

IBM's response to Web 2.0 start-ups: We're Safer - cglynch
http://www.cio.com/article/133000/IBM_s_Web_._Sales_Pitch_We_re_Safer
With innovative web-based start-ups changing the business model for how software is delivered, IBM tries to play its cards by playing up its emphasis on security. 
======
run4yourlives
It's CIO magazine. Anything IBM says is gold, since most CIOs, and the
companies they work for, don't realize that they haven't been invited to this
party.

------
pg
"Designing security in" is not enough to guarantee security. You also need to
have good programmers. I wouldn't be surprised if the average web 2.0 app had
better security than IBM's enterprise imitations thereof, simply because the
guys writing it were so much smarter.

~~~
vlad
Reddit stored passwords in plaintext for a year... you can't make such
assumptions. There are likely smart guys working for IBM, as well. I think
avoiding bureaucracy, not having dozens of people work on the same code, and
being able to release to the public a small app with little code and little
publicity and grow from there is what helps startups.

~~~
nostrademons
Reddit stored passwords in plaintext not because they were stupid, but because
they thought they were being user-friendly. Spez knew all about hashing
passwords, but the price of hashing passwords is that you can't email a user
their old password, you can only give them a link to reset it. In a comment
after the plaintext password scandal broke, spez indicated that he considered
this to be enough of an annoyance to be worth avoiding. Besides, nobody will
actually use an important password for a social news site, right? ;-)

IMNSHO they made the wrong choice, and I think they'd agree now. But it wasn't
because they were stupid or ignorant. They made a judgment call, and it turned
out their users disagreed. It's not easy servicing a consumer website with
hundreds of thousands of users: no matter what you do, _somebody_ will be
pissed off.

Besides, at least they weren't like GreatestJournal.com, which not only stored
their passwords in cleartext and used an open-source (LiveJournal) codebase,
but _left their database server exposed to the Internet_. My friend did a
simple "SELECT username, password FROM user" and ended up with 65K passwords.

~~~
Goladus
Did reddit disclose that the pwd was being stored plain-text?

If they had, it probably wouldn't have bothered people much.

~~~
nostrademons
No, I don't believe so, at least not until after the scandal broke.

It's trivial to find out though, for any website - do a "Forgot password"
retrieval, and if they send you the password itself, it's stored in cleartext.
If they send you a link to reset it, it's hashed.

IIRC, Reddit, MySpace, all LiveJournal clones, and IMDB all store in
plaintext. Drupal installations hash them.

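The trade-off nostrademons describes above (hash the password and you can only mail a reset link, store it in plaintext and you can mail the password back, and a "SELECT username, password FROM user" against an exposed server dumps everything), together with the "forgot password" test in the later comment, as an added example. This is Python written for this page, not reddit's, LiveJournal's or Drupal's code; the in-memory tables, the user names, the passwords, the iteration count and the reset URL are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: PBKDF2-HMAC-SHA256 at 600k rounds (OWASP's published guidance);
# any slow, salted password hash (bcrypt, scrypt, argon2) serves the same point.
PBKDF2_ROUNDS = 600_000


def store_plaintext(table, username, password):
    """The plaintext design: the credential itself sits in the user row."""
    table[username] = {"password": password}


def store_hashed(table, username, password):
    """The hashed design: per-user random salt plus a slow hash; the password
    itself is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    table[username] = {"salt": salt, "hash": digest}


def verify_hashed(table, username, password):
    rec = table.get(username)
    if rec is None:
        # Do the same work for an unknown user so the response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def forgot_password_plaintext(table, username):
    """The 'user-friendly' flow: mail the old password back. Only possible
    because it was stored in cleartext, which is exactly the tell in the
    'Forgot password' test."""
    return f"Your password is: {table[username]['password']}"


def forgot_password_hashed(table, resets, username, now=None, ttl=900):
    """The flow a hashed store forces: a single-use, expiring reset link.
    Only a hash of the token is kept, so a leaked resets table is useless."""
    if username not in table:
        return None
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + ttl
    resets[hashlib.sha256(token.encode()).hexdigest()] = (username, expires)
    # Hypothetical URL; constructed for the example.
    return f"Reset your password: https://example.invalid/reset?token={token}"


def redeem_reset(table, resets, token, new_password, now=None):
    """Consume a reset token: wrong, reused or expired tokens all fail."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = resets.pop(key, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expires = entry
    if (now if now is not None else time.time()) > expires:
        return False
    store_hashed(table, username, new_password)
    return True


def breach_dump(table):
    """What 'SELECT username, password FROM user' yields against an exposed
    database: the credential for a plaintext store, nothing for a hashed one."""
    return {u: rec.get("password") for u, rec in table.items()}


if __name__ == "__main__":
    plain, hashed, resets = {}, {}, {}
    store_plaintext(plain, "alice", "hunter2")
    store_hashed(hashed, "bob", "correct horse battery staple")
    print("plaintext dump:", breach_dump(plain))
    print("hashed dump:   ", breach_dump(hashed))
    print(forgot_password_plaintext(plain, "alice"))
    print(forgot_password_hashed(hashed, resets, "bob"))
```

The `breach_dump` call is the whole argument in one line: against the plaintext table it returns the password, against the hashed table it returns nothing usable, and the attacker still has to brute-force each salted hash at PBKDF2_ROUNDS per guess. The cost the hashed design pays is that `forgot_password_hashed` can only ever return a link.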
------
dpapathanasiou
It's just marketing by F.U.D.
(<http://en.wikipedia.org/wiki/Fear%2C_uncertainty_and_doubt>).

If you ever try selling to a corporation (especially as a startup), you'll
come across it all the time.

------
Goladus
Part of the problem is that "Web 2.0" still doesn't really mean anything.

When that article says Web 2.0, it vaguely means any web application developed
by a small company in the past year or two.

------
mynameishere
Security is boring. If there's one thing that big companies do right, it is
boring.

------
ph0rque
If this is true, then all IBM needs to do is buy more web2.0 websites.

