Admin
Right, you're vandalizing his web site. However...you could probably cover this issue with language in the contract. Something like "If payments are delinquent more than 90 days, Developer may use technological means to disable and/or delete all software furnished under this Agreement, and Customer hereby grants the Developer access to Customer controlled computers or computer accounts in order to do so, and Customer hereby releases Developer from all liability for doing so and agrees to indemnify, defend and hold harmless..."
Well, you get the idea. You'd probably have to agree to disable the backdoor once the contract is complete and paid in full. A lawyer could probably craft language that works.
Admin
"the nation that secures freedom" - NOT! "strategic weakining (of the nation) that secures freedom" - maybe
Admin
I don't want to disturb you while you are busy looking at your belly button there, but: a) We don't need your help. Really, we are doing fine without the incommensurable value that you bring with your killing of civilians and taking possession of assets you couldn't otherwise buy on a free market. Go home. b) "Balance of power". That's you sitting on the heavy side, isn't it? c) Weak-E-ning. Nu-C-L-E-A-R. Learn to write. It is freedom. No, not that kind; hold on, wait... don't shoot your students and steal their lunch money. Look up "freedom" in a dictionary. See how it doesn't involve coercion? That's nice. Now try it.
Admin
TRWTF is not running php in safe mode and allow drop on db for untrusted code
Admin
is better still. Now you aren't searching all your non-PHP files (think large images or PDFs) for that elusive unlink!
Admin
Actually, Ondra and Derrick are the same person. Alex just made up that second person so the original author doesn't look like a total asshat.
Admin
Not Always,
http://news.bbc.co.uk/1/hi/8267763.stm
Although apparently the police frown on this sort of thing.
Admin
So many things wrong with that backdoor. So easy to spot, no ability to execute arbitrary commands, not obfuscated or hidden at all, and he practically told them about it. Tsk tsk!
So many things wrong with having to submit my post twice, too.
Admin
I demand that comment be given the blue tint.
Admin
I get it regularly.
And I get unobtanium too.
Mostly off ebay.
Along with electric penguin cleaners, left-handed pencils and uncut dilithium crystals.
Admin
Let's just say that I know of some PHP stored in two (yes, count them, two) CVS repositories… and, yes, I have write access to both.
(One's long-since obsoleted, and the other's been untouched for years…)
Admin
See, if I didn't see major league WTFs all the time that come out of the combination of idiot bosses and Kerblekistani outsourcing, I would call FUD too.
But it happens again and again.
The combination of idiot bosses + local developers usually reveals the bosses' idiocy early. If it is easy to push bosses on requirements, the idiocy will be revealed right away.
"Wait, if the user can't search for what they want, how is this product going to be even remotely useful?"
Idiot bosses + outsourced developers can let the idiocy fester for months. The spec gets sent out, no questions get asked because each question takes 12 hours to answer, and GIGO.
Indeed, idiot bosses tend to flee to Kerblekistani devs because they get tired of having local, competent, smart, expensive devs ask them hard questions that illustrate their idiocy. Kerblekistan just implements their idiocy.
Admin
¹ Who know enough about grep.
Admin
-Harrow.
Admin
In case you're serious, it's the precious mineral the invading humans want on the moon the alien race lives on, in the film Avatar.
Yes the writers really were that imaginative.
Admin
Although the word itself was used in a high-end road bike ad from the early 2000s from, I believe, Specialized, who were jokingly one-upping the competition with a material so light, so stiff, and so rare, that nobody could get it. Ever. It was pretty funny.
Admin
Not quite. It's a common term in both science fiction and real-world engineering. It's been in common usage for close to 60 years. Its usage in "Avatar" was almost certainly a deliberate homage to this, not a case of the writers being "unimaginative" as you seem to imply.
Admin
If the writers were that daft, it sort of makes me not want to see the movie.
Admin
grep -c gives you filenames, or did you oversnip?
Admin
Sounds like NI LabView to me. Horrible write-only stuff.
Admin
No comments, unit tests, documentation, code review, &c, &c. QED, PHP drones are all oxygen thieves.
Admin
The name comes from "unobtainable" (you can't have it) and "ium" (ending of the last few elements on the periodic table). The mineral comes from Pandora, a moon of Polyphemus, which orbits Alpha Centauri A. It is a room temperature superconductor for energy, which makes it very valuable: it's worth $20 Million per kilogram on Earth. However, it is vastly expensive to mine on Pandora since humans are unable to breathe in the Pandoran atmosphere. Because of this, all personnel are required to wear a mask and it is very cumbersome.
Unobtainium has a unique magnetic field and properties of superconductivity, causing it to levitate. On Pandora, the magnetic effect causes huge outcroppings of Unobtainium to rip loose from the surface and float in the magnetic vortexes. These huge islands, named Hallelujah Mountains by Earth's explorers, are called Thundering Rocks by the Pandorans, who hold them sacred.
The unique magnetic properties of Unobtainium are used to contain and direct the energy of the matter-antimatter annihilation which propels ships like ISV Venture Star. Without Unobtanium, interstellar commerce on this scale would not be possible. Unobtanium is not only the key to Earth's energy needs in the 22nd century, but it is the enabler of interstellar travel and the establishment of a truly spacefaring civilization. Making a feedback loop, the more Unobtainium is mined, the more ships can be built, and more mining equipment can be sent to Pandora.
Admin
He is an idiot. He could have deleted the files and told the customer that he had a copy of it, available upon receipt of the payment.
In this case, the dev was in a situation where he was violating the agreement, and he had been paid for several months already, so using it would have been wrong.
On the other end, every once in a while, you have an a*hole who orders work, receives it and does not pay. And if the customer does not pay, the work actually belongs to the dev who has done it and he is justified to delete it, if reasonable efforts to recover the money fail.
Admin
And puts a lien on your property.
Admin
In the Czech language, Ondra is a familiar diminutive of Ondřej. And Ondřej is Czech for Andrew, and quite a widespread name.
Admin
(Context is in the article; and if it's not quoted, it can't be snipped…)
Admin
There is no reason to be allergic to the word 'cat'.
Admin
[cat | grep]
‘-h’, a.k.a. ‘--no-filename’, solves that one. Who said anything about aller… sniff… sniff sneeze sneeze sniff sneeze sneeze sneeze. You owe me one clean keyboard.
Admin
The FBI has no jurisdiction in Kerbleckistan. You'd be fucked.
Admin
Surely this would be a non-event anyway? Even if the original programmer did manage to invoke his back door you'd just restore all the files from the previous day's backup and then continue as normal (disabling the back door before restoring 'net access obviously).
Mind you, I'm surprised a web application would be given write access to its own code.
Admin
The irony of that being that if the developer was successful and smart enough to do that he very likely would have never landed in that situation in the first place. Plus, from what the OP said he very likely would have been doing the company a benefit if he had executed the code in the first place.
For developers, this is probably a good lesson in never handing over the source code until payment is completely or nearly completely made. Put it on a test server or hand over a product that leaves an identifiable watermark.
Admin
Nowadays the FBI is tough on people who waste their time.
Admin
That's a dirty trick. But then again as others have said the site owner was probably better off starting from scratch anyway...
It does however remind me of a situation a friend once had. He and two others founded their own company and developed a CMS. At some point one of them jumped off and took a copy of the project with him to get some customers for himself. Obviously the various attempts of convincing him to stop failed so they probed his webserver and found out that he had server-wide write enabled anonymous ftp access. They uploaded a few quick changes to the code so a message was displayed on every page saying that the site was run on stolen software...
Captcha: bene, molto bene!
Admin
You mean
Admin
Excellent stuff... so true I want to smile/cry :)
Admin
find expects a path argument, so it's "find . -name" and so on. Also, you only want to grep regular files: "find . -type f -name" etc.
Captcha: veniam (veni, veni, venias, ne me mori facias)
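An added example, not code from any comment in this thread, that turns two of the points made above into something you can run against a handed-over PHP codebase: the find/grep advice (search only regular *.php files, so large images and PDFs are never grepped) and the earlier remark that a web application should not have write access to its own code. The web root path, the www-data user name and the sample files are assumptions for the example; nothing here is from the original site's code.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a PHP web root for the two
# things the comments above point at.
#   1. Search only regular *.php files for destructive or command-executing
#      calls (unlink, rmdir, system, DROP TABLE ...) and report file:line.
#   2. List files the web server account could modify; an application that
#      can rewrite or delete its own code is what makes a backdoor like the
#      one in the article work at all.
# Assumptions: $1 is the web root, $2 (optional) is the web server's user
# name, e.g. www-data. Both are hypothetical values for this example.

# Calls a reviewer wants to see in a hand-over codebase. POSIX ERE only
# ([[:space:]] rather than \s) so the pattern works with BSD grep as well.
DESTRUCTIVE_RE='(unlink|rmdir|system|exec|passthru|shell_exec|eval)[[:space:]]*\(|DROP[[:space:]]+(TABLE|DATABASE)'

# Print "file:line:text" for each hit in regular .php files under $1.
# "find ... -exec grep {} +" batches the file list; -H forces the file name
# even when a batch holds a single file. "|| true" keeps grep's "no match"
# exit status (1) from aborting a caller running under set -e.
scan_php_destructive() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$DESTRUCTIVE_RE" {} + || true
}

# Print regular files under $1 that are world-writable (mode bit o+w, -002)
# or, when a web server user name is given as $2, owned by that account.
# Note: find exits with an error if $2 is not a user known to the system.
find_server_writable() {
    root="$1"
    webuser="${2:-}"
    if [ -n "$webuser" ]; then
        find "$root" -type f \( -perm -002 -o -user "$webuser" \)
    else
        find "$root" -type f -perm -002
    fi
}

# Command-line use: sh audit.sh /var/www/html www-data
if [ "$#" -ge 1 ]; then
    echo "== destructive or command-executing calls in *.php under $1 =="
    scan_php_destructive "$1"
    echo "== files the web server could modify under $1 =="
    find_server_writable "$1" "${2:-}"
fi
```

Every hit from the first function deserves a look, not just the ones wrapped in a `$_GET` comparison; the second list should ideally be empty apart from an upload directory, and if index.php shows up on it the application can delete itself whether or not anyone planted a backdoor.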
Admin
Perhaps, but very often, such a backdoor is always included in the SECOND program one writes as a freelancer…
CAPTCHA: cæcus
Admin
LOL, "Ondra M." is an anagram of "random".
Admin
No, the dirtiest trick was a small disk magnet on a system drive.
It was a really weak one, would barely hold up a paper on a refrigerator, but over a few hours of hard spinning, eventually destroyed the data on the drive. A stronger one would have been noticed immediately, I think. This one was JUST strong enough to eat a few bits at a time.
Admin
Hey - has anyone mentioned that Ondra is Czech for Andy?
Admin
What he should have done is make the page print out things like "Dropping all tables", but not actually do anything, so the Kerbleckistani would think everything was deleted. If you know his IP address, route him to a default Apache page or something so he thinks he wiped the site (he doesn't sound smart enough to actually check)
Admin
Mr. Kerbablestan is literally a much more malicious (and illiterate) version of Paula.
    // I be so brillant
    if ($_GET['page'] == "delete_all_files"){
        echo "paula";
        mysql_query("DROP TABLE *");
        unlink("index.php");
        unlink("apps.php");
        unlink("resources");
        ... snip all files ...
    }
Admin
Found this one in random: See what you do is you make the page spit out "Deleting X.php" and "Dropping all tables" but it doesn't actually do anything. So the stupid Indian thinks it deleted everything.