• A Gould (unregistered) in reply to Aidan
    Aidan:
    TRWTF is this: "four-digit PIN number" It's PIN, not PIN number.

    Just a side effect of acronym ignorance - people know what a "PIN" is without knowing what PIN stands for.

  • pickybastard (unregistered)

    The real WTF is that you keep using the phrase "PIN number". I don't think it means what you think it means...

  • rbonvall (unregistered) in reply to OldGrover
    OldGrover:
    Why on earth would the timeout depend on the password? That makes no sense at all...

    Welcome to TheDail^H^H^H^H^H^H^HWorseThan^H^H^H^H^H^H^H^H^HTheDailyWTF!

  • (cs)

    I wonder if I'm right when I say "I think I've seen this happen before".

    #1 GetTimeout() isn't supposed to return a specific value, just one large enough to not timeout for a while

    #2 GetTimeout() is used by the authentication code as a means of obtaining the PIN without giving away the fact that it is, in fact, getting the PIN: a bit of obscurity as security.

    So changing it to add a thousand (or anything else) would indeed break the login.

  • An apprentice (unregistered) in reply to OldGrover
    OldGrover:
    Why not just:

    function getTimeOut() { return 2000; }

    Why on earth would the timeout depend on the password? That makes no sense at all... someone was smoking something when they wrote that function.

    If you make the timeout not constant, but rather changing on a case-by-case basis, you give less information to a potential attacker, thereby greatly increasing security! It's called, uh, encapsulation. I think...

  • (cs) in reply to lazarus84
    lazarus84:
    That's some badass intuition right there... how did he make the link between "timeout" and "pin"? Or did I miss something?
    Meh, not so much...

    Troubleshooting code in 8 parts:

    My PIN works, his doesn't; set my PIN to his ->
     Initially works ->
      Subsequently stops working in a short period of time ->
       Timeout value? ->
        Look for $_SESSION['TIMEOUT'] in code ->
         Find timeout set to output of function ->
          Find function ->
           Discover previous developer is an asshat
    

    Fin.

  • Jax (unregistered)

    Wow what a great trick, i'm inspired!

    int orderNumber = getOrderNumber(); int orderQuantity = getOrderQuantity();

    public int getOrderQuantity() { return customer.age; }

    Now I don't need to implement a quantity dropdown!

  • lazarus84 (unregistered) in reply to caffeinatedbacon
    caffeinatedbacon:
    lazarus84:
    That's some badass intuition right there... how did he make the link between "timeout" and "pin"? Or did I miss something?
    Meh, not so much...

    Troubleshooting code in 8 parts:

    My PIN works, his doesn't; set my PIN to his ->
     Initially works ->
      Subsequently stops working in a short period of time ->
       Timeout value? ->
        Look for $_SESSION['TIMEOUT'] in code ->
         Find timeout set to output of function ->
          Find function ->
           Discover previous developer is an asshat
    

    Fin.

    Ah, good point. I missed the part where he saw that the code stopped working in a short period of time.

    That'll teach me to skip critical reading classes...

  • Obi Wan (unregistered) in reply to rd
    rd:
    Chancy:
    dtfinch:
    Fixed it: function getTimeOut() { return 1000+(int)$_POST['pin_number']; }

    That's assuming getTimeOut isn't actually used for PIN validation somewhere . . .

    You're assuming quite a bit there, aren't you?

    Given the original setup of the PIN being the user's timeout, nothing would be out of bounds in terms of assumptions about THIS code.

  • bvs (unregistered) in reply to dtfinch

    pin_number = 9999 ?

  • (cs)

    grumble grumble PIN == Personal Identification Number. "PIN Number" is redundant! It's as annoying as signs that say "ATM Machine"

    Edit: Oops, looks like some other people already mentioned that pet peeve of mine.

  • (cs) in reply to /dev/null
    /dev/null:
    I wonder if they were the TPS reports...?
    I think you should ask one of the Bobs about that.
  • mccoyn (unregistered)

    Here are my guesses why this code was written.

    1. The developer wanted to be able to quickly test the timeout functionality by creating a test user with a low-valued PIN.

    2. The developer didn't want to live with the policy of timeouts every hour so he put in a back door.

  • Dax (unregistered)

    I can't quite decide if this is a WTF or a totally epic code hack.

  • (cs) in reply to dtfinch
    dtfinch:
    Fixed it: function getTimeOut() { return 1000+(int)$_POST['pin_number']; }
    <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="POST"> <input type="hidden" name="pin_number" value="-1337" /> <input type="submit" name="submit" value="Time Out Before You've Even Logged In" /> </form>
  • Distiller (unregistered)

    This guy is so weak for not changing the code

  • jmcnary (unregistered)

    I wouldn't have assumed anything evil or malicious or even intentionally stupid about the original programmer. I think that it's just a copy-and-paste error: Originally, they had a method to get the PIN. They introduced a timeout variable, and the developer copied the method getPIN() and renamed it getTimeOut() -- but forgot to change the key it used to look up the variable. Since everything seemed to work, it went into production.

    But that's just me. Without seeing the rest of the code, I wouldn't know for sure.

  • (cs) in reply to Kluge Doctor
    Kluge Doctor:
    Someone help me out here...
    1. Gollum
    2. Yoda
    3. ???
    4. Profit.

    Sorry. I believe that's an overused joke from somewhere, but never saw the original.

  • David (unregistered)

    The timeout should just be hard-coded at 15 or 30 minutes (or have it set in a config file).

  • tezoatlipoca (unregistered) in reply to Liquid Egg Product
    Liquid Egg Product:
    Kluge Doctor:
    Someone help me out here...
    1. Gollum
    2. Yoda
    3. ???
    4. Profit.

    Sorry. I believe that's an overused joke from somewhere, but never saw the original.

    In Soviet Russia, jokes overuse you! (Slashdot meme)

    Captcha: secundum - no thanks, already ate.

  • Matthew (unregistered)

    You know, I'd probably reach a compromise on this one: leave the code WTF in, just so long as people stop bloody well saying PIN number.

  • Rex (unregistered) in reply to Jonathan Holland
    Jonathan Holland:
    You crazy PHP monkeys, in ASP.NET, we just leak an arbitrary amount of memory knowing exactly how long until the leak forces the application pool to recycle.

    Then once it does, all the sessions are cleared.

    :)

    It's funny because it's true!

  • (cs)

    Ah, old 7734, from the classic days of turning LED calculators upside down to spell, well, basically HELL and BIG.BOOBS and not much else.

  • (cs) in reply to Mr. Bean
    Mr. Bean:
    TRWTF is this: "four-digit PIN number" It's PIN, not PIN number.
    Personal Identification Number Number. In other words, the amount of identification numbers you need.

    Hehe. I work in telecoms. In my code dealing with call statistics, I have variables like $numnums which is, of course, the number of phone numbers dialled in a given time period.

    I've been sitting here thinking how much more satisfied I was in my old telecoms job until you said that and reminded me of some truly awful variable names.

    But now as I'm writing this, I'm remembering my recent fiasco trying to figure out the difference between sAccountName, sFundame, cAccountFundCode, cFundName, cFundCode, and cFundAccountName. I guess stuff like that happens everywhere.

    bIgnoreStandardsToSupportCustomerName at my old job was my favoritest variable name ever though.

  • Bob N Freely (unregistered) in reply to corned_beef
    corned_beef:
    Ah, old 7734, from the classic days of turning LED calculators upside down to spell, well, basically HELL and BIG.BOOBS and not much else.

    5318008

  • (cs) in reply to pickybastard
    pickybastard:
    The real WTF is that you keep using the phrase "PIN number". I don't think it means what you think it means...

    Why do people say things like "SCUBA diving"? I mean, by definition you're going to be underwater when using your self contained breathing apparatus, so do you really need to specify that you're diving?

    As a fan of recursive acronyms, I've come to see redundant ones as a close cousin, and therefore something to be appreciated. You know your acronym has made it big when people use it without having to know what it actually stands for.

  • (cs) in reply to pickybastard
    pickybastard:
    The real WTF is that you keep using the phrase "PIN number". I don't think it means what you think it means...
    Absolutely right. It stands for "Penis Increment Narcotic."

    My grandmother knew Errol Flynn, and I have worked for several major credit card companies. I Know These Things.

    Unfortunately, I can't tell you the unit of calibration, because then they'd have to chop mine off.

    I look forwards to the unsolicited adverts for Viagra below this.

  • (cs) in reply to Dax
    Dax:
    I can't quite decide if this is a WTF or a totally epic code hack.
    Epic? Ten seconds is hardly epic -- or indeed epochal (assuming that the timeout is measured in seconds). Ten milliseconds (more normal) is not epic. On Solaris, ten nanoseconds is not merely epic, but not actually supported by the chip, however good it might be.

    Epic?

    I would offer the Modest Proposal that this is evidence of an insane disconnect between the back-brain and the anus. In what way does it make sense to correlate a session timeout with the password supplied?

  • Steve (unregistered)

    Why on earth would anyone want the timeout to vary by user?

  • (cs) in reply to Liquid Egg Product
    Liquid Egg Product:
    Kluge Doctor:
    Someone help me out here...
    1. Gollum
    2. Yoda
    3. ???
    4. Profit.

    Sorry. I believe that's an overused joke from somewhere, but never saw the original.

    It's originally from South Park. In the episode Underpants Gnomes, said gnomes' business plan was:

    1. Collect Underpants
    2. ?
    3. Profit

  • Publius (unregistered) in reply to Aidan

    The consensus among English professors is that ATM machine and PERL language are not redundant, because the initialism becomes its own word. A word that out of context can't stand on its own without an added specifier. Does the author mean a PIN diode or a PIN number? (In this case it's obvious but in others it's certainly not.)

    Still I think this situation could be avoided by saying AT machine and PI number, following the example of "MAO inhibitors" (instead of MAOIs).

  • (cs) in reply to vt_mruhlin
    vt_mruhlin:

    Why do people say things like "SCUBA diving"? I mean, by definition you're going to be underwater when using your self contained breathing apparatus, so do you really need to specify that you're diving?

    I can't think of anyone I know who regularly uses "SCUBA dive" unless they're differentiating it from "board diving" or "cliff diving". Usually, you'd just say "a dive", as in, "I'm going for a dive on Saturday."

    Also, I know people who have gone "drowning" while wearing SCUBA gear. (One of the guys I did AOW with died on a later dive.)

    The U is for Underwater, and that differentiates it from SCBA, which can't be used underwater (except when it is.)

  • ach (unregistered)

    So I believe what you all are saying is that "PIN number" is the real WTF fuck.

    (or is that WTF failure? hm..)

  • WTF Fuck (unregistered)

    The real WTF is that there is no WTF. $pin_number actually stands for Periodic Identity Neutralization number - the system is operating as intended, and there is no redundant acronymization with the variable name.

  • Daniel F. (unregistered) in reply to dtfinch

    And what if getTimeOut is also used to verify the PIN on login?

  • no name this time (unregistered) in reply to Eric

    I've been programming for a long time and I can never understand the mindset that allows programmers to make choices like this.

    I suppose it seemed clever at the time.

  • (cs) in reply to Daniel F.
    Daniel F.:
    And what if getTimeOut is also used to verify the PIN on login?
    Yes, I think we've done this one. Is reading comprehension still part of the SAT test?

    (Sigh. test used <sarcastically> there </sarcastically>).

  • Your Name (unregistered) in reply to Daniel F.

    Actually, I was thinking it was more along the lines of a hack to prevent people from logging in if they didn't provide a PIN.

    If there's no PIN supplied, then getTimeOut() would return 0, NULL, or false (commonly interchangeable in sloppy PHP), making the person's session immediately time out.

    Instant timeout = failed login attempt

  • (cs) in reply to Bob N Freely
    Bob N Freely:
    corned_beef:
    Ah, old 7734, from the classic days of turning LED calculators upside down to spell, well, basically HELL and BIG.BOOBS and not much else.
    5318008
    Reminds me of Dinosaur Comics: Investment goals.
  • (cs) in reply to vt_mruhlin
    vt_mruhlin:
    pickybastard:
    The real WTF is that you keep using the phrase "PIN number". I don't think it means what you think it means...

    Why do people say things like "SCUBA diving"? I mean, by definition you're going to be underwater when using your self contained breathing apparatus, so do you really need to specify that you're diving?

    As a fan of recursive acronyms, I've come to see redundant ones as a close cousin, and therefore something to be appreciated. You know your acronym has made it big when people use it without having to know what it actually stands for.

    I usually just say "I'm going Self Contained Breathing Apparatusing". People ALWAYS know what I mean.

  • SeaDrive (unregistered)

    re: "PIN Number"

    William Safire said OK to "SALT Talks."

  • (cs) in reply to Aidan
    Aidan:
    TRWTF is this: "four-digit PIN number" It's PIN, not PIN number.
    It's my Personal PIN number you dolt.
  • Rohan Prabhu (unregistered) in reply to dtfinch

    how about just..

    return 1000 + (enter_some_time_here);

    if he was so wise as to delve into the code.. why didn't he just make that simple change in the function rather than have to reset his pass to some 1000+ value to make a totally non-sensical system work...

  • room34 (unregistered)

    This just hurts my brain. As confused, convoluted, flawed, and otherwise bad as most of the other WTFs are, this one truly blows my mind. How could anyone -- ANYONE -- ever think to write code like this???

  • Joe in Australia (unregistered)

    It looks like a kludge to lock people out. Suppose there was originally no way to lock people out, and for some reason there was no easy way to add a flag that would let you tell if someone was allowed to log in. If you set someone's personal identification PIN number to zero they can't log in, because the system will immediately timeout. So, you've got a lock-out mechanism that will work well for 99% of all PINs. It's an ugly kludge, but who knows what they had to work around.
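Worked example of the mechanism that "Your Name" (instant timeout when no PIN is sent) and the lock-out kludge above both describe, written as added PHP; it is not code from the article or from any commenter, and the session key LOGIN_TIME, the config key session_timeout_seconds and the function names are assumptions.

```php
<?php
// Added example, not code from the original article or thread.
// Assumption: each session stores a login timestamp (LOGIN_TIME) and a
// timeout in seconds (TIMEOUT), and every request runs isSessionAlive().

// The pattern the thread describes: timeout taken from the submitted PIN.
// No PIN or PIN "0000" gives 0, so the session is dead on arrival;
// PIN "7734" gives a 7734-second session. Kept only to show the failure mode.
function getTimeOutFromPin(array $post): int {
    return (int)($post['pin_number'] ?? 0);
}

// Hardened form: a fixed timeout read from configuration (David's 15 or 30
// minutes), independent of anything the user typed into the login form.
function getTimeOutFromConfig(array $config): int {
    $seconds = (int)($config['session_timeout_seconds'] ?? 900);
    return $seconds > 0 ? $seconds : 900;   // never allow a zero/negative timeout
}

// Server-side expiry check; a missing field is treated as an expired session.
function isSessionAlive(array $session, int $now): bool {
    if (!isset($session['LOGIN_TIME'], $session['TIMEOUT'])) {
        return false;
    }
    return ($now - $session['LOGIN_TIME']) < $session['TIMEOUT'];
}

// Constructed inputs, not captured requests.
$loginTime = 1700000000;
$config    = ['session_timeout_seconds' => 1800];
$cases = [
    'no PIN in POST' => [],
    'PIN 0000'       => ['pin_number' => '0000'],
    'PIN 7734'       => ['pin_number' => '7734'],
];
foreach ($cases as $label => $post) {
    $wtf   = ['LOGIN_TIME' => $loginTime, 'TIMEOUT' => getTimeOutFromPin($post)];
    $fixed = ['LOGIN_TIME' => $loginTime, 'TIMEOUT' => getTimeOutFromConfig($config)];
    printf("%-15s pin-derived alive after 60s: %-3s config-derived: %s\n",
        $label,
        isSessionAlive($wtf, $loginTime + 60) ? 'yes' : 'no',
        isSessionAlive($fixed, $loginTime + 60) ? 'yes' : 'no');
}
```

With the PIN-derived timeout the first two cases report "no" one minute after login, which is exactly the "instant timeout = failed login" behaviour the comments rely on; the config-derived timeout reports "yes" for all three.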

  • hai2u (unregistered)

    The real WTF is using 4-digit numbers for authentication, let alone authentication info as a timeout.

    Also, Nintendo NES System.

  • Phleabo (unregistered) in reply to Publius
    Publius:
    A word that out of context can't stand on its own without an added specifier. Does the author mean a PIN diode or a PIN number?

    All you're really saying is that a word without context needs context. If I say "tree" to you, it's about as meaningful as "PIN." Perhaps you imagine an oak or pine, but I was actually talking about syntactic parse trees. All words depend on their use context for their expressive power.

    Publius:
    Still I think this situation could be avoided by saying AT machine and PI number, following the example of "MAO inhibitors" (instead of MAOIs).

    Yeah, but why bother avoiding the situation? Nobody actually misunderstands when someone says ATM machine or PIN number, despite the prima face redundancy. And, I'd imagine that most of the people carping about it here would actually produce sentences containing the phrase "PIN number" and "ATM machine" in normal speech, if they weren't deliberately trying not to.

    It's not that different from the silly prescriptive grammatical rules they make you learn in grade school. You're told, for example, that it's wrong to end a sentence with a preposition, despite the fact that it's quite natural and common in English (and has been for most, if not all, of its history). It's a post-hoc justification for some personal prejudice.

  • squigley (unregistered) in reply to Mr. Bean

    In my code dealing with call statistics, I have variables like $numnums which is..

    What does bird food have to do with it? mmm, birdy num nums

  • Ethan (unregistered)
    Fearing that he'd break the old PHP system
    A real WTF. What's worse, the developer who writes bad code or the developer who let's bad code live on out of fear and superstition?
  • /dev/null (unregistered) in reply to Kluge Doctor
    1. ??? == Paul :-P

Leave a comment on “Biltmore Can't Log In”