Our business-critical internal software suite was written in Pascal as a temporary solution and has been unmaintained for almost 20 years. It transmits cleartext usernames and passwords as the URI components of GET requests. They also use a single decade-old Excel file to store vital statistics. A key part of the workflow involves an Excel file with a macro that processes an HTML document from the clipboard.
I offered them a better solution, which was rejected because the downtime and the minimal training would be more costly than working around the current issues.
The library I worked for as a teen used to process off-site reservations by writing them to a text file, which was automatically e-faxed to all locations every odd day.
If you worked at not-the-main-location, you couldn’t do an off-site reservation, so on even days, you would print your list and fax it to the main site, who would re-enter it into the system.
This was 2005. And yes, it broke every month with an odd number of days.
cleartext usernames and passwords as the URI components of GET requests
I’m not an infrastructure person. If the receiving web server doesn’t log the URI, and supposing the communication is encrypted with TLS, which removes the credentials from the URI, are there security concerns?
Anyone who has access to any involved network infrastructure can trace the cleartext communication and extract the credentials.
What do you mean by any involved network infrastructure? The URI is encrypted by TLS, you would only see the host address/domain unless you had access to it after decryption on the server.
They said clear text, I would assume it’s not https.
The comment we are replying to is asking about a situation where there is TLS. Also using clear text values in the URI itself does not mean there wouldn’t be TLS.
Nope, it’s bare-ass HTTP. The server software also connected to an LDAP server.
I would still not sleep well; other things might log URI’s to different unprotected places. Depending on how the software works, this might be client, but also middleware or proxy…
Browser history
Even if the destination doesn’t log GET components, there could be corporate proxies that MITM that might log the URL. Corporate proxies usually present an internally trusted certificate to the client.
downtime
minimal retraining
I feel your pain. Many good ideas that cause this are rejected. I have had ideas requiring one big downtime chunk rejected even though it reduces short but constant downtimes and mathematically the fix will pay for itself in a month easily.
Then the minimal retraining is frustrating when work environments and coworkers still pretend computers are some crazy device they’ve never seen before.
Places like that never learn their lesson until The Event™ happens. At my last place, The Event™ was a derecho that knocked out power for a few days, and then when it came back on, the SAN was all kinds of fucked. On top of that, we didn’t have backups for everything because they didn’t want to pay for more storage. They were losing like $100K+ every hour they were down.
The speed at which they approved all-new hardware inside a colocation facility after The Event™ was absolutely hilarious, I’d never seen anything approved that quickly.
Trust me, they’re going to keep putting it off until you have your own version of The Event™, and they’ll deny that they ever disregarded the risk of it happening in the first place, even though you have years’ worth of emails saying “If we don’t do X, Y will occur.” And when when Y occurs, they’ll scream “Oh my God, Y has occurred, no one could have ever foreseen this!”
It’ll happen. Wait and watch.
Sounds like a universal experience for pretty much all fields of work.
Government and policy? Climate change? A fucking pandemic?!
We’ve seen it all happen time and time again. People in positions of authority get overconfident that if things are working right now, they’ll keep working indefinitely. And then despite being warned for decades, when things finally break, they’ll claim no one could have foreseen the consequences of their lack of responsibility. Some people will even chime in and begin theorising that surely, those that warned them, had to be responsible for all the chaos. It was an act of sabotage, and not of foresight.
Places I’m at usually end up bricking robots and causing tens of thousands of dollars of damage to them because they insist on running the robot without allowing small fixes.
Usually a big robot crash will be The Event that teaches people to respect early warning signs…for about 3 months. Then the old attitude slides back.
Good thing we aren’t building something that requires precision, like semi-conductor wafers. Oh wait.
That’s just be on them losing tons and tons of money from bad usable platter space lol they’re machine gunning themselves in the legs
As weird as it may seem, this might be a good argument in favor of Pascal. I despised learning it at uni, as it seems worthless, but is seems that it can still handle business-critical software for 20 years.
What OP didn’t tell you is that, due to its age, it’s running on an unpatched WinXP SP2 install and patching, upgrading to SP3, or to any newer Windows OS will break the software calls that version of Pascal relies upon.
