posted by Fnord666 on Sunday April 23, @08:33PM
Submitted via IRC for TheMightyBuzzard
Researchers have checked 64,000+ GitHub projects, and found 117 vulnerabilities introduced through the use of code from popular programming tutorials.
Things like this are why I would never hire a professional programmer without an online portfolio of source code to check for Blatant Stupidity.
Source: https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabilities/
(Score: 2, Interesting) by Anonymous Coward on Sunday April 23, @08:34PM
I remember it like it was yesterday.
I was interviewing for a job, and the interviewer asked, "Do you participate in Stack Overflow?"
I said, "No. I read manuals, because the answers on Stack Overflow are wrong."
I didn't get the job.
(Score: 1, Insightful) by Ethanol-fueled on Sunday April 23, @09:01PM
The people who write the datasheets aren't the guys who design the IC's.
Let that sink in for a bit before your new design explodes or fails at temperature.
(Score: 1, Insightful) by Anonymous Coward on Sunday April 23, @09:14PM
It's like you're suggesting professionals never test anything. Yes, errata exist. No, upvoted rumors passed around by idiots on a social site are not substitutes for documentation.
(Score: 3, Insightful) by Ethanol-fueled on Sunday April 23, @09:51PM
They don't test anything. Okay, they test the bare minimum of what they must and cobble things together in barely workable condition and worry about the problems later.
That being said, I never stated that the Stack Overflow approach was rigorous, but it would be a hell of a lot more tolerable if they nuked all those "How do I use for loop, plz do my homework" questions from orbit.
It would be nice if there were something a little more like Microwaves 101 [microwaves101.com] for coding.
(Score: 2) by kaszz on Monday April 24, @02:30AM
Which is why you test a design before going into real production. And why there are lots of evaluation cards.
(Score: 1) by Ethanol-fueled on Monday April 24, @03:30AM
Which is why your defective designs are offloaded onto everybody else in the organization, and when you get called on the carpet to fix your shit, you further offload your work onto others inside and outside the organization.
There's a reason why people who have to work with "engineers" hate them. For a population who had to pass Calc III, partial differential equations, and dynamics, you guys are awfully retarded.
(Score: 2) by kaszz on Monday April 24, @08:29AM
Usually these kinds of engineers have to fix their own shit until it works. Seems you experienced other types.
(Score: 0) by Anonymous Coward on Monday April 24, @12:51AM
Maybe because you hadn't corrected the answers? They asked if you "participated". It's easy to be sure you're right if you never engage with the people you think are wrong.
(Score: 1, Informative) by Anonymous Coward on Monday April 24, @05:23AM
When an interviewer asks about Stack Overflow, it means they don't want skilled applicants. They want monkeys who copy-and-paste the trending answers from Stack Overflow. The question exists to determine whether the monkey is properly trendy.
(Score: 2) by VLM on Monday April 24, @01:07PM
Or they're trying to do e-peen compensation measurements where the applicant with the most "good boy points" obviously spends too much time Fing off online, and the applicant with the fewest "good boy points" might be too stupid, so we'll hire the guy in the middle, who coincidentally happens to be the VP's son. Or all manner of retcon will occur with the eventual outcome that the previously pre-selected young white male of proper parentage is hired.
Or another part they're hoping for is if they have a previously pre-selected winner, which they probably do, they're hoping you'll provide enough social media accounts to find you calling someone a big poopie head and thus you're unemployable, or mention you attend the "wrong" church, or voted for the "wrong" guy so they could never hire you, removing a roadblock to the pre-selected winner.
(Score: 0) by Anonymous Coward on Monday April 24, @08:02PM
Or they want to get a quick read on how you conduct yourself in technical conversations. Just because you keep saying something is "trendy" doesn't make it useless. It's just a more easily indexed form of the stuff we've always used. If you're so sure everyone else's answers are wrong but you don't put yours out there, how does that help? And if you can't do it without acting like a prick then the people interviewing you might not want to employ you. Not that it should always be a deal breaker, but some places just aren't looking for pricks.
(Score: 0) by Anonymous Coward on Monday April 24, @04:59PM
Well, if that (or something equivalent in tone) was the answer you gave, I can understand why you didn't get the job. What is your qualification worth if you poison the work atmosphere, thereby reducing the productivity of everyone in your vicinity?
(Score: 0) by Anonymous Coward on Monday April 24, @06:39PM
(Emulating AC) The answer is that all antisocial nerds will be sent to the gas chamber because the rich won't fund universal basic income. The worth is one Greyhound bus ticket to the nearest gas chamber location.
(Score: 0, Troll) by Anonymous Coward on Sunday April 23, @08:39PM
1. You can't know the source code was written by the applicant.
2. You just want applicants to link you to free code you can steal because you're too lazy to look for it yourself.
Submitter is Blatant Stupidity incarnate.
(Score: 0) by Anonymous Coward on Sunday April 23, @08:47PM
Well, if we had UBI, all code could be open, and I'd even consider the MIT and BSD licenses.
(Score: -1, Flamebait) by Anonymous Coward on Sunday April 23, @09:10PM
Yes let's have a Basic Income modeled after the charmed life of Dick Bathroom Stall-Man. If the unwashed Leader of the Free Software World deserves 15 unearned honorary doctorates and a genius grant, then ShitHub can pay a living wage to every coder. Mobilize all the Vulture Capitalists to fund ShitHub instead of funding startups. When everybody works directly for ShitHub then there won't be any need for companies anymore. The world will benefit from the innovative productive activity of super genius coders everywhere. And the best part is government never has to become involved. ShitHub is private enterprise and ShitHub already represents the entirety of the software industry. All that needs to happen is to centralize all the money into ShitHub.
(Score: 1) by Ethanol-fueled on Sunday April 23, @08:51PM
Why steal code from a repo when you could just go to the site and view the source?
(Score: 0) by Anonymous Coward on Sunday April 23, @09:09PM
1. You can't know the source code was written by the applicant.
Which is why you need to test them as well. Lazy, short-sighted employers hire terrible candidates.
(Score: 0) by Anonymous Coward on Sunday April 23, @10:22PM
I have a portfolio of source code, but it's not on github, so it doesn't exist.
My code is in downloadable tarballs, but nobody knows how to open tarballs, so it doesn't exist.
According to everyone, I must never have written a line of code in my life.
(Score: -1, Troll) by Anonymous Coward on Sunday April 23, @10:41PM
Balderdash! Michael David Crowford put all of his best work into tarballs, and MDC is the highest paid software guy around these parts. He's so popular with the skills and the can-do attitude that he doesn't even have to upload his fine work to GitHub. Other people put his work on GitHub for him. That's how popular he is, MDC has to fight off recruiters with a stick. If you want people to know you exist, you have to advertise yourself everywhere all the time constantly. Don't be a loser, be popular! Just like Michael David Crowford.
(Score: -1, Troll) by Anonymous Coward on Sunday April 23, @11:08PM
That's what you think. The truth is Eris Blastar is MDC's feminist superhero alter ego. She sprung from his mind when MDC first saw Leighton Meester on television and he developed a secret fantasy family in which he was her father. Eris Blastar owns all of the work that Michael David Crawford doesn't want to admit he has done himself.
(Score: 0) by Anonymous Coward on Monday April 24, @05:29AM
I find your Eris Blaster theory intriguing, but Crawford doesn't have multiple personalities, do I?
(Score: -1, Flamebait) by Anonymous Coward on Sunday April 23, @08:54PM
https://github.com/TheMightyBuzzard
232 contributions in the last year
Only 232?? What the fuck is wrong with you, Niggery?
Why the Wimpy fucking Buzzard ain't gaming the fucking system like a real rockstar coder?
Shit, you got no excuse!
https://github.com/avinassh/rockstar [github.com]
Get your fucking ShitHub profile pimped out, stupid black ass cocksucker!!!
(Score: 1, Flamebait) by The Mighty Buzzard on Monday April 24, @04:28PM
That's prairie nigger, thank you very much.
Believing a caricature of someone means you are an asshole that would rather signal virtue than understand people.
(Score: 5, Insightful) by Snotnose on Sunday April 23, @10:12PM
They're tutorials FFS. How many examples in K&R checked for buffer overruns, or NULL pointers?
A tutorial shows the basics of how things are done. A tutorial that shows everything that can go wrong is not a tutorial (unless it's a tutorial on what can go wrong). If you copy and paste tutorial code into working software without also googling about what can go wrong with this code snippet you are an idiot.
(Score: 0) by Anonymous Coward on Sunday April 23, @10:15PM
The getline function did. Unfortunately the ANSI people were stupid and gave us gets instead.
(Score: 0) by Anonymous Coward on Sunday April 23, @10:45PM
Or your PHB cut your allocated coding time to almost nothing and won't take "it's not ready" for an answer.
(Score: 2) by kaszz on Sunday April 23, @11:21PM
PHB demands, PHB gets what he asked for. He and his customers shall be happy! ;-)
So the question becomes how to detect corporations with these kinds of management. Oracle and Microsoft seem at least to be two examples.
(Score: 1, Insightful) by Anonymous Coward on Sunday April 23, @10:55PM
There's a difference between "A tutorial that shows everything that can go wrong is not a tutorial" and the crap they show in these tutorials.
- no mention of security awareness or even input validation.
- using deprecated mysql calls (not using mysqli or PDO).
- concatenating unsanitized user input directly into the SQL string (not even using the deprecated mysql_real_escape_string() to make a half-assed effort).
- not using parameterized queries.
- I could go on but their code has already been hacked by now.
Creating a very similar, but secure, basic tutorial isn't that much more work. Even W3Schools gets it right and their tutorials are not all that complicated.
I agree that copy & paste coding is a bad idea, but it is so common that I expect it will live in infamy inside countless IoT devices.
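The two patterns contrasted in the list above, side by side, as an added example (not code from the thread, nor from any tutorial the study examined): a lookup that concatenates user input into the SQL string, and the same lookup done with PDO prepared statements plus a shape check on the input. It uses PDO's SQLite driver with an in-memory database so it runs offline; the table, its rows, the `isValidUsername` helper and the tautology input are all constructed for this demo.

```php
<?php
// Added example, not from the thread: "concatenate user input into SQL" beside
// the parameterised PDO form. The schema, rows, helper names and the sample
// input are constructed for the demo; PDO + SQLite in memory keeps it offline.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $pdo;
}

// Tutorial-style lookup: the input is spliced straight into the SQL text,
// so the input decides what the query *is*, not just what it searches for.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation the tutorials skip: a username has a known shape, so
// reject anything else before it gets near the database (constructed rule).
function isValidUsername(string $username): bool
{
    return preg_match('/^[a-z0-9_]{1,32}$/', $username) === 1;
}

// Hardened lookup: the SQL text is fixed at prepare time and the value
// travels as a bound parameter, so it can never change the statement.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();

// Constructed input: the classic tautology a copy-pasted tutorial never checks for.
$input = "' OR '1'='1";

// Concatenation turns the query into "... WHERE username = '' OR '1'='1'" and leaks every row.
$leaked = findUserVulnerable($pdo, $input);
printf("concatenated query returned %d row(s)\n", count($leaked));

// The validation layer stops the request before any SQL runs.
printf("input passes shape check: %s\n", isValidUsername($input) ? 'yes' : 'no');

// Even without the shape check, the bound parameter is compared literally
// against the username column, so nothing matches.
$bound = findUserSafe($pdo, $input);
printf("parameterised query returned %d row(s)\n", count($bound));

// The legitimate path still works.
printf("alice -> %s\n", findUserSafe($pdo, 'alice')[0]['role']);
```

Run it with `php` on any build that has the pdo_sqlite extension. Against MySQL you would swap the DSN and also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, performs the prepare. The point the list above makes is that the safe version is not longer or harder than the vulnerable one; it is simply what a tutorial should have shown in the first place.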
(Score: 2) by VLM on Monday April 24, @01:20PM
A tutorial that shows everything that can go wrong is not a tutorial
In the simpler, older days, that's how a lot of assembly language opcodes were documented, and some other languages too.
Something I always liked about assembly was that an architecture that didn't suck tended to fully document almost all opcodes in one page or less. Usually the outliers were the more exotic floating point ops, especially I/O-type format conversion ops, and interrupt control in CPUs with more elaborate interrupt systems or more elaborate stack systems.
As things got more complicated, and lower IQ people became programmers, docs quality dropped until the standards are so low it's "wrong" to be good now.
(Score: 0) by Anonymous Coward on Monday April 24, @12:56AM
Well, there you go, the article need say no more....
(Score: 2) by tibman on Monday April 24, @02:05AM
Oh, you have a programming language that prevents vulnerabilities? do tell
SN won't survive on lurkers alone. Write comments.
(Score: 2) by Scruffy Beard 2 on Monday April 24, @02:22AM
Ada may come close, but a skilled programmer can disable most of the anti-foot-shooting stuff.
(I have not tried it myself, but it is supposed to support things like design by contract.)
(Score: 2) by kaszz on Monday April 24, @02:34AM
The funny thing is that universities coach students into programming languages with extensive anti-foot-shooting protections, which usually also have protections against productivity. But somehow advanced maths is alright without any shoot-away-your-brains protection because, well.. doh!?
(Score: 1) by Scruffy Beard 2 on Monday April 24, @02:52AM
Not sure I get your point.
(Score: 2) by kaszz on Monday April 24, @08:25AM
Hard typed languages with memory protection etc. hinder the user from making mistakes, at least some of them, because the teachers won't trust students not to make mistakes. While in maths there are no protections, but then magically students are trusted to make mistakes. Usually bad ones too.
My point is, if a person can handle STEM maths at a university, they can handle coding too without protection mechanism. It's all about thinking through your actions and some bookkeeping.
(Score: 2) by Scruffy Beard 2 on Monday April 24, @02:00PM
I guess I disagree then. If there is one thing computers are good at, but humans aren't, it is bookkeeping.
The Computing science professors want to focus (at least in introductory classes) on the concepts they are teaching, rather than book-keeping.
Not sure of the hard distinction you are making between CS and Math either. But in general, software has more complexity than one person can comprehend.
(Score: 2) by kaszz on Monday April 24, @02:23PM
Bookkeeping is to have a handler setup before you call a timer alarm or open the graphics driver before you try to draw some lines etc. Keeping plain variables in order just requires one to think first, and then code.
(Score: 3, Touché) by Nerdfest on Monday April 24, @02:36AM
No language *prevents* vulnerabilities (well, some prevent some types), but PHP seems to actively *encourage* them.
(Score: 2) by kaszz on Monday April 24, @09:53AM
Some languages also seem to attract the lower end of the gene pool like flies to shit ;)
(Score: 2) by bob_super on Tuesday April 25, @06:47PM
Java is the language most obsessed with types and other safe behaviors that I code in.
But I'm much happier in Verilog, where they arguably should add a cheering section in the compiler, to grade the originality of dumb mistakes allowed by letting you do just about anything...
(Score: 2) by bradley13 on Monday April 24, @05:59AM
I understand your point, but consider: Some programmers don't have time and/or interest to maintain a lot of open-source code just for the fun of it. Maintaining a lot of "perfect" code (and perfect by whose standard) is a lot of effort.
Everyone is somebody else's weirdo.
(Score: 2) by The Mighty Buzzard on Monday April 24, @04:32PM
Believing a caricature of someone means you are an asshole that would rather signal virtue than understand people.
(Score: 2) by VLM on Monday April 24, @01:34PM
Security vulns are a small subset of the bigger set of "not how we do things here, today".
Kind of like there are places that use Perl, and there are places that use Modern Perl with perlcritic, and they don't really have that much in common culturally or even visually in the code. You can write and run 1997 Perl code, just not here.
Another analogy is in the 90s or maybe 80s Walnut Creek CDROM (wonder whatever happened to them?) used to sell a CD-ROM kit of some NASA software since the 50s, and it was fun to read but was basically all "scientist code" consisting of interesting stuff surrounded by "not how we do things here, today".
The problem with cut and paste stuff off the internet is the internet is old, so finding a Perl CGI guide from '97 is actually not as useful as you might think today. Technically yes you can cut and paste that, but ...
Maybe a standard SN car analogy is: by the miracle of big hammers and drills and duct tape, you can technically repair a car by going to a junk yard, pulling a part off some random junker and then beating it to fit any other car such as the one you're trying to repair, but that's more labor intensive than doing it the right way in the long run, and it's no longer considered acceptable professional behavior. Now as an art piece or showing off your craftsman skill that's OK, but it's not cool to work that way at least 99.9% of the time for a little old lady needing a new spark plug or your boss assigning you to fix the work truck. There will be rare, weird exceptions. Emphasis on rare.
(Score: 2) by LoRdTAW on Monday April 24, @07:49PM
https://en.wikipedia.org/wiki/Walnut_Creek_CDROM [wikipedia.org]
Short answer: the internet killed the CD-ROM star. If I dig deep enough, I am sure I can find a CD or two from them. Downloaded many a megabyte from ftp.cdrom.com. They used to proudly boast of the specs for their mighty FreeBSD powered FTP server. Something like a quad Pentium 3 Xeon with 4GB RAM. Thanks for that trip down memory lane.
(Score: 2) by darkfeline on Tuesday April 25, @03:26AM
This study was done for PHP repositories. In other words, this is not news. PHP practically encourages you to format strings using user input and use their broken password hashing implementations.
Friends let friends enable ECMAscript to hide personal quirks, like using code tags everywhere. https://git.io/vX9DP
