back to article Freelance devs: Oh, you wanted the app to be secure? The job spec didn't mention that

Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all. Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user …

  1. b0llchit Silver badge
    Holmes

    Quality

    It shows again that you need experience to provide good things and that does not come cheap. The entry-barrier is seemingly low in programming, but that does not mean you can program. It takes a lot of knowledge and experience.

    Time to let the "everybody must learn to code" meme die like the dodo.

    1. Yet Another Anonymous coward Silver badge

      Re: Quality

      Same could be said for everyone learning to read/write. Writing great novels is hard and if you don't want lots of J Archer books around you should stick to hiring Saul Belos.

      The purpose of everyone learning to program isn't to have millions of low skilled app developers - it's so that people know to laugh when politicians claim that banning hashtags will stop terrorists.

      1. Eddy Ito

        Re: Quality

        What? Wait! I thought hashtags stopped tear-wrists.

    2. Anonymous Coward
      Anonymous Coward

      Re: Quality

      Paula is Brilliant

      1. RichardB

        Re: Quality

        Yeah she got all the beans.

      2. Michael Wojcik Silver badge

        Re: Quality

        Jeez. It's "Brillant". Only one "i". That's half the joke.

    3. J27

      Yeah...

      I think everyone learning to code is a great idea. Say you make it a mandatory first-year high school course. Then students will get an idea if they're interested in a technology career and if they are they can keep going in the later years of high school and into college, university or whatever they call the appropriate post-secondary institution in your country.

      Now the idea that everyone can be good at coding without talent or experience, that's ridiculous, but we need to be more inclusive otherwise the shortage of developers just gets worse and worse.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yeah...

        "I think everyone learning to code is a great idea. Say you make it a mandatory first-year high school course. Then students will get an idea if they're interested in a technology career and if they are they can keep going in the later years of high school and into college, university or whatever they call the appropriate post-secondary institution in your country."

        Not a good idea, if presented like this.

        There are hundreds or thousands of "technology careers", including some of the most demanding and interesting ones that have little or nothing to do with coding, any more than a business career requires receptionist skills.

        Architects, a dozen kinds of engineers, chemists, physicists, geologists, oil industry workers, aircraft mechanics, pilots, materials science specialists....

        You really don't want someone to dodge a career in engineering because they don't like coding.

      2. LucreLout

        Re: Yeah...

        Now the idea that everyone can be good at coding without talent or experience, that's ridiculous, but we need to be more inclusive otherwise the shortage of developers just gets worse and worse.

        A shortage of developers is infintely preferable to a field full of talentless inexperienced fools pretending they're developers.

        Sorry, but inclusivity, however important that may be to you, doesn't extend to fields requiring professional competence (which only comes through experience), and for very good reasons. Do you want the "inclusive" brain surgeon, or the talented experienced one? Do you want the inclusive pilot, or the talented and experienced one? So it goes.

        1. 's water music

          Re: Yeah...

          Sorry, but inclusivity, however important that may be to you, doesn't extend to fields requiring professional competence (which only comes through experience), and for very good reasons. Do you want the "inclusive" brain surgeon, or the talented experienced one?

          Ay, there's the rub. For your discrimination must be applied strictly on professional competence and not on culturally similar to the existing cohort and competent enough. My answer is I would rather have the best possible surgeon, not the good enough, right school/family one.

          1. Ian Michael Gumby
            Boffin

            @'s water Re: Yeah...

            As someone you'd call a 'brain surgeon' or a really senior specialist in a different field...

            Most jobs in IT don't require a 'brain surgeon'.

            Do you see surgeons carrying around bed pans?

            Or inserting IVs or checking on IVs and administering drugs?

            Or filling prescriptions... (yeah robots do that now)

            Or running the patient thru X-Ray or for their MRI?

            The point is that there are a lot of roles that need to be filled where you don't need to be a brain surgeon.

            Take in point all the pseudo 'boffins' who are in to AI and ML. How many of them could roll their own Docker container ? Or could write a device driver?

            1. Anonymous Coward
              Anonymous Coward

              Re: @'s water Yeah...

              Yeah, but checking the code, or walkthroughs are non-existent these days.

              With 95% unchecked code - what could possibly go wrong

      3. Flywheel

        Re: Yeah...

        make it a mandatory first-year high school course

        I'm almost with you on this one, but you forgot the Dilbert module in which you now have coding skills, but you haven't encountered the reasoning(?) and demands of the PHB.

    4. JSIM

      Re: Quality

      I wonder how those re-purposed Kentucky coal miners would have done.

      No, not really.

