Loading...

Follow The Daily WTF | Curious Perversions in Informat.. on Feedspot

Continue with Google
Continue with Facebook
or

Valid

I’ve been a big fan of the work Code and Supply has been doing for years, with their focus on building a community for developers, starting in Pittsburgh and expanding their sights. We’ve co-sponsored a number of events, and I’ve personally found jobs and made friends through the organization.

Their first Abstractions conference, in 2016, was easily one of the best conferences I’ve seen, and they’re bringing it back for 2019.

In addition to a great list of featured speakers, there will be a massive slew of sessions, including two involving yours truly. Neither of them are WTF-related, but I promise, they’re both weird and exciting- one on using small amounts of Python to make weird sounds, and one on how improv comedy skills and exercises can help make you a better developer.

It’s also one of the more affordable conferences, and it’s in a great town. I hope to see you there!

[Advertisement] Forget logs. Next time you're struggling to replicate error, crash and performance issues in your apps - Think Raygun! Installs in minutes. Learn more.
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

"I do my best at teaching my children the basics in life, but then 'educational' toys like this one get in my way," Roger G. writes.

 

"Buying the new CD by English concertina whizz Rob Harbron, I found myself with an interesting selection of 'shipping states'; have the English counties of Middlesex and Wiltshire attained nation status whilst I wasn't paying attention?" wrote Steve M.

 

Drew W. writes, "A brewery in western Maryland loves its beer so much they created a new date just for it!"

 

"This touch screen at the Dr Seuss Museum works great...just as long as you don't press for too long," wrote Mike R. wrote.

 

Mike R. also writes, "Hotwire is further proving the validity of the old saying that the more things change, the more they stay the same."

 

"Not sure what/where 'dma' is, but it appears to be somewhere in the United States", William B. writes.

 

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Many years ago, Chris B. worked for a company that made CompactPCI circuit boards. When the spec for hot-swappable boards (i.e., boards that could be added and removed without powering down the system) came out, the company began to make some. Chris became the designated software hot-swap expert.

The company bought several expensive racks with redundant everything for testing purposes. In particular, the racks had three power supply units even though they only required two to run. The idea was that if one power supply were to fail, it could be replaced while the system was still up and running. The company also recommended those same racks to its customers.

As part of a much-lauded business deal, the company's biggest-spending customer set up a lab with many of these racks. A short while later, though, they reported a serious problem: whenever they inserted a board with the power on, it wouldn't come up properly. However, the same board would initialize without issue if it were in place when the system was first started.

Several weeks slipped by as Chris struggled to troubleshoot remotely and/or reproduce the problem locally, all to no avail. The customer, Sales, and upper management all chipped in to provide additional pressure. The deal was in jeopardy. Ben, the customer's panicked Sales representative, finally suggested a week-long business trip in hopes of seeing the problem in situ and saving his commission the company's reputation. And that was how Chris found himself on an airplane with Ben, flying out to the customer site.

Bright and early Monday morning, Chris and Ben arrived at the customer's fancy lab. They met up with their designated contact—an engineer—and asked him to demonstrate the problem.

The engineer powered up an almost empty rack, then inserted a test board. Sure enough, it didn't initialize.

Chris spent a moment looking at the system. What could possibly be different here compared to our setup back home? he asked himself. Then, he spotted something that no one on the customer side had ever mentioned to him previously.

"I see you only have one of the three power supplies for the chassis in place." He pointed to the component in question. "Why is that?"

"Well, they're really loud," the engineer replied.

Chris bit back an unkind word. "Could you humor me and try again with two power supplies in place?"

The engineer hooked up a second power supply obligingly, then repeated the test. This time, the board mounted properly.

"Aha!" Ben looked to Chris with a huge grin on his face.

"So, what was the issue?" the engineer asked.

"I'm not a hardware expert," Chris prefaced, "but as I understand it, the board draws the most power whenever it's first inserted. Your single power supply wasn't sufficient, but with two in there, the board can get what it needs."

