Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)
Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.
Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.
Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.
It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.
I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.
So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.
I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.
Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.
An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:
"please reenter card number to validate."
Bupkiss. Dead end.
OR SO YOU WOULD THINK.
One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:
"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"
One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:
With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.
So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.13 -
Our web department was deploying a fairly large sales campaign (equivalent to a ‘Black Friday’ for us), and the day before, at 4:00PM, one of the devs emails us and asks “Hey, just a heads up, the main sales page takes almost 30 seconds to load. Any chance you could find out why? Thanks!”
We click the URL they sent, and sure enough, 30 seconds on the dot.
Our department manager almost fell out of his chair (a few ‘F’ bombs were thrown).
DBAs sit next door, so he shouts…
Mgr: ”Hey, did you know the new sales page is taking 30 seconds to open!?”
DBA: “Yea, but it’s not the database. Are you just now hearing about this? They have had performance problems for over week now. Our traces show it’s something on their end.”
Mgr: “-bleep- no!”
Mgr tries to get a hold of anyone …no one is answering the phone..so he leaves to find someone…anyone with authority.
4:15 he comes back..
Mgr: “-beep- All the web managers were in a meeting. I had to interrupt and ask if they knew about the performance problem.”
Me: “Oh crap. I assume they didn’t know or they wouldn’t be in a meeting.”
Mgr: “-bleep- no! No one knew. Apparently the only ones who knew were the 3 developers and the DBA!”
Me: “Uh…what exactly do they want us to do?”
Mgr: “The –bleep- if I know!”
Me: “Are there any load tests we could use for the staging servers? Maybe it’s only the developer servers.”
DBA: “No, just those 3 developers testing. They could reproduce the slowness on staging, so no need for the load tests.”
Mgr: “Oh my –bleep-ing God!”
4:30 ..one of the vice presidents comes into our area…
VP: “So, do we know what the problem is? John tells me you guys are fixing the problem.”
Mgr: “No, we just heard about the problem half hour ago. DBAs said the database side is fine and the traces look like the bottleneck is on web side of things.”
VP: “Hmm, no, John said the problem is the caching. Aren’t you responsible for that?”
Mgr: “Uh…um…yea, but I don’t think anyone knows what the problem is yet.”
VP: “Well, get the caching problem fixed as soon as possible. Our sales numbers this year hinge on the deployment tomorrow.”
- VP leaves -
Me: “I looked at the cache, it’s fine. Their traffic is barely a blip. How much do you want to bet they have a bug or a mistyped url in their javascript? A consistent 30 second load time is suspiciously indicative of a timeout somewhere.”
Mgr: “I was thinking the same thing. I’ll have networking run a trace.”
4:45 Networking run their trace, and sure enough, there was some relative path of ‘something’ pointing to a local resource not on development, it was waiting/timing out after 30 seconds. Fixed the path and page loaded instantaneously. Network admin walks over..
NetworkAdmin: “We had no idea they were having problems. If they told us last week, we could have identified the issue. Did anyone else think 30 second load time was a bit suspicious?”
4:50 VP walks in (“John” is the web team manager)..
VP: “John said the caching issue is fixed. Great job everyone.”
Mgr: “It wasn’t the caching, it was a mistyped resource or something in a javascript file.”
VP: “But the caching is fixed? Right? John said it was caching. Anyway, great job everyone. We’re going to have a great day tomorrow!”
VP leaves
NetworkAdmin: “Ouch…you feel that?”
Me: “Feel what?”
NetworkAdmin: “That bus John just threw us under.”
Mgr: “Yea, but I think John just saved 3 jobs. Remember that.”4 -
Company website with images path relative to my localhost/
....
so everything work just on my machine .
the client and pm send me emails to fix the sites but I open the url everything works correctly.
after 5 days the pm attach an image .. at that moment I was like 😖😖😖😖😖😖2 -
Today I discovered what slowed my productivity the most: variable naming.
In a project I was naming many variables 'dirname' in different parts of the my code, but it represented 3 things: only the name of the directory, relative path + directory, and absolute path + directory.