    5. Ian Michael Gumby
      Boffin

      @ Bollchit Re: Quality

      While I agree with you... did you happen to read that the bulk of even the higher paid group was not statistically significant?

      Now there are flaws in the test.

      Most good freelancers don't use freelance.com to find work. (They have a good network of friends and clients. )

      Second most could not speak English well.

      I mean the test caught up a bunch of posers who lied about their ability and charged an arm and a leg while googling code examples without knowing what they were.

      It gives this industry a bad name.

      And yes, just 'learn to code' is BS. Sure there's a lot of jobs in IT where you don't need to be a serious hard core zen coder or deeply skilled. But unfortunately too many posers want the big bucks and are willing to lie to get it. Caveat Emptor.

      I am violently in agreement with you, but still far too many posers in our field.

    6. Robert Helpmann??
      Thumb Up

      Re: Quality

      Time to let the "everybody must learn to code" meme die like the dodo.

      So we should isolate the perpetuators of the idea from the rest of the world and hunt them down while siccing pigs, dogs and rats on their progeny? Seems reasonable to me.

  2. Ken Moorhouse Silver badge

    €100 (~$112) or €200 (~$225)

    Anyone who has the ability to code-in the relevant security will ponder whether it is worth getting out of bed for.

    Specifying "security" is difficult. "How long would you want your application to be secure for?" If the answer is "in perpetuity" then the charges for including patches to keep abreast of that impossible requirement would need to be incremental and ongoing, rather than capable of being factored in at the outset..

    1. big_D Silver badge

      Re: €100 (~$112) or €200 (~$225)

      The average for (experienced) Java developers over here, according to Gulp, is around 83€ at the moment. In places like Munich, you might be able to get up to 150€.

      1. Steve Button Silver badge

        Re: €100 (~$112) or €200 (~$225)

        Per hour? But this is to do the whole job, right? And I don't think you could write something like that in one hour.

        1. big_D Silver badge

          Re: €100 (~$112) or €200 (~$225)

          Aha, my bad, looking at the price and 2 to 5 days, I assumed that was an hourly rate. Re-reading after your comment, yes, it looks like that was the price for the complete job, so no wonder the results weren't worth anything.

      2. Joe W Silver badge

        Re: €100 (~$112) or €200 (~$225)

        Plus: show me a developer in Munich who is not fluent in English...

        Also: Those 83€, for how many hours is that? They offered that for the final system, as I understand the article. If it takes you more than a working day to do this then you are below minimum pay - and as somebody else commented above - you are to be considered "unskilled labour". I would not let somebody plan a house (statics and stuff involved, cabling, water (in and out)) who has no training in that. Why should they be able to deliver a safe (secure) solution for something else?

      3. djcsdy

        Re: €100 (~$112) or €200 (~$225)

        €83 is about the average pay _per hour_.

        In the study they paid €100 or €200 _in total_. Which for five days work is about 6% of the going rate.

    2. J27

      Re: €100 (~$112) or €200 (~$225)

      As someone who does this sort of thing professionally, €200 would not even get my attention. A contract that small isn't worth my time. That's €5/hour over 5 days, that's McDonalds money. The effort of dealing with the client alone isn't even worth it. The methodology of this study is pretty flawed because they hired "professional" developers were were probably equivalently trained (or less) than their student group.

      1. LucreLout

        Re: €100 (~$112) or €200 (~$225)

        The methodology of this study is pretty flawed because they hired "professional" developers were were probably equivalently trained (or less) than their student group.

        Indeed. The study should more properly have concluded that if you use cheap offshore developers, you're going to get rubbish in terms of your code. If the merchantability of your product is of any importance to you at all, then the choice is obvious: onshore staff, with at least some senior devs (as in experience measured in decades rather than an uptitled millennial).

        1. Lusty

          Re: €100 (~$112) or €200 (~$225)

          "the choice is obvious: onshore staff"

          And to which shore are you referring? Presumably you're being racist towards India, so what should a company in Mumbai do? You seem pretty down on the idea of offshoring, so are they just destined to use poor resources in your system?

          Offshoring is not the problem. Quality control is the problem. One is xenophobic propaganda and the other is a genuine concern for the business output. Other countries can do things cheaper, that's a real thing. It's not because they aren't educated, nor is it because they don't know what they are doing. It's because things cost less where they live. If the people in YOUR country can't be arsed to QA the results then that's on you.

          1. LucreLout

            Re: €100 (~$112) or €200 (~$225)

            Presumably you're being racist towards India

            Given that's your first conclusion, presumably you are judging me by your own world view and it is you who are the racist. A great many of my current teams are from India, which does rather blow out of the water you erroneous and tired use of the race card.

