I started to write a post, then realised I’ve already written it several times before, with the most coherent of them here.
So instead I’m going to change it up a little and tell a story.
I’m a generalist, and as you will know it’s really hard to be good at everything, so clearly there are some things I’m “not so good at”. Like most people, I use Google a lot, and my Google-fu is strong.
A couple of weeks ago we did a security scan of an existing system, which revealed some security flaws. It was a non-Oracle product, so I didn’t have a recipe to follow and I started Googling for solutions. The product in question is very popular, and there were lots of responses to my Google search, with most of the top results coming from Stack Exchange (Stack Overflow). Happy days, I thought, as the Stack Exchange sites are effectively peer-reviewed, in that the correct answers are usually up-voted.
I looked at the first few different threads and people were saying the same thing. The highest up-voted answer on each thread gave a very direct and simple parameter value to solve the issue I had, so I was happy…
I followed the advice, set the parameter, restarted the service and tested. It didn’t do what everyone claimed it would. Armed with the parameter name, I searched the product documentation, and clearly the parameter didn’t do what the Stack Exchange answers said it did.
That seemed very odd, so I assumed these must be answers that were correct for an old version of the product. I checked the docs for previous versions. Same result. After reading the docs I found the real answer, implemented it, tested it and it worked.
What is really worrying about this is the answers on several threads on Stack Exchange were wrong. Those incorrect answers had been up-voted by lots of people, which suggests they agreed with the answer, even though these solutions could *never* have worked. So this seems to indicate one of two things to me.
- People read the answer, it sounded plausible, which it did, so they up-voted it without trying it.
- People had actually used this solution, thought it was the right solution and up-voted it, but clearly never tested their system or they would have seen it didn’t work and they still have the same security flaw.
One of the things I say in that post linked above is:
“Remember, even when you have built up a list of trusted sources, you should still constantly test what they say. Everyone can make mistakes.”
That’s really important because the internet is full of great information, but it’s also full of bullshit. Being able to tell the difference is really important, and the only way to do that is to test it, or do further research if it’s something you can’t test for yourself…