The Bathroom Wall of Code

Forget peer review; try some TDD. Then if your pasted method didn’t work, you would’ve known it.

Also, if you publish code on the Internet, publish the unit tests alongside it.

@Kevin, how would TDD have solved this issue?

@Clinton,

Perhaps… but the blog post name was “Why isn’t my encryption… encrypting”, which I believe is a big enough hint to not copy the code. There is still the responsibility on the person copying/pasting the code.

“Forget peer review; try some TDD. Then if your pasted method didn’t work, you would’ve known it.”

Kevin, how can you write a test that captures the knowledge of a cryptography expert? How is a unit test going to know which ciphers are trivial to crack and which are state of the art? You need cryptography experts to review your design choices.

"repeating the broken code"
Clinton, if someone is stupid enough to copy and paste without reading the entire article then they’re too dumb to get security right anyhow. You can’t copy paste expertise, despite how often code monkeys try. :frowning:

You plagiarized and then realized (thanks to your wonderful readers) that the function (which you supposedly wrote) is not working as it should.

And now you are embarrassed, because you of all people should have been able to figure it out.
Hence you wrote this piece of (shit) blog post trying to convince your readers otherwise, trashing your goddamn philosophy upon us.

You are just covering up man.
Own up, take responsibility.
And you should have never plagiarized in the first place.

I am so disgusted by this (you of all people should be a responsible mature programmer) that I tore my ticket to your StackOverflow Dev Days - that’s $10 I am not seeing again.

This sounds like a great feature for Stack Overflow: a place to post helpful code snippets (or perhaps this is already evolving now?). There are many code snippet repositories out there now, but the Stack Overflow model would have the added benefit of:

  1. Bubbling the best snippets for a particular issue to the top.

  2. Being a wiki, so that others can refine and improve snippets.

+1 for including snippets of incorrect code as images…maybe with a big water-mark that says “[FAIL]” or similar.

Copying code without understanding or testing it is a symptom of laziness or time-pressure. Lazy or time-poor people will most likely just search for dodgy code elsewhere rather than transcribe YOUR dodgy code.

What library would the crowd suggest for a .Net developer who prefers to let the experts do what they do?

EntLib?
Bouncy Castle?

“Why is it called a GREP”

Comes from the really early UNIX days. Get Regular Expression Print.

Nope. That’s just an Urban Legend.

Ken Thompson created the grep command at the request of Douglas McIlroy who needed a way to examine multiple dictionary files for a speech synthesis program he was working on back in 1973.

McIlroy was examining multiple dictionary files and was using the old “ed” Unix editor. The “ed” editor was not a visual editor. Instead, there was an internal pointer that pointed to a line (but didn’t necessarily display the line). You could add lines, delete lines, or use the substitute command to edit the lines.

One command in ed was the “g” or “global” command. It allowed you to operate on all lines in the file at once. Another command was the “p” or “print” command that printed the lines. If you combined them as “g/re/p”, you would find all lines that contained the regular expressions “re” and print them out.

The problem is that “ed” operated on one file at a time, and that was slowing down McIlroy’s work since he had to examine multiple files. Thus, Thompson took the parts of the “ed” code he needed, allowed it to operate on multiple files at once, and called it “grep” after “g/re/p”.

I’m glad Jeff finally addressed the ‘use an open source library’ point, although I fear it won’t really sink in. Jeff, this is the second high-profile occurrence of you screwing up code and creating security holes because a) you don’t really know what you’re doing and b) you’re trying to do it yourself.

I get the impression that your reluctance to use high-quality, open, peer-reviewed code stems from your addiction to Windows programming. I can hardly blame you for having to write code yourself - Windows just doesn’t offer a powerful development environment, so open-source has hardly thrived ‘there’ - but you might want to check out some of the free alternatives if you want to prevent a repeat of this embarrassment.

@Nathan and Derrick

Oh, I don’t know. You could run these and look for repeated blocks in the output:

Encrypt("try some different" +
"00000000000000000000000000000000",
key, true).Base64ToHex();

Encrypt("salts" +
"00000000000000000000000000000000",
key, true).Base64ToHex();

My point was, though, that if you’re copying code from the Internet, try to get the unit tests with it. They’ll tell you what it does, and you can compare that with your requirements. Otherwise, write the tests yourself. (Of course, cryptography requirements might be more difficult to quantify and codify in tests than most.)
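Kevin’s repeated-block check written out as a runnable unit test, using Go’s standard-library AES instead of the .NET Encrypt method (an added example, not code from this thread or from Jeff’s post): a plaintext made of identical blocks is encrypted in ECB and in CBC, and the mode whose ciphertext contains repeated blocks is flagged. The key, IV and plaintext are constructed test-only fixtures.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// hasRepeatedBlocks reports whether two blockSize-byte blocks of ct are identical (the ECB telltale).
func hasRepeatedBlocks(ct []byte, blockSize int) bool {
	seen := make(map[string]bool)
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		b := string(ct[i : i+blockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// Constructed test-only fixtures: fixed AES-256 key, fixed 16-byte IV, one zero block repeated four times.
var (
	testKey = []byte("0123456789abcdef0123456789abcdef")
	testIV  = []byte("fixed-iv-for-tst")
	testPT  = []byte("0000000000000000000000000000000000000000000000000000000000000000")
)

// modeLeaksRepeats encrypts testPT with AES in raw ECB (each block on its own,
// the weak mode under test) or in CBC with an IV, then runs the repeat check.
func modeLeaksRepeats(useCBC bool) bool {
	block, err := aes.NewCipher(testKey)
	if err != nil {
		panic(err)
	}
	bs, ct := block.BlockSize(), make([]byte, len(testPT))
	if useCBC {
		cipher.NewCBCEncrypter(block, testIV).CryptBlocks(ct, testPT)
	} else {
		for i := 0; i < len(testPT); i += bs {
			block.Encrypt(ct[i:i+bs], testPT[i:i+bs])
		}
	}
	return hasRepeatedBlocks(ct, bs)
}

func main() {
	fmt.Println("ECB leaks repeats:", modeLeaksRepeats(false)) // true
	fmt.Println("CBC leaks repeats:", modeLeaksRepeats(true))  // false
}
```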

@Matt

grep is “Global regular expression print”. The original grep was a specialization of the (pre-Unix, teletype era) editor “ed”, where “/foo/p” prints the next line matching the regular expression “/foo/”, but “g/foo/p” prints all lines matching the regular expression “/foo/”. See “Software Tools” by Kernighan and Plauger.

I have a completely unsubstantiated hunch that it was also a pun on “grope” - as in “groping in the dark”.

@steve & everybody else asking Jeff to make websites…

Please, stop that. If he listens to you and makes another site, then we won’t get blog posts for like months at a time. Just stop it. :slight_smile:

If only we could find some way to legitimately nest the offending code in tags. :slight_smile:

To steal a cheesy quote, there is a difference between knowing the path and walking the path. Jeff doesn’t claim to be an expert, and sometimes non-experts make mistakes (who am I kidding, experts screw up too, just like all those people who thought MD4 was good enough, and those that slobbered over MD5, and some day we’ll mock 3DES and whatever replaces it).

@Clinton Pierce:

Grow up. Take responsibility for your own reading. If you don’t read the whole article, who can you blame?

@Brian:

Jeff uses the tools he uses. Pointing out that I could own a Chevy Corvette isn’t helpful when I can only afford a Geo Metro. Unless you’re offering to cover the cost difference. Until then the rest of us use the tools we can to do what we can.

@All of the Ivory Tower crew:

Get a grip. Most of us have deadlines and we make the choices we make because of the situation we’re in. Frequently we know there is a better way to do it, but can’t expend the resources required to develop or integrate that solution. There is a difference between a Computer Scientist and a Computer Programmer, apparently one that you’ve overlooked. Jeff isn’t a Ph.D. busily whipping his grad students to publish his rehashed theories. He has a job and family and he (theoretically) does the best he can. If you’d like to have a protracted debate over the degree to which I ought to normalize a database or how much performance I can squeeze out by in-lining a function, that’s fine, but I get paid to produce, not to theorize. Stop bustin’ Jeff’s chops because you’d do things differently because, in fact, you AREN’T doing it.

Sheesh.

So we might not have grep-the-internet commands yet, but we do have services like sharedcopy and friends, which teach us that comments should not be tied to the page, they should be free! I can edit the page with my sharedcopy edit button, and other users can see those changes, so the only question at hand is how to standardize such things to make them more accessible.

@MW: “Blind trust in valgrind - the Debian OpenSSL vulnerability”

Blind trust in unowned / uninitialized memory, a generic OpenSSL vulnerability. A secure system would clear stack memory on return, destroying entropy that it’s trying to fold in. Debian screwed up, but OpenSSL does need to fix it.

Hear, hear. Somebody (who shall remain nameless) on our team managed to introduce some 3ncrypt10n code into our software, with the private key as a constant string IN the source code (strings.exe, anyone?).

This person was above peer review for political reasons, but I managed to find this unacceptable nugget in the subversion log one day and fix the problem.

@everyone missing my point about grep

Thansk for some interesting historical tales.

However, as far as I know, there is version/variant of grep that does replaces. Go figure

Sheesh. I should proofread my comments -

s/Thansk/Thanks/
s/there is version/there is no version/