• Dennis (unregistered)
    How do baby wood ducks get down?
    Funkily

    captcha: appellatio - n. - a name that pleases

  • argh (unregistered) in reply to Evo
    Evo:
    Zach Bora:
    amischiefr:
    Monday:
    Polar Bear:
    Steve:
    Steve:
    Monday:
    My Comment:
    I think...
    I think this is a pretty good...
    I think this is a pretty good time to...
    I think this is a pretty good time to try that...
    I think this is a pretty good time to try that thing you were...

    I think this is a pretty good time to try that thing you were going to put in your...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you broke the flow of...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you broke the flow of this stupid sentence!

    I think this is a pretty good time to try that thing you were going to put in your ass the night you broke the flow of this stupid sentence!^H^H^H^H^H^H^H^H^HVT52 terminal that always...

  • (cs)

    They tune into Radio 1 and dig out the vodka.

  • anschauung (unregistered)

    Hrm. I've been trying to write code that could accomplish this, with the following assumptions:

    1. The programmer knows enough SQL to INSERT and SELETE data
    2. The programmer was not deliberately shooting for a mention in TDWTF

    Given this, we can throw out bad insertion and bad selections (for the redisplay) as possibilities -- there's just no way to do this without writing code that's obviously wrong even to a novice. (For example, you could make a self-referential join with wildcards, but there's no way that this could be done by accident)

    Then I came on it: They're storing all the security questions in a different table!

    There's a table somewhere with two columns (id, security_question), and every time someone changes their security question they match it (with wildcards) against an existing example that already exists in security_questions.

    The users table (or equivalent) has a column that is then updated with security_questions.id

    It's the only way....it's some wacky (or at least poorly implemented) attempt at normalization!

  • Nunja Business (unregistered)

    VBscript errors up the ying yang. Can't even generate a certificate - 1024 or 512 bit.

    They must be trying to "fix" the problem.

    I am whelmed.

  • Bob (unregistered) in reply to Jay
    Jay:
    Using "what is your favorite color" as a security question is sexist. It makes men's accounts much more vulnerable than women's. After all, if you ask a man to name his favorite color, his answer is likely to be limited to one of "red", "blue", "green", "yellow", "orange" and perhaps a dozen or so other possibilities. A hacker could easily run through all the possibilities in a few minutes. But a woman may say "burgundy" or "mauve" or "chartreuse" or "sea foam" or hundreds of other colors that I couldn't identify if you showed them to me.
    Hex colors. Then instead of "blue" you can put #007FFF. 16,777,216 combinations vs probably less with words.
  • El_oscuro (unregistered) in reply to AF
    AF:
    FYI, Trinity is a time not a place. It refers to the summer term in Oxford University. The question apparently concerns the door code for Balliol College bar.

    http://www.ballioljcr.org/site/facilities/lindsaybar.asp

    It is also a time and a place (July 1945, New Mexico), as well as a strange game http://en.wikipedia.org/wiki/Trinity_(computer_game)

  • SteveC (unregistered) in reply to Binary Logic
    Binary Logic:
    Does anyone else see a problem with a security question that has only two possible answers?

    [Yes] [No]

    You are presuming that the response has to be correct/truthful. As long as your response is the SAME each time, you could answer [dog biscuits] if you felt like it!

  • Jimmy (unregistered) in reply to AF
    AF:
    FYI, Trinity is a time not a place. It refers to the summer term in Oxford University. The question apparently concerns the door code for Balliol College bar.

    Hrm.. so if someone unexpectedly sneaks into the bar one night via the door code, then I suppose the Thawte database admins will be at the top of the list of suspects?

  • The Fake WTF (unregistered) in reply to Rogerwilco
    Rogerwilco:
    It gets better.

    It first asks you to fill in a full century, not just 1908-2008 or something, but then it doesn't like my entry :-D

    I know the number of people born in 1907 who need their service is small, but then just supply a pulldown box or something?

    Form Processing Error
    An error occurred while we were processing your form. Usually this means that one of the values you submitted in your form was invalid, or you did not put a value in a required field. Please check the error message below, and then review your submission.
    
    The actual error given was:
    
    Year must be after 1910.
    

    I think we'll be able to find more.

    Why does that date remind me of a very old Excel bug? You don't suppose they have a giant, evil Excel spreadsheet hiding at the center of their operation, do you?

  • (cs) in reply to Justice
    Justice:
    Q: Does your wife have a big butt?
    I wasn't aware Sir Mix-A-Lot used Thawte.
    If you use this for your security question, you cannot lie.
  • (cs) in reply to Jeff
    Jeff:
    meh, just answer all the questions with NOWAYINHELLWILLIANSWERTHIS. It's long enough to be secure, bears no relation to the question, easy to remember, and once more people implement this, I'll get free money.
    NOWAYINHELLISTHATSECURE. Use this:

    n0W@y1Nh3l1W1l1I@nSw3RtH1s

    That should be easy to remember.

  • (cs) in reply to Code Dependent
    Code Dependent:
    Justice:
    Q: Does your wife have a big butt?
    I wasn't aware Sir Mix-A-Lot used Thawte.
    If you use this for your security question, you cannot lie.
    AARGH! MY EYES!
  • (cs) in reply to JamesQMurphy
    JamesQMurphy:
    Code Dependent:
    If you use this for your security question, you cannot lie.

    AARGH! MY EYES!

    Seconded! Seriously, NSFW (and fairly disgusting to boot).
  • Allister (unregistered)

    Q: What is the airspeed velocity of an unladen swallow?

    A (no, Q): African or European?

    Classic line from a classic movie!

  • OhU (unregistered)
    Personal:
    * Is this the best I can be?
    * Will I ever be fat?

    Very Personal:
    * Does my wife have a pierced navel?
    * Does your wife have a big butt?
    * did I ever had sex?
    * Do you love Allan?

    Questions we all want answered:
    * Is this a dream?

    Q: What do all these questions have in common? (UPPERCASE) A: They can all be answered with a yes or no!

    FAIL

  • (cs) in reply to anschauung
    anschauung:
    1) The programmer knows enough SQL to INSERT and SELETE data
    WTF?! A mix of SELECT and DELETE? PLZ to send codz!
  • Impi (unregistered) in reply to Walleye
    Walleye:
    Q: What's the difference between a duck? A: One of it's legs is both the same.

    Especially the right leg!

  • anschauung (unregistered) in reply to Havstein

    What? Don't tell me you've been using two consecutive queries when you want to SELECT data and immediately DELETE it ...

  • (cs) in reply to OhU
    OhU:
    Q: What do all these questions have in common? (UPPERCASE) A: They can all be answered with a yes or no!

    FAIL

    Personal:
    * Is this the best I can be? Probably not, but I'm not willing to make the effort to improve
    * Will I ever be fat? Waddiatalkin bout? I already am

    Very Personal:
    * Does my wife have a pierced navel? No, but her boyfriend does
    * Does your wife have a big butt? Well, you probably don't think so, but then you don't have a very wide range for comparison
    * did I ever had sex? Does masturbation count?
    * Do you love Allan? Funt? Alda? Edgar Poe? Gimmie specifics.

  • nananonymus (unregistered) in reply to Voodoo Coder

    damn

  • John (unregistered) in reply to AF

    I think there will be several Universities around the world which have adopted Oxford's naming convention for academic terms.

    Sydney University is one of them.

  • (cs)
    As for why Thawte chose to implement shared questions in this manner... I’ll leave that as an exercise in speculation for the reader.
    Because it wasn't very well Thawte out?*

    *I can't believe nobody has capitalized on this stupid pun yet. What's the matter with you guys?

  • (cs)

    Maybe if you add a few "xxxx" or "zzzz" after the question then it won't autocomplete, because it won't find a question

  • Elephant Man (unregistered) in reply to Walleye
    Walleye:
    Q: What's the difference between a duck? A: One of it's legs is both the same.

    What's the difference between an elephant and a cranberry? Nothing. They're both small, round and red, except for the elephant.....

  • THAWTF (unregistered) in reply to Ben
    Ben:
    Claxon:
    Given that God is infinite and that the universe is also infinite... Would you like a toasted tea-cake?

    I'm a waffle man myself.

    That'll explain all your nonsensical waffling....

  • alskjdfh (unregistered) in reply to KattMan
    KattMan:
    erich:
    Binary Logic:
    Does anyone else see a problem with a security question that has only two possible answers?

    [Yes] [No]

    lol, yeah, was thinking the same thing. Maybe it's case sensitive, which gives 12 choices. :)

    Someone needs to learn binary math 2^5

    Perhaps when you correct someone you should double check you're actually right (or validus, according to captcha)

  • BlokHed (unregistered) in reply to Scott
    Scott:
    L:
    Reminds me of my favorite game.. searching for things like "and he got his * stuck in a *" in Google. Hours of fun!
    this page is the 7th result on google for that query.

    It number 1, it number 1!

  • (cs) in reply to KattMan
    KattMan:
    erich:
    Binary Logic:
    Does anyone else see a problem with a security question that has only two possible answers?

    [Yes] [No]

    lol, yeah, was thinking the same thing. Maybe it's case sensitive, which gives 12 choices. :)

    Someone needs to learn binary math 2^5

    Someone needs to learn that 2^3 + 2^2 = 12.

  • Nick J (unregistered)

    You are Brillant. What is your name?

  • Another pointless french coder (unregistered) in reply to Walleye
    Walleye:
    Q: What's the difference between a duck? A: One of it's legs is both the same.
    Q: What's the difference between a cop ? A: He can't neither read.
  • (cs) in reply to MetalPig
    MetalPig:
    L:
    Q: Does your wife have a big butt? A: FileNotFound
    File not found because your big-butted wife is sitting on it, I suppose.

    Edit: Sorry, Thom already did that.

    Dude, everyone's done his wife's butt.

  • (cs) in reply to Claxon
    Claxon:
    Jeff:
    meh, just answer all the questions with NOWAYINHELLWILLIANSWERTHIS. It's long enough to be secure, bears no relation to the question, easy to remember, and once more people implement this, I'll get free money.

    ... and what was your username again?

    AzureDiamond

  • (cs) in reply to The Fake WTF
    The Fake WTF:
    Why does that date remind me of a very old Excel bug? You don't suppose they have a giant, evil Excel spreadsheet hiding at the center of their operation, do you?

    That old Excel bug in early 20th century dates wasn't actually a bug. Those early dates were deliberately calculated wrong in order to be compatible with Lotus 123, which also calculated them wrong. Joel Spolsky talks about it in this article:

    http://www.joelonsoftware.com/items/2006/06/16.html

  • (cs)

    Hmm... autocomplete bugs ... like the one in the Sidebar? ;)

    Though TRWTF is, of course, the fact that they implemented autocomplete in the user questions.

    But hey, at least they support custom security questions. I really hate those sites that only allow common knowledge questions like "What's my pet's name?" "Mother maiden name?" (If you're from Latin America, anyone who knows your full name also knows that answer!) "When is your birthday?"

  • Jay (unregistered)

    For the places that let you make up your own security question, and who then do the password reset over the phone, one could have all sorts of fun. Like:

    "So what is the answer?"

    You could have fun by pretending not to remember you had given this as the question.

    "I need a password reset." "Okay. You'll have to answer a security question." "That's fine. What the question?" "So what is the answer?" "The answer to what?" "The question is, So what is the answer?" "But you didn't tell me the question." etc.

    Or how about: "Will you take me out to dinner this Friday?"

    Obvious answer: "Sure, baby. But let's get my password reset done first."

    (One could, of course, imagine more explicit or vulgar versions, but I'm a mild-mannered guy.)

    There must be all sorts of potential for fun here!

  • Curious (unregistered) in reply to shepd
    shepd:
    And, if they know you, the social engineering to find out something like "What was my prom date?" is beyond simple.
    "What was my prom date?", not "who"?

    Wait, are you Welsh? Was your prom date a sheep?

  • Ricky Fine (unregistered)

    The answer to that question can be found in "Monty Python and the Holy Grail." Remember the discussion about how he got the coconut?

  • Fenestra (unregistered)

    I think it was thawtful of them to provide default questions.

  • dan (unregistered) in reply to Walleye

    possessive:

    its

    plural:

    are

    "One of its legs are both the same"

    I think I should stop using this question and answer though, perhaps it's not as obscure as I'd hoped.

  • dan (unregistered) in reply to Walleye

    What is the airspeed velocity of an unladen swallow? Depends if it's an African or European swallow.

  • LEGO (unregistered) in reply to KattMan
    KattMan:
    cheers:
    KattMan:
    Someone needs to learn binary math 2^5

    Don't you mean 2^3 + 2^2 I mean, I don't think the answer will be yEsnO

    Oh god! I was just a victim of the Math Axiom to Muphry's Law wasn't I?

    No, you were a victim of a math corollary of Muphry's Law.

  • Zapakh (unregistered) in reply to dan
    dan:
    possessive:

    its

    plural:

    are

    singular:

    One

    One is both the same.

    One of its legs is both the same.

    Dig?

  • suitable (unregistered) in reply to Walleye

    Thank you. I remember the question (from circa 1974) but didn't remember this answer. The one I was given was "the faster you pull it, it quacks" but I could have been misled by the friend who shared it with me.

  • Bob E (unregistered) in reply to Walleye

    Things that make you go hmmmmm.

    Q: What's the difference between a duck? A: One of it's legs is both the same.

    My mother tells me she was present when some inebriated personage of her acquaintance was trying to tell a joke and came out with this particular piece of wit. Of course our family has since told this joke many times. WTF (Where the F) did this version come from? hmmmmmm??

    Could it actually have made the rounds to show up here?

  • Andrew (unregistered) in reply to Binary Logic
    Binary Logic:
    Does anyone else see a problem with a security question that has only two possible answers?

    [Yes] [No]

    Unless the answer is something like "maybe".

  • Jim (unregistered)

    There is a classic from the twenties: "Why does a mouse when it spins?" The answer is: "Because the higher it flies the much."

  • Jon (unregistered)

    "What is the airspeed velocity of an unladen swallow?"

    Someone's a Monty Python fan....

  • Harry G (unregistered) in reply to Walleye

    I accidentally the whole duck!

  • (cs) in reply to anschauung
    anschauung:
    Hrm. I've been trying to write code that could accomplish this, with the following assumptions:
    1. The programmer knows enough SQL to INSERT and SELETE data
    2. The programmer was not deliberately shooting for a mention in TDWTF
    You're missing any assumptions that management is sane... That should be your first clue... ;-)
    anschauung:
    Given this, we can throw out bad insertion and bad selections (for the redisplay) as possibilities -- there's just no way to do this without writing code that's obviously wrong even to a novice. (For example, you could make a self-referential join with wildcards, but there's no way that this could be done by accident)

    Then I came on it: They're storing all the security questions in a different table!

    Bingo!
    anschauung:
    There's a table somewhere with two columns (id, security_question), and every time someone changes their security question they match it (with wildcards) against an existing example that already exists in security_questions.

    The users table (or equivalent) has a column that is then updated with security_questions.id

    It's the only way....it's some wacky (or at least poorly implemented) attempt at normalization!

    The way I see it happening is:

    The original requirement was for a list of security questions to be available, probably in a dropdown... (like Yahoo! uses).

    Programmer creates table structure as you describe, to allow more questions to be added later, and possibly to "retire" old questions by preventing them showing up in the dropdown later...

    At some point, the PHB decides that people should be able to enter their own questions.

    Programmer does not want to redesign entire database structure... (What would the DBAs say??!?!?)

    So we end up in the situation you describe...
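
The shared-table design that anschauung hypothesises and the reply above elaborates, sketched as an added example; it is not Thawte's code and not code from any commenter. The table and column names follow the comment, while the function names, the `own_question` column and the sample users are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE security_questions (id INTEGER PRIMARY KEY, security_question TEXT);
CREATE TABLE users (
    id INTEGER PRIMARY KEY, name TEXT,
    question_id INTEGER REFERENCES security_questions(id),  -- shared design
    own_question TEXT                                        -- per-user design (assumed column)
);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def set_question_shared(db, name, text):
    """Hypothesised flaw: reuse the first stored question that wildcard-matches."""
    row = db.execute(
        "SELECT id FROM security_questions "
        "WHERE security_question LIKE ? ORDER BY id LIMIT 1",
        (text + "%",),
    ).fetchone()
    if row:
        qid = row[0]  # another user's row is silently adopted
    else:
        qid = db.execute(
            "INSERT INTO security_questions (security_question) VALUES (?)", (text,)
        ).lastrowid
    db.execute("INSERT INTO users (name, question_id) VALUES (?, ?)", (name, qid))

def shown_question_shared(db, name):
    return db.execute(
        "SELECT q.security_question FROM users u "
        "JOIN security_questions q ON q.id = u.question_id WHERE u.name = ?",
        (name,),
    ).fetchone()[0]

def set_question_private(db, name, text):
    """Corrected design: the text lives on the user's own row, no cross-user lookup."""
    db.execute("INSERT INTO users (name, own_question) VALUES (?, ?)", (name, text))

def shown_question_private(db, name):
    return db.execute(
        "SELECT own_question FROM users WHERE name = ?", (name,)
    ).fetchone()[0]

def demo():
    """Constructed sample: alice saves a question, bob starts typing a similar one."""
    shared, private = new_db(), new_db()
    for setter, db in ((set_question_shared, shared), (set_question_private, private)):
        setter(db, "alice", "What is the airspeed velocity of an unladen swallow?")
        setter(db, "bob", "What is")
    return shown_question_shared(shared, "bob"), shown_question_private(private, "bob")
```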
