Comment On The 160 Million Euro Session

German readers may be familiar with the story of Arbeitsagentur.de, the official website of the Bundesagentur für Arbeit (Federal Labour Office). It's a fairly typical "big business" story: government wants a job portal website, large consulting company (Accenture) bids €65.5M, government accepts, consultants start it but say they need another €100M to complete it, government becomes outraged, news stories are written (like this one), and eventually a horribly slow low-functionality website gets built.

Re: The 160 Million Euro Session

2006-04-05 15:16 • by The Jaybird
Foist!

Re: The 160 Million Euro Session

2006-04-05 15:16 • by Karl
Ah, I see the WTF; the 97th digit is off by one.

Re: The 160 Million Euro Session

2006-04-05 15:19 • by R.Flowers

It's a 714-byte session identifier that's unique enough to represent all sessions across all websites across all the Internets across all galaxies throughout all of time ... four times over.


Maybe they were burned badly by Y2K.


It reminds me of a base-64 encoded picture.

Re: The 160 Million Euro Session

2006-04-05 15:20 • by APAQ11
67135 in reply to 67132
That's not a WTF... that's just coding for the future. The world population, it is a multiplying.

Re: The 160 Million Euro Session

2006-04-05 15:20 • by sar
i've worked on Accenture engagements and this does not surprise me in the least...  they probably billed out some new college grads fresh from accenture "bootcamp" at 500/hr for that crap....

Re: The 160 Million Euro Session

2006-04-05 15:21 • by Mr Beeper

Maybe it's supposed to be something similar to ASP.NET's Viewstate.

Re: The 160 Million Euro Session

2006-04-05 15:21 • by loneprogrammer
Is that really just the session ID?  It might be the session ID plus a lot more data too!

Re: The 160 Million Euro Session

2006-04-05 15:22 • by Anon
It actually looks like, with all those strings of 0's followed by chunks of characters, that this "session id" is being used to store some data about the session. 

Now that would be a WTF.


(I love it when the captcha is 'enterprise')

Re: The 160 Million Euro Session

2006-04-05 15:22 • by nn
Don't you see?

That's your total IRS record right there in the session !

Very nice if they want to employ you :P

Re: The 160 Million Euro Session

2006-04-05 15:23 • by Dave
67141 in reply to 67138

In the next $100 million phase they will be implementing gzip compression for URLs.


 

Re: The 160 Million Euro Session

2006-04-05 15:23 • by Albatross
67142 in reply to 67136
They don't want to be outgunned when the 1-yottabyte disk comes standard on new computers.

Re: The 160 Million Euro Session

2006-04-05 15:24 • by Satanicpuppy
67143 in reply to 67132
This stuff used to piss me off...Why in gods name would someone choose a "unique" identifier of such uniqueness? 32 characters of hex was enough to make me grit my teeth. These days, I don't worry about it. I've seen so much worse crap lying around, if someone's worst problem is that they think they're going to need more than 1.1579208923731619542357098500869e+77 unique identifiers, more power to 'em.

Re: The 160 Million Euro Session

2006-04-05 15:26 • by Killsystem
Hi, you can't imagine how many people are unemployed in germany.
We need this state of uniqueness *g*

Re: The 160 Million Euro Session

2006-04-05 15:31 • by Cipher
67145 in reply to 67133
Yeah, I don't even see the code. I just see blondes, brunettes, and redheads.

Re: The 160 Million Euro Session

2006-04-05 15:33 • by Anita Tinkle
67146 in reply to 67145
Heh.  I can't even get their website to come up.

Re: The 160 Million Euro Session

2006-04-05 15:36 • by Anita Tinkle
67147 in reply to 67146
Looking closer at the URL, I'm very curious what the stuff after the underscore signifies (maybe it's some sort of partial salt?)

Re: The 160 Million Euro Session

2006-04-05 15:37 • by Suck My Lisp
Well, 714 bytes is 8 bits, so we have 2^5712 possible session identifiers, which is a bit more than 10^1719.



There are about 10^78 atoms in the universe, so if every atom in the
universe created a session every second, that site won't run out of
sessions for 10^1641 seconds, which is about 10^1635 years.



That's the kind of Enterprise-class engineering I'd expect in a $165M site.

Re: The 160 Million Euro Session

2006-04-05 15:40 • by Chris

I see an underscore in there towards the end. Then all the hex letters magically jump to upper case. Definitely other information stored in there.


Also I viewed source on the website. I noticed that one of these crazy session URLs actually had 1 GET data as well. So my 'spot the WTF' is that the session is storing data as well as the URL with GETs. I think the extra money was to add the features of sending data through cookies and POST as well! Now that's enterprisey!

Re: The 160 Million Euro Session

2006-04-05 15:42 • by Paul
67150 in reply to 67149

Some of the strings embedded:


IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland

Re: The 160 Million Euro Session

2006-04-05 15:45 • by loneprogrammer
67151 in reply to 67150
Anonymous:

Some of the strings embedded:


IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland



That's using the old noodle!

Re: The 160 Million Euro Session

2006-04-05 15:46 • by ParkinT
That's not a session id, it is a uuencoded JPG of Bill Gates!

Re: The 160 Million Euro Session

2006-04-05 15:56 • by Slacker
I was half-expecting a circle to appear in that, made entirely from 1s and 0s.



(joke for Sagan fans)

Re: The 160 Million Euro Session

2006-04-05 15:57 • by Ben Adams
67154 in reply to 67145
Heh! That cracks me up.

Re: The 160 Million Euro Session

2006-04-05 15:58 • by emurphy
67155 in reply to 67150
Anonymous:

Some of the strings embedded:


IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland



Where is "berufe_cluster" embedded?

Re: The 160 Million Euro Session

2006-04-05 15:58 • by rob_squared
67156 in reply to 67148
Suck My Lisp:
Well, 714 bytes is 8 bits, so we have 2^5712 possible session identifiers, which is a bit more than 10^1719.



There are about 10^78 atoms in the universe, so if every atom in the
universe created a session every second, that site won't run out of
sessions for 10^1641 seconds, which is about 10^1635 years.



That's the kind of Enterprise-class engineering I'd expect in a $165M site.


Well, they'd be remiss if they forgot to consider those persons needing to log on after the heat death of the universe.

Re: The 160 Million Euro Session

2006-04-05 15:59 • by Kiss me, I'm Polish
67157 in reply to 67145
Unemployment? That's because they outsourced this ArbeitsDoppelGang to USA.

Re: The 160 Million Euro Session

2006-04-05 16:00 • by Wolfsbein
67158 in reply to 67152
What frightens me much more than that absolutely unique identifier is this tabindex="600"!

Re: The 160 Million Euro Session

2006-04-05 16:01 • by dave
67159 in reply to 67155
here ->  6265727566655f636c7573746572

Re: The 160 Million Euro Session

2006-04-05 16:02 • by dave
67160 in reply to 67155
emurphy:
Anonymous:

Some of the strings embedded:


IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland



Where is "berufe_cluster" embedded?




errr   here -> 6265727566655f636c7573746572

Data privacy?

2006-04-05 16:04 • by Aleman
Now this may not be as bad as it looks, actually.

Privacy laws in Germany are very strict, and so I am quite sure that there are some formal rules about using (or not using) cookies in the construction of this site, as well as about long-term server-side storage of a user's private (and potentially sensitive) data. This means that using the URL to encode a user's personal data may be the only viable option. (The URL looks like an encoded record of data followed by an underscore and some "real" session ID.)

This strange design "requirement" may also be one of the reasons why this (otherwise incredibly poorly done) web site starts to lose sessions once you use more than one window or more than one tab at a time in a multi-tab capable browser. (Skipping through the job list -- which appears to be flooded with bogus job offers entered by private temp-employment agencies -- over a slow Internet connection using only the browser's "back" button is sure to drive you nuts before even getting to the first serious offer. But then, this is supposed to be your new full-time job anyway...)

Re: The 160 Million Euro Session

2006-04-05 16:04 • by fullstop
67163 in reply to 67158
Anonymous:
What frightens me much more than that absolutely unique identifier is this tabindex="600"!


It is probably an attempt to make sure that the menu is the last item to receive focus when navigating by keyboard.

I personally find it very frustrating when keyboard navigation jumps all over the place.


Re: The 160 Million Euro Session

2006-04-05 16:05 • by HitScan
67164 in reply to 67157
Hey, don't blame us, after they outsourced it to us we outsourced it to India!

Re: The 160 Million Euro Session

2006-04-05 16:07 • by Ford351-4V
67165 in reply to 67150
Anonymous:

Some of the strings embedded:


IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland



I'll take a guess that they are attempting to prevent session hijacking.

Re: The 160 Million Euro Session

2006-04-05 16:08 • by GoatCheez
67166 in reply to 67150
Anonymous:

Some of the strings embedded:


IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland



More (but much less significant):
F
M
PMC
VB!
W3no7?k,

It definitely looks like it's more than a session ID. Data is definitely stored in there...

I went to the site, and the only thing that changes in that session id is everything after the underscore. For me, the text there converted to "oi*JW8G".

Re: The 160 Million Euro Session

2006-04-05 16:08 • by connected

Sounds like more psychological warfare on the angst-ridden unemployed who would commit acts of defiance against their corporo-political gods. Obviously nobody would challenge that sort of security because there is no way they could. Right on!

Re: The 160 Million Euro Session

2006-04-05 16:11 • by Kyle Bennett
Wait, isn't a "Federal Labor Office's" job to find ways to give unemployed people money for doing basically nothing under the guise of being gainfully employed so everyone can pretend it's not a handout?  If so, I'd say this was the most successful software project there has ever been.

Re: The 160 Million Euro Session

2006-04-05 16:17 • by verisimilidude
67170 in reply to 67144
With all the illegal immigrants coming to Germany and trying to get benefits they need a larger number than the number of sub-atomic particles in the solar system.

I suspect the poster who thought that the URL encodes the state of the system in some way is correct.  I don't think I'll try hacking the system however when the system is owned by a major government. 

Re: The 160 Million Euro Session

2006-04-05 16:18 • by sjfsjf
67171 in reply to 67150
Anonymous:

Some of the strings embedded:


...
/tomcat4_poa

...

VB
Borland


Just in case they forget what compiler they were using.

Re: The 160 Million Euro Session

2006-04-05 16:25 • by Otto
67173 in reply to 67150
Anonymous:
Some of the strings embedded:

IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland

Hah. Looks like they're using Borland Enterprise Server and screwed up their pointers somewhere. What you're seeing there is most likely some contents of the stack at some point, with the crap after the underscore being the real session id. There's probably a security hole there somehow as well.


Re: The 160 Million Euro Session

2006-04-05 16:28 • by d4ddyo
67174 in reply to 67136
Anonymous:
i've worked on Accenture engagements and this does not surprise me in the least...  they probably billed out some new college grads fresh from accenture "bootcamp" at 500/hr for that crap....


..and what's worse is that they probably billed that and built the app at their Bangalore location. My experience with Accenture was that they were an army of partners and partners-in-training, with no one left to do the actual work. "Let's schedule a meeting to discuss the next meeting regarding meetings"

Oy.

Re: The 160 Million Euro Session

2006-04-05 16:31 • by spook
67175 in reply to 67150
/tomcat4_poa  ....

"poa" always smells like CORBA.



Re: The 160 Million Euro Session

2006-04-05 16:35 • by RyanD
65M? What the hell? I recently talked with a few of the biggest companies that will host/install their prebuilt employment portals for you and most charge about $30k. I can understand charging more for a custom application, but seriously, for that much money you could practically write the app, os, db and webserver to run it on!

Re: The 160 Million Euro Session

2006-04-05 16:43 • by pinguis
67178 in reply to 67171

...
/tomcat4_poa


...


VB
Borland




----




Are they mixing visual basic, and tomcat/jsp??? WTF???


Re: The 160 Million Euro Session

2006-04-05 16:46 • by fgilcher
67179 in reply to 67176
RyanD:
65M? What the hell? I recently talked with a few of the biggest companies that will host/install their prebuilt employment portals for you and most charge about $30k. I can understand charging more for a custom application, but seriously, for that much money you could practically write the app, os, db and webserver to run it on!


well, 65M was the first estimate. IIRC, the project was stopped short before reaching the 200M mark. Go figure...

Re: The 160 Million Euro Session

2006-04-05 16:48 • by Beau Gunderson
67180 in reply to 67176

IDL:http/ReqProcessor:1.0$ s0202021ëFMPMCIDL:http/ReqProcessor:1.0  berufe_cluster
/tomcat4_poaVISVIS !p"@gg UserRealmVB!BorlandgÊ“0öæósö¾Á˜


...wtf.


http://nickciske.com/tools/hex.php
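The decoding that dave, GoatCheez and Beau Gunderson did by hand (hex to bytes, then read off the readable pieces between the runs of nulls) is the same check a reviewer would run over any opaque-looking identifier before trusting it: a real session id should decode to noise, not to class names and server paths. The following is an added example, not code from the thread or from the site; the byte layout around the posted strings is constructed, and `SAMPLE_TOKEN`, `inspect_token` and the thresholds in `looks_like_serialized_state` are this example's own assumptions.

```python
import re

# Constructed sample in the shape the thread describes: hex-encoded bytes with
# readable identifiers separated by runs of null bytes, then an underscore and
# a short hex suffix. Not the real URL: the strings are the ones posters decoded,
# the null padding between them and the suffix length are made up.
_STATE = (
    b"IDL:http/ReqProcessor:1.0" + b"\x00" * 6
    + b"s0202021" + b"\x00" * 4
    + b"berufe_cluster" + b"\x00" * 3
    + b"/tomcat4_poa" + b"\x00" * 5
    + b"VIS" + b"\x00" * 2
    + b"UserRealm" + b"\x00" * 2
    + b"VB!" + b"Borland"
)
SAMPLE_TOKEN = _STATE.hex() + "_" + b"oi*JW8G".hex()

_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def split_token(token: str) -> tuple[str, str]:
    """Split 'STATEHEX_SUFFIXHEX' at the last underscore (suffix may be empty)."""
    head, sep, tail = token.rpartition("_")
    if not sep:
        return token, ""
    return head, tail


def decode_hex(text: str) -> bytes:
    """Strict hex decode: even length and hex digits only, else ValueError."""
    if len(text) % 2 or not _HEX_RE.match(text):
        raise ValueError("not a hex string")
    return bytes.fromhex(text)


def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def null_ratio(data: bytes) -> float:
    """Fraction of zero bytes; random identifiers have close to 1/256."""
    return data.count(0) / len(data) if data else 0.0


def looks_like_serialized_state(data: bytes) -> bool:
    """Heuristic (assumed thresholds): a random id has almost no null bytes and
    no long ASCII runs; serialized objects or copied memory have both."""
    return null_ratio(data) > 0.1 or any(len(s) >= 8 for s in printable_runs(data))


def inspect_token(token: str) -> dict:
    """Decode both halves of a token and report what leaks from the state part."""
    state_hex, suffix_hex = split_token(token)
    state = decode_hex(state_hex)
    return {
        "state_len": len(state),
        "suffix": decode_hex(suffix_hex) if suffix_hex else b"",
        "strings": printable_runs(state),
        "null_ratio": round(null_ratio(state), 3),
        "serialized_state": looks_like_serialized_state(state),
    }


# Control sample: 64 bytes with no nulls and no ASCII at all (constructed,
# not random), so the heuristic must stay quiet on it.
CONTROL = bytes(0x80 + (i % 64) for i in range(64))


if __name__ == "__main__":
    for key, value in inspect_token(SAMPLE_TOKEN).items():
        print(f"{key}: {value}")
```

The verdict rests on two signals a reviewer can explain: a null-byte ratio far above 1/256, and ASCII runs long enough to be identifiers rather than chance. Either one on a value that is supposed to be a random session id means the id is carrying application state, which is the finding the thread converged on.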

Re: The 160 Million Euro Session

2006-04-05 16:48 • by John
67181 in reply to 67178
I see signs of VB, tomcat/jsp, CORBA, and some random Borland language in there. I'm guessing that that's the reason it's so expensive.

Re: The 160 Million Euro Session

2006-04-05 16:50 • by Howard M. Lewis Ship
67182 in reply to 67132
I suspect that session id is not just the id of the session, but has encoded into it some clustering/routing/failover information. I don't think WebLogic does this, but I believe WebSphere or maybe one of the older app servers does.  Unless Indenture is in the habit of rolling their own application server, this is probably due to their choice of app server rather than a specific design or coding issue.

Re: The 160 Million Euro Session

2006-04-05 16:51 • by Jamie Riden
Bad daily WTF! Bad!

Wrap up an Initialisation Vector, AES encrypted data plus a HMAC in a hex encoding and you will end up with something like this.  I'm not saying that's what they've done, but there are valid reasons for using a 200-odd digit session ID.


Re: The 160 Million Euro Session

2006-04-05 16:52 • by Howard M. Lewis Ship
67184 in reply to 67182
Tapestry tends to encode a lot of stuff into URLs (or hidden form fields), but is nice enough to compress/encrypt/MIME encode it.  That looks like a bunch of hex digits including a lot of nulls.  Not pretty.

Re: The 160 Million Euro Session

2006-04-05 16:53 • by Anita Tinkle
67185 in reply to 67179
Remember what Accenture was called before the big "cool-one-word" (COW) name changes started happening during the dot-bomb era?

You guessed it:

ANDERSEN CONSULTING.

And yes, Andersen consultants were (and still are) some of the most expensive college kids you can bring on.  It's still very much a fraternity atmosphere there.
