Admin
Who needs debugger? We, experienced PHP developers, use "echo" statements all the time. Put it here and there and all problems are solved!
Admin
Yup, another WTF perpetuated by a developer with a lack of testicular fortitude, well done!
Admin
After nearly two years, I've concluded that you refuse to proofread articles on purpose ;) - it's your own inimitable trollery against your readers. Like a text-based MFD.
Admin
PAH...I type code by wiping my feet on the carpet and tapping the serial port with my finger and using the static electricity I've generated...
Anyway, I think I've worked at that place...I should dig out some of my old Lotus Notes (v3 !!!) stuff to find a glut of WTFs??!?!!
Admin
No, it's obviously "enbug", which is a synonym of "programming".
Admin
Debugging using Trace statements!?!?! Talk about living in the dark ages!
Amazing how many people haven't heard of "When Hit" breakpoints!
Admin
Well in ASP printf is pretty useless.
Admin
If I had not worked at a bank before I would have thought this story was made up. Now it just brings back bad memories... brrrrr...
Admin
Have you finished that Hello World program yet or do you need another six months?
Admin
As a developer at a bank subject to strict banking secrecy laws, I can explain this.
"if your developers are a security risk you're screwed already"
This sort of fatalism is not acceptable to the customers and share holders of a financial institution.
Code promoted from DEV to TEST must be identical and reproducible. There is no removing debug statements before deploying to TEST and no recompiling with different settings. Any trace statements that would end up in the logs in the DEV environment would go all the way to production, and anyone with read access to the file system (tech support for example) would be able to read private customer information in the log files.
The developers are not allowed to modify or even touch the code past the DEV stage, for security reasons. This is to prevent 'hidden' code ending up in production that can not be traced back to the author in the standard DEV repository. You don't want a contractor to be able to sneak code into production that would add a couple of digits to a certain account, or forward the details of a certain account to someone else.
People who do have access to the Test, Quality Assurance and Production stages are never allowed to modify the package in any way. People who are allowed (and have the tools and access) to modify a package are never allowed access to anything past the DEV stage.
The same applies with regard to remote debugging. If this were enabled, it would potentially be possible to make untraceable changes to the running code, or just to read private and sensitive customer data.
You would think that the bank in the article could save a lot of time and money by installing a local dev server on the development machines of the programmers. I don't know what their reasons are to disallow this, but chances are either the insurance, local laws or the share holders require it.
Admin
Comment? We're a bank! The last thing we want is an end user reading a comment!
Admin
I see your point. To correct and clarify how I feel: not having a debugger is not a WTF. Not having any test environment whatsoever is.
Admin
I agree. I can't remember the last time I needed a debugger. Logging and unit tests do it better, IMHO. And, yes, I am aware of how debuggers work and what they can do.
The real WTF here is that dev managers and what-not couldn't tell the difference between a dev and production environment. As for the "challenge" of having to compile for another platform in order to debug, the WTF there is that the company isn't asking "how can we make tedious, non-business tasks easier or non-existent for devs, so we can maximise production, ergo, teh moneyz?"
Admin
You had ones? Lucky bastard, we only had zeros!
Admin
TYPING in binary? Use a magnetised needle on an open hard drive like the rest of us!!!
Admin
Binary? Cushy.
Real men use a magnetised needle and a steady hand.
Admin
I thought Irish girls mostly brought beer. Or my book. http://thedailywtf.com/tizes/ads/1/wth-ad.jpg (Gratuitous commercial plug.)
Admin
That's a great idea, and -- IF IT WERE ACTUALLY IMPLEMENTED -- would satisfy the whole point of control systems. In my company, though, it was just POLICY, and there were no actual systems in place to PREVENT this. Doing so would become a big hassle, and cost a lot of money, and, well, THAT ain't gonna fly. But unless you technologically prevent this sort of thing, at best you have but a Good Idea (TM). (As an example, it was written policy that it was "security's" job to handle user accounts, but people who had root or administrator on the machines weren't prevented from doing anything they wanted with the accounts anyway.)
What I'm trying to say is that, if your business is "cool" enough to actually, really, truly NEED this kind of control, then, great, put it in your policies, put the systems in place to do it (like mandatory access controls, which is Hard), and do auditing against it.
What I actually have found in real life is that Big Corp goes out and hires Big Auditing Firm who come in with "Best Practices" for everyone BUT the people they're supposed to be helping, and corporate IT policies then come to reflect controls designed for people with MUCH higher and stricter standards than they need. So you get policies but no systems -- rules with no teeth -- and a lot of wasted effort getting around them because if you didn't do so, you'd never get anything done on time.
Meanwhile, everyone gives lip service to the Right Way of doing things, the auditors are pacified, and the end result is that the sort of thing financial controls are supposed to prevent are WIDE OPEN, while upper management thinks that all the i's are crossed and the t's dotted.
Admin
Real men read threads before posting and make up jokes that haven't been heard before.
Admin
I suspect you missed the point. I don't think CWM was trying to discourage contributors. I read his overly cutesy comment letter as actually encouraging TDWTF editors to stop fabricating story structures around submissions, and let the contributions through on their own merit, or at most, minimally anonymized. If you actually read the article, the difference between Mark's voice and the voice of the contributor is painfully obvious, because Mark doesn't seem able to weave the WTFacts into his yarn without hot glue, duct tape and baling twine. This isn't about the author, it's about the editor. Reading comprehension goes best with a helping of common sense.
Cheers,
lw
Admin
And what's this? This confusing subject/object placement in connection with the adjective "abhorrent"...? Does he really think the extraneous facts abhor Creative Writing Major? No, that can't be it...
Hold a tick, I recognize this style of literary abuse! And, of course! ...facepalm... How did I not see it before: Confusing the "author" "retain[ing]" extraneous information, but admitting to increased length? MARK, is that YOU!?
How shameful, it seems you let Creative Writing Major get under your skin enough to flame your own boards anonymously and accidentally admit that the stories are fabricated -- er.. "author"ed -- by the editors.
My, how embarrassing. :$
Admin
Please god, no more lolcats on here. I am beginning to think that there is no safe haven from seeing that retarded #$%!. Seriously they are as mind-numbingly dumb as the ads one sees for "L@@k!!!! OVAR ONE THOUSAND SMILIES FOR FREE!!!111ONE-THOUSAND ONE-HUNDRED ELEVEN!!!!" They have been posted here before but I plead you to have some dignity and don't post them here ever again. This is your blog but seriously show some respect for yourself. You should feel as ashamed for posting it as you would be if you ever installed BonziBuddy.
Admin
Out of curiosity I just tried this. I put Pokipsy into wikipedia's search... it took me directly to the article on Poughkeepsie, New York.
I guess the original assertion, which did specifically mention wikipedia, for good or ill, is correct.
Admin
At the banks I've worked for, it goes a lot further than just lip service. The laws of various countries (e.g. Luxembourg, Switzerland) require a high degree of confidentiality. The development team couldn't even get a copy of the log files in case of a bug. You would get manually audited fragments.
I can't think of a reason why a customer would ever need that level of privacy other than for tax evasion, but that's another matter.
Admin
A former boss actually told me that at one point. But I managed to keep a straight face. :)
Admin
There are ways to minimize that risk. What I do is start all my debug printf()s in the leftmost column of code, to make it extremely obvious that they are only meant to be there temporarily.
Finding them before a checkin is a simple matter of 'grep ^printf *.cpp' (or your favorite equivalent). If you wanted to, you could even put in a SVN hook that would reject commits containing any lines with ^printf in them.
Or if that's not enough, you could just do the easy thing and have a special debug_print function that is a no-op when executed on the production server.
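
The commit check suggested in the comment above, sketched as a Subversion pre-commit hook. This is an added example, not part of the original post; the function names `scan_stream` and `check_transaction` are hypothetical, and only `.cpp` paths are scanned, matching the comment's grep.

```shell
#!/bin/sh
# Added example: reject commits that still carry column-0 debug printf lines,
# so temporary trace output cannot ride an identical build into later stages.

# Read file content on stdin; $1 is the name to report.
# Returns 0 and lists the offending lines on stderr if any line starts with
# printf in column 0, returns 1 if the content is clean.
scan_stream() {
    hits=$(grep -n '^printf') || return 1
    printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$1" "$line" >&2
    done
    return 0
}

# Pre-commit logic: $1 = repository path, $2 = transaction name.
# Returns non-zero if any added or modified .cpp file fails scan_stream.
check_transaction() {
    svnlook changed -t "$2" "$1" | {
        bad=0
        while read -r action path; do
            case $action in D*) continue ;; esac         # deleted: nothing to scan
            case $path in *.cpp) ;; *) continue ;; esac  # same scope as the grep
            if svnlook cat -t "$2" "$1" "$path" </dev/null | scan_stream "$path"; then
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}

# Subversion runs the hook as: pre-commit REPOS TXN. A non-zero exit rejects
# the commit and the stderr text is shown to the committer.
if [ "$#" -eq 2 ]; then
    check_transaction "$1" "$2" || exit 1
fi
```

Indented `printf` calls pass the check; only the leftmost-column convention the commenter describes is treated as a debug marker.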
Admin
Nah, as opposed to those of us who pound out some code that compiles and looks like it might work, but never go back to carefully review what we've written. Easier to just wait for the QA team to test it for us, no? :^)
Admin
The rest of us mere mortals sometimes have whole minutes where we know we made a mistake and need to find it, and having tools to help us find our mistake is something we're ok with.
A bug is a mistake? It means you did something wrong? And a mistake is "a personal failure"? Well, I guess that's working out for you, so that's cool.
But I tell you, I'll be on my knees praising the first deity to claim credit for giving me a boss who isn't as much of a hard-ass perfectionist as you are.
Admin
Your devout belief that one man fighting alone against overwhelming odds can fix all corporate problems merely by the power of balls is an inspiration to all of us weak and helpless cowards.
In fact, I'd be prepared to go as far as saying that your entire life is a testament to balls.
Admin
"Write it in native binary like a man, chuck." That's right! screw hex, yay binary! My keyboard has only two keys... "0" and "1"
Admin
I'm still surprised by how few developers in the working world seem to know that debugging even exists.
Admin
That's pretty daft. It should be pretty easy to set up secure debugging.
The big WTF here is obvious. Without having a good system for finding problems in code and testing there's an even greater chance of a bug occurring that allows people to violate security.
Admin
Writing native binary?
A real man creates software by tapping on the CPU with a pair of drum-sticks, bud.
Admin
As someone who spent about 5 hours last night alternating between the Visual Studio debugger and WinDbg trying to diagnose a "problem" that turned out to be a consequence of either corrupted debugging symbols or a broken debugger, I'm getting a kick out of this thread.
(For WinDbg people, this is a couple commands I ran after a line in std::vector::_Insert_n that said "_Ty _Tmp = _Val;". _Ty is a template parameter, in this case std::string. _Val is a parameter, declared as "_Ty const &".)
(I've edited that a little bit. The relevant stuff is still left.)
Note that it sees _Val as a string * and _Tmp as a string. However, it thinks the offsets of the members are different.
It says that _Bx (the backing store in MS's string implementation*) is at offset 4 in _Tmp (which is right) but offset 8 in what _Val points to.
Furthermore, everything is shifted 4 bytes: the first 4 characters of the string are truncated in _Val since it thinks it starts 4 bytes after where it is. It thinks that _Mysize has value 0xf in _Val because it thinks it's at offset 0x18; in actuality, offset 0x18 is _Myres, which you can see has value 0xf in _Tmp. Finally, _Myres in _Val then gets shifted off to memory following that, which in this case is the characteristic 0xCCCCCCCC.
Note that all this is after copying from _Val (the broken one) to _Tmp (the correct one), so the data is there. (The debugger showed the same stuff before the declaration of _Tmp too, just for the record.)
Basically wherever I looked around that point, string objects were displayed fine, but string * and string & objects were broken.
I shouldn't have relied on the debugger being correct for as long as I did, but I haven't seen any issues like this before in unoptimized debug code.
Admin
native binary?? We use electrons!
Admin
Heard it all before:
"Unit testing? We don't do unit testing because it takes too much time".
(From a project manager) "You developers need to do it once and do it right!"
When you are unable to do your job because of the stupidity and/or arrogance of your 'superiors' it is time to move on.
Admin
And despite many banks having such tight security rules, half the major banks still had SQL injection issues on their login screen for months after SQL injection became a well publicised problem.
Admin
One of our developers' wives can't see why we don't just write the code properly in the first place. I suppose she has a point, if you wrote it without bugs it would cut out a lot of testing time.
Admin
The problem there is naive upper echelons entrusted the wrong person to set and fix development standards. In those situations, you can almost guarantee it's one person making that rule. Generally that person has been around forever, or left a legacy so strong no one re-examined policy.
Yeah, corporate environments breed that, but there's 80 people in that office that can poke their heads up and say something about it.
Admin
What about writing unit-tests? You shouldn't need a debugger if your code is properly unit-tested.
Admin
Real programmers use a magnet and a steady hand... http://xkcd.com/378/
Admin
Remote Debugging: "what's that? Like putting Response-dot-Write statements in and stuff?"
classic asp.WTF, ROFLMAO, had these guys ever stepped thru lines of code in their lives? I suppose the manager worried code comments could be reflected by "problom people" who download DLLs off the server... debugging is risky:)
Admin
No, it was definitely UBS. This coming from someone who will be getting the hell out of there at the earliest opportunity (which, with a 3 month notice period, can't be early enough!) precisely because of bone-headed, futile, bureaucratic measures, similar to the one described in the article, to counter perceived and misunderstood security risks. Bet you the cube farm was the one in Opfikon, too.
Admin
TRWTF is that he was going to attach a debugger to a program running on a local testing server. Think of all the security issues!
Admin
http://xkcd.com/378/