The binary +1 feature has not gone unnoticed 👍🏽
@dfox @trogus

Sooooo me and the lead dev got placed in the wrong job classification at work.

Without sounding too mean, we are placed under the same descriptor and pay scale reserved for secretaries, janitors and the people that do maintenance at work(we work for a college as developers) whilst our cowormer who manages the cms got the correct classification.

The manager went apeshit because the guidelines state that:

Making software products
Administration of dbs
Server maintenance and troubleshooting
Security (network)

And a lot of shit is covered on the exemption list and it is things that we do by a wide fucking margin. The classification would technically prohibit us from developing software and the whole it dptmnt went apeshit over it since he(lead developer) refuses (rightfully so) to touch anything and do basically nothing other than generate reports.

Its a fun situation. While we both got a substantial raise in salary(go figure) we also got demoted at the same time.

There is a department in IT which deals with the databases for other major applications, their title is "programmers" yet for some reason me and the lead end up writing all the sql code that they ever need. They make waaaaay more money than me and the lead do, even in the correct classification.

Resolution: manager is working with the head of the department to correct this blasphemy WHILE asking for a higher pay than even the "programmers"

I love this woman. She has balls man. When the president of the school paraded around the office asking for an update on a high priority app she said that I am being gracious enough to work on it even though i am not supposed to. The fucking prick asked if i could speed it up to where she said that most of my work I do it on my off time, which by law is now something that I cannot do for the school and that she does not expect any of her devs to do jack shit unless shit gets fixed quick. With the correct pay.

Naturally, the president did not like such predicament and thus urged the HR department(which is globally hated now since they fucked up everyone's classification) to fix it.

Dunno if I will get above the pay that she requested. But seeing that royal ammount of LADY BALLS really means something to me. Which is why i would not trade that woman for a job at any of my dream workplaces.

Meanwhile, the level of stress placed my 12 years of service diabetic lead dev at the hospital. Fuck the hr department for real, fuck the vps of the school that fucked this up royally and fuck people in this city in general. I really care for my team, and the lead dev is one of my best friends and a good developer, this shit will not fucking go unnoticed and the HR department is now in low priority level for the software that we build for them

Still. I am amazed to have a manager that actually looks out for us instead of putting a nice face for the pricks that screwed us over.

I have been working since I was 16, went through the Army, am 27 now and it is the first time that I have seen such manager.

She can't read this, but she knows how much I appreciate her.

"Errors? Won't happen to me!"

One of my first jobs was to finish and maintain a program, that was made by a guy who had a real genius image among others. Years later, people said "oh him, that smart guy."

I never met him, but that's what i heard.

However, he was not only smart, but it seems he was also very confident. That's what i deduct from his code.

He didn't use catch-blocks. They were all empty. Not even logged.

If errors appeared , it was not possible to see what happened and where and why. The program would continue it's execution and if following steps could not work, because there had been an unnoticed exception, it would just throw another unnoticed exception and at some point, end in an undefined state.

I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...

#1 - Most expensive lesson learned

Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a loadbalancer to our backend.

This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...

After 10 minutes every phone in the office started going beserk - calls where coming in about store servers irreparably crashing all over the country taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.

Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each stores error log proceeded to grow and consume every available byte of HD space before crashing windows.

#2 - Hardest to find

This was a true "Nessie" bug.. We had a single codebase powering a few hundred sites. Every now and then at some point the web server would spontaneously die and vommit a bunch of sql statements and sensitive data back to the user causing huge concern but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.

Turns out years back when the server was first setup each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown but as our traffic increased ever so often 2 users of different sites would end up sharing a session id causing the server to promptly implode on itself.

#3 - Most elegant fix

Same bastard IIS server as #2. Codebase was the most unsecure unstable travesty I've ever worked with - sql injection vuns in EVERY URL, sql statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots ended up sending bluepill spam or mining shitcoin and I would simply delete the instance and recreate it in a semi un-compromised state which was an acceptable solution for the business for uptime... until we we're DDOS'ed for 5 days straight.

My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of ip). After 3 days of doing this manually I was given the go ahead to use any resources necessary to make it stop and especially since it was IIS6 I had no fucking clue where to start.

So I stuck to what I knew and deployed a $5 vm running an Nginx reverse proxy with heavy caching and rate limiting linked to a custom fail2ban plugin in in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a linux user agent). To this day I marvel at this miracle $5 fix.

