
[flagged]


Personal attacks are not allowed on HN. We ban accounts that do this, so please don't do it again.

Unfortunately, your comment history has plenty of uncivil and unsubstantive comments. It also has some really good ones, so we aren't banning you, but if you keep doing this, we'll have to, so please fix it.

We detached this subthread from https://news.ycombinator.com/item?id=13927087 and marked it off-topic.


I want to be a positive contributor.

I should have used a gentler tone. Sorry for rankling.


It's not like Tavis is creating these bugs. He's merely pointing out that the emperor has no clothes. Quite a socially awkward situation for townsfolk who've been living as if the clothes are wonderful.

Additionally, in general and as is the case here, the bugs aren't in some nice kid's hobby project. It's not like he's pointing out that grandma's blog has XSS vulnerabilities. These are security products, which often seem like snake oil instead. If anything we need more stigma against people and products who claim strong security but turn out to be shams, providing only security theater.

Some things just need much more expertise to do than others. You wouldn't want a hobbyist designing your local nuclear reactor, nor performing your heart surgery. Similar standards should be in place for computer security. Accepting security systems that were hacked together like another CMS will lead to our digital lives being on a foundation of straw.


I don't think I'd call them a 'sham'. They're not advertising something they don't do. I think they do everything that they say they do[1]. If this was a case where someone was able to get plaintext passwords from lastpass's server, you'd be right.

The first thing I think people should realize is that there are vulnerabilities in every software, and addressing that fact goes a long way. I doubt that they weren't following standards, and they do have a good track record of security, although they get flak for being an extension-based password manager (which is a very bad idea, something I came to realize not long ago. I think it was at the time of lastpass's last vulnerability[2]).

If you don't mind, I'm interested in knowing what you'd consider products with 'strong security'?

[1]: https://www.lastpass.com/how-it-works

[2]: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi...


LastPass has a bit to go until I'd call them a sham. I was talking in general. There have been much worse examples before.

Yes, there are vulnerabilities in every software. Even if your code is perfect, the compiler will generate bugged code. Even if you fix that, the CPU still has bugs. These are certainly hard problems. However, there's a difference between a subtle bug caused by a typo and a complete lack of understanding of fundamentals. [1]

As for what products I consider having strong security, the crypto part of the Go standard library is good. Among large projects Chrome is good. Neither of them is perfect.

--

[1] I especially like the case of CryptoCat, a chat program that generated random crypto keys by concatenating strings of digits. https://tobtu.com/decryptocat.php


>> There is a concept called an "unreliable narrator." Tavis has a documented track record of poor interpersonal behavior. It's time that people stopped focusing exclusively on the quality of his discoveries and started to ask if his behavior is one we want to implement.

I have seen many security bugs reported by Tavis show up here on HN. I haven't seen Tavis behave poorly in either explaining these issues or reviewing the fixes. On the contrary, his comments in the issue discussions have almost always given the benefit of the doubt to the product and its developers when it comes to the way they have handled the security issues.


Tavis has a documented track record of poor interpersonal behavior. It's time that people stopped focusing exclusively on the quality of his discoveries and started to ask if his behavior is one we want to implement.

Given what he does, the quality of his discoveries is really the only important thing. Do you really think that "form over function" is important in the context of what he does?


That's a pretty serious claim to make about someone, and you haven't backed it up.



