Admin
A programmer knows the name of the company, what business they do on the web, and that their marketing angle includes a focus on the security of their services / products. (He was told as much while interviewing.) Combining just that general knowledge with such a huge list of attack vectors and security failings can give us a good ballpark estimate. Something along the lines of "This company will be sued into oblivion or lose enough clients to become financially insolvent should these issues become public knowledge / be exploited" sounds about right.
He may have been hit with a pink slip, but he REALLY dodged a bullet here.
Admin
What if Victor's boss had listened to him and those security fixes had prevented the Sony attack last spring? Think about what that did to the brand.
All Victor's boss needed to tell him was to write down the lines (numbers) he had concerns with on a sticky note and send it to someone to say "Look, the new guy has some security concerns in our highly secure software... should we be worried about this?"
Admin
I used Sony as an example because that's the kind of company where you expect people to know which side of the if statement to put the curly brackets.
Finding and improving code always costs money and time. When you emphasise to a person that something is important (security) and they bring up a potential security risk, at the very least you could look into it. If they aren't going to look into it or explain to Victor why they aren't security risks (like the sanitize function being somewhere else), then they have effectively lied to Victor. They have told him that security is number 1, but their actions speak otherwise.
The cost of the Sony incident (money and image) was probably more expensive than if the new guy had gone to a supervisor and said "Hey, this looks funny." Now instead of fixing a system with a few security holes they rewrote the infrastructure. How is that better than spending some time to figure out if the new guy is full of shit?
Admin
Note to Geoffrey: Trolls are supposed to be provocative, not amazingly stupendously fantastically stupid. That's Nagesh's role.
Admin
Step 1: Publicly disclose the vulnerability to customers and shareholders in accordance with the ACM's Software Engineering Code of Ethics and Professional Practice.
Step 2: Enjoy the look on your face.
Admin
Honestly, we don't know for sure what Boss said at the interview. Maybe it was like:
Boss: we need someone for bug-fixing a shitload of our stinking code, which we are improving now. Also, this is a raw prototype full of holes and vulnerabilities, which we are closing now. What Victor heard: We have improved code. And it's secure.
Later that day: OMGWTF, you didn't fix that easiest bug, which I put in the code intentionally to verify your qualifications. Fired.
Admin
"Is that reception? Someone's done a fucking pony in my bed."
Admin
Very ingenious misdirection. No amount of business-speak can detract from the central message that a porous application begs for security breaches, and damage to the brand can and does occur.
Whenever there are the kind of blatant weaknesses that allow for SQL injection, I can assure you that simple arithmetic can be done to demonstrate how much damage can be done, not just to the brand, but to the continued employment of said manager.
Imagine what a damning report the auditors would give an application whose focus is on security.
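As an added illustration of the "blatant weaknesses that allow for SQL injection" the comment above refers to, here is a login check written both ways. This is example code written for this page, not code from the article or from the company in the story; the `users` table, the `example.com` addresses and the passwords are constructed sample data, and the in-memory SQLite database is an assumption standing in for whatever the real application used.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    # Constructed sample data; storing passwords in plain text is itself a
    # weakness, but it is not the one this example is about.
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.com", "hunter2"), ("bob@example.com", "swordfish")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Concatenates user input into the SQL text.

    A quote in the input ends the string literal and the rest of the input
    becomes SQL syntax, so an attacker controls the WHERE clause.
    """
    sql = (
        "SELECT id FROM users WHERE email = '%s' AND password = '%s'"
        % (email, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Same query with bound parameters.

    The driver sends the values separately from the SQL text, so a quote in
    the input is just a character to compare against, never SQL syntax.
    """
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    row = conn.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Comment out the password check: "-- " starts an SQL comment in SQLite.
    print(login_vulnerable(conn, "alice@example.com' -- ", "wrong"))  # 1
    print(login_safe(conn, "alice@example.com' -- ", "wrong"))        # None
    # Classic tautology in the password field.
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))            # 1
    print(login_safe(conn, "alice@example.com", "hunter2"))           # 1
```

The two payloads shown are the ones a first-day code read would most often spot the shape of: a quote plus a comment marker to drop the password check, and a tautology to make the WHERE clause always true. Parameter binding fixes both without any "sanitize function somewhere else" being involved, which is why "where is the sanitization?" is a legitimate question to write down rather than assume away.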
Admin
TRWTF is saying "foomail.it" instead of "example.com". Future owners of foomail.it will thank you for helping webscrapers find foomail.it-email-addresses. Jerk.
Admin
TRRWTF is that all of the pros here watching daily-wtf did not notice this sooner.
Of course, the real pros don't feel satisfaction by watching daily-wtf because they know they are good and that's it.
Oh, that also disqualifies myself as a pro. Anyways, we all are idiots.
Admin
No, it's Hindi for Lord (God) of snakes aka Shiva, who happens to be most of the popular Hindu Gods. No, there are no typos or grammatical issues in the previous sentence. Shiva is literally most of the popular Hindu Gods. He has many 'incarnations'
Admin
I disagree. When you employ a new member of staff, you need to cut him a little slack. You also need to be aware that there will be at least a little shaking of the departmental tree, where all sorts of little personality details come to the fore. In the UK it is usual for there to be a period of probation (of the order of 3 months or so) in order for the new employee to shake down and establish whether he is a fit or not. To dismiss him on the basis of his performance on his first assignment is alarmingly premature.
Under the circumstances as described (and understanding that there is a considerable quantity of simplification and personal bias in the tale as told), it appears that Victor's skill and experience would be of considerable use in that company - but maybe not performing tasks of the particular kind that had been assigned him on his first day. Having said that, such should have been clear to Victor's boss (or Victor's boss's boss - we don't know how large an enterprise we are talking about here) at the interview.
In conclusion: Victor's boss is more at fault than Victor here, although Victor will no doubt have learned a valuable lesson in politics.
Admin
Of course it's fucking pony! What you were expecting for your money, a woman? Enjoy yourself! hangs
Admin
Snake-deities: Nāgas (Sanskrit/Pali, actually instead of Hindi) are completely unrelated to Shiva. Nagesh: an Indian male given name as well as surname.
You may have been thinking of Ganesh, the God of Obstacles (amongst others); but again, not a manifestation of Shiva in any way. I always think of the manifold Nagesh-es as dyslexic inverted manifestations of Ganesh (who is "remover of obstacles" and hence God of Progress, Science and Enlightenment) -- these Nagesh-es just create obstacles and hamper reading.
Bad luck, Timmy, try again, you were a nice contestant.
Admin
Besides, Ganesh is an elephant. Everybody knows that.
Admin
Everybody just don't give a fuck
Admin
For me, the most important phrase is the last. Has Victor understood the security requirements of an application???? Perhaps not. Although the application has some bad security programming practices, maybe it has a security risk level that permits such bugs.
Admin
Why does this remind me of an article I read some time ago about a credit card company? Lessee if I can find it again
Hah, found it :D
http://it.slashdot.org/story/11/06/14/2046216/how-citigroup-hackers-easily-gained-access
Admin
5,[email protected],hunter2
That's 3 fields in a key/value 'pair'.
That must be handled by using a boolean, as in: True, False, File not found.
Admin
Ah, so you're the 'Victim' type. Please clean your desk by tomorrow morning.
Admin
Quite not false ...
And packaging half a billion OSS libraries with duct tape isn't what I'd call decent programming, even though it's the norm nowadays --
Admin
Err . that would be sex I guess - otoh if they're begging for sex and then refusing it .. you may guess where some people felt misunderstood --
Admin
Nagesh got promoted to management?!
Admin
That is not being mine account! A school-boy haker being intimating me! Here he is noticed having slip-up.
Admin
plz stop post of URL without link.
Admin
Anyways, for all you lazy buggers who don't want to copy-paste: Link to that Slashdot article about "hacking" Citibank accounts by changing the account number in the URL
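The Citibank case the link above describes is the textbook insecure direct object reference: an account number taken from the URL is used for the lookup and nothing checks that the logged-in customer owns that account. The following is an added example written for this page to show the bug and the fix side by side; it is not code from the article, from Citibank or from the Slashdot story, and the `ACCOUNTS` table, the `/account?number=...` URL shape and the owner names are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Account:
    number: int
    owner: str   # the session user who is allowed to see this account
    balance: int


# Constructed sample data; in a real system this is a database query.
ACCOUNTS = {
    1001: Account(1001, "alice", 250),
    1002: Account(1002, "bob", 9000),
}


def account_number_from_url(url):
    """Extract the ?number= parameter as an int, or None if absent/invalid."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("number", [""])[0])
    except ValueError:
        return None


def view_balance_insecure(session_user, url):
    """Looks the account up by the number in the URL and returns it.

    The session user is never consulted: any authenticated user can read
    any account just by editing the number, which is the flaw described
    in the linked story.
    """
    acct = ACCOUNTS.get(account_number_from_url(url))
    return acct.balance if acct else None


def view_balance_secure(session_user, url):
    """Same lookup, but the result is released only to the account's owner.

    'Not found' and 'not yours' deliberately produce the same response so
    that a caller cannot enumerate which account numbers exist.
    """
    acct = ACCOUNTS.get(account_number_from_url(url))
    if acct is None or acct.owner != session_user:
        return None
    return acct.balance


if __name__ == "__main__":
    # Alice is logged in and changes 1001 to 1002 in her address bar.
    print(view_balance_insecure("alice", "/account?number=1002"))  # 9000
    print(view_balance_secure("alice", "/account?number=1002"))    # None
    print(view_balance_secure("alice", "/account?number=1001"))    # 250
```

The ownership check is the minimum fix. A better design never lets the client name the account at all for owner-scoped pages: the server resolves the session user to their accounts and the URL only selects among those, so there is no number to tamper with in the first place.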
Admin
I'm glad to see at least some of the commenters here have the same perspective I do.
Victor's boss assigned him a task to do: investigate and fix a bug. That should have been his first priority.
He was told twice to focus on the bug, but instead chose to continue his independent audit of code quality. I wouldn't want somebody on my team who couldn't take direction, would you?
Admin
Given that code quality is THE MOST IMPORTANT THING in our profession, and the key to having your application actually live past a few months, I'd rather have somebody who can point out critical flaws instead of being a mindless drone typing away at a keyboard like a monkey because that's what their master tells them to do.
Good companies want independent thinkers, not drones. Idiots like the OP's company and, evidently, some of the posters here, want yes-men who won't question things even when it's obviously wrong.
Admin
I don't know, if I heard the word 'Clearcase' I'd be out the door.
Admin
I am also big fan of English poetry, and am finding also that The Rape of the Lock is bieng among the very of verse, in all languages even, but even I am not to say that Pope is incarnation of Shiva.
Admin
I refer you to @Deprecated:
PHB contradicts himself - he IS there to take a field trip. His boss is a prick.
Admin
APPLAUSE
Admin
And if you win, I still don't want you working for me because you're a jackass with an ego the size of Manhattan's population.
The boss and the code is clearly a horrible situation. But a response like that means you're not a team player. If I were your boss, I would respect and appreciate you bringing such issues to my attention. But I don't want you to be a jackass about it. Be a team player...not a player of the team.
Admin
Nageshwar Temple in Dwarka
Nageshwar Temple or Nagnath Temple is located on the route between Gomati Dwarka and the Bait Dwarka Island on the coast of Saurashtra in Gujarat. The Jyotirlinga enshrined in the Temple of Nagnath is known as Nageshwar Mahadev and attracts thousands of pilgrims all round the year. This powerful Jyotirlinga symbolizes protection from all poisons. It is said that those who pray to the Nageshwar Linga become free of poison. The Rudra Samhita sloka refers to Nageshwar with the phrase 'Daarukaavane Naagesham'.
Legend Behind Nageshwar Temple According to Shiv Purana, a Shiva devotee by name Supriya was attacked by a demon Daaruka while in a boat. The demon imprisoned him along with several others at his capital Daarukaavana where he resided with his wife Daaruki. Supriya advised all prisoners to recite the mantra ‘Aum Namaha Shivaya’. When Daruk came to know about this he ran to kill Supriya. Instantly Lord Shiva appeared in the form of a Jyotirlingam and vanquished the demon with the Paasupata Astram.
This Jyotirlinga manifestation of Shiva is worshipped as Nageswara. Two other sites in India, one near Audhgram near Purna in Andhra Pradesh and another near Almora in Uttar Pradesh also enshrine temples to Nageswara Jyotirlingam. According to the Shiv Purana, any one who ever with devotion reads the birth and greatness of this Jyotirlinga shall beget all material happiness and divine status in the end.
Structure of Nageshwar Temple Nageshwar Mahadev Sivalingam is facing South while the Gomugam is facing east. There is a story for this position. A devotee by name Naamdev was singing bhajans in front of the Lord. Other devotees asked him to stand aside and not hide the Lord. To this Naamdev asked them to suggest one direction in which the Lord does not exist, so that he can stand there. The enraged devotees carried him and left him on the southside. To their astonishment, they found that the Linga was now facing South with the Gomugam facing east.
Admin
I agree with other commenters that if Victor never actually fixed the bug then that's a problem. I also noticed this line in the original article: "Each time he found one, he stopped by to talk to his boss." I've worked with people who kept interrupting me every 10 minutes to ask a simple question (e.g. something they could have looked up in online help), so it took me a while to regain my concentration afterwards. After a while, I asked them to save up their questions until the end of the day, then go through them all at once. Victor should have done the same thing, i.e. made a list of all the security flaws that he came across while fixing the bug, then given that whole list to his boss.
Admin
Once again... the Sony comparison was to demonstrate damages to both cost and brand. It's a "what if" and nothing more. I never at any point claimed any association between this story and Sony.
And the people who are paying Victor told him that they are paying him to write secure code. If the code is not secure and he is being paid to write secure code, he has cause for concern. He could at least write it down for later.
And yes, whoever said Victor should have fixed the bug and given his boss a list of concerns instead of going the Jack Russell terrier route was correct.
Admin
I want to know what company this was. That's just plain negligent.