You’re literally describing the system that controlled employee keyscan badges a couple of jobs ago…
That thing was fun to try and tie into the user disable/termination script that I wrote. I ended up having to just manipulate its DB tables manually in the script instead of going through an API that the software exposed, because it didn’t do that. Figuring out their fucked-up DB schema was an adventure on its own too.
I’m also describing the machine in my office that runs my $20,000 laser plotter/large format scanner. The software in the machine uses (Java?) over a web interface which was deprecated and removed from all browsers around 2012-14, iirc. The machine isn’t supported anymore and the only way to clear an error or update where it sends scans is using that interface. I have a XPSP2 machine running the internal IE6 browser which will still display the interface. Since I’m now a one-person office, and I use the scanner about 6 times a year, I keep that machine around in case I need to turn it on to update the scanner or clear a print error. Buying a new plotter isn’t worth the time/money - when it dies I’ll just farm out the work to a 3rd party vendor; but while it does work it’s convenient to have in-house.
If it’s that old, I’m betting it doesn’t use HTTPS for its connections. You could do a network packet capture on the XP machine (or if you can find one, hook it up to a network hub with another computer attached and capture there) while performing the “clear error” action and find out how it works/what you need to send to it to clear the error. You could also set up a SPAN port on a switch and mirror the traffic on the port going to the printer to capture the traffic, if you have a switch capable of doing that. If not, you can get one off Amazon for about $100.
It’d be pretty simple to put together a script that sends the “clear error” action to the printer after seeing how it’s done in the packet capture. I’ve done this numerous times, the latest of which was for a network-connected temperature sensor that I wanted to tie into but didn’t (publicly) expose an API of any kind.
It’s more than that, though - it’s used to setup custom sheet widths as well as enter new server and login details for sending scans via FTP to a server. If I’m doing billable work, I’m charging $225/hr. If I’m snooping the network, which isn’t my field and I do almost never so it takes me several times longer than an expert, I’m making nothing. With an annual value on the machine’s services at less than $500 (more than half of which would become reimbursable if I didn’t have it), there’s no actual value in “fixing” it by creating a different work around. 🤷♂️
Anything can if you don’t update it.
i worked for a hybrid hosting and cloud provider that was partnered with Electronic Arts for the SimCity reboot.
well half way through they decided our cloud wasn’t worth it, and moved providers. but no one bothered to tell all the outsourced foreign developers that they were on a new provider architecture.
all the shit storm fail launch of SimCity was because of extremely shitty code that was meant to work on one cloud and didn’t really work on another. but they assumed hurr hurr all server same.
so you guys got that shit launch and i knew exactly why and couldn’t say a damn thing for YEARS
Not to put the blame on the devs, but the problems might have been attenuated by defining a proper interface layer against the server.
It’s a damn single player game 💀
The multiplayer stuff was neat in theory, but any multiplayer thing you did took like 20+ minutes to actually propagate to other players games
I wonder if that’s related to “the wrong cloud”. Imagine if someone wrote some super slick code that worked really really well in the original cloud, and just couldn’t figure out how to make it work in the new cloud, so everything is just an awful workaround.
Unless you’re really deep into a particular provider’s unique-esque products (Lambda, Azure AD, Fargate, etc), this is exactly why things like Terraform exist.
Oh for sure, but the games industry is one of the few that still does some weird stuff because a lot of the software is only expected to last 5 years or so at most, and needs to get every drop of performance.
I could definitely see some hyper optimized cloud API looking really great and then not having an equivalent in another ecosystem (or at least not one that could be quickly swapped out just before release).
Your comment seems to be related to something else… or I’m stupid, which is entirely plausible, too.
I think it’s refering to the fact that the reboot SimCity was a single player game (you could never play with someone else) but that was always online anyway
There was no Rebooted SimCity in Ba Sing Se
All this fuss over servers for a single player game. Not only did they handle the migration poorly, it shouldn’t need to talk to servers period!
I think it’s AWS
That’s cool to know! I had been wondering what happened with that historically bad launch.
