1. 21

  2. 4

    I wonder what percentage of Homakov’s vulnerability findings are due to OAuth. Enough that I won’t implement it in any of my applications, at least.

    1. 2

      What do you mean by “due to OAuth”? Intrinsic to the protocol design? Or the specific implementations?

      1. 2

        Both.

        1. 1

          Clever reply/answer ;)

          So while some poor designs and lazy developers made some bad decisions… I think it’s still probably better than the alternative of passing around user+password/token.

    2. 2

      Altogether, an interesting writeup. But really didn’t care for the way he ended it with [what amounted to] a sales pitch for his services.

      1. 1

        Without being provocative for the sake of being provocative - can I ask why? As a contractor it’s fairly common to have a portfolio of past work; this case is very applicable as ‘past work’ in the world of netsec, it’s pretty much his CV.

        1. 1

          I don’t mind, and I don’t feel such a question is “provocative” in the least - Lobste.rs is a great place to discuss these kinds of topics. I’ll keep this short.

          First, I understand that for anyone in the software business (or creative arts, or I guess anywhere productive), a portfolio is a necessity. I have nothing against this, and I encourage it.

          Second, my objection is the way the author did more than simply mention that he does this type of thing for a living, and/or link to his professional homepage. The tone was snarky and boastful. The last three blocks read “It would be cheaper to have just hired me… You should hire people like me AND use bounties… I’d love to help [this link is fine by me]… Love donating? Send me money.”

          Third, I said I’d keep this short.

          1. 2

            Also, given that the blog serves as a piece of his portfolio, listing his triumphs and demonstrating work ethic… Why is his portfolio deviating from that purpose and “pitching” him, and how much cheaper he would’ve been? Let the work speak for itself, I say. (Again, a link back to his professional homepage is perfectly acceptable.)

            To put this in terms of a CV: Would you really include in your CV’s “past work” section “Gee, if they’d just hired me outright, they would’ve saved so much money!”? That seems ludicrous to me.

            (I apologize, it took a fair bit of rambling for me to distill a concise point.)

            1. 2

              Then you’re on the same page as me and likely prefer modesty.