Domain: thedailywtf.com
Stories and comments across the archive that link to thedailywtf.com.
Comments · 952
-
Re:The Bool Sheet
Or FILENOTFOUND?
If I could find the original post on TheDailyWTF about that one, I'd link to it. -
I miss Paula..
..because she was simply brillant!
-
Re:Change of Address Form
You've obviously never seen The Daily WTF. I wouldn't touch that software with a 10-foot pole controlled 10,000 miles away through a SSH connection.
-
Re:Sure, blame the "untrained" developers....
If the server, by default, doesn't accept special characters in a password field, then that fixes most of these problems.
But then you couldn't make good passwords. Also, the password field isn't the only... oh wait, you said that:
Obviously, the password field isn't the only place where you can muck with the SQL
Exactly. So maybe you can't write "O'Hare" as a password, but with your method you couldn't enter it as your name. You just can't disallow special characters as a generic solution.
but if you're getting malformed fields from a valid userid and password, then you are much further along the path to shutting out the problem user who misused or had his access compromised.
You can hit SQL Injection problems by using the system exactly as you are meant to, for example if your name is O'Reily. -
Re:Potentially useless..
Read the full paper. It's very interesting. As stated in the paper, people can be distinguished by their handwriting, by their fingerprints, etc etc. New studies state that people can be distinguished by their mouse movements, strokes in a keyboard (the time between strokes in two different keys). Even their usual movements in a city can be tracked by a handheld device and used to distinguish people. This paper is just another way to distinguish people: the way people browse the internet. I'm sure I'm the only one here at the company who visits slashdot about 4 times / day in almost always the same hours of the day, visits http://thedailywtf.com/ once a day at about 8pm GMT, opens http://google.com/ig every hour and checks the news in http://www.terra.com.br/ every X hours.
Imagine that being used by a bank. If an account owner usually checks the statement, reads the selected news about investments and then starts making payments and transfers, an alert (and maybe an extra security check) could be done if the user suddenly changes the behaviour. If someone that claims to be the account owner logs in and instantly transfers 1M to another account, something is very strange :-) -
Re:What I really want to know...
Diagram
Now, where's my nickel? ;) -
Re:Why?
What we have is total morons passing themselves off as web developers, just like we have thousands of "web designers" who don't know the meaning of the word "design".
"Web design" is for aesthetics and graphics people, like "interior design". Of course you run into problems when you have a web designer doing development work!
As for "No web developer has written XSS vulnerable code since 2002", I refer you to The Daily WTF.
-
Re:My suggestions
Excellent advice. Even I'll find it useful, as I'm at that age now. As for SelfTaught -- well, just remember your name. I go to a relatively small school whose only "technology" course is on the proper use of Microsoft Office (taught by someone whose only experience is reading the textbook), so I feel for you. However, you have to realize that most of those who are truly interested in technology (specifically CS) are dedicated and smart enough to learn it for themselves. In all honesty, those who don't meet those requirements are probably just in it for the money and will most end up as freelance coders for the benefit of The Daily WTF readers.
And like others have said, don't complain about funding for athletics, especially if you want to get anything done. Personally, I would much rather have a new football field than a pseudo-CS course taught by an inept instructor. Of course, I might be biased considering that I love (and play) football and other sports.
Anyway, I'm done ranting. Good luck with your efforts. It's great to hear about people that are in the same situations as me -- it gradually deflates my ego. ;) -
Re:Rule 11
And you didn't even take a screenshot for the daily WTF ??
-
Re:Well it has to succeed
... I hope the director is not related to Paula.
-
Re:How is this better than tabs?
RSS in Firefox is not very exciting. However I've recently migrated from Firefox to Opera and it handles RSS much better
- RSS headlines appear in a subject window similar to a mail/news reader.
- Clicking on a RSS subject shows you the overview of the story without having to go to the website. Some sites even give the whole story. eg Daily WTF, although I don't know how this helps them with their ad-revenue!