Kevin Fang - The Worst Website Launch of All Time <on Youtube> <on Piped’s frontend (thanks bot!)>
Here is an alternative Piped link(s): https://piped.video/watch?v=Ui5op0N700A
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source, check me out at GitHub.
I knew that’s gonna be gold after I read that first sentence
It’s pretty depressing, but the fact that soil and groundwater are almost certainly contaminated anywhere that humans have touched. I’ve seen all kinds of places from gas stations, to dry cleaners, to mines, to fire stations, to military bases, to schools, to hydroelectric plants, the list could go on, and every last one of them had poison in the ground.
Some places are insanely polluted to the point where you wonder how a whole company could be so braindead and essentially poison themselves.
A place not far from where I live had a chemical plant which just dumped loads of chemicals on a meadow for years. Now there are ground water pumps installed there which need to run 24/7 so that the chemicals don’t contaminate nearby rivers and hence the rest of the country.
When taking samples from the pumped up water you can smell gasoline.We’re house shopping and there has been a house on a lake sitting on the market forever. I got curious and researched the lake and… It’s a literal superfund site. The company that was on the other side of the lake just dumped their waste chemicals right on the shore and it has polluted both the lake and ground water forever essentially because they don’t break down. I looked up the previous owner… Died of cancer. The shit that companies are and were allowed to get away with is just insane. Meanwhile right wing nut jobs want to get rid of the EPA (which was ironically created by Richard Nixon).
Some places are insanely polluted to the point where you wonder how a whole company could be so braindead and essentially poison themselves.
“That’s the future guy’s problem, my problem is making money.”
No need to wonder. That’s how.
A place not far from where I live had a chemical plant which just dumped loads of chemicals on a meadow for years.
Sounds cheap.
The largest lake in the UK by area got massively polluted and turned into a swamp of toxic green algae. It’s crazy how people just let stuff like that happen.
What are they poisoned with and how does it happen?
Varies depending on the site, sometimes it’s gasoline, or solvents, or heavy metals or PFAS. As for how it happens, accidental or deliberate releases. I’ve found military documents from the 50s that say the official place to dispose of used motor oil was a pit they’d dug in the ground.
Yep, the regulation is now a 5ft cubed hole dug around the soil in any spill. It’s resulted in folks being more careful but also hiding where things are spilled. I’ve not once seen a hole dug. Corporations are roughly similar. Small organizations don’t care at all.
Here’s a recent article about PFAS in drinking water. Very unfortunate.
Heavy metals and PCBs are most common in my area, various VOCs aren’t far behind. Prior to the EPA and associated legislation companies would commonly use waste process waters for dust control, dump wastes in to pits or on the ground, spills would be left to soak away, and general processes were dirtier and uncontrolled.
One terrible example from western NY that bugs me even more than Love Canal is the involvement with the Manhattan Project. Local steel workers rolled Uranium and they were never told what is was, given any protections, or cared for when the inevitable happened. Radioactive waste was later used as fill for residential and commercial properties in the area. These Hotspot still exist and it is a slow process to get any cleanup done.
It’s just as depressing when something counts as “clean”. My saddest example was a former sand pit, they spent 30 years digging out 15 meters of sand, then another 30 years filling it with anything from industrial to veterinary waste, “capped” it with rubble in the late 40s and called it clean enough.
Had a bigass job digging out the top 3 meters of random waste, including several thousand of barrels of whatever the fuck. And definitely no unexploded ordnance (spoiler, after finding several ww2 rifle stocks and helmets, the first mortarshells were dug up too). After makimg room, it was covered in sand, clay, bentonite and a protective grid.
So naturally, 3 months after that finished, some cockhead decided to throw an anchor and hit go all ahead flank on his assholes boat and tore the whole thing up. No need to fix anything though, just shovel some more sand it, that’ll stop the anthrax!
This was all in open connection with a major river, of course. One people swim in.
@Tar_alcaran @thrawn21 fucking yikes. Was the public notified in any way? Did it make it to the news? Or just kind of brushed under the rug?
I work in air quality and it’s a similar story. It’s crazy to me seeing how much is unregulated, grandfathered in, or simply not enforced.