It was almost as if the rack had been designed with this power requirement in mind—but Chris kept the sarcasm bottled. He was so happy and relieved to have finally solved the puzzle that he had no room in his mind for ill will.

"You're a miracle-worker!" Ben declared. "This is fantastic!"

In the end, functionality won out over ambiance; the fix proved successful on the customers' other racks as well. Ben was so pleased, he treated Chris to a fancy dinner that evening. The pair spent the rest of the week hanging around the customer's lab, hoping to be of some use before their flight home.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Consuela works with a senior developer who has been with the company since its founding, has the CEO’s ear, and basically can do anything they want.

These days, what they want to do is code entirely locally on their machine, hand the .NET DLL off to Consuela for deployment, and then complain that their fancy code is being starved for hardware resources.

Recently, they started to complain that the webserver was using 100% of the CPU resources, so obviously the solution was to upgrade the webserver. Consuela popped open ILSpy and decompiled the DLL. For those unfamiliar with .NET, it’s a supremely decompilable language, as it “compiles” into an Intermediate Language (IL) which is JIT-ed at runtime.

The code, now with symbols reinserted, looked like this:

private static void startLuck()
{
    luck._timer = new Timer(30000.0);
    luck._timer.Elapsed += delegate
    {
        try
        {
            luck.doFiasco().ConfigureAwait(true);
        }
        catch (Exception)
        {
        }
    };
    luck._timer.Enabled = true;
    luck._timer.Start();
    Console.WriteLine("fabricating...");
    Console.WriteLine(DateTime.UtcNow);
    while (true)
    {
        bool flag = true;
    }
}

The .NET Timer class invokes its Elapsed delegate every interval- in this case, it will invoke the delegate block every 30,000 milliseconds. This is not an uncommon way to launch a thread which periodically does something, but the way in which they ensured that this new thread never died is… interesting.

The while (true) loop not only pegs the CPU, but it also ensures that calls to startLuck are blocking calls, which more or less defeats the purpose of using a Timer in the first place.

Consuela pointed out the reason this code was using 100% of the CPU. First, the senior developer demanded to know how she had gotten the code, as it was only stored on their machine. After explaining decompilation, the developer submitted a new DLL, this time run through an obfuscator before handing it off. Even with obfuscation, it was easy to spot the while (true) loop in the IL.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Oliver Smith stumbled across a small but surprising bug when running some automated tests against a mostly clean code-base. Specifically, they were trying to break things by playing around with different compiler flags and settings. And they did, though in a surprising case.

bool long_name_that_maybe_distracted_someone()
{
  return (execute() ? CONDITION_SUCCESS : CONDITION_FAILURE);
}

Note the return type of the method is boolean. Note that execute must also return boolean. So once again, we’ve got a ternary which exists to turn a boolean value into a boolean value, which we’ve seen so often it’s barely worth mentioning. But there’s an extra, hidden assumption in this code- specifically that CONDITION_SUCCESS and CONDITION_FAILURE are actually defined to be true or false.

CONDITION_SUCCESS was in fact #defined to be 1. CONDITION_FAILURE, on the other hand, was #defined to be 2.

Worse, while long_name_that_maybe_distracted_someone is itself a wrapper around execute, it was in turn called by another wrapper, which also mapped true/false to CONDITION_SUCCESS/CONDITION_FAILURE. Oddly, however, that method itself always returned CONDITION_SUCCESS, even if there was some sort of failure.

This code had been sitting in the system for years, unnoticed, until Oliver and company had started trying to find the problem areas in their codebase.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Andrew H sends a line that isn't, on its own, terribly horrifying.

Utilities.isTestEnvironment = !"prd".equals(environment);

The underlying reason for this line is more disturbing: they've added code to their product which should only run in the test/dev environments. Andrew doesn't elaborate on what that code is, but what it has done is created situations where they can no longer test production behavior in the test environment, as in test, the code goes down different paths. Andrew's fix was to make this flag configurable, but it reminds me of some code I dealt with in the bad old days of the late 2000s.

