• @dhork
    22 · 11 months ago

    It doesn’t surprise me, the vendor probably thinks they’re Agile, their team delivered a Minimum Viable Product and then their Management sold it. Security was always meant to be in a future Sprint.

    If that model works for web services, it ought to work for anything, right?

    • aard
      8 · 11 months ago

      Agile, their team delivered a Minimum Viable Product

      I guess that’s kind of what got me into this mess.

      They have some shitty web application where you’re supposed to log the times your kids will be in daycare. I logged in, looked around - and told the wife she can choose to log the times herself, or tell the daycare to do it themselves. I’m paid to deal with broken shit in my main job, I’m not doing that for free in my spare time.

      At that point I assumed the web app was some prototype their intern had thrown together for the sales pitch, and they were now desperately trying to get it functional - to my surprise I later learned that it was an older product, with quite a few customers already.

      A few weeks later my wife came back upset from kindergarten over an argument about missing times - which forced me to actually deal with that dungheap, and prompted me to have a closer look at the other components, like the Android app they’re using on their phones as well. There are a lot of stupid beginner mistakes in all components - not necessarily exploitable, but I also didn’t really check, as in my opinion the tag thing would be sufficient to have this taken out of use.