What do you want? They moved it out of the environment. . .
The programming team that is working hard on your project is just one dude and he smells funny. The programming team you’ve met in your introductory meeting are just the two unpaid interns that will be fired or will quit within the next two months and don’t know what’s happening. We don’t do agile despite advertising it. Also your project being a priority means it’ll be slapped together from start to finish 24 hours prior to the deadline. Oh and there will be extra charges to fix anything that doesn’t work as it should.
I think we work in the same company, the dude does not smell funny to me but maybe that’s just me.
Are you that dude?
No he is many things including functioning alcoholic and a choleric but I could not detect strong odor.
I do not know what my thing is because that’s obviously my blind spot.
That’s what he said, yep.
In my company we have a very modern agile workflow where QA is top priority.
At least that what we advertise. In reality it’s all an unorganized clusterfuck where I’m pretty sure I am the only one who bothers to write automated tests. Who’s got time to write tests bro just push that shit out ASAP we’ll deal with it when the client calls us in the middle of the night to complain about previously-working shit being broken now.
I’ve worked for one company that actually did it right (complete with pair programming, even). It was pretty nice.
Too bad we were apparently the “experimental?” team and the only one in the whole company doing it that way.
I worked for a company like that. Wall Street shits bought us up and sold everything that wasn’t bolted down.
When you have a great programmer working on your project he will be cycled to a new project in 2-3 months. Your new senior developer who silently takes over the project is part time because he’s working on finishing his education.
No one knows how anything works, except that one guy, who left the company half a year ago. That’s how all software development is.
Throw in a mysterious comment that says “Don’t change anything below this line or everything breaks” and it’s complete.
“We don’t know why this works, but it does, don’t touch it.” would also be acceptable.
“The server mangles the authentication token after receiving it for reasons we don’t really understand, so this function just checks to see that it’s set in the request, but nothing actually cares if it’s valid. DO NOT RETURN USER ACCOUNT DATA HERE AND YES THAT MEANS YOU MARCUS”
A lot of outsourcers do this. Here’s my experience with a few companies.
- The “team” you meet are competent, English speaking fronts. They are the demo models of the people who will work on your projects.
- After the contract is signed, these people are swapped out with randos of varying competence.
- In some cases, some of these randos are further hidden behind aliases: people with names that are actually more than one person sharing logins and passwords.
- They will string you along, trying to charge maximum hours worked without regards to product or services delivered.
- Most of these companies have a “bucket of crabs” mentality: the managers are horrible, the staff incompetent, and once the gain some skill, they leave for better companies. They backstab one another, hijack projects to fuck over coworkers, and lie and cover their tracks. Some of this is cultural, like a caste system, while some are just racist.
At one time, these people were pretty good, but they realized they had skills and left for other countries for better pay and better working conditions. The bids got more and more competitive, cutting costs until they were literally filled with low-skilled labor who can’t be promoted or leave for economic or competence reasons.
Programming teams I’ve worked with are a joke.
Company A: We got hacked and the lead dev argued for days it wasn’t a hack. Malware was actively being served to customers during this time period because she refused to deal with it and there was no security team.
Company B: programming team was the IT guys nephew and some random UI designer who hadn’t finished college and was never able to be employed after finishing college…
Company C: We interviewed a candidate who was way over qualified and would make our life so easy because he was eager and hungry. Instead we hired a bootcamper who had never heard of docker (half our infra is docker), react, or anything other than vanilla JavaScript. She failed our practical but still got hired because the hiring manager wanted and assistant. She has become a glorified project manager, but still has the title software engineer.
Can confirm. I am the smelly guy. Leave me alone and you get code. Bother me and you don’t.
Hah, is this contracting? And what is done vs agile?
Think waterfall. But like. No design and no testing.
Not contracting, just another small shop that offers “complete” solutions from a to z kinda situation.
The only competent person in that org would be, oddly enough, the ceo. Everybody else just feel like they show up to be marked present on an attendance sheet in terms of being useful.
