Domain: thedailywtf.com
Stories and comments across the archive that link to thedailywtf.com.
Comments · 952
-
Re:Microsoft should just scrap IE
Exactly, No need to change it.
oh wait!
-
Re:Red header
A changelog would imply they're following some kind of "design" or "plan" when they're clearly not. They make changes to people using the "version 1 discussion system" obviously intended for users of the "version 2 discussion system", like the Users page. They randomly break things, then half-repair them. i.e. listing the wrong content (submitted articles), then 'fixing' it by showing the intended content (recently posted comments) wrongly (incorrect scores).
Oh, and they're owned by the company that runs SourceForge, the site that frequently looks like this: http://schend.net/images/screenshots/slashdot/sourceforge_blank_window.png or this: http://schend.net/images/screenshots/slashdot/sourceforge_wish_it_was_a_blank_window.png
Slashdot seems to be a classic DailyWTF-esque "Developmestuction" environment: http://thedailywtf.com/Articles/The_Developmestuction_Environment.aspx
There isn't anybody at the entire Sourceforge/Slashdot corporate entity I'd call a "web developer".
-
DWTF
If you want a dose of wacky technology stories (or, at least, wacky IT stories) you need to visit with the Daily WTF (Worse Than Failure) at http://thedailywtf.com/
I'm not sure where you'd go for wacky science/engineering stories though. Some website called "slashdot" or something like that, probably.
-
Re:"excessive" reliance on libraries!??
Re-inventing the wheel after you finish your education is pathology.
Knowing how to re-invent the wheel, and how to do it properly, is what's important. Every CS graduate should be able to put an implementation of strcpy() on a white board in under five minutes. In elementary school, you need to learn how to add and subtract by yourself before you can go using calculators to do higher-level stuff.
Otherwise you end up with yet another WTF.
That's the difference between a craftsman and a random person standing in the day-labor crowd in front of Home Depot. One of them has a Yellow Pages listing because you can trust him to see the big picture, instead of nailing up a bunch of boards until someone (maybe) points out to him that he's installing everything upside-down.
-
reliance on libraries?
it's presented by good Java programmers who try to teach good practices and do not encourage excessive reliance on libraries
Maybe you would like to see the source of what seems to be 99% of the content on TDWTF
You're right though, I always find that I have way too much time to waste and money to burn in my job. This is why I also choose to ignore well designed, supported and tested libraries in favour of rolling my own.
-
Re:Public Service Announcement
I think the definition here is better
http://forums.thedailywtf.com/forums/p/9553/178343.aspx/
-
It's all available on line...
... it gets posted here.
-
Re:What linux ACTUALLY needs
At the cost of being slower, making the entire kernel slower, bigger, and buggier, making it harder to adopt new methods and implementations unless their API is compatible, and generally making working on the Linux kernel (as a developer) much harder, so users get less features slower.
That's not quite the reason behind not implementing the stable interface, as I discovered in another thread. The real issue is dependent on the C compiler version and kernel build options which kill compatibility with binary modules, and it's an issue with Linux because of the nature of the kernel. BTW, size doesn't translate into slowness or bugginess - those two are related to bad design rather than simply having more code or "too many functions". It may make the code less maintainable, however.
Even so, you still have to have the driver as a slightly separate component from the kernel, even if it isn't via a publicly stable API. As you can tell, the kernel is always under development and even if developers are careful, it only takes one undiscovered bug to crash a driver - and if it's kernel level, it brings down the system. (This can happen anytime.)
For everything else, there's already a standard interface through /dev/* for most of the devices, which works if the device doesn't need high performance. That system was used for mice before HID-compliant USB mice were available, and with only a few exceptions, can be a centre for any virtual driver you want.
If the answer to either of these is no, it's not really relevant, now is it?
The first reference to my network card is here (did you confuse the display driver with the network driver?)
Also, does the situation change if the answers to the questions are "yes"? It won't if the issue can't be reproduced on another system, or if I can't track down the issue myself. (Speaking of which, I haven't seen that problem for a while, which makes me wonder what happened.)
-
The clbuttic error!
