You suggest code reviews to catch these kind of problems, but I’m willing to but 99.9% of code reviewers would not catch this issue (assuming the code reviewer doesn’t follow this blog).
(earlier posted this comment to wrong post)
I am surprised you didn’t find this example:
http://support.microsoft.com/kb/317535
huh?
@All of the Ivory Tower crew, as TwitOfTheMonth named them:
If you are into flaming, my opinion is that comments are not the correct place.
However if you still need to fullfil your thirst for arguments, may be the Monty Python can answer you, as flaming is not welcomed here:
http://www.davidpbrown.co.uk/jokes/monty-python-arguement.html (no offense meant, please read this with sufficient humor).
It’s true, Meredith DOES have a fetish for 18th century dandy fops!
There is a perfect solution to get rid of this bathroom wall of code. First create a question and answer website. Then, people will have to vote on the answer to make sure that only the correct solution gets flagged…
“Why is it called a GREP”
Comes from the really early UNIX days. Get Regular Expression Print.
“The onus is on us, as a team, to vet every line of code at the time it is contributed, and constantly peer review each other’s code”
Ideally that would be the situation. Peer review everything.
What do you do when you are in a situation where you are working on a project that, when asked at the beginning, you estimated would take 9 months and management tells you that you only have 5 months starting 2 weeks ago? And in addition to the time constraint, the clients are scrutinizing every little cost and are just waiting to freak out all over the place.
Oh well, I guess it’s the old hurry up and code because you are going to need a lot of time to debug…
Blind trust in valgrind - the Debian OpenSSL vulnerability
I think Jon’s point is that code absorbed from a living open source project is a much nicer bathroom. A random code snippet from a random website is certainly a dive bar sort of bathroom…
…and if you cut ‘n’ pasted the code it is now yours to maintain and fix, whereas the Debian OpenSSL vulnerability was fixed, as a library, soon after the problem was discovered, recompile with the new library and it’s fixed…and you can be as sure as far as is possible that a lot of people have checked it better than you could …
Surely if you ran that regular expression on the whole internet then this article’s regex would look like:
s/Mode = CipherMode.CBC/Mode = CipherMode.CBC/g
Off subject:
Riding brakeless is the biggest trend in bmx nowadays. I’m sure the shoe companies love it.
“The onus is on us…”
This is an interesting phrase.
Oh Noes. Someone wrote something on the internet
… and it’s wrong!!
Seriously, if someone copies that code without RTFA, they deserve whatever they get. If they need to be protected from that, they should not be programming, and should live in a nerf universe.
Kudos Jeff for having the cajones to admit that you fkd up, and doing so in such a public way. It does happen to human beings, and programmers (open source included) too.
To paraphrase and mangle together a few different quotes:
Good judgment comes from experience. Experience comes from bad judgment.
The person who never made a mistake never learned a thing.
Just try to suck less every day.
If you want to prevent dumb copypasta, at least change your code snippet to an image so it can’t be copied.
Changing it to an image won’t prevent people from using it, it will just take them longer. Use no code from the internet without first reviewing and understanding it.
@Tech Introvert: Yes she does!
I added automatic commenting functionality to Snip-It Pro, a code organizer program I created to manage code snippets after Jeff’s last post, the modest proposal for copy paste code reuse. This way at least with the snippets you and your team use, you’ll have some way of tracking (either by guid or reference url).
I released the new verson a few days ago.
http://www.snipitpro.com/
Couldn’t you use StackOverflow’s software to create www.BathroomWallOfCode.com, and then a user could add their piece of code and others could comment on it or wikiEdit it or vote it up/down. You could tag it C# Encryption and then people who know things about encryption could poke holes in this code. Perhaps then you could have notifications when the code has been updated.
What do you think?
You don’t have enough on the go right now do you? 
Peer review is one thing, testing your own damn code is another!
What’s the point in coding anything if you don’t check it actually works?
As long as you test the features and they work, if it works why bother reviewing every single line of code (unless you don’t test properly).
Um, because it will need to be maintained. To make sure that while it may “work”, it doesn’t do so in the worst possible way. Mutual growth. …
I think the whole point is being missed here. Two-way hashing (encryption / decryption) is only valid in scenarios where you need two way communication (for instance data in transit). Authentication is purely one way. Hence the more secure method of storing an authentication token is one-way hashing http://en.wikipedia.org/wiki/One-way_hash with a salt (for instance data at rest which can be recreated).
Consider the several use cases:
- User creates password (this use case they will never, ever need to see their created password again). The value that is stored in the database is the one-way hash
- User needs to log in (this again never states that the user or the system needs to know the password, just the generated one-way hash and whether the hash matches or not). The user types in the password to authenticate, which is convertted to the one-way hash and compared to the hash value in the database.
- User needs to reset their password (this final scenario still does not require the system or the user to decrypt the password hash, you just make them go through what ever hoops needed to reset the password, and you overwrite the hash). The user types in a new password which is hashed + salted and put in the database in that format.
The key here is that the hash is built in such a way that it cannot be decrypted. That is by design. Anything data that you store at rest, that you consider any level of restricted access, that can be recreated and compared, should be stored in a one-way hash.
Also, as Jon Galloway stated, the bad code is still floating around on the internet. Since you cannot change the internet, you should change how you view any code you see on the internet. I personally view all code I find on the internet as a good foundation to build my design around, but beyond that is subject to much scrutiny.
You make very valid points about the code reviewing process. I am a very strong proponent of that on a development team. In my mind, snippets should only be used if the developer who used it can provide evidence that they can recreate the snippet on paper and away from the internet (maybe a bit harsh, but yes that is what I believe).
(Sorry if this post sounded critical, that was not it’s intent. Let’s face it though, you will always sound critical on things that you are passionate about and therefore criticism should be expected).