I wasted to much time just figuring out which was which everytime until I finally decided to organize variables names better and see the wonders of the world. Result:
- dirname: only the name
- reldirname: relative path + dir
- absdirname: absolute path + dir
Such simple solution, yet took me years to actually see the benefits, my god
(First devRant post btw :3)7 -
Past two days one of the senior devs has been complaining to anyone who will listen about a UI assembly containing 'hard-coded' references to a third party component causing several builds to break. The developer who added the telerik component probably had no idea the reference is pointing to his personal directory instead of a relative path. Easy fix? Uh...yea...but he just ranted to our boss for about 10 minutes about he has no idea how to fix the problem and the TFS build failure holding up his other projects.
WTF!? You fracking know what the relative path is!...just fracking change it and move the frack on.
The drama this drama-queen keeps spewing out is driving me out of my mind.
3 -
My wet dream is pressing tab when entering a path in cmd.exe and it suggests folders/files relative to the already entered path.
Like bash does it.12 -
This is a story of how I did a hard thing in bash:
I need to extract all files with extension .nco from a disk. I don't want to use the GUI (which only works on windows). And I don't want to install any new programs. NCO files are basically like zip files.
Problem 1: The file headers (or something) is broken and 7zip (7z) can only extract it if has .zip extension
Problem 2: find command gives me relative to the disk path and starts with . (a dot)
Solution: Use sed to delete dot. Use sed to convert to full path. Save to file. Load lines from file and for each one, cp to ~/Desktop/file.zip then && 7z e ~/Desktop/file.zip -oOutputDir (Extract file to OutputDir).
Problem 3: Most filenames contain a whitespace. cp doesn't work when given the path wrapped in quotes.
Patch: Use bash parameter substitution to change whitespace to \whitespace.
(Note: I found it easier to apply sed one after another than to put it all in one command)
Why the fuck would anyone compress 345 images into their own archive used by an uncommon windows-only paid back-up tool?
Little me (12 years old) knowing nothing about compression or backup or common software decided to use the already installed shitty program.
This is a big deal for me because it's really the first time I string so many cool commands to achieve desired results in bash (been using Ubuntu for half a year now). Funny thing is the images uncompressed are 4.7GB and the raw files are about 1.4GB so I would have been better off not doing anything at all.
Full command:
find -type f -name "*.nco" |
sed 's/\(^./\)/\1/' |
sed 's/.*/\/media\/mitiko\/2011-2014_1&/' > unescaped-paths.txt
cat unescaped-paths.txt | while read line; do echo "${line// /\\ }" >> escaped-paths.txt; done
rm unescaped-paths.txt
cat escaped-paths.txt | while read line; do (echo "$line" | grep -Eq .*[^db].nco) && echo "$line" >> paths.txt; done
rm escaped-paths.txt
cat paths.txt | while read line; do cp $line ~/Desktop/file.zip && 7z e ~/Desktop/file.zip -oImages >/dev/null; done3 -
New models of LLM have realized they can cut bit rates and still gain relative efficiency by increasing size. They figured out its actually worth it.
However, and theres a caveat, under 4bit quantization and it loses a *lot* of quality (high perplexity). Essentially, without new quantization techniques, they're out of runway. The only direction they can go from here is better Lora implementations/architecture, better base models, and larger models themselves.
I do see one improvement though.
By taking the same underlying model, and reducing it to 3, 2, or even 1 bit, assuming the distribution is bit-agnotic (even if the output isn't), the smaller network acts as an inverted-supervisor.
In otherwords the larger model is likely to be *more precise and accurate* than a bitsize-handicapped one of equivalent parameter count. Sufficient sampling would, in otherwords, allow the 4-bit quantization model to train against a lower bit quantization of itself, on the theory that its hard to generate a correct (low perpelixyt, low loss) answer or sample, but *easy* to generate one thats wrong.
And if you have a model of higher accuracy, and a version that has a much lower accuracy relative to the baseline, you should be able to effectively bootstrap the better model.
This is similar to the approach of alphago playing against itself, or how certain drones autohover, where they calculate the wrong flight path first (looking for high loss) because its simpler, and then calculating relative to that to get the "wrong" answer.
If crashing is flying with style, failing at crashing is *flying* with style.15 -
Steps to make a portable version of Minecraft Java Edition (for Windows):
1. Get a flash drive, preferably of a decent size (>500MB). I used a 128GB flash USB 3.
2. Download Java JRE (version 8).
3. Download MultiMC
4. Install Java, put destination on flash drive. example: x:/mc/java
5. Eject flash drive.
6. Uninstall JRE from computer. This will remove the installation entry in the computer. Since flash drive is ejected it cannot delete off drive.
