What if a bad actor doesn't do that initially, but only after the app has enough users, with a random upgrade? Not that _you_ would do that, of course. But it makes sense that people are wary about where they trust their TOTPs.
Some time ago people were locked out of their TOTPs because some guy bought their app from its creator and turned it into ransomware, making them pay to not lose their codes.
Yeah, that's all of open source. The only thing that would separate this from any other open source TOTP app is how popular it got, OR if that open source app was funded by a for-profit company, like Bitwarden is.
You mean everything without a big name attached. Being open source doesn't play into it. (Except that it gives you the theoretical option to verify and build it yourself, or to get it from a trusted third party who did.)
It's just a lot of downside for almost no upside; cool idea though. Maybe it can be repurposed for some kind of RNG app, like a dice app for Dungeons & Dragons or stuff like that.
I know you're implying the JS specifically, but using SVG rendering as an attack vector was where the name "Operation Triangulation" came from with the recent high-profile exploit.
They would draw a triangle and then hash the result to get a detailed browser fingerprint of the victim's machine.
Really liked Jon talking about the importance of experience in development. I just wanted to add that it’s also important to consider experience on the system. Even the most talented developers will need time to find their feet if they’ve only worked with a system for a few months.
So don’t treat developers as replaceable resources! If you fire an experienced team because you found some cheaper bums on seats elsewhere, you’ll usually pay the price!
The problem is that all too often customers think they know what they want but actually have NFC what they need.
Unless there is a constructive dialogue between the people who build it and the people that want it, it will end disastrously. Just think of all the failed white elephant projects that get “negotiated” on the golf course.
Until there’s an acceptance that being agile isn’t just something developers do but has to be adopted by the whole org, it’s not going to work. I know it sounds a bit dreamy but I’ve worked in big orgs that did agile rather well, so it is possible…
When it comes to money, the person footing the bill will get pushy rather fast. So I am curious how such a process works closer to the business side of the project, even in a big org.
I used to work in banks where you had teams of architects create high-level design (HLD) docs that got turned over to the design team to produce low-level designs (LLD), which then got turned over to developers who were meant to write the code, which was then turned over to the testing team. There were massive handover meetings at every stage and forests of paper for milestone documentation that had to be signed off.
Never had my soul been destroyed as completely, and never had I seen such a massive waste of time and money.