- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Delaying comment by 5000ms
Admin
First!
(Oh, god, I can't believe I've sunk so low)
Admin
1... 2... 3... 4... 5...
Maybe it was to make room for "optimisation" later.
Admin
Ah I see that WTF... they just immediately put in the fix and brought with it the speedup. What SHOULD have been done was keep it in their back pocket and only implement it just before pay review time.
Admin
Reminds me of the Speed Up Loop http://thedailywtf.com/Articles/The-Speedup-Loop.aspx
Admin
This guy wanted to be a hero later no so he placed things in there to intentionally make it slow, just so that he could go and save the day later. Brilliant!!!
Admin
Maybe to prevent brute force attacks?
Or more likely job security. I did allocate some almost useless big buffers in an embeded application once, and when time came to optimize memory usage, I just removed them and then I was a hero. That is, until I admited a few seconds later how stupid (or drunk) I was when I first wrote the code.
Admin
I am both disappointed and saddened by this post, moreso than the usual depression that hits with the reading of these. It would have been far better if it slowed waaaaay down once he removed the sleep calls. Ah well.
Good moral though. Maybe he slept with the boss (or the bosses wife) and stuck the code in there as sabotage.
Admin
Parsing error: Mismatched number of quotes detected (").
(A)bort, (R)etry, (T)RWTF?
Admin
It's actually quite a clever way of preventing brute force logins and multiple user account creation. If getProcessingDelay() doubled after each failed login attempt, it would be a pretty effective technique.
Admin
I ran into a similar thing recently. Code I was maintaining waited several seconds before running reports launched from a web site. It used to be that several objects were not thread-safe, so the delay had to be there to ensure that the HTTP response finished before the report started. The objects were later made thread-safe, but the delay was not removed.
Admin
Not so Brilliant when you leave it in there long enough for somebody else to save the day and make you look like an a!!.
Admin
This isn't by chance taken from the new hotmail code base?
Admin
Well, when you sell an application (even web) to your customer you sell it "as it is". So when you later on add more functionality which makes it slower you can be sure the customer will bitch about it. Doing it this way you can later on add features and in the mean time reduce the delay so that in the end it is as fast as before so no one sees a difference in the speed. Even if it could run faster it will always run at almost the same speed. People love what they are used to.
Admin
This surely is just a poorly implemented method of slowing down logins to prevent brute-force attacks?
No one really puts slowdown loops in their applications, do they...?
Admin
that's it. not so brilliant but, eh
Admin
Not sure that fixing a minor usability issue by introducing a brute-force attack vulnerability is quite the best way around things...
It'd be better to remove the delay only for the first request for a given IP and/or username. Even better is for subsequent requests to increase the time required to the point where "normal" usage (one or two password miskeys followed by in) incurs only a small time penalty, barely noticeable on human timescales, whereas "abnormal" situations like a brute-force attack quickly reach a point where each failed attempt takes so long that even a dictionary attack is going to be a life-of-several-universes job.
Admin
Sadly most of my code has plenty of room for "optimisation" at a later date!
Admin
It's a brilliantly implemented method of allowing denial of services attacks though - create thousands of threads which sleep for a long time, eating up resources.
Admin
That was The Speed-Up Delay. He should have changed it to
Admin
public void lay() { try { Bed.sleep(getGirlfriend()); } catch (InterruptedException ignored) {} }
Admin
It seems much more likely that this was an idiot fix to a racing condition that probably has been unwittingly reintroduced by the moron submitter that will end up costing his company millions.
Admin
The anti-brute-force idea is possible. It's also possible that they slowed down by a constant amount to get a more uniform response time.
If the login time is between 0.2 seconds and 3 seconds depending on network load and the number of hops, then the 3 seconds looks very slow. Add three seconds, and you get the login time to be between 3.2 and 6 seconds. Now the 6 seconds doesn't feel slow, because you're used to it taking time to log in.
Admin
Oh well, I would be first if it wasn't for the login delay.