            Calling someone a racist when they're not is worse than being a racist yourself. You should check your bias and moderate your behaviour.

            You seem pretty down on the idea of offshoring

            Well, yes, because it doesn't work. I've dealt with offshore teams for the past 15 to 20 years, and the quality of staff available is always far below what is available onshore (UK). Why would anyone capable of doing an internationally sought after role wish to earn 1/20th as much and live in a country which is a mix of thrid & first world, when they could go to a modern nation and earn much much more?

            Offshoring is not the problem. Quality control is the problem.

            You've confused yourself. The quality isn't available offshore because those people that were capable have already been onshore here themselves. You can't quality control your way out of an absence of quality resource.

            Other countries can do things cheaper, that's a real thing. It's not because they aren't educated, nor is it because they don't know what they are doing. It's because things cost less where they live.

            Cheaper != better. Usually just the opposite. If you think a degree from an rural polly in India is the same as a degree from a western university, then I can only conclude you're ignorant of the situation. The problem is very much that they don't know what they are doing. You're not helping yourself to pretend otherwise, and you're not being honest. The good devs have the same cost of living as I do, because they're sat at the same bank of desks in the same city.

            1. Anonymous Coward
              Anonymous Coward

              Re: €100 (~$112) or €200 (~$225)

              "Why would anyone capable of doing an internationally sought after role wish to earn 1/20th as much and live in a country which is a mix of thrid & first world, when they could go to a modern nation and earn much much more?"

              Right now? I'd do pretty much anything to get out of the UK! India is looking pretty good to be honest.

      2. unimaginative
        FAIL

        Re: €100 (~$112) or €200 (~$225)

        Exactly my reaction. I would simply turn down a contact that small for exactly those reasons, even if it did not involve real effort (which this does if you do it properly).

        If approached to do this I would reply that they do not need to do this, but what they do need to do is pick a library or framework that provides this and I would help them do that for a fee.

        If some naive enough not to know that already is "developing a social networking site" they probably think:

        1. They can build a Facebook clone for a thousand quid.

        2. Thinks people will actually abandon Facebook or Twitter to use their site

        So it will attract developers who do not mind getting involved in a project that is certain to fail.

    3. pavel.petrman

      Re: €100 (~$112) or €200 (~$225)

      I know I wouldn't get out of bed for €200 in my first year of university even then and that was long time ago (though admittedly the Euro was already around then). I don't remember anyone from software engineering raising an eyebrow for this sort of money. Of course there were students in other fields happily assembling the coloured sponges McDonald's likes to call fast food. Which makes me wonder what field were the contractors from. And the students. I know I would be kicked out of a project review and laughed at badly if I turned up with anything like what the article describes as standard level of performance regarding security, and the school I went for was by no means a top one.

    4. Michael Wojcik Silver badge

      Re: €100 (~$112) or €200 (~$225)

      Specifying "security" is difficult. "How long would you want your application to be secure for?"

      The duration requirement is unnecessary. "Would you like your application to be secure?" is already a meaningless question, outside the context of a threat model and a set of metrics against it.

  3. 45RPM Silver badge

    When hiring students fresh out of university I find that they invariably can’t code in C, and that they have only a passing familiarity with simple concepts like modulo arithmetic or prime numbers. This will, of course, hinder any attempt at developing a secure cryptographic algorithm. Nevertheless, I like hiring people from this group because they’re keen and eager - and, whilst I can’t teach enthusiasm, I can teach whatever their big-business sponsored degrees omitted.

    Recent years have seen a worrying degree of freetardism creeping in to senior management. They can download apps for free so software can’t be worth much. And if software isn’t worth much then software developers can’t be worth paying very much either - they argue that it’s unskilled labour and all of a sudden it’s a race to the bottom. Which is all very demoralising - so is it any wonder that experienced developers do the bare minimum? They aren’t really motivated to do any more. A pox on senior managers in software development if they aren’t actually software developers themselves.

    1. jimmy-o

      Developers on a system like this don't have to, and shouldn't, be developing a cryptographic algorithm at the level of the actual arithmetic. They should use a proven library or framework. Many problems come when a developer is trying to be cute and tries to "roll their own" security. No developer should be developing a cryptographic algorithm for a production system unless they are an expert and it's being peer reviewed.

      1. el kabong

        You don't have to write one but you must know how they work

        Don't trust anyone, or else...

      2. Doctor Syntax Silver badge

        "Developers on a system like this don't have to, and shouldn't, be developing a cryptographic algorithm at the level of the actual arithmetic."

