
Comment Re:Are you sure? (Score 1) 863

Part of my concern about SystemD is the scope for bugs. All the daemons that are replaced by SystemD have years of development under teams of developers. Can one expect a re-write of all these daemons by a small team with no history of working on these applications to be anywhere near free of bugs?

In my experience software with years of development has no fewer bugs than a new project if the people working on the project are good and it is not rushed.

Often software needs a rewrite every few years just so the current developers are 100% comfortable with every aspect of the code. If you have a huge legacy application it can often be more prone to bugs as the code becomes so convoluted, and often new developers to the project are scared to refactor crap out as some of the crap is important and it takes a horrible process of trial and error before you know what can be removed.

Comment Re:Why so high? (Score 1) 223

In PHP 5.5 they introduced the password_hash [php.net] function to replace this, but it has a mode that generates backward-compatible crypt() style hashes, so if you pass the wrong arguments to it, you will be generating md5 (or worse) hashes.

It might generate crypt style hashes, but it will not ever use MD5. It always uses Bcrypt at present until something better comes along. You should have read the link you posted more closely.

There are probably ways you can screw it over though so it doesn't add any security, but the defaults are pretty secure and the php manual steers you toward not changing them unless you know what you are doing.

I don't mean to sound rude (even though you did say you thought I knew "fuck all") but you really need to understand what you're doing.

You're right, but I have the advantage that all my code is peer reviewed nowadays and we also get free pen tests and advice from a really top notch security team who are world leaders in this stuff. That does mean that if I screw up this sort of stuff it is generally noticed and I then have to fix it, that certainly helps raise your game.

Comment Re:Why so high? (Score 1) 223

Of course, you didn't mention salting, so I hope they told you about that too. Unsalted password hashes... about as useless as chocolate teapots.

I explicitly mentioned the password_hash function in recent versions of PHP. This does the heavy lifting for you, including generating a random salt as best it can.

That's why you do not rely on bcrypt as the only answer to the security of your passwords (I hope you use bcrypt, last time I saw PHP it still used MD5.....

What in PHP used MD5? The password_hash stuff has only been in PHP since 5.5 and only ever used bcrypt. Previously some PHP developers might have used MD5, but there was nothing built in to PHP that purported to hash passwords, it was left to developers to roll their own and they often did it badly. That is not the same as saying that PHP "used" MD5 for hashing passwords though.
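Both password_hash replies above turn on the same point: password_hash() only ever emits bcrypt (or, from PHP 7.2, Argon2 if you ask for it) with a salt it generates itself, and the MD5 hashes floating around old PHP code bases came from developers calling md5() or crypt() directly. The script below is an added example written for this page, not code from anyone in the thread; it puts the two side by side and shows the checks a reviewer would actually run on a stored hash. The cost of 12 and the sample password are assumptions chosen for the demo.

```php
<?php
// Added example: what password_hash() does and does not produce.
declare(strict_types=1);

// The "roll your own" pattern from the thread: unsalted, fast, GPU-friendly.
// Kept here only for contrast; it is not a password hash.
function legacyMd5Hash(string $password): string
{
    return md5($password);
}

// An MD5-crypt hash ("$1$..."). Only crypt() can produce this; password_hash()
// has no argument that selects it. The salt is a constructed constant.
function legacyMd5Crypt(string $password, string $salt = 'saltsalt'): string
{
    return crypt($password, '$1$' . $salt . '$');
}

// The recommended path. PASSWORD_DEFAULT is bcrypt (still true in PHP 8.x),
// the 128-bit salt is drawn from the CSPRNG by PHP itself, and an unsupported
// algorithm is rejected rather than silently downgraded (ValueError in PHP 8).
// Cost 12 is an assumption; tune it to your login latency budget.
function hashPassword(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => $cost]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Parses the algorithm, cost and salt out of the stored string and
    // compares in constant time.
    return password_verify($password, $storedHash);
}

// What to check on a hash pulled from the database: which algorithm and cost
// it carries, and whether it should be upgraded at the next successful login.
function describeHash(string $storedHash, int $targetCost = 12): array
{
    $info = password_get_info($storedHash);
    return [
        // 'bcrypt' for password_hash() output; 'unknown' for md5() or $1$ crypt output
        'algoName'    => $info['algoName'],
        'options'     => $info['options'],
        'needsRehash' => password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => $targetCost]),
    ];
}

// Constructed sample input.
$password = 'correct horse battery staple';

$bcrypt = hashPassword($password);
printf("password_hash(): %s\n", $bcrypt);
printf("md5():           %s\n", legacyMd5Hash($password));
printf("crypt(\$1\$):     %s\n", legacyMd5Crypt($password));

// Verification succeeds for the right password and fails for a wrong one.
var_dump(verifyPassword($password, $bcrypt));
var_dump(verifyPassword('wrong password', $bcrypt));

// The stored string identifies itself as bcrypt; a raw md5() hex string does not.
var_dump(describeHash($bcrypt)['algoName']);
var_dump(describeHash(legacyMd5Hash($password))['algoName']);

// Hashing the same password twice gives different strings (fresh salt each
// time), and both still verify.
$second = hashPassword($password);
var_dump($bcrypt !== $second && verifyPassword($password, $second));

// A hash made at a lower cost is flagged for a transparent rehash on login.
$cheap = hashPassword($password, 10);
var_dump(describeHash($cheap)['needsRehash']);
```

The first var_dump pair prints true then false; the algoName checks print "bcrypt" and "unknown"; the last two print true. The practical takeaway for the thread's argument is the 'unknown' result: if an audit of a legacy table turns up 32-character hex strings or "$1$" prefixes, that code never went through password_hash(), and the needsRehash flag is how you migrate those rows the next time each user logs in with the correct password.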

Comment Re:Why so high? (Score 1) 223

If this is the level of comprehension of security in the web dev community, then I'm not only unsurprised at the number of hacks, but will be using a randomly-generated password for every website that asks me for a password.

As a php developer who works for a security company we generally do what the pen testers advise us to in regard to hashing passwords. Currently that is to use the password hash function in the latest versions of PHP.

Maybe the reason us dumb old web developers do not have your amazing knowledge at our disposal is because NOT hashing passwords is not exactly a recommended practice by any real security company.

Where I used to work we had a pretty crappy legacy product which did not hash the passwords in the DB. This was because the customer liked the fact that the system would mail out passwords if the user forgot them instead of making them reset it. When they got pen testing companies to test this product the pen testers always noticed this process and correctly deduced that the passwords were not hashed. This was then always raised as something that should be fixed, of course the customer always ignored this defect, they would make us fix anything else that was raised though.

We went through several pen tests over the years I worked there, by a few different companies, nobody thought having the passwords stored in plain text was a good idea. The fact that you think it a good idea suggests to me that either:

A) You are some amazing outlier security guy miles ahead of everyone else on the planet.
B) You know fuck all

I reckon B

Comment Re:Easy to solve - calibrate them to overestimate (Score 1) 398

You could also decrease speed limit to something unreasonable. For example, 15mph and issue tickets at 21mph.

You can also hide a max speed sign behind something, like a bush, and install it in otherwise higher speed zone.

You can also install speed trap on the down-slope road, where drivers would naturally speed up without any conscious input.

You can also offer "early payment" discounts on tickets, where if you pay and plead guilty your fine reduced to the point of not worth the time fighting it.

You can establish a ticket challenge procedure that would conflict with working hours, making it logistically difficult for people to challenge.

You can intentionally mail tickets to old addresses, then rake up late fees and interest.

Oh, all of these happened in one or another municipality at some point in time.

The truth is that very few speed limit signs are hidden in the manner you describe. Let's be honest, the vast majority of the time us drivers exceed the speed limit we do so knowing we are doing it, we just do not think we will get caught. We know what the speed limit is on most roads we drive down, we just sometimes push them as we are in a hurry. We are probably driving in a generally safe manner, we are just doing it too quickly.

The thing is though, speed limits do exist for a reason. They are there to force us to account for the unknown: children running into the road, morons pulling out of side streets and not looking, us getting a blowout due to something too small to see in the road. The chances of these things happening are all pretty minuscule but since we all drive everywhere so much these small odds multiply so it always happens to someone in the end and the fallout can be catastrophic and expensive for the city to clean up afterwards.

Speed limits are also actually a way of us being more flexible with other driving rules, like paying attention to where you are going. Sometimes people do some really stupid crap on the roads. Like trying to find a CD to put on and veering on to the wrong side of the road, answering the phone in our pocket that is awkward to get to, looking at maps, turning round and shouting at the kids in the back, this list could go on for ever. As it is we can do this with a certain degree of impunity as the worst that would happen is we wrote off our car and someone else's the vast majority of the time. If everyone could drive everywhere as fast as they liked the police would have to be far more ruthless at enforcing other aspects of the traffic laws, maybe even down to banning persistent offenders until they got the message.

Sometimes I actually think this might be a better idea, then I catch myself doing some of the stupid crap I describe :)

Oh what a surprise, the fucking moron mod crew disagree.

Comment Re:Easy to solve - calibrate them to overestimate (Score 1) 398

There are traffic lights on dual-carriageways in the UK, so a 70mph limit. Rarely on the motorways, although technically there are traffic lights used on some entry slip roads at rush hour, although you'd be lucky to be doing 70 on them then...

I have never seen a set of traffic lights on a 70mph dual carriageway. Usually they have a reduced speed limit to 40 or 50 in the run up to the lights. Actually a hell of a lot of dual carriageways have a limit much lower than 70 even though that is the standard national speed limit for them.

And very few motorways have traffic lights on the main bit of road where you can do 70mph. On the exit slip road you should actually be stationary or nearly stationary when you get to where the lights are so you can give way to traffic already on the roundabout.

The reason you are not supposed to run red lights, ever, is because if you could not stop in the UK then you must have been exceeding the speed limit in the approach. The duration of the amber light is tuned with this in mind.

Comment Re:Let me get this right (Score 4, Insightful) 839

Instead of paying interest, money should have an expiration date. Use it or lose it.

So people never get to retire?

It depends. If you made the expiration date something like 50 years then people could certainly retire.

It is worth remembering that the vast majority of the top 1% were born into tons of money, they have just got richer during their lifetime.

I was watching the UK version of the apprentice the other day and it occurred to me that at least Alan Sugar made all his own money. Donald Trump from the US show was born rich, then just leveraged his daddy's cash to make more cash in the same line of work. He did not even need to set up a business as he was just given one to play around with.

Ok, you can say that these people did well not to lose all their cash but that is not really much of an achievement if you are born with more money than you will ever need in your own lifetime anyway. You can afford to take risks that most people cannot over and over again until one of them pays off.

It is this inherited money that skews the system so massively.

Comment Re:I've been wondering why this took so long (Score 1) 127

Start with the Victoria Line. The trains there could be converted to driver-less operation within a week. Trackside barriers are a red herring. If someone jumps onto the track, there is nothing the driver can do about it anyway.

The biggest reason for keeping drivers on the train for the foreseeable future is to cope with when things go wrong. When the DLR goes wrong someone just drives to the nearest station then walks a few yards (all the stations are really close together) and then sorts it out. With the underground that is not possible due to the way the tunnels and the two electrified rails make walking down them impossible, when something goes wrong you get stuck underground unless the driver can get you to the nearest station.

I am sure we will see driverless trains eventually, but that is still a long way off as the infrastructure needs serious improvement before then. A decent, modern digital signalling system not reliant on a poxy third rail that can be screwed up by a coke can landing on it will be needed first. Eventually TFL will actually spend enough cash to sort things like this out, but that is decades away.

Until we get rid of the train driver though, they are seriously overpaid for the job they do. It will require a serious influx of cash though to hasten their demise, and they have TFL over a barrel with their current pay deal.

Comment Re:Only 4 displays, sticking to AMD. (Score 1) 125

If I had that setup at home, I'd find the fucking postage stamp I'm allocated at work to be insufferable.

Sounds like you work for a crap employer. Most companies nowadays recognise that developers are far more productive with at least 2 monitors. Where I work we all have 2 dell monitors attached to a laptop docking station for our company issue laptop so we can actually use 3 screens if you don't mind one being smaller than the other two.

If I had that setup at work, I'd have to drop a few grand to duplicate it at the house.

Why? Personally I try and avoid working unpaid hours from home, if it was part of my job requirement then I would want the company to buy me the necessary gear.

I don't mind the odd bit of being on call to reboot servers and such, but that hardly requires anything more than a laptop screen.

Comment Re:Only 4 displays, sticking to AMD. (Score 1) 125

Can only drive up to 4 displays , pretty much any AMD card can drive 6 displays. I don't want to play games but want more screen real estate for software development.

Then why look at this card at all? You must be able to get something FAR cheaper if all you want is 2d real estate for software development. Wouldn't 2 or 3 cheaper cards be a far better purchase, even if you needed to buy a new motherboard to support it.

Comment Re:Some criticism (Score 1) 184

This is the sort of criticism that software developers really need to get, and it seems good that maybe KDE is listening. I wouldn't be surprised, though, if a lot of people respond to this by saying the criticisms are stupid, that "if you know what you're doing" then you'll understand what's really going on, etc.

If they were listening they would fix this crap. The problem though is that the stuff he points out all seems like the sort of horrible boring drivel that most devs hate fixing. They want to work on new features that are fun to implement, not digging through tons of other people's code and all you see at the end is a few dialog boxes not being displayed when they don't make sense to.

This is one of the reasons why commercial software generally does this sort of thing much better, because you can assign this bug to someone then tell them their bonus depends on it getting fixed this sprint.

Doing that with unpaid devs is more tricky :)

Comment Re:Simple set of pipelined utilties! (Score 1) 385

This is making init do stuff it doesn't need to do, which makes it more complex, which makes it more fragile.

This whole argument seems to be based around the idea that systemd is trying to do something that you do not want: make bootup a more efficient process as more things can be started in parallel. Ok, the trade off is that solving this is a complex problem so it does introduce more complexity.

The question is though, at what point would a system boot too slowly to force you to start acknowledging that this is an issue?

Linux boots have been getting slower and slower for as long as I can remember even though the hardware is getting faster. When it starts taking closer to 2 or 3 minutes to boot to a working desktop would you ever acknowledge that this problem needs fixing? I have a feeling that most people who are against this sort of work simply never reboot their machine so would be happy with it taking 5 or 10 minutes to boot, the problem though is that most people do seem to care about this, especially people who use linux desktops and do not want it to look like something 20 years old.

In my case, I have to cold boot my PC at least once every day because I use full disk encryption mandated by my employer. That means I also have to do a full shut down if I am out and about and putting it back in my bag. Every time I stop using it, it needs a full shutdown so the encryption key is definitely out of memory. So for me, a faster boot is useful and saves me time.

I do not want to sacrifice a working system to obtain that, but I do want people to look at how they can solve this problem, even if it results in something slightly more complicated. All software and hardware has been getting more complicated as the hardware has become more powerful. Once upon a time nobody cared about multitasking, now any OS without it would be useless on the average PC. Surely enabling multitasking as early on in the boot process for as much as possible is actually a good thing now most PCs have 4 or more cores.
