Details
About: Test automation engineer from Germany.
Skills: Java, PHP, JavaScript, Python, Batch.
Location: Köln
Joined devRant on 9/4/2016

Sometimes human stupidity still surprises me.
Today I was able to stop the release of a ticket at the last moment that intended to put URLs WITH A SECURITY TOKEN TO ACCESS USER DATA through a link shortener.
Some PM assumed that it would be a reasonable course of action to map a URL secured via JWT through to a 4-character, countable, base64 string so that we don't have to send multiple SMS if they contain this URL. I can accept that the implications might slip past one person, but the fact that this was put into a ticket by a PM, prioritized by a PO, estimated by an entire team, implemented by a professional developer, reviewed by a senior and then scheduled for release without anyone asking themselves whether there might be a reason for a security token to be long, that one shocks me.

Put away the keyboard. Think about what you're going to do, chart it out, work through the logic and then, when the entire construct is before you, you start typing.
Yes it will take longer, you're a junior, enjoy that nobody expects you to do miracles (yet) and take the time, you'll get it back when you're so used to working through logical problems that it happens on its own as soon as you hear about the problem.
Cutting corners and "hacking a quick solution" without fucking over the entire system is an art form. Before you do art, learn your damn craft.

Oh boy, I got a few. I could tell you stories about very stupid XSS vectors like tracking IDs that get properly sanitized when they come through the URL but, as soon as you go to the next page and the backend returns them, are trusted and put into the DOM unsanitized, or an error page for a wrong token / transaction ID combo that accidentally set the same auth cookie as the valid combination, but I guess the title "dumbest" would go to another one, if only for the management response to it.
Without being too precise, let's just say our website contained a service to send a formally correct email or fax to your provider to cancel your mobile contract, nice thing really. You put in all your personal information and then you could hit a button to send your cancellation and get redirected to a page that also allows you to download a PDF with the sent cancellation (including all your personal data). That page was secured by a cancellation ID and a (totally safe) 16-character-long security token.
Now, a few months ago I tested a small change on the cancellation service and noticed a rather interesting detail: the same email always results in the same (totally safe) security token...
So I tried again and sure, the token seemed to be generated from the email, well, so much for "totally safe". Of course this was a minor problem since our cancellation IDs were strong UUIDs that would be incredibly hard to brute force, right? Well, of course they weren't, they counted up. So at that point you could take an email, send a cancellation, get the token and just count down from your ID until you hit a 200 and download the PDF with all that juicy user data, nice.
Well, of course now I raised a critical ticket and the issue was fixed as soon as possible, right?
Of course not. Well, I raised the ticket, I made it critical and personally went to the CEO to make sure it's prioritized. The next day I get an email from Jira that the issue now was minor because "it's in the code since 2017 and wasn't exploited".
Well, long story short, I argued a lot and in the end it came to the point where I, as QA, wrote a fix to create a proper token because management just "didn't see the need" to secure such a "hard to find problem". Well, before that I sent them a zip file containing 84 PDFs I scraped in a night and the message that they can be happy I signed an NDA.

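The two token failures described in the rants above (a shortener collapsing a JWT into a 4-character base64 key, and a 16-character token that is a pure function of the email next to a counting cancellation ID) come down to the same defect: the secret can be recomputed or enumerated by someone who never received it. The following is an added example, not code from the rant's company or from devRant, written in Python with constructed sample data; the `weak_token` function is an assumed stand-in for the flawed design (the real generator is not on the page) and `CancellationStore` shows the kind of fix the author says they wrote: random IDs, random tokens, and a constant-time check of the pair.

```python
import hashlib
import hmac
import math
import secrets
import uuid


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a key of `length` symbols from an alphabet of `alphabet_size`.
    A 4-character base64 shortener key has 24 bits (~16.7 million values), which is
    what every JWT behind the shortener would have been reduced to."""
    return length * math.log2(alphabet_size)


def weak_token(email: str) -> str:
    """Assumed stand-in for the flawed generator: the token depends only on the email,
    so the same address always produces the same 16-character token."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def strong_token() -> str:
    """Token from the OS CSPRNG: 128 bits of entropy, unrelated to any user attribute."""
    return secrets.token_urlsafe(16)


def is_deterministic(generator, sample, trials: int = 3) -> bool:
    """The check the rant describes: generate repeatedly for the same input and see
    whether the output ever changes. True means anyone who knows the input can
    recompute the token."""
    outputs = {generator(sample) for _ in range(trials)}
    return len(outputs) == 1


class CancellationStore:
    """In-memory store (constructed for this example) that issues a random UUID plus a
    random token per cancellation and releases the record only when both match."""

    def __init__(self) -> None:
        self._records = {}

    def create(self, email: str):
        # uuid4 instead of a counter, so neighbouring IDs cannot be guessed
        cancellation_id = str(uuid.uuid4())
        token = strong_token()
        self._records[cancellation_id] = (email, token)
        return cancellation_id, token

    def fetch(self, cancellation_id: str, token: str):
        record = self._records.get(cancellation_id)
        if record is None:
            return None
        email, expected = record
        # constant-time comparison so timing does not leak how many characters matched
        if not hmac.compare_digest(expected, token):
            return None
        return email
```

Running `is_deterministic(weak_token, "alice@example.com")` reproduces the author's observation (it returns True), while the same check against `strong_token` returns False; `keyspace_bits(64, 4)` gives the 24 bits a shortener key would have offered.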
Most memorable coworker? Definitely one of our devs in the first company I worked at. He was around fifty, quirky as fuck but damn knowledgeable about pretty much everything. Think some kind of Uncle Iroh who could build his own compiler.
I haven't learned as much from university as I learned from our talks during smoking breaks. He never judged anyone for not knowing something (even really basic stuff) and was actually happy if he could help. Now, a few years later, I still find myself applying techniques for conceptualizing software he explained to me on the balcony and I have to say I wouldn't be half the dev I am today if I'd never met him, so I guess that counts as memorable.

Disclaimer: I love open source and I adore OWASP for what they do.
BUT OWASP ZAP has to be the most overly complicated, badly documented tool in existence. As long as one stays within its most basic functions everything is fine; setting it up as a proxy and even issuing a root cert for our test devices worked wonderfully simply.
Then I made the mistake of trying to actually do anything with the data we pulled and had to dive into the scripting console.
The documentation basically consists only of "This thing exists", it provides a msg object with no information about what it contains or how it's structured, has no code completion and, here comes the kicker, if the script is run and has an error it gets flagged and can't be re-enabled after the error is fixed. So I'm currently at forwarder48.groovy trying to simply store the request in a database for possible diagnostics.
So right now I already know that I'll spend most of my vacation next week trying to decipher the source, document it, fix that damn "flagged as error" bullshit and jump through a billion hoops trying to get a pull request through.

Just found the most embarrassing security hole. Basically a skeleton key to millions of user data. Names, email addresses, zip codes, orders. If the email indicates a birthdate, even more shit if you chain another vector. Basically an order ID / hash pair that should allow users to enter data AND SHOULD ONLY AUTHORIZE THEM TO THE SITE FOR ENTERING DATA. Well, what happened was that a non-matching hash/ID pair will not provide an auth token but it will create a session linked to that order.
Long story short, call URL 1, enter the foreign ID, get an error, access the order overview site, profit. Obviously a big fucking problem and I still had to run directly to our CEO to get it prioritized because product management thought a style update would be more important.
Oh, and of course the IDs are counted upwards. Making them random would be too unfair towards the poor black hats out there.

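The hole in the rant above is an ordering bug: the session gets bound to the order before the ID/hash pair is verified, and a later page trusts that binding alone. The following added example (written for this page, not the shop's code; order IDs, hashes and the session layout are constructed) puts the described flow next to the corrected one so the difference in state after a failed check is visible.

```python
import hmac
import secrets

# Constructed sample data: order id -> secret hash that was sent to the customer.
ORDERS = {
    "100042": "a3f1c9d2e8b74f60",
    "100043": "7b2e4c8d9f01a6e3",
}


class SessionStore:
    """Minimal server-side session table (constructed for the example)."""

    def __init__(self) -> None:
        self.sessions = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {}
        return sid


def login_buggy(store: SessionStore, order_id: str, given_hash: str):
    """Pattern the rant describes: the session is created and bound to the order
    *before* the hash is checked. A mismatch returns an error, but the bound
    session is left behind for any page that only looks at 'order_id'."""
    sid = store.new()
    store.sessions[sid]["order_id"] = order_id
    expected = ORDERS.get(order_id)
    if expected is None or not hmac.compare_digest(expected, given_hash):
        return sid, "error"
    store.sessions[sid]["authorized"] = True
    return sid, "ok"


def login_fixed(store: SessionStore, order_id: str, given_hash: str):
    """Verify first; only a valid pair produces a session, and the session records
    that the check passed."""
    expected = ORDERS.get(order_id)
    if expected is None or not hmac.compare_digest(expected, given_hash):
        return None, "error"
    sid = store.new()
    store.sessions[sid] = {"order_id": order_id, "authorized": True}
    return sid, "ok"


def overview_allowed_weak(store: SessionStore, sid, order_id: str) -> bool:
    """Check the overview page effectively ran: 'is this session linked to the order?'"""
    sess = store.sessions.get(sid, {})
    return sess.get("order_id") == order_id


def overview_allowed_fixed(store: SessionStore, sid, order_id: str) -> bool:
    """Require that the session was actually authorized, not merely linked."""
    sess = store.sessions.get(sid, {})
    return sess.get("order_id") == order_id and sess.get("authorized") is True
```

With `login_buggy` a wrong hash still yields a session that `overview_allowed_weak` accepts for that order; with `login_fixed` no session exists until the pair checks out, and even a valid session is only accepted for the order it was created for.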
I really miss having a team. Don't get me wrong, right now I do what I love and I got into a position where I can actually do Quality Assurance instead of just testing and I enjoy being able to actually change things instead of just repeating what problems there are and acting surprised when the same processes produce the same bugs over and over again but I really hope that we'll interview anything else than mouthbreathers soon.
I'm aware of the fact that QA isn't sexy and that few people who could become "Software ninja Rockstars" choose to go into it but can it be that hard to find at least two or three people who can write and read code at least on a junior level and understand how web protocols work? I get the feeling my entire branch is nothing but shit talkers clicking around blindly on pages.
I just want to exchange ideas again, come up with innovative tools, tweak processes, learn from and teach each other while we watch the entire operation get more and more efficient.

I guess my best aha moment was back when I learned that good code is simple code.
When I started out I wanted to prove myself by showing off how good a programmer I was (which, in retrospect, I wasn't), which basically meant using every high-level concept I was aware of whenever possible. Multithreading where linear execution would have been totally okay, polymorphism with x meta classes where a switch would have been enough, all that shit.
It wasn't until I had to guide the first person through that mess of useless ego stroking that I found out how much time and money I wasted by not going with the easiest approach that solves the problem.
Took me some time to fully lay off that attitude but it surely was one of the most influential moments of my career.

My last day at my current company and damn, I couldn't be happier. Consulting was the worst decision I ever made and from tomorrow on I'll be free.
No more lying to clients, no more pushing of horrible products, no more silence towards problems because they didn't pay for a more expensive service.
I can finally stop hating myself for my job!

Sometimes I wish I was allowed to just strangle my colleagues...
Example from the 'code base':
    try:
        do_something()
    except Exception as e:
        log(e)
        do_something()
When I asked why they would redo the same call right after it failed I was told that 'It works the second time because it takes time to raise the Exception'.
Bitch, you've got a race condition in your sensitive banking software. You know it's there. Do you really want to trust that the time needed to raise your exception will always be enough to sync that dumpster fire you call code?
Show some fucking respect for your craft and fix that shit. But of course they won't, because it will work flawlessly until it suddenly stops working. Taking down who knows what in this damn, undocumented monolith with it....
Sometimes I'm honestly afraid to trust banks with my money.

!rant
On my way to a second interview that might just liberate me from my despicable existence as a consultant.
If all goes right I get my own department and can grow an entire test automation team. So, wish me luck guys.

Honestly, mentoring is in my opinion the best part of the job. My first mentee was a student in my last job, smart af but lazy and unable to trust in herself. I wasn't really too sure of myself at the time either but since I had to teach her the craft there was no place for me to doubt myself.
So I taught her everything I knew and in turn I learned to trust myself, and once I had mastered the art of self-confidence I could make her believe in herself. Since then I've trained five more test automation engineers, some of them might be close to surpassing their 'master' (though I won't make it easy for them 😏) and with every single one I've developed a deeper understanding of my craft by explaining. I needed to research stuff I never questioned to answer their questions and therefore became better at what I do.
Three weeks ago I got an email from the girl I first mentored, she's in another company now and she thanked me for what I taught her. In my opinion I did a really bad job at it (it was my first time teaching) but reading that someone actually believes you made an impact on their life is something special.
I always loved talking about my craft and I love sharing the knowledge I acquired. Test automation is not a thankful craft but I'm always happy whenever I can interest someone in it and I fully enjoy seeing them grow and improve into fully fledged TAEs.

Right now, everything. I started at a consulting firm because I expected many new problems to tackle, solutions to develop and generally to always have a fire burning underneath my ass, but instead I always develop the same standard bullshit.
I miss the days in my old job when there was just a problem and the task to solve it. When I stared down giant amounts of data, just KNOWING that somewhere in that mess is some structure I could exploit, and that short moment of inspiration when I finally pinpointed it. The rush of endorphins when the solution became clear and everything fell into place to form a beautiful pattern amidst the chaos of test data, git commits and numpy arrays.
Now it's just "Yeah, would you just write another Selenium test suite that throws out fail or pass and wastes all the information, because the only reason I'm a test manager is because I'm too incompetent to do anything else and not my passion for the field".
The constant, mind-numbing repetition of always the same patterns, where the occasional dynamic element that becomes stale is the highlight of my work week... I would have never thought that making good money with easy work would ever get me as close to depression as it did.

I'd really like to know what kind of shit the guys at Micro Focus snorted when they developed UFT. Who in his right mind supports only VBScript? It's cumbersome, ugly and depends on a Microsoft environment, and yet it's the only way to get UFT to work.
I'm honestly looking into plane tickets to Maryland just to slap any one of those "fine gentlemen" with rusty garden chairs across their faces.

I promised a friend to have a look over his dad's website to add a small blog. No big deal, I've got it on my drive, can reuse it, just need to adapt it to the environment.
I take a look at what I'm working with and I see the most terrifying piece of "Please, take my data" code I could possibly imagine (and I've seen passwords, in plain text, in a script tag). I quote:
    function queryDB(mode, val) {
        var query = " ";
        if (mode === "findProd")
            query = "Select * from Products where ProdNam=" + val;
        ... (same shit for different cases)
        sendQuery(query);
    }
He literally built the query on the client side, sent it to a PHP script (without validation) and inserted it into the database.
You could literally call window.sendQuery with any SQL query and get the result printed into the console.
And other than the plain-text-passwords guy, this wasn't some kid someone knew, this was a "Webdesign" agency.
Now I took the entire thing offline, called my friend's dad, explained it to him and am trying to sort this out. I would not charge a good friend's father but that hack will get a quite hefty bill since my hourly rate just tripled.
And the worst thing: if I publicly name that asshole or warn the people in his portfolio I can, according to Google, be sued. (But, and I assume that's vague enough not to count as bad-mouthing, if anyone of you has a customer from Rheinland-Pfalz, Germany with a preexisting page, please have a look at the database interface.)
I will call that agency tomorrow, ask for a detailed explanation for why they apparently let trained monkeys write their code and anonymously warn everyone in their portfolio about those flaws...
I don't know if I'm cursed or if there are just that many bad devs, but it seems that once a year I have to stumble over some "mistakes" that make me question my sanity.

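The agency code quoted above lets the client assemble SQL text and the server executes it as-is. The server-side fix is the opposite split: the client may only name a mode and supply a value, and the server owns every statement and binds the value as a parameter. The following is an added example written for this page (not the agency's PHP, and the product table and rows are constructed); it uses Python's sqlite3 so the unsafe concatenation and the parameterized replacement can be run side by side offline.

```python
import sqlite3

# Constructed sample catalogue standing in for the shop's Products table.
SAMPLE_ROWS = [("Brake pad", 19.90), ("Oil filter", 7.50), ("O'Reilly manual", 24.00)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProdName TEXT, Price REAL)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_product_unsafe(conn: sqlite3.Connection, val: str):
    """The rant's pattern moved server-side: the value is spliced into the SQL text,
    so any quote inside `val` changes the statement instead of being data."""
    query = "SELECT * FROM Products WHERE ProdName='" + val + "'"
    return conn.execute(query).fetchall()


def breaks_on_input(conn: sqlite3.Connection, val: str) -> bool:
    """Diagnostic: does the concatenating version fail to parse for this value?
    A plain apostrophe in a product name is enough."""
    try:
        find_product_unsafe(conn, val)
    except sqlite3.OperationalError:
        return True
    return False


# Server-side allow-list: the client sends a mode name and a value, never SQL.
MODES = {
    "findProd": "SELECT * FROM Products WHERE ProdName = ?",
    "findCheaperThan": "SELECT * FROM Products WHERE Price < ?",
}


def query_db(conn: sqlite3.Connection, mode: str, val):
    """Hardened replacement for the quoted queryDB: `mode` selects a fixed statement
    and `val` is bound as a parameter, so it is only ever compared as data."""
    sql = MODES.get(mode)
    if sql is None:
        raise ValueError(f"unknown mode: {mode!r}")
    return conn.execute(sql, (val,)).fetchall()
```

With the concatenating version a product named `O'Reilly manual` cannot even be looked up (the statement no longer parses) and a value such as `x' OR '1'='1` returns the whole table; the parameterized `query_db` finds the apostrophe row correctly, returns nothing for the second value, and rejects any mode that is not on the allow-list.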
Around three months ago in a meeting regarding a new end2end test for a product :
PO: We have a full feature stop, only bug fixes are coming until we can unify all products.
Me : So I can use any selectors without worrying the whole thing breaks with the next update?
PO: Sure.
Last Thursday :
PO: Yeah, we gonna overhaul the entire UI with the next release to get better UX.
Why would any sane person reinvent an entire product that's already scheduled for discontinuation in 2018? And how is it possible that a few months ago nobody knew anything about it? Are they using fucking tarot cards for management decisions?

Somehow I feel like I personally owe Linus for git.
17:50 Colleague whispers "fuck" and the entire project we've worked on for the last half year responds with 404.
17:55 A quick diagnosis shows that she wrote "rm - rf ../" instead of "./" when she threw out her staging dir and thereby deleted everything.
17:58 git pull, everything is back.
18:15 everything is configured and we're up and running again.
**Alternative timeline without version control**
17:58 We start looking through Backup folders
18:20 We're fairly confident to have found the most up to date Backup in /var/backup/newback/v2/june/new/released/ and start copying back into the project directory.
19:30 Some files are missing we start patching shit up.
19:40 I realize how much work went down the drain and start strangling my colleague. The API seems to do the most important things again.
20:00 My colleague's dead body is hidden and I'm 80% confident that the tasks depending on us should run.
Next day: They didn't run. Every nightly build failed, nobody can do anything useful.
A week later: Shit's starting to work again, all lost files are replaced. Replacement for dead colleague still missing though.
It's moments like this that make you really appreciate the luxuries we have nowadays...

PMs are strange. I spend over a year to perfect a self-optimizing, state-agnostic end2end test with almost no flakiness and they're like "Yeah, nice". I write a frickin 15-line PHP script to display in which translation file a certain string is defined and they act as if I'd just walked over water.

Why does it have to be so incredibly hard to get an Nvidia card to work under Linux? The driver is available, we have the technology, but every time I try to get this damned thing to work I end up in front of a fucked X server and this stupid "Something went wrong" gdm screen, only to apt purge nvidia from my drive and start from the beginning once more.

Paranoia. Programming affected my life by making me paranoid. Creating a new account on any website that even needs rudimentary information about me has to go through quite some vulnerability testing since I've seen enough hack jobs that throw around sensitive data because they're too incompetent to follow simple must-dos.

Yesterday my father called me and asked if I'd have a look at his website to exchange his logo with a new one and make some string changes in the backend. Well, of course I did and hell am I glad I did it.
He had that page made a few years ago by some cousin of a friend who "is really good with computers", it's a small web shop for car parts and, as usual, customer accounts. Customer accounts with payment info.
Now I've seen a lot of bad practices when it comes to handling passwords and I've surely done a few questionable things myself but this idiot took the cake. When a new account was registered his PHP script would read the login page, look for a specific comment and add a string "'account; password'," below it into a JS array. In clear text. On the website. One doesn't even have to breach the DB, it's just there, F12 and you've got all the logins.
Seriously, we really need a licensing system for devs, those were two or three years this shit was live, 53 accounts... Now I've gotta decipher this entire bowl of spaghetti just to see if he has done any more unspeakable things.

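For the password handling in the rant above, the minimum bar is that the server never keeps (let alone publishes) the cleartext: it stores a salted, slow hash and verifies a login by recomputing it. The following is an added example, not the shop's code, using PBKDF2-HMAC-SHA256 from Python's standard library with a per-user random salt; the account names and passwords are constructed sample data and the `pbkdf2_sha256$iterations$salt$digest` record layout is this example's own convention.

```python
import hashlib
import hmac
import os


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Return a self-describing record: algorithm, cost, random salt and digest.
    The salt makes identical passwords hash differently; the iteration count
    makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time.
    Malformed records are treated as a failed login rather than an exception."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        cost = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Record used when the user does not exist, so unknown and known users cost the
# same amount of time to check (constructed; never matches a real password).
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def build_accounts(plain: dict) -> dict:
    """What the site should have held: account -> hash record, never the cleartext.
    `plain` is only the constructed registration input for this example."""
    return {user: hash_password(pw) for user, pw in plain.items()}


def login(accounts: dict, user: str, password: str) -> bool:
    stored = accounts.get(user)
    if stored is None:
        verify_password(password, DUMMY_RECORD)  # equalize timing, then reject
        return False
    return verify_password(password, stored)
```

Nothing in the stored records lets a reader recover the passwords, two users with the same password get different records, and a record that has been tampered with or truncated simply fails verification.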
I'm going to kill management.
After a serious migration fiasco at one of our biggest customers the platform was finally usable again (after two days instead of 10 hours) and, of course, users started to report bugs. So good old PO came in ranting that we as QA did a horrible job and basically tried to fault us for a fucked-up update (because we produced user pain, which of course not being able to log in didn't do). Among the issues: if the user has more than a hundred web pages the menu starts looking ugly, the translation to Dutch of one string on the third submenu of a widget doesn't work and a certain functionality isn't available even if it's activated.
In short, they were either not a use case or very much minor, except for that missing function. So today we've looked through the entire test code, testing lists, change logs and so on only to discover that the function was actively removed during the last major update one and a half years ago.
Now it's just waiting for the review meeting with the wonderful talking point "How could effective QA prevent something like this in the future" and throwing that shit into his face.
I mean seriously, if you fuck shit up, stand by it. We all make mistakes but trying to pin it on other people is just really, really low.

Why do I always forget how much work it is to get a new Linux machine running? One minute I'm happy with my new hardware, the next I'm cursing it because I need to get my wifi drivers from some GitHub account.

Had to work with a lazy, stupid idiot who (literally) couldn't declare an empty string. Got in via nepotism and not only were there no basics but also no willingness to improve.
Something tells me that throwing someone out shouldn't be a pleasant thing to do but hell, I'm so happy that we can finally stop carrying that piece of dead weight and get back to pure coding without having to teach Programming 101 on the side.

My first job as a '"dev"' (I really need some kind of super quotation mark for this).
I was young and too stupid to know how stupid I really was. I jobbed at a small recruiting firm and one day my boss complained about her database system and that she needed to hire a student to remake it. Suffering from the problem of being too incompetent to even recognise I'm incompetent, I obviously offered my services as a python wizard, I mean I could write a program that saves Fibonacci numbers to a CSV file, how much more could there possibly be? Fast forward two months and I proudly presented a GUI written in VB (it had a WYSIWYG GUI editor) that was loosely frankensteined onto a bunch of copy-pasted-together python scripts running on a Windows Server. No web interface, just accessible via VNC. It was slow, sluggish and so ugly but it worked and did exactly what she wanted it to do. Sure, the database was a bunch of CSV files but nonetheless, to say it in PM, it resolved the user story. I quit shortly after because of her tendency to not pay the last bill after something was done (and tbh I deserved it) but she never removed my account from the server. So I copied my "magnum opus" from there... Let's just say whenever I look back at it I feel ashamed and yet it serves as a reminder to never be content with how good you are.

Today I had the pleasure of adding a feature to our intranet service written by two of my colleagues, since they suffer from severe Unix dyslexia. One of them was sick so I sat down with the other one and somehow he didn't know how to interpret the output, how to correctly call it from the terminal or even which parameters are needed for it to work, so I had to try and decipher their code.
How can one work on something for a month and not know anything about it?

Worst experience with CS profs? Oh boy....
Databases lab: "You'll need to work off this snippet, if your IDE tells you it's deprecated you don't need to care about it"
If you want to imagine the quality of the code base we were expected to work upon just think about that attached xkcd comic, basically an undecipherable black box.
The instructions were at the same time micromanaging everything (he gave us frickin variable names to use, and no good ones, no, the database connection had to be called datbc, yeah, very descriptive) and yet so obfuscated that I'm not completely sure he didn't resurrect Kant himself to ghostwrite for him.
He also didn't like us to use any Java feature that was too 'modern', for example for-each loops since "they offer no benefit over normal for loops".
Further, everything we wrote had to be documented with a relationship diagram and a UML diagram. So far no problem, if he hadn't invented his own flavor of both (which can be read about in his book).
Oh, and he almost failed me because I used a lambda expression in his 'code on paper' exam and, since "arrows are a C command", I "must have been confused"... which is glorious coming from the guy who can't get operators and commands straight.

Just wrote a script that takes anything correctly tagged and pushed to master from GitLab, pushes it to the server, builds a jar and creates a Docker image from it. On the one hand I'm happy that I don't have to do it by hand anymore, on the other hand I get the feeling I'm automating myself out of a job...

Which misanthropic, terrible, perverse excuse for a dogfucker decided that damned non-breaking spaces (SPACES!) return false on isWhitespace? It's in the name, space, it's white, it's a fucking white space, a whitespace if you will, so who do I have to kill for wasting two damned hours of my life trying to parse away those bastards?

Never again will I use Eclipse's EGit extension. First Eclipse thought that my plain text Java source code should be encoded in some bizarre occult way which made Eclipse think it's binary, which made me try pretty much anything one can do with a .gitattributes file before a colleague suggested not trusting Eclipse with the encoding it was explicitly told to use; then I fetched another branch to merge them, which somehow killed my .project file and forced me to delete and refetch the whole thing, which led to Eclipse no longer recognizing it as a Java project. May it be because I'm too stupid to use my tools? Yeah, probably. But I'm done with EGit, it's all console gitting from now on, fuck suggested practice.