Admin
I think Jerry Sandusky is simply misunderstood.
Admin
Odd, when I type my password out for my account here it doesn't display in plain text: **********
See?
Admin
You are not here to take a field trip through the comments page. Fix the bug.
Admin
Also, I bet the submitter's real name is Bobby Tables.
Admin
Remy beat the spread (he had the over/under at 6 comments for a Bobby Tables comment).
Admin
"5,[email protected],*******" - am I the only one who sees this perfectly secured file line?
Admin
I love this for the 'hunter2' reference and the people above me who also caught it. :)
Admin
I don't know about you, but it appears to me super securely as:
Admin
I've worked with some horrible managers, but this just sounds too far fetched.
Admin
The only thing unbelievable about this story is how fast the guy got fired.
What is believable is the bad code. I worked on a project that was a direct port from classic ASP to ASP.NET. They just replaced the ASP snippets with C# using a plain text editor - no visual studio, no intellisense. And classic ASP sites are full of inline SQL code. That is just how it was done back then.
Isn't Nagesh Hindi for anonymous?
Admin
This got a wow from me. Luckily if I was using that system on behalf of my company I would have caught the UserId thing right away and immediately stopped using their product.
I wonder if the boss has pointy hair
Admin
I don't believe it as written. Something's gotta be missing or not told right about this story. Either that or it has been embellished.
Admin
Victor gets two benefits of being let go:
He doesn't have to work with that horrible application, obviously.
He (hopefully) learned that no matter how fucked up things are at a new job, nobody wants to hear about it from the new guy.
Admin
Agreed. Something was definitely omitted or embellished. Anyone smart enough to spot these issues, would be smart enough to convince someone to understand that there are problems. If not, the real WTF is on them for not making more noise about it. A lot of these stories just seem too terse and glossy.
Admin
TRWTF-ery:
"It'll be a good way for you to learn our code base." ... "You're not here to take a field trip through our code,"
Admin
Security is so important, and since we have no idea how to make things secure, the web site isn't even visible on the internet.
We receive our orders by e-mail, which our site operators transcribe, submit through the web site, and e-mail back the response. .replace("operators", "interns").replace("transcribe", "print, wooden table, ocr, yada enterprizy").replace("email back the response", "screenshot, print, wooden table, etc. more enterprizy")
Admin
Business as usual - you can't imagine how many other systems that are designed the same way.
Admin
I don't recall reading anything about our hero asking exactly what the secure coding practices to which he had to adhere were.
That might have made for an interesting post in and of itself.
Admin
Still, before he left Victor should have asked his boss what things he should have focused on, if only for an added punchline to this story.
Admin
Sounds like the story of my IT Career: Get suckered in by a smooth-talking company that presents itself as having great developers, good code and a great working environment to find out the codebase is trash, most if not all of my co-workers wouldn't know OOP if it bit them on the ass, and the company is more focused on PR and looking like a great company than actually BEING a great company.
I definitely sympathize with this story. I've been let go of a fair number of jobs for doing a similar thing as Victor here and pointing out critical flaws in the code that everyone ignores.
Nope, it's accurate. Many companies think everything is sunshine and rainbows, and if a new hire finds issues, the problem is the new guy and not the code, and they will swiftly replace the new employee with someone who doesn't care if the code is spaghetti or if the site is ripe for hacking, as long as they get their assigned tasks done and don't muck around "fixing things".
Admin
I'm going to assume for the sake of argument that this tale isn't fiction.
The response to the boss should have been:
"Security is job 1, right? So how about a little wager? If you win I quit with no complaint or requirement for a severance package, if I win I get a 10% raise. The challenge is this, take away all of my permissions to the system and give me 15 minutes to retrieve sensitive customer data."
Admin
So, at the end of the day, Victor knows how to break into their application. I would make $$$ if I was him.
Admin
and then, there's that little thing called 'spine'.
Admin
"Secure';" ... That's an odd ending to a presumed SQL injection attack. :P I wonder what happened. ;)
Admin
And risk going to jail. Great idea.
(You can get jailed for federal crime of unauthorized computer use regardless of how easy it was to do it).
Admin
Hint: When hired by a stupid boss, you must be sure not to let him realize you know more than he does. That makes such people verrrry nervous. You have to be blind to his crap so he can continue trotting around believing he's the king of the world and none of his underlings can see through his facade.
Admin
I had that last 'feature' in a web service I tested for call center use back in the day. To be fair, the project manager eventually asked how I was getting into the secure pages and had it fixed before it went live.
Admin
And after retrieving that customer data, they sue Victor for "hacking" their "secure" site.
Admin
Paste classic ASP code into C#? Admittedly I've never used classic ASP, but I thought classic ASP only worked with VB, since C# hadn't been invented yet - or did it actually support C++?
Admin
Classic ASP works with JavaScript too: @Language=VBScript or @Language=JavaScript.
But JavaScript != C#.
Admin
Classic ASP sites are no more full of inline SQL code than any other type of site. Ours is 99.9% parameterized stored proc calls.
Admin
Well, there's your problem!
Someone is using "hunter2" instead of "*******" as their password!
Admin
Also http://javascriptdotnet.codeplex.com - you can write asp.net in javascript. "Javascript .NET integrates Google's V8 Javascript engine and exposes it to the CLI environment. Javascript .NET compiles (at runtime) and executes scripts directly from .NET code. It allows CLI objects to be exposed and manipulated directly from the executed Javascript."
Admin
If you ask me, the Real WTF is that it's illegal to hack idiots. Oh how many morons I would run into bankruptcy if it wasn't illegal. Fuck Capitalism.
Admin
I briefly worked at a company that did document management for various other companies. I found a couple places (I think one was a parameter in the URL's query string and another was a POST parameter) that took what appeared to be a file path as a value. Turned out that the path was passed directly to include(). Since PHP won't start parsing an included file until it reaches the <?php tag, any file that wasn't PHP would just get sent to the browser. My demonstration was giving it enough "../" followed by "etc/passwd".
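The include() pattern the commenter above describes, shown as an added example (not the commenter's code and not from the story's application): the vulnerable shape, where a request parameter flows straight into include(), next to a hardened version that maps opaque keys to files and confirms the resolved path stays inside the template directory. The `page` query parameter, the `templates/` directory and the three template names are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. $_GET['page'], TEMPLATE_DIR and the
// template file names are assumptions for illustration.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed location of includable files

// Vulnerable shape: the request value becomes the include path unchanged.
// A value such as "../../etc/passwd" leaves TEMPLATE_DIR, and because PHP only
// starts parsing at the first <?php tag, a non-PHP file is echoed verbatim.
function render_vulnerable(string $page): void
{
    include TEMPLATE_DIR . '/' . $page;
}

// Hardened: the request value is only ever a key into an allowlist, and the
// resolved path is checked for containment with realpath() as a second guard
// (so a later edit to the allowlist cannot silently point outside the directory).
// Returns the absolute path to include, or false when the key is unknown or
// the file resolves outside TEMPLATE_DIR.
function resolve_template(string $key): string|false
{
    static $allowed = [
        'home'    => 'home.php',
        'orders'  => 'orders.php',
        'account' => 'account.php',
    ];
    if (!isset($allowed[$key])) {
        return false;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $allowed[$key]);
    if ($base === false || $path === false) {
        return false;   // directory or file does not exist
    }
    // Containment: the resolved path must begin with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $path;
}

function render_hardened(string $key): void
{
    $path = resolve_template($key);
    if ($path === false) {
        // Unknown key: log the raw value for detection, tell the client nothing useful.
        error_log('rejected template key: ' . bin2hex($key));
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Assumed entry point: ?page=orders includes templates/orders.php;
// ?page=../../etc/passwd is not an allowlisted key and yields a 404.
render_hardened($_GET['page'] ?? 'home');
```

The allowlist is what actually closes the hole; the realpath() prefix check costs one extra filesystem call and protects against a future maintainer adding an entry such as `'../config.php'` to the map. Logging the rejected key (hex-encoded so it cannot corrupt the log) gives operations something to alert on when traversal strings start arriving.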
Admin
(Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)
Admin
In my experience that usually doesn't work - the company usually will be like "Sorry, that's confidential information" or similar. Of course, that may or may not be a red flag about the job - if I'm interviewing at NASA or similar I could understand the whole "Proprietary information" argument, but if I'm interviewing at ACME Widgets as a senior developer for their internal CRM, what is proprietary about that?
I have never met a company that would say "Okay, here's a sample of our codebase"; it's always an excuse why they can't do that for legal reasons, but they want a sample of YOUR code...
Admin
Boss is right, Victor obviously doesn't understand their kind of "security"...
Anyway, Victor is the kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html
Admin
Wow that article was a bunch of corporate bullshit. Immediately fire people who actually stand up for themselves and suggest ideas instead of just shutting up and doing exactly what their corporate masters tell them.