Jeff Atwood wrote a passionate blog entry about Craigslist and the demise of the Personals section (amongst others) now that Evil forces have taken over with the help of ever more sophisticated tools and creative solutions. Wouldn't you agree such is the natural result of the open approach used by Craigslist? Anyone can post an ad. If they had not taken this approach Craigslist would not have been so successful. Lowering the bar for getting your classifieds in meant getting more ads, because everybody could do it, without having to sign away their life. Just like tourist destinations attract pickpockets (and loose women?), open high-traffic websites attract spammers.
Craigslist was a great idea. A great idea that became more than just an idea, it actually got implemented. Maybe the implementation was not perfect by today's standards but it worked and has paid the bills for over thirteen years! A proper threat-modeling session in the early days would surely have brought these issues to light, and business-need would have overruled security/abuse. Unfortunately this business model might have seen its' longest days by now.
Nowadays such openness is no longer feasible. Spammers and crackers are abusing the system every which way they can for personal gain forcing our software solutions to be able to handle every known attack angle and mitigate the future ones as much as possible. Any programmer that takes himself seriously should invest in getting properly educated on the security aspects of programming. Not just because he should create solid code, but because sooner or later it will become a liability. Everybody with a little knack for logic and the ability to use google can cut and paste together a piece of software. Creativity and innovation flourishes! But... would you send your kids out on the road in an innovative car with no brakes? I think not!
When you make a living writing business software there is a constant struggle between getting things done, and getting them done right. Being able to get things done right generally means you already need to know how to do them right because there is no time to search the web all day for the perfect solution, that deadline is approaching fast. What's worse, you might not even be aware there is a problem with the chosen implementation. If you are a contractor, do you invest in your security education, or do you focus on getting up to speed on the latest fizz-buzzwords? If you are a wage-slave, does your company invest in your education, or are you merely a mindless implementer of business requirements? Do you invest in yourself?
Invest in yourself!
How do I invest in myself? Personally I still prefer a good book over online reading. The author of a book has put an effort into putting together a cohesive set of information to help you advance. When you randomly pull a single chapter out of a book you generally miss context or concepts. Browsing the web is like pulling a subtract of a chapter out of a giant book and all the other related information goes wasted on you. You get a quick answer to a specific detail to a problem, but never get to grasp the whole problem. When I do decide to stick with using the free online resources I make sure I do my research properly; Follow links, make sure I get the context. Granted, most bloggers/authors on the web put a lot of effort into their content, slowly weaving a never-ending book online, but that is not the same as having a book covering a specific topic. :) (Some day we might all go the way of the Kindle, but I prefer the feeling of a solid paper book.)
In the end we are all responsible for the solutions we produce, so next time you get to implement a great idea make sure you (know how to) do some threat-modeling first (online, book). That shortcut you were about to take might have changed the fate of the planet!