• BP (unregistered)

    Hey, I would have done it for them from scratch... and I'd only have billed a single million...

  • Anita Tinkle (unregistered) in reply to Anita Tinkle

    (psst.  Lucky for Accenture that they executed their name change and shed their original name not long after they were spun out from Arthur Andersen, which "imploded in a wave of accounting scandals")

    :-)

  • (cs) in reply to Jamie Riden
    Anonymous:
    Bad daily WTF! Bad!

    Wrap up an Initialisation Vector, AES encrypted data plus a HMAC in a hex encoding and you will end up with something like this.  I'm not saying that's what they've done, but there are valid reasons for using a 200-odd digit session ID.




    They definitely didn't do that. The session ID is actually the stuff after the underscore.
  • . (unregistered) in reply to loneprogrammer
    loneprogrammer:
    Is that really just the session ID?  It might be the session ID plus a lot more data too!


    It's not the session ID, it's the session....
  • FOO (unregistered) in reply to GoatCheez

    This is a fake...obviously generated...

  • meh (unregistered) in reply to Anita Tinkle
    Anonymous:
    Remember what Accenture was called before the big "cool-one-word" (COW) name changes started happening during the dot-bomb era?

    You guessed it:


    ANDERSEN CONSULTING.

    And yes, Andersen consultants were (and still are) some of the most expensive college kids you can bring on.  It's still very much a fraternity atmosphere there.


    When they came to talk to us to tell us how fabulous they were, they explained that the rebranding people decided that the best words to describe their new direction was "an accent on the future" and thus "accenture" was born, complete with sideways ^.
  • fs (unregistered) in reply to Jamie Riden

    Actually they converted it to hex to pass it through the enigma cipher.

  • (cs) in reply to Suck My Lisp
    Suck My Lisp:
    Well, 714 bytes is 8 bits, so we have 2^5712 possible session identifiers, which is a bit more than 10^1719.

    There are about 10^78 atoms in the universe, so if every atom in the universe created a session every second, that site won't run out of sessions for 10^1641 seconds, which is about 10^1635 years.

    That's the kind of Enterprise-class engineering I'd expect in a $165M site.


    You forgot to consider quantum mechanics. Each of these atoms consists of even smaller particles, which might be in a quantum superposition where they create a new session and in the same time do not create a new session; to measure the actual state, you have to reboot the server and see if a session dies or not. Yeah, that's a lot of possible superpositions, hence the long session id.
  • (cs)

    Should've outsourced it to India.
    They could've gotten a site at least as good for under 1M euros.
    Seriously, why would it cost even 60M euros to write a web portal?!?!
    Didn't the government think this was a bit high?

    I guess they don't give a darn if they waste taxpayers' money anyway so they were willing to shell out 60M euros but maybe they couldn't justify the 150%+ increase in price when Accenture 150M.

  • (cs) in reply to meh

    Anonymous:
    ... complete with sideways ^.

    One of these... > ?

    (Sorry, couldn't resist. ;-)

  • Kiss me, I'm Polish (unregistered) in reply to bullseye

    VB stands for Virtual Borland, not Visual Basic

  • (cs)

    To put that 1.6e8 Euros in the right context, only a part of that money was spent on the website; the internal IT of the "Bundesagentur für Arbeit" has also been renewed. Also included is some kind of spider (called "Jobroboter") that seeks vacancies on corporate websites.

  • bongo (unregistered)

     

    Accenture - pronounced "ass enter"

  • aweew (unregistered) in reply to bongo
    From now on, I am appending all sorts of random data to the end of mosts.
     
    ichiban37287824wendys3242startrek32423fark.com
     
     
  • aweew (unregistered) in reply to aweew
    Oh, in situations like these, there's almost always some sort of payoff/embezzlement somewhere.  Either someone at Accenture is getting paid off, or someone in the gov't is taking that money.  Stuff like this isn't about consulting companies overcharging, it's about corrupted people somewhere skimming cash.
     
    3838328923489AYHGFYIEFUIFuireg
  • (cs) in reply to ammoQ
    ammoQ:
    Also included is some kind of spider (called "Jobroboter") that seeks vacancies on corporate websites.

    I presume this spider requires all vacancies be listed in a strict XML format on every website with large fines for any company that lists a job opening in any other format.

    I just cannot imagine a government doing anything that doesn't require a lot of red tape for someone to deal with.

  • (cs) in reply to Howard M. Lewis Ship

    For those of us living Stateside, that would make about $195,216,000 (courtesy of Google - yes, it does currency conversions, too).  I could buy a lot of HDTV's with that....

  • (cs) in reply to ammoQ

    What does it mean when a line is indented by 892 tabs?  I can imagine a good portion of code inspection time debating whether it should be 894.

    And this isn't the first boondoggle for the company.  They bodged a contract with the Ontario (Canada) government a few years ago.
    http://www.canadiansocialresearch.net/onbkmrk.htm#Andersen

  • (cs)
    I like the list of meta keywords on their page.  I'm sure that
    Ausbildungsbedingungen and Zugangsvoraussetzungen are typed in
    several times a day by people looking for this site.

  • (cs) in reply to triso

    Wow. This is actually a lot like what I sent in today, except multiplied by a thousand.

    GET parameters should come with some kind of warning label.

  • (cs) in reply to Coughptcha
    Coughptcha:
    ... http://www.canadiansocialresearch.net/onbkmrk.htm#Andersen
    Thanks for that link.   Here's another with a top-ten list of Andersen screwups: http://www.nupge.ca/publications/MiscPDFs/andersen.pdf
  • anonymous (unregistered)

    That looks like an IOR (CORBA object handle in string form), an underscore, and a UUID to me.

  • bad_pie (unregistered) in reply to triso

    Your Tax Euros At Work Folks!

    Seriously, for that kind of money the only "enterprise" thing I'd wanna see is of the friggin "starship" variation...

  • Boner (unregistered) in reply to bad_pie

    I don't speak German so I don't know exactly what's going on at that site and I may be missing a lot of the functionality, but from what I see I wouldn't have quoted more than a few thousand $ for that website.

    So, umm, how do I go about winning bids for $200,000,000 projects that I can finish single handedly in a couple of weeks?  What a crock...

  • XPA (unregistered) in reply to Anita Tinkle

    I worked for SBC a while back and they brought Accenture (This was actually during their name transition) in to consult on a project. I was 22 or so at the time and so was everyone that Accenture sent our way. Most of them had chemical engineering degrees or accounting degrees. They were not programmers by trade, but they were being trained to do it Accenture's way.

    Well, the VPs at SBC finally bitched and moaned enough that Accenture sent out some real developers and architects (btw...everyone has the title "architect" of some sort there...or so it seemed), but of course, those people cost more. So, the project was 8 months behind schedule at the 1 year mark (no kidding), and we were no closer to a solution at the 14 month mark. I left at the 18 month mark and the first iteration was almost done, a full 13 months behind schedule. Money well spent indeed.


  • Dr Awkward (unregistered)

    I see their problem!  They've got letters mixed up with their numbers!

  • nikolas (unregistered) in reply to sir.steve.h

    they seem to be charging about $200,000,000 for every enterprise-artwork they create.
    i sure would like to see their enterprisey $200,000,000 - 'hello world' - app.
    the customer would have to pay $18,181,818 per character - now that's posh !

  • Dennis Howlett (unregistered)

    I am so relieved to see that Accenture is still capable of wrapping up simple problems in complexity enough to bamboozle what's left of IT intelligence inside government.

  • Ikarus (unregistered) in reply to Dennis Howlett

    so. 160.000.000€... that's enough money to buy all good-looking girls of east-europe and create the largest porn-site ever. so we germans could earn enough money to build a rocket that brings all that unemployed crap and all those Accenture-guys up to f**king mars and store them there, where they belong.

    damn. the real WTF in here is, why my fellows did elect that merkel-tussie and not me. i think i have better future-visions and i know how to get rid of all those burglars.

    VOTE FOR ME!

  • (cs)
    Alex Papadimoulis:

    German readers may be familiar with the story of Arbeitsagentur.de, the official website of the Bundesagentur für Arbeit (Federal Labour Office). It's a fairly typical "big business" story: government wants a job portal website, large consulting company (Accenture) bids €65.5M, government accepts, consultants start it but say they need another €100M to complete it, government becomes outraged, news stories are written (like this one), and eventually a horribly slow low-functionality website gets built.

    But there's something I just can't wrap my mind around with stories like this. Why do people get outraged with a job portal website costing 160,000,000+ euros? Don't they realize how much enterprise is bundled with a price like that? Can't they understand that the slowness and poor usability is key part of enterpriseness and, that this is actually a good thing?

    Well I hope that I can set the record straight today and give Accenture the credit they are due. It's impossible to explain the value behind a €160M+ website in such a small space, but I think that Wladimir Palant found the perfect example that you can actually check and see for yourself (view source on arbeitsagentur.de). It's a 714-byte session identifier that's unique enough to represent all sessions across all websites across all the Internets across all galaxies throughout all of time ... four times over. Now that's enterprisey ...

    I don't think we realize the magnitude of what we're witnessing here. This is truly the new benchmark by which all other Enterprise solutions will be measured. We're watching history in the making, folks. [<:o)]

     

  • (cs)

    It looks like some object has been serialized (maybe even encrypted afterwards), and added just before the session ID.
    Maybe they wanted to pioneer a session without having anything on the server for longer than the request handling.
    But the real WTF is that they put it INTO a COOKIE ALSO.

  • (cs) in reply to meh
    Anonymous:
    Anonymous:
    Remember what Accenture was called before the big "cool-one-word" (COW) name changes started happening during the dot-bomb era?

    You guessed it:


    ANDERSEN CONSULTING.

    And yes, Andersen consultants were (and still are) some of the most expensive college kids you can bring on.  It's still very much a fraternity atmosphere there.



    When they came to talk to us to tell us how fabulous they were, they explained that the rebranding people decided that the best words to describe their new direction was "an accent on the future" and thus "accenture" was born, complete with sideways ^.

    >

    Accenture's recent struggles (http://www.e-health-insider.com/news/item.cfm?ID=1795) wouldn't have anything to do with shoddy products, right?

  • (cs) in reply to Otto
    Otto:
    Anonymous:
    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland

    Hah. Looks like they're using Borland Enterprise Server and screwed up their pointers somewhere. What you're seeing there is most likely some contents of the stack at some point, with the crap after the underscore being the real session id. There's probably a security hole there somehow as well.




    I tend to think you are completely correct, sir.  =)

       -dave-
  • (cs)

    Sorry, but that's not a WTF.  I'm sure that, being an Accenture job, there's lots of WTF to be had, but this one simply isn't among them.

    Privacy laws surrounding government web sites border on the paranoid.  It is often a requirement that all cookies, not just persistent cookies, be disabled in the web server.

    In order to preserve session state, Tomcat (and every other web application engine) needs a session cookie that uniquely identifies the user's session.  Tomcat has a feature whereby if the client doesn't accept session cookies or the server is configured not to send them, it will instead encode the session ID in the URL of all links that refer back to the application.  The programmer needs to do a little work to ensure that this occurs each and every time, but it is possible to write a complete enterprise-class web application without ever sending a cookie back to the client.

    That explains why the session ID is encoded in the URL.  Now for why the session ID is so large...

    The back-end application server is the Borland Enterprise Server.  I can't tell if they're using CORBA or EJB technology, but the encoded session ID contains enough information for the Apache web server IIOP plug-in provided by Borland to route the request back to the same application instance that served the previous request.

    In a clustered environment, you could have requests serviced by any one of (for example) eight machines.  If you hit a different back-end server every time you submit a request to the application, each server would have to take time to load your session from a persistent store before it even thought about servicing the request.  This incurs a severe performance penalty as you would have only a 12.5% chance that your next request would be serviced by the same server that serviced the previous request.  When you hit the same server on the current request that you did on the previous, your session is likely still in memory and the "reload session" performance hit is eliminated.  In order to locate the same application instance that you used last time, the server name, cluster name, and Tomcat instance name all need to be encoded in the URL.  In the event that your application instance can't be located (e.g. hardware failure), the IIOP plug-in will happily reroute your request to another server in the cluster, which will then rewrite your session ID to reflect the fact that the application instance has changed.

    As much as it pains me to say this about Accenture, this is actually an example of good design as far as clustering and session management go.  Based on the performance of the application, I'm sure there's a lot of real WTF behind the scenes, but not because of these session IDs.
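
Added example, not part of any comment in this thread: the post above describes routing details (server, cluster and Tomcat instance names) carried in the URL next to the session ID, and an earlier comment lists readable strings found in the token. The Python sketch below audits a token for such readable internal names and shows a keyed, opaque route tag as an alternative; the hex layout, the sample token and all function names are assumptions constructed for illustration.

```python
import binascii
import hashlib
import hmac
import re

# Constructed sample: internal names taken from the strings quoted in this
# thread, joined with filler bytes and hex-encoded. Not the site's real token.
_NAMES = [b"IDL:http/ReqProcessor:1.0", b"s0202021", b"berufe_cluster", b"/tomcat4_poa"]
_BLOB = b"\x00\x00\x00\x1a".join(_NAMES) + b"\x00"
SAMPLE_TOKEN = binascii.hexlify(_BLOB).decode() + "_" + "3f9c1d2ab47e4c0e9a6b5d8e7f012345"


def split_token(token):
    """Split '<hex routing blob>_<session id>' on the last underscore (assumed layout)."""
    prefix, sep, session_id = token.rpartition("_")
    if not sep:
        return b"", token                      # no routing prefix at all
    try:
        return binascii.unhexlify(prefix), session_id
    except (binascii.Error, ValueError):
        return prefix.encode(), session_id     # not hex: inspect the raw bytes


def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII, like the Unix `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode() for m in re.findall(pattern, blob)]


def audit(token):
    """Report what any client can read out of the token it was handed."""
    blob, session_id = split_token(token)
    return {
        "routing_bytes": len(blob),
        "readable_names": printable_strings(blob),
        "session_id_chars": len(session_id),
    }


def opaque_route_tag(key, node_name, length=16):
    """Keyed tag the front end can map back to a node without exposing its name."""
    return hmac.new(key, node_name.encode(), hashlib.sha256).hexdigest()[:length]


def resolve_route(key, tag, nodes):
    """Find the node for a tag; None means fall back to any healthy node."""
    for node in nodes:
        if hmac.compare_digest(opaque_route_tag(key, node, len(tag)), tag):
            return node
    return None


if __name__ == "__main__":
    print(audit(SAMPLE_TOKEN))
```

Sticky routing still works with the opaque tag, and a failed lookup maps to the same re-route path the post describes for a lost application instance.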

  • (cs) in reply to ferrengi

    that's the price of OSS

  • Andreas (unregistered)
    Alex Papadimoulis:

    But there's something I just can't wrap my mind around with stories like this. Why do people get outraged with a job portal website costing 160,000,000+ euros? Don't they realize how much enterprise is bundled with a price like that? Can't they understand that the slowness and poor usability is key part of enterpriseness and, that this is actually a good thing?



    Yeah.. this happens when you give a contract to the famous T-Systems company... one of the top-5 software
    and system companies in Germany.
  • (cs) in reply to Cipher
    Anonymous:
    Yeah, I don't even see the code. I just see blondes, brunettes, and redheads.


    That made my day... First time I actually laughed out loud while reading TDWTF.

  • (cs) in reply to kdean
    kdean:

    Tomcat has a feature whereby if the client doesn't accept session cookies or the server is configured not to send them, it will instead encode the session ID in the URL of all links that refer back to the application.  The programmer needs to do a little work to ensure that this occurs each and every time, but it is possible to write a complete enterprise-class web application without ever sending a cookie back to the client.



    Wow, how advanced. "Lowly" PHP can do that automagically and it doesn't even claim to be an enterprise-class platform.

    And by the way, "enterprise"? That must be the greatest buzzword of all times...
  • Paula (unregistered)

    I don't see what the fuss is about; we needed to store the session data, and when you cluster you can't store it on the server... has to go somewhere...

  • fnord (unregistered)

    So? DailyWTF encrypts their forums with The Word That Shall Not Be Named Starting With J.

  • William Hughes (unregistered) in reply to Coughptcha
    Coughptcha:
    What does it mean when a line is indented by 892 tabs?  I can imagine a good portion of code inspection time debating whether it should be 894.


    It means they're using the Whitespace language to do more enterprise-ness.

    http://compsoc.dur.ac.uk/whitespace/.
  • (cs) in reply to Boner
    Anonymous:
    So, umm, how do I go about winning bids for $200,000,000 projects that I can finish single handedly in a couple of weeks?  What a crock...


    Well, if you're in Britain, you get yourself onto the government's "preferred list" of suppliers ("preferred" is an understatement - government aren't actually allowed to look elsewhere) and then you pay lobbyists large amounts of money to encourage the government to introduce lots of shiny new IT schemes in almost every department - even creating new ones to keep the ball rolling (qv. ID cards) if necessary, and regardless of need or past experience - which will then come back to you in the form of obscenely lucrative contracts for piss-poor work.

    Like stealing candy from a baby, really. If you have the right friends.

    (And people wonder why I'm an anarchist...)

  • Chris (unregistered)

    I went for a job at Accenture once, I was lucky enough not to get it.

  • Chris (unregistered) in reply to gwenhwyfaer

    Well, if you're in Britain, you get yourself onto the government's "preferred list" of suppliers ("preferred" is an understatement - government aren't actually allowed to look elsewhere) and then you pay lobbyists large amounts of money to encourage the government to introduce lots of shiny new IT schemes in almost every department - even creating new ones to keep the ball rolling (qv. ID cards) if necessary, and regardless of need or past experience - which will then come back to you in the form of obscenely lucrative contracts for piss-poor work.

    Like the NHS IT system? Which is an Accenture CONtract.

    CAPTCHA - enterprise.

  • ref (unregistered) in reply to APAQ11
    Anonymous:
    That's not a WTF... that's just coding for the future. The world population, it is a multiplying.
    Could be a reason, but the German population is actually decreasing.
  • Rainer Zufall (unregistered)

    VB's most likely for VisiBroker, Borland's CORBA implementation

  • (cs)

    Speaking about the "Arbeitsagentur" that reminds me of a "bug" a site from the "Arbeitsamt" once had.

    In the job description pages were images. OK, there's nothing wrong with that, but the URL to every description had the path to the image and the name of the job. So you could change both to whatever you want; no check for correct name and path was done. Too bad they changed it shortly after it was found... but we had some fun before that :D

  • Cope with IT (unregistered) in reply to Anita Tinkle

    Anonymous:
    Heh.  I can't even get their website to come up.
    That in fact is not a bug - it's a feature: Apparently you are employed and they already figured you'd just not need their service.

    BTW, WTF ... why the heck doesn't that captcha thingy work?!?      

  • Nik (unregistered)

    Directly from the html:

    <!-- die folgende Datei gibt es nur im Internet-Center, Fehler auf anderen Rechnern bitte ignorieren -->
    <script src="http://proxy.internetcenter/berufenet.js" type="text/javascript"></script>
    That comment says something like: This file can only be accessed locally, please ignore errors on other machines.

  • Cope with IT (unregistered) in reply to FOO

    Anonymous:
    This is a fake...obviously generated...

    Well, actually, yes, the session + session ID stuff is generated... By that server they have at the "Bundesagentur für Arbeit". In fact you can generate this data yourself: Just go there and surf just a little bit...

    So sad...
