior: easy and functional without looking at the consequences.
The annoyance of runtimes and vulnerabilities in those runtimes are a distinct phenomenon. In fact, I'd say that Java's experience is a good example of the problems of shipping language runtime with your app, which can extend to static linking and providing 'appliance' virtual machines or containers. The lazy mindset that infects java app deployment to cause th
Re: (Score:2)
within 10 minutes the whole filesystem would be 777
Beware that would remove some 's' bits as well ... thus making the system more secure (in that it has less usable features...)
Re: (Score:2)
Jeez, hire some real developers. I have no sympathy for companies that hire the cheapest monkeys they can find that can utter the required resume keywords in an intelligible way.
Hiring people with 10+ years of experience in multiple languages and systems, even though far more expensive will save money in the long run. The savings on maintenance, security and extensibility alone will easily pay itself back, not to mention they'll build better, more scalable solutions, and do it in less time and with less l
Re: (Score:2)
When meeting the new CIO he called everyone in the web development group (comprised of project managers, developers, graphic artists, etc) a bunch of interchangeable cogs and meant it as a compliment. He couldn't see why everyone was upset by the remark.
Re: (Score:2)
Re: (Score:2)
Stackoverflow is specifically a Q&A site. It's not for discussion but answering questions. Don't criticise it for not being something it is not meant to be.
Re: (Score:2)
you're competing against an accepted answer - which is not the same thing as a "best" or "correct" answer.
So perhaps the real problem is how to make it more obvious to readers that the good answer has twice the upvotes of the accepted answer.
Re: (Score:3, Interesting)
I think there's room for "I've looked at rust, it might be a good idea, but not to the extent it is hyped".
I will concur that I see too many folks saying roughly "oh yeah, Java/Javascript/(etc.) are so much less secure than rust". Those people obviously don't understand *why* rust has the claims about security and/or really piss poor understanding of other languages. It also implies a huge misunderstanding about security in general, that a language design can fix the most usual offenders nowadays (it's ge
Re: (Score:2)
It annoys me that "competent programmers" are those that are supposedly always researching newer technologies.
The fact remains that the core of everything software-related is still operating on 40+ year old technology that is time-tested and proven reliable and secure.
Every time someone tosses out a new API, SDK, or programming language, I cringe. Most of the time those systems provide a false sense of security.
Re: (Score:2)
How would you rate "Rust? Heard of it. Has some interesting concepts, but I haven't had the time to really look into it myself yet"? Because, that's where I'm coming from. I want to look at both Rust and Go, but between work and real life, it's probably not going to happen until I manufacture a real reason to do so...
Re: I trust advice from people who dislike Rust. (Score:2, Insightful)
Jesus F Christ on a stick! Think, man, think!
There's a reason there are so few java based root exploits!
Because who in their right mind would give a java app root permissions?
Re: (Score:2)
Root exploits are nasty because the program hacked isn't running as root...
If only it was so easy to simply not run anything as root...
Re: (Score:2, Informative)
Of course Rust code isn't often exploited. Nothing important has actually ever been written in Rust! It's damn near impossible to exploit software that doesn't actually exist.
It's excusable that there are holes in some C code. Much of this code was pioneering, and didn't have the hindsight of experience when it was being written. A lot of C code actually predates the widespread use of networking.
Of course, many people and organizations what would have used C in the past now use Modern C++. While Modern C++
Re: (Score:2)
Almost every *real* program out there in the wild is also found in C/C++ code. Even Java, Python and Rust are in the end written in C/C++ and they also have had their exploits. You can program securely in C/C++, you can program insecurely in Java, you can have efficient code in C/C++, you can't have efficient code in Java/Rust/Python.
Whether your application crashes and gives root or allows full access to the data, it doesn't matter in the end how you do it if you need unauthorized access to the data.
Re: (Score:2)
They do get a lot of attention though because things like OpenSSL are used on almost every website.
Re: (Score:2)
PowerPoint is Turing complete, we should just use that.
Re: (Score:2)
I've learned that, and this is especially so in Java, that you can start with a simplified framework but without a doubt at some point you'll be stuck on a complicated piece and you need a more complicated framework.
This is the same for any framework, whether it be C or Java or PHP, at some point you need to get out of the 'simple' and into the 'hard' and the framework becomes 2 or 3 or 5 full-stack frameworks.