- Opera will notify you when new news has arrived on a particular feed, without having to keep looking at changing menus ala firefox. For example you can get automatic notifications when "stories" change on - ahem - vcdquality
- Opera tracks which ones you've already read and shows a summary of unread news (ala any mail client)
- Opera holds a history of stories until you delete them. (useful but also need an autoexpire feature unless I missed it somewhere)
-
Re:But this is for a database
-
Article with background by the author of DTrace
For those who, like me, had heard of dtrace but little more (is it like strace, for example), this is a very handy article written by one of the authors in Communications of The ACM
http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=361&page=1
Yeah, it's 5 pages long, so those who won't RTFA are even less likely to read this, but it's a good read covering motivation, history, solution compromises and some anecdotes that could qualify for http://thedailywtf.com/ -
Disc 3 - 1 of null
How timely...
"What makes this next -- erm popInTheMail-up? -- even more fun is that this is the twelfth time that Avesh Jain has received a "1 of null" DVD. Wonder if his bill will be $NULL ... " -
Technical feats?
THESE are some impressive technical feats, as in the "what the HELL was the guy who made this smoking?!?!" kind of impressive.
-
Re:at "that" online retailer, they probably know
And yet these guys have probably been writing successful software systems for years, what's going on?
Here's a clue. -
Re:Duh?
I'm sorry you didn't appreciate the ironic quotes around "developed". Perhaps your definition of progress is uncontrolled industrialisation, environmental destruction and social injustice such as the West has enjoyed on an unprecedented scale since the Industrial Revolution. The quotes are intended to question these criteria of civilised Progress.
You have to be a pretty big wanker to think it's an insult to call a country both fat and lazy. That's a fucking achievement. Many countries -- wait a second, I think they're called developing countries -- are hard-working and starving-thin.
It is quite clear from context that I referred to Australians as "fattening" -- not as fat as Americans perhaps, but like all the "developed" bodies, certainly getting there. Oh, there I go again with the quotes.
Ditto "lazy republics" is obviously talking about those who manage to piss huge sums down the drain on dimwitted, porkbarrelling IT with not much to show for it. I even linked to two examples.
I'm sorry you somehow read that as criticising Chinese or Indians, who I fully realise often possess a very healthy work ethic undiluted by bourgeois sloth; I was not.
-
Daily WTF
Personally, I can't wait to see some of the code of this undoubtedly awesome enterprise-level code show up on the daily wtf. This should be good for a few laughs (then at least my taxes can give me some entertainment value).
-
brillant paula bean
What about the brillant paula bean ? http://thedailywtf.com/forums/thread/40043.aspx/
This software blew me away ! -
Integers are all you need.
You could just discard decimal numbers altogether and only use integers. After all, it's the enterprise-y thing to do.
-
Floating Point Numbers are trouble...
They're convenient while programming, but they can certainly be a PITA to use properly. First they don't compare properly (you can't test equality), and if you have to do multiplatform programming transferring floats, they had better be stored in standard format (which can have a nasty side-effect of slowing down your floating point arithmetic since after each operation the unit has to return it back to IEEE format from machine native).
I've seen programmers who never realized these facts and had them ask why their code didn't work (they stored statistics gathered from a monitoring unit on an ARM Linux embedded board, transferred them to a PC, and had nonsensical results). Altering the way they serialized their floats and doubles fixed that issue. And nevermind that processing a float on different architectures can have slightly different results (or big results, depending on how you write your code). I guess some people treat floating point numbers the same way as integers, when they're more approximation than anything.
Or you can write code like this guy - http://thedailywtf.com/forums/thread/71883.aspx -
Re:Old-school
-
Maybe they're right
We had a POS (point of sale) / inventory system that would occasionally freeze for everyone for exactly 3 minutes. There were also times where it'd slow to about 1/20th of its normal speed (3 second report might take a minute) until the database server (just the service) was restarted. I never could find any network problems to explain it, and the server was pretty idle almost all the time. Maybe the author believed us, but it was never resolved. Eventually we just made the costly switch to something else.
Though I'm sure you encounter many customers who expect the software to be infinitely intelligent and psychic. If they're sincere, there's not much you can do about them, except sever your relationship with them and feel secure in the knowledge that their life will be full of disappointment. But I suspect a number of customers will just exaggerate the problems of the software in an attempt to end their service agreement with a refund, like this person. -
Re:reminds me of....
