• smilr (unregistered) in reply to Shinobu

    A programmer knows the name of the company, what business they do on the web, and that their marketing angle includes a focus on the security of their services / products. (He was told as much while interviewing) Combining just that general knowledge with such a huge list of attack vectors and security failings can give us a good ballpark estimate. Something along the lines of "This company will be sued into oblivion or lose enough clients as to become financially insolvent should these issues become public knowledge / exploited" sounds about right.

    He may have been hit with a pink slip, but he REALLY dodged a bullet here.

  • (cs) in reply to Shinobu
    Shinobu:
    programmer:
    The cost-benefit pales must include the cost to the brand should a severe security breach occur, and on that basis alone, the manager should have been fired.
    You, as a programmer, cannot know the cost to the brand, nor even if there will be any cost to the brand, nor how it relates to other factors. The big picture is simply inaccessible to you and even if you had all the figures you probably couldn't make head nor tail of them because you don't have the prerequisite training.

    What if Victor's boss had listened to him and those security fixes had prevented the Sony attack last spring? Think about what that did to the brand.

    All Victor's boss needed to tell him was to write down the lines (numbers) he had concerns with on a sticky note and send it to someone, saying "look, the new guy has some security concerns in our highly secure software... should we be worried about this?"

  • Shinobu (unregistered) in reply to PiisAWheeL
    PiisAWheeL:
    Sony
    I think we can safely say Victor's company wasn't Sony. Probably its situation won't compare with Sony's in any way and yet you are taking a specific situation and pretending that it applies generally. But again, you don't know the big picture and even if you did you wouldn't understand it. And it's easy for you to say ‘all you need to do is X’ but what you're actually talking about is taking up Victor's time, Victor's boss's time, and his co-workers' time. That's an investment - and if the expected return on investment is too low, the boss says no.
  • (cs) in reply to Shinobu
    Shinobu:
    PiisAWheeL:
    Sony
    I think we can safely say Victor's company wasn't Sony. Probably its situation won't compare with Sony's in any way and yet you are taking a specific situation and pretending that it applies generally. But again, you don't know the big picture and even if you did you wouldn't understand it. And it's easy for you to say ‘all you need to do is X’ but what you're actually talking about is taking up Victor's time, Victor's boss's time, and his co-workers' time. That's an investment - and if the expected return on investment is too low, the boss says no.

    I used Sony as an example because that's the kind of company where you expect people to know which side of the if statement to put the curly brackets on.

    Finding and improving code always costs money and time. When you emphasise to a person that something is important (security) and they bring up a potential security risk, at the very least you could look into it. If they aren't going to look into it or explain to Victor why they aren't security risks (like the sanitize function being somewhere else), then they have effectively lied to Victor. They have told him that security is number 1, but their actions speak otherwise.

    The cost of the Sony incident (money and image) was probably more expensive than if the new guy had gone to a supervisor and said "Hey, this looks funny." Now instead of fixing a system with a few security holes they rewrote the infrastructure. How is that better than spending some time to figure out if the new guy is full of shit?

  • (cs) in reply to geoffrey
    geoffrey:
    Victor's boss didn't get to where he was by being stupid.
    BWA-HAHAHAHAHAHAHAHA!

    Note to Geoffrey: Trolls are supposed to be provocative, not amazingly stupendously fantastically stupid. That's Nagesh's role.

  • Socio (unregistered) in reply to Shinobu
    Shinobu:
    programmer:
    The cost-benefit pales must include the cost to the brand should a severe security breach occur, and on that basis alone, the manager should have been fired.
    You, as a programmer, cannot know the cost to the brand, nor even if there will be any cost to the brand, nor how it relates to other factors. The big picture is simply inaccessible to you and even if you had all the figures you probably couldn't make head nor tail of them because you don't have the prerequisite training.
    Oh really? Since you've told me I don't have the training to estimate the cost to the brand, that leaves me only with empirical observation to satisfy my curiosity.

    Step 1: Publicly disclose the vulnerability to customers and shareholders in accordance with the ACM's Software Engineering Code of Ethics and Professional Practice.

    ACM Software Engineering Code of Ethics and Professional Practice:
    1.04. Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.

    Step 2: Enjoy the look on your face.

  • Moe (unregistered)

    Honestly, we don't know for sure what Boss said on interview. May be it was like

    Boss: we need someone for bugfixing shitload of our stinking code which we improving now. Also this is raw prototype full of holes and vulnerabilities we are closing now. What Victor heard: We have improved code. And it's secure

    Later that day: OMGWTF, you didn't fix that easiest bug, which I put in the code intentionally to verify your qualification. Fired.

  • Late Night Pony (unregistered)
  • (cs) in reply to Late Night Pony
    Late Night Pony:

    "Is that reception? Someone's done a fucking pony in my bed."

  • programmer (unregistered) in reply to Shinobu
    Shinobu:
    programmer:
    The cost-benefit pales must include the cost to the brand should a severe security breach occur, and on that basis alone, the manager should have been fired.
    You, as a programmer, cannot know the cost to the brand, nor even if there will be any cost to the brand, nor how it relates to other factors. The big picture is simply inaccessible to you and even if you had all the figures you probably couldn't make head nor tail of them because you don't have the prerequisite training.

    Very ingenious misdirection. No amount of business-speak can detract from the central message that a porous application begs for security breaches and that damage to the brand can and does occur.

    Whenever there are the kinds of blatant weaknesses that allow for SQL injection, I can assure you that a simple arithmetic can be done to demonstrate how much damage can be done not just to the brand, but to the continued employment of said manager.

    Imagine what a damning report the auditors would give an application whose focus is on security.

  • yox (unregistered)

    TRWTF is saying "foomail.it" instead of "example.com". Future owners of foomail.it will thank you for helping webscrapers find foomail.it-email-addresses. Jerk.

  • cox (unregistered) in reply to yox
    yox:
    TRWTF is saying "foomail.it" instead of "example.com". Future owners of foomail.it will thank you for helping webscrapers find foomail.it-email-addresses. Jerk.

    TRRWTF is that all of the pros here watching daily-wtf did not notice this sooner.

    Of course, the real pros don't feel satisfaction by watching daily-wtf because they know they are good and that's it.

    Oh, that also disqualifies myself as a pro. Anyways, we all are idiots.

  • Timmy (unregistered) in reply to Nagesh
    Nagesh:
    Isn't Nagesh Hindi for anonymous?

    No, it's Hindi for Lord (God) of snakes aka Shiva, who happens to be most of the popular Hindu Gods. No, there are no typos or grammatical issues in the previous sentence. Shiva is literally most of the popular Hindu Gods. He has many 'incarnations'

  • (cs) in reply to Matt Westwood
    Matt Westwood:
    geoffrey:
    Priority one for Victor should have been completing his assignment as directed by his superiors. If someone on my staff isn't going to work on the tasks at the top of my list, then I have no use for them. Every app has its problems, and I don't need the new guy throwing them in my face all at once, especially when his work is still sitting there, undone.

    Hate to say this, but for once I agree with geoffrey here. Just that I disagree with the boss's reasons (as given in the anecdote) for firing Victor.

    I disagree. When you employ a new member of staff, you need to cut him a little slack. You also need to be aware that there will be at least a little shaking of the departmental tree, where all sorts of little personality details come to the fore. In the UK it is usual for there to be a period of probation (of the order of 3 months or so) in order for the new employee to shake down and establish whether he is a fit or not. To dismiss him on the basis of his performance on his first assignment is alarmingly premature.

    Under the circumstances as described (and understanding that there is a considerable quantity of simplification and personal bias in the tale as told), it appears that Victor's skill and experience would be of considerable use in that company - but maybe not performing tasks of the particular kind that had been assigned him on his first day. Having said that, such should have been clear to Victor's boss (or Victor's boss's boss - we don't know how large an enterprise we are talking about here) at the interview.

    In conclusion: Victor's boss is more at fault than Victor here, although Victor will no doubt have learned a valuable lesson in politics.

  • Reception (unregistered) in reply to Matt Westwood
    Matt Westwood:
    "Is that reception? Someone's done a fucking pony in my bed."

    Of course it's fucking pony! What you were expecting for your money, a woman? Enjoy yourself! hangs

  • An innocent abroad (unregistered) in reply to Timmy
    Timmy:
    No, there are no typos or grammatical issues in the previous sentence.
    That is true. On the other hand, all the content is wrong. Not even "it's Hindi" is true.

    Snake-deities: Nāgas (Sanskrit/Pali, actually instead of Hindi) are completely unrelated to Shiva. Nagesh: an Indian male given name as well as surname.

    You may have been thinking of Ganesh, the God of Obstacles (amongst others); but again, not a manifestation of Shiva in any way. I always think of the manifold Nagesh-es as dyslectic inverted manifestations of Ganesh (who is "remover of obstacles" and hence God of Progress, Science and Enlightenment) -- these Nagesh-es just create obstacles and hamper reading.

    Bad luck, Timmy, try again, you were a nice contestant.

  • (cs) in reply to An innocent abroad
    An innocent abroad:
    Timmy:
    No, there are no typos or grammatical issues in the previous sentence.
    That is true. On the other hand, all the content is wrong. Not even "it's Hindi" is true.

    Snake-deities: Nāgas (Sanskrit/Pali, actually instead of Hindi) are completely unrelated to Shiva. Nagesh: an Indian male given name as well as surname.

    You may have been thinking of Ganesh, the God of Obstacles (amongst others); but again, not a manifestation of Shiva in any way. I always think of the manifold Nagesh-es as dyslectic inverted manifestations of Ganesh (who is "remover of obstacles" and hence God of Progress, Science and Enlightenment) -- these Nagesh-es just create obstacles and hamper reading.

    Bad luck, Timmy, try again, you were a nice contestant.

    Besides, Ganesh is an elephant. Everybody knows that.

  • Nanesh (unregistered) in reply to QJo
    QJo:

    Besides, Ganesh is an elephant. Everybody knows that.

    Everybody just doesn't give a fuck.

  • Marcos (unregistered)

    For me, the most important phrase is the last. Has Victor understood the security requirements of the application? Perhaps not. Although the application has some bad security programming practices, maybe it has a security risk level that permits such bugs.

  • (cs)

    Why does this remind me of an article I read some time ago about a credit card company? Lessee if I can find it again

    Hah, found it :D

    http://it.slashdot.org/story/11/06/14/2046216/how-citigroup-hackers-easily-gained-access

  • (cs) in reply to PiisAWheeL
    PiisAWheeL:
    I don't know if that's bad practice, but a great majority of input coming from the user interacted with the database, so it seemed the most logical place to put it instead of calling a sanitize function before each SQL query.

    ...

    IDK maybe I'm thinking too hard or maybe doing it wrong, but for me sanitizing is done the moment the input hits the server.

    http://diovo.com/2008/09/sanitizing-user-data-how-and-where-to-do-it/ You are doing it wrong. You should sanitize for the database right before storing it in the database and sanitize for HTML right before outputting it on the page. This way someone can actually have a username like "; DROP TABLE users; --".
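    The boundary rule from the comment above, as an added example (not code from the thread or from the linked diovo.com post): a username such as `; DROP TABLE users; --` is stored verbatim through a parameterized query and is escaped for HTML only at the moment it is rendered. The in-memory `users` table and the helper names are assumptions made for the demo.

```python
import html
import sqlite3

HOSTILE_NAME = "; DROP TABLE users; --"  # the username from the comment above


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_user(conn: sqlite3.Connection, name: str) -> int:
    """Store the name exactly as entered: no 'sanitizing' at input time.

    The ? placeholder makes the driver bind `name` as a value, so quotes,
    semicolons and comment markers inside it are data, never SQL syntax.
    """
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def load_user(conn: sqlite3.Connection, user_id: int):
    """Read the name back; it comes out byte-for-byte as it went in."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the schema so the demo can show the users table survived."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def render_greeting(name: str) -> str:
    """Escape for HTML here, at the output boundary, and for this context only."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def round_trip(name: str = HOSTILE_NAME) -> dict:
    """Store, reload and render one username; returns what each boundary saw."""
    conn = make_db()
    uid = store_user(conn, name)
    stored = load_user(conn, uid)
    return {
        "stored": stored,                                 # unchanged user input
        "users_table_intact": table_exists(conn, "users"),
        "html": render_greeting(stored),                  # escaped only on output
    }


if __name__ == "__main__":
    for candidate in (HOSTILE_NAME, "O'Brien <admin>"):
        print(round_trip(candidate))
```

    The second constructed name, `O'Brien <admin>`, is harmless to the database but needs escaping in HTML, which is why the two encodings belong at two different boundaries.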

  • (cs) in reply to D-Coder
    D-Coder:
    ObiWayneKenobi:
    Sounds like the story of my IT Career: Get suckered in by a smooth-talking company that presents itself as having great developers, good code and a great working environment to find out the codebase is trash, most if not all of my co-workers wouldn't know OOP if it bit them on the ass, and the company is more focused on PR and looking like a great company than actually BEING a great company.
    One of the things I have learned from this site is, when interviewing for a job, ask the company for a sample of their code.

    (Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)

    "What do you use for source control?" "We log the lines we changed in a txt file, zip the entire code up, and mail it to the entire team. That way, we can track changes until that blasted weekly mailbox purge runs, which was put into place after too many people's mailboxes got too big."

  • itsmo (unregistered)

    5,[email protected],hunter2

    that's 3 fields in a key/value 'pair'.

    That must be handled by using a boolean, as in: True, False, File not found.

  • just me (unregistered) in reply to Guru
    Guru:
    Hanoi 4 ever:
    Anyway, Victor is the kind of developer any innovative company should fire on the spot: http://www.businessweek.com/management/three-types-of-people-to-fire-immediately-11082011.html

    Looks like a perfect lawsuit against illegal firing.

    Ah, so you're the 'Victim' type. Please clean your desk by tomorrow morning.

  • L. (unregistered) in reply to Expert
    Expert:
    Machtyn:
    I respect that some companies are averse to using Open Source solutions and have good reasons for it. However, her reasons were she wanted to roll her own code - re-invent the wheel, she could write the code faster, etc.

    This is correct. To check what exactly open-source code does, you spend at least twice as much time as if you wrote it yourself.

    Quite not false ...

    And packaging half a billion OSS libraries with duct tape isn't what I'd call decent programming, even though it's the norm nowadays --

  • L. (unregistered) in reply to Blakeygirl
    Blakeygirl:
    Anketam:
    ObiWayneKenobi:
    If you ask me, the Real WTF is that it's illegal to hack idiots. Oh how many morons I would run into bankruptcy if it wasn't illegal.
    I lament with you. There really needs to be some law that if you through stupidity provoke someone or something to behave a certain way and they do so they are not at fault. An example of this would be an idiot who taunts a tiger and gets mauled and then the idiot tries to sue the zoo for getting mauled. If you leave your site -that- open to hackers it is like taunting hackers to come and get it.
    Just like the girls in short skirts in bars are almost gagging for rape.

    Err... that would be sex, I guess. OTOH, if they're begging for sex and then refusing it... you may guess where some people felt misunderstood --

  • (cs) in reply to Moe
    Moe:
    Boss: we need someone for bugfixing shitload of our stinking code which we improving now. Also this is raw prototype full of holes and vulnerabilities we are closing now.

    Nagesh got promoted to management?!

  • Nagesh (unregistered) in reply to D-Coder
    D-Coder:
    geoffrey:
    Victor's boss didn't get to where he was by being stupid.
    BWA-HAHAHAHAHAHAHAHA!

    Note to Geoffrey: Trolls are supposed to be provocative, not amazingly stupendously fantastically stupid. That's Nagesh's role.

    That is not being mine account! A school-boy haker being intimating me! Here he is noticed having slip-up.

  • Nagesh (unregistered) in reply to Timmy
    Timmy:
    Nagesh:
    Isn't Nagesh Hindi for anonymous?

    No, it's Hindi for Lord (God) of snakes aka Shiva, who happens to be most of the popular Hindu Gods. No, there are no typos or grammatical issues in the previous sentence. Shiva is literally most of the popular Hindu Gods. He has many 'incarnations'

    pope is being one of them.

  • Nagesh (unregistered) in reply to The poop of DOOM
    The poop of DOOM:
    Why does this remind me of an article I read some time ago about a credit card company? Lessee if I can find it again

    Hah, found it :D

    http://it.slashdot.org/story/11/06/14/2046216/how-citigroup-hackers-easily-gained-access

    plz stop post of URL without link.

  • (cs) in reply to Nagesh
    Nagesh:
    The poop of DOOM:
    Why does this remind me of an article I read some time ago about a credit card company? Lessee if I can find it again

    Hah, found it :D

    http://it.slashdot.org/story/11/06/14/2046216/how-citigroup-hackers-easily-gained-access

    plz stop post of URL without link.

    What, copy-paste is too hard for you? If you want a clickable link, go complain to Akismet.

  • Nagesh (unregistered) in reply to The poop of DOOM
    The poop of DOOM:
    Nagesh:
    The poop of DOOM:
    Why does this remind me of an article I read some time ago about a credit card company? Lessee if I can find it again

    Hah, found it :D

    http://it.slashdot.org/story/11/06/14/2046216/how-citigroup-hackers-easily-gained-access

    plz stop post of URL without link.

    What, copy-paste is too hard for you? If you want a clickable link, go complain to Akismet.
    Don't blame lazy on my when it was urself first.

  • (cs) in reply to cox
    cox:
    Anyways, we all are idiots.
    Thirded.
  • (cs) in reply to QJo
    QJo:
    An innocent abroad:
    Timmy:
    No, there are no typos or grammatical issues in the previous sentence.
    That is true. On the other hand, all the content is wrong. Not even "it's Hindi" is true.

    Snake-deities: Nāgas (Sanskrit/Pali, actually instead of Hindi) are completely unrelated to Shiva. Nagesh: an Indian male given name as well as surname.

    You may have been thinking of Ganesh, the God of Obstacles (amongst others); but again, not a manifestation of Shiva in any way. I always think of the manifold Nagesh-es as dyslectic inverted manifestations of Ganesh (who is "remover of obstacles" and hence God of Progress, Science and Enlightenment) -- these Nagesh-es just create obstacles and hamper reading.

    Bad luck, Timmy, try again, you were a nice contestant.

    Besides, Ganesh is an elephant. Everybody knows that.

    The one blind guy thinks he's a snake.

  • (cs) in reply to The poop of DOOM
    The poop of DOOM:
    Nagesh:
    The poop of DOOM:
    Why does this remind me of an article I read some time ago about a credit card company? Lessee if I can find it again

    Hah, found it :D

    http://it.slashdot.org/story/11/06/14/2046216/how-citigroup-hackers-easily-gained-access

    plz stop post of URL without link.

    What, copy-paste is too hard for you? If you want a clickable link, go complain to Akismet.
    Akismet doesn't validate comment edits.

  • (cs) in reply to frits
    frits:
    The poop of DOOM:
    Nagesh:
    The poop of DOOM:
    Why does this remind me of an article I read some time ago about a credit card company? Lessee if I can find it again

    Hah, found it :D

    http://it.slashdot.org/story/11/06/14/2046216/how-citigroup-hackers-easily-gained-access

    plz stop post of URL without link.

    What, copy-paste is too hard for you? If you want a clickable link, go complain to Akismet.
    Akismet doesn't validate comment edits.
    That's a WTF too, actually... Although I can understand the reasoning behind it.

    Anyways, for all you lazy buggers who don't want to copy-paste: Link to that Slashdot article about "hacking" Citibank accounts by changing the account number in the URL

  • TheJonB (unregistered) in reply to TheJonB
    TheJonB:
    I think Jerry Sandusky is simply misunderstood.
    Oh very good, clever, I see what you did there...
  • (cs)

    I'm glad to see at least some of the commenters here have the same perspective I do.

    Victor's boss assigned him a task to do: investigate and fix a bug. That should have been his first priority.

    He was told twice to focus on the bug, but instead chose to continue his independent audit of code quality. I wouldn't want somebody on my team who couldn't take direction, would you?

  • (cs) in reply to Rootbeer
    Rootbeer:
    I'm glad to see at least some of the commenters here have the same perspective I do.

    Victor's boss assigned him a task to do: investigate and fix a bug. That should have been his first priority.

    He was told twice to focus on the bug, but instead chose to continue his independent audit of code quality. I wouldn't want somebody on my team who couldn't take direction, would you?

    Given that code quality is THE MOST IMPORTANT THING in our profession, and the key to having your application actually live past a few months, I'd rather have somebody who can point out critical flaws instead of being a mindless drone typing away at a keyboard like a monkey because that's what their master tells them to do.

    Good companies want independent thinkers, not drones. Idiots like the OP's company and, evidently, some of the posters here, want yes-men who won't question things even when it's obviously wrong.

  • C# Guy (unregistered) in reply to D-Coder
    D-Coder:
    One of the things I have learned from this site is, when interviewing for a job, ask the company for a sample of their code.

    (Also, "What do you use for source control?" and "How do you back up?", where almost any answer other than "Nothing" is acceptable.)

    I don't know, if I heard the word 'Clearcase' I'd be out the door.

  • Nagesh (unregistered) in reply to Nagesh
    Nagesh:
    Timmy:
    Nagesh:
    Isn't Nagesh Hindi for anonymous?

    No, it's Hindi for Lord (God) of snakes aka Shiva, who happens to be most of the popular Hindu Gods. No, there are no typos or grammatical issues in the previous sentence. Shiva is literally most of the popular Hindu Gods. He has many 'incarnations'

    pope is being one of them.

    I am also big fan of English poetry, and am finding also that The Rape of the Lock is bieng among the very of verse, in all languages even, but even I am not to say that Pope is incarnation of Shiva.

  • itsmo (unregistered) in reply to Matt Westwood
    Matt Westwood:
    geoffrey:
    Priority one for Victor should have been completing his assignment as directed by his superiors. If someone on my staff isn't going to work on the tasks at the top of my list, then I have no use for them. Every app has its problems, and I don't need the new guy throwing them in my face all at once, especially when his work is still sitting there, undone.

    Hate to say this, but for once I agree with geoffrey here. Just that I disagree with the boss's reasons (as given in the anecdote) for firing Victor.

    I refer you to @Deprecated:

    @Deprecated:
    TRWTF-ery:

    "It'll be a good way for you to learn our code base." ... "You're not here to take a field trip through our code,"

    PHB contradicts himself - he IS there to take a field trip. His boss is a prick.

  • Shinobu (unregistered) in reply to PiisAWheeL
    PiisAWheeL:
    ... lied to Victor ... ... Sony ...
    It isn't your boss's job to tell you the truth all the time. It's his job to get his department to the next quarter. And again, pulling in comparisons with Sony doesn't help us. We know that Victor's company wasn't like Sony, and we don't even know if Sony's decision was wrong. Sometimes you roll a D30 banking on a 2+ and it comes up 1.
    Socio:
    ACM
    ACM is a private organisation that has no power to tell you what to do. As such, if you decide that the proper authority to report your flaws to is your boss who is sick of you wasting his time, saying ‘ACM told me so’ isn't going to prevent your dismissal. And if you decide the proper authorities to be some third party, saying ‘ACM told me so’ isn't going to help you one bit in court.
    programmer:
    I can assure you that a simple arithmetic can be done
    No you cannot, because you don't know the numbers to plug in. For that matter, you probably don't even know the equations to use, and even if you did you probably couldn't tell if they applied to the company's situation.
    ObiWayneKenobi:
    Given that code quality is the most important thing in our profession,
    No it isn't. It's giving the people who pay you what they want. I repeat for the sake of clarity, in the vain hope to get this into your skull: you aren't being paid to write beautiful code. If you want to write polished code, go work on a personal or free software project in your spare time.
  • (cs) in reply to Shinobu

    APPLAUSE

  • D. T. North (unregistered) in reply to JohnFx
    JohnFx:
    "Security is job 1, right? So how about a little wager? If you win I quit with no complaint or requirement for a severance package, if I win I get a 10% raise. The challenge is this, take away all of my permissions to the system and give me 15 minutes to retrieve sensitive customer data."

    And if you win, I still don't want you working for me because you're a jackass with an ego the size of Manhattan's population.

    The boss and the code is clearly a horrible situation. But a response like that means you're not a team player. If I were your boss, I would respect and appreciate you bringing such issues to my attention. But I don't want you to be a jackass about it. Be a team player...not a player of the team.

  • (cs) in reply to Timmy
    Timmy:
    Nagesh:
    Isn't Nagesh Hindi for anonymous?

    No, it's Hindi for Lord (God) of snakes aka Shiva, who happens to be most of the popular Hindu Gods. No, there are no typos or grammatical issues in the previous sentence. Shiva is literally most of the popular Hindu Gods. He has many 'incarnations'

    Nageshwar Temple in Dwarka

    Nageshwar Temple or Nagnath Temple is located on the route between Gomati Dwarka and the Bait Dwarka Island on the coast of Saurashtra in Gujarat. The Jyotirlinga enshrined in the Temple of Nagnath is known as Nageshwar Mahadev and attracts thousands of pilgrims all round the year. This powerful Jyotirlinga symbolizes protection from all poisons. It is said that those who pray to the Nageshwar Linga become free of poison. The Rudra Samhita sloka refers to Nageshwar with the phrase 'Daarukaavane Naagesham'.

    Legend Behind Nageshwar Temple According to Shiv Purana, a Shiva devotee by name Supriya was attacked by a demon Daaruka while in a boat. The demon imprisoned him along with several others at his capital Daarukaavana where he resided with his wife Daaruki. Supriya advised all prisoners to recite the mantra ‘Aum Namaha Shivaya’. When Daruk came to know about this he ran to kill Supriya. Instantly Lord Shiva appeared in the form of a Jyotirlingam and vanquished the demon with the Paasupata Astram.

    This Jyotirlinga manifestation of Shiva is worshipped as Nageswara. Two other sites in India, one near Audhgram near Purna in Andhra Pradesh and another near Almora in Uttar Pradesh also enshrine temples to Nageswara Jyotirlingam. According to the Shiv Purana, any one who ever with devotion reads the birth and greatness of this Jyotirlinga shall beget all material happiness and divine status in the end.

    Structure of Nageshwar Temple Nageshwar Mahadev Sivalingam is facing South while the Gomugam is facing east. There is a story for this position. A devotee by name Naamdev was singing bhajans in front of the Lord. Other devotees asked him to stand aside and not hide the Lord. To this Naamdev asked them to suggest one direction in which the Lord does not exist, so that he can stand there. The enraged devotees carried him and left him on the southside. To their astonishment, they found that the Linga was now facing South with the Gomugam facing east.

  • (cs) in reply to Shinobu
    Shinobu:
    I repeat for the sake of clarity, in the vain hope to get this into your skull: you aren't being paid to write beautiful code. If you want to write polished code, go work on a personal or free software project in your spare time.
    Wow! My manager also logs on to this website now.
  • (cs)

    I agree with other commenters that if Victor never actually fixed the bug then that's a problem. I also noticed this line in the original article: "Each time he found one, he stopped by to talk to his boss." I've worked with people who kept interrupting me every 10 minutes to ask a simple question (e.g. something they could have looked up in online help), so it took me a while to regain my concentration afterwards. After a while, I asked them to save up their questions until the end of the day, then go through them all at once. Victor should have done the same thing, i.e. made a list of all the security flaws that he came across while fixing the bug, then given that whole list to his boss.

  • (cs) in reply to Shinobu
    Shinobu:
    PiisAWheeL:
    ... lied to Victor ... ... Sony ...
    It isn't your boss's job to tell you the truth all the time. It's his job to get his department to the next quarter. And again, pulling in comparisons with Sony doesn't help us. We know that Victor's company wasn't like Sony, and we don't even know if Sony's decision was wrong. Sometimes you roll a D30 banking on a 2+ and it comes up 1.
    Socio:
    ACM
    ACM is a private organisation that has no power to tell you what to do. As such, if you decide that the proper authority to report your flaws to is your boss who is sick of you wasting his time, saying ‘ACM told me so’ isn't going to prevent your dismissal. And if you decide the proper authorities to be some third party, saying ‘ACM told me so’ isn't going to help you one bit in court.
    programmer:
    I can assure you that a simple arithmetic can be done
    No you cannot, because you don't know the numbers to plug in. For that matter, you probably don't even know the equations to use, and even if you did you probably couldn't tell if they applied to the company's situation.
    ObiWayneKenobi:
    Given that code quality is the most important thing in our profession,
    No it isn't. It's giving the people who pay you what they want. I repeat for the sake of clarity, in the vain hope to get this into your skull: you aren't being paid to write beautiful code. If you want to write polished code, go work on a personal or free software project in your spare time.

    Once again... the Sony comparison was to demonstrate damages to both cost and brand. It's a "what if" and nothing more. I never at any point claimed any association between this story and Sony.

    And the people who are paying Victor told him that they are paying him to write secure code. If the code is not secure and he is being paid to write secure code, he has cause for concern. He could at least write it down for later.

    And yes, whoever said Victor should have fixed the bug and given his boss a list of concerns instead of going the Jack Russell terrier route was correct.

  • DFPercush (unregistered)

    I want to know what company this was. That's just plain negligent.

Leave a comment on “Secure';”
