Admin
Don't laugh. I once very carefully programmed a classic bug into an application I was custodian of that managed completely accurately to replace the password of anyone who went into the "Amend password" page to a row of asterisks. D'oh!
Admin
Are you INSANE? Email spreads viruses! Customers have to fax or snail-mail their orders, which the site operators then enter by hand into the website. Then they print the results and either fax them back, or snail mail them in the stamped addressed envelope the customer provided, as per the instructions in the printed catalog (a printout of the entire website, stapled together).
Admin
"Pony" is London slang for "shit".
Cockney rhyming slang: Pony and trap, crap.
Admin
Every sociopath and rapist in the world agrees with you. 100%.
Admin
Then you fire the people who don't cheer you on while you're firing the first group of people.
When you're finished with that you fire everyone who feels that your ham-fisted management style of "Fire everyone and let god sort them out" may just be a teensy bit damaging to morale. Surround yourself with yes-men and people who are either desperate or clueless enough to tell you what you want to hear, and everything will be fine.
If I hadn't worked there, I wouldn't believe it was possible.
Admin
I wouldn't go that far, but you could look at how insurance companies look at house burglaries. Yes, the burglars (if they can catch them, good luck with that) are punished according to the law, but if the insurance company realise that you don't have locks on your front door they don't pay out. So yes, Victor (if they can find him - he knows the system well enough so as not to be traceable) would have to pay the penalty for his misdeeds, but then the company would also be financially responsible to the customers for fucking them up.
Admin
Both of the first two sound like "Har har, Boss is always right, fire whoever disagrees".
Admin
But seriously guys. What Victor should have done was keep his fat mouth shut, find the fucking bug and smile sweetly and deferentially at that shithead of a boss - and at the same time, keep a lovely long list of the shortcomings of the code to slam onto the table when politically advantageous so to do.
Admin
Looks like a perfect lawsuit for illegal firing.
Admin
Stupid matterhorn Akismet bastard! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u! Screwing u!
This is cow feces! Why is Akismet such a bastard? Maybe linking is being bad ideas, Akismet being such a bastard. Bastard Akismet, what is your want for me?
Akismet, you asshole, let my comment pass! Ganesh almighty, what is it wanting?
Admin
Victor made the obvious mistake of assuming "security" meant "keeping unauthorized parties from getting hold of valuable company or customer data", when in fact the boss defined it as "not endangering my job or the jobs of any of the people I've hired in the past".
(It's like calling someone a "leader". Everyone assumes that means they're forward-thinking, charismatic people who inspire others, when the same word is also defined as "the piece of blank tape at the beginning of a cassette that you can't record anything on.")
Admin
Being sorry for pedophile Akismet not letting me post link, asshole.
Admin
The real WTF is that Victor never found the bug. Hell, he never even searched for the bug.
Admin
Why does it seem Remy has been Zuned? Hot SQL Injections, Pulling Out etc...
Admin
Just writing all texts with down side up. You will be free like Scott because Akismet is stupid madarchod!
Admin
Yep. Takes a while. Have patience, new boys, prove you can do shit before you brag about how much you know shit. All your new colleagues know is you gabbed your way round the fat sweaty arsehole that calls himself your boss.
Admin
Anyone noticing Akismet only lets comments through referring to pederasty, like Sandusky at Penn State?
Admin
"Oh, so we don't sanitize browser fields? I see." "We store passwords in plaintext? That's interesting." "So we're not creating a session after authenticating the user? Okay."
People will find you smart and easy to work with, because you are so interested in the existing code that they worked so hard on, even cool with it. But then later, after you've made friends and written your own code:
Developer: "Hey, what's this?" New Guy: "That? Oh, that's a parameterized query." Developer: "Why'd you write it that way instead of like <injection-prone example>?" New Guy: "Let me show you why: <visit to xkcd>" Developer: "Oh shit, my code is fucked." New Guy: "It sure is!"
Admin
The inability to separate application and database, lack of source control, and the obvious retch I observed when I mentioned Open Source solutions* all added up to a no-go.
(I respect that some companies are averse to using OSS and have good reasons for it. However, her reasons were she wanted to roll her own code - re-invent the wheel, she could write the code faster, etc.)
Admin
Disagree. It's usually not even worth wasting the time with people that clueless. It's one thing if you come from, say, a TDD environment and people aren't that up to speed on unit testing - that can be taught. But basic 101 amateur stuff? Better to just up and quit and find people that AREN'T complete idiots.
Admin
Boss: "I hear you've been encouraging your colleagues to surf the internet for cartoons. Please collect your paperwork from HR on your way out."
Admin
This is correct. To check what exactly open-source code does, you spend at least twice the time as if you wrote it yourself.
Admin
As long as they don't bring back the "fire anyone you become dependent on" that was popular a few years ago.
Admin
Priority one for Victor should have been completing his assignment as directed by his superiors. If someone on my staff isn't going to work on the tasks at the top of my list, then I have no use for them. Every app has its problems, and I don't need the new guy throwing them in my face all at once, especially when his work is still sitting there, undone.
Admin
Hate to say this, but for once I agree with geoffrey here. Just that I disagree with the boss's reasons (as given in the anecdote) for firing Victor.
Admin
At the least, I would think there'd be some solid consulting opportunities by going to the clients and showing them how insecure their data is.
Admin
Victor's boss was right to let him go. He probably understood the security needs of their application better than Victor. There is simply no way that you as a developer can know the cost-benefit picture of application security. Yes, doing X, Y and Z will make it more secure. But it will cost money (if only to train the other developers to use new practices) and depending on your situation the likelihood that people will poke around and ‘test’ the security of your application may be slim. And even if they do, they might not do the company that much monetary damage and possibly the potential damage done could be shifted to a third party. You, as a developer cannot know this. If your boss says the application doesn't need to be secure, then don't go bother him with security flaws. It's just a waste of both your time.
As for those bashing the Businessweek article, you clearly don't get it. The article wasn't aimed at you, but at your boss. The developer who e.g. complains that any solution would be incompatible with the laws of physics will hold the team back from developing the half-assed non-solution that he needs to keep his department or company afloat until the next quarter.
Admin
Boss actually said application DOES need to be secure.
Reading comprehension FTW
Admin
Not surprising that the Businessweek article goes on to praise Thomas A. Edison, ruthless idea-stealing businessman extraordinaire.
Admin
Actually, Victor's boss did him a huge favour. Given the bad state of the application and the overall emphasis on security when none is to be had, it would not be hard to imagine who would take the rap for the inevitable security intrusion.
The cost-benefit picture must include the cost to the brand should a severe security breach occur, and on that basis alone, the manager should have been fired.
Admin
"... learn our code base," said Victor's boss. "Security is job one," the boss said.
It seems that by learning the code base and finding security flaws, Victor was doing exactly what he was told. It's just that Victor's boss didn't actually mean anything he said except the "look at this bug" part.
Admin
That is a weak justification for insubordinate behavior. Victor's boss didn't get to where he was by being stupid. He needed a bug fixed, not to be repeatedly told about known issues of lower priority while ignoring a top priority defect. Victor's boss needed a team player, not a cowboy.
Admin
TRWTF is that the article doesn't state whether Victor fixed the bug.
Admin
So we are assuming that Victor already knows where the input comes from? The last webapp I wrote called a sanitize function to make the input SQL-friendly before it even bothered to check what it was. This means that no matter where in the program the input was used, it was already sanitized and ready for the database (even if the input didn't need it). I don't know if that's bad practice, but a great majority of input coming from the user interacted with the database, so it seemed the most logical place to put it instead of calling a sanitize function before each SQL query.
I don't know if I'm missing something, but just because query input isn't sanitized right then and there doesn't mean that the input wasn't sanitized somewhere else (that Victor hadn't seen, assuming they know which module had the bug in it).
IDK, maybe I'm thinking too hard or maybe doing it wrong, but for me sanitizing is done the moment the input hits the server.
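Two comments above argue about this from opposite ends: the "that's a parameterized query" exchange, and the last comment's preference for one sanitize pass the moment input hits the server. The following is an added example, not code from the original thread or from the application in the story, showing both shapes side by side. It assumes an in-memory SQLite database with two constructed user rows, and `sanitize_at_edge` is a hypothetical stand-in for a global quote-escaping pass.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the thread): two users in an in-memory
    SQLite database. Password storage is deliberately out of scope here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, name: str, secret: str) -> bool:
    """The injection-prone shape: user text is spliced into the SQL grammar."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND secret = '{secret}'"
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, name: str, secret: str) -> bool:
    """The parameterized shape: values are bound by the driver, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ? AND secret = ?", (name, secret)
    ).fetchone()
    return row is not None


def sanitize_at_edge(value: str) -> str:
    """Hypothetical stand-in for a 'sanitize everything as it hits the server' pass:
    doubles single quotes, which only helps inside a quoted SQL string literal."""
    return value.replace("'", "''")


def user_by_id_concat(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Numeric context: the value is never quoted, so quote-escaping cannot apply."""
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def user_by_id_param(conn: sqlite3.Connection, user_id) -> list[str]:
    """Bound parameter: the text '1 OR 1=1' is compared as a value and matches no id."""
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


def demo() -> dict:
    conn = make_db()
    quoted_payload = "' OR '1'='1"   # classic string-context payload
    numeric_payload = "1 OR 1=1"     # contains no quotes, so there is nothing to escape
    return {
        "concat_bypassed": login_concat(conn, "alice", quoted_payload),
        "param_holds": login_param(conn, "alice", quoted_payload),
        "edge_escape_ok_in_string_ctx": login_concat(conn, "alice", sanitize_at_edge(quoted_payload)),
        "edge_escape_fails_in_numeric_ctx": user_by_id_concat(conn, sanitize_at_edge(numeric_payload)),
        "param_holds_in_numeric_ctx": user_by_id_param(conn, numeric_payload),
        "param_legit_lookup": user_by_id_param(conn, 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The edge-sanitize approach does stop the quoted payload in the login query, which is why it looks like it works, but the same escaped value splices straight into the unquoted `id = ...` query and returns every row. A single pass at the server boundary cannot know which SQL context each value will land in later; binding the value as a parameter at the query does not need to know.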