        I doubt they were expected to. OTOH they should have known that they should be using an existing one and should have done so.

    2. ratfox
      Devil

      This will, of course, hinder any attempt at developing a secure cryptographic algorithm.

      In general, the rule on how to program your own encryption is: Don't. Even for experts, this is hard.

      1. Charles 9

        But how does this josh with "Don't Trust Anyone" and "If You Want Something Done Right..."

        1. RobertFoster

          For "If You Want Something Done Right...", see "Not invented here".

          "Don't [absolutely] trust any*one*". Use established and widely used crypto libraries, and you'll be giving an appropriate level of trust to the aggregate of worldwide security researchers.

          Also, "All aphorisms should be taken with a pinch of salt" :)

    3. 45RPM Silver badge

      Ratfox and JimmyO. Sorry. Yes, absolutely correct - never reinvent the wheel if you don’t have to, and leave cryptography for the experts. My point, ineptly made, is that to use these tools and to care enough to look for the good ones, you need to have at least a passing familiarity with the subject and the motivation to do so.

      Have a thumbs up each for making an essential point and my apologies for my poor wording.

      1. AdamWill

        what the...a gracious apology and correction?!

        "Have a thumbs up each for making an essential point and my apologies for my poor wording."

        You must be new to this "internet" thing, huh? That's not how it works at all. If someone points out you're wrong, the generally-accepted internet code of best practice next step is to get them brigaded on Twitter and, ideally, fired from their job and hounded out of their home. Do better next time, kay?

    4. Warm Braw

      Software developers can’t be worth paying very much

      The problem is that we're paying them to reinvent solutions to problems that have already been solved.

      If you were having a house built in the past, there would have been skilled tradesmen on the site handcrafting window frames, staircases, roof trusses and so forth. These days you get them pre-made and the scale of production means that they individually cost much less and meet higher performance standards.

      Noone should actually need to implement a password-based security system. There are far too many of them out there already and they're mostly terrible. We need a few that actually work, are supported and can easily be integrated with other components.

      You can blame managers for failing to appreciate the true life-cycle cost of software and therefore being unwilling to buy software components that have an ongoing support cost, but you can't blame them for balking at the cost of reinventing the wheel - knowing they'll get one with a permanently flat tire.

      1. doublelayer Silver badge

        Re: Software developers can’t be worth paying very much

        That really depends on the system it's being put into. There are plenty of systems that properly hash a password, sanitize the input, and so on, but they don't simply plug in to a codebase with a function call. You have to know enough to integrate them with your database and connect the frontend to them. That's not a big job--it can be completed in a day or two. Still, we aren't suffering for a lack of good "hash and salt this password" libraries but for people who know to use them. Similarly, it is not hard to write these libraries. The issue with people who reimplement this in a few hours is not that they mess up or build something insecure, but that many others don't bother dealing with the security.

        1. Michael Wojcik Silver badge

          Re: Software developers can’t be worth paying very much

          Also, best practices change fairly frequently. Ten years ago, SHA-1 and some construction using a salt was widely considered "good enough"; but cryptographers had warned for years about issues with various ad hoc constructions, and MD5 and unsalted hashes were still widely used. So "industry best practice" varied widely and often didn't agree with current research.

          Five years ago, a fairly standard piece of advice was to use PBKDF2, bcrypt, or scrypt, but the implementer had to pay attention to parameterization (inner hash, number of iterations), and experts (as in that article) were recommending increasing the number of iterations annually, so it wasn't a case of implement, test, and forget. Also, support for changing parameters means additional logic in the verification process - keeping parameter metadata, automatically migrating verifiers.

          Today, the best practice is probably Argon2 with an appropriate parameter set. But determining parameters based on your threat model isn't trivial (particularly for resource-sensitive use cases), and they may require periodic increases just as with older PBKDFs.

          Those aspects, as much as the integration challenges, make it difficult to create a one-size-fits-all password-verification component.

    5. Anonymous Coward
      Anonymous Coward

      When hiring students fresh out of university I find that they invariably can’t code in C, and that they have only a passing familiarity with simple concepts like modulo arithmetic or prime numbers. This will, of course, hinder any attempt at developing a secure cryptographic algorithm. Nevertheless, I like hiring people from this group because they’re keen and eager - and, whilst I can’t teach enthusiasm, I can teach whatever their big-business sponsored degrees omitted.

      ---------------------------------------------------------------------------------------------------------------

      If all you need is coders, perhaps.

      If you want a much deeper understanding then there are very few individuals capable of teaching everything one should know.

