With RSA doing the keyfill at point of manufacture, the customer just needs to load the seed file for the entire batch onto their authentication server and then hand out the token
Don't forget that the tokens also expire every couple of years. If customers were able to load a new seed themselves, then they wouldn't need to purchase new ones as often.
re: surprise at lack of QA or automated unit tests — “most engineers are capable of writing bug-free code. it’s just that they don’t have an incentive to do so at most companies. when there’s a QA department, it’s easy to just throw it over to them to find the errors.” [EDIT: please note that this was subjective opinion, I chose to include it in this post because of the stark contrast that this draws with standard development practice at other companies]
This guy's obviously fresh out of college. It would be interesting to hear from someone with a little more real-world experience.
If it were, say, a private company producing this product, wouldn't they have subjected it to the normal quality control processes in software companies...
But what exactly is that process? The QA process can vary widely from company to company and product to product.
There are several factors that can influence the quality of QA:
How important is the product to the team/company/manager and middle-managers involved?
Is the QA team responsible for more than one product? If so, which product is given the most priority?
Is the QA team staffed to adequately test each product assigned to them?
What is the individual skill and experience level of each team member? Does anyone on the team have experience finding and testing for security vulnerabilities?
Does the company actually have a qualified "in house security specialist"? How involved is he/she in the product design and QA process? Such a specialist should review and approve both the initial product design and the test plan.
How much testing goes into each release? I.e., does the team perform a full regression (re-executing the entire test plan, which can take weeks or months), or do they focus their efforts only around the new features that were added, potentially missing bugs that may arise due to unanticipated effects that new features might have on other components in the system?
Commercial software companies often ship products with serious security flaws, in spite of the reasons you listed. Some products receive thorough testing and others don't. It doesn't matter much whether or not the product is a commercial offering.
"The usable limit for semiconductor process technology will be reached when chip process geometries shrink to be smaller than 20 nanometers (nm), to 18nm nodes," explains Len Jelinek, director and chief analyst for semiconductor manufacturing at iSuppli in a new report. "At those nodes, the industry will start getting to the point where semiconductor manufacturing tools are too expensive to depreciate with volume production, i.e., their costs will be so high, that the value of their lifetime productivity can never justify it," he adds.
Which area will maintain such a high rate of improvement as microprocessors succumb to economic reality?
Intel CPUs are not defective, they just act that way. -- Henry Spencer