Technologies: Python, Django, JavaScript, React, jQuery, C#, ASP.NET, Go, CSS, HTML5, SQL/PSQL, Selenium, Bash, Docker/Docker Compose, Salesforce Marketing Cloud, PostUp, HubSpot automation and integration, ABBYY Vantage, Microsoft Power Automate and Power Apps.
I love consulting on projects and technical problems that people are facing, so even if you don't end up hiring me, let's at least meet and chat about what you're working on and see if there's anything I can do to help. I'm happy to offer a free initial consultation, so you've got nothing to lose but time, and I guarantee that I won't waste yours.
I have over 15 years of software development experience and 10 years of solution architecture experience. I have experience architecting solutions for both AWS and GCP.
I am interested in both a full-time position and freelance projects. I'm also a quick learner, so if there's a technology that I don't already have experience with, I'd love the opportunity to expand my knowledge and jump in and help wherever I can.
I didn't buy this, I inherited it from my dad, but now that I have one, if it broke I would immediately go replace it, and that's a nice DeWALT cordless drill combo, with two batteries and a charging station. In the past I have always had cheaper cordless drills, because spending $150+ on a cordless drill seemed kinda silly, but I use this thing all the time, everywhere, for all sorts of stuff.
Would definitely recommend for anyone that does more than the bare minimum. Or anyone that only does the bare minimum but has some cash to spare.
The gap in reliability, quality and functionality between the little Ikea drill or $50 Black and Decker and even a low end Dewalt is _huge_. The gap between that and a $300+ drill is _mostly_ in longevity and its ability to stand up to sustained abuse.
Keep an eye out around Father's Day. There are pretty consistently sales on tools, or at least some sort of deal. I picked up tools on Father's Day a while back and it was on sale _and_ included two extra free batteries. The batteries charge quickly enough that I've never been able to run them down before the other could charge.
I fought with cheap power tools for years before I finally bit the bullet and I regret not doing it sooner.
When I bought my house I went deep into battery powered tools (Ryobi, but I think it's all similar). I have 2-3 drills and 2 impact drivers. It is really nice to not need to change bits often, and with my ADHD having a few sitting around in the room where I'm actively doing heavier work is nice too. Lots of batteries, handful of other tools from them.
Having multiple of some seemed very silly, but it really is so useful!
They should have just called it (Microsoft) Code. If they can use Word, Access, and Excel as product names, surely they could get away with just calling their world-class editor "Code".
I second your recommendation, I'm a sucker for a sleek editor with a great plugin architecture.
I used to work for a company that had a big security hole that would allow you to log in as any user as long as you knew the user's UUID (I know, right?). I logged a ticket and raised the issue up the flagpole to let folks know that if someone slipped in some code (we ran a lot of third party javascript) to harvest UUIDs, they could fairly trivially log in as an admin and do some serious damage. The issue sat for months (MONTHS!) until finally a user complained about some non-https content being loaded on our login page, which sparked a whole security review, and gave me an opportunity to bring additional attention to my ticket, which finally got fixed.
This kind of crap is out there, and people don't give it the attention it deserves until they get bitten in the ass. Thankfully, my company didn't get bitten, but if we had, it could have been very bad, and the fact that the issue was called to people's attention and they didn't do anything about it would have made it look that much worse.
UUIDs aren't exactly guessable; any hole which lets someone "slip in some code" is way more serious than a persistent login token.
It's not great to have a non-revocable login token, but a "UUID that lets anyone log in as you" is how a lot of API access tokens work, which is why they usually have a mechanism where you can regenerate them if you know they are compromised.
I don't disagree with your premise that "a lot of crap is out there" though. Working in small to medium enterprises (SMEs) really opens your eyes about the real level of security of most sites.
Yes, a suitably random and therefore 'unguessable' secret is, fundamentally, the underpinning for auth systems, and some of those secrets utilize UUIDs.
No to the idea that these are comparable. Those are not -user identifiers-. A user identifier, vs a 'secret', requires a different perspective in how it's treated, in API, in UI, etc.
For -any- sort of security model you figure out what bits of data must be kept secret, vs what bits of data should be treated as 'known'. A user identifier should always fall into the latter camp; a password or other credential falls into the former.
You said it yourself, "usually have a mechanism to regenerate them if you know they are compromised" - you really, REALLY don't want to have to regenerate your user identifiers if they leak out; that's almost invariably going to involve a great deal of complexity, breakages, regressions, etc. You're effectively changing the primary key of every entry in every database you have that this user exists in. Better to just not make them required to be kept secret for your security model. And even -that- assumes that they were -meant- to be secret; no developer is going to assume that about user identifiers, so you better have made that explicit to everyone who ever touched the code, or you just introduced a bunch of avoidable security holes.
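The identifier-versus-secret distinction drawn in the comments above, as an added example that is not part of this thread: the "log in with a known UUID" pattern beside a session store that keeps the user ID public and puts the secrecy in a separate random bearer token which is stored hashed, expires, and can be revoked for a user without changing that user's identifier. Everything here is constructed for illustration (stdlib-only Python, an in-memory store, a fixed clock); the names `SessionStore`, `login_by_identifier` and `demo` are mine, not any project's API.

```python
import hashlib
import secrets
import time
import uuid
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: str       # public identifier: fine in URLs, logs, client-side JS, analytics
    display_name: str


@dataclass
class Session:
    user_id: str
    expires_at: float


# --- The anti-pattern from the thread: the identifier doubles as the credential ---
def login_by_identifier(users: Dict[str, User], presented_id: str) -> Optional[User]:
    """Anyone who learns a user_id (a value the rest of the system treats as public) is that user."""
    return users.get(presented_id)


# --- Hardened form: a separate random secret that is hashed at rest, expiring, revocable ---
class SessionStore:
    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._by_hash: Dict[str, Session] = {}   # hash(token) -> Session

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is stored, so a dumped session table does not yield live tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: User, now: Optional[float] = None) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG. This, not user_id, is the secret.
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._by_hash[self._digest(token)] = Session(user.user_id, now + self.ttl)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id a live token belongs to, or None if unknown or expired."""
        key = self._digest(token)
        session = self._by_hash.get(key)
        if session is None:
            return None
        now = time.time() if now is None else now
        if now >= session.expires_at:
            del self._by_hash[key]   # expired: forget it
            return None
        return session.user_id

    def revoke_all_for(self, user_id: str) -> int:
        """Rotate a compromised user's credentials; the user_id itself never changes."""
        doomed = [k for k, s in self._by_hash.items() if s.user_id == user_id]
        for k in doomed:
            del self._by_hash[k]
        return len(doomed)


def demo() -> dict:
    alice = User(user_id=str(uuid.uuid4()), display_name="alice")   # constructed sample user
    users = {alice.user_id: alice}
    store = SessionStore(ttl_seconds=60)
    t0 = 1_000_000.0   # fixed clock so the run is deterministic

    token = store.issue(alice, now=t0)
    results = {
        # Anti-pattern: the public id alone authenticates.
        "id_alone_logs_in_insecure": login_by_identifier(users, alice.user_id) is alice,
        # Hardened: the public id is not a token; only the random secret resolves.
        "id_alone_resolves_hardened": store.resolve(alice.user_id, now=t0) is not None,
        "token_resolves": store.resolve(token, now=t0) == alice.user_id,
        "token_expired": store.resolve(token, now=t0 + 61) is None,
    }
    # Fresh token, then handle "we believe this user's token leaked": revoke, id untouched.
    token2 = store.issue(alice, now=t0)
    results["revoked_count"] = store.revoke_all_for(alice.user_id)
    results["token_after_revoke"] = store.resolve(token2, now=t0)
    results["user_id_unchanged"] = alice.user_id in users
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `revoke_all_for` is the one the comment makes about regeneration: because the secret lives in the session table and not in the identifier, a compromise is handled by deleting rows, not by re-keying every database the user appears in.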
Why didn't you fix it? (I don't mean this harshly, just curious.)
Ultimately, this kind of stuff is something IMO a professional programmer should just do. It's irresponsible to let stuff like this go and you should do whatever it takes to make management understand. In a healthy organization it shouldn't even be questioned by management, you just tell them you found a security issue that will cost the company billions and has to be fixed immediately. In an unhealthy organization, maybe you just slip this into some other work without telling management.
Not to sound patronizing, but you've clearly never worked in a large enterprise.
Teams are siloed. Code is siloed. The deployment process is siloed. Etc.
Do I know where the code lives? If I do, do I -have access to the code-? Write, as well as read? Will my checking in code trigger a huge change review process that will cause people to yell at me for touching code I'm not in charge of? Will my checked in code be picked up as part of what goes to prod? If not, do I have a way to get the code into that process? Etc.
Very few companies of that scale are just a "check the code out, fix it, create a pull request, and watch it work its way into prod".
Not even a large enterprise, just anywhere there's any sort of formal process. Very, very few companies outside a startup with a single product+handful of employees are able to just make code changes like that all willy nilly. Especially to something as sensitive as authentication.
It's like saying "why didn't the NASA engineers just fix the o-rings on the Space Shuttle Challenger? After all, they knew there were problems with them and people's lives were at risk." They did what they could, which was this: http://www.lettersofnote.com/2009/10/result-would-be-catastr...
Well, you can have a formal process that allows contributions from anyone, which is what I was trying to allude to with "watch it work its way into prod". But I agree, generally speaking if you have a formal process, and you're not on the team, and/or can't convince a product owner of the need, there is no way to get it done.
I worked at Garmin previously which is definitely a big company. On my team I don't think I'd have had trouble convincing management that it needs to be done or otherwise been able to sneak it into other work. I'm concerned that as a profession we're too accepting of "well management won't let me do it" even when the consequences are high. To me it feels like designing a bridge that will collapse and kill people just because your manager said to.
Great question, and in the end it comes down to politics and team siloing. A large corporation with a lot of projects and priorities, and no single Security person to raise the issue with. At the time I wasn't in a position to Just Do It and then tell everyone "Hey, this needed to be done, I got it done, now I need a QA resource to test it and then we need to deploy it to prod" without some backlash from multiple sources (my boss, the team that owned the product, etc).
Now (and given everything that's happened in the industry in recent years) I would definitely push more, and maybe fix it on my own, but at the time I just shook my head, and sent follow-up emails every few months to try to keep visibility on the issue.
At large companies with politics and bureaucracies you can't really just come in and create a PR for a bug you've found like you'd do in a smaller shop or a startup.
If the code is not the responsibility of you (your team / department), all you can do is create work requests / JIRA tickets for the people/team responsible for the code.
You wouldn't even have access to the repository or dev/test environments for the affected system most likely.
And it might just sit there for months until it eventually gets picked up and fixed. Or it will never be fixed.
Résumé/CV: https://www.ransomsoft.com/resume/
Email: markransomjr <&> gmail.com