Being a freelancer is hard. Being a freelancer during the downturn after the Dot-Com bust was even harder. Jorge was in that position, scrambling from small job to small job, fighting to make ends meet, when one of his freelance clients offered him a full-time gig.
Carol, the customer, said “Jorge, we’re really short-handed and need help. We’d like you to start on Monday. You know PHP, right?”
Jorge didn’t know PHP, but he knew plenty of other languages. He said yes, crash-coursed over the weekend, and was confident he could learn the rest on the job. When he showed up on Monday, Carol introduced him to Luke- “who will mentor you on our application.”
“Hey!” Luke grabbed Jorge’s hand, started shaking, and kept at it for far longer than comfortable. “It’s great to have you here, really great, you’re really going to like our code, it’s really really great. We’ve got a lot of great customers, and they’re really really happy with our great software. Do you like encryption? I built our encryption layer. It’s really really great. And I hope you like getting things done, because we’ve got a really really great environment with no obstacles.”
Jorge recovered his hand, wiped it on his pants, and tried to smile to cover the internal panic that was taking over his thought processes. That internal panic got louder and louder as Luke showed him the ropes.
They had a few dozen tiny applications, and the code for those applications lived in one place: the production server. Server, singular. There was no dev environment, there was no source control server. Their issue tracking was, “When there’s an issue, a customer will call you, and you’ll fix it.” Luke explained, “I like to work on it while I’m on the phone with them, so I can just edit the code and have them refresh the page right there.”
Jorge nearly quit, but Carol had been a great customer in the past, and he really wanted a steady gig. He ignored his gut, and instead tried to convince himself, “This is an opportunity. I can help them get really up to speed.”
He found an ancient Cobalt RaQ in a closet, with a 366MHz processor (with MMX!) and 64MB of RAM. Jorge hammered on that whenever he had a spare moment, setting it up as a dev environment, a CVS server and Bugzilla. This took weeks, because Jorge didn’t have a lot of spare moments. Luke kept him busy on a “deep dive” into the code.
Jorge was largely ignorant of PHP’s details and nuances, but Luke was massively ignorant. Luke’s indentation was so chaotic it could double as a cryptographically secure random number generator. Wherever possible, Luke reinvented wheels. Instead of using a server-side redirect, he instead injected a <script> block into the page to send the browser to a different page. When PHP changed their register_globals
behavior for security reasons, Luke didn’t think about why that happened or what that meant. He didn’t even bother to flip the PHP.ini flag which would revert to the old behavior. Instead, he just pasted this block into every PHP file:
while(list($GET_Key,$GET_Val)=each($HTTP_GET_VARS)){
$Var_Key_VAR = $GET_Key;
$$Var_Key_VAR = $GET_Val;
}
while(list($POST_Key,$POST_Val)=each($HTTP_POST_VARS))
{
$Var_Key_VAR = $POST_Key;
$$Var_Key_VAR = $POST_Val;
}
while(list($SERVER_Key,$SERVER_Val)=each($HTTP_SERVER_VARS)){
$Var_Key_VAR = $SERVER_Key;
$$Var_Key_VAR = $SERVER_Val;
}
Jorge didn’t know enough about PHP at the time to recognize how horrible this was, or how horrible PHP’s register_globals behavior was. He knew it was bad, though. What he didn’t realize was that the entire situation was actually worse than that.
“Luke,” Jorge said, “why do I see your name peppered everywhere in the code?” Everywhere. Luke had tagged the code with his name like a graffiti artist trying desperately to get arrested. His name was in the commons, he was given credit in the meta
tags of most pages, he named variables after himself, and even a few page titles actually said “by Luke S…”
“Oh,” Luke said, “well the work’s really, really great, right? Like art, and you’ve got to sign your great art. Let everybody know who the great developer behind it was. I’m sure you’ll get the chance to sign your name in a few places soon, right? It’ll be great. Really really great.”
The whole thing made Jorge suspicious. He removed the obvious signatures and started throwing the code into Google. Luke had barely written a single line of the code- 90% of what Jorge found had been copied-and-pasted from tutorials or other sites. Even some of the copy on pages had been stolen from other sites. It all came from somewhere else, and had been thrown together with no sense of what any of it actually meant.
Jorge was about to bring this up to Carol when Luke added: “You should really check out the encryption layer I built for security. It’s really, really great.”
It was really really something. It took a little while for Jorge to understand the purpose of the encryption until he dug past it into the underlying application. This application was a blog-style platform. Different users could manages posts in several feeds. Luke didn’t understand how to verify what user was logged in, so at one point, a little URL tampering would have allowed users to tamper with other users posts. Luke “solved” this by “encrypting” the URL params so that they couldn’t be edited. His cutting edge encryption algorithm was the most secure solution since ROT13: encode_base64
.
This was Jorge’s final straw. Luke was a plagiarist hack, and there was no way Jorge could hope to maintain this application. He went to Carol to give his notice. “Oh, no,” Carol said, “you can’t quit! Luke just gave his notice today.”
“Wait, Luke is leaving?”
“Yes,” Carol said. “He thinks he can make more money as a freelancer, like you were. He’s already got several clients lined up, he says.”
“Well, that’s really, really great.”
Jorge is still in that job, but Luke’s creation has long since been entirely junked and rewritten. Luke is still out there somewhere, freelancing away.