• TheJonB (unregistered)

    I think Jerry Sandusky is simply misunderstood.

  • (cs)

    Odd, when I type my password out for my account here it doesn't display in plain text: **********

    See?

  • your name (unregistered)

    You are not here to take a field trip through the comments page. Fix the bug.

  • Jozef (unregistered) in reply to BobB
    BobB:
    Odd, when I type my password out for my account here it doesn't display in plain text: **********

    See?

    That's just your browser password plugin. Those of us without one can see clearly your password: donkey1969

  • your name (unregistered)

    Also, I bet the submitter's real name is Bobby Tables.

  • (cs) in reply to your name

    Remy beat the spread (he had the over/under at 6 comments for a Bobby Tables comment).

  • Paul A (unregistered)

    "5,[email protected],*******" - am I the only one who sees this perfectly secured file line?

  • Grank (unregistered)

    I love this for the 'hunter2' reference and the people above me who also caught it. :)

  • Michael Scott (unregistered)
    Remy Porter:
    Wedge, you're not doing any good back there! Pull out! (Which is, in fact, what she said)
    LOL!
  • Machtyn (unregistered)

    I don't know about you, but it appears to me super securely as:

    <users>
     <user>
      <id>5</id>
      <email>[email protected]</email>
      <password>hunter2</password>
     </user>
    </users>
    
  • anon (unregistered)

    I've worked with some horrible managers, but this just sounds too far fetched.

  • Nagesh (unregistered)

    The only thing unbelievable about this story is how fast the guy got fired.

    What is believable is the bad code. I worked on a project that was a direct port from classic ASP to ASP.NET. They just replaced the ASP snippets with C# using a plain text editor - no visual studio, no intellisense. And classic ASP sites are full of inline SQL code. That is just how it was done back then.

    Isn't Nagesh Hindi for anonymous?

  • (cs)

    This got a wow from me. Luckily if I was using that system on behalf of my company I would have caught the UserId thing right away and immediately stopped using their product.

    I wonder if the boss has pointy hair

  • anonymous (unregistered)

    I don't believe it as written. Something's gotta be missing or not told right about this story. Either that or it has been embellished.

  • (cs)

    Victor gets two benefits of being let go:

    1. He doesn't have to work with that horrible application, obviously.

    2. He (hopefully) learned that no matter how fucked up things are at a new job, nobody wants to hear about it from the new guy.

  • anon (unregistered) in reply to anonymous

    Agreed. Something was definitely omitted or embellished. Anyone smart enough to spot these issues would be smart enough to convince someone to understand that there are problems. If not, the real WTF is on them for not making more noise about it. A lot of these stories just seem too terse and glossy.

  • (cs)

    TRWTF-ery:

    "It'll be a good way for you to learn our code base." ... "You're not here to take a field trip through our code,"

  • airdrik (unregistered)

    Security is so important, and since we have no idea how to make things secure, the web site isn't even visible on the internet.
    We receive our orders by e-mail, which our site operators transcribe, submit through the web site, and e-mail back the response. .replace("operators", "interns").replace("transcribe", "print, wooden table, ocr, yada enterprizy").replace("email back the response", "screenshot, print, wooden table, etc. more enterprizy")

  • NH (unregistered)

    Business as usual - you can't imagine how many other systems that are designed the same way.

  • (cs)

    I don't recall reading anything about our hero asking exactly what the secure coding practices to which he had to adhere were.

    That might have made for an interesting post in and of itself.

  • (cs)
    "It'll be a good way for you to learn our code base." ... "You're not here to take a field trip through our code."
    So... do you want him learning the code base or not?
    "Victor, I really don't think you understand the security needs of this application. You're focusing on the wrong things. We're going to have to let you go."
    I was about to complain that his boss fired him without giving him any direction, but it seems in the end his boss finally pointed him in the right direction after all: away from that disaster of a workplace.

    Still, before he left Victor should have asked his boss what things he should have focused on, if only for an added punchline to this story.

  • (cs)

    Sounds like the story of my IT Career: Get suckered in by a smooth-talking company that presents itself as having great developers, good code and a great working environment to find out the codebase is trash, most if not all of my co-workers wouldn't know OOP if it bit them on the ass, and the company is more focused on PR and looking like a great company than actually BEING a great company.

    I definitely sympathize with this story. I've been let go from a fair number of jobs for doing a similar thing as Victor here and pointing out critical flaws in the code that everyone ignores.

    The only thing unbelievable about this story is how fast the guy got fired.

    Nope, it's accurate. Many companies think everything is sunshine and rainbows and if a new hire finds issues, the problem is the new guy and not the code, and will swiftly replace the new employee with someone who doesn't care if the code is spaghetti or if the site is ripe for hacking, as long as they get their assigned tasks done and don't muck around "fixing things".

  • JohnFx (unregistered)

    I'm going to assume for the sake of argument that this tale isn't fiction.

    The response to the boss should have been:

    "Security is job 1, right? So how about a little wager? If you win I quit with no complaint or requirement for a severance package, if I win I get a 10% raise. The challenge is this, take away all of my permissions to the system and give me 15 minutes to retrieve sensitive customer data."

  • Flamer (unregistered)

    So, at the end of the day, Victor knows how to break into their application. I would make $$$ if I was him.

  • (cs) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    I've been let go of a fair number of jobs for doing a similar thing
    The best way to handle stuff like that is to figure out what causes the problem, then write a test case to expose it. This way it's not YOU raising the issue. Pointless? Of course, but it can salvage a bad situation to your advantage.
  • Could I Bother You to Recharge My Zune? (unregistered)
    Remy:
    Wedge, you're not doing any good back there! Pull out! (Which is, in fact, what she said)
    Remy:
    He contracted a venereal disease after receiving a hot SQL injection
    Hey that's my job!
  • jc (unregistered) in reply to frits

    and then, there's that little thing called 'spine'.

  • (cs)

    "Secure';" ... That's an odd ending to a presumed SQL injection attack. :P I wonder what happened. ;)

  • Anonymous (unregistered) in reply to Flamer

    And risk going to jail. Great idea.

    (You can get jailed for the federal crime of unauthorized computer use regardless of how easy it was to do it.)

  • Larry (unregistered) in reply to JohnFx
    JohnFx:
    I'm going to assume for the sake of argument that this tale isn't fiction.

    The response to the boss should have been:

    "Security is job 1, right? So how about a little wager? If you win I quit with no complaint or requirement for a severance package, if I win I get a 10% raise. The challenge is this, take away all of my permissions to the system and give me 15 minutes to retrieve sensitive customer data."

    ...proving that you put a backdoor into the system while you were supposed to be fixing bugs. Now you're not just fired, you're going to jail.

    Hint: When hired by a stupid boss, you must be sure not to let him realize you know more than he does. That makes such people verrrry nervous. You have to be blind to his crap so he can continue trotting around believing he's the king of the world and none of his underlings can see through his facade.

  • (cs) in reply to Could I Bother You to Recharge My Zune?
    Could I Bother You to Recharge My Zune?:
    Remy:
    Wedge, you're not doing any good back there! Pull out! (Which is, in fact, what she said)
    Remy:
    He contracted a venereal disease after receiving a hot SQL injection
    Hey that's my job!
    Getting fucked by squirrels is your job?
  • Lee (unregistered)

    I had that last 'feature' in a web service I tested for call center use back in the day. To be fair, the project manager eventually asked how I was getting into the secure pages and had it fixed before it went live.

  • Could I Bother You to Recharge My Zune? (unregistered) in reply to no laughing matter
    no laughing matter:
    Could I Bother You to Recharge My Zune?:
    Remy:
    Wedge, you're not doing any good back there! Pull out! (Which is, in fact, what she said)
    Remy:
    He contracted a venereal disease after receiving a hot SQL injection
    Hey that's my job!
    Getting fucked by squirrels is your job?
    Have you been looking at my browser history? Just 'cause I watch it doesn't mean I want to be a part of it! (Tell that to squirrels in spring! Good luck keeping your nuts!)
  • gunther (unregistered) in reply to JohnFx
    JohnFx:
    I'm going to assume for the sake of argument that this tale isn't fiction.

    The response to the boss should have been:

    "Security is job 1, right? So how about a little wager? If you win I quit with no complaint or requirement for a severance package, if I win I get a 10% raise. The challenge is this, take away all of my permissions to the system and give me 15 minutes to retrieve sensitive customer data."

    And after retrieving that customer data, they sue Victor for "hacking" their "secure" site.

  • (cs)

    Paste classic ASP code into C#? Admittedly I've never used classic ASP, but I thought classic ASP only worked with VB, since C# hadn't been invented yet - or did it actually support C++?

  • (cs) in reply to ekolis
    ekolis:
    Paste classic ASP code into C#? Admittedly I've never used classic ASP, but I thought classic ASP only worked with VB, since C# hadn't been invented yet - or did it actually support C++?

    Classic ASP works with JavaScript also. @Language=VBScript or @Language=Javascript

    but javascript != c#.

  • (cs) in reply to jc
    jc:
    and then, there's that little thing called 'spine'.
    Which comes in handy when you're fighting "Toothless Jay" for your crackers on the soup line.
  • Brian White (unregistered) in reply to Nagesh
    Nagesh:
    The only thing unbelievable about this story is how fast the guy got fired.

    What is believable is the bad code. I worked on a project that was a direct port from classic ASP to ASP.NET. They just replaced the ASP snippets with C# using a plain text editor - no visual studio, no intellisense. And classic ASP sites are full of inline SQL code. That is just how it was done back then.

    Isn't Nagesh Hindi for anonymous?

    Classic ASP sites are no more full of inline SQL code than any other type of site. Ours is 99.9% parameterized stored proc calls.
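    The inline-SQL-versus-parameterized-call point Nagesh and Brian White are arguing about, and the "write a test case to expose it" approach frits suggests further up, side by side as an added example. This is not code from the article, from the ported ASP.NET site, or from any commenter: an in-memory SQLite table stands in for the site's user store, and the rows, the probe string and the function names are constructed for the demonstration; nothing here is claimed to be the payload behind the article's title.

```python
"""Inline SQL assembled from user input versus a parameterized query.

Added example, not the article's code. The user table, the sample rows and
the probe value are constructed for this demonstration.
"""
import sqlite3

# Constructed sample data: id, email, plaintext password. Storing the
# password in clear is its own bug (see the jokes above); it is kept that
# way here only so the query shape matches the story.
SAMPLE_USERS = [
    (1, "alice@example.com", "correct horse"),
    (5, "bob@example.com", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_inline(conn: sqlite3.Connection, email: str, password: str) -> list:
    """The classic-ASP shape: query text concatenated from request values.

    Whatever arrives in `email` becomes part of the SQL, so a single quote
    closes the string literal and everything after it is parsed as SQL.
    """
    sql = (
        "SELECT id, email FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> list:
    """The fix: placeholders in the statement, values bound separately by
    the driver, so input is never interpreted as SQL whatever it contains."""
    sql = "SELECT id, email FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


# Generic probe: closes the literal, forces the predicate true, and the
# trailing '--' comments out the password comparison.
PROBE_EMAIL = "' OR 1=1 --"


def run_probe() -> dict:
    """The test case frits describes: the same probe against both code
    paths, with the result left for an assertion to judge."""
    conn = make_db()
    inline_rows = login_inline(conn, PROBE_EMAIL, "wrong")
    param_rows = login_parameterized(conn, PROBE_EMAIL, "wrong")
    honest_rows = login_parameterized(conn, "bob@example.com", "hunter2")
    return {
        "inline_rows": len(inline_rows),        # every user, no password known
        "parameterized_rows": len(param_rows),  # 0: probe handled as data
        "honest_login_ok": honest_rows == [(5, "bob@example.com")],
    }


if __name__ == "__main__":
    print(run_probe())
```

    Run stand-alone it prints the row counts for both paths. The useful habit is the shape of `run_probe`: a regression test that fails on the concatenated query and passes on the parameterized one is a finding the build reports, not the new hire.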

  • Mandatory Cutie Pony (unregistered)
  • Chris S. (unregistered)

    Well, there's your problem!

    Someone is using "hunter2" instead of "*******" as their password!

  • Brian White (unregistered) in reply to Nagesh
    Nagesh:
    ekolis:
    Paste classic ASP code into C#? Admittedly I've never used classic ASP, but I thought classic ASP only worked with VB, since C# hadn't been invented yet - or did it actually support C++?

    Classic ASP works with JavaScript also. @Language=VBScript or @Language=Javascript

    but javascript != c#.

    It actually supported VBScript or JScript. JScript being mostly JavaScript, but not kept up to date with the standard, so you have trouble if you try to get Prototype or jQuery running as server-side code. Though I believe people did get certain versions of Prototype running as server-side code in classic ASP, which is actually pretty cool.

    Also http://javascriptdotnet.codeplex.com - you can write asp.net in javascript. "Javascript .NET integrates Google's V8 Javascript engine and exposes it to the CLI environment. Javascript .NET compiles (at runtime) and executes scripts directly from .NET code. It allows CLI objects to be exposed and manipulated directly from the executed Javascript."

  • (cs)

    If you ask me, the Real WTF is that it's illegal to hack idiots. Oh how many morons I would run into bankruptcy if it wasn't illegal. Fuck Capitalism.

  • Nagesh (unregistered) in reply to Nagesh
    Nagesh:
    ekolis:
    Paste classic ASP code into C#? Admittedly I've never used classic ASP, but I thought classic ASP only worked with VB, since C# hadn't been invented yet - or did it actually support C++?

    Classic ASP works with JavaScript also. @Language=VBScript or @Language=Javascript

    but javascript != c#.

    2 late, every1 know u r faker, haker schoolboy!

  • Bronie (unregistered)
  • (cs)

    I briefly worked at a company that did document management for various other companies. I found a couple places (I think one was a parameter in the URL's query string and another was a POST parameter) that took what appeared to be a file path as a value. Turned out that the path was passed directly to include(). Since PHP won't start parsing an included file until it reaches the <?php tag, any file that wasn't PHP would just get sent to the browser. My demonstration was giving it enough "../" followed by "etc/passwd".
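    The include() path traversal described in the comment above, as an added example that is not the commenter's code or the document-management product's code. It is written in Python rather than PHP, with a file-serving function standing in for include(), since the behaviour that matters (a user-supplied path opened relative to a directory and its contents handed back to the client) is the same. The document root, the file names and the requested paths are constructed for the demonstration; the hardened version uses `os.path.realpath` plus a containment check, which is a standard fix and not one the comment describes.

```python
"""Path traversal through a user-controlled include path, and the fix.

Added example, not code from the page. The document root and its files are
created in a temporary directory so the script runs offline.
"""
import os
import tempfile


def setup_docroot() -> str:
    """Constructed layout: a public document inside docroot and a secret one
    level up, playing the role /etc/passwd did in the comment."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "docroot")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "manual.txt"), "w") as f:
        f.write("public document\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for the browser\n")
    return docroot


def serve_naive(docroot: str, requested: str) -> str:
    """Vulnerable shape: join the request value onto the base and open it.
    Like PHP's include() on a non-PHP file, the bytes go straight back."""
    with open(os.path.join(docroot, requested)) as f:
        return f.read()


def serve_contained(docroot: str, requested: str) -> str:
    """Hardened: resolve '..' and symlinks first, then refuse anything that
    did not stay inside the document root."""
    base = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: startswith would accept a sibling
    # directory whose name merely begins with the base name (docroot2/).
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path outside document root: {requested!r}")
    with open(candidate) as f:
        return f.read()


def demo() -> dict:
    """Exercise both functions with a legitimate path, the '../' trick, and
    an absolute path (os.path.join discards the base when given one)."""
    docroot = setup_docroot()
    traversal = "../secret.txt"
    absolute = os.path.join(os.path.dirname(docroot), "secret.txt")
    results = {
        "naive_leaks_traversal": serve_naive(docroot, traversal),
        "naive_leaks_absolute": serve_naive(docroot, absolute),
        "contained_serves_legit": serve_contained(docroot, "manual.txt"),
    }
    for name, path in (("contained_blocks_traversal", traversal),
                       ("contained_blocks_absolute", absolute)):
        try:
            serve_contained(docroot, path)
            results[name] = False
        except PermissionError:
            results[name] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

    Two details are easy to miss when fixing this by hand: stripping `../` from the input is not enough, because an absolute path or a symlink inside the root reaches outside just as well, and a prefix comparison on the resolved path must be done with `commonpath` (or with a trailing separator appended) so that `/srv/docroot2` does not pass as being under `/srv/docroot`.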

  • (cs) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    If you ask me, the Real WTF is that it's illegal to hack idiots. Oh how many morons I would run into bankruptcy if it wasn't illegal.
    I lament with you. There really needs to be some law that if you, through stupidity, provoke someone or something to behave a certain way and they do so, they are not at fault. An example of this would be an idiot who taunts a tiger and gets mauled and then the idiot tries to sue the zoo for getting mauled. If you leave your site -that- open to hackers it is like taunting hackers to come and get it.
  • (cs) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    Sounds like the story of my IT Career: Get suckered in by a smooth-talking company that presents itself as having great developers, good code and a great working environment to find out the codebase is trash, most if not all of my co-workers wouldn't know OOP if it bit them on the ass, and the company is more focused on PR and looking like a great company than actually BEING a great company.
    One of the things I have learned from this site is, when interviewing for a job, ask the company for a sample of their code.

    (Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)

  • (cs) in reply to D-Coder
    D-Coder:
    One of the things I have learned from this site is, when interviewing for a job, ask the company for a sample of their code.

    (Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)

    In my experience that usually doesn't work - the company usually will be like "Sorry, that's confidential information" or similar. Of course, that may or may not be a red flag about the job - if I'm interviewing at NASA or similar I could understand the whole "Proprietary information" argument, but if I'm interviewing at ACME Widgets as a senior developer for their internal CRM, what is proprietary about that?

    I have never met a company that would say "Okay, here's a sample of our codebase"; it's always an excuse why they can't do that for legal reasons, but they want a sample of YOUR code...

  • Hanoi 4 ever (unregistered)

    Boss is right, Victor obviously doesn't understand their kind of "security"...

    Anyway, Victor is the kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html

  • (cs) in reply to Hanoi 4 ever
    Hanoi 4 ever:
    Boss is right, Victor obviously doesn't understand their kind of "security"...

    Anyway, Victor is the kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html

    Wow that article was a bunch of corporate bullshit. Immediately fire people who actually stand up for themselves and suggest ideas instead of just shutting up and doing exactly what their corporate masters tell them.
