Security sucks.
There, I said it. Security issues are the bane of our existence.
I keep running into scenarios where the root cause of a problem is, someone doesn't trust someone else.
That someone else is someone the first person fundamentally MUST trust, because without that trust, they might as well pack it in and go home.
"I don't trust my developer, so don't give him privileges on the server - just let him upload his code." (...code that takes people's credit card information and DOES WHATEVER HE WANTS WITH IT!)
"Help us be PCI compliant" (...what matters is that we pass these tests, not that our server is secure.)
I just got an email with some dude's entire firewall configuration. He's trying to figure out if it's secure or not... and he just mailed it to an ENTIRE LIST of people - thousands, possibly, any number of whom might inadvertently be saving their email in some sort of insecure manner such that anyone on the planet could read it.
The dilemma? How to DISCUSS security with the community, to help determine and implement best practices, without revealing your weaknesses.
Welcome to the 21st century. If you don't want something to be known to the entire universe, don't decrypt it.