      In my experience a good computer science degree needs four years of university algebra, three years of calculus, numerical analysis, statistics (not the one for general science students!), computability, recursive function theory, some more math, ten computer courses from machine architecture to designing languages and writing compilers, and operating systems, not counting math overlap courses like numerical analysis, exposure to ten or so very different computer languages, from assembler to advanced specialized languages like LISP or APL, including at least one C-like language, some courses from outside one's area of specialization, and then more optional enhancements like more advanced statistics, topology, and so on.

      On that scale, the CompSci graduate is more like an architect/engineer and a coder is a carpenter/brick-layer. There is no reason to expect someone with a good computer science education to be particularly experienced or adept with one of the commercially popular languages du jour.

      On the other hand, they should be fully aware of the basic mathematical underpinnings of computational encryption methods, and their common weaknesses and pitfalls.

      1. AdamWill

        "There is no reason to expect someone with a good computer science education to be particularly experienced or adept with one of the commercially popular languages du jour."

        Or know how to write a good comment, or properly license a project, or write good or indeed any documentation, or do versioning or releasing properly, or...

        computer science graduates: often the worst people to find running an actual software project. :P

  4. jake Silver badge

    $112 to code a site security system?

    Get back to me when all y'all have a more realistic view of costs in the real world. Or, better yet, don't bother. I don't feel a need to be working for somebody who has to ask if you get what you pay for.

    1. big_D Silver badge

      Re: $112 to code a site security system?

      That seems to be slightly above average for freelance Java developers over here, according to Gulp.

      I guess it very much depends on where you live. Probably in Munich, possibly Frankfurt or Berlin, you'll get upto 150€, but most places are 83€ or less. It probably also depends on whether it is a huge multinational or SME that is footing the bill.

      1. jake Silver badge

        Re: $112 to code a site security system?

        Re-read the article. It wasn't $112 per hour, it was per job.

        1. big_D Silver badge

          Re: $112 to code a site security system?

          Yep, see my reply above. I misread / made the wrong assumption.

          1. jake Silver badge
            Pint

            Re: $112 to code a site security system?

            No worries. This round's on me.

    2. macjules

      Re: $112 to code a site security system?

      If you are a relatively new Java developer in, say, India then you are going to benefit quite substantially from 1) the experience and 2) the money. €112 is close to 9000 Rs and for 2 to 3 days work that is close to the equivalent of earning over £1000 in the UK.

  5. Graham Dawson Silver badge

    >freelancer.com

    Well there's your problem.

    1. big_D Silver badge

      Very probably.

      I knocked up a quick database for internal work and the first thing I did was slap in an SHA-256 hash on the password. As it was only for an internal database that should never be exposed to the Internet, I decided SHA-256 was adequate.

      1. Nolveys

        Add salt to improve the flavour.

        1. big_D Silver badge

          Naturally, there was a salt included.

      2. sqlrob

        Why???

        A call to bcrypt is just as easy to write as a call to SHA-256. Why even bother with a shortcut like that?

        1. big_D Silver badge

          Re: Why???

          Because SHA256 was a system call and BCrypt required rooting around an additional library and ensuring it worked reliably. SHA256 was easier and "good enough" for an internal system.

    2. Nolveys

      Beat me to it. freelancer.com is a scam and the chances of getting anyone who knows what they are doing through it is about nil.

  6. Anonymous Coward
    Anonymous Coward

    Predictable

    They seem to have offered peanuts and got a bunch of code monkeys. Not really surprising.

    What would be more interesting and informative would be a study where they offer a reasonable amount for freelancers to produce a specification or high-level design of what they would do to meet the security requirements.

    Then we'd have an idea of how good freelancers can be.

    1. Yet Another Anonymous coward Silver badge

      Re: Predictable

      They offered £20M to Crapita and got a worse solution, it was more secure in that it never went live.

  7. This post has been deleted by its author

  8. Chris G

    The devil is in the details

    Regardless of whether you want an outside loo built or a piece of code, if you don't specify all elements don't assume you are going to get them.

    When hiring any freelancer or contractor, you need to know what they can do and have references, if you don't understand that you have no business hiring anyone.

    Can't say I think much of the quality of research.

    1. Joe W Silver badge

      Re: The devil is in the details

      Well.... depends: if they would push this for any high impact journal you would be right in doubting. If they consider this to be a rather quick exploratory study to be published somewhere quite less prestigeous, then sure, why not do it? This fits the current "must pubish as much as possible" fad, which leads to a marked decrease in average (mean, median, whatever) article quality, and to research results being split up into three or five papers. If a PhD candidate has to publish three papers at least this is a very obvious reaction (not that I either condone or like that development).

