Comment On Biltmore Can't Log In

Woo! PIN code as timeout, who'd have thought of that?!?

I think it would have been funny if the boss spoke only in third person.

"Biltmore wants his reports! Why does it keep asking Biltmore to type in his PIN? Fix it for Biltmore!"

TRWTF is this:
"four-digit PIN number"
It's PIN, not PIN number.

dtfinch:

Fixed it:
function getTimeOut()
{
return 1000+(int)$_POST['pin_number'];
}

That's assuming getTimeOut isn't actually used for PIN validation somewhere . . .

WhiskeyJack:

I think it would have been funny if the boss spoke only in third person.

"Biltmore wants his reports! Why does it keep asking Biltmore to type in his PIN? Fix it for Biltmore!"

Biltmore is getting very upset! That is some 1337 (elite) code right there!

Using a user-supplied password as a session timeout limit in seconds? I have a feeling that 2008 is going to be a good year for the Daily WTF... We're definitely starting it off well.

I hope Biltmore got the memo about the cover sheets.

I suspected the PIN was being stored in a numeric field. It's a number right? The fact that his PIN was 0010 confirmed that fact for me. Then it turns out I was completely wrong.

I wonder if they could enhance the system to have a 5 digit PIN. Then he could make it 12345 and synchronize with his luggage combination.

Aidan:

TRWTF is this:
"four-digit PIN number"
It's PIN, not PIN number.

Personal Identification Number Number.

In other words, the amount of identification numbers you need.

I wonder if they were the TPS reports...?

TRWTF is this:
"four-digit PIN number"
It's PIN, not PIN number.

Personal Identification Number Number.
In other words, the amount of identification numbers you need.

Hehe. I work in telecoms. In my code dealing with call statistics, I have variables like $numnums which is, of course, the number of phone numbers dialled in a given time period.

WhiskeyJack:

I think it would have been funny if the boss spoke only in third person.

"Biltmore wants his reports! Why does it keep asking Biltmore to type in his PIN? Fix it for Biltmore!"

Just as code always contains feline references, it must always contain cultural references.

1. "Biltmore wants his preciousssssss. Nasty PINses! PINSes want to hurt Biltmore!"

2. "Fix it for Biltmore you will! Beware of the power of the dark PINs you must!"

3. "It is a truth universally acknowledged, that a director in possession of a Monday, is in want of a PIN."

Welbog:

Using a user-supplied password as a session timeout limit in seconds? I have a feeling that 2008 is going to be a good year for the Daily WTF... We're definitely starting it off well.

This WTF must be a paraphrase from BOFH. I'm too lazy to dig it up, but I'm pretty sure of it.

Mr. Bean:

TRWTF is this:
"four-digit PIN number"
It's PIN, not PIN number.

Personal Identification Number Number.
In other words, the amount of identification numbers you need.

Hehe. I work in telecoms. In my code dealing with call statistics, I have variables like $numnums which is, of course, the number of phone numbers dialled in a given time period.

My personal favorite is $numnuts. Which would be the number of php monkeys using crappy variable names.

Aidan:

TRWTF is this:
"four-digit PIN number"
It's PIN, not PIN number.

Welcome to language.

Aidan:

It's PIN, not PIN number.

This is a case of the RAS syndrome.

oh my god this is so funny. love this site

Chancy:

dtfinch:

Fixed it:
function getTimeOut(){ return 1000+(int)$_POST['pin_number']; }

That's assuming getTimeOut isn't actually used for PIN validation somewhere . . .

That'd be significantly evil. I suppose it just goes to show that you should never trust function names; they're out to get you, after all.

Hah, that's a WTF :)

GreyWolf:

WhiskeyJack:

I think it would have been funny if the boss spoke only in third person.

"Biltmore wants his reports! Why does it keep asking Biltmore to type in his PIN? Fix it for Biltmore!"

Just as code always contains feline references, it must always contain cultural references.

1. "Biltmore wants his preciousssssss. Nasty PINses! PINSes want to hurt Biltmore!"

2. "Fix it for Biltmore you will! Beware of the power of the dark PINs you must!"

3. "It is a truth universally acknowledged, that a director in possession of a Monday, is in want of a PIN."

This comment has just made my day, nay, my entire week!
Thanks - I haven't had to wipe this much coffee from my screen/keyboard in a very long time.

I also suspected some integer conversion code to strip the leading zeroes - a common kind of bug in processing numbers that aren't actually numbers in the mathematical sense of the word-, but this isn't just a programming glitch, it's pure insanity. And it's so freaking arbitrary. Why use the PIN and not, let's say, the digit sum of the ZIP code multiplied by the surface temperature of the spot on the Moon that faces the Earth in Fahrenheit? Sure, you couldn't log in at all whenever the latter drops to or below 0°F, but using the absolute value function or the Kelvin scale would easily fix this problem. Maybe instead of using the digit sum of the ZIP code, you could use a database of crime hot spots. So someone who logs in from the New York subway will have to reauthenticate more often than someone accessing the system from his ranch in Colorado. It all makes terribly much sense if you think about it. :-)

Well at least its in seconds, not milliseconds :) I wonder why a hard coded 15 minutes was not enough? Or 15 minutes since last request? I duno, I guess typing in 15*60 is harder than 'pin_number'...