You know what i hate? Applying to jobs and never getting feedback--if a polite "we didn't hire you because x and y" is too damn hard, i would still rather a royal refusal over not hearing anything back at all. It's happened to me 3-4 times in a row now, probably going to be 5 - 6 soon enough. Seriously though, what is this shortage of devs everyone talks about? Because here i am with both hands and a leg in the air high as i could manage and you're not even acknowledging me? I even made a small React SPA once to satisfy a company's questions and show a bit of my competence--you think i ever got a reply from them? Shit, i didnt even get an auto reply. And from what ive read here on others' rants, im far from being alone. At least i could understand why they dont look at me (Bahamian, no degree, never had a dev job, etc.), but for proven programmers to go unnoticed the way they do is ridiculous.

The bug made it through unnoticed. sh1t storm wednesdays. FML

I used to do audits for private companies with a team. Most of them where black box audits and we were allowed to physically manipulate certain machines in and around the building, as long as we could get to them unnoticed.

Usually when doing such jobs, you get a contract signed by the CEO or the head of security stating that if you're caught, and your actions were within the scope of the audit, no legal action will be taken against you.

There was this one time a company hired us to test their badge system, and our main objective was to scrape the data on the smartcards with a skimmer on the scanner at the front of the building.

It's easy to get to as it's outside and almost everyone has to scan their card there in order to enter the building. They used ISO 7816 cards so we didn't even really need specified tools or hardware.

Now, we get assigned this task. Seems easy enough. We receive the "Stay-out-of-jail"-contract signed by the CEO for Company xyz. We head to the address stated on the contract, place the skimmer etc etc all good.

One of our team gets caught fetching the data from the skimmer a week later (it had to be physically removed). Turns out: wrong Building, wrong company. This was a kind of "building park" (don't really know how to say it in English) where all the buildings looked very similar. The only difference between them was the streetnumber, painted on them in big. They gave us the wrong address.

I still have nightmares about this from time to time. In the end, because the collected data was never used and we could somewhat justify our actions because we had that contract and we had the calls and mails with the CEO of xyz. It never came to a lawsuit. We were, and still are pretty sure though that the CEO of xyz himself was very interesed in the data of that other company and sent us out to the wrong building on purpose.
I don't really know what his plan after that would have been though. We don't just give the data to anyone. We show them how they can protect it better and then we erase everything. They don't actually get to see the data.

I quit doing audits some time ago. It's very stressful and I felt like I either had no spare time at all (when having an active assignment) or had nothing but spare time (when not on an assignment). The pay also wasn't that great.

But some people just really are polished turds.

Today at work I found this in the code...

if (argCount < 2 && argCount > 3) {
// log invalid arg count
return;
}

And this passed code inspection and has been sitting there unnoticed for about a year and a half... 😂

Whether it's mixing up and with or, or forgetting a semicolon, we've all done it at some point! 😊

Microsoft Azure down on a Friday at home time? Whoever tripped over that cable is probably trying awfully hard to slink out of the building unnoticed right about now

The moment when the music is playing while coding and you realize that 5 of your favorite music tracts has passed unnoticed. #YouMakeWild

Most painful code error you've made?

More than I probably care to count.

One in particular where I was asked to integrate our code and converted the wrong value..ex

The correct code was supposed to be ...

var serviceBusMessage = new Message() {ID = dto.InvoiceId ...}

but I wrote ..

var serviceBusMessage = new Message() {ID = dto.OrderId ...}

At the time of the message bus event, the dto.OrderId is zero (it's set after a successful credit card transaction in another process)

Because of a 'true up' job that occurs at EOD, the issue went unnoticed for weeks. One day the credit card system went down and thousands of invoices needed to be re-processed, but seemed to be 'stuck', and 'John' was tasked to investigate, found the issue, and traced back to the code changes.

John: "There is a bug in the event bus, looks like you used the wrong key and all the keys are zero."
Me: "Oh crap, I made that change weeks ago. No one noticed?"
John: "Nah, its not a big deal. The true-up job cleans up anything we missed and in the rare event the credit card system goes down, like now. No worries, I can fix the data and the code."
<about an hour later I'm called into a meeting>
Mgr1: "We're following up on the credit card outage earlier. You made the code changes that prevented the cards from reprocessing?"
Me: "Yes, it was my screw up."
Mgr1: "Why wasn't there a code review? It should have caught this mistake."
Mgr2: "All code that is deployed is reviewed. 'Tom' performed the review."
Mgr1: "Tom, why didn't you catch that mistake."
Tom: "I don't know, that code is over 5 years old written by someone else. I assumed it was correct."
Mgr1: "Aren't there unit tests? Integration tests?"
Tom: "Oh yea, and passed them all. In the scenario, the original developers probably never thought the wrong ID would be passed."
Mgr1: "What are you going to do so this never happens again?"
Tom: "Its an easy addition to the tests. Should only take 5 minutes."
Mgr1: "No, what are *you* going to do so this never happens again?"
Me: "It was my mistake, I need to do a better job in paying attention. I knew what value was supposed to passed, but I screwed up."
Mgr2: "No harm no foul. We didn't lose any money and no customer was negativity affected. Credit card system may go down once, or twice a year? Nothing to lose sleep over. Thanks guys."

