
Thread: Forum Sites Harmful?

  1. #1

    Thread Starter
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Forum Sites Harmful?

    This was interesting:

    Stack Overflow Considered Harmful?

    The results of the team's analysis are alarming: 15.4% of the 1.3 million Android applications analyzed in the study contained security-related code snippets from Stack Overflow. Out of these 97.9% contained at least one insecure code snippet.
    We are seeing a lot more dubious code posting here lately as well. There are the cases that clearly violate the member usage terms here, and then you have other things a bit tougher to manage through moderation.

    Weird things like writing code as "droppers" or even more dubious techniques like code injection instead of using proper deployment techniques. Then you have the promotion of closed source libraries that admit to containing open-source code without clear evidence of proper licensing.

    I'm not sure what can really be done without a change in terms of use followed up by members reporting threads containing dicey code and advice. Even so, moderation usually results in such threads merely being locked rather than expunged, leaving the problem thread naked to the world for use. Given a few days the culprits often return and try working the same line of abuse with slightly more clever social engineering language to forestall thread closing.

    Maybe it'll take a few lawsuits shutting down sites before anyone takes notice.

  2. #2
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,989

    Re: Forum Sites Harmful?

    Yeah, that would put an end to people posting code, for the most part. A real chilling effect in general.

    When you ask for code on a public forum, you get what you pay for. It may be that what you get is worth more than you paid....but it may not. Anybody who writes security code, or uses security code, without understanding what they are doing....may have a future with Target, Yahoo, Experian...or darn near anywhere.
    My usual boring signature: Nothing

  3. #3
    Fanatic Member 2kaud's Avatar
    Join Date
    May 2014
    Location
    England
    Posts
    996

    Re: Forum Sites Harmful?

    People who take code from anywhere and re-use it themselves need to be responsible. If they use posted 'dicey' code without understanding it IMO I blame the people who use it, not the people who post it. Whoever runs these forums IMO cannot reasonably be expected to be held responsible for the quality - or otherwise - of the posted code. It's a case of 'user beware'.

    Licensing issues are different. Here the poster has to have the right to post any code (good or 'dubious') and if not public domain then the terms of the licence under which the code is posted should be made clear as part of the post.
    All advice is offered in good faith only. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/

    C++23 Compiler: Microsoft VS2022 (17.6.5)

  4. #4
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,302

    Re: Forum Sites Harmful?

    It's all very well saying that 97.7% of 15.4% of Android apps contained insecure code that came from SO but it depends what you're comparing it to. Without SO and the like, what proportion of Android apps would then contain insecure code? Would it be better? Maybe, maybe not. The existence of sites like SO and VBF lowers the degree of difficulty of getting into programming and that means that more people can do it. Where a lack of aptitude or effort would have prevented some previously, they can now whip something up fairly easily. There's a parallel here with VB6, where it made developing Windows applications easier and thus many who didn't previously have the aptitude or diligence to program then could, and such people are more likely to do the wrong thing, either through ignorance or laziness.

  5. #5

    Thread Starter
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: Forum Sites Harmful?

    Maybe the best that can be done is for members spotting trouble spots to make "advisory" posts in such threads. When a bad practice has been presented... call it out saying why caution is advised.

  6. #6
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,532

    Re: Forum Sites Harmful?

    That works fine here, where discussion is usually encouraged... SO hasn't historically tried to be a discussion but a reference site... and with up/down voting, the cautionary posts get down voted and relegated to the bottom where no one scrolls and eventually lost.

    -tg

  7. #7
    You don't want to know.
    Join Date
    Aug 2010
    Posts
    4,578

    Re: Forum Sites Harmful?

    I feel like discussion here almost always goes sour when you show up to inform OP and responders that a solution has bad practices. OP usually gets upset because "good solutions" are usually harder than "bad solutions", and sometimes the responder gets hostile because "*huff* I use this all the time and it works, you're one of those high-falutin' architecture astronauts."

    I'm not just talking about my actual pet architecture astronomy projects. I swear I've seen "I don't need to store salted hashes, this is just an internal app and I'm not a real developer anyway" at least twice in the last 30 days.
    This answer is wrong. You should be using TableAdapter and Dictionaries instead.

  8. #8
    PowerPoster PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Pontypool, Wales
    Posts
    2,458

    Re: Forum Sites Harmful?

    Anyone who says "I don't need to store salted hashes" when dealing with passwords doesn't then need to say "I'm not a real developer"; it is pretty much implied.

  9. #9
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,989

    Re: Forum Sites Harmful?

    Mmmmm....salted hash.

  10. #10
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,302

    Re: Forum Sites Harmful?

    Quote, originally posted by Shaggy Hiker:
    Mmmmm....salted hash.
    That explains a great deal.

  11. #11
    You don't want to know.
    Join Date
    Aug 2010
    Posts
    4,578

    Re: Forum Sites Harmful?

    Yeah, but that's one of the stupider things about our field.

    If you're remodeling your house and want to redo your kitchen, you'd be daft to look around for someone to do the wiring that says, "I'm not a real electrician".

    But when people are trying to get systems written on which they'll build their businesses, they're more than happy to take some random someone with a handful of VBA tricks and promote them to "developer".

    Either way I can't fathom how it's a forum's fault these people follow those practices. The code you write is your responsibility and it's your job to make sure it does what it says and does it properly. I'm willing to bet if we put a lawyer to the task, they'd tell us StackOverflow's code absolves them of responsibility and stresses that votes are user opinions, not site recommendations.

  12. #12

    Thread Starter
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: Forum Sites Harmful?

    So maybe the liability falls on employers who allow access to the Internet? I'm not sure how that's an answer, and blocking forum sites is like playing whack-a-mole.

    So that leaves the liability on the employer who doesn't hire good staff and have peer review processes in place to ensure quality. Like that's going to happen.

  13. #13
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,989

    Re: Forum Sites Harmful?

    It may be unlikely, but it is ultimately the case. If the developer is paid by the company, and the developer makes use of code without understanding it, and that code fails, it's not really all that much different from anybody else who screws up on the job. They can try to blame somebody else, but it is ultimately their mistake.

  14. #14
    Fanatic Member 2kaud's Avatar
    Join Date
    May 2014
    Location
    England
    Posts
    996

    Re: Forum Sites Harmful?

    Quote, originally posted by Shaggy Hiker:
    It may be unlikely, but it is ultimately the case. If the developer is paid by the company, and the developer makes use of code without understanding it, and that code fails, it's not really all that much different from anybody else who screws up on the job. They can try to blame somebody else, but it is ultimately their mistake.
    Yes.

  15. #15
    You don't want to know.
    Join Date
    Aug 2010
    Posts
    4,578

    Re: Forum Sites Harmful?

    Equifax shows us if you write bad security code, you are going to take the fall for the company and the people who hired you will get a bonus as they jump off the sinking ship, then all of the people below "executive" lose their job and know exactly who you were.

    I bet that guy is going to have a hard time shopping his resume. I'd probably erase "Equifax" and pretend I was unemployed.