"We have buttiduously canvbutted the industry, buttessed what is available and buttembled the finest selection of PFI contractors for this buttignment. The filters will buttociatively clbuttify all communications and filter then, I can butture you, rebuttemble them with surpbutting exacbreastude in any quanbreasty. Consbreastuents can be rebuttured that a mulbreastude of industry compebreastors will butture quality and keep our clbuttrooms safe. EDS Capita Goatse will not embarbutt us."
The first filtering offices will be set up in Arsenal, Penistone and Scunthorpe.
(Inspiration: The Daily WTF.)
-
Re:Let's Get Serious
I have no doubt we *could* do it right. I also have no doubt we could do it very very badly.
-
Re:A fine balance
The checks are there for people who write code seen on http://www.thedailywtf.com/
At a small company, it's frequently possible to find those people and stop them from writing any more code.
-
A fine balance
Obviously you can't go too much in the other direction either. The checks are there for people who write code seen on http://www.thedailywtf.com/ who actually click the flashing banner that says they've just won lots, and for those who open up the .exe they found in the email that contains 'instructions on how to get a bigger pen15 2day'.
It's like anything else in life. The sins of one hurt everyone.
There will always be people who get shampoo in their eyes, and because of that these checks will always exist.
-
AC here, for obvious reasons
In college I liked to play MUDs. Yeah I know, get off my lawn.
The sysadmins hated that though. It was against system policy. Nevermind that we were paying for it with our general course fees. *ahem* Anyways...
I wrote a telnet spoof. It looked just like the dos telnet programs on the PCs. It would give you a perfectly realistic looking logon. It even emulated the clock in the lower right hand corner. You'd type in your name and password, it would hide the info in a file on C: xor encrypted and pretending to be a wordperfect file. Then spit out some gibberish for a moment or two and then reboot the machine. On reboot, the spoof program would restore the original telnet and delete itself. After the reboot, no evidence and everything works correctly. The only clue that something was up was the HD light would flash once, very briefly during the gibberish part. It was a very convincing system crash. I'd load up every PC in the lab with my spoof, and then leave.
A week later I'd go around in the lab and use my key disk and grab the wordperfect files, un-xor them, and I'd have piles of logons to use for mudding.
The ethics part: I would only use disposable computer lab accounts, easily identifiable because they'd be a single letter for the class, a number for the level, and three letters for initials. J2RXB is a disposable account, JMORRIS is not. If I got someone's real account I wouldn't use it - I didn't want to get anyone into trouble. And yes, I'd wait until the labs were over so I didn't screw anyone out of their computer time. The temp lab accounts would stay active for up to a year after the lab typically. Plenty of time to mud. Get caught, account is erased. No biggie, I've got a 1.44 full of 'em. Wait an hour and log back on. Ah, those were the days.
Point being, it is impossible to know exactly who is online. You can know a MAC address, but those can be spoofed. You can know an IP address, but you can spoof those as well. You can even know a Pass/Logon, but I've been all over those too. These days it's even worse with all the wireless gear.
You never know who is logged on, ever.
-
Re:Experience
It's certainly not a perfect interview scenario. However, "filtering those who've not spent 5 minutes with a database" is a useful function. Completely inappropriate people make it to interview regularly. Also, exploring the problem with those who don't twig immediately can give some insight into their problem solving abilities/strategies.
OpenOffice.org Writer 3.0 seems to make this error. It has just treated as integers, some telephone numbers that I entered into a table. So real programmers can make such mistakes.
Be wary of selling yourself short - overestimating average ability, relative to your own. You may find you're further along the bell curve than you think. Although, keep the maxim: I will do stupid things, sooner or later. Doctors recommend reading http://thedailywtf.com/ to maintain a healthy scepticism.
-
A case of the MUMPS, anyone?
-
TheDailyWTF
Interesting that today's top story at TheDailyWTF is all about regexes, too. Except there, they're showing a case when you should NOT use it. I think a few of the people posting here need to take the quote in that article to heart:
Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. - Jamie Zawinski
http://thedailywtf.com/Articles/Now-I-Have-Two-Hundred-Problems.aspx
-
Just read this
on the daily WTF: http://thedailywtf.com/Articles/Now-I-Have-Two-Hundred-Problems.aspx enjoy!
-
Coincidence
I just discovered a good regexp used to check file permissions : http://thedailywtf.com/Articles/Now-I-Have-Two-Hundred-Problems.aspx
-
You're a lawyer
This might not apply to your specific situation, and is meant more for higher ups, but may be of use, anyway.
