Recent Articles

Apr 2006

Insecurity Assessment

by in Feature Articles on

One popular way of finding security holes within an application is to hire a company to perform a thorough security assessment. Generally speaking, these companies do a fantastic job: they know the common weak points and can provide helpful remedies to developers otherwise not trained on security. A little while back, a consultant ("Steve") working at one such company wrote in to share his experiences on one of the more interesting assessments he and his colleagues performed.

This particular client (a brokerage/trader firm) was the only one where their standard assessment procedure did not work. Instead of isolating which web pages had security holes, they set out on a much more difficult task: finding out which ones didn't. Following is a sampling of what they were up against:


The Bug is in the Details

by in Feature Articles on

There's nothing like D[eployment]-day when it comes to finding out how good your code really is. No matter how good your error handling is, no matter how well you've done internal testing, those persistent users can find a bug hiding in any corner. But that didn't bother Sridhar T -- he was confident that his team built a system that would "wow" the customer and that any bugs found would be minor in light of the big picture. He didn't quite expect the exact opposite reaction after deploying a mid-sized, four-module, thirty-six screen project ...

Sridhar,


Functional Multiplication

by in Feature Articles on

A lot of ideas look really good on paper but end up working really badly in reality. It takes a really special idea to look really bad on paper and actually turn out to work really well -- and today is just not a special enough day to feature one of those ideas. Instead, we'll get to see what usually happens when a really bad idea is implemented.

The story is cliché by now -- highly-paid consultants come in, build a system, bill well over their estimate, and leave a half-working mess for the employees to clean up. One of the more interesting bad ideas the consultants had was to use only integers to store all non-textual data. The "Dollars" column, despite its name, really stored pennies, and the "Sale Date" column really stored the year number multiplied by 10,000 plus the month number multiplied by 100 plus the day number (e.g. today would be 20,060,426). This, as you might imagine, leads to incredibly obnoxious code for nearly every operation, such as the addition of a fifteen percent fee on a "dollar" amount ...


Functional Encryption

by in Feature Articles on

Richard's company builds, hosts, and maintains a variety of small- and mid-sized web-based applications for their clients. Recently, one of their clients asked Richard to help audit a fraudulent transaction, which meant that Richard needed to dig through the code to see how to decrypt bank account numbers stored in the database. The search led him to H88493247329(), the method responsible for encrypting customer data. After spending a minute to add line breaks and rename the variables, Richard asked his coworker why he had obfuscated the code. His coworker scoffed: "you should always encrypt your encryption functions -- it's completely insecure otherwise."


More Dynamic-er Than Yours

by in Feature Articles on

When Stephan Jennewein was asked to make a client's site work with Firefox, he didn't think it'd be a big deal. The site was fairly small (15-20 pages), had no dynamic content, and used only a bit of DHTML in the site navigation. Just a few CSS tweaks and some JavaScript hacking, and voilà!, Firefox compatibility. At least, that was the theory.

Despite having static content, the site used a doubly-dynamic method of presenting the data. Every page on the site (well, except for a few) looked exactly like this (well, for the most part), only named differently:


The Inner-Platform Effect

by in Feature Articles on

I'm sure that a lot of you may have heard about "antipatterns." They're more or less the converse of "software design patterns" in that they describe a frequently repeated problem in designing a commonly-occurring solution. I've observed quite a few of these antipatterns in the real world, but noticed that one particularly egregious (though, thankfully, rare) antipattern wasn't documented: I call it the Inner-Platform Effect.

The Inner-Platform Effect is the result of designing a system to be so customizable that it ends up becoming a poor replica of the platform it was designed with. The "customization" of this dynamic inner-platform becomes so complicated that only a programmer (and not the end user) is able to modify it.


Outsourced Property Value

by in Feature Articles on

When it comes to outsourcing software development, I hear quite a few complaints. And not just from the whiny Slashdotters griping about why they can't find jobs, but from real people -- people who have actually worked through it. The number one issue seems to be value: for what they're paying, they're just not getting enough good code. But this certainly isn't always the case.

Take Tommy, for example, who was astonished not only by the sheer amount of code produced by their outsourcing partner, but also by the attention paid to detail. Now I suppose that one might argue that, in a strongly-typed language such as C#, validating that a Boolean is only true or false is unnecessary, but one should consider that doing so increases the lines of code. That, in turn, lowers the cost per line of code. And that, in turn, creates a better value. And who doesn't like value?


Mentors, the Freshmaker

by in Feature Articles on

A few years back, Chris Roberts started his foray into the world of computer programming and, as every newbie should, Chris found a mentor to help get him going. Chris' mentor was generous enough to show him a brand-new project that he had just completed for one of his clients: an ASP-based website to display and maintain listings and reviews of restaurants in a local metropolitan area.

Though Chris was new to programming, he wasn't new to common sense, and some of the things his mentor did just didn't make sense. But Chris didn't question it and just figured that's how things are programmed. A month or so later, after the client had entered a few hundred reviews from their magazine archives, the client requested that the layout of the reviews be changed. They were all minor changes, such as making the header font bigger and left-aligned.


Let's Accessorize

by in Feature Articles on

Property accessors are a pretty useful addition to Object Oriented Programming; they allow for class designers to restrict and abstract what would normally be simple values by using "getter" and "setter" logic. Though properties normally just expose a private variable, sometimes it's helpful to include a bit of additional logic of some sort. Russ noticed that the designers of the "Contact" class he was using didn't quite understand the "a bit" part ...