A week later Mgr1 fires Tom.

I feel/felt like a total d-bag.

Talking to 'John' later about it, turns out Tom's attention to detail and 'passion' was lacking in other areas. Understandable since he has 2 kids + one with special-needs, and in the middle of a divorce, taking most/all of his vacation+sick time (which 'Mgr1' dislikes people taking more than a few days off, that's another story) and 'Mgr1' didn't like Tom's lack of work ethic (felt he needed to leave his problems at home). The outage and the 'lack of due diligence' was the last straw.

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

I want to explain to people like ostream (aka aviophille) why JS is a crap language. Because they apparently don't know (lol).

First I want to say that JS is fine for small things like gluing some parts togeter. Like, you know, the exact thing it was intended for when it was invented: scripting.

So why is it bad as a programming language for whole apps or projects?

No type checks (dynamic typing). This is typical for scripting languages and not neccesarily bad for such a language but it's certainly bad for a programming language.

"truthy" everything. It's bad for readability and it's dangerous because you can accidentaly make unwanted behavior.

The existence of == and ===. The rule for many real life JS projects is to always use === to be more safe.
In general: The correct thing should be the default thing. JS violates that.

Automatic semicolon insertion can cause funny surprises.
If semicolons aren't truly optional, then they should not be allowed to be omitted.

No enums. Do I need to say more?

No generics (of course, lol).

Fucked up implicit type conversions that violate the principle of least surprise (you know those from all the memes).

No integer data types (only floating point). BigInt obviously doesn't count.

No value types and no real concept for immutability. "Const" doesn't count because it only makes the reference immutale (see lack of value types). "Freeze" doesn't count since it's a runtime enforcement and therefore pretty useless.

No algebraic types. That one can be forgiven though, because it's only common in the most modern languages.

The need for null AND undefined.

No concept of non-nullability (values that can not be null).

JS embraces the "fail silently" approach, which means that many bugs remain unnoticed and will be a PITA to find and debug.

Some of the problems can and have been adressed with TypeScript, but most of them are unfixable because it would break backward compatibility.
So JS is truly rotten at the core and can not be fixed in principle.

That doesn't mean that I also hate JS devs. I pity your poor souls for having to deal with this abomination of a language.

It's likely that I fogot to mention many other problems with JS, so feel free to extend the list in the comments :)

Marry Christmas!

There should be an open source, Linux based Printer operating system. Like OpenWRT for routers, also works with almost every device in the wild.

This would be such a relief for everyone. Come on, most printer firmwares are crap.

Remember Scannergate? Yep, the one about professional xerox scanners changing numbers in scanned document. Went unnoticed for 8 years and affected almost every workcenter even in the highest compression setting. Just because they wanted to save a few bytes by using pattern matching.

I figured out why FS2020 crashed all the time.

One day when I was just casually playing FS2020, I bluescreened with a watchdog violation. For some reason this corrupted a DLL which was part of my graphics driver which is not required for the output to come out of course. The DLL is “atidxx64.dll”.

Somehow, this went unnoticed.

After digging into the extremely well-hidden crash log I found out that it accuses this DLL file, dug up on it and I saw that it is made by AMD.

Reinstalled the drivers and now it works fine.

FUCK MY LIFE I REDOWNLOADED THIS 95GB SIMULATOR 4 TIMES BEFORE DIVING INTO THIS

story of a release
v2.1.0 major changes went live : new features, bug fixes, optimisations. also included releases for 2 associated libraries
release process tasks:
- do code
- update test cases
- test sample app
- test on another sample app
- get code reviewed and approved by senior ( who takes his own sweet time to review and never approves on first try)
- get code reviewed again
- merge to develop after 20 mins( coz CICD pipeline won't finish and allow merging before that)
- merge to master after 20 mins( coz CICD again)
- realise that you forgot to update dates in markdown files as you thought the release will be on 10th sept and release is happennig on 12th sept coz of sweet senior's code fucking/reviewing time
- again raise a branch to develop
- again get it a review approval by sr (who hopefully gives a merge approval in less time now)
- again get it merged to develop after waiting for 20 mins
- again get it merged to master after waiting for 20 mins
- create a clean build aar file
- publish to sonatype staging
- publish to sonatype release
- wait for 30 mins to show while having your brain fucked with tension
- create a release doc with all the changes
- update the documentation on a wyswig based crappy docs website
- send a message to slack channels
- done