      And an authentification system without the most basic level of security (don't store the passwords in plain... among others) is a failure. I do not think that this has to be specified, quite like if you build a house the load bearing walls should be strong enough and you sort of expect that the house (or the outhouse, in your example) has a roof...

      1. Chris G

        Re: The devil is in the details

        You may expect a bog in a garden to have a roof but you definitely have to specify what the roof will be built from, plus flat, pitched, ridged etc. Perhaps ordering a building is more complicated than a piece of code.

        1. katrinab Silver badge

          Re: The devil is in the details

          If you go to Portaloo, they would ask you to select one of their standard premanufactured designs.

  9. Blockchain commentard

    The programmers claimed to have worked in Java for at least a year. Yep, sounds like the BS on my CV.

    Copied from the internet. Yep, sounds like my modus operandi.

    Used freelancer.com. Nope, never been desperate enough to sell my soul.

  10. KBeee
    Joke

    Great name

    Nothing to do with the study, but anybody with the name Emanuel von Zezschwitz should really be in a secret lair under a volcano

  11. Velv
    Facepalm

    Requirements

    OK, so the study proves the blindingly obvious - if you haven't written down good requirements then you're not necessarily going to get back what you really wanted.

    And experience is what you get when you didn't get what you really wanted.

    1. Doctor Syntax Silver badge

      Re: Requirements

      "OK, so the study proves the blindingly obvious - if you haven't written down good requirements then you're not necessarily going to get back what you really wanted."

      OTOH if you're providing a professional freelance service and you're given a clearly deficient spec then you should raise the issue with the client.

      It's true someone who hires in a specialist may be doing so simply because they haven't the capacity to take on the extra work-load. But you can't be sure of that. They may be hiring a specialist because they don't know what they need. Yes, we all know that in that case they should start by hiring someone who can advise them but they don't know that either. It's up to whoever they took on to tell them that the spec isn't appropriate to the job and if the client insists on it being done badly don't take it on.

    2. doublelayer Silver badge

      Re: Requirements

      Some things are too obvious to have to specify. For example, "the code must finish within our lifetimes", shouldn't have to be stated. "The code should compile", "the code should not alter files in random places", "the code should not develop sentience and a desire to kill", we don't need to say these things. Similarly, if I ask for an authentication system, the default is that I want a security mechanism. I would need to specify something like 2FA capability or specific mechanisms for recovery, but a system that uses plain text storage or base64 as an "encryption" algorithm is not a valid solution.

      1. Charles 9

        Re: Requirements

        "Some things are too obvious to have to specify."

        I've learned the hard way that nothing is as obvious as you think it to me. Even such assumptions as you describe may not cross your programmer's mind. So two words spring to mind:

        NEVER ASSUME.

  12. PM from Hell
    Mushroom

    Who on earth would use Freelancer.com for this task

    If I was asked to manage a project like this I would insist on the right to interview all hires, any social media site has a huge attack horizon and will end up containing sensitive data, the idea of just outsourcing any of the internet facing security code or infrastructure design to 'some bloke off the internet' appals me, Whilst I might be open to using Computer Science students there would need to be a properly experienced lead dev in place to provide mentoring, skills transfer and Quality Assurance roles.

    One warning about this approach is that it is not cheaper than employing experienced developers unless the engagement is going to be at least 6 months. If this is a quick and dirty implementation I would build a team from existing, proven contacts whop could hit the ground running, the $112 would pay for one hour of one of these dev's time, I can deliver it quick and secure or slower but lower cost and secure but not cheap. Don't forget that the level of fines available in case of a data breach in the UK can reach hundreds of thousands of pounds.

    The other worry about anyone who would even consider this approach would be that they would almost certainly use a cloud based service and assume that the infrastructure was also secure by default. I wouldn't consider starting development work until the architectural design had been produced and signed off by a web security specialist I knew and trusted.

    1. MJB7

      Re: Who on earth would use Freelancer.com for this task

      "the level of fines available in case of a data breach in the UK can reach hundreds of thousands of pounds."

      You underestimate by at least four orders of magnitude. The maximum fine for a GDPR violation is 4% of world-wide turnover. Google turns over more than $150,000,000,000 p/a. That could be a four BILLION pound fine. (To be fair to Google, I am pretty sure they know how to do authentication securely.)

  13. Anonymous Coward
    Coat

    Unemployable developers

    All they seem to have found out is that developers so bad they will take $200 to do a 5 day job are about as good as the students.

    Which figures.

    Mine's the one with the PBKDF2 in the pocket.