Definition of programming. Programming is race between Programmers, to produce idiot proof apps, and God, to create better idiots. So far God is winning.
Of course, since idiots get into programming too.
Check the Daily WTF if you want examples: http://thedailywtf.com/
-
daily wtf...
... dismisses as 'random malarkey' the idea that Microsoft is having trouble hiring and keeping the kind of brilliant employees that have always been the company's competitive weapon.
Am I the only one reminded of The Brillant Paula Bean -
Daily WTF on CMS
I'd love to nominate this CMS but the author
has kept it anonymous!
From that page:
"It didn't take too long for Bryan to figure it out. Being a Web 2.0 system, the CMS used JavaScript that dynamically loaded JavaScript that dynamically loaded XML that was dynamically transformed into proprietary commands that were parsed to dynamically execute JavaScript to dynamically load content." -
Re:Add a bit of Diversity
I actually tend to take at least three breaks a day for about five to ten minutes each. The first two, I read Slashdot; usually around 10:00am and the other right before lunchtime. I don't eat out often, but I do pick up lunch and then around 4:00pm, I check out the latest 'IT' curiosity posted on The Daily WTF http://www.thedailywtf.com/ [thedailywtf.com]. I also check Slashdot again right before I leave so I don't miss some of the few gems posted here.
Lucky you. My boss says that if I need a 5-10 minute break then I can always review my bug list.
-
Add a bit of Diversity
I'm almost convinced that programmers are afflicted with 'ADD' as a side effect. It's very easy to get bored with a programming task (especially one that is boilerplate) so we go off on a tangent trying to automate the process of writing boilerplate code.
I find that when spending too much time looking at the same code, it starts becoming 'vague' and I feel as if I'm in a fugue. It's akin to the same thing as writing a story or some e-mail and thinking that you've misspelled the words 'it' or 'and'. It may very well be correct, but it looks foreign and you try to fix something that isn't broken. At that point, it's time for a mental break.
I actually tend to take at least three breaks a day for about five to ten minutes each. The first two, I read Slashdot; usually around 10:00am and the other right before lunchtime. I don't eat out often, but I do pick up lunch and then around 4:00pm, I check out the latest 'IT' curiosity posted on The Daily WTF http://www.thedailywtf.com/. I also check Slashdot again right before I leave so I don't miss some of the few gems posted here.
A lot of IT shops have their eye on Web browsing, but they usually won't pay mind to it unless you're not producing or you have a tendency to frequent sites that raise an eyebrow or two (hint: pr0n sites tend to fall in that category). I do like to visit sites geared towards developers, such as GotDotNet http://www.gotdotnet.com/, CodeProject http://www.codeproject.com/, CodeGuru http://www.codeguru.com/ and the latest "up and coming" Krugle http://www.krugle.com/ code search engine. Sometimes visiting those sites will give a tidbit or two that is useful; you may run across some code or solution to a problem that interests you. Also, you may end up learning something that you'll run into in the future. (Coders tend to re-invent the wheel if they don't have the code handy; however, if the code is there, they tend to add spinning rims to it.)
Adding a bit of diversity to the routine helps keep you on the edge and refreshed to approach a problem in a new light.
-
Re:Why aren't you running a dedicated controller..
If you're running raid5 it's probably in an enterprise setup.
I have installed a software Raid5 at work for online backups of workstations. 250GB SATA disks cost nothing (~80?); it'd pain my anus to fork out a kilobucks or two to pilot them. Sorry if that's not enterprisy enough for you! -
the daily wtf
try here: http://thedailywtf.com/
all the anecdotes u'll need plus some -
Re:My thoughts exactly
Why don't you post your current code so that we can showcase it properly.
-
Re:I wish security were more accessible to the mas
[http://www.rncca.com/] Haha, and if you click cancel, you still get directed to the page.
