My money is on incompetence, as this was obviously something people could find by just looking. IMO incompetence is worse because while intent can be fixed pretty fast if needed, incompetence cannot.
It is also a pretty good indicator for the sad state of practical IT when a security element (!) does not even manage to get something as basic as certificate verification right.
Incompetence is also worse because there is an unknowable number of problems like this. At least with intent, someone somewhere has an exact list of what has been compromised. With incompetence, systems are compromised and no one knows until it's too late.
Incompetence or malicious intent? (Score:3)
Re: (Score:3)
Re: Incompetence or malicious intent? (Score:2)
What do you want to bet an outsourced or h1b1 employee with no experience implemented this as a cost-saving measure?
Talented security professionals are expensive.