Admin
Probably a concurrency issue. This must have been to avoid using a shared resource (the log file) from two simultaneous threads.
Admin
We had a webapplication once with a 10 second javascript 'delay' that would let your PC count to ten million while showing a 'please wait' screen.
I saw it was completely useless and removed it, because it served absolutely no purpose. Now you would go instantly from screen A to B!
A day later my boss received a phonecall from one of the managers with the complaint that the 'please wait' screen was gone. A few minutes later he told me to put it back.
Admin
Coincidentally, I've spent most of the day looking at completely undocumented sleep calls in our code. Interestingly enough, some of them are for a single millisecond only. Usually TDWTF is a pleasant escape from reality but today it just looks like the same crappy code I'm being forced to work on...
Admin
I vote for #4.
Admin
I just hope the OP TESTED the change, and thoroughly. It could have been in there to fix a really subtle and nasty bug, and not documented by the person who wrote it.
Never change stuff in production. I think that's a bad habit web developers get when their first experience is of HTML, which since it's not a programming language can't go disastrously wrong.
Admin
Wow. Just wow.
Admin
yes. some of us know when to shut up and accept the applause. others of us (myself included) seem to ramble on until no one in the room believes that we could have fixed the problem ... ever.
Admin
Admin
... the LoginAction and SignupAction will get brute-forced a lot faster too!
Admin
FTFY.
Admin
That reminds me of the time, I saw this guy limping. I asked if he twisted an ankle or hurt his leg. He said he just had a pebble in his shoe. I asked if I could have his shoe and dumped the pebble out. He starting walking away and asked for his pebble back.
Admin
Admin
The best way to fix a bug in a multi-threaded application is to throw in a bunch of random delays, and pray that your application never actually has to do two things at once.
Admin
And then failed at it anyway.
Thanks for playing, please don't come around here any more.
Admin
Maybe it's so you can't brute force a login? That's perfectly reasonable. (More reasonable might be to delay 0ms for the first three, then slowly ramp it up, but still).
Admin
Also... millisecond sleep? is that usleep(1000) or what? as far as I know, sleep() is measured in seconds and reduces to usleep(1000000*n) by the time it's compiled and linked.
Admin
Probably an attempt to fix the max(id) + 1 problem from yesterday's post!
Admin
[quote user="kastein"][quote user="Anonymous"] Also... millisecond sleep? is that usleep(1000) or what? as far as I know, sleep() is measured in seconds and reduces to usleep(1000000*n) by the time it's compiled and linked. [/quote]
Then you're looking at the wrong language. This looks like .NET and there Thread.Sleep is in milliseconds.
Admin
CAPTCHA: Damnum, all the people who come up with these things.
Admin
I don't normally make "the REAL WTF is..." type posts but I really have to say this: the real WTF (sorry) is all the people who think that fixed delays are a suitable solution to multi-threading concurrency issues! How have so many people suggested this? It's guaranteed to slow down execution, it's a maintenance nightmare just waiting to happen and let's be honest, once you've got your head around multi-threading it is trivially easy to manage threads properly without ever having to rely on fixed period blocks.
Thanks.
Admin
Looks like a performance loop to me.
Admin
This is usually a sign of somebody trying to cheat a multithreaded application. A Thread.Sleep(1) is effectively <Trigger Interrupt> so that if it's the first thread to get there, someone else gets to go first instead. I'm not advocating the practice, I'm just saying that that's what I've seen it used for. It makes the race condition that they were trying to fix happen less often.
Admin
Admin
Admin
[quote user="Anon"][quote user="kastein"][quote user="Anonymous"] Also... millisecond sleep? is that usleep(1000) or what? as far as I know, sleep() is measured in seconds and reduces to usleep(1000000*n) by the time it's compiled and linked. [/quote]
Then you're looking at the wrong language. This looks like .NET and there Thread.Sleep is in milliseconds.[/quote] Lower case "S" and "D" (in delay). Java
Admin
I think the idea was to slow down spam bots and password crackers, and they were too lazy to have it only delay on repeated attempts.