• Little Bobby Tables (unregistered)

    Frist back in 2000.

  • zen (unregistered)

    having worked at a bank, this is not unusual :)

  • bvs23bkv33 (unregistered)

    documentation! it exists! nice

  • (nodebb)

    So the WTF is that there is no WTF?

  • (nodebb)

    Wait, the server has been running since 2000? Never rebooted??

  • Dave (unregistered)

    Eric? Edward? Trwtf is that it wasn't Derrick.

  • VB_Guy (unregistered)

    I was writing VB 6.0 in 1998. Why would they write their software in VB 4.0? Also I am going to go out on a limb and say that SSL in VB 4.0 wasn't worth spit. Can't they just rewrite it in Access???

  • Naomi (unregistered) in reply to Steve_The_Cynic

    You're kidding, right?

  • (nodebb)

    In the various government organizations I've done consulting for, there's a shameful secret called EUD (end-user development). This refers to a collection of scripts, macros, procedures, VBA, spreadsheets, Access DBs, built by end-users over the years to circumvent problems or lack of functionality in legacy enterprise apps. Not necessarily WTFy until some piece of EUD ends up on the list of mission-critical assets, with an RTO of 4 hours, and you find out it only runs on an outdated OS version, uses hard-coded IPs, directly accesses confidential data and/or PID, uses a system account with a weak password hard-coded in the script in clear text, with granular access privileges to the individual data objects granted directly to the account, resides on a public share with no access control and no access logging, is undocumented, was written 15 years ago by some guy who's long gone, and now nobody will take ownership for it. Oh and there's 5 versions of it residing on 5 desktop PCs.

  • (nodebb) in reply to Mr. TA

    In a closet, that has since been covered with sheetrock during a remodel.

  • WTFguy (unregistered)

    @The_Dark_Lord: Finding / fixing / replacing EUD has kept me in high clover for a decade or four. Not that we used to call it that, but hard on the heels of the very first hobby computers being hauled into accounting and sales offices across the globe in the late 1970s EUD has been growing, spreading, mutating, ensnaring all it touches in its kudzu-like grip.

    Even Veeger couldn't sterilize this stuff.

  • Bruce W (unregistered)

    TRWTF is Derrick still going on about an application owner when his compliance brain should have melted over a key application running on a server whose OS hasn't been supported in years.

  • sizer99 (google) in reply to Steve_The_Cynic

    You think a dozen WTFs held together with chewing gum and paperclips make a no WTF?

  • sizer99 (google)

    This is completely typical, BTW. Banks and anyone related to health care have the worst IT infrastructure and people on the planet, behind governments. I was on a bank site recently (BoA?) trying to figure out why it was so terrible by looking at the HTML/JS source and there were still 2002 copyright notices in there.

  • (nodebb) in reply to sizer99

    The basic WTF is being sold as "they found a well-constructed, well-documented thing, and tried to hide it."

    The environment is a big WTF, and the overall system is, as a consequence, a big WTF, but Ropeway itself appears to have been competently constructed and documented. And they want to hide it.

    And the hole in my cheek from where my tongue poked through it is still bleeding.

  • Andrew A. Gill (unregistered) in reply to Steve_The_Cynic

    TRWTF is that they're going to need to forge hours & pretend to work hard on this issue when all they're really doing is flipping a switch.

    Well, that & the fact that the reason why they're embezzling money is that if they didn't, the whole project would probably be moved under IBM's contract, where they'd probably have to budget 10x what they'll wind up billing in-house.

  • (nodebb) in reply to Mr. TA

    it's a service, it's surely set up to priority autoslaunch on system start.

    Addendum 2020-01-09 23:40: *autolaunch, dammit

  • None (unregistered)

    And at the end of the movie the protagonist walks out of the building, holding the laptop with the checkbox screen, mouse pointer on the save button. Walking away he clicks the save button, and does not flinch even in the slightest as the building explodes behind him.

  • Dave (unregistered)

    Oh gawd, we have the opposite of EUD, we're not allowed to develop anything in-house because $government-bullshit-not-compete-with-industry whatever. So we have guys here who worked with software that... well among other backgrounds some of it involved fissile materials and who know a little bit about making stuff shit reliable and secure, and instead we're forced to farm the work out to strategically-shaved chimpanzees who work for large contractors and take five years for something we could do in-house in six months, and when we're done it would actually work, unlike what they shipped us.

  • SG (unregistered)

    Given that VB4 was released before SSL was invented, I'm a little sceptical of the details of this story... and even more so, given that anything it would be talking to is unlikely to still support anything old enough to still be calling it "SSL" instead of "TLS"...

  • WTFguy (unregistered)

    @SG: As always these stories as written contain a bit of ~~fiction~~ editorial license. The story says the docs date from Mar 2000. The dev's email says in effect "VB4 - I think". Which of those two "facts" more reliably sets the era of the tech involved?