===========

why am i telling you this? coz i just found a bug in a code that i shipped in that release which still got in after all the above shitty processes. its a change of a 3 lines of code, but i will need to do all the steps again. even though i am going through the same shitty steps for another library version upgrade that depends on this library 😭😭

AND I AM THE ONE WHO CAUGHT IT. it went unnoticed because both of those shitty samples did not tested this case. now i can keep mum about it and release another buggy build that depends on it and let the chaos do its work, or i can get the blame and ship a rectification asap. i won't get any reward or good impression for the 2nd, and a time bomb like situation will get created if i go with 1st :/

FML :/

PC-Lint is such a useless piece of shit! Tons of warnings with no actual benefit. The obvious motivation behind this crap was to throw as many warnings as this cheap sucker can even generate with no effort to minimise false positives. Typical snakeoil shit, reminds me of ZoneAlarm back then which reported every ping as "attack" just to fool the clueless into buying. Meanwhile, the actual bugs that sophisticated tools can find pass unnoticed through PC-Lint.

I just cannot hold myself laughing at the most serious moments in meetings. People say the funnies/stupidest shit and they go unnoticed!

When I first started learning to program, the first time I spent all day writing code. I was working with lists in common lisp. I sat down with a cup of coffee and my laptop, and the next thing I knew was five hours had passed unnoticed, but rather than feeling tired and irritable, I still felt happy and energized. And I thought, "Cool! This is what I want to do with my life. Good to know."

Didn't see this mentioned before. BeyondCompare is one I use everyday, but goes unnoticed in the fav software list.

Mom: What are you doing right now?
Me: Researching on cocaine. //Assignment was about cocaine in Coca-Cola
Mom: Is cocaine a CS course or something?// So naive
Me: Yes it's a mind boggling course, some people fail to survive the course. It's practiced world wide.
Mom: ooh good good. Carry on

And my sarcasm went unnoticed until later when I told her what cocaine is.😂

Hate it when my question goes unnoticed on stack overflow and Google doesn't give me a proper link to a solution AND THE DOCUMENTATION is not clear! -.-

Sometimes I work from home, I don't know if i'm allowed to but nobody says nothing and I don't notify either, my record is 1 week without showing up at the office, I want to stay one month just to see what happens.

Do you think they trust me or I'm unnoticed and replaceable?

Poorly built software is the other side of the coin of over-engineered software. They both exist because users carelessly use software products. By not exercising the code enough, or system failure not costing the business more penalties than they can bear, incompetent developers will continue to get away with building things haphazardly –not as relates to tech stack, but the nitty-gritty implementation details they gloss over without adequately thinking through

Because of this, there doesn't seem to be sufficient incentive for thorough planning –what could be referred to as over-engineering. Those fancy pedantry in code mostly goes unnoticed by the end user. Of course, this doesn't apply to big corporations in most cases. It's usually unexpected to see elementary bugs in them

#Suphle Rant 9: verbatim exception scare

In multiple rants, I've bitched about laravel stealing suphle features. By some very weird coincidence, it appears I've been given a taste of my own medicine. Let me explain:

We're having a chat this morning on a laravel group chat when someone says he uses their notification component a great deal. Curious, I ask him what he uses it for since I only used it sparingly during my laravel days. To pry an answer out of him, I ask whether he uses them for sending app error alerts to a slack channel, and he responds with an eerily familiar term. I quickly look it up and the results on the docs are chilling: errors can be sent to bugsnag (which suphle has an integration for), sentry and Co. Errors can either be broadcast or disabled. Specific kinds of errors can be caught. My heart sunk. My brother called for something while I was going through it and I was struggling to pull myself together

Their exception component is almost identical to mine and I'm only just realising. It's shameful that I'm just learning about functionality present since 5.8. I thought my creation was novel. BUT! The good news is, the implementation differs

Too many errors went unnoticed during my time there because error broadcasting is optional. Since none of my colleagues read that part of the documentation, we were firefighting by pulling and wrangling production error logs. This informed their abolishment in suphle altogether

A relatively minor difference is in the APIs –their philosophy makes significant use of global functions, violating SRP, etc.

But the most important difference, that still cheers me up, is that they only catch known errors. Suphle has a construct for isolating calls to a decorated service. Any unforeseen error to occur during its execution will do a series of things before control is returned to the caller