Search - "clever little shit"
So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)
Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to hear now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.
Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is, we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.
Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.
It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.
I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.
So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.
I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.
Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.
An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:
"please reenter card number to validate."
Bupkiss. Dead end.
OR SO YOU WOULD THINK.
One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:
"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"
One submit click later and the user's credit card number drops into lnav like a gacha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:
With an authenticated user of any privilege, you could place any order, as anyone, using anyone's payment methods and have it sent anywhere.
So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discreetly." Straight up hitler's bunker meme rage.
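Added example, not code from the rant above or from the company it describes. It reproduces the two defects in the story in miniature: an impersonation cookie that the server trusts without any integrity check, and a failed-order log line that carries the full card number. Beside each sits a hardened form: an HMAC-tagged cookie that is also bound to the authenticated session and to an explicit "may this actor order for this target" check, and a log filter that masks anything that looks like a card number before it reaches the log sink. Every name, id, key and log line here is constructed for illustration; `can_act_for` stands in for whatever org-chart lookup the real service would have.

```python
"""Unsigned vs. HMAC-tagged impersonation cookie, plus PAN redaction for logs.
Added example; all ids, the key and the sample log line are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import re
from typing import Callable, Optional

# Constructed server-side key. In production it lives in a secret store and is
# rotated; it is never derived from anything the client can see.
COOKIE_KEY = b"constructed-demo-key-do-not-use"


def encode_claims(claims: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) as URL-safe base64."""
    return base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())


# --- Vulnerable: the cookie is believed as-is (the defect in the rant) -------
def vulnerable_cookie(claims: dict) -> str:
    """Just base64 JSON: no tag, so there is nothing for the server to verify."""
    return encode_claims(claims).decode()


def vulnerable_parse(cookie: str) -> dict:
    """Whatever the client sends back is taken as fact, actor and payment included."""
    return json.loads(base64.urlsafe_b64decode(cookie.encode()).decode())


# --- Hardened: tag it, bind it to the session, then authorize ---------------
def hardened_cookie(claims: dict) -> str:
    """payload.tag, where tag = HMAC-SHA256(key, payload)."""
    payload = encode_claims(claims)
    tag = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return (payload + b"." + base64.urlsafe_b64encode(tag)).decode()


def hardened_parse(cookie: str, session_user_id: int,
                   can_act_for: Callable[[int, int], bool]) -> Optional[dict]:
    """Returns the claims only if (1) the tag verifies, (2) the actor named in
    the cookie is the user who owns this session and (3) can_act_for says that
    actor may order for the target. None on any failure: no impersonation."""
    try:
        payload, tag_b64 = cookie.encode().split(b".", 1)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time compare
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload).decode())
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict) or claims.get("actor") != session_user_id:
        return None                                  # replayed someone else's cookie
    if not can_act_for(claims["actor"], claims.get("target")):
        return None                                  # actor is not above target
    return claims


def tamper(cookie: str, **changes) -> str:
    """What the rant's 'hour of tweaking' amounts to: rewrite the claims and
    send the cookie back, keeping whatever tag (if any) was attached."""
    payload, _, tag = cookie.partition(".")
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()).decode())
    claims.update(changes)
    new_payload = encode_claims(claims).decode()
    return new_payload + ("." + tag if tag else "")


# --- Log hygiene: the PAN must never reach the log sink ---------------------
# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log line shaped like the one the rant quotes.
SAMPLE_LOG_LINE = ("Failed to submit order for 10422 with credit card id 7, "
                   "number 4111111111111111")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most non-card digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Masks every Luhn-valid 13-19 digit run, keeping only the last four."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(mask, line)


if __name__ == "__main__":
    # Constructed org: 501 is a director, 900 a bottom-rung employee under 501.
    allow = lambda actor, target: (actor, target) == (501, 900)
    own = vulnerable_cookie({"actor": 900, "target": 900, "payment": 1})
    print("vulnerable:", vulnerable_parse(tamper(own, actor=501, payment=77)))
    forged = tamper(hardened_cookie({"actor": 900, "target": 900, "payment": 1}),
                    actor=501, payment=77)
    print("hardened, forged:", hardened_parse(forged, 900, allow))
    print("hardened, legit :", hardened_parse(
        hardened_cookie({"actor": 501, "target": 900, "payment": 77}), 501, allow))
    print(redact_pans(SAMPLE_LOG_LINE))
```

Two points the code makes that the story only implies: a tag alone would not have been enough, because the service would still mint a cookie for whatever target the user asked for, so the session binding and the `can_act_for` check carry as much weight as the HMAC; and the redaction belongs at the logging layer, not in the one handler someone remembered, because the rant's leak came from a failure path nobody thought about.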
Google is getting smarter with their recruiters, if those recruiters are even people at all. I have this recruiter message me once a month and her messages are so targeted and specific.. like.. she ACTUALLY read my profile. She writes a lengthy message that includes my previous company's name, work experience, and even the projects I have on Github (as in specific questions, not just the name of the repository or some shit that can easily be scraped). She mentions events specific to the area where I live in, etc.
She's doing these things that I've been planning to do. Maybe a web crawler and a game of adlib to make people think you actually read about them and cared one bit when in reality, you're just a bot who has access to public information. You just bind them all together and fill in the blanks and then send it away.
Maybe you have a few message templates and use a bit of code to shuffle some words a little bit, make them less perfect and more human. Throw in a few "unintentional" mistakes to make it look more casual, add some warmth to your cold, metallic, robot heart. With all these, you get more variety on the messages you send. Maybe apply some machine learning or some shit, have it listen/read from different people, and give it an illusion of a personality.
But what's this? She did not send the message on an "o'clock" time. It wasn't 12:00 AM at all, or 7:00 PM, or 4:00 PM. The follow-up email was sent on 12:20 AM. Were all the messages queued and the job runs at 12:00 AM but she's sent it to so many that it reached me 20 minutes later? Nah. Or maybe this is intentional, some low-key "I'm not a bot, I don't operate at exactly 12:00 AM. I don't have a cron, I have a heart." But if I were to make one, I would send it at times like 9:34 AM, a little less suspicious. I want to see if there's a pattern in what time she sends these things but I only see the date on the previous messages now because I didn't care enough to read it before.
Also, this is LinkedIn, they give scrapers a hard time but then again, this is Google and they have the money to pay for abuse. Now I want to check our time difference. What time did she actually send this and was it really rainy in Ireland that time OR ARE YOU LYING TO ME, CLAUDIA? I thought you cared about me? Was it all a fucking lie? Do you know me at all? Or was it all just a clever game to get into my pants?
Now I want to make a new account that has almost the same details to see if she messages that one but I don't want to go back to the asylum, I know how deep it goes. I either hunt down this bot or make a counter-bot to cross-check all the shit she and other recruiters are telling me.
Or maybe this is exactly what they want to happen.. For me to lose my mind and post in a forum where I would "unintentionally" spread the word and they can attract/trap more people.
Fuck it, early onset dementia.
Started vacation today and arrived at our glorious holiday lodge. It is lovely. All very modern and funky. And it has a lovely cooker hob with touch controls... ooooo!!
And I swear I've never seen anything as complicated and confusing in all my life. It's a fucking cooker!! But it has no knobs you turn to set how hot a fucking cooking ring is. This thing has 2 pages of instructions to fucking turn it on - and they don't bloody help!! Want a ring on at heat 6? That's 9 fucking touches - but not like a smartphone touch, each a fucking 1sec+ touch!!
UX is about conventions and thinking of your users. The people who designed this obviously think they're visionaries and pioneers when everyone who actually uses their gear just curses them up and down for being stupid. Cookers are cookers and everybody knows how they work and how they use them?!?!
Holy shit designers, stop being too fucking clever for yours and everyone else's good!!
You can tell how nice and relaxed I am having started my vacation today... and read the rest of my rants to see how little I swear. But, by God, this thing is ridiculous. I blame the influence of @Letmecode for my reaction!! 😂
I recommend this to 'myself later'
you are in the flow maaan... you fucking rock it... i swear, to GOD!
I'm in the most mindblowing.. thinking out-of-the-box... thinking about the system... everything that just can help recover a little piece of your soul... and resolving the worst bugs you've ever had... and you just fucking ROCK IT! And you are on the highway to finish it all, but then suddenly a thought kicks in, and won't let you "do ya' thing".
That little piece of shit is now not a man, not a thing, nor anything... just some old tune from your dreams... and NOW! You! You are in the flow... and suddenly know what is your youtube's playlist name... from your saved 170+ playlists...most of them with 30+ saved videos... and you fucking see through that madness now, and THAT contains that tune!!!
You drop EVERYTHING! YOU ARE IN THE FLOW! And you just solved a "bug" inside you, 'cause if you listen to that song, then it will finally Soothe Your Pain (haha... https://youtu.be/MJpQx57uoRc )... And you know it... you are in a hurry, and you will forget the name again... so you just go to youtube... and try to search it... "piano"
you are always in a hurry... so -> hotkey Ctrl + T... (y -> auto youtube search) "y_piano" -> result is "personalized"...
a lot of really irrelevant youtube videos...
Ok... scroll down...
BOOM Dr. Dre ft. Snoop Dogg between Mozart and Chopin...
"ok so personalized..." but not my playlist...
You check your youtube account... playlists... ALL PLAYLIST -> "Ahh finally, maybe a new search implementation!"...
Naaah... just shitty 170+ videos...
"thanks youtube..." No filter, no search... NOTHING...
"Fuck..." ok. fuck... go to old youtube page, you saved just for these situations... (remember... you are clever! and thank me later: https://youtube.com/view_all_playli... )
And it is not looking like it looked back in the day... and a little piece of it warns me that it will be removed soon... :'(
You lost the flow... you desperately break down... What?!?!! that is the worst thing that could happen to me... this is the only search option which works at least a little bit... and it doesn't bother anyone... and it will be abandoned, and shut down soon... :'(
So you sadly search that playlist... listen to that tune... turn up the volume... so that I can cry calmly in the corner, and no one can hear it...
And you know, everything you've done is fucked up, you don't even remember where this half sandwich in front of you came from?! nor what time it is?! anything...
You just wasted half an hour, of the best fucking time you can have right now... you could have done all your tasks, all your bugs inside you... but you fucking wasted 30+ minutes (btw which is the most valuable thing in this fucking miserable life... and you wasted it to "search the youtube's UI where could you finally SEARCH WITH GOOGLE/YOUTUBE"!!!
And even that song is ruined for you now, 'cause this will be even worse in the future...