7. Install multimc. example: x:/mc/multimc
8. Point multimc to JRE location on flash drive.
9. Edit the path of the JRE to be something like this: ../java/etc... This keeps it from trying to use the drive letter and use a relative path instead. I edited the multimc config file to do this. Can probably be done in program too. If you modify config file you will have to quit multimc.
10. Login with your minecraft account in multimc.
11. Download some version of minecraft or modpack.
12. Enjoy on any windows computer and take with you!8 -
"hey, write us a simple interface for this shell script.."
script:
- input must be a file, does not accept loading through stdin/redirect
- accepts relative path input from one specific directory only
- fails if provided absolute path
- even though it fails, it still returns return code 0
and every time we've tried to open up a topic of programming practices we got slammed with "we're ops. you should be glad they're doing at least some scripting"5 -
So let me get this straight:
Out of the dozen odd solutions python has been through, virtualenv is now depreciated in favor of venv as of 3.5+? And venv ships standard now?
What happened to simplicity and there being "only one way" of doing things?
I hope python isn't catching a case of js-fever.
Someone was saying the problem with virtualenv was that it doesn't play well with relative path names?16 -
So I ran into a perplexing "issue" today at work and I'm hoping some of you here have had experience with this. I got a story-time from my coworker about the early days of my company's product that I work on and heard about why I was running into so much code that appeared to be written hastily (cause it was). Turns out during the hardware bring-up phase, they were moving so fast they had to turn on all sorts of low level drivers and get them working in the system within a matter of days, just to keep up with the hardware team. Now keep in mind, these aren't "trivial" peripherals like a UART. Apparently the Ethernet driver had a grand total of a week to go from nothing to something communicating. Now, I'm a completely self-taught embedded systems focused software engineer and got to where I am simply cause I freaking love embedded systems. It's the best. BUT, the path I took involved focusing on quality over quantity, simply because I learned very quickly that if I did not take the time to think about what I was doing, I would screw myself over. My entire motto in life is something to the effect of "If I'm going to do it, I'm going to do it to the best of my abilities." As such, I tend to be one of the more forward thinking engineers on my team despite relative to my very small amount of professional experience (essentially I screwed myself over on my projects waaaay too often in the past years and learned from it). But what I learned today slightly terrifies me and took me aback. I know full well that there is going to come a point in my career where I do not have the time to produce quality code and really think about what I am designing....and yet it STILL has to work. I'm even in the aerospace field where safety is critical! I had not even considered that to be a possibility. Ideally I would like to prepare now so that I can be effective when that time does come...Have any of you been on the other side of this? What was it like? How can I grow now to be better prepared and provide value to my company when those situations come about? I know this is going to be extremely uncomfortable for me, but c'est la vie.
TLDR: I'm personally driven to produce quality code, but heard a horror story today about having to produce tons of safety-critical code in a short time without time for design. Ensue existential crisis. Help! Suggestions for growth?!
Edit: Just so I'm clear, the code base is good. We do extensive testing (for lots of reasons), but it just wasn't up to my "personal standards".2 -
I feel so dirty rn. Been struggling with webpack all day to just generate some pages based on the object a js script exports. The issue was that I needed a path to an image and the path webpack's require returned was a relative path (it started with a .), which wouldn't work because my generated page wasn't in the root folder. I tried making it work "the right way" all day, nothing worked. So in the end I just removed the . from the fucking path using substr and that's that.
Also, why the fuck does webpack's require return a fucking relative path anyway?1 -
How is building Typescript libraries for esm, cjs and dts with Rollup still breaking in 2023? I had a setup last year that worked perfectly fine, I copied it over to a new library and now tslib is being imported by relative path from node_modules? Why would that ever work?5
-
How do y'all approach media-endpoints?
Specially publicly accessible user-uploaded media
Rn I encrypt the path to the media-
/file and expose it, decrypt on the server (returning a relative file-path) which then fetches the file via File.Read and returns it as-is
I put a cache header and works fine
But something in the back of my mind makes me feel it isnt right
Like, normal endpoints and file-read endpoints shouldnt be in the same backend, potentially affecting each other
But since it's just a fun pet project so Im not paying for a 2nd baremetal server as a CDN/media server -.-
Worst case scenario I use it as-is, but would appreciate hearing other approaches9
Top Tags
Weekly Rant
View