I used to work for a popular wrestling company, billionaire owner, very profitable, would write off any OSHA penalties as the ‘cost of doing business’ just as they did in 1998, when The Undertaker threw Mankind off Hell In A Cell, and plummeted 16 ft through an announcer’s table
The company would bid on government contracts, knowing full well they promised features that didn’t exists and never would, but calculating that the fine for not meeting the specs was lower than the benefit of the contract and getting the buyers locked into our system. I raised this to my boss, nothing changed and I quit shortly after.
eh DHCP isn’t really important right? obviously if it hasn’t changed since the 80’s why would you need to reboot your server.
what are vulnerabilities?
You responded to the wrong comment, but i’ve been seeing that a lot so I wonder what causes it.
Being a frontend dev myself, I’d guess someone screwed up the indexing of comments :P
Sounds like a DHCP issue.
(I mean, not really, but it rhymes I guess.)
I’ve worked in IT consulting for over 10 years and have never once lied about the capabilities of a product. I have said, it doesn’t do that natively, but if that’s a requirement we can scope how much it would take to make it happen. Sadly my company is very much the exception.
The worst I saw was years ago I was working on an infrastructure upgrade of a Hyper-V environment. The client purchased a backup solution I wasn’t familiar with but said it supported Hyper-V. It turns out their Hyper-V support was in “beta”. It wasn’t in beta. They were literally using this client as a development environment. It was a freaking joke. At one point I had to get on the phone with one of their developers and explain how high-availability and fail-over worked.
I could very well have been that developer. Usual story, sales promised the world, that our vmware-based system would run on anything and everything, and of course it’s all HA and load balanced, smash cut to me on Monday morning trying to figure out how to make it do that before it goes live on Wednesday.
The contractor I worked for was run by a man who used to say “if the contract says they’ll blow up the contractor on delivery, we’re putting in a bid and solve the problem later”
Promising features that never existed is part and parcel to a lot of software sales, whether gov or private. Speaking from post-sales experience.
I think it’s fine to promise them, but to claim they currently exist when you never plan to implement them is what I couldn’t support.
I worked in government contracting (and government, for that matter) for years and that blows my mind. I can’t remember the details, but if you even had a bad reviews, much less being found noncompliant, it could disqualify you entirely from some contract vehicles for a matter of years. Wild that there’s some agency that somehow lets people get away with fraud.
Also, if that cost the government money, there’s a chance you could report that after the fact and make some money.
Might be local government. Me and sales have this argument pretty often
Me: it is in the spec
Sales: no one noticed it except you
Me: thanks?
Sales: no one is going to care
Me: then take it out of the spec and resign everything.
Sales: why are you making a big deal about this?
Me: because it is in the spec that we signed and if we don’t honor the spec they can backcharge us.
Sales: that won’t happen
Me: you are right because we are going to follow the spec. If you don’t want me to please email me, the department head, and the client specifically ordering me not to follow the contract that we signed.
Yeah I’m in Europe and our customers were municipalities buying healthcare related solutions. It happened after our little startup got taken over by a big player and they started getting involved in the contract bids.
Big german TV production company with succesful primetime action series used rented cars for their stunts. Different people from the team rented them with full insurance, returned them crashed. They did this until every car rent in the city stopped offering insurance without retention.
Anybody knows that one waterfall attraction in the Southeast US? The one that advertises bloody everywhere? Waterfall is pumped during the dry seasons, otherwise there’d be nothing to see. Lots of the formations are fake, and the Cactus and Candle formation was either moved from a different spot in the cave, or is from a different cave in New Mexico. Management doesn’t want people to know that, but fuck 'em.
Ruby Falls?
Ye!
After looking it up, you can find reports from others stating the same things. When I was there as a kid, I remember that they claimed no one knew where the source of the water came from… I guess they actually know enough to help it out at least, lol
I really enjoyed it and would like to go again, but it’s no Mammoth Cave.
Gravity Falls?
Boop!
Niagara falls?
Nawh mate, that’s up in New York and Canada.
I’m simple man not from US. I hear waterfalls, I think Niagara ¯\_(ツ)_/¯
As a simple Canadian man having been to Niagra Falls several times, I defy humanity to engineer a way to pump that much water.
