Admin
Addendum (2008-12-05 08:16): I must correct myself: the s|z change comes about because of French, not Latin. I don't fully understand that myself. Not to mention the fact that many -ise / -ize words have a correct and standard noun form ending -ist. So yes, a theorist theorizes (rather than theorising, you understand). That's Greek for you...
Admin
I'm surprised[1] no one has yet brought up ubersoldat's misuse of "this", where he means "these". Or possibly "theze".
[1] Though definitely not "surprized", as the word came into English through French.
Admin
';DROP TABLE users;
Admin
just checking
Admin
So, are you from Cambridge, or did you just go to Uni there?
Admin
My friends, why do we always have to argue about regional differences in spelling and grammar? The vast majority of people on this site are industry professionals with years of experience in writing and maintaining expansive enterprise applications. Yet we can't even have a friendly discussion without someone shouting out "you spell that word different to me, you're STUPID and so is your STUPID country".
I truly don't understand why so many people on this site behave like school children. Actually, that's not fair - because this would be immature behaviour even in school.
That's all I have to say. So, are we going to try to get along or are you all going to berate me for spelling "behaviour" in the British form instead of the American form?
Admin
oh i have been there. experienced that exact same situation.
this story was like a page out of my diary -- except that i don't have a diary and if i did it wouldn't have pages just bytes.
Admin
Depends what you mean: I'm not originally from Cambridge but went to the University and have lived here ever since.
And sorry for not noticing your subtle comment: Muphry's (sic) law applies at least twice ;)
Admin
It is true that organisation was spelled interchangeably with "z" or "s". It was standardised (note the "s") by Dr. Johnson with his dictionary, which superseded the previous attempts at dictionaries and became the only correct spelling.
As for those across the pond, they emigrated there before this happened so can't be blamed for it all.
The fact that OED even lists variants has made me deliberately ignore any new editions. They are basically saying it is correct spelling when it isn't (in this country). Pupils have been marked down for American spelling (even if it is in OED) and a good thing too. English is hard enough for the dyslexics without variant spellings and non-existent words (like "incentivize").
Admin
1,000 Million?
Admin
I am adamant that this comment.
Captcha: Validus
Admin
What amazes me each time, is how hard it is to get management and the technician/programmer to communicate.
It seems a lot of us have a big problem to be acknowledged to be right, even if we are right.
I've been in similar situations myself. I once could not convince my boss to buy me 512MB of RAM so I could run my computations, because he would not spend any money unless I could show him exactly how much the company would save if I could run my computations. The irony: the computations were supposed to show how much money we could save. (I'm talking easily 10 million euros or more annually, because it was about forecasting nationwide electricity usage.)
It still is one of the most frustrating moments of my life that I could not get someone to spend 50 euros to save possible millions.
What is so fundamentally wrong that this kind of communication fails all the time?
What should the submitter of the story have done differently to get management to realise the errors of the website design?
Anyone have a clue?
Admin
DreamWeaver, FrontPage, and Notepad are just tools.
You can code a beautiful site in Notepad (yeah, I know, REAL programmers use COPY CON PROGRAM.EXE), and you can create a pile of crap in DW. Or the other way around.
Don't blame the tools. Blame the complete lack of any type of education regarding good design, common sense, and basic understanding of usability.
Admin
Well, over 9000 to be sure.
Admin
I remember experiencing some second-hand pain with an outsourced marketing website a few years ago.
It was ASP, and had an excellent search function. You filled in your search term, hit search, at which point it would read the full text of all files in the web application directory trying to find exactly matching text. No indexing. On demand. Including the source code of all ASP files. So you could search for "<!--" and it would match every single page in the site. Also, if you hit search too many times, funnily enough it would slow to a crawl...
Admin
I prefer this:
(emphasis mine) That was copy/pasted from Wikipedia but matches what I was taught in school and have known as the definition of "profession" since I was a child.
So I'm not redefining but using the common definition.
There are professional societies for IT. There is certainly a particular vocabulary. Where are the ethics and standards of care?
That depends. If she is responsible for bridge safety (like the IT guy was taking responsibility for IT security) she has not only the right but the responsibility for vetting the 3rd party work and authorizing changes to the design. There is no need to be installing beams at night. If she is an engineer she should stamp her changes and send a work crew. She is going to need to document the work and get it paid for anyway. That sort of thing happens all the time in bridges -- and IT. The English tradesman is neuter. :)
Admin
There are no professional societies for IT. There are attempts but until they are recognized by the government as having some authority, they are nothing more than glorified clubs.
Let me know when one of them lets me say to my employer "That is against code and potentially dangerous. I will not do it and I will not order others to do it. If I find that you have found someone who is not a member of our organization to do it for you, I will report you to the proper authorities who will force you to do it properly or stop you from doing it at all."
If I don't have that right by being a member of an organization then that organization is not a professional society.
So I guess I agree that IT folks are not "professionals" but I strongly disagree that it's due to their actions/inactions. It's because of all the untrained bosses' nephews that fuck everything up.
Admin
Professional societies don't need government recognition. Glorified club is good enough. Law gives a great example: The Bar Association is the professional organization of lawyers, right? Everyone knows that. Lawyers are supposed to be members of their State Bar Association in good standing. The Bar Association can field complaints about lawyers and even sanction lawyers -- punish them -- for misconduct, failing to maintain standards, or even for the types of ads they run. If a lawyer insists on running ads that promise victory he will likely be thrown out of the Bar Association.
Being a member of the Bar Association is not required to practice law in many states. That's despite the fact that "Bar" comes from "admission to the bar", which is the grant of permission to practice law by a court. You can be admitted to the bar without being a member of the Bar Association. Yes, it is a requirement in others... but you cannot argue that the lack of government recognition makes the bar association all that much less relevant, or a lawyer less of a professional bound to ethical guidelines, in one state vs another.
How does it work? I happen to have a relative who practices law though he is not a member of his state bar association. He has a law degree, he is licensed by his state, has been admitted to the bar, but he never joined the bar association. Dumbest move he could make IMO because he is stuck working for the state (which of course doesn't care about no stinkin association membership), family (at a major discount), or outside of the legal industry -- no member of the bar association will hire or recommend him as a lawyer and most prospective clients leave when they realize he isn't a bar association member in good standing. It's strictly cultural -- no law prevents him from working and in fact he has mostly worked for the state -- but people hiring lawyers go to other lawyers for advice and they won't recommend him so he gets paid half of what a "real" lawyer would for the same work. He's just freaked out by the association admissions requirements and comfortable with the dregs he can get outside the association so he doesn't join...but if he did he would double his yearly income and get a lot more respect.
It's a culture we in IT are fully capable of adopting right now without any government regulation. And yes, the requirement is that we act like professionals.
Or not... there is nothing wrong with being tradesmen. Overtime is nice.
Admin
I just found this:
http://www.harmony-framework.com/
WTF?
Admin
Lawyers get paid by the hour. Most Software guys don't.
Admin
Companies that sell custom software usually bill by the hour. They may or may not pay their programmers by the hour.
If you contact my employer and ask for a service that takes an hour of my time they will bill an hourly rate of several hundred dollars. That does not mean that I am paid by the hour or that I receive several hundred dollars per hour.
In any case the lawyer and programmer are considered "exempt" from overtime under US labor law. So where a pump repair person (salaried or hourly) would usually go from $N/hr to $1.5N/hr after 8 hours per day or 40 per week actually on the job, the lawyer and programmer stay at N whether they work 40 hours or 90...even if they can be fired for working 39 hours. Go figure.
Admin
Absolutely. Brandon supported the business needs of his company by ensuring that their site would be findable by potential customers and that their data assets would be safe from malicious users. As you said, IT's responsibility is to make sure the site can "work to market and sell the product." It can't do this if it can't be found by google users. It can't do this if the database for the site is corrupt or destroyed. Therefore, by your own argument, Brandon performed precisely his job.
Admin
Good to see that my argument was understood.
Admin
What annoys me is that these kind of douche bags seem to be in every company. I get tired of hearing this stuff day in and day out in my job. Please tell me there are companies where everyone is smart and has a clue?
Admin
In a totally unrelated coincidence, the office building burned down later that day. Strange. At least it was a good way to learn a lesson about fires.
Admin
Notepad is decadent. Real men use Vim.
Admin
Our decisions create our real worlds. Seems mine is different from yours. So long as we're both happy....
Admin
The company owns the SQL database server, right? Limit the username given to the 3rd party developers.
REVOKE ALL PRIVILEGES ON the_database.* FROM username; GRANT SELECT, INSERT, UPDATE ON the_database.* TO username;
The deadly ALTER, CREATE, and DROP at least go away. If you also REVOKE UPDATE, then they can only add garbage rows.
GRANT and REVOKE, at least, prevent the worst SQL-injection attacks on untrusted webserver code.
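A runnable illustration of the poster's point, added here and not code from the thread or from the site in the story. It uses Python's sqlite3 module, so two stand-ins are assumed: SQLite has no GRANT/REVOKE, so its authorizer hook plays the role of revoking CREATE/ALTER/DROP from the web app's login, and executescript() plays the role of a driver that runs batched statements (the classic ASP/ADO setup would). The products and users tables, the search query and the rows are constructed for the example. It goes one step beyond the comment by also showing the parameterised query that removes the injection in the first place, alongside the privilege restriction that only limits the damage.

```python
import sqlite3

# Constructed sample schema (not from the page): a products table the site's
# search box reads, and the users table the thread's payload targets.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO users (name) VALUES ('alice'), ('bob');
INSERT INTO products (name) VALUES ('widget'), ('gadget');
"""

# The payload quoted earlier in the thread, typed into a search field; the
# trailing "--" comments out the quote the template appends after it.
HOSTILE_TERM = "';DROP TABLE users;--"


def fresh_db():
    """Return a new in-memory database loaded with the sample schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    """True if a table of that name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def search_vulnerable(conn, term):
    """Search built by string concatenation: the term becomes SQL text.

    executescript() stands in (assumption) for a driver that executes a batch
    of statements; that is what lets the injected DROP run at all. No rows are
    returned because the side effect is the point of this function.
    """
    conn.executescript(f"SELECT name FROM products WHERE name = '{term}'")


def search_safe(conn, term):
    """Parameterised search: the term is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return [name for (name,) in rows]


def revoke_ddl(conn):
    """Emulate revoking ALTER/CREATE/DROP from the web app's database login.

    SQLite has no GRANT/REVOKE, so the authorizer hook refuses any statement
    that tries to create, alter or drop a table. Everything else still works.
    """
    blocked = {
        sqlite3.SQLITE_CREATE_TABLE,
        sqlite3.SQLITE_ALTER_TABLE,
        sqlite3.SQLITE_DROP_TABLE,
    }

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in blocked else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def demo():
    """Run three scenarios and report whether the users table survived each."""
    outcome = {}

    # 1. Vulnerable query, unrestricted account: the injected DROP succeeds.
    conn = fresh_db()
    search_vulnerable(conn, HOSTILE_TERM)
    outcome["vulnerable_unrestricted"] = table_exists(conn, "users")

    # 2. Same vulnerable query, DDL revoked: the DROP is refused with a
    #    "not authorized" error and the table is still there. The injection
    #    itself is not fixed; only its blast radius shrank.
    conn = fresh_db()
    revoke_ddl(conn)
    try:
        search_vulnerable(conn, HOSTILE_TERM)
    except sqlite3.DatabaseError:
        pass
    outcome["vulnerable_ddl_revoked"] = table_exists(conn, "users")

    # 3. Parameterised query: the payload is just a product name nobody has.
    conn = fresh_db()
    outcome["safe_results"] = search_safe(conn, HOSTILE_TERM)
    outcome["safe_table_intact"] = table_exists(conn, "users")
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scenario 2 is the comment's mitigation and scenario 3 is the actual fix; a site that applies only the privilege restriction still lets an attacker read or modify whatever the login can reach, which is why the two belong together rather than as alternatives.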
Admin
Addendum (2008-12-06 15:55): I would love to have you join Mark and me (see below). I'm sure it would be a stimulating and rewarding conversation.
Admin
Yes. We can agree on what the word "million" means, but to some the word "billion" means a thousand million and to others it means a million million. (The word for a thousand million in the UK would be "milliard", though it's not in common use -- probably in order to avoid mathematicians giggling every time a calculation resulted in a number between 1,000,000,000,000 and 999,999,999,999,999.9... Guess what a thousand billion is called?)
Admin
Actually, it always used to be that billion in the UK meant 10^12, but to the French and Americans it's always meant 10^9, but now, to avoid confusion, the UK now officially (in the sense of the government) takes it to mean 10^9 too. Many older people (including myself, a mere lad of 45) were still taught that it meant 10^12. I think it's best to refer to the number of zeroes as I've done here to save confusion if you're intending to be accurate, and not just using it to mean a massive number.
Admin
Anyway, what I was going to say was: I once got a job on a major website in the UK, which is now a household name. When I started, though it wasn't part of my job, I had some experience of SEO so they asked me to take a look at their rankings, which were basically non-existent.
Well, the pages weren't too optimised, but they had good keyword densities, and they had some good links, some from national newspapers and the BBC, plus their hits were high.
Eventually I found a bit of code which - first thing in every page - took a look at what browser you were using, and (this is bad enough in itself) decided that if your browser's version number was 2.0 or less, it would redirect you to a very simple page which essentially said 'get a better browser and come back then'. (This used to be quite common in the early days of the web, though this was only 6 years ago). This page contained no links, and no other text.
Well, when GoogleBot 1.3 hit the site.... you can figure out the rest.
Admin
Control of a matter is assigned by management. It decides who/which company gets to work on the matter at hand (the website). If that control is not assigned to you, the professional, then you cannot be held responsible for it.
You are responsible for making sure management is informed about the issues you, as a professional, detect, so management can make an informed decision how to proceed in this matter.
Sure, in a professionally run company, management takes a backseat to letting the professionals do their jobs, and create a climate and circumstances in which the right professional flourish to fulfill the goals of the company. In the real world only a few companies (or other organizations for that matter) are run that way. Professionalism is more and more stifled by management, and that is a shame.
Admin
It's called humor. It's like being serious, except not.
Admin
1 - Backup database
2 - SQL Inject the site with something like DROP (or even some INSERTs with goofy data)
3 - Inform the product manager "oh noes, we've been 0wned!"
4 - When the marketing guys whine, just rebut with "oh, do you still think SQL Injection is not a concern?"
5 - After the marketing guys have been sacked, restore DB.
Admin
"that's only a problem for the government and huge corporations"
i've heard that argument before - but there have been automated sql injection attacks going around the net. http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html
getting hacked rarely means there's some snivelling hollywood computer hacker hunched over a computer yelling "i hack you" as it all happens..
Admin
Most English men are.
CAPTCHA: nobis
Admin
Back to the original story:
Brandon acted responsibly and in the best interest of his company. Furthermore, I can't believe that anyone would advocate his sabotaging the website by intentionally injecting malicious SQL commands just to prove it can be done. This does nothing but make the company look bad publicly, and if someone did that I would not only fire them but have them brought up on criminal charges.
Brandon does need to work on his communication so that his temporary fixes are official and so the larger problems can be dealt with, but in the meantime he's got his finger in the dam.
Admin
Yes. I'm sure someone does. It might even be me. Just in case it is me...
I think you're missing a key portion to communication. It's not just understanding, semantically, what the other person said, and saying the semantically correct answer.
To really communicate, you need to understand, semantically, what the other person thought they said, and you need to say, semantically, what they will understand to indicate the correct answer. This sounds like it would require powers claimed by psychic hotlines everywhere. However, it's not that bad, because most people understand their native language fairly well.
In my experience, the most common reason why people fail to say something that the other person will understand is that they forget that the other person doesn't necessarily know all of the same fundamental things. The most common reason why people fail to understand something someone else said is that they fail to realize that person may have additional information they're not realizing they need to say.
If I tell my manager that a website is insecure, and that manager tells me that only VBCs need to worry about web site security, then it's pretty likely that my manager doesn't know about automated malware. Rather than wasting time thinking about how he's an idiot, I should consider how to relate this information to him in a way he'll understand. This is potentially more complicated than it sounds, because he's almost certainly heard about viruses, and it's almost certain he thinks he understands them. To relate this, I need to know more about him. Armed with only the knowledge I've gotten from the conversation portion I've mentioned above, I'm almost guaranteed failure at communicating. But I at least have a better shot than someone who thinks, "What a moron", and then repeats that the website is insecure.
For what it's worth, what your management probably wanted was for you to do what you could to estimate the numbers, given the hardware that you had available to you. At least, that's my guess, from having numerous coworkers in that situation, and me responding by helping them come up with estimates, and them being surprised that they got hardware out of it.
There are, of course, other reasons for communication failures. Too many clauses. Too many disjoint concepts in one (sentence|paragraph|page|chapter|post|book). Bad organization. Excessively complicated sentence structure. I've often had those issues. But I seem to have better success at communicating than my coworkers. My coworkers tend to use simpler sentences. I tend to use excessively complicated sentences.
Of course, sending emails to many people can be quite stressful to one such as myself. Forum posts can be worse.
Admin
Um, no. In French (the entire francophonie, AFAIK, including the Canadian French I grew up speaking), 10^9 is properly a milliard. We bilingual types never had a problem with it.
Admin
This is exceedingly true. It's also worth noting that 'your employer' can frequently be a complex entity.
When I started working for my current company, I was brought on to fix a catastrophically failing system. It took me about 3 weeks to diagnose it, and 6 more weeks to fix it (had to order hardware). My manager thought, "He's apparently at least semi-competent," and proceeded to second-guess every decision I had to run by him.
After working there about 8 months, I changed departments, and thus managers. The new manager had heard about my previous accomplishments, and was delighted to trust me on all of my suggestions. He even asked me for advice on technical issues outside my job description.
About six months after that, my department went corporate; my manager stayed put, so I got a third manager. He saw me as the senior tech on a successful team (yes, turnover heck), and so he trusted me on most of my recommendations (semantic tip: all recommendations are suggestions; the reverse is not true). He also encouraged me to mentor the newer team members.
Recently, my department was reorged, getting a new manager in the process. To my latest manager, I'm one of the old fogies who was working here long before him. I sometimes act like I know more than the person who wrote my department's processes (um, I wrote most of my department's processes, back when I didn't know quite as much...) even if I do follow them except when I have a waiver (that is, the rest of the department's agreed with me that the process isn't appropriate). Possibly worst of all, I'm openly critical of projects that I'd originally advised against and have since had numerous project failures (especially those I'm not on and don't have sufficient access to sabotage - note I'm being critical of projects here, not the competency of the unfortunates tasked with performing these projects). When I give him advice that's contrary to what he already thought, it's because I don't understand business needs. If I tell him something will cost either more or less than he thinks it will, I'm bad at making estimates. This doesn't change when it turns out that it costs more or less than what he thought it should cost.
Admin
I started out in IT as a contractor for a company whose internal I.T. staff believed that a bridged network was appropriate for an international corporation with over 50,000 computers total. For clarification, that's a single, international bridged network.
Depending on network issues and server availability, it was possible for a mobile computer in California, USA to be served its DHCP information from a DHCP server in Italy. A diskless terminal in Germany on rare occasion would boot off of a server in Japan. These sorts of issues were considered flukes, rather than signs of real problems.
Of course, such international broadcast packet responses were very infrequent, because not only were nearer servers more likely to respond first, but the international circuits randomly dropped around 98% of the 3,00+ broadcast packets per second from the US network, as well as impressive but lesser portions of their broadcast packets from international locations. (Yes, that's right, randomly. Another bright idea from one of their internal I.T. staff.)
For what it's worth, they're all better now - they hired a contracting company to come in and fix it all for them.
Since then, I've heard of a number of other companies who also managed to extend bridged networks to 50,000+ computers. All of these companies did so on the advice of their internal I.T. staff.
Note that I'm not saying that companies cannot have competent IT staffers. I currently work at a place where the average internal IT staff is easily twice as competent as the average outsourced IT "professional". What I am saying is what other people before me have said much less verbosely: idiots are everywhere. Competent people are everywhere. Failure is identifying one as the other.
Admin
Erhm... Doesn't GWT use this approach as well? Look at the source / HTML for a GWT app and it's pretty much a couple of style sheets and a javascript include... So pages made with GWT can't really be indexed by Google... Interesting...
Admin
I woulda made a backup of the codebase and the table, constructed a careful SQL statement, told^H^H^H^Hconvinced the manager to make the call, then it would've probably gone something like this:
"OK," Brandon replied. "Another concern I had was SQL injection. On the contact us page, if you ..."
"Wait a second," interrupted the rep. "Did you say SQL injection? You guys really don't have to worry about that. I mean, really, that's only a problem for the government and huge corporations."
"Yes, but it's not that hard to prevent ..."
The marketing rep interrupted again: "You see, Brandon, we're employing a brand-new technology called AJAX that makes your pages load lightning-fast, form submissions quicker and be more responsive. It's a win-win for everyone."
feigning sincerity again "Okay, okay, I see your point. Hey can I quickly try something? It'll take about 15 seconds."
"Okay, what?"
sound of typing
"..."
"Okay, take a look at the site now."
"...WHAT ON EARTH JUST HAPPENED?"
"I didn't touch any of the code just there. I did all that through a browser, and anyone looking at your site would've come to the same conclusions I just did to figure out that what I did was possible. Your code is completely insecure."
"...uhh..."
"And for your information, 'Google indexing' isn't simply having a search box on the site. It's the ability for Google to FIND the site in the first place."
"But Google handle all that themselve--"
"No they don't. Google have a dumbed-down robot that scans web pages for data. It's incapable of reading stylesheets or Javascript. Look on Wikipedia as to the definition of 'Search engine optimization'."
click