Funny indeed. The password check is a piece of JavaScript on the page. It seems that they used to accept three different passwords and the code that they use to check the password has been rotten. Witness the following:
var password;
var pass1="rncca";
password=prompt('Please enter the password rncca below!',' ');
if (password==pass1 || password==pass2 || password==pass3)
alert('Password Correct! Click OK to enter!');
else
window.location="http://www.wocommsdinner.com";
Notice how pass2 and pass3 are undefined? An exception will not be raised if password is not correct and the script will be terminated before it can execute the window.location line. Bonus WTF points for the fact that the password is displayed in the dialog that prompts for it!
-
Re:Let's fix this issue real quick..
.. nooo!!
Now what the hell am I supposed to do?!?! -
Re:If you use PHP....
I'm not saying the language is completely useless (ok, I guess that was what I said in my last post, but that was intended to be a joke). I'm sure it is very useful for html writers who want to make a simple dynamic web page without learning how to program. The problem is that it teaches those people some very bad habits if they want to go into 'real' computer science.
For instance, accessing variables that are not defined returns nothing by default (most languages will throw an exception should this happen). This results in problems like this occurring.
There are plenty of easy to learn languages such as Python and Ruby out there that do not have nearly as many problems, so there is not too much of an excuse to use PHP for anything but the simplest web page. What this guy is trying to do (use PHP despite the fact that it is obviously not powerful enough for his requirements) is just wrong.
-
Re:This is surprising?
Well, we're talking about very different purposes here so the engine would be very flexible.
The problem with very flexible engines is that they are essentially a poor reimplementation of C compiler and OpenGL library - assuming that they use compiled scripts, of course; if they use interpreted scripts, it's more like a Basic interpreter and the Draw command, at least as far as speed is concerned ;).
I'm not dissing Rockstar's engine, since I've never seen it in action, but just pointing out this little logical flaw in the idea of a "very flexible engine". Programming languages are flexible, programs should be specialized. The Daily WTF is full of great examples of what happens when you insist on making a program that is flexible enough to do anything: it ends up being an inefficient (with both computer and developer time) reimplementation of a programming language.
Of course programs can be modular and easily extensible, so that each individual module does just one thing and does it well, and they can be easily bound together to quickly build new programs. But an engine that is equally suited for table tennis and GTA is not going to shine at either unless it was designed by a genius.
-
Learn what not to do: thedailywtf.com
Learn what not to do by periodically visiting http://thedailywtf.com/
-
Re:HOW!?!!?!
I realize that, but any half-way competent developer would
Ahh, see, there's the bad assumption. There are a LOT of really bad programmers... nay, that's an insult to those of us who know what we're doing. I don't know what to call them. And they are all over the place, writing "enterprise" software. For more info, read The Daily WTF. -
Whee!
Thanks, Slashdot, for getting to the 21st century and updating the GNOME icon. =)
As for the topic... um, I have nothing against the idea, and it's a pretty good one. Just be careful not to hire Paula, who's undoubtedly out of work right now. =)
-
5000 lines of code?
Lines of code is a stupid metric. It's on the wrong side of the balance sheet. Lines of code is a cost, not a benefit. As a software engineer, your job is to express concepts in as little code as possible. That's why we have high level languages like Lisp, Haskell and Ruby.
On the other hand, we have people who try to fatten their lines-of-code metric, which is why we have assembler, C, and TheDailyWtf.
If anyone asks me for how many lines of code I've written in a day, I will either respond with a negative number, which is probably correct, or if I'm feeling vicious, One. -
Re:simple solutions
What if I take a picture of my screen with the digital camera, import it into the computer, insert it into a word document, email it to a friend who can print it out place it onto a wooden table, take a picture with a nice camera, develop the film, scan it in before finally uploading it to flickr.
Would it be acceptable then??
(apologies to dailywtf for copying an idea) -
Moderation
Maybe they should have moderation. (Score: -1, This deserves to be on http://thedailywtf.com/)
Oh well. Think of it as an opportunity, nay, an encouragement, to feel smug and/or point and laugh :-) -
Re:Community Server
Community Server is the largest PoS software around, unfortunately.
