Proud Security Misfeatures



  • An interesting read:

    Some excerpts (warning: spoilers):

    when somebody@X sent an e-mail to the outside world, the ad by X got attached to the e-mail. When someone else (@some-other-provider) replied, the original e-mail (including the ad) was by default copied into the reply. When this reply reached X, it was treated as spam because of the ad in it (despite the fact that this very ad was appended by X itself). As a result, most of the replies (like 80-90% of them) were put into a ‘Spam’ folder by X.


    One thing nobody realised for a while is that the system with the least possible amount of chargebacks is the system which rejects all transactions outright; the market of protection systems was moving full-speed to this bright zero-chargeback future (at the cost of no transactions going through)


    if the user mistyped her expiry date (for example, typed “11/16” instead of the correct “10/16”), and then got to the processor, and got rejected, she wasn’t able to make a transaction with a correct “10/16” expiration date with this processor, ever



  • The most of the supposed solutions presented at the bottom are the real :wtf: here.

    don’t allow your natural excitement about your invention to carry you away. Stay calm, and be ready to accept criticism.

    Except the first and third examples were deployed before criticism was solicited, and the second simply didn't ask and just assumed their definition of success was correct. These developers need to get stakeholder input first.

    discuss the feature with BAs (if any), or with a manager (which he did, but not in sufficient details)

    I hear lots of great stories about "BAs", and this sounds like advice coming from a BA ("I know all! Always come to me for input first, young one...". In reality, no matter who you defer to for advice, corner cases will be lost and forgotten. Yes, get input from others, but that is nowhere near sufficient to be confident in a proposed solution.

    discuss the feature internally with fellow team members (which he didn’t)

    Again, fellow team members may or may not help. Try "stakeholders" instead of "internal team" or "BAs", which would include end users in these examples.

    discuss the feature with merchants, including us (...)

    Getting warmer...

    avoid being too proud of your invented feature, until it has been shown
    to work properly...

    Getting input will prevent you from wasting time on misfeatures, testing will help weed out forgotten requirements. I would call this point the only real answer in the end. Deploy new features in phases, or apply it to a small set of cases first. Duh!

    Alternatively, deploy the new feature has a "warning" system in parallel to the current checks, and then after a sufficient amount of time compare the the new and old approaches. Build regular reports, dive into some specific cases where new and old disagree, and fine-tune as necessary. This is pretty much SOP at the security-related jobs that I've been at.


  • Discourse touched me in a no-no place

    @quijibo said:

    These developers need to get stakeholder input first.

    If I could walk with the animalsstakeholders, talk with the animalsusers,
    Grunt and squeak and squawk with the animalsmanagement,
    And they could talk to me!



  • @quijibo said:

    These developers need to get stakeholder input first.

    Calling Buffy Summers...



  • That's an interesting website.


  • Winner of the 2016 Presidential Election

    <input name="password" type="password" autocomplete="off">
    

    Most annoying "security" misfeature ever.

    Bonus points for disallowing copy&paste



  • That's useful in one and only one case: when a website includes a way of changing your password on your profile page. Without autocomplete="off", every time you'd edit any field in your profile, you'd get an error about the passwords not matching.


  • Winner of the 2016 Presidential Election

    You actually managed to find a use case for that crap. That deserves some kind of award, I guess...


  • Discourse touched me in a no-no place

    @ben_lubar said:

    Without autocomplete="off", every time you'd edit any field in your profile, you'd get an error about the passwords not matching.

    It's relatively common to make the password-change be a separate page that has somewhat more elevated security requirements to view (i.e., needs to have logged in with a password this session, instead of relying on some remember-me mechanism). It also avoids silly accidents.



  • @ben_lubar said:

    Without autocomplete="off", every time you'd edit any field in your profile, you'd get an error about the passwords not matching.

    This used to be an actual problem in some MMOs I played. They fixed it eventually.



  • The Guild Wars 2 launcher has a "remember password" checkbox that does absolutely nothing.



  • That's just cruel



  • Actually, if the wiki is to be believed, it makes clicking the "log in" button without entering a password use your previously entered password. With no visual indication that a password has been saved.

    Huh. TIL.



  • That's just stupid

    (obligatory Loose response)

    All "remember me" should do, is leave a cookie that acts like you didn't log out i.e you don't need to click the "log in" button. Yes I know you can just "not" log out, but in the old days the server had no way of knowing if you were still connected.



  • @ben_lubar said:

    The Guild Wars 2 launcher has a "remember password" checkbox that does absolutely nothing.

    I can top that; the login page for the support portal for one software vendor I have to deal with at work has a "remember my email" checkbox which also does absolutely nothing, so I have to type my email address in every time.



  • How do you propose a MMORPG implements a "remember me" feature in that way?



  • Oh fuck!

    I don't

    Nor do I propose to offer one

    What do you want a "remember me" tick box do?

    And are your expectations within the norm?

    If it is not, do you seek to change what is the norm to suit your purpose?

    ...snip

    snip...
    Are "remember me"" tick boxes one of those technologies that should be gracefully retired before they start drooling and peeing themselves and being otherwise embarrassing to the younger tech that keep visiting because they hope for a @mention in the will?


  • Discourse touched me in a no-no place

    @ben_lubar said:

    How do you propose a MMORPG implements a "remember me" feature in that way?

    If it's started via a client-side launcher, perhaps it could simply remember your password. WoW (ok, the Battle.Net launcher) and Minecraft are both capable of doing that.



  • Re-read what @loose was saying. To make it easier, I'll paraphrase it here:

    @loose said:

    Instead of a "remember me" checkbox, the server simply shouldn't keep any state about your session and you should just stay logged in.

    Now think about what that would mean for a MMORPG.


  • Discourse touched me in a no-no place

    @ben_lubar said:

    Now think about what that would mean for a MMORPG.

    Yes, as described, that doesn't make any sense. OTOH, as I said, I don't see why having a client remember your password is a big deal, general security concerns notwithstanding.



  • Maybe you didn't see this post:

    @ben_lubar said:

    Actually, if the wiki is to be believed, it makes clicking the "log in" button without entering a password use your previously entered password. With no visual indication that a password has been saved.

    Huh. TIL.


  • Discourse touched me in a no-no place

    @ben_lubar said:

    Maybe you didn't see this post:

    Maybe you didn't see the post where I mentioned WoW.

    WoW actually will not remember your password. The BNet launcher (at least in some versions) will, though.

    Minecraft uses some kind of token where you only have to log in once, unless you log in to another computer. Then it gives you a bad dialog where it says you have a token and you can log in without typing in your password, but that doesn't actually work.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.