Probably just be easier to pay off literally everyone who goes there to lie about it.
Victoria falls?
Moria Falls
~Wonder if anyone will pick up on this.~
For some reason I’m not surprised to learn this about Ruby Falls. Lived near it awhile and visited.
Eh kinda cruddy to learn, but also was still a cool experience.
Nawh mate, Rock City is different from Ruby Falls. They also hate the guts out of Ruby Falls lol
Ah, you mean:
It hasn’t got that many signs, though! In fact, I only recall seeing the one at the entrance…
Health insurance company I worked for would automatically reject claims over a certain amount without reviewing them. Just to be dicks and make people have to resubmit. This was over 25 years ago, but it’s my understanding many health insurers still pull this shit. They don’t care if it’s legal or not. Enforcement is lazy and fines are cheaper than medical claims.
Obviously this is in the USA.
The majority of tech startups are super chaotic and barely keeping things running. More than you would ever imagine.
There is a million times more counterfeit/fake items at amazon than you think, and they dont care one bit to fix the problem
Geek Squad, We were flying under the radar upgrading Macbook RAM, until one day we became officially Apple Authorized to fix iPhones, which means we were no longer allowed to upgrade Macbook RAM since the Macbooks were older and considered “obsolete” by apple, meaning we were unable to repair or upgrade the hardware the customer paid for, simply because apple said it was “too old”. it was at this point in my customer interaction, that we recommend a repair shop down the road that isn’t held at gunpoint by apple ;)
I worked at an ISP. The DHCP server we use for our DSL offering was made in the 90s and hasn’t been updated since.
Frankly, I don’t see this a a problem as long as the software is up to date and the hardware is sound. I bet there are thousands of SPARC servers out there processing data 24/7 since 1995.
Might want to get on updating it soon for IPV6 though
I don’t know, I remember hearing that everything would soon be IPV6 a couple decades ago.
The alternative to IPv6 is CGNAT.
CGNAT is really annoying for users, since the entire ISP looks like a single IP address. This can lead to situations where the entire ISP accidentally gets classified as a bot or otherwise blocked. It’s not too hard to find these kinds of stories from StarLink customers.
We are at the point where we are are legitimately out of IPv4 addresses. Household NAT isn’t enough and CGNAT has too many problems. IPv6 code was written ages ago and is very stable in all OSs these days.
It really is just these legacy middle boxes holding us back.
This guy knows. CGNAT is incredible sucky and we are definitely out of ipv4. Why not everyone is hopping on IPv6 I don’t know. I’m thinking people are afraid of the formatting but that’s just dumb.
but if we move to ipv6 then my no place like 192.168.1.1 tattoo would lose all meaning! /s
You could have saved quite a bit of ink with an IPv6 tattoo though.
I’ve tried running my house on ipv6 only before, but you run into A LOT of issues, even with major services. Example: sometimes my devices would fail when trying to connect to Netflix. Netflix.com issues round-robin DNS. One (1) of the possible endpoints turned out to be unreachable from me over IPv6 because of return path MTU shenanigans I had zero control over.
I’ve worked for a few of the larger ISPs in the US. They all have their own special weird shit like a windows NT machine shoved in a corner in a CO in west Texas that you have to remote desktop into and run some java applet from the 90 to log into a hardwired machine from the 70s just to set up a voicemail box for a phone line. Ain’t broke don’t fix it leads to some wild setups at companies you wouldn’t expect it from.
I’d actually rather this than making new software with all kinds of bugs
If it works and is secure, what’s the problem
DoorDash and food apps are willingly scamming restaurants, and users.
They are perpetually in debt as they aren’t actually making money and they will likely only make very little.
Ubers only profitable line of business was UberFrieght, then they decided to outsource it or shutter it.
Both of these companies broke laws early on in order to operate.
Most of you support that came from Uber in before 2019 were coming from drunk 20 something’s.
The buildings alarm code was 0711. Guess where I worked…
No way.
Circle K?
Olive garden?
Plaid Pantry?
Kidding.
Dollar tree?