One of my favorite websites runs it (The Daily WTF), and there are continual complaints about it on practically every entry. One of the primary problems (improved, but still not completely fixed) is its mysterious ability to take a nicely formatted post, and end up automagically quoting all the < and > in the HTML view. End result is the preview looks OK, but the final post ends up a gobbledegook of HTML. Turns a nice post into an unreadable mess. It gets worse if people use different browsers.
(And some people complain it's a larger WTF than the WTF's that get posted!). It makes Slashcode look good.
On the upside, Community Server does look very nice. But the mangled posts tends to be a huge problem. -
One year of SQL is significant experience?
Perhaps that's what's wrong with database development these days (just check out The Daily WTF, as it seems they have a SQL example every other day). When a single year of experience is considered "significant" and "experienced", it's no wonder there are so many crap DBAs out there. We look for people with 5+ years of C# experience (ha! Good luck finding someone with more than 5 years experience...) for intermediate-level developer positions. There's no way someone with only a year of SQL experience would qualify for an intermediate-level DBA position.
Just as background, I've been doing development on SQL Server for 6 years now (from SQL 7 to SQL 2005). I'm still learning, still finding ways to improve my code's cleanliness and performance, still finding new things I can do in SQL. For example, SQL 2005 finally has CTEs, making it only the second database to implement that ANSI SQL99 standard. CTEs make it very easy to do things that were painfully hard before, like walking a tree or implementing a recursive algorithm over sets of data.
After my fourth year of working with SQL, I'd have been willing to say I had "significant" experience with SQL. Four years is arbitrary -- it really depends on how much you work with it day to day. Someone may have "significant" experience after only two years, while someone else may not be significantly experienced until he's worked with SQL for eight years. If you had to put a number of years on what would constitute significant experience, I'd err on the safe side and go with three or four years. Certainly not just one year.
-
Save LAMP!
Without LAMP, I will get much less daily wtfs at http://thedailywtf.com/ !!111one
-
Re:Plugin Architecture
If you truly do not want to make your code FOSS, then I am a believer in not giving the code out at all, even under contract. Code has a way of making it out to the 'net.
Too true, too true. But how could you forget the obligatory link? :P -
Re:Just Be Clear
Do you think major corporations are just going to hand over source code? Can you imagine the leaks?
Yeah, I think that The Daily WTF will have its hands full.
-
Re:#1) Lotus #2) freaking #3) Notes
Speaking of Lotus Notes, I only just got around to reading yesterday's Daily WTF...
-
As usual, the answer is: it depends.
My user account (SID) on my x64 windows machine at home isn't in the administrator group, and I occasionally run into problems. Most software works ok, though.
The typical problem is that the programmer or software architect didn't account for user-specific config settings. Just like on unix, Windows lets you keep user-specific stuff in the user's profile. However, Windows has the ability to synchronize the user's profile across the network -- including the HKEY_CURRENT_USER subkey from the registry, so it's not as simple as just writing a bunch of stuff to a dotfile.
The WinNT kernel actually has an entire subsystem in its executive layer dedicated to handling its elaborate permission system: the security manager. It isn't nearly as easy to learn as the unix permission system, but it is capable of doing some pretty nifty things, like creating audit entries every time someone accesses a driver endpoint, or requiring someone to be logged onto the system console before allowing them to do something.
The problem is that it's just like xlib: you'd have to be crazy to use the APIs directly. So, programmers have the option of either:
A) Write hundreds of lines of code to implement graceful fallback using those APIs to test whether a privilege is available (and gracefully handle errors that occur when calling those APIs), or
B) Write one line of code to call MessageBox() and throw up a dialog telling the user they're boned if some API fails and GetLastError() returns 5 (access denied).
Both ways will result in working software -- as long as the user is running as administrator. Your typical profit-oriented software house doesn't have any financial incentive to help the users run with least privilege, so they nearly always choose option B if they have a choice about it. This is why a lot of people hold a grudge against certain application packages for throwing up incomprehensible error messages. It's not that the programmers don't know how to do it right, it's just that they don't want to.
