On 16 September 2015 at 08:23, Tim Peters
Fundamentally, I just don't see the sense in saying that someone who does their own seeding deserves whatever they get, while someone who uses an inappropriate generator in a security context should be saved from themself. I know, I read all the posts about why I'm wrong. I just don't buy it. There's no real substitute for understanding what you're doing, regardless of field. Yes, incompetence can cause great damage. But I'm not sure it does the world a real favor to possibly help a programmer incompetent to do a task keep working in the field a little longer. This isn't the only damage they can cause, and the longer they keep working in an area they don't understand the more damage they can do. The alternative? Learn how to use frickin' SystemRandom. It's not hard. Or get work for which they are competent.
Because that's never how these things go. You usually don't write a password generator that uses a non-CS PRNG in a security context, get discovered in the short term, and get fired/reprimanded/whatever. Instead, one of the following things happens:

- you get code review from a reviewer who knows the problem space and spots the problem. It gets fixed, you get educated, you're better prepared for the field.
- you get code review from a reviewer who knows the problem space but *doesn't* spot the problem because Python isn't their first language. It doesn't get fixed and no-one notices for ten years until the problem is exploited, but you left the company 8 years ago and are now Head of Security Engineering at CoolStartupInc.
- you don't get code review, or your reviewer is no better informed on this topic than you are. The problem doesn't get fixed and no-one notices ever because your program isn't exploited, or is only exploited in ways you never find out about because the rest of your security process sucked too, but you never find out about this.

This is the ongoing problem with incompetence when it comes to security: the feedback loop is long and the negative event fires rarely, so most programmers never experience it. Most engineers have *never* experienced a security vulnerability in their own project, let alone had one exploited. Thus, most engineers never get the negative feedback loop that tells them that they don't know enough to do the work they're doing.

Look at all the people who get this wrong. Consider haveibeenpwned.com for a minute. They list a fraction of the website databases that have been exposed due to security errors.
At last count, that list includes (I removed more than half for the sake of length):

- Adobe
- Ashley Madison
- Snapchat
- Gawker
- NextGenUpdate
- Yandex
- Forbes
- Stratfor
- Domino's
- Yahoo
- Telecom Regulatory Authority of India
- Vodafone
- Sony
- HackingTeam
- Bell
- Minecraft Forum
- UN Internet Governance Forum
- Tesco

Are you telling me that every engineer responsible for these is not working in the industry any more? I doubt it. In fact, I think most of these places can't even account for which engineer is responsible, and if they can, odds are good they left long before the problem was exploited.

So you're right, there is no real substitute for knowing what you're doing. But we cannot prevent programmers who don't know this stuff from writing the code that does it. We don't get to set the bar. We cannot throw GoReadABookOrTwo exceptions when inexperienced programmers type random.random, much as we would like to.

With that said, we *can* construct an environment where a programmer has to have actually tried to hurt themselves. They have to have taken the gun off the desk, loaded it, disabled the safety, pointed it at their foot, and pulled the trigger. At that point we can say that we took all reasonable precautions to stop you doing what you did and you did it anyway: that's entirely on you. If you disable the safety settings, then frankly you are taking on the mantle of an expert: you are claiming you knew more than the person who developed the system, and if you don't then the consequences are on you. But if you use the defaults then you're just doing the most obvious thing, and from my perspective that should not be a punishable offence.
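The failure the two posts above argue about (a password generator built on the default `random` module) and the fix Tim points at (`SystemRandom`, or `secrets` on 3.6+) are concrete enough to show. The following is an added example, not code from anyone in this thread: it builds the weak generator, recovers the full MT19937 state from 624 leaked 32-bit outputs by inverting CPython's tempering, and predicts the victim's next password exactly, even though the victim was seeded from `os.urandom`. The `weak_password`/`strong_password`/`clone_mt` names and the "624 leaked outputs" framing are this example's own assumptions; the tempering constants and the `getstate`/`setstate` tuple layout are CPython's.

```python
"""Added example (not from the thread): a password generator on MT19937 is
predictable regardless of seed quality; secrets/SystemRandom is the fix.
Assumes CPython's random module (getstate() version 3 tuples)."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
N = 624  # MT19937 state size in 32-bit words


def weak_password(rng: random.Random, length: int = 16) -> str:
    """The 'password generator that uses a non-CS PRNG' from the thread."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 16) -> str:
    """The fix: secrets.choice is SystemRandom().choice, i.e. os.urandom."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# --- MT19937 output tempering and its inverse --------------------------------
def temper(x: int) -> int:
    """The tempering CPython applies to each state word before output."""
    x ^= x >> 11
    x ^= (x << 7) & 0x9D2C5680
    x ^= (x << 15) & 0xEFC60000
    x ^= x >> 18
    return x & 0xFFFFFFFF


def _undo_right_xor(y: int, shift: int) -> int:
    # Invert x ^= x >> shift by fixed-point iteration: the top `shift` bits
    # are already right, and each pass fixes the next `shift` bits below.
    x = y
    for _ in range(32):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor_mask(y: int, shift: int, mask: int) -> int:
    # Invert x ^= (x << shift) & mask: same idea, low bits correct first.
    x = y
    for _ in range(32):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF


def untemper(y: int) -> int:
    """Recover the raw state word from one 32-bit output."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_mt(outputs) -> random.Random:
    """Build a Random whose future outputs equal the observed generator's.

    Assumption: the 624 outputs are consecutive 32-bit words starting at a
    twist boundary, which holds for a freshly constructed Random as in demo().
    """
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (N,)  # index N: twist on next call
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def demo() -> bool:
    """Leak 624 outputs (think: exposed tokens), then predict the next password."""
    victim = random.Random()  # seeded from os.urandom; the seed is not the problem
    leaked = [victim.getrandbits(32) for _ in range(N)]  # constructed 'leak'
    attacker = clone_mt(leaked)
    predicted = weak_password(attacker)
    actual = weak_password(victim)
    return predicted == actual  # True: the 'random' password was predictable


if __name__ == "__main__":
    print("MT19937 password predicted:", demo())
    print("secrets-based password    :", strong_password())
```

Nothing about `random.seed` is at fault here: the state is the secret, and MT19937 hands it out one tempered word at a time. `secrets.choice` (equivalently `random.SystemRandom().choice`) has no replayable state to recover, which is the whole of the "learn to use SystemRandom" advice.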