  14. OhDearyMe

    Paid peanuts - got monkeys

    For that money what do you expect - you get the least work that could possibly fulfil the requirements. Then if you suddenly realise you needed security you get to pay more for it, because you were a cheapskate in the first place.

    Get the requirements right. Get the payment to fit the requirements. Then you might get a decent job done.

  15. Anonymous Coward
    Anonymous Coward

    Did anyone from the group out source it to India?

  16. SVV

    Further study?

    They suggested a further study might be needed to see whether "you get what you pay for"?

    Why? This study has already proved for the millionth time that if you pay peanuts you get monkeys.

    So, you researched whether hiring devs from freelancer.com, who "said" they'd been programming in Java "for at least one year", most of whom were not fluent in English, and would accept a 100 buck fee for the entire work, which was a critical part of a security setup, and you discovered that they weren't very good at it?

    A more apt question is how much was spent on this research? Has the peanut / monkey theory never been formally proved before in any previous academic study? I doubt it, therefore you got nothing for what you paid for.

    1. Vincent Ballard

      Re: Further study?

      The follow-up study would be to see whether if you pay real cash you still get monkeys.

  17. Kubla Cant

    You get what you ask for

    Did the requirements statement specify security? If so, what were the acceptance criteria? Were they met or not?

    Any experience developer knows that exceeding requirements isn't really as good an idea as it seems. It can be the cause of confusion in acceptance testing, and subsequent arguments when your Rolls-Royce solution gets bounced back because they only wanted a VW. This is especially true when the job's being done on a tight budget - plenty of comments here point out that the rate for this job was absurdly low.

    It sounds like this study was conducted by a bunch of academics with little knowledge of how software development works in the real world.

    1. Doctor Syntax Silver badge

      Re: You get what you ask for

      "Any experience developer knows that exceeding requirements isn't really as good an idea as it seems."

      They should also know that taking on a job without adequate requirements also isn't a good idea.

      1. 's water music
        Paris Hilton

        Re: You get what you ask for

        They should also know that taking on a job without adequate requirements also isn't a good idea

        sometimes you have bills to pay and so long as the customer leaves the money on the dresser first...

        ask an expert-->

  18. Charlie Clark Silver badge

    Bigger issue - how do you vet programmers?

    The article makes it clear that websites like freelancer do absolutely no checking of the people they list. But, how do you vet remote developers?

    1. Anonymous Coward
      Anonymous Coward

      Re: Bigger issue - how do you vet programmers?

      > how do you vet remote developers?

      Beforehand? You don't... you can only see the quality (or lack thereof) of their code when they write (or steal) it.

      > Most were not fluent in English

      I have noticed that English fluency and code sophistication go hand-in-hand. People that don't bother to speak English also don't bother to comment, indent code properly, or perform procedures like code reviews and merge checks.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bigger issue - how do you vet programmers?

        "I have noticed that English fluency and code sophistication go hand-in-hand. People that don't bother to speak English also don't bother to comment, indent code properly, or perform procedures like code reviews and merge checks."

        fuck your racism

        I have worked with devs from around the world, and it's nothing to do with "English fluency".

  19. andy 103
    Boffin

    misunderstood that encryption, hashing and encoding are different things.

    "The boffins also found many of the freelancers misunderstood that encryption, hashing and encoding are different things."

    Go on then, what's the difference?

    In the context of the application (without having the full details in front of me) I can't imagine anyone would have considered this - at best - beyond: take a plaintext password, hash it, and then store it. Encoding will essentially be whatever the environment's default encoding is, plus some consideration for the storage, such as a particular database platform or disk storage option.

    If you're talking about encryption of the storage medium of hashed passwords, or encryption in transmission (HTTPS for example), why would you assume a developer - particularly one being paid €100 - would even give a toss about this? If the Job Spec doesn't mention it then you shouldn't expect them to be going above and beyond to deliver something better than "at least the application isn't generating/storing plain text passwords".

    If anything this exercise highlights the problem of clients expecting the earth, even when they themselves haven't specified their own requirements properly. Often proportional to what (little) they are offering in renumeration for implementing such things!

    1. Killfalcon Silver badge

      Re: misunderstood that encryption, hashing and encoding are different things.

      It's simple at the core:

      Encryption is reversible - meant to be undone. You encrypt things that need to be read by both parties.

      Hashing is one way. You hash things that only one party needs to know (such as passwords).

      Generally speaking with Hashing you hash a new input and see if it matches previous hashes. It's how duplicate images are detected, f'rex: turn the entire jpg file into a 256 character hash, and it's trivial to find matching items and very unlikely to be coincidence.

