Hacker News: theboss's comments

414141. I know I'm not alone out there =]


I'm curious. To people who have purchased bitly, why? I feel like setting it up would take as long as writing your own. My very first web project I ever did was to write a url shortener and it took me less than an afternoon. A good engineer I'm sure could do it in less than an hour.

For the price, what does it get you?


What's sad is that not even wrong security was in place here. They didn't even try. There was NO XSS prevention.

<script>javascript</script> is the first payload you try when looking for the stupidest XSS you can find....


Apparently it was only activated if you included an emoticon (<3) in your tweet, possibly following the closing script tag.


Any UTF8 char actually 💩


Some services will ignore security entirely at first, because it doesn't directly contribute to getting a viable product to market quickly (obviously, users will use an insecure site or app so long as they don't know how insecure it is). Then when the app becomes viable, they will continue to ignore security because it doesn't directly contribute to growth. Security becomes part of the nebulous "optimization" stage which is pushed somewhere down the road - and at some point the application becomes so complex that security isn't deemed worth the effort or the money.

I'm not saying that's what happened here, and depending on the language and platform you're using, xss can be a difficult problem to solve. But it does seem to be a common trait to disregard security until you have to apologize for it.
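As an added illustration of the control the comments above say was missing (this is example code, not anything from the thread or from the affected product): the one thing a tweet renderer has to do before dropping user text into markup is escape the handful of characters that change HTML context. The sample tweet reuses the thread's own `<script>` payload plus the `<3` emoticon and an emoji; the function and variable names are my own.

```javascript
// Added example: HTML-escaping untrusted tweet text before it is inserted
// into markup. Names (escapeHtml, renderTweetSafe, ...) are assumptions,
// not from any real client.

// The five characters that can change HTML context, mapped to entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape text for the HTML text/attribute context. Everything else, including
// non-ASCII characters such as emoji, passes through unchanged.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern that produces the bug discussed above: raw concatenation of
// untrusted text into markup that will later be assigned to innerHTML.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet">${tweet.text}</div>`;
}

// The hardened pattern: the untrusted value is escaped for the context it
// lands in. Note that escaping is applied per value, not once per page.
function renderTweetSafe(tweet) {
  return `<div class="tweet">${escapeHtml(tweet.text)}</div>`;
}

// Constructed sample input: the thread's payload, the emoticon, and a UTF-8
// emoji, to show that the emoji does not affect whether escaping happens.
const SAMPLE_TWEET = { text: '<script>javascript</script> <3 💩' };

// Render the sample both ways and report whether a live <script> tag survived.
function demo() {
  const unsafe = renderTweetUnsafe(SAMPLE_TWEET);
  const safe = renderTweetSafe(SAMPLE_TWEET);
  return {
    unsafe,
    safe,
    unsafeHasScriptTag: /<script>/i.test(unsafe),
    safeHasScriptTag: /<script>/i.test(safe),
  };
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The escaped output is plain text as far as the browser is concerned, so the emoji renders as an emoji and the payload renders as the literal characters `<script>javascript</script>`. If the value is instead placed inside a URL or a JavaScript string, a different encoder for that context is needed; this function covers the HTML text and quoted-attribute contexts only.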


As someone who has only just entered the 'real world', I found it so incredibly odd that people's employers very often get involved in these internet dealings by firing someone because they use a sexist/racist/whatever-ist slur.

To people out there: if you are going to talk about somewhat controversial topics, the "my opinions are my own" you put on your twitter probably isn't enough protection.


Even if you don't indicate your employer explicitly on a social media profile, it's not hard to track someone down via a personal website/LinkedIn, etc.


This actually starts before steroids were invented.


What does a native client do if Google still stores all your emails, receives all your emails, etc.? It's not like once you read the email in your client Google forgets it ever saw the email.....


A native client has advantages over a browser extension. For mobile devices, there isn't much choice except to use a native client for email. But that would mean open sourcing the client, if that's how you read the cleartext.

Google needs a few more pieces, like Web-of-trust facilitates by social connections and real time communication, but this is a good first step.


I'm seeking work to freelance as a security consultant on short engagements or small projects. Because of this my going rate is quite low.

I specialize in webapp security, cryptography, android security, and love PHP (a developer's nightmare is a hacker's dream).

Contact me at my profile's email address


Your profile has no email address. The email field doesn't show publicly, so it needs to also be in the about field.


Ah, thanks, I never realized.


I'm a recent grad with my MS in CS. I mostly focus on information security and cryptography. I want to know everything about the two subjects.

I'm about to start working at a SaaS startup security company.


This is like....seriously one of the worst documents I've ever read.


There are pros and cons to both closed source and open source. Open source is nice because the community can audit the code and see for themselves, but closed-source is nice because a company generally has the resources to maintain and build software correctly.

Both of these are hypothetical, however. We've seen tons of vulnerabilities from both. IMHO Open Source works a lot better on paper but once projects get very large auditing them is really hard...which definitely cuts down on the amount of eyes looking at them.


>>closed-source is nice because a company generally has the resources to maintain and build software correctly.

These two things are orthogonal, IMHO.


My post is "on paper". In reality, projects are squeezed for nickels and dimes.

My point is that while open-source should be better, right now it seems that everything is equally not good enough.

