Don't worry, we won't be returning to WTF University this entire week; just today so that I may share one of Jim Roalef's many experiences in the Student Information Systems department at WTFU. Jim worked for Tom, the full-time Lead Programmer, who lorded it over his student subordinates. Tom believed that, despite only having a solid year of experience outside of his eighteen years at WTFU, he was The Chosen One, responsible for introducing "his students" into the Real World. To give you an idea of Tom's Rule, consider the following.

Ideally, technical debates are resoled when one side provides a comprehensive set of arguments and data that shows that their conclusion/implementation is best. Usually, "real world" time constraints get in the way and the debate ends with, "no, trust me; I've been doing this sort of thing for ten years and have found that this is the best way." In WTFU's Student Information Systems department, all technical discussions are quickly resolved with Tom's famous words: "they pay me a *lot* of money to do this sort of thing; I know what I'm doing."

So, one day, while Jim was in between projects, Tom asked him to do some testing on the new graduate school application system. It had recently "gone live" and Tom still had some money left over in the budget to do testing. Jim was somewhat familiar with the project, as Tom had been working on it for over a year and would occasionally get input confirmation that his ideas were correct on technical issues. After spending a few hours going through the system as a "typical applicant", Jim had a simple list of bugs; nothing major, just a few annoyances such as typos that needed to be fixed.

That's when Jim discovered a rather large security hole. The system stored highly-confidential personal records, such as transcripts, recommendation letters, and GRE scores, in PDF files. When the registration office received these records in the mail, they were scanned, uploaded to the system and then shredded. The PDFs were then made accessible to the applicants so they could verify the correct documents were received. Jim had noticed that the URLs for these documents had a very simple pattern:

http://gradapp.wtfu.edu/appdocs/234.pdf
(234 is the sequential DocumentID)

Naturally, access to these documents was not restricted in any way. Simply changing the document ID would bring up a transcript, test score, etc., of another applicant. Upon noticing this, Jim ran into Tom's office and showed him that he could access the records of any student who had applied to grad school in the last six months. Tom asked what Jim thought they should do.

Jim's response was to "shut down the system immediately, move all the PDF files to an inaccessible directory and write a quick ASP script or ISAPI filter to control access to the files." He even offered to do it, working however many hours were necessary, until the serious security issue was fixed.

Tom response, "Well, you were only able to access them because you're familiar with the technical details of the system. No one else would ever be able to actually figure that out on their own. But, go ahead and work on those other issues you found."

Jim continued working in the department, under Tom, for another year or so as he finished his undergraduate studies. He decided to continue his studies at WTFU in the graduate level, but elected not to use the electronic application system when applying.

Tom found out about this pretty quickly, as Jim was the only application who requested the "manual" process, and asked why. Not wanting to be confrontational, Jim simply replied that he didn't what anyone to think that he may have tampered with his own application, as he was "familiar with the technical details of the system".

Though he stopped working for Tom after he became a graduate student, Jim heard through the grapevine that, despite Tom's vehement objects, WTFU recently purchased a new grad school application system. It turned out that Tom was very skeptical that it could provide the same features that his system did.