IBM's response to Web 2.0 start-ups: We're Safer (cio.com)
13 points by cglynch on Aug 24, 2007 | hide | past | favorite | 15 comments



It's CIO magazine. Anything IBM says is gold, since most CIOs, and the companies they work for, don't realize that they haven't been invited to this party.


"Designing security in" is not enough to guarantee security. You also need to have good programmers. I wouldn't be surprised if the average web 2.0 app had better security than IBM's enterprise imitations thereof, simply because the guys writing it were so much smarter.


Reddit stored passwords in plaintext for a year... you can't make such assumptions. There are likely smart guys working for IBM, as well. I think avoiding bureaucracy, not having dozens of people work on the same code, and being able to release to the public a small app with little code and little publicity and grow from there is what helps startups.


Reddit stored passwords in plaintext not because they were stupid, but because they thought they were being user-friendly. Spez knew all about hashing passwords, but the price of hashing passwords is that you can't email a user their old password, you can only give them a link to reset it. In a comment after the plaintext password scandal broke, spez indicated that he considered this to be enough of an annoyance to be worth avoiding. Besides, nobody will actually use an important password for a social news site, right? ;-)

IMNSHO they made the wrong choice, and I think they'd agree now. But it wasn't because they were stupid or ignorant. They made a judgment call, and it turned out their users disagreed. It's not easy servicing a consumer website with hundreds of thousands of users: no matter what you do, somebody will be pissed off.

Besides, at least they weren't like GreatestJournal.com, which not only stored their passwords in cleartext and used an open-source (LiveJournal) codebase, but left their database server exposed to the Internet. My friend did a simple "SELECT username, password FROM user" and ended up with 65K passwords.


At least twice you say that they weren't stupid or ignorant, as if I said that they were. :)

My post was clear-as-daylight a counter-example to Paul's statement, not an attack on Reddit.

You can even see my second sentence said, "there are likely smart guys working for IBM, _as well_." But, now people are going to think I hate Reddit or YCombinator because I disagreed with PG...


Did reddit disclose that the pwd was being stored plain-text?

If they had, it probably wouldn't have bothered people much.


No, I don't believe so, at least not until after the scandal broke.

It's trivial to find out though, for any website - do a "Forgot password" retrieval, and if they send you the password itself, it's stored in cleartext. If they send you a link to reset it, it's hashed.

IIRC, Reddit, MySpace, all LiveJournal clones, and IMDB all store in plaintext. Drupal installations hash them.
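The trade-off the comments above describe (hash the password and you can only mail a reset link; keep it in cleartext and you can mail the password back, and so can anyone who runs `SELECT username, password FROM user` against a leaked database), as an added example that is not code from reddit, IBM, or the article. The scheme (PBKDF2-HMAC-SHA256 with a per-user salt), the iteration count, the usernames, passwords and reset URL are all my own assumptions for the demo; `stores_plaintext` is the "forgot password" heuristic from the comment above, turned into a function.

```python
"""Plaintext vs hashed password storage, and the 'forgot password' tell.

Added example for this thread; not code from reddit, IBM, or the article.
PBKDF2-HMAC-SHA256 with a per-user salt is my choice of scheme, and the
user/password/URL values below are constructed for the demo.
"""
import hashlib
import hmac
import os
import re
import secrets

ITERATIONS = 200_000                                # assumed work factor
RESET_URL = "https://example.invalid/reset?token="  # hypothetical URL


class PlaintextStore:
    """What the thread says reddit, MySpace and GreatestJournal did."""

    def __init__(self):
        self.users = {}                      # username -> password

    def register(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        return self.users.get(user) == password

    def forgot_password(self, user):
        # Only possible because the password is sitting in the database.
        return f"Your password is: {self.users[user]}"

    def dump(self):
        # What 'SELECT username, password FROM user' yields against this store.
        return list(self.users.items())


class HashedStore:
    """Salted, iterated hash; the server never sees the cleartext again."""

    def __init__(self):
        self.users = {}                      # username -> (salt, digest)
        self.reset_tokens = {}               # sha256(token) -> username

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        if user not in self.users:
            # Burn a hash anyway so response time does not reveal valid usernames.
            self._digest(password, b"\0" * 16)
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(self._digest(password, salt), digest)

    def forgot_password(self, user):
        # The password cannot be recovered from (salt, digest), so mail a
        # single-use reset link instead. Only the token's hash is stored, so a
        # database dump does not hand out live reset links either.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = user
        return f"Reset your password here: {RESET_URL}{token}"

    def reset_password(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        user = self.reset_tokens.pop(key, None)   # pop: the token is single use
        if user is None:
            return False
        self.register(user, new_password)         # fresh salt, fresh digest
        return True

    def dump(self):
        # Same SELECT against this store yields only salts and digests.
        return [(u, s.hex(), d.hex()) for u, (s, d) in self.users.items()]


def token_from_mail(mail):
    """Pull the reset token out of the mail body the hashed store sends."""
    m = re.search(r"token=([A-Za-z0-9_-]+)", mail)
    return m.group(1) if m else None


def stores_plaintext(store, user, password):
    """The heuristic from the thread: if the recovery mail contains the
    password itself, the site kept it in cleartext."""
    return password in store.forgot_password(user)
```

The constant-time comparison in `login` and the dummy hash for unknown users are standard hardening rather than anything the thread mentions; the point the thread does make survives unchanged: `PlaintextStore.dump()` hands an attacker every password, `HashedStore.dump()` hands them work.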


You're assuming IBM programmers don't make stupid mistakes like storing plain text passwords or leaving gaping XSS holes. That's not a safe assumption at all.

I don't think what Reddit did was that bad either. The odds were that they'd fail and no one would have cared that they had plain text passwords. I think startups generally have much better programmers, but their work is so geared towards speed that security comes second. That probably just means the level of security vs IBM is a draw.

BTW. MySpace seems to still store plain text passwords. Try the "forgot my password" feature.


"You're assuming IBM programmers don't make stupid mistakes"

No; my whole point was that, that's right, we don't know who's making more stupid mistakes, one way or the other.

"I think startups generally have much better programmers, but their work is so geared towards speed that security comes second. That probably just means the level of security vs IBM is a draw."

That's exactly why I disagreed with PG, because it's probably a draw.


Good god, don't bring that up again. It makes me want to kick someone.


Large companies have built in processes for security, which slows down their software development, but also ensures better security than someone hacking together a site from scratch as quickly as possible.

Most of us hackers are jack of all trades, focusing on web design, databases, business logic, and security. It is difficult to be an expert in all areas while simultaneously focusing on speed of release. Just because a company has security experts doesn't guarantee secure software (Microsoft), but in many cases it does help.


It's just marketing by F.U.D. (http://en.wikipedia.org/wiki/Fear%2C_uncertainty_and_doubt).

If you ever try selling to a corporation (especially as a startup), you'll come across it all the time.


Part of the problem is that "Web 2.0" still doesn't really mean anything.

When that article says Web 2.0, it vaguely means any web application developed by a small company in the past year or two.


Security is boring. If there's one thing that big companies do right, it is boring.


If this is true, then all IBM needs to do is buy more web2.0 websites.

