174
linuxxx
7y

Another one, teach secure programming for fuck's sake! This always happened during my studies:

Me: so you're teaching the students doing mysql queries with php, why not teach them PDO/prepared statements by default? Then they'll know how to securely run queries from the start!
Teachers: nah, we just want to go with the basics for now!

Me: why not teach the students hashing through secure algorithms instead of always using md5?
Teacher: nah, we just want to make sure they know the basics :)

For fuck's fucking sake, take your fucking responsibilities.
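The two ways of running the query the rant contrasts, side by side, as an added example that is not code from the post. It runs offline against an in-memory SQLite database; the `users` table, its rows, the input `o'brien` and the function names `findUserUnsafe`/`findUserSafe` are all constructed for the demo.

```php
<?php
// Added example (not code from the rant): the string-built query a "basics" course teaches,
// next to the PDO prepared statement the author asks for. Runs offline against an in-memory
// SQLite database; the users table and rows below are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also pass PDO::ATTR_EMULATE_PREPARES => false in the constructor
// options so the server, not the client library, binds the parameters.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.test'), ('o''brien', 'ob@example.test')");

// The "basics" way: the input is pasted into the SQL text, so any quote in it changes
// the structure of the statement instead of being treated as data.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The PDO way: the SQL text is fixed at prepare time and the value is sent separately
// as a bound parameter, so the driver never confuses data with query structure.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input = "o'brien"; // a legitimate username that happens to contain a quote

try {
    var_dump(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    // The quote terminated the string literal early: SQL syntax error. The same mechanism
    // is what lets crafted input rewrite the query, which is why concatenation is unsafe.
    echo 'Unsafe query failed: ', $e->getMessage(), PHP_EOL;
}

var_dump(findUserSafe($pdo, $input)); // finds the row: the quote is just part of the value
```

The point for a classroom is that the prepared version is not more work than the concatenated one: same number of lines, and it also handles ordinary data like names with apostrophes correctly, so there is no "basics first" trade-off to make.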

Comments
  • 26
    Teaching the proper stuff is too much of a hassle and most teachers I've encountered don't even know what the proper way to do it is. They only know the one basic "example" way to do it.
  • 6
    (My)SQL should be its own course imho.
    Using it in PHP, they should get a security course too.
    I'm also pro on PDO instead of mysqli_* (with a flashback to how it shouldn't be done, and why)
  • 3
    That's going to be an interesting conversation
  • 6
    Thank you for bringing it up! I mentioned it briefly in my rant but it is frightening how little some of my (professional school for application developer) classmates know about the subject.

    I have the luck to work with our security and penetration testers a lot. They really support my interest in those fields and let me contribute.

    With that knowledge in mind it drives me crazy to see how careless some of my colleagues are and I agree with you 100% that the educational institutions should do more to prevent this.
  • 1
    That's something I've been saying for years. We would do the world a big favor if every CS student was forced to do a security course at some point. Although it's better at my university than you described it, I really don't get why a large university can't add a mandatory security course to the curriculum...
  • 4
    You gotta love this one.

    Our teacher only showed us how to use prepared statements in php. So far so good.

    Assignment: note keeper with a rest api. Authentication? Send that username and password in plain text as parameters. EVERY. FUCKING. TIME.
  • 3
    I stopped counting how often I read some blog post showcasing the easy example with a handwave comment that one ought to implement proper safety measures.

    So it's not just teachers, it's endemic in our industry.
  • 2
    @Awlex yeah, but you really can't expect student projects to be super good with security. What should be done imo is not take points from them, but give them guidance how they would do it securely.
  • 3
    At my school you can take an optional security course which doesn't teach you a lot about actual secure programming. Instead it focuses on offensive and defensive security like penetration testing and monitoring, which I found way more useful than what actual secure programming lessons the main course had. Knowing the perspective and tools of an attacker can really help you as a programmer.
  • 1
    @coolenaab It definitely can! But if you can't produce secure applications, you'll get hacked way easier so it's a very important thing to learn imo
  • 2
    @theCalcaholic Oh I've never been to uni haha, I think our educational system works differently than yours :)
  • 1
    You literally replace md5 with sha512 or whatever the fuck you want to use. It's literally the same result but a fuck load more secure.
  • 2
    @c3ypt1c Depending on if you don't need to revert it back to its original state, I'd use bcrypt or scrypt any day of the week
  • 1
    But isn't it the point of a hash to be one-directional?
  • 0
    @aaxa (I forgot to mention in last comment)
  • 2
    @c3ypt1c You're correct, and there's a very good reason why bcrypt and scrypt were made and are now widely popular.
    It's a disgrace to call md5 a hash function when you consider how many flaws it has.

    Where I work we're almost exclusively using bcrypt for hashing.
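The md5-to-bcrypt replacement discussed in this sub-thread (and asked for in the rant itself), shown as an added example that is not code from any commenter. It uses PHP's built-in `password_hash()`/`password_verify()`/`password_needs_rehash()` API; the sample password, the cost value, the legacy md5 row and the helper names `hashPassword`/`verifyAndMaybeUpgrade` are constructed for the demo.

```php
<?php
// Added example (not code from the thread): replacing md5 with bcrypt in PHP, plus the
// login-time upgrade path for rows that were hashed with md5 before the switch.
// The password, legacy digest and cost value are constructed for the demo.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12]; // raise over time as hardware gets faster

function hashPassword(string $password): string
{
    // password_hash() draws a random per-user salt and stores salt, algorithm and cost inside
    // the returned string, so nothing else needs to be kept next to it in the database.
    // Caveat: bcrypt only looks at the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Verifies a login against either a bcrypt hash or a legacy unsalted md5 digest, and says
// whether the stored value should be replaced. Returns [ok, newHashOrNull].
function verifyAndMaybeUpgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy md5 row: compare in constant time, then move it to bcrypt right away.
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? hashPassword($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Correct password; rehash only if the stored hash uses an older cost or algorithm.
    $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    return [true, $rehash ? hashPassword($password) : null];
}

$password = 'correct horse battery staple';

// md5: deterministic and fast. Two users with the same password share a digest, and whoever
// obtains the table can test guesses at full hashing speed.
$legacy = md5($password);

// bcrypt: the same password hashed twice gives different strings (different salts),
// yet both verify, and each verification costs 2^12 rounds of work.
$h1 = hashPassword($password);
$h2 = hashPassword($password);
var_dump($h1 !== $h2);                              // true
var_dump(password_verify($password, $h1));          // true
var_dump(password_verify('not the password', $h1)); // false

[$ok, $upgraded] = verifyAndMaybeUpgrade($password, $legacy);
var_dump($ok);                                                  // true
var_dump($upgraded !== null && substr($upgraded, 0, 7) === '$2y$12$'); // true: now a bcrypt row
```

The upgrade branch is what makes the switch practical on an existing application: you cannot convert md5 rows without the plaintext, so each user's row is converted the next time they log in successfully, and the md5 check path can be deleted once no such rows remain.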
  • 3
    They're supposed to start with the basics. I agree security should be taught as well as making reusable code and optimized SQLs among other things. But taught from the start? I don't think so. Learn the basics first
  • 1
    @LrdShaper found the teacher 😂
  • 0
    Why do people hate mysqli so much? If you are using only MySQL, it's still better to use its intended driver rather than a general SQL driver...
  • 0
    @mahoraz Probably because they aren't used to it and would need to learn it...
  • 0
    Well the teacher must spark the interest not teach you everything.

    I mean when I started uni php 5.2 was the thing... 3 years later not anymore.

    Do I dare tell about JAVA? Which changed versions but the year started with the old version?

    At this point employers know that CS is just a diploma and in my country at least they stopped caring. More than that, if you have experience and took some courses (extra ones that are free webinars, etc.) you are way better than a diploma.

    University is such a fail of education. It's stupid to think what you taught in year 1 will still be applicable in year 3.

    But they should make the courses by how industry works... But Microsoft and Oracle "donations" are too sweet to pass.
  • 0
    @curlyDev That's why you shouldn't be taught 'programming' at university, but rather programming concepts, how to build, judge and prove algorithms, protocols, etc. and so on.

    There is no programming diploma at university, at least where I live. It's called computer science for a reason.
  • 0
    @theCalcaholic
    It's not CS, more of a System Engineer.

    Teaching those still is useless.
    Agile is popular now... University still teach in monolith way.

    They don't keep up. Or most of them surely don't.

    They could teach OOP. But 3 years of oop? I mean there are few algorithms worth teaching.

    I never ever used a quicksort (6+ year programmer). Or a bubble sort.

    Used recursive once... Once. I heard about it learned in 30 minutes.

    More and more problems appear as a language specific stuff or system specific. You are way more valuable knowing security or flaws of a certain language than recursive or quicksort...

    And again: Practice, Practice, Practice and more Practice.

    Most "general knowledge" isn't valuable. You need to know how to use it... But you can't if you don't practice.

    Again... University is just for degree, learn what suits you well and sell yourself.
  • 0
    @curlyDev Are you serious? Recursion is super important for all sorts of tasks. I had TDD, OOP, Functional programming, Pair programming, machine learning basics, Databases, etc. at university - all things I require on a regular basis for my projects.

    Still, if you just want to create simple apps, there's really no need to study CS - at least in my country there are apprenticeships which are specifically designed for getting you prepared for that kind of job.
  • 0
    @theCalcaholic you need all of that at current job?

    What's the bus factor? One?

    There are more than one job in IT. But all require the same "degree". Automation Engineer (that's what it's called in my country), front end developers, sql developers, system analyst etc.

    You can put your finger on just a couple of situations where recursion is needed. And untreated it can grow big and nasty. I have been working in embedded systems and recursion was a big no no, or you had to be sure that it stops or doesn't grow more than it should.

    TDD isn't learned in university. Not everywhere at least. And again not all companies are loving new ideas.

    In the end you have 3 years of stuff that you probably not use.

    I'd rather see making it friendlier and usable by the 80% than to be an "elite" where only 20% uses the knowledge.

    We had 8 courses over the span of 2 years of Advanced Math just so 20% of us use it.... 70% of my class is in web development. Surely they need that abstract algebra...
  • 0
    @curlyDev These jobs do NOT all require the same degree. At least where I live there are 4 major categories of CS/programming/etc degrees (resulting in 6 different, relevant degrees in total) which allow you to work in software development (not counting older types of degrees like diploma which aren't offered at many universities nowadays):

    - Apprenticeship: That's a 3-year educational degree which usually involves working in the very job you are learning at a company with 1-2 days school lessons per week (might as well be segregated into blocks).

    - BSc. in CS or one of many related subjects at a 'Hochschule' (maybe roughly comparable to USA colleges): It's usually 3.5 years with academic courses and practical classes and projects. Compared to universities, Hochschulen offer smaller classes, a lot more practical exercises, etc. You actually learn how to code there. Bsc is usually a very broad education where you learn the basics of many fields, but without a lot of specialization.
  • 0
    - MSc. in CS or similar at a 'Hochschule': Usually a 1.5-year education on top of Bsc. which offers specialization for a certain field within CS. Again, the characteristics of 'Hochschulen', which I described above, apply.

    - Bsc. in CS or similar at a university: Very similar to the Bsc. at a 'Hochschule', however it's usually only 3 years and covers less practical exercises, but a lot more theoretical and mathematical courses - also you often have more choice when choosing courses and are required to self-teach many things (like proper programming).

    - MSc. in CS or similar at a university: Usually 2 years of specialization on top of a BSc degree. The same characteristics of universities described above apply.

    - Dr. in CS or similar: A degree which requires you to do some kind of research project for usually 3-5 years (but can also be longer) and requires a Msc degree (or comparable).
  • 0
    Apprenticeship, BSc and MSc enable you to work in software development. Different positions require you to have different degrees. But an MSc on university and especially a Dr also enable you to work in academic positions. People with Dr are also often employed in research positions in companies. If you notice that you don't require a lot of the things you learned in your education, you're probably underpaid and could work in a more (technically) challenging job.
  • 1
    @theCalcaholic my country:
    3 years college, 2 years master, 2 years a doctor.

    3 years is for everyone almost(4 years in some special cases like medicine)

    Only the Degree matters nothing else. Either you made 3 years or not.

    This is the same in UK,Italy,France, Denmark, probably half Europe? Didn't check.

    I work for an international company (a rather big one) which has 3 or 4 development hubs in my country.

    So your country is better but not everywhere is the same but it requires the same things....

    Universities are country level. What I would like is international level... But it will never happen.

    That's the issue...
  • 0
    @curlyDev I see...

    What do you mean with "Universities are country level. What i would like is international level"?

    For some subjects (including CS) you can easily apply in a different country than you made your degree, for others that's not possible (for more or less good reasons).

    Obviously you can't expect to have your degree in law acknowledged in a different country with different laws. But for CS or engineering you usually can (potentially with a small practical/course).