The Stored ÜberProcedure

by in Feature Articles on

Though they take a bit more time to develop upfront, using database stored procedures is definitely the way to go for most information systems. They provide a looser coupling to the "data layer" by limiting the points of entry and offer stronger cohesion by breaking operations into reusable functionality. That said, I'm guessing that Jon's predecessor was continually reminded with "you should put that in a stored procedure" but didn't quite understand that he could create more than one of them ...


The Enterprise Rules Engine

by in Feature Articles on

With .NET being the next new thing, a lot of companies have been taking the opportunity to revamp and overhaul their existing applications. Today I'll tell a small part of the story of one such organization (a large retail company) who decided to redesign a large portion of their COM-based order-fulfillment system that had been built using the last new thing, Windows DNA.

One of the lessons learned from the years spent building the existing applications was that complex systems with a lot of business rules require a lot of programming code. Unfortunately, the takeaway from that lesson was not that it was essential to organize such code so that it's easier to maintain, but that they should instead invent some way to write a lot of code without hard-coding their code. This is where the Enterprise Rules Engine came in.


The Long Road to Validation

by in Feature Articles on

If you haven't learned firsthand, data validation is a pretty tricky thing to do in JavaScript. There is no built-in isDate() function, so you pretty much have to rely on your Google searching skills to find some validation code. Or, look in some JavaScript book. Or, in the worst-case scenario, actually write some yourself. But thankfully, there's a much more elegant solution to this and most other problems: WebServices.

This way, as the anonymous submitter discovered in a system he was maintaining, you can simply make a call over Ethernet to make a call over IP to make a call over TCP to make a call over HTTP to make a call over XML to make a call to IIS to call the .NET Runtime, which calls the Visual Basic runtime to run its built-in IsDate function.


Client-side PHP

by in Feature Articles on

The introduction of the XMLHttpRequest component (*) opened the doorway for a new breed of "fancy schmancy" web applications like Flickr, GMail, etc. This, in turn, spawned an entire sub-industry and a new series of buzzwords seemingly based on the names of household cleaning chemicals. It even incremented the current version of the Internet to 2.0.

That said, it should come as no surprise that this Borax-technology has also empowered "certain programmers" to create new perversions in information technology never imagined before. Gustavo Carvalho discovered what happens when XMLHttpRequest and the eval() function in PHP are combined. I'll leave it to your imagination as to what the server side looks like ...


Orable Generated Code

by in Feature Articles on

Every now and then, someone sends me some code that was output by some code generation tool. Sure, it's bad, but what can you expect? I mean, I'm not an anti-robotian or anything, but c'mon, machines generating code?

Nonetheless, after seeing what Erich "ammoQ" Kitzmüller sent in from Oracle's SQLDeveloper, I thought I'd make an exception. Following is the PL/SQL code generated when Erich went to add the DATE column "FIREDATE" to the SCOTT.EMP table ...


It Depends on Your Definition of True

by in Feature Articles on

Justin Buist was browsing through some code in his company's ERP system and saw something that piqued his interest ...


Pop-up Potpourri: Tax Time Edition

by in Pop-up Potpourri on

For many more, check out the previous post from the series ... Pop-up Potpourri: Octopurri


When it comes to Digital Rights Management, some software requires that you enter a license key code from the CD case to verify that you own it. Other software verifies the license with Internet Activation. TaxCut's License Verification program, as Kyle Trauberman noticed, just asks nicely ...


Time for a tblHoliday

by in Feature Articles on

For most, the New Year is a great occasion: not only is it kicked off with a big bash, but it's so easy to trick yourself into feeling like you have a "clean slate", setting all sorts of great goals and resolutions, and just all-around feeling good. But for some programmers, like Dave Sussman, it's not such a joyous occasion; each change of the year is like a mini-Y2K. These programmers are the guys who get to maintain systems with comments like ...


The 160 Million Euro Session

by in Feature Articles on

German readers may be familiar with the story of Arbeitsagentur.de, the official website of the Bundesagentur für Arbeit (Federal Labour Office). It's a fairly typical "big business" story: government wants a job portal website, large consulting company (Accenture) bids €65.5M, government accepts, consultants start it but say they need another €100M to complete it, government becomes outraged, news stories are written (like this one), and eventually a horribly slow low-functionality website gets built.

But there's something I just can't wrap my mind around with stories like this. Why do people get outraged at a job portal website costing 160,000,000+ euros? Don't they realize how much enterprise is bundled with a price like that? Can't they understand that the slowness and poor usability are a key part of enterpriseness, and that this is actually a good thing?


Refactoring to the Max

by in Feature Articles on

As a consultant, one of Maarten De Cock's responsibilities is to analyze his client's code, identify where the developers could use improvement, and train them on how to write higher-quality code. Most of the developers that Maarten works with get it: they take in the techniques, apply them, and go back to improve the existing code. Others, not so much.

Following is the refactoring done by a group of developers that Maarten worked with. While they seem to have mastered method extraction and code reuse, they really struggle with understanding where to apply it. The eight places where the authorization logic exists probably would have been a better place to start ...


Search-dot-Bomb

by in Feature Articles on

We've all heard the stories of spectacular failure from the dot-com bubble a few years back. Spectacular failure, however, wasn't limited to just the big names like Kozmo.com, WebVan, eToys, Pets.com, etc. Rob "Scruffy" Rescorla had the pleasure of working at a smaller dot-com that managed to get only a few million dollars in start-up capital ...

Many years ago, I landed a job as a programmer with a search engine/directory company. It seemed like a great idea at the time. Soon, everyone would have free access to the Internet (thanks to the people at FreeInternet.com, NetZero, etc), and they'd want a reliable and trusted way to find things on it. That's where my employer came in.