All of Christian R.'s fellow employees were so overloaded with criticality-1 tasks like replacing icons, fixing spelling mistakes and such that their company decided that it would be prudent to outsource new work to Experts. Management reasoned that choosing highly trained experts would ensure that the job would be done right the first time. The solution would be cost effective, efficient and make them look wise.

One particular new task was to enable two devices to be paired. This would be accomplished by having one device display a number. The user would enter the number on the other device: the two devices would be paired and the user would be logged in on both devices. Underneath the covers, both devices talked to a common server. Once paired, the devices could talk to each other (through the server).

The Experts' first attempt had the displaying device generate a random number and store it in a database via a web service call; without validation, checking, or even a sniff-test. Once the device had generated and displayed a number, you could store any number you wanted in the database.

After a lot of explanations as to why this might not be prudent, and many, many concrete suggestions, the Experts changed course and decided to do it on the server.

When one device starts the process, it sends a truly unique device-id to the server. The Experts decided to create a truly unique random number to make a seed (details not relevant) and give it to the function that would generate the key. The length of the truly unique random key is always 6 digits and may not start with a zero:

this.generateKey = function(seed, len) {
    var start = Math.abs(Math.floor((Math.random()*seed.length)+1)-len);
    var key = seed.substring(start, start+len);
    var random = "";
    var i = 0;
    while (i<key.length) {
        var a = Math.floor(Math.PI * parseInt(key.charAt(i), 10)).toString();
        a = a.charAt(Math.floor((Math.random()*a.length)));
        random += a;
        i++;
    }
    if(random.length < len) {
        random = (Math.floor((Math.random()*9)+1)) + random;
    }
    return random;
};

The user must then enter the 6 digit key on the device to be paired. The key is then saved in the database, and is used for all subsequent communication between the devices. The Experts deemed this process safe enough. After all, 900,000 possible keys is more than anyone would ever need, right?

However, in order for this feat of engineering to work, each key pairing number was only allowed once in the database. Just to be safe, in the DB, this was trivially enforced with a unique constraint.

Unfortunately, this implementation led to numerous duplicate keys being generated. Thus, when the server generated a not-so-unique number and tried to save it, the insert simply failed and the server would grind to a halt, throwing the SQL error back to the user. Of course, all the other devices that were communicating through the server were massively affected by their common link going into limbo. Needed tasks weren't initiated. Tasks that needed to be shut down just kept going. Automated queries between devices went unanswered. Commands were not honored. Havoc of all sorts was wrought as machines no longer obeyed the commands of their masters.

Christian wisely chose not to execute the application and give it control. Management was informed that the Experts were providing less-than-stellar solutions and that delays were advancing more than the project. Needless to say, the Experts were advised that this was unacceptable. They quickly made a fix and sent the patch file. Here are the relevant lines they changed:

  - var a = Math.floor(Math.PI * parseInt(key.charAt(i), 10)).toString();
  + var a = Math.floor((Math.random() * Math.PI) * parseInt(key.charAt(i), 10)).toString();

While Christian might not have the extensive and expansive knowledge of the Experts, he suspected that their solution might not quite do it. Now all he had to do was to convince management that their decision to choose outside Experts may have been less wise than they had envisioned.

Maybe they should try this.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!