Re^5: RFC: Algorithm::CouponCode

Let me tell it as a story: Once upon a time in the early days of computers a government department chooses a particular mechanism for generating and testing the validity of codes it generates and publishes. It still uses the legacy system in question because noone broke it yet. Lo and behold someone else (you) has accidentally used the same method but is providing it on an online facility that can be brute forced whereas the government system is not available online and cannot be brute forced. How the story continues from here is up to you and the offended government department if they find out.

One world, one people

Comment on Re^5: RFC: Algorithm::CouponCode

Replies are listed 'Best First'.
Re^6: RFC: Algorithm::CouponCode by Anonymous Monk on Apr 28, 2011 at 21:00 UTC
Let me tell it as a story: Once upon a time on Perlmonks there was a software developer who told a story. The story wasn't based on fact but, rather, constructed a straw man for the software developer to argue against. It was all very interesting but, as it bore no relation to reality, not really very applicable.	[reply]
Re^7: RFC: Algorithm::CouponCode by anonymized user 468275 (Curate) on Apr 29, 2011 at 10:16 UTC
In that case I am closing this discussion. Update: I just noticed that you are not the OP. So having no stake in the situation and nothing to potentially lose (unlike the OP) you can be as irresponsible with your comments as you like. Especially being anonymous. So who cares? One world, one people	[reply]
Re^8: RFC: Algorithm::CouponCode by morfran (Initiate) on May 04, 2011 at 03:43 UTC
In all honesty, I don't see how an anonymous post is more lacking in relevance than a veiled argument. I actually wrote the above anonymous post, sorry, I hadn't realised I wasn't logged in. I really don't see how you think that this compromises the security of the application in question. A person applies for access and is sent a code by post. They can only do anything with that code if they are the owner of the email address which the request was made with and they received the code in the post. There is basically no possibility of anyone guessing both pieces of information; it's not even any more plausible that someone having taken control of the email address could then guess the correct code. Note that it's not _any_ valid code, it's _that_ valid code that is required. After that, they can associate a login token with their account to use it to log in. Worst case, if someone stole my email address and intercepted my post, they could attach their login to my account until I complained of all these injustices. So who cares?	[reply]
Re^9: RFC: Algorithm::CouponCode by anonymized user 468275 (Curate) on May 06, 2011 at 11:19 UTC
Re^10: RFC: Algorithm::CouponCode by grantm (Parson) on May 09, 2011 at 01:07 UTC