If someone asks you why they should have IT, ask them if they have a lawyer either on retainer or employed full time.
Any large company worth its salt will have at least one. So, ask them if they are currently being sued or the government is investigating them. Probably not. Ask them, then, why they have the lawyer. They obviously don't need his or her services right now. They'll respond with something about ensuring the company is following the law, watching for copyright issues, drawing up contracts with terms only lawyers can understand, and so forth; basically, preventative maintenance (that includes the contracts). Point out that they are mostly preventative maintenance, and that the IT department/your job is exactly the same thing: you ensure that operating systems and software are regularly updated ("following the law"), plugging security holes and ensuring any government compliance you might have to follow ("drawing up contracts", sort of), and making sure the company is running at optimal efficiency with regards to technology ("copyright issues", or protecting your stuff).
If it's a small company (as your situation states), they might have a business card or three, but otherwise might not have a regular lawyer; they hire one when one is needed. In that case, IT is probably the same way, best done by some third party that's called in now and then and does a visit once a month to do regular upkeep.
Obviously, suggesting your role should be outsourced doesn't work well for you. So, to justify the maintenance, try to find disaster stories from similar-sized companies (or even somewhat smaller ones) to say "without my work you could be in this same situation". Start with sites like TheDailyWTF, which has a few entries about that kind of stuff, then go to various online tech magazines (a sister site of /., or CNET, or something) and do a bit of research. Then include the amount of man hours you save employees by being on hand to fix problems as they arise, rather than them having to wait for someone to drive in: Average the hours spent fixing something over three months, double it for an external worker (aside from driving, they won't be as familiar with everything and one, so it will take them longer), and show the difference (multiplied by hourly wages) as money you save the company.
-
Re:Plagiarism!
No, better:
-
Re:corporate ethics
That's absolutely clbuttic!
-
Re:Virtualize! Virtualize! Virtualize!
If they'd written it in COBOL they wouldn't have these problems... I guess they paid some high-cost consultants to rewrite it in something modern so it'd be faster and more configurable :-)
I feel someone needs to have a look at their code and then post to WTF
-
Re:What's the advantage over doing it in software?
I can simply trace what is on the screen. Maybe its just the way I work, but also printing some of my stuff is a pain in the ass.
Printing is more of a pain in the ass than tracing it by hand? Who's your IT guy?
-
I am right and the entire Industry is wrong!
TFA reminded me of a particular daily WTF.
-
Re:Is this one of those "secret support" things?
Anatomii of a Hack - The Daily WTF.
Short explanation on how one of the first hacks worked. Lazy coding.
-
Re:Don't encourage the crackers...
The console is about as cheap as they get
Uhm, for the hardware you get, it's actually rather overpriced (Nintendo makes a nice profit from each console sold). Also, the topic is about running homebrew software, not necessarily about running pirated games. (Yes, I know a lot of people will use it to do just that).
Thirdly Nintendo may not have deliberately broken the previous hacks anyway. All they did was release a new binary and the compiled code moved a bit in memory.
This is decidedly not true; they add code that specifically fixes the symptoms (current exploits against known holes), but not the real cause (horribly broken usage and implementations of crypto/hashing/signing algorithms, among others). This is why new cracks typically appear within a day or two. Putting in such code, however, can hardly be designated "accidental". Please do a little fact-checking next time.
-
Not a surprise, really
Check this article to find out why this is not really surprising.
Yup, that is indeed Nintendo featuring on TheDailyWTF.
-
Universal Internet filter plans detailed
"We have buttiduously canvbutted the industry, buttessed what is available and buttembled the finest selection of private contractors for this buttignment. The filters will buttociatively clbuttify all communications and filter then, I can butture you, rebuttemble them with surpbutting exacbreastude in any quanbreasty. Consbreastuents can be rebuttured that a mulbreastude of industry compebreastors will butture quality and keep our clbuttrooms safe. EDS Capita Goatse will not embarbutt us."
(Inspired by Daily WTF.)
-
Re:blah the emporer has his new clothes on again.
Exactly. Over-complicated solution to a simple problem. Buy a Caravan/RV/Winnebago instead. The clue is in the phrase "mobile home".
Wouldn't be the first time this happened...
