Comment Re:quickly to be followed by self-driving cars (Score 4, Insightful) 904
I hope you enjoy having the service track everywhere you go and when you do so, so they can sell it to marketers.
You mean like carrying a smart phone?
The NSA could also be getting duplicate copies of customer certs issued by CAs in order to play MITM.
Presumably you mean certificates using NSA-generated key pairs, but that are otherwise identical to the "customer certs".
winning the day. Didn't work out so well for Corel did it? Or Novel? Or Sun?
I assume you meant Novell.
Yeah, your few good programmers will make better code, but my 100 code monkeys will make more of it.
Novell isn't really a good example. Starting in the late 90's, they began laying off employees in the states and replacing them with cheap labor in Bangalore. That didn't work out so well.
Especially telling was a blog post by then-CTO Jeff Jaffe sometime around 2008, where he talked about the superior quality of Novell's software. Only problem was that quality had been steadily declining for the past ten or so years. The comments section was full of Novell customers telling the CTO that he was full of shit.
Jaffe was fired (er, resigned) a year or so later, so that blog post is long-gone. Fortunately, the wayback machine has a copy.
With RSA doing the keyfill at point of manufacture, the customer just needs to load the seed file for the entire batch onto their authentication server and then hand out the token
Don't forget that the tokens also expire every couple of years. If customers were able to load a new seed themselves, then they wouldn't need to purchase new ones as often.
re: surprise at lack of QA or automated unit tests — “most engineers are capable of writing bug-free code. it’s just that they don’t have an incentive to do so at most companies. when there’s a QA department, it’s easy to just throw it over to them to find the errors.” [EDIT: please note that this was subjective opinion, I chose to include it in this post because of the stark contrast that this draws with standard development practice at other companies]
This guy's obviously fresh out of college. It would be interesting to hear from someone with a little more real-world experience.
If it were, say, a private company producing this product, wouldn't they have subjected it to the normal quality control processes in software companies...
But what exactly is that process? The QA process can vary widely from company to company and product to product.
There are several factors that can influence the quality of QA:
How important is the product to the team/company/manager and middle-managers involved?
Is the QA team responsible for more than one product? If so, which product is given the most priority?
Is the QA team staffed to adequately test each product assigned to them?
What is the individual skill and experience level of each team member? Does anyone on the team have experience finding and testing for security vulnerabilities?
Does the company actually have a qualified "in house security specialist"? How involved is he/she in the product design and QA process? Such a specialist should review and approve both the initial product design and the test plan.
How much testing goes into each release? I.e., does the team perform a full regression (re-executing the entire test plan, which can take weeks or months), or do they focus their efforts only around the new features that were added, potentially missing bugs that may arise due to unanticipated effects that new features might have on other components in the system?
Commercial software companies often ship products with serious security flaws, in spite of the reasons you listed. Some products receive thorough testing and others don't. It doesn't matter much whether or not the product is a commercial offering.
Save the whales. Collect the whole set.