I’ll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button and it reaches out to a database and pulls all the data following that matches those parameters. The horrors of this were 1. The queries were hard coded.
-
They were stored in a configuration file, in xml format.
-
The queries were not 1 entry. It was 4, a start, the part between start date and end date, the part between end date and system and then the end part. All of these were then concatenated in the program intermixed with variables.
-
This was then sent to the server as pure sql, no orm.
-
Here’s my favorite part. You obviously don’t want anyone modifying the configuration file so they encrypted it. Now I know what you’re thinking at some point you probably will need to modify or add to the configuration so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt but there were no visible buttons to access those functions. The program was written in winforms. You had to open the program in visual studio, manually expand the size of the window(locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.
This one is funny because it 100% still exists somewhere, but I haven’t had the chance to verify it again.
Okay so basically its a data recorder box (ex: brainbox) that connects to a bunch of industrial sensors and sends the data over the network with your preferred method.
Builtin firmware gives you an HTTP webui to login and configure the device, with a user # and password.
I think the user itself had a builtin default admin which was #0, which everyone uses since there wasn’t really much use for other users.
Anyway, I was looking at the small JS code for the webui and noticed it had an MD5 hashing code that was very detailed with comments. It carefully laid out each operation, and explained each step to generate a hash, and then even why hashes should be used for passwords.
Here’s the kicker: It was all client side JS, so the login page would take your password, hash it, and then send the hash over plaintext HTTP POST to the server, where it would be authenticated.
Meaning you could just mitm the connection to grab the hash, and then login with the hash.
I sat there for like 10 minutes looking at the request over and over again. Like someone was smart enough to think “hey let’s use password hashing to keep this secure” and then proceeded to use it in the compleltly wrong way. And not even part of like a challenge/handshake where the server gives you a token to hash with. Just straight up MD5(password).
It was so funny because there were like a hundred of these on a network, so getting a valid hash was laughably easy.
I never got to check if this was fixed in a newer firmware version.
The C++ code went something like this:
- Conver pointer to int
- Serialize the int over IPC to self using Linux Message Queues
- Delete/free the pointer
- Read the int from the queue
- Convert to pointer
- “Use” the pointer
Only reason I can think to do that is to “verify” the data in the pointer is not null/empty and is a valid int???
There are much better ways to do that but I can’t think of any other intent the programmer had.
Ok so this one is someone trying to move to “the cloud.”
They had a database they used. It was on a server in the office. We were tasked to clone the db server to a hosted VM. Due to order of creation this got put on a new host without anything yet on it.
They needed a site to site VPN to keep privacy, that was all fine. However after the clone and during testing, their guy there said that this one part was really slow. We take a look and everything is good with performance of the server and of the VPN. I have to pop on to take a look.
It was in an office app and written in VB. (I forgot which one.) It was indeed slower on the hosted server. So I took a look at the function (he got it up for me) and I could instantly tell the issue.
This part was a lookup page that searched for you input. The function retrieved the entire table, then filtered the results in the client. I explained that transferring the whole table over the internet would be slower than on the local lan.
This guy said he originally wrote this, but “forgot VB.”
In the end they decided not to update the app or keep the server in the office, but instead they rented some VDIs in the same data centre as the db.
Sounds like he didn’t have much to forget
I saw a talk recently, I can find the video if you like but pretty sure it was the most recent ND conference, where they made the point that a lot of lack of efficiency in modern code is because of large companies. Basically in alot of cases it’s more important to get a product out ASAP then to care if it was well done. Ok, a poorly written program may cost an extra $10,000 a month to run but if it earns them a million a month and saves 6 months of development time it pays for itself and they can eat the cost.
This seems like the case with renting vdis instead of fixing the program.
Lots. But one that springs to mind is a custom CMS where a new dev decided to print out the sql generated for a particular content type on paper. He took it to the CTO without comment.
What was wrong?
It was 12 pages.
Am I reading that right, that he printed out the generated sql query?
If so depending on context that may make sense to complain about. A 12 page sql query would be insane, something sounds like their are other issues.
That said I probably wouldn’t go to cto, I would go to manager or a senior dev and ask why it was so complex to get a particular content type. If there were no performance issues or bugs I would just ask out of curiosity.
There was something like
# sleep for about a second on modern processors math.factorial(10000)After it was found we left it in the code but commented out along with a
sleep(1)for posterity.In the readme: if you want this program to be usable, press the turbo button until the turbo light is OFF.
That’s atleast pretty creative
Whatever is happening in Monster Hunter Wilds.
Private key for a third-party API hard-coded into the front-end web app
Weather forecasting software that maintains a linked list. When it eventually freed the memory used by the list, it would walk to the end of the list and free the last item. Then it would go back to the beginning of the list and do it again - rinse and repeat. Wonder why it was having performance issues 🙄
What were they storing in the linked list?
A program that HR had built so that all employees could they their payment receipts online
The username was the companies’ email address, the password was a government personal id code that you can lookup online, a don’t change, and you can’t update the password to something else.
So I told the director of HR this was a bad idea. She told me I was overreacting until I showed her her own receipt, then she finally understood that this is a really fucking bad idea.
Okay, so now she out me in charge of debugging that program.
So I setup a meeting with the director of the company they hired, he came by with the developer: a 21 yo girl who I think hadn’t finished college yet. Great start! Apparently it was her idea to do the authentication like that so that explains a few things.
So we dive in to the code.
First of all, the “passwords” were stored in blank, no hashing, no encryption, nothing. That wasn’t the worst.
For the authentication she made a single query to check if the user email existed. Of that was true, then step two was a second query to see if the password existed. If that were true, the email had been authenticated.