-
Re:Afterword
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
No ifs, ands, or buts about it.
Some time ago I found a gapingly large security hole in a major credit card company's online credit card processing system when I was being paid to implement an online shopping cart system. It was a terrible, nasty security hole - bad enough that I could have purchased anything I wanted to at any vendor's website that used this gateway for FREE, without the use of any special "hacking toolz", just a browser and a text editor.
The kind of thing that you see most commonly at the Daily WTF.
So I wrote a detailed email, indicating that I was recommending against this company to my client, along with explicit details, step by step, for how to completely compromise their gateway. I also included specific details for how the security hole could have been completely mitigated. I sent this email to every account that I could find/think of at the company, including abuse@, sales@, customerserver@, postmaster@, webmaster@, etc as well the reps that I'd been working with to that point, cc my client.
My client canceled the account with said company and moved to one with a much more secure API. Having done my duty by protecting my client, I promptly forgot all about the original credit card processing company.
Over a year later, long after I forgot completely about the original credit card company, I got a phone call, from a very agitated-sounding gentleman on the phone. He verified my identity, then asked me questions about the security hole. My only verbal response to him was something like: "Everything I know is in the email I sent to you, the email speaks for itself. A qualified software engineer could read it and should know exactly what to do.". But he wasn't happy with this. He asked me if I'd tried to use the security hole, and I said nothing. He then started this rant, going on and on about how it really wasn't a security hole, and how it's really not a problem. Over and over, he repeated himself.
Finally, he threatened to sue me if I disclosed the security hole to anybody else, and hung up the phone.
The point being? Having been given the problem on a silver platter, with details, implementation details, and a detailed description of how to fix the problem, their "solution" was to yell at and threaten me, the discloser. Never mind the fact that the knowledge needed to compromise their gateway was public information. (their documentation was freely downloadable)
As a professional in either security and/or the digital arts, you frequently find yourself in the unenviable position of seeing the emperor stark naked in front of the crowds. It's not a pleasant experience. Merely helping somebody can be grounds for attack by the weak whose fear stems from their misunderstanding - all too often, they confuse the message with the messenger.
-
A Clbuttic Mistake?
Anyone else feel that their methods "for muting offensive words and replacing them with less offensive versions" could lead them into a clbuttic mistake?
-
Have Him Fired
This is the kind of moron who gets written up on TheDailyWTF, and derisively laughed at for years to come. Such a person is a liability to the firm, and needs to be dismissed.
Seriously, after all these years of success and reliability, anyone claiming Open Source software is an organizational threat is simply in the tank for Microsoft. Firefox, a threat? VIM, a threat? While Internet Explorer and MS Word are paragons of safety? The man is provably out of his fscking mind.
Schwab
-
Re:Wait, this sounds familliar!
> What on Earth is "hand-coded" C? And why is it better than... wait... what other kind of C is there?
There are also "Foot in Mouth" C, "Head up Arse" C and so on.
http://thedailywtf.com/ might have some examples.
-
Re:What could possibly go wrong?
Inspired by The Daily WTF.
-
Re:I'll wait a few days for fixes
Sure it's not much money to some, but unlike many other computer users I already spent $0 on my operating system, $0 on my DVR software, and $0 on nearly every application I run.
So you're the reason the $0 bill dispenser cassette is out or not fully inserted?!
-
Re:OO.o makes great .doc resumes!
I then take screenshots of it (or print to postscript), then paste the cropped screenshots into OO.o and save that result as a .DOC file.
The professional version of this process is to print the document out, take a photo of the printout placed on a wooden table, print the photo and finally scan it in.
Then you can save the result as a .DOC, and you get to keep all your formatting and your current job!
-
Mumps? WTF!
Mumps? I seem to remember hearing about that before ...
-
Re:Title is Misleading
I remember receiving a spammy email like this. And just for giggles, I used "Reply All" and bitched to the sender about how all these email addresses are public knowledge, and about how all the recipients of the email were going to be spammed by any spammer with a worm on anybody's computer on the list, and how annoying it was to receive email like this with everybody on the "to" line...
By replying to all, everybody's address was on the "to" line.
Again.
Maybe I'm just sick. I don't know. But I did get a few responses from people like "Why did you send your reply to everybody?!?!?! Aren't you just making the problem worse!?!?!". But the funniest part is when one of these replies was sent - you guessed it - to everybody on the list.
