Years ago I worked for a small start-up, and while running through manual tests on the product installer, I discovered that if you set the user password to “a” (a single, lowercase a) and then logged into the service, your password wasn’t actually “a” but something different. I couldn’t tell what the actual password was without access to the database, which was far beyond my pay grade.
This had the potential for all sorts of security problems. If the hashing algorithm for storing passwords was unpredictable, it could mean tons of misery for our users. Worst case it could mean that there is some sort of “master key” floating out there, waiting for some diligent hacker to discover.
I logged the bug and the dev it was assigned to told me to check out the new build of the installer and run my test again. I did as asked and got the same results. Then he came to my desk to see me reproduce the bug. I did as asked and got the same results. Then he checked out another build on his machine and tried to reproduce the bug. He got the same results as well.
In my mind, this was a show stopper. In his mind this could be fixed by requiring the installer to require a minimum of six characters for the password. There was no mention of possible flaws in the hashing algorithm in any of the architecture discussions that I was privy to.
Security vulnerabilities are basically just software bugs. Software bugs get out into the wild because they weren’t caught in QA. Sometimes QAs catch security flaws but they get shouted down by devs. Think about that next time you enter your credit card number for a subscription to a game.
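The check the post implies a QA would want is a set-then-verify round trip over awkward passwords (one character, empty, non-ASCII, padded with spaces, very long), run against the password store before release. The following is an added example, not the poster's code and not the start-up's installer: it uses PBKDF2-HMAC-SHA256 with a per-user salt as an assumed storage scheme, and the `buggy_hash_password` variant is a constructed reproduction of the symptom described (set “a”, log in with “a”, get something else), not a claim about what the real defect was.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

# Iteration count kept modest so the check runs quickly; raise it for production.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a verifier with PBKDF2-HMAC-SHA256 and a fresh 16-byte salt.

    Returns (salt, digest) so the caller can store both beside the account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the verifier under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def buggy_hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hypothetical defective store: silently pads short passwords before hashing.

    Constructed only to reproduce the symptom in the post (the value the user typed
    no longer logs them in); it is not the start-up's actual code.
    """
    if len(password) < 6:
        password = password.ljust(6, "x")
    return hash_password(password, salt)


# Constructed edge cases a tester would try: one char, empty, exactly six chars,
# non-ASCII, surrounding whitespace, and a long password.
EDGE_CASES = ["a", "", "aaaaaa", "p\u00e4ssw\u00f6rd", " a ", "x" * 200]


def round_trip_check(hasher: Callable[[str], Tuple[bytes, bytes]]) -> List[str]:
    """Return every password for which set-then-verify misbehaves.

    A password fails if the exact value the user set does not verify, or if a
    near miss (the same value with one character appended) does verify.
    """
    failures = []
    for pw in EDGE_CASES:
        salt, digest = hasher(pw)
        if not verify_password(pw, salt, digest):
            failures.append(pw)  # what the user set no longer logs them in
        elif verify_password(pw + "x", salt, digest):
            failures.append(pw)  # a different password is accepted
    return failures


if __name__ == "__main__":
    print("correct store failures:", round_trip_check(hash_password))
    print("buggy store failures:  ", round_trip_check(buggy_hash_password))
```

Run as a release gate, the check returns an empty list for a store that hashes exactly what the user typed, and names the short passwords for the padded variant; a minimum-length rule in the installer would hide those entries without fixing whatever transforms the input.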