• (cs) in reply to Chris S.
    Chris S.:
    Well, there's your problem!

    Someone is using "hunter2" instead of "*******" as their password!

    Don't laugh. I once very carefully programmed a classic bug into an application I was custodian of that managed completely accurately to replace the password of anyone who went into the "Amend password" page to a row of asterisks. D'oh!
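The bug described in that comment, reconstructed as an added example (this is not the commenter's code; the record layout, the form field names and the eight-asterisk MASK placeholder are assumptions made for the demonstration). The buggy page pre-fills the password box with a mask, the browser posts the mask back verbatim when the user leaves it alone, and the handler saves every field unconditionally, so the mask becomes the password. The fixed version never echoes a secret or a stand-in for one, treats a blank new-password field as "leave it alone", and requires the current password plus a matching confirmation before it changes anything.

```python
"""Added example: the 'Amend password' mask write-back bug and its fix.

Assumed model (not from the original page): a user record is a dict holding
a salted PBKDF2 hash; the amend page renders a form dict and a handler saves it.
"""
import hashlib
import hmac
import os

MASK = "*" * 8              # placeholder the buggy page rendered into the field (assumed)
PBKDF2_ROUNDS = 100_000     # kept modest so the demo runs quickly


def set_password(user: dict, password: str) -> dict:
    """Return a copy of the user record with a freshly salted hash."""
    salt = os.urandom(16)
    new = dict(user)
    new["salt"] = salt
    new["pw_hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return new


def verify_password(user: dict, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, user["pw_hash"])


# --- buggy version ----------------------------------------------------------
def render_amend_form_buggy(user: dict) -> dict:
    # Pre-fills the password box so it "looks filled in"; the browser posts
    # the mask back unchanged if the user does not touch the field.
    return {"email": user["email"], "password": MASK}


def save_amend_form_buggy(user: dict, form: dict) -> dict:
    # Saves every field unconditionally, so the mask becomes the password.
    new = set_password(user, form["password"])
    new["email"] = form["email"]
    return new


# --- fixed version ----------------------------------------------------------
def render_amend_form_fixed(user: dict) -> dict:
    # Never echo a secret (or a stand-in for one) into the form.
    return {"email": user["email"], "current_password": "",
            "new_password": "", "confirm_password": ""}


def save_amend_form_fixed(user: dict, form: dict) -> tuple[dict, list[str]]:
    """Change the password only on an explicit, confirmed, authenticated request."""
    errors: list[str] = []
    new = dict(user)
    new["email"] = form["email"]
    new_pw = form.get("new_password", "")
    if new_pw == "":                                   # blank means "leave it alone"
        return new, errors
    if new_pw != form.get("confirm_password", ""):
        errors.append("new passwords do not match")
    if not verify_password(user, form.get("current_password", "")):
        errors.append("current password is wrong")
    if set(new_pw) == {"*"}:                           # refuse the mask itself as a password
        errors.append("new password is not acceptable")
    if errors:
        return new, errors
    return set_password(new, new_pw), errors


def demo() -> dict:
    """Run both flows on a constructed user; returns the observable outcomes."""
    user = set_password({"email": "chris@example.invalid"}, "hunter2")  # constructed sample
    # Buggy: open the page, change nothing, click Save.
    buggy_user = save_amend_form_buggy(user, render_amend_form_buggy(user))
    # Fixed: the same no-op round trip leaves the password untouched...
    fixed_user, errs1 = save_amend_form_fixed(user, render_amend_form_fixed(user))
    # ...and an explicit, confirmed change still works.
    form = render_amend_form_fixed(user)
    form.update(current_password="hunter2", new_password="correct horse",
                confirm_password="correct horse")
    changed_user, errs2 = save_amend_form_fixed(user, form)
    return {
        "buggy_old_still_works": verify_password(buggy_user, "hunter2"),
        "buggy_mask_now_works": verify_password(buggy_user, MASK),
        "fixed_untouched_keeps_old": verify_password(fixed_user, "hunter2") and not errs1,
        "fixed_change_applied": verify_password(changed_user, "correct horse") and not errs2,
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters in production is the first branch of `save_amend_form_fixed`: a password field that comes back empty must be a no-op, which is only safe because the page never put anything in it to begin with.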

  • Paul (unregistered) in reply to airdrik
    airdrik:
    Security is so important, and since we have no idea how to make things secure, the web site isn't even visible on the internet. We receive our orders by e-mail, which our site operators transcribe, submit through the web site, and e-mail back the response.

    Are you INSANE? Email spreads viruses! Customers have to fax or snail-mail their orders, which the site operators then enter by hand into the website. Then they print the results and either fax them back, or snail mail them in the stamped addressed envelope the customer provided, as per the instructions in the printed catalog (a printout of the entire website, stapled together).

  • (cs) in reply to Bronie
    Bronie:

    "Pony" is London slang for "shit".

    Cockney rhyming slang: Pony and trap, crap.

  • Socio (unregistered) in reply to Anketam
    Anketam:
    There really needs to be some law that if you through stupidity provoke someone or something to behave a certain way and they do so they are not at fault.

    Every sociopath and rapist in the world agrees with you. 100%.

  • DCRoss (unregistered) in reply to Hanoi 4 ever
    Hanoi 4 ever:
    http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html
    Smart thinking there. If the product you are developing violates local, state and federal regulations, three international test ban treaties and several inconvenient laws of physics, then you need to fire the wise-ass who complains about it.

    Then you fire the people who don't cheer you on while you're firing the first group of people.

    When you're finished with that you fire everyone who feels that your ham-fisted management style of "Fire everyone and let god sort them out" may just be a teensy bit damaging to morale. Surround yourself with yes-men and people who are either desperate or clueless enough to tell you what you want to hear, and everything will be fine.

    If I hadn't worked there, I wouldn't believe it was possible.

  • (cs) in reply to Anketam
    Anketam:
    ObiWayneKenobi:
    If you ask me, the Real WTF is that it's illegal to hack idiots. Oh how many morons I would run into bankruptcy if it wasn't illegal.
    I lament with you. There really needs to be some law that if you through stupidity provoke someone or something to behave a certain way and they do so they are not at fault. An example of this would be an idiot who taunts a tiger and gets mauled and then the idiot tries to sue the zoo for getting mauled. If you leave your site -that- open to hackers it is like taunting hackers to come and get it.

    I wouldn't go that far, but you could look at how insurance companies look at house burglaries. Yes, the burglars (if they can catch them, good luck with that) are punished according to the law, but if the insurance company realise that you don't have locks on your front door they don't pay out. So yes, Victor (if they can find him - he knows the system well enough so as not to be traceable) would have to pay the penalty for his misdeeds, but then the company would also be financially responsible to the customers for fucking them up.

  • Anonymous (unregistered) in reply to Hanoi 4 ever
    Boss is right, Victor obviously doesn't understand their kind of "security"...

    Anyway, Victor is kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html

    Both of the first two sound like "Har har, Boss is always right, fire whoever disagrees".

  • (cs)

    But seriously guys. What Victor should have done was keep his fat mouth shut, find the fucking bug and smile sweetly and deferentially at that shithead of a boss - and at the same time, keep a lovely long list of the shortcomings of the code to slam onto the table when politically advantageous so to do.

  • Guru (unregistered) in reply to Hanoi 4 ever
    Hanoi 4 ever:
    Anyway, Victor is kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html

    Looks like a perfect lawsuit for illegal firing.

  • Nagesh (unregistered) in reply to Guru
    Guru:
    Hanoi 4 ever:
    Anyway, Victor is kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html

    Looks like a perfect lawsuit for illegal firing.

    Good artical, plz use link proper url=http://thedailywtf.com/Info/BBCode.aspx]next time[/url].

    Stupid matterhorn Askimet basterd! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u!

    This is cow-feces! Why Akimets such a basterd? May bees linking is being bad ideas, askimet being such a basterd. Basterd Askimet, what is your want for me?

    Askimet, you ashole, let m y coment pas! Ganeshes almity, what does it wanting?

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
    
  • (cs)

    Victor made the obvious mistake of assuming "security" meant "keeping unauthorized parties from getting hold of valuable company or customer data", when in fact the boss defined it as "not endangering my job or the jobs of any of the people I've hired in the past".

    (It's like calling someone a "leader". Everyone assumes that means they're forward-thinking, charismatic people who inspire others, when the same word is also defined as "the piece of blank tape at the beginning of a cassette that you can't record anything on.")

  • Nagesh (unregistered) in reply to Nagesh

    Being sory for pedophile askimet not leting me post link ashole.

  • (cs)

    The real WTF is that Victor never found the bug. Hell, he never even searched for the bug.

  • Nimon (unregistered)

    Why does it seem Remy has been Zuned? Hot SQL Injections, Pulling Out etc...

  • Nagesh (unregistered) in reply to Pim
    Pim:
    The real WTF is that Victor never found the bug. Hell, he never even searched for the bug.
    No, real WTF is pedophile askimets.
  • Nagesh (unregistered) in reply to Nimon
    Nimon:
    Why does it seem Remy has been Zuned? Hot SQL Injections, Pulling Out etc...
    Zunesis, Askimets and Remy being brothers in pederasty.
  • Nimon (unregistered) in reply to anon
    anon:
    Agreed. Something was definitely omitted or embellished. Anyone smart enough to spot these issues, would be smart enough to convince someone to understand that there are problems. If not, the real WTF is on them for not making more noise about it. A lot of these stories just seem too terse and glossy.
    <sarcasm>I agree too. All of the non-technical people I work for would always listen to some new guy who's been here for 5 minutes....</sarcasm>
  • Nimon (unregistered) in reply to @Deprecated
    @Deprecated:
    TRWTF-ery:

    "It'll be a good way for you to learn our code base." ... "You're not here to take a field trip through our code,"

    Have you ever learnt anything on a field trip?

  • (cs) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    D-Coder:
    One of the things I have learned from this site is, when interviewing for a job, ask the company for a sample of their code.

    (Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)

    In my experience that usually doesn't work - the company usually will be like "Sorry, that's confidential information" or similar. Of course, that may or may not be a red flag about the job - if I'm interviewing at NASA or similar I could understand the whole "Proprietary information" argument, but if I'm interviewing at ACME Widgets as a senior developer for their internal CRM, what is proprietary about that?

    I have never met a company that would say "Okay, here's a sample of our codebase"; it's always an excuse why they can't do that for legal reasons, but they want a sample of YOUR code...

    I wait until the tech interview. One place (did hospital-related billing) said no, others have said yes (and generally apologized for the state of their code, although it was generally decent). A 5-second look shows if it's indented and has variable names better than "a1", "a2", "a53" etc.

  • Nagesh (unregistered) in reply to Nimon
    Nimon:
    @Deprecated:
    TRWTF-ery:

    "It'll be a good way for you to learn our code base." ... "You're not here to take a field trip through our code,"

    Have you ever learnt anything on a field trip?
    I am lerning askimets is basterd pedophile.

  • Nagesh (unregistered) in reply to Nimon
    Nimon:
    anon:
    Agreed. Something was definitely omitted or embellished. Anyone smart enough to spot these issues, would be smart enough to convince someone to understand that there are problems. If not, the real WTF is on them for not making more noise about it. A lot of these stories just seem too terse and glossy.
    <sarcasm>I agree too. All of the non-technical people I work for would always listen to some new guy who's been here for 5 minutes....</sarcasm>
    Sound like programers of basterd askimets.
  • Nagesh (unregistered) in reply to Nimon
    Nimon:
    Why does it seem Remy has been Zuned? Hot SQL Injections, Pulling Out etc...
    aSKIMETS NOW REQUIRE AL SUBMISION TO CONTAIN REFERENCE TO PEDRESTY.
  • ɥsǝbɐu (unregistered)

    ¡poɥɔɹɐpɐɯ pıdnʇs sı ʇǝɯıʞsɐ ǝsnɐɔǝq ʇʇoɔs ǝʞıן ǝǝɹɟ buıǝq ןןıʍ noʎ ˙dn ǝpıs uʍop ɥʇıʍ sʇxǝʇ ןןɐ buıʇıɹʍ ʇsnظ

  • (cs) in reply to Nimon
    Nimon:
    anon:
    Agreed. Something was definitely omitted or embellished. Anyone smart enough to spot these issues, would be smart enough to convince someone to understand that there are problems. If not, the real WTF is on them for not making more noise about it. A lot of these stories just seem too terse and glossy.
    <sarcasm>I agree too. All of the non-technical people I work for would always listen to some new guy who's been here for 5 minutes....</sarcasm>

    Yep. Takes a while. Have patience, new boys, prove you can do shit before you brag about how much you know shit. All your new colleagues know is you gabbed your way round the fat sweaty arsehole that calls himself your boss.

  • Nagesh (unregistered) in reply to Matt Westwood
    Matt Westwood:
    Nimon:
    anon:
    Agreed. Something was definitely omitted or embellished. Anyone smart enough to spot these issues, would be smart enough to convince someone to understand that there are problems. If not, the real WTF is on them for not making more noise about it. A lot of these stories just seem too terse and glossy.
    <sarcasm>I agree too. All of the non-technical people I work for would always listen to some new guy who's been here for 5 minutes....</sarcasm>

    Yep. Takes a while. Have patience, new boys, prove you can do shit before you brag about how much you know shit. All your new colleagues know is you gabbed your way round the fat sweaty arsehole that calls himself your boss.

    Surpising this comenting makes it bny askimet, since not being refer to your bos molesting yung boys (pederesty).

  • Nagesh (unregistered)

    Anyone noticing askimet only let coment thru refering to pederesty like Sandusky at Pen State?

  • FuBar (unregistered) in reply to @Deprecated
    @Deprecated:
    TRWTF-ery:

    "It'll be a good way for you to learn our code base." ... "You're not here to take a field trip through our code,"

    All you're code base are belong to use.

  • (cs) in reply to Matt Westwood
    Matt Westwood:
    Have patience, new boys, prove you can do shit before you brag about how much you know shit.
    So true. Sometimes the best thing to do when starting a new job is to just ask innocent questions while inheriting/reviewing/finding-vulnerabilities-in the existing codebase, and save your smarts for your own code.

    "Oh, so we don't sanitize browser fields? I see." "We store passwords in plaintext? That's interesting." "So we're not creating a session after authenticating the user? Okay."

    People will find you smart and easy to work with, because you are so interested in the existing code that they worked so hard on, even cool with it. But then later, after you've made friends and written your own code:

    Developer: "Hey, what's this?" New Guy: "That? Oh, that's a parameterized query." Developer: "Why'd you write it that way instead of like <injection-prone example>?" New Guy: "Let me show you why: <visit to xkcd>" Developer: "Oh shit, my code is fucked." New Guy: "It sure is!"

  • Machtyn (unregistered) in reply to D-Coder
    D-Coder:
    (Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)
    I recently turned down a second interview because both of those questions were answered incorrectly. It's too bad, it might have been a good growing opportunity for me.

    The inability to separate application and database, lack of source control, and the obvious retch I observed when I mentioned Open Source solutions* all added up to a no-go.

    (I respect that some companies are averse to using OSS and have good reasons for it. However, her reasons were she wanted to roll her own code - re-invent the wheel, she could write the code faster, etc.)

  • (cs) in reply to boog
    boog:
    So true. Sometimes the best thing to do when starting a new job is to just ask innocent questions while inheriting/reviewing/finding-vulnerabilities-in the existing codebase, and save your smarts for your own code.

    "Oh, so we don't sanitize browser fields? I see." "We store passwords in plaintext? That's interesting." "So we're not creating a session after authenticating the user? Okay."

    People will find you smart and easy to work with, because you are so interested in the existing code that they worked so hard on, even cool with it. But then later, after you've made friends and written your own code:

    Developer: "Hey, what's this?" New Guy: "That? Oh, that's a parameterized query." Developer: "Why'd you write it that way instead of like <injection-prone example>?" New Guy: "Let me show you why: <visit to xkcd>" Developer: "Oh shit, my code is fucked." New Guy: "It sure is!"

    Disagree. It's usually not even worth wasting the time with people that clueless. It's one thing if you come from, say, a TDD environment and people aren't that up to speed on unit testing - that can be taught. But basic 101 amateur stuff? Better to just up and quit and find people that AREN'T complete idiots.

  • (cs) in reply to boog
    boog:
    Matt Westwood:
    Have patience, new boys, prove you can do shit before you brag about how much you know shit.
    So true. Sometimes the best thing to do when starting a new job is to just ask innocent questions while inheriting/reviewing/finding-vulnerabilities-in the existing codebase, and save your smarts for your own code.

    "Oh, so we don't sanitize browser fields? I see." "We store passwords in plaintext? That's interesting." "So we're not creating a session after authenticating the user? Okay."

    People will find you smart and easy to work with, because you are so interested in the existing code that they worked so hard on, even cool with it. But then later, after you've made friends and written your own code:

    Developer: "Hey, what's this?" New Guy: "That? Oh, that's a parameterized query." Developer: "Why'd you write it that way instead of like <injection-prone example>?" New Guy: "Let me show you why: <visit to xkcd>" Developer: "Oh shit, my code is fucked." New Guy: "It sure is!"

    Boss: "I hear you've been encouraging your colleagues to surf the internet for cartoons. Please collect your paperwork from HR on your way out."

  • (cs) in reply to Matt Westwood
    Matt Westwood:
    boog:
    Matt Westwood:
    Have patience, new boys, prove you can do shit before you brag about how much you know shit.
    So true. Sometimes the best thing to do when starting a new job is to just ask innocent questions while inheriting/reviewing/finding-vulnerabilities-in the existing codebase, and save your smarts for your own code.

    "Oh, so we don't sanitize browser fields? I see." "We store passwords in plaintext? That's interesting." "So we're not creating a session after authenticating the user? Okay."

    People will find you smart and easy to work with, because you are so interested in the existing code that they worked so hard on, even cool with it. But then later, after you've made friends and written your own code:

    Developer: "Hey, what's this?" New Guy: "That? Oh, that's a parameterized query." Developer: "Why'd you write it that way instead of like <injection-prone example>?" New Guy: "Let me show you why: <visit to xkcd>" Developer: "Oh shit, my code is fucked." New Guy: "It sure is!"

    Boss: "I hear you've been encouraging your colleagues to surf the internet for cartoons. Please collect your paperwork from HR on your way out."

    Well yeah, if you want to be realistic about it.

  • Expert (unregistered) in reply to Machtyn
    Machtyn:
    I respect that some companies are averse to using Open Source solutions and have good reasons for it. However, her reasons were she wanted to roll her own code - re-invent the wheel, she could write the code faster, etc.

    This is correct. To check what exactly open-source code does, you spend at least twice as much time as if you wrote it yourself.

  • will (unregistered) in reply to Hanoi 4 ever
    Hanoi 4 ever:
    Boss is right, Victor obviously doesn't understand their kind of "security"...

    Anyway, Victor is kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html

    The text is not totally bad; the "examples" they give at the start of each type are just horrid and in some cases don't reflect what they mean. Overall, a good example of poor writing and editing for a magazine.

    As long as they don't bring back the "fire anyone you become dependent on" that was popular a few years ago.

  • geoffrey (unregistered)

    Priority one for Victor should have been completing his assignment as directed by his superiors. If someone on my staff isn't going to work on the tasks at the top of my list, then I have no use for them. Every app has its problems, and I don't need the new guy throwing them in my face all at once, especially when his work is still sitting there, undone.

  • (cs) in reply to geoffrey
    geoffrey:
    Priority one for Victor should have been completing his assignment as directed by his superiors. If someone on my staff isn't going to work on the tasks at the top of my list, then I have no use for them. Every app has its problems, and I don't need the new guy throwing them in my face all at once, especially when his work is still sitting there, undone.

    Hate to say this, but for once I agree with geoffrey here. Just that I disagree with the boss's reasons (as given in the anecdote) for firing Victor.

  • (cs) in reply to Nagesh
    Nagesh:
    Anyone noticing askimet only let coment thru refering to pederesty like Sandusky at Pen State?
    Please give it a rest and go back under your bridge.
  • (cs) in reply to Machtyn
    Machtyn:
    D-Coder:
    (Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)
    I recently turned down a second interview because both of those questions were answered incorrectly. It's too bad, it might have been a good growing opportunity for me.
    Yeah... no, not the kind of growing opportunity that I want.
  • Dinner Time (unregistered)
  • A Gould (unregistered) in reply to Flamer
    Flamer:
    So, at the end of the day, Victor knows how to break into their application. I would make $$$ if I was him.

    At the least, I would think there'd be some solid consulting opportunities by going to the clients and showing them how insecure their data is.

  • Blakeygirl (unregistered) in reply to Anketam
    Anketam:
    ObiWayneKenobi:
    If you ask me, the Real WTF is that it's illegal to hack idiots. Oh how many morons I would run into bankruptcy if it wasn't illegal.
    I lament with you. There really needs to be some law that if you through stupidity provoke someone or something to behave a certain way and they do so they are not at fault. An example of this would be an idiot who taunts a tiger and gets mauled and then the idiot tries to sue the zoo for getting mauled. If you leave your site -that- open to hackers it is like taunting hackers to come and get it.
    Just like the girls in short skirts in bars are almost gagging for rape.
  • Shinobu (unregistered)

    Victor's boss was right to let him go. He probably understood the security needs of their application better than Victor. There is simply no way that you as a developer can know the cost-benefit picture of application security. Yes, doing X, Y and Z will make it more secure. But it will cost money (if only to train the other developers to use new practices) and depending on your situation the likelihood that people will poke around and ‘test’ the security of your application may be slim. And even if they do, they might not do the company that much monetary damage and possibly the potential damage done could be shifted to a third party. You, as a developer cannot know this. If your boss says the application doesn't need to be secure, then don't go bother him with security flaws. It's just a waste of both your time.

    As for those bashing the Businessweek article, you clearly don't get it. The article wasn't aimed at you, but at your boss. The developer who e.g. complains that any solution would be incompatible with the laws of physics will hold the team back from developing the half-assed non-solution that he needs to keep his department or company afloat until the next quarter.

  • Guru (unregistered) in reply to Shinobu

    Boss actually said application DOES need to be secure.

    Reading comprehension FTW

  • (cs)

    Not surprising that the Businessweek article goes on to praise Thomas A. Edison, ruthless idea-stealing businessman extraordinaire.

  • programmer (unregistered) in reply to Shinobu
    Shinobu:
    Victor's boss was right to let him go. He probably understood the security needs of their application better than Victor. There is simply no way that you as a developer can know the cost-benefit picture of application security. Yes, doing X, Y and Z will make it more secure. But it will cost money (if only to train the other developers to use new practices) and depending on your situation the likelihood that people will poke around and ‘test’ the security of your application may be slim. And even if they do, they might not do the company that much monetary damage and possibly the potential damage done could be shifted to a third party. You, as a developer cannot know this. If your boss says the application doesn't need to be secure, then don't go bother him with security flaws. It's just a waste of both your time.

    As for those bashing the Businessweek article, you clearly don't get it. The article wasn't aimed at you, but at your boss. The developer who e.g. complains that any solution would be incompatible with the laws of physics will hold the team back from developing the half-assed non-solution that he needs to keep his department or company afloat until the next quarter.

    Actually, Victor's boss did him a huge favour. Given the bad state of the application and the overall emphasis on security when none is to be had, it would not be hard to imagine who would take the rap for the inevitable security intrusion.

    The cost-benefit picture must include the cost to the brand should a severe security breach occur, and on that basis alone, the manager should have been fired.

  • JD (unregistered) in reply to geoffrey
    geoffrey:
    Priority one for Victor should have been completing his assignment as directed by his superiors. If someone on my staff isn't going to work on the tasks at the top of my list, then I have no use for them. Every app has its problems, and I don't need the new guy throwing them in my face all at once, especially when his work is still sitting there, undone.

    "... learn our code base," said Victor's boss. "Security is job one," the boss said.

    It seems by learning the code base, and finding security flaws, Victor was doing exactly what he was told. It's just that Victor's boss didn't actually mean anything he said except the "look at this bug" part.

  • geoffrey (unregistered) in reply to JD
    JD:
    geoffrey:
    Priority one for Victor should have been completing his assignment as directed by his superiors. If someone on my staff isn't going to work on the tasks at the top of my list, then I have no use for them. Every app has its problems, and I don't need the new guy throwing them in my face all at once, especially when his work is still sitting there, undone.

    "... learn our code base," said Victor's boss. "Security is job one," the boss said.

    It seems by learning the code base, and finding security flaws, Victor was doing exactly what he was told. It's just that Victor's boss didn't actually mean anything he said except the "look at this bug" part.

    That is a weak justification for insubordinate behavior. Victor's boss didn't get to where he was by being stupid. He needed a bug fixed, not to be repeatedly told about known issues of lower priority while ignoring a top priority defect. Victor's boss needed a team player, not a cowboy.

  • Shinobu (unregistered) in reply to programmer
    programmer:
    The cost-benefit picture must include the cost to the brand should a severe security breach occur, and on that basis alone, the manager should have been fired.
    You, as a programmer, cannot know the cost to the brand, nor even if there will be any cost to the brand, nor how it relates to other factors. The big picture is simply inaccessible to you and even if you had all the figures you probably couldn't make head nor tail of them because you don't have the prerequisite training.
  • wydok (unregistered)

    TRWTF is that the article doesn't state whether Victor fixed the bug.

  • (cs)

    So we are assuming that Victor already knows where the input comes from? The last webapp I wrote called a sanitize function to make the input SQL-friendly before it even bothered to check what it was. This means that no matter where in the program the input was used, it was already sanitized and ready for the database (even if the input didn't need it). I don't know if that's bad practice, but a great majority of input coming from the user interacted with the database, so it seemed the most logical place to put it instead of calling a sanitize function before each SQL query.

    I don't know if I'm missing something, but just because query input isn't sanitized right then and there doesn't mean that the input wasn't sanitized somewhere else (that Victor hadn't seen, assuming they know which module had the bug in it).

    IDK, maybe I'm thinking too hard or maybe doing it wrong, but for me sanitizing is done the moment the input hits the server.
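An added example, not code from the page or from any of the commenters, that ties the "sanitize the moment it hits the server" approach above to boog's earlier parameterized-query exchange: a quote-doubling `sanitize()` applied to every input at the door, the string-built queries that rely on it, and the parameterized equivalents. The table, rows and function names are constructed for the demonstration. It shows the sanitizer holding up in a quoted string context, being bypassed in a numeric context where nothing is quoted, and being irrelevant for identifiers such as ORDER BY columns, which neither escaping nor placeholders can protect.

```python
"""Added example: why a global "sanitize at the door" function is not a
substitute for parameterized queries. Uses sqlite3 and a constructed table.
"""
import sqlite3


def sanitize(value: str) -> str:
    """The 'make it SQL-friendly' step applied to every input at entry:
    doubles single quotes so the value can sit safely inside '...'."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the schema and rows are not from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0), (3, "O'Brien", 0)])
    return conn


# --- string-building with the pre-sanitized value -----------------------------
def names_by_name_concat(conn: sqlite3.Connection, name: str) -> list[str]:
    # Quoted context: the one case the sanitizer was written for. It works here.
    sql = f"SELECT name FROM users WHERE name = '{sanitize(name)}'"
    return [r[0] for r in conn.execute(sql)]


def names_by_id_concat(conn: sqlite3.Connection, id_text: str) -> list[str]:
    # Numeric context: no quotes around the value, so quote-doubling changes
    # nothing and "1 OR 1=1" is executed as SQL.
    sql = f"SELECT name FROM users WHERE id = {sanitize(id_text)}"
    return [r[0] for r in conn.execute(sql)]


# --- parameterized equivalents ---------------------------------------------------
def names_by_name_param(conn: sqlite3.Connection, name: str) -> list[str]:
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def names_by_id_param(conn: sqlite3.Connection, id_text: str) -> list[str]:
    # The driver sends the value separately from the statement text; whatever
    # it contains is compared as a value and is never parsed as SQL.
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE id = ?", (id_text,))]


ALLOWED_SORT_COLUMNS = {"id", "name"}


def names_sorted(conn: sqlite3.Connection, column: str) -> list[str]:
    # Identifiers cannot be bound as parameters, and escaping quotes does not
    # apply to them either. An allowlist is the only workable control.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


def demo() -> dict:
    conn = make_db()
    attack = "1 OR 1=1"   # constructed payload for a numeric context
    return {
        "quoted_context_concat": names_by_name_concat(conn, "O'Brien"),
        "numeric_context_concat": sorted(names_by_id_concat(conn, attack)),
        "numeric_context_param": names_by_id_param(conn, attack),
    }


if __name__ == "__main__":
    print(demo())
```

The commenter's instinct that "a great majority of input interacts with the database" is exactly why central escaping gives false comfort: the escaping is correct for one syntactic position (inside single quotes) and silently useless in every other, while a placeholder is correct for every value position and forces the identifier case into an explicit allowlist.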