      In overly simplified security context: I type my username and password. Client side those get encrypted and sent to the server so no-one in the middle knows what I typed. The password is then decrypted, hashed using the same algorithm as when my account was setup so that if I typed the same string, it gets the same hash and matches - and the server never stores my unhashed password, and the client can't be reverse engineered into giving up the hash function.

      (broadly. There are many subtle variations in how this can be done, naturally)

      1. Charlie Clark Silver badge

        Re: misunderstood that encryption, hashing and encoding are different things.

        While the difference between encryption and hashing can be clearly defined, encoding and encryption are synonyms, even though if in practice encoding is generally used to refer to the character set. In the example provided, the encoding is done with a known public key and mechanism, but the principles are the same.

        One issue is that the customer probably has no understanding of the processes and so won't necessarily ask for a secure system. So it is reasonable to expect developers at least to ask or suggest that encryption be used. Except you can't expect that on a piece-rate system where price and speed are sole determinants.

  20. d3vy

    To be fair the upper limit $225 (Approx £170) would pay for around half a days time for a freelancer/contractor with *average* skill.

    Whats happened here is they have put up a job on freelancer.com with a budget that barley covers the time needed to read and understand the spec and set up a dev environment.. any half decent/experience developers will have looked at it, laughed (or been annoyed) and not bothered bidding for the work. The only people willing to work for that rate are either shit, desperate or in some cases you can get lucky and get a decent dev in a part of the world where the cost of living makes these low paid jobs manageable.

  21. d3vy

    "The boffins also found many of the freelancers misunderstood that encryption, hashing and encoding are different things."

    Thats actually quite a common provisional/Phone interview question - at least in my experience and allows you to weed out the devs who have no idea what they are talking about - you would be surprised how many think that Hashing and Encrypting are the same thing. Not so many confuse Encoding with Encryption but then I have also seen production systems sending "encrypted" data about over plain HTTP - it was just base64 encoded strings... so obviously some devs do struggle with this too.

  22. Doctor Syntax Silver badge

    It's not so much getting what you paid for, it's more a case of if you don't pay some reasonable minimum you get even less than you paid for. I'm not sure is that was what they sere setting out to demonstrate, that they genuinely didn't know what a sensible rate should have been or they simply didn't have a budget to offer sensible rates. If it was an add-on to a project testing students then the last might well have been the case.

  23. Anonymous Coward
    Anonymous Coward

    Java lol

    Lol java devs be like, not fair, who hacked my stuff? Rest of world be literally like, yo Mr Ponderous, yo app has more open holes than all the Kardashians at a party in Dubai, try a grownup's language, and java devs be like, waaaaah want mommy or at least an anonymous shim proxy interface to her!

  24. HmmmYes

    Firther studies found that a a radnom person, picked up in Greggs, cannot secure an internet box.

    This is daft.

    Another sign thata lot of academics are just morons.

  25. Anonymous IV
    Thumb Up

    Compulsory ending to all research papers

    "They suggested further study might be warranted".

  26. Missing Semicolon Silver badge

    Students

    Presumably, at $200 for the whole job you don't get "professionals" you get students. If not English-as-first-language, IIT students?

  27. FrankAlphaXII

    Working as a continuity and emergency management contractor I can tell you no matter how good any professional is, devs included, if its not specified and outlined, its not getting done, that likely takes extra work/extra time and nobody rides for free. Plus, there may be a reason for why they didn't ask for it. It might be a stupid reason but its still not worth giving away your time and labor when it very well might just aggravate the client since it wasn't something they asked for. Maybe they're regulated and have to have things done a certain way (PCI, SOX, HIPAA, Title 13, EO 13526) or have security measures that you don't have need to know for that they'll add later.

    None of this is to defend shitty practices, bad code, or bad QA, but when you're not told it needs to be done and you're getting paid a pittance even if you think its utterly stupid to not do whatever, it probably won't get done unless you run into the world's dumbest freelancer.

    Academics publishing papers, who are universally seeking tenure (which is about the antithesis of temporary or freelance work), are probably the absolute fucking last people I'd ask about anything to do with a freelance job or the gig economy.

  28. Joe Montana

    Security not wanted?

    I've encountered situations where developers provided a secure password storage method, only to be told to take it out again.

    In some cases they wanted the plaintext password so it could be sent to users who forgot it, while in others they needed the plaintext to implement another misguided "security features" like only requesting specific characters from the password.

    1. Baldrickk
      Coffee/keyboard

      Re: Security not wanted?

      Ewww

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like