My first, and probably last, attempt at security programming was back in the 80ies, on a Spectravideo. I remember spending some hours on the program, and I had an if-clause to check for a password, and if the password was wrong, obviously the program needed to be protected… so I deleted it from memory…

Some BASIC along the line of:

1820 IF password <> "******" THEN NEW

…of course, after some hours of programming I’d forgotten the password… and forgotten that I didn’t knew it so I typed in the wrong one and off my program went…

…did I save it to cassette before I tested it. Nope. Did I learn the cassette equivalent of the “ctrl-s”-reflex. Yup!

Does this in any way resemble modern security programming? In my experience? It is as if nothing has happened since the 80ies. In fact, I’m fairly certain there are systems out there that will format c: if you fail to type in the right password too many times.

Or like moron Azure DevOps. What happens if you try to view a page you don’t have access to? Yup, you get a 404 error (as in page does not exist, not a 403=you don’t have access). They’re even helpful enough to tell you so. You know, so no one will know that the page do in fact exist. If they don’t have access. How many people spend how many hours bug hunting that one? Do we bill Microsoft? Ah, no, they’re billing us, right…

format azuredevops:

It seems that if it’s about security and doing the wrong thing makes something explode and burn, some security manager somewhere will have mental, or not so mental, orgasms… But I guess usable security systems will be hacked because the users will be too comfortable using them… right…?

Header image by MKFI – Own work, Public Domain, Link