389 points

Our business-critical internal software suite was written in Pascal as a temporary solution and has been unmaintained for almost 20 years. It transmits cleartext usernames and passwords as the URI components of GET requests. They also use a single decade-old Excel file to store vital statistics. A key part of the workflow involves an Excel file with a macro that processes an HTML document from the clipboard.

I offered them a better solution, which was rejected because the downtime and the minimal training would be more costly than working around the current issues.

129 points

The library I worked for as a teen used to process off-site reservations by writing them to a text file, which was automatically e-faxed to all locations every odd day.

If you worked at not-the-main-location, you couldn’t do an off-site reservation, so on even days, you would print your list and fax it to the main site, who would re-enter it into the system.

This was 2005. And yes, it broke every month with an odd number of days.

23 points

cleartext usernames and passwords as the URI components of GET requests

I’m not an infrastructure person. If the receiving web server doesn’t log the URI, and supposing the communication is encrypted with TLS, which removes the credentials from the URI, are there security concerns?

31 points

Anyone who has access to any involved network infrastructure can trace the cleartext communication and extract the credentials.

3 points

What do you mean by any involved network infrastructure? The URI is encrypted by TLS, you would only see the host address/domain unless you had access to it after decryption on the server.

11 points

I’m not 100% on this but I think GET requests are logged by default.

POST requests, normally used for passwords, don’t get logged by default.

BUT the URI would get logged on both, so if the URI contained @username:Password then it’s likely all there in the logs

1 point

Get and post requests are logged

The difference is that the logged get requests will also include any query params

GET /some/uri?user=Alpha&pass=bravo

While a post request will have those same params sent as part of a form body request. Those aren’t logged and so it would look like this

POST /some/uri

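An added example, not written by anyone in this thread, that shows the point of the two comments above from the log reader’s side: a small Python scanner that runs over constructed Common Log Format lines, flags request targets that carry credentials in the query string (or in the `user:password@host` userinfo form mentioned upthread), and produces a redacted copy of each offending line. The parameter-name list, log lines and host names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names treated as credential-bearing (constructed list; extend for your apps).
SENSITIVE_PARAMS = {"user", "username", "pass", "passwd", "password", "pwd",
                    "token", "api_key", "apikey", "secret"}

# Constructed sample access log in Common Log Format. Line 1 reuses the thread's own
# example; line 5 is the absolute-form target a forward proxy would log, with userinfo.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /some/uri?user=Alpha&pass=bravo HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:15:40 +0000] "POST /some/uri HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:16:01 +0000] "GET /report?id=42&format=csv HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2024:10:16:05 +0000] "GET /login?username=carol&password=s3cret HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2024:10:16:09 +0000] "GET http://alice:hunter2@intranet.local/app HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def leaked_params(target):
    """Names of credential-bearing parts found in a request target, sorted.
    Query params are matched by name; 'userinfo' marks a user:password@host prefix."""
    parts = urlsplit(target)
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    found = sorted(names & SENSITIVE_PARAMS)
    if parts.username is not None:
        found.append("userinfo")
    return found


def redact_target(target):
    """Return the target with sensitive values replaced by REDACTED; other params untouched."""
    parts = urlsplit(target)
    if parts.username is not None:
        host = parts.hostname or ""
        if parts.port:
            host += f":{parts.port}"
        parts = parts._replace(netloc=f"REDACTED@{host}")
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if pairs:
        parts = parts._replace(query=urlencode(pairs))
    return urlunsplit(parts)


def scan_log(text):
    """Return (line_no, method, leaked_names, redacted_line) for every offending line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real deployment would count these separately
        target = m.group("target")
        leaked = leaked_params(target)
        if leaked:
            findings.append((n, m.group("method"), leaked,
                             line.replace(target, redact_target(target), 1)))
    return findings


if __name__ == "__main__":
    for n, method, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} request leaks {', '.join(leaked)}")
        print(f"  redacted: {redacted}")
```

The POST line passes untouched because its form body never reaches the access log, which is exactly the asymmetry the comment describes; the redacted copies are what you would want written to long-term storage.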
10 points

Nope, it’s bare-ass HTTP. The server software also connected to an LDAP server.

1 point

I don’t even let things communicate on /30 networks via HTTP/cleartext…this whole thing is horrifying.

6 points

I would still not sleep well; other things might log URIs to different unprotected places. Depending on how the software works, this might be the client, but also middleware or a proxy…

3 points

supposing the communication is encrypted with TLS

I can practically guarantee you it was not

1 point

Browser history

Even if the destination doesn’t log GET components, there could be corporate proxies that MITM that might log the URL. Corporate proxies usually present an internally trusted certificate to the client.

18 points

downtime

minimal retraining

I feel your pain. Many good ideas that cause this are rejected. I have had ideas requiring one big downtime chunk rejected even though it reduces short but constant downtimes and mathematically the fix will pay for itself in a month easily.

Then the minimal retraining is frustrating when work environments and coworkers still pretend computers are some crazy device they’ve never seen before.

16 points

Places like that never learn their lesson until The Event™ happens. At my last place, The Event™ was a derecho that knocked out power for a few days, and then when it came back on, the SAN was all kinds of fucked. On top of that, we didn’t have backups for everything because they didn’t want to pay for more storage. They were losing like $100K+ every hour they were down.

The speed at which they approved all-new hardware inside a colocation facility after The Event™ was absolutely hilarious, I’d never seen anything approved that quickly.

Trust me, they’re going to keep putting it off until you have your own version of The Event™, and they’ll deny that they ever disregarded the risk of it happening in the first place, even though you have years’ worth of emails saying “If we don’t do X, Y will occur.” And when Y occurs, they’ll scream “Oh my God, Y has occurred, no one could have ever foreseen this!”

It’ll happen. Wait and watch.

6 points

Sounds like a universal experience for pretty much all fields of work.

Government and policy? Climate change? A fucking pandemic?!

We’ve seen it all happen time and time again. People in positions of authority get overconfident that if things are working right now, they’ll keep working indefinitely. And then despite being warned for decades, when things finally break, they’ll claim no one could have foreseen the consequences of their lack of responsibility. Some people will even chime in and begin theorising that surely, those that warned them, had to be responsible for all the chaos. It was an act of sabotage, and not of foresight.

4 points

Places I’m at usually end up bricking robots and causing tens of thousands of dollars of damage to them because they insist on running the robot without allowing small fixes.

Usually a big robot crash will be The Event that teaches people to respect early warning signs…for about 3 months. Then the old attitude slides back.

Good thing we aren’t building something that requires precision, like semi-conductor wafers. Oh wait.

14 points

As weird as it may seem, this might be a good argument in favor of Pascal. I despised learning it at uni, as it seemed worthless, but it seems that it can still handle business-critical software for 20 years.

48 points

What OP didn’t tell you is that, due to its age, it’s running on an unpatched WinXP SP2 install and patching, upgrading to SP3, or to any newer Windows OS will break the software calls that version of Pascal relies upon.

4 points

You’re literally describing the system that controlled employee keyscan badges a couple of jobs ago…

That thing was fun to try and tie into the user disable/termination script that I wrote. I ended up having to just manipulate its DB tables manually in the script instead of going through an API that the software exposed, because it didn’t do that. Figuring out their fucked-up DB schema was an adventure on its own too.

12 points

Anything can if you don’t update it.

364 points

i worked for a hybrid hosting and cloud provider that was partnered with Electronic Arts for the SimCity reboot.

well half way through they decided our cloud wasn’t worth it, and moved providers. but no one bothered to tell all the outsourced foreign developers that they were on a new provider architecture.

all the shit storm fail launch of SimCity was because of extremely shitty code that was meant to work on one cloud and didn’t really work on another. but they assumed hurr hurr all server same.

so you guys got that shit launch and i knew exactly why and couldn’t say a damn thing for YEARS

64 points

Not to put the blame on the devs, but the problems might have been attenuated by defining a proper interface layer against the server.

135 points

It’s a damn single player game 💀

29 points

The multiplayer stuff was neat in theory, but any multiplayer thing you did took like 20+ minutes to actually propagate to other players’ games

0 points

Your comment seems to be related to something else… or I’m stupid, which is entirely plausible, too.

33 points

That’s cool to know! I had been wondering what happened with that historically bad launch.

4 points

Kevin Fang - The Worst Website Launch of All Time <on Youtube> <on Piped’s frontend (thanks bot!)>

4 points

Here is an alternative Piped link(s): https://piped.video/watch?v=Ui5op0N700A

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I’m open-source, check me out at GitHub.

18 points

I knew that’s gonna be gold after I read that first sentence

271 points

It’s pretty depressing, but the fact that soil and groundwater are almost certainly contaminated anywhere that humans have touched. I’ve seen all kinds of places from gas stations, to dry cleaners, to mines, to fire stations, to military bases, to schools, to hydroelectric plants, the list could go on, and every last one of them had poison in the ground.

89 points

Some places are insanely polluted to the point where you wonder how a whole company could be so braindead and essentially poison themselves.
A place not far from where I live had a chemical plant which just dumped loads of chemicals on a meadow for years. Now there are ground water pumps installed there which need to run 24/7 so that the chemicals don’t contaminate nearby rivers and hence the rest of the country.
When taking samples from the pumped up water you can smell gasoline.

80 points

We’re house shopping and there has been a house on a lake sitting on the market forever. I got curious and researched the lake and… It’s a literal superfund site. The company that was on the other side of the lake just dumped their waste chemicals right on the shore and it has polluted both the lake and ground water forever essentially because they don’t break down. I looked up the previous owner… Died of cancer. The shit that companies are and were allowed to get away with is just insane. Meanwhile right wing nut jobs want to get rid of the EPA (which was ironically created by Richard Nixon).

15 points

Some places are insanely polluted to the point where you wonder how a whole company could be so braindead and essentially poison themselves.

“That’s the future guy’s problem, my problem is making money.”

No need to wonder. That’s how.

5 points

A place not far from where I live had a chemical plant which just dumped loads of chemicals on a meadow for years.

Sounds cheap.

1 point

The largest lake in the UK by area got massively polluted and turned into a swamp of toxic green algae. It’s crazy how people just let stuff like that happen.

44 points

It’s just as depressing when something counts as “clean”. My saddest example was a former sand pit, they spent 30 years digging out 15 meters of sand, then another 30 years filling it with anything from industrial to veterinary waste, “capped” it with rubble in the late 40s and called it clean enough.

Had a bigass job digging out the top 3 meters of random waste, including several thousand barrels of whatever the fuck. And definitely no unexploded ordnance (spoiler, after finding several WW2 rifle stocks and helmets, the first mortar shells were dug up too). After making room, it was covered in sand, clay, bentonite and a protective grid.

So naturally, 3 months after that finished, some cockhead decided to throw an anchor and hit go all ahead flank on his asshole’s boat and tore the whole thing up. No need to fix anything though, just shovel some more sand in, that’ll stop the anthrax!

This was all in open connection with a major river, of course. One people swim in.

2 points

@Tar_alcaran @thrawn21 fucking yikes. Was the public notified in any way? Did it make it to the news? Or just kind of brushed under the rug?

40 points

What are they poisoned with and how does it happen?

64 points

Varies depending on the site, sometimes it’s gasoline, or solvents, or heavy metals or PFAS. As for how it happens, accidental or deliberate releases. I’ve found military documents from the 50s that say the official place to dispose of used motor oil was a pit they’d dug in the ground.

24 points

Yep, the regulation is now a 5ft cubed hole dug around the soil in any spill. It’s resulted in folks being more careful but also hiding where things are spilled. I’ve not once seen a hole dug. Corporations are roughly similar. Small organizations don’t care at all.

18 points

Here’s a recent article about PFAS in drinking water. Very unfortunate.

13 points

Heavy metals and PCBs are most common in my area, various VOCs aren’t far behind. Prior to the EPA and associated legislation companies would commonly use waste process waters for dust control, dump wastes in to pits or on the ground, spills would be left to soak away, and general processes were dirtier and uncontrolled.

One terrible example from western NY that bugs me even more than Love Canal is the involvement with the Manhattan Project. Local steel workers rolled uranium and they were never told what it was, given any protections, or cared for when the inevitable happened. Radioactive waste was later used as fill for residential and commercial properties in the area. These hotspots still exist and it is a slow process to get any cleanup done.

20 points

I work in air quality and it’s a similar story. It’s crazy to me seeing how much is unregulated, grandfathered in, or simply not enforced.

2 points

What do you want? They moved it out of the environment. . .

261 points

The programming team that is working hard on your project is just one dude and he smells funny. The programming team you’ve met in your introductory meeting are just the two unpaid interns that will be fired or will quit within the next two months and don’t know what’s happening. We don’t do agile despite advertising it. Also your project being a priority means it’ll be slapped together from start to finish 24 hours prior to the deadline. Oh and there will be extra charges to fix anything that doesn’t work as it should.

67 points

I think we work in the same company, the dude does not smell funny to me but maybe that’s just me.

88 points

Are you that dude?

16 points

No he is many things including functioning alcoholic and a choleric but I could not detect strong odor.

I do not know what my thing is because that’s obviously my blind spot.

3 points
Removed by mod
1 point

We all work for that company. Except at mine, I work remote, so I have only myself to blame the stinkiness on.

49 points

When you have a great programmer working on your project he will be cycled to a new project in 2-3 months. Your new senior developer who silently takes over the project is part time because he’s working on finishing his education.

No one knows how anything works, except that one guy, who left the company half a year ago. That’s how all software development is.

4 points

Throw in a mysterious comment that says “Don’t change anything below this line or everything breaks” and it’s complete.

“We don’t know why this works, but it does, don’t touch it.” would also be acceptable.

3 points

“The server mangles the authentication token after receiving it for reasons we don’t really understand, so this function just checks to see that it’s set in the request, but nothing actually cares if it’s valid. DO NOT RETURN USER ACCOUNT DATA HERE AND YES THAT MEANS YOU MARCUS”

1 point

This is basically my current team, haha.

40 points

In my company we have a very modern agile workflow where QA is top priority.

At least that what we advertise. In reality it’s all an unorganized clusterfuck where I’m pretty sure I am the only one who bothers to write automated tests. Who’s got time to write tests bro just push that shit out ASAP we’ll deal with it when the client calls us in the middle of the night to complain about previously-working shit being broken now.

8 points

I’ve worked for one company that actually did it right (complete with pair programming, even). It was pretty nice.

Too bad we were apparently the “experimental?” team and the only one in the whole company doing it that way.

6 points

I worked for a company like that. Wall Street shits bought us up and sold everything that wasn’t bolted down.

33 points

A lot of outsourcers do this. Here’s my experience with a few companies.

  • The “team” you meet are competent, English speaking fronts. They are the demo models of the people who will work on your projects.
  • After the contract is signed, these people are swapped out with randos of varying competence.
  • In some cases, some of these randos are further hidden behind aliases: people with names that are actually more than one person sharing logins and passwords.
  • They will string you along, trying to charge maximum hours worked without regards to product or services delivered.
  • Most of these companies have a “bucket of crabs” mentality: the managers are horrible, the staff incompetent, and once they gain some skill, they leave for better companies. They backstab one another, hijack projects to fuck over coworkers, and lie and cover their tracks. Some of this is cultural, like a caste system, while some are just racist.

At one time, these people were pretty good, but they realized they had skills and left for other countries for better pay and better working conditions. The bids got more and more competitive, cutting costs until they were literally filled with low-skilled labor who can’t be promoted or leave for economic or competence reasons.

2 points

Now that I read this, I’m kinda glad that our company doesn’t do anything like that. But it’s just a small indie team porting games to consoles, so I guess what you’re mentioning is the bigger corp problem.

31 points

Programming teams I’ve worked with are a joke.

Company A: We got hacked and the lead dev argued for days it wasn’t a hack. Malware was actively being served to customers during this time period because she refused to deal with it and there was no security team.

Company B: programming team was the IT guy’s nephew and some random UI designer who hadn’t finished college and was never able to be employed after finishing college…

Company C: We interviewed a candidate who was way overqualified and would make our life so easy because he was eager and hungry. Instead we hired a bootcamper who had never heard of docker (half our infra is docker), react, or anything other than vanilla JavaScript. She failed our practical but still got hired because the hiring manager wanted an assistant. She has become a glorified project manager, but still has the title software engineer.

19 points

Can confirm. I am the smelly guy. Leave me alone and you get code. Bother me and you don’t.

4 points

Hah, is this contracting? And what is done vs agile?

5 points

Think waterfall. But like. No design and no testing.

Not contracting, just another small shop that offers “complete” solutions from a to z kinda situation.

The only competent person in that org would be, oddly enough, the CEO. Everybody else just feels like they show up to be marked present on an attendance sheet in terms of being useful.

6 points

Think waterfall. But like. No design and no testing.

That’s just “cowboy coding.”

248 points

I used to work for a popular wrestling company, billionaire owner, very profitable, would write off any OSHA penalties as the ‘cost of doing business’ just as they did in 1998, when The Undertaker threw Mankind off Hell In A Cell, and plummeted 16 ft through an announcer’s table


Ask Lemmy

!asklemmy@lemmy.world