As a specific example, Cadence's capture product for EE work will throw up this helpful dialog if you don't have write access to the HKLM registry key, which is only writable by the Administrator and LocalSystem users by default.
By the way, the poster's use of the word "root" is a little misleading. In Windows terms, "root" is really the LocalSystem user, which has full access to everything, including \Device\PhysicalMemory and other juicy objects. The Administrator user has the ability to escalate privileges to LocalSystem, but it requires a few extra steps.
As far as helper software goes, there are only two things you need to know: the RUNAS command and the *.MSC files. The *.MSC files are Microsoft Management Console profiles, which are used by MMC to throw up dialogs like Local Users and Groups (lusrmgr.msc), Disk Management (diskmgmt.msc), and Device Manager (devmgmt.msc). You can even run them from the run dialog or the command prompt, since the MSC extension is associated with the MMC program by default. Go try it, I'll wait.
But how does this help you if you don't have privileges to modify disks or devices? Enter the RUNAS command. If you've heard of sudo, you can think of this as sudo for Windows. In fact, I usually do this on Windows boxen where I'm non-root:
C:\>cd %userprofile%
C:\Documents and Settings\myself>mkdir bin && cd bin
C:\Documents and Settings\myself\bin>copy CON SUDO.CMD
@ECHO OFF
REM sudo -- run program as administrator
runas /user:administrator %*
^Z
1 file(s) copied.
C:\Documents and Settings\myself\bin>sudo "mmc devmgmt.msc"
Enter the password for administrator: *************
Attempting to start mmc devmgmt.msc as user "MYBOX\myself" ...
C:\Documents and Settings\myself\bin>
Then the de
-
Agree with all the "depends" comments
One thing I've noticed is that whenever web programming comes up on slashdot, a ton of people rush in to boast about how they only ever use full-blown MVC, presumably in an effort to look uber-professional and dissociate themselves from this 'dirty php hacker' stereotype.
The thing is, sometimes dirty php hacks are fine.
What are you coding? If I went to ebay, or amazon, or something like that, and they didn't have a serious n-tier architecture, and all their logic code was scattered randomly throughout their html source, that would be a proper WTF.
On the other hand, when I knock up some sort of ultra-basic blog for myself, or a cheesy feedback form for my band's website, or something like that, then using full-on OOP and MVC is an equally big WTF. In that situation, please stop about impressing other people on slashdot with your architecture model professionalism, and write something shamelessly quick and easy. You're going to be the only person updating it, so who cares?
One further point on that subject... everyone praises a clean separation / MVC approach for being essential when you have multiple developers updating code. Well... true in a way... but there are qualifications to that. I remember doing some hacking on php blogging software Plog for a customer last year. That's completely OOP and MVC, using Smarty for templating, and the intellectual side of my brain was impressed with the cleanliness of the design patterns, but the practical side of my brain found it a pain in the arse. The client would say "you see this output of such-and-such a word on such-and-such a page, can we change it?" If it had been I'd go into the source for that page and it would be pretty much a single line of code...
model._request->("by_categories").view
or something ludicrously cryptic like that. So I'd have to try and "trace" things from the by_categories.php through the templates into all the object classes... of course the OOP was so fully-blown that you'd reach some initial completely generic class which told you nothing, you needed something which inherited off something which inherited off something.... etc, etc. It was an absolute nightmare, for the simple reason that the documentation, like so many OSS projects, was extremely lacking, verging on non-existent. I went to their wiki and found a page with the perfect title, something like "which functions are handled in which classes", but it just said "coming soon".
To their credit, when I asked on their forums I got a quick and friendly reply, but still, I think it illustrates my point. If you're going to put things into an elaborate architecture so that what-you-see-in-the-final-html-pages bears almost no direct relationship to organisation of the 'business logic' source files, then documentation is essential otherwise it's actually harder for multiple developers to hack than if you just stuff your html full of inline php.
-
When it all goes wrong...
As others have suggested, be VERY suspicious if it isn't an incremental switchover. I have a feeling that won't happen for you, and the offshore company is going to enjoy your company's money a lot.
When it all goes wrong, please do a little write up of the events and submit it to The Daily WTF.