So let’s say, hypothetically, that they had actual passwords that people could change… I could still login with the email from anyone, and then use MY OWN password to authenticate.
This just blew my mind so hard that I don’t think I ever fully recovered, I still need treatment. The stupidity hurts
I wouldnt blame that on stupidity as much as on ignorance and naivety. Many people simply don’t think about anybody deliberately misusing their design. The idea that somebody could even want to access somebody elses receipts didn’t occur to them. And if they were still doing their studies they might not have known that you can “combine” SQL queries and ask for two things at once.
I don’t blame the girl, but whoever chose her to design a system with sensitive information.
Doesn’t that mean that your encryption algorithm and key is stored inside the code?
And since you are opening the code in Visual Studio anyway, just follow the function called by the “Decrypt” button, copy the function into another project and now you have a decryptor.I believe so but I don’t remember the exact encryption algorithm and don’t have access to the code anymore.
This was the same place that had a 500 line file named glob_vars.cs which you can guess the content of because “passing around variables cause memory leak issues”.
So this is not as bad as some of the other stories I’ve seen, but I’ll bite.
It was an old .NET Framework MVC app. Some internal product management system or something. There was a need to do a PDF export in one of the use cases, so someone implemented it. It wasn’t a good implementation: one big controller, mixing UI and business logic, etc. However, it basically came down to a single private method in a specific controller for a page.
Now time passes and lo and behold, we need a PDF export in another page for a different use case. “No problem,” - same dev, probably - “I already solved this problem. I’ll just reuse the PDF generation logic.”
Now, any sane person would probably try to refactor the code responsible for PDF stuff into a separate service (class) and reuse it. A less sane, but somewhat, acceptable approach would have been to just copy paste the thing into another controller and call it a day.Ha! No no no no no no… Copy pasting is bad, code should be reused…
The end solution: REFLECTION. So the dev decided that the easiest way to make it work was to: 1) use reflection to inject one controller into another; 2) then use reflection again to get access and call that private method for PDF rendering into a stream.
Fortunately I didn’t have to fix that fragile mess. But I did my fair share of DevExpress corpse hacking and horrible angular “server side rendering” workarounds.
The architect sending a pointer over an API, in hexadecimal string format. char *c = “71E4F33B” just cast it on the right structure bro.
Just to add, we only did C/C++, on windows mfc, in a monolithic software.
I spent quite some time assuring myself that I was not the insane person before bringing it up with him.
Mine was very much like that, but they also deleted the pointer after sending it, but before receiving it for good measure.
A memory pointer? So it must have been a program sending a pointer using an API to itself so it ends up in the same process again?
A raw memory pointer.
XML-DOM page templates stored in a database, line by line.
So rendering a page started with:
select * from pages
where page_id = ‘index’
order by line_number asc;
Each line of XML from each record was appended into a single string. This string was then XSLT transformed to HTML, for every page load.
This has to be one of the worst ways to reinvent a filesystem that I’ve ever heard. At the very least, storing static data in an relational database at this scale should be a slappable offense.
The session data, that would have been fantastic to have in a relational, queryable, reliable and trustable format was stored as a single giant string of PHP pickled data structure in a session file associated with the users cookie id.
This sentence has made me violently ill. Please take it back.
For anyone who knows and understands Android development, process death, and saved state…
The previous dev had no understanding of any of it, and had null checks with returns or bypassing important logic littered all over the app, everywhere.
I could only assume he didn’t understand how all these things were randomly null or why it was crashing all the time so he thought oh, i’ll just put a check in.
Well, you minimize that app for a little bit, reopen it, and every screen was fucked visually and unusable, or would outright crash. It was everywhere. This was before Google introduced things like view models which helped but even then for awhile weren’t a full solution to the problem.
It was many many months of just resolving these problems and rewriting it the correct way to not have these problems.
Oh I remember. There are tons of events and associated handlers. Even just switching to landscape view stops and restarts an android view I think. Friends at uni handled that problem by disallowing landscape view instead of handling it hahah
Friends at uni handled that problem by disallowing landscape view instead of handling it hahah
😭
Such a tragic and common ‘solution’ because it doesn’t actually solve it, it just delays it until someones minimizes the app for 30 minutes and re opens it, or one of the many many other ways that also trigger it.
I’ve had some apps that I do lock to portrait, but I would disable that flag on debug builds, since rotating the phone was the easiest way to test for some of those bugs. I didn’t worry about a good looking UI since it’d be locked in portrait, I just used it to test for bugs.
I don’t have any specific examples, but the standard of code is really bad in science. I don’t mean this in an overly judgemental way — I am not surprised that scientists who have minimal code specific education end up with the kind of “eh, close enough” stuff that you see in personal projects. It is unfortunate how it leads to code being even less intelligible on average, which makes collaboration harder, even if the code is released open source.
I see a lot of teams basically reinventing the wheel. For example, 3D protein structures in the Protein Database (pdb) don’t have hydrogens on them. This is partly because that’ll depend a heckton on the pH of the environment that the protein is. Aspartic acid, for example, is an amino acid where its variable side chain (different for each amino acid) is CH2COOH in acidic conditions, but CH2COO- in basic conditions. Because it’s so relative to both the protein and the protein’s environment, you tend to get research groups just bashing together some simple code to add hydrogens back on depending on what they’re studying. This can lead to silly mistakes and shabby code in general though.
I can’t be too mad about it though. After all, wanting to learn how to be better at this stuff and to understand what was best practice caused me to go out and learn this stuff properly (or attempt to). Amongst programmers, I’m still more biochemist than programmer, but amongst my fellow scientists, I’m more programmer than biochemist. It’s a weird, liminal existence, but I sort of dig it.