    In 2000 SSL/TLS was old news. Both SSL 3.0 & TLS 1.0 were in public use by 1998.

    As was VB4, in fact it was long obsolete in 2000. VB5 came out in 1997 and VB6 in 1998. For comparison VB.Net v1.0 was still in the future; it was released in 2002.

    So it's a pretty good bet the app was "really" written in VB6.

    An interesting observation is that (like the Y2K mitigation problems in another recent WTF) the Ropeway folks are staring down the barrel of a different problem soon: Protocol obsolescence. Which will manifest at some random date in the fairly near future.

    The VB6 app's HTTPS code may have been built to use any of SSL 2.0/3.0 or TLS 1.0. Or it may be locked into just one of those depending on just how configurable it is and just how complete VB6's HTTPS support was in those days.

    Both SSL versions have now been deprecated for years and TLS1.0 deprecates this year. Soon enough they may have problems creating certificates and configuring endpoints that Ropeway can still connect to. So someday some certificate will expire and the replacement cert won't have the right fields or some server will be upgraded / replaced that now doesn't support the old version protocol. Surprise mystery outage!

    Maybe they already have that problem right now. Chris will soon find out when that setting "changes itself one day."

  • BB71 (unregistered)

    Why is this text riddled with bad English? "If had he been at the bank as long as his team had", "what shouldn't even by my problem", "exactly who's budget",... You'd think that the one article this site posts each day would have been thoroughly copy-edited...

  • Rich (unregistered)

    The real WTF is that someone didn't yell out "JODY DORCHESTER BUILT THIS IN CAVE! WITH A BOX OF SCRAPS!"

  • Zed (unregistered)

    The real WTF is programmers actually having well documented applications

  • Worf (unregistered) in reply to The_Dark_Lord

    EUD is everywhere. Even private businesses do it. Some guy does a little thing that makes his job just a bit easier and then it gets incorporated into everything else.

    If someone is lucky, some crappy spreadsheet they designed to help them with their job suddenly spreads to everyone's computer, and before you know it, everyone is doing stuff by that spreadsheet.

    It's in our nature to seek out ways to make our lives easier, and sometimes some stupid little thing blows up because it makes others' lives easier. You know how it is - you write one little shell script that automates something you do, some other guy sees you using it and wants it and now it's an Official Administrator Script(tm).

  • drobnox (unregistered) in reply to WTFguy

    > The VB6 app's HTTPS code may have been built to use any of SSL 2.0/3.0 or TLS 1.0. Or it may be locked into just one of those depending on just how configurable it is and just how complete VB6's HTTPS support was in those days.
    >
    > Both SSL versions have now been deprecated for years and TLS1.0 deprecates this year. Soon enough they may have problems creating certificates and configuring endpoints that Ropeway can still connect to. So someday some certificate will expire and the replacement cert won't have the right fields or some server will be upgraded / replaced that now doesn't support the old version protocol. Surprise mystery outage!

    My guess is that with the checkbox on, Ropeways just uses a protocol prefix of "https". For 16 hours of work, the guy was delving into the internals of the VB6 networking stack.

  • Alex (unregistered) in reply to WTFguy

    Yeah, there are some APIs at my company that are still http since when https is enabled any app that runs on Windows XP will fail to connect since .NET 4.0 doesn't support TLS 1.2.

  • Gustav (unregistered)

    I hope Jody charged at least $50k for the software!

  • (nodebb) in reply to drobnox

    My guess is that with the checkbox on, Ropeways just uses a protocol prefix of "https". For 16 hours of work, the guy was delving into the internals of the VB6 networking stack.

    I assume you mean was not delving, etc.

    Anyway, it says as much in the article:

    and then Ropeway would construct the Service URL using HTTPS instead of HTTP. That was it, apparently.

  • (nodebb)

    When your 20-years-aged software is less like wine and more like milk.

  • (nodebb)

    If you can't touch it and you don't want to change IP addresses, how about just making the gateways route those systems into a site-to-site VPN? I've done this for things that are ancient and they've been running that way for decades.

  • Some Ed (unregistered) in reply to WTFguy

    I like how you think that new software is written with current software. I want to live in a world like that.

  • Someone who Knows (unregistered)

    VB interop to https is via a COM object. No reason it couldn't be VB4. That COM object is still around in Windows. It'll be using whatever version of SSL that Windows uses, even though the application code doesn't know to ask for it.

    Too bad I can't say the same thing about .NET.

  • guilty 1 (unregistered)

    Even if we assume that the outdated SSL/TLS versions do not cause problems, which does not appear that likely to me: My guess is that once the switch is flipped and Ropeway tries to use HTTPS, it refuses to connect to AppPortal because AppPortal uses a server certificate signed by a bank-internal certification authority that is unknown to the Ropeway server.

  • Taurmin (unregistered)

    Real WTF here is the way this story portrays Derrick wanting someone to take ownership of a business critical application as unreasonable.
