Proud Security Misfeatures



  • An interesting read:

    Some excerpts (warning: spoilers):

    when somebody@X sent an e-mail to the outside world, the ad by X got attached to the e-mail. When someone else (@some-other-provider) replied, the original e-mail (including the ad) was by default copied into the reply. When this reply reached X, it was treated as spam because of the ad in it (despite the fact that this very ad was appended by X itself). As a result, most of the replies (like 80-90% of them) were put into a ‘Spam’ folder by X.


    One thing nobody realised for a while is that the system with the least possible amount of chargebacks is the system which rejects all transactions outright; the market of protection systems was moving full-speed to this bright zero-chargeback future (at the cost of no transactions going through)


    if the user mistyped her expiry date (for example, typed “11/16” instead of the correct “10/16”), and then got to the processor, and got rejected, she wasn’t able to make a transaction with a correct “10/16” expiration date with this processor, ever



  • Most of the supposed solutions presented at the bottom are the real :wtf: here.

    don’t allow your natural excitement about your invention to carry you away. Stay calm, and be ready to accept criticism.

    Except the first and third examples were deployed before criticism was solicited, and the second simply didn't ask and just assumed their definition of success was correct. These developers need to get stakeholder input first.

    discuss the feature with BAs (if any), or with a manager (which he did, but not in sufficient details)

    I hear lots of great stories about "BAs", and this sounds like advice coming from a BA ("I know all! Always come to me for input first, young one..."). In reality, no matter who you defer to for advice, corner cases will be lost and forgotten. Yes, get input from others, but that is nowhere near sufficient to be confident in a proposed solution.

    discuss the feature internally with fellow team members (which he didn’t)

    Again, fellow team members may or may not help. Try "stakeholders" instead of "internal team" or "BAs", which would include end users in these examples.

    discuss the feature with merchants, including us (...)

    Getting warmer...

    avoid being too proud of your invented feature, until it has been shown to work properly...

    Getting input will prevent you from wasting time on misfeatures, testing will help weed out forgotten requirements. I would call this point the only real answer in the end. Deploy new features in phases, or apply it to a small set of cases first. Duh!

    Alternatively, deploy the new feature as a "warning" system in parallel to the current checks, and then after a sufficient amount of time compare the new and old approaches. Build regular reports, dive into some specific cases where new and old disagree, and fine-tune as necessary. This is pretty much SOP at the security-related jobs that I've been at.


  • @quijibo said:

    These developers need to get stakeholder input first.

    If I could walk with the ~~animals~~ stakeholders, talk with the ~~animals~~ users,
    Grunt and squeak and squawk with the ~~animals~~ management,
    And they could talk to me!



  • @quijibo said:

    These developers need to get stakeholder input first.

    Calling Buffy Summers...



  • That's an interesting website.


  • <input name="password" type="password" autocomplete="off">

    Most annoying "security" misfeature ever.

    Bonus points for disallowing copy&paste



  • That's useful in one and only one case: when a website includes a way of changing your password on your profile page. Without autocomplete="off", every time you'd edit any field in your profile, you'd get an error about the passwords not matching.


  • You actually managed to find a use case for that crap. That deserves some kind of award, I guess...


  • @ben_lubar said:

    Without autocomplete="off", every time you'd edit any field in your profile, you'd get an error about the passwords not matching.

    It's relatively common to make the password-change be a separate page that has somewhat more elevated security requirements to view (i.e., needs to have logged in with a password this session, instead of relying on some remember-me mechanism). It also avoids silly accidents.



  • @ben_lubar said:

    Without autocomplete="off", every time you'd edit any field in your profile, you'd get an error about the passwords not matching.

    This used to be an actual problem in some MMOs I played. They fixed it eventually.



  • The Guild Wars 2 launcher has a "remember password" checkbox that does absolutely nothing.



  • That's just cruel



  • Actually, if the wiki is to be believed, it makes clicking the "log in" button without entering a password use your previously entered password. With no visual indication that a password has been saved.

    Huh. TIL.



  • That's just stupid

    (obligatory Loose response)

    All "remember me" should do is leave a cookie that acts like you didn't log out, i.e. you don't need to click the "log in" button. Yes, I know you can just "not" log out, but in the old days the server had no way of knowing if you were still connected.
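    A minimal server-side "remember me" token of the kind @loose describes, as an added example that is not from this thread: the cookie carries a random selector and secret, the server keeps only a hash of the secret, and presenting the cookie restores the login without a password until it expires or the user explicitly logs out. The store, names and 30-day lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: selector -> (user, sha256(validator), expiry)
REMEMBER_TOKENS = {}
REMEMBER_TTL = 30 * 24 * 3600  # 30-day lifetime (constructed value)


def issue_remember_cookie(user, now=None):
    """Create a persistent-login token and return the cookie value to set.

    Only a hash of the validator is stored, so a leaked token table cannot
    be replayed; the selector is a non-secret lookup key.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(9)
    validator = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = (
        user, hashlib.sha256(validator.encode()).digest(), now + REMEMBER_TTL)
    return f"{selector}:{validator}"


def user_from_remember_cookie(cookie, now=None):
    """Return the user for a valid cookie, else None (bad rows are dropped)."""
    now = time.time() if now is None else now
    try:
        selector, validator = cookie.split(":", 1)
    except (AttributeError, ValueError):
        return None
    row = REMEMBER_TOKENS.get(selector)
    if row is None:
        return None
    user, stored_hash, expires_at = row
    if now > expires_at:
        del REMEMBER_TOKENS[selector]  # expired: forget it
        return None
    presented = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(presented, stored_hash):
        del REMEMBER_TOKENS[selector]  # wrong secret for a known selector
        return None
    return user


def logout(user):
    """An explicit logout revokes the server-side rows; the cookie alone is useless."""
    for sel in [s for s, row in REMEMBER_TOKENS.items() if row[0] == user]:
        del REMEMBER_TOKENS[sel]
```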



  • @ben_lubar said:

    The Guild Wars 2 launcher has a "remember password" checkbox that does absolutely nothing.

    I can top that; the login page for the support portal for one software vendor I have to deal with at work has a "remember my email" checkbox which also does absolutely nothing, so I have to type my email address in every time.



  • How do you propose a MMORPG implements a "remember me" feature in that way?



  • Oh fuck!

    I don't

    Nor do I propose to offer one

    What do you want a "remember me" tick box do?

    And are your expectations within the norm?

    If it is not, do you seek to change what is the norm to suit your purpose?

    ...snip

    snip...
    Are "remember me" tick boxes one of those technologies that should be gracefully retired before they start drooling and peeing themselves and being otherwise embarrassing to the younger tech that keep visiting because they hope for a @mention in the will?


  • @ben_lubar said:

    How do you propose a MMORPG implements a "remember me" feature in that way?

    If it's started via a client-side launcher, perhaps it could simply remember your password. WoW (ok, the Battle.Net launcher) and Minecraft are both capable of doing that.



  • Re-read what @loose was saying. To make it easier, I'll paraphrase it here:

    @loose said:

    Instead of a "remember me" checkbox, the server simply shouldn't keep any state about your session and you should just stay logged in.

    Now think about what that would mean for a MMORPG.


  • @ben_lubar said:

    Now think about what that would mean for a MMORPG.

    Yes, as described, that doesn't make any sense. OTOH, as I said, I don't see why having a client remember your password is a big deal, general security concerns notwithstanding.



  • Maybe you didn't see this post:

    @ben_lubar said:

    Actually, if the wiki is to be believed, it makes clicking the "log in" button without entering a password use your previously entered password. With no visual indication that a password has been saved.

    Huh. TIL.


  • @ben_lubar said:

    Maybe you didn't see this post:

    Maybe you didn't see the post where I mentioned WoW.

    WoW actually will not remember your password. The BNet launcher (at least in some versions) will, though.

    Minecraft uses some kind of token where you only have to log in once, unless you log in to another computer. Then it gives you a bad dialog where it says you have a token and you can log in without typing in your password, but that doesn't actually work.