The new PIN is so l33t!

Seems like the programmer was trying to teach people a lesson about very low PINs. Most crackers would try to brute-force your PIN from zero (after trying the obvious stuff like 1337 etc.)

A hard-coded timeout? Why, magic numbers are grounds for termination here!

This is great WTF because I don't understand at all what the programmer was attempting to do. (This is not said at all in sarcasm, I am truly stumped).

function getForumTimeOut(){

	return $_REQUEST['ArticleId'];

}

I'm going to guess that originally the PIN's were assigned, not chosen, and were used as a kludge method of setting different session lengths for different users.

But what if the PIN isn't set? Fixed:

function getTimeOut()

{

  $pin_number=$_POST['pin_number'];

  if (isset($pin_number)) {

    $old_pin = $pin_number;

  }



  $new_pin=1000+(int)$_POST['pin_number'];

  if (! isset($new_pin) )

  {

    $new_pin=1000;

  }

  else

  {

    $new_pin=1000+(int)$_POST['pin_number'];

  }



  return $new_pin;



  $_POST['pin_number']=$old_pin;



}

WhiskeyJack:

I think it would have been funny if the boss spoke only in third person.

"Biltmore wants his reports! Why does it keep asking Biltmore to type in his PIN? Fix it for Biltmore!"

This had me laughing out loud!
Thank you for the first chuckle of 2008 :D

Why not just :

function getTimeOut()
{
return 2000;
}

Why on earth would the timeout depend on the password? That makes no sense at all... someone was smoking something when they wrote that function.

Hmm, I just realised that my solution doesn't cover "what if GetTimeout is used for PIN validation?"... well how about $_SESSION("difference_between_timeout_and_real_PIN") which is set to 1000 by GetTimeout() ?

????
function getTimeOut()
{
return 1500;
}

apetrov87:

Seems like the programmer was trying to teach people a lesson about very low PINs. Most crackers would try to brute-force your PIN from zero (after trying the obvious stuff like 1337 etc.)

Yes, but why would anyone associate too low of a magnitude of the arithmetic value of their PIN to their, in technical terms, "broken computer".

Is this not just a perversion of password life being a function of password complexity? You know, the ONLY way to crack such a PIN is to start at 0001 and go up from there(0000 is, of course, reserved for super geniuses).

Me Biltmore. Biltmore want reports. Biltmore SMASH!

Priceless stuff, what a start to the year!

dtfinch:

Fixed it:
function getTimeOut()
{
return 1000+(int)$_POST['pin_number'];
}

Without seeing the full codebase, you can't be sure that it's a valid fix :)

Am I reading this right? It looks like the code is setting the timeout to the user's PIN?

You crazy PHP monkeys, in ASP.NET, we just leak an arbitrary amount of memory knowing exactly how long until the leak forces the application pool to recycle.

Then once it does, all the sessions are cleared.

:)

Chancy:

dtfinch:

Fixed it:
function getTimeOut()
{
return 1000+(int)$_POST['pin_number'];
}

That's assuming getTimeOut isn't actually used for PIN validation somewhere . . .

You're assuming quite a bit there, aren't you?

The moment I saw his PIN I was ready to bet that the problem was leading zeros...

And I am still not convinced that this SetTimeout stuff is authentic... seems kinda too big a WTF to be TRWTF.
More likely the submitter just couldn't figure out what the problem was, and made up some nonsense to submit it instead :p

David reset Biltmore's PIN number to 1337 ...

I hope Biltmore's reports don't take longer than 22 minutes 17 seconds to run, or Biltmore will start whining again.

Someone help me out here...

1. Gollum

2. Yoda

3. ???

sweavo:

But what if the PIN isn't set? Fixed:

function getTimeOut()

{

  $pin_number=$_POST['pin_number'];

  if (isset($pin_number)) {

    $old_pin = $pin_number;

  }



  $new_pin=1000+(int)$_POST['pin_number'];

  if (! isset($new_pin) )

  {

    $new_pin=1000;

  }

  else

  {

    $new_pin=1000+(int)$_POST['pin_number'];

  }



  return $new_pin;



  $_POST['pin_number']=$old_pin;



}

#

WTF?

sweavo:

But what if the PIN isn't set? Fixed:

function getTimeOut()

{

  $pin_number=$_POST['pin_number'];

  if (isset($pin_number)) {

    $old_pin = $pin_number;

  }



  $new_pin=1000+(int)$_POST['pin_number'];

  if (! isset($new_pin) )

  {

    $new_pin=1000;

  }

  else

  {

    $new_pin=1000+(int)$_POST['pin_number'];

  }



  return $new_pin;



  $_POST['pin_number']=$old_pin;



}

I was starting on a reply where I wanted to correct the errors and bugs in your function, but I realized that it is probably just bait ;-)

Kluge Doctor:

Someone help me out here...

1. Gollum

2. Yoda

3. ???

Pride and Prejudice, I believe.

That's some badass intution right there... how did he make the link between "timeout" and "pin"? Or did I miss something?