It was like a barf storm of recursive spammy WTFs.
-
Re:It's dog eat dog in MMOs
You might want to check out http://thedailywtf.com/ before making any more of those statements.
Oh, and it's "their skills", not "they're skills".
-
The Webspider of Doom
What is a bad idea is a link that will add someone as a friend or delete a picture, you get the idea.
no, not necessarily.
No, it is.
you could simply add the session ID as one of the necessary GET parameters, and redirect the client afterward, so as to not display the URL with the session ID to her, lest she copies and pastes it to someone.
But, nonetheless, a simple link on that page could destroy the data.
- Could be some web spider (unless also, a FORM is required to log-in before being issued the required session id. Otherwise, it will just be like all those "&sid=" that you see in google result URLs)
- A user could download a whole website to keep a copy on his computer and use a plugin (which download everything recursively) instead of manual opening/saving everything. The user could very well be logged and thus have a valid session ID. (Even more so if the user wants to back up a website hidden behind a password).
- Could be one of the various caching systems that pre-caches all the linked pages on a viewed page by pre-retrieving all the URLs of some page.
- Could be one antivirus - like AVG - which pre-scans all pages linked from the currently displayed one
- etc...
All these systems will blindly follow any link on a page, including a "delete link" and if the user has logged previously, will have a valid session ID.
The way web was designed, a link is just a damn *hyper-link*. It just serves to enable one to jump from one document to another. Nothing more.
Forms is what was designed to communicate information to a webserver.
Yes we can bend a little bit some rules and put a couple of parameters in a GET request (to specify which information to display on a dynamic site). But fundamentally it is still the "link as a way to reach one page of information from another" approach.
*ALWAYS* keep in mind which way things are designed, because otherwise, you will very likely end up running into some situation which assumes the classical design (links moves, never edits) and may break your site.
NEVER PUT ANYTHING IN A LINK THAT MODIFIES DATA. NEVER. EVER.
this simplifies development, because you don't need a form to let the user perform actions.
Going through complex protections to avoid false triggers isn't exactly what I would call "simplifying".
POST just makes it a bit harder to do (e.g., [img] tags in a forum software won't suffice)
Well, forms (be it with GET or POST request) essentially diminish the risk of *accidentally triggering* some action.
They require intent (either conscious intent from the user who clicks or malicious intent from the cracker who writes a script which exploits the function), no risks to break anything by error.
It doesn't stop script kiddies, it stops legitimate spiders triggering dangerous actions by mistake.
-
Re:Can you think of any famous female programmers?
Actually he spelled it perfectly.
-
Re:Infamous programmers
Here is not a comprehensive list of those programmers, but at least a comprehensive list of their collective works:
http://thedailywtf.com/
-
Re:OS 360 ABEND core dump
That reminds me (somewhat tangentially) of a story on the DailyWTF.
-
Re:Learn by example
1. Read The Daily WTF. 2. Don't do that.
3. Profit. How could you forget that?
-
Re:Of course
The money does indeed follow buzzwords, like "Neural Network" for example...
http://thedailywtf.com/Articles/Classic-WTF-No-Quack.aspx
-
Learn by example
1. Read The Daily WTF. 2. Don't do that.
-
Re:It's lower for me cause ...
The Daily WTF - Coding Standards Training
Dilbert - Management Training
-
Worse than failure
Actually, I've had "ERROR: No error" before.
I've seen the following in the Windows "Event Viewer" logs. (Reproduced from memory, so it's not verbatim, but it's pretty close.)
The following problem occurred during installation of Microsoft Office 2003:
Success
(Apparently, when installing via GPO, MSI sometimes reports an error despite everything being okay. So the message gets logged. It can happen with any package. I just liked the double entendre from when it happened to Office.)
(BTW, the subject line comes from this essay. If you haven't read it, you should. What's worse than failure? Success. HHOS.)
-
Re:Pointless
-
Are you sure you want that?
Banks tend to have ridiculous security measures.
No, I don't mean "ridiculously secure", I mean ridiculously annoying, and ridiculous that anyone believes they make it more secure.
I'm particularly looking at the wish-it-was two-factor authentication. I absolutely do not want that on PayPal.