The company I was with at the time had just started migrating to .NET, and was stubbornly insistent about not actually learning to do things correctly, and just pretending that it worked just like VB6. They also still ran 90% of their business through a mainframe with only two developers who actually knew how to do anything on that system.

This created all sorts of problems. For starters, no one actually knew how to create or run a test environment in the mainframe system. There was only a production environment. This meant that, by convention, if you wanted to test sending an invoice or placing an order, you needed to do the following:

  1. Get one of the two mainframe developers on the phone
  2. Prep the invoice/order in your application, and make sure the word "TEST" appears in the PO number field
  3. Make sure you're not near one of the mainframe processing windows which will automatically submit the invoice/order
  4. Submit the order
  5. Wait for the mainframe developer to confirm it arrived
  6. The mainframe developer deletes it before the next processing window

Much like in Andrew's case, our new .NET applications needed to not talk to the mainframe when in test, but they needed to actually talk to the mainframe in production. "Fortunately" for us, one of the first libraries someone wrote was an upgrade of a COM library they used in Classic ASP, called "Environment". In your code, you just called Environment.isProd or Environment.isTest, as needed.

I used those standard calls, but I didn't think too much about how they worked until I needed to test invoice sending from our test environment. You see, normally, changes to invoice processing would be quickly put in production, tested, and then reverted. But this change to invoice processing needed to be signed off on before the end of the month, but we were in the middle of month-end processing, which is when the users were hammering the system really hard to get their data in before the processing deadline.

So, I said to myself, "I mean, the Environment library must just be looking at a config flag or something, right?"

Well, sort of. You see, when any new server was provisioned, a text file would get dropped in C:\env.txt. It contained either "PROD" or "TEST". The Environment library just read that file when your application launched, and set its flags accordingly.

Given the choice of doing a quick custom build of Environment.isProd which always was true, or fighting with the ops team to get them to change the contents of the text file, I took the path of least resistance and made a custom build. Testing proceeded, and eventually, I managed to convince the organization that we should start using the built-in .NET configuration files to set our environment settings.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

"Searching for 'Pink Tile Building Materials' in Amazon results in a few 'novelty' items sprinkled in, which, to me, isn't a huge surprise," Brian G. wrote, "But, upon closer inspection...professional installation you say?"

 

"Well, at least they're being honest," Josh wrote.

 

Brian writes, "You know, I wonder if 'date math' would qualify as business technology? If it doesn't, they should probably make an exception."

 

"Spotted in Belgium, I can only assume this is Belgian for 'Lorem Ipsum'," writes Robin G.

 

Wouter writes, "Cool! Mozilla has invented time travel just to delete this old Firefox screenshot."

 

"To cancel or...cancel...that is the question...really...that's the question," Peter wrote.

 

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Today, we have the special true confession from Bruce, who wrote some bad code, but at least knows it’s bad.

Bruce is a C# developer. Bruce is not a web developer. Someone around the office, though, had read an article about how TypeScript was closer to “real” languages, like C#, and asked Bruce to do some TypeScript work.

Now, in C# parlance, your key/value pair data-structure is called a Dictionary. So, when Bruce got stuck on how to store key/value pairs in TypeScript, he googled “typescript dictionary”, and got no useful results.

Disappointed, Bruce set out to remedy this absence:

export class KeyValuePair<TKey,TValue> {
    Key: TKey;
    Value: TValue;
    constructor (key: TKey, value: TValue) {
        this.Key = key;
        this.Value = value;
    }
}
export class Dictionary<TKey, TValue>{
    private Collection: Array<KeyValuePair<TKey, TValue>>
    private IndexMap: Map<TKey, number>
    private index: number;
    public tryAdd(key: TKey, value: TValue): boolean {
        if (this.containsKey(key)) {
            return false;
        } else {
            var kv = new KeyValuePair(key, value);
            this.IndexMap.set(kv.Key, this.Collection.push(kv) - 1);
            return true;
        }
    }
    public tryRemove(key: TKey): boolean {
        var i = this.indexOf(key);
        if (i == -1) {
            return false;
        } else {
            this.Collection.splice(i, 1);
            this.reMap(i, key);
            return true;
        }
    }
   public indexOf(key: TKey): number {
        if (this.containsKey(key)) {
            return this.IndexMap.get(key);
        } else {
            return -1;
        }
    }
    public containsKey(key: TKey): boolean {
        if (this.IndexMap.has(key)) {
            return true;
        } else {
            return false;
        }
    }
   private reMap(index: number, key: TKey) {
        this.index = index;
        this.IndexMap.delete(key);
        this.IndexMap.forEach((value: number, key: TKey) => {
            if (value > this.index) {
                this.IndexMap.set(key, value - 1);
            }
        });
    }

//the rest is recreating C# dictionary methods: getKeys(),getValues(), clear(), etc.
}

The dictionary implementation stores an array of key/value pairs. Now, it’d be expensive to have to search every item in the collection to find the appropriate key/value pair, so Bruce knew he needed to find a way to map keys to values. So he used a Map to store pairs of keys and indexes within the array.

He spent an entire afternoon coding this masterpiece before realizing that Maps stored key/value pairs… just like a dictionary.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Gary works at a medium company. Big enough that workers are specialized in their duty, but small enough to know people in other departments and to make turf wars a little more close and personal: danger close. Most of the departments see themselves as part of a team, but a few individuals see themselves as McCarthy, who will themselves alone save the company and defeat the enemies (who are all spies inside the company sent to destroy it from the inside).

One of these individuals is named Eric. Eric is close to a Kevin. Eric is the front-end developer, and neither likes nor cares about what happens on the backend. Whenever Eric has an issue, he blames the backend. CSS rendering glitch? Backend problem. Browser crash? That’s the backend problem. Slow UI, even when all the data is cached clientside? Definitely a backend problem. Gary used to get mad, but now knows that Eric is so dumb that he doesn’t even know how dumb he is.

Eric grates on people’s nerves. Since nothing is his problem, he doesn’t seem to have any work, so he bugs backend developers like Gary with terrible jokes. A typically Eric joke:

“Do you know why they call back end developers back end,” Eric asked.
“No?” Gary questioned
“Because you look like your back end!”
“ …?…ha”

Another typically Eric joke is taping up backend developer work in progress on the men’s restroom stall. Gary knows it was Eric, because he came to ask the connection details for the color printer (the printer nearest Eric is grayscale only).

The first telling is almost funny. The second telling is less so. The 100th joke while Gary is trying to debug a large Perl regex, and Gary is less inclined to be sympathetic.

Eric and Gary have had in a couple danger close incidents. The first time involved an issue where Eric didn’t read the api naming conventions. He wrote front-end code with a different naming convention, and insisted that Gary change a variable name in the API. That variable is referenced twice on his front end and and in over 10,000 lines of backend code.

The most recent danger close incident involved the Big Boss. The Big Boss knows how Eric can be, so he generally gives Eric some time to find out the problem, but features need to ship. Eventually, the Big Boss calls a meeting.

“Hey Gary, Eric, I don’t know whose fault it is, but when I log in as a superuser, log out and log back in as a limited user, I still see data for a superuser. This is an information security issue. Now I’m not sure which part is causing this, but would you know?” asked Big Boss.

“I’m sure it’s the backend.,” Eric proclaimed.

“100% sure it’s a backend issue?,” the Big Boss asks to help give Eric an out.

“I only display what the backend returns. It must be what they are returning to me and not checking the user credentials,” Eric stated as the law of the universe. This recalled another joke of his: the front end is a pipe to the backend and the backend is the crap that the developers put into it.

“So you are positive that it’s a back end issue,” Big Boss asked.

“I mean I can even show you right now how to test it. If I’m sending different identities to the backend, then the backend should reply with different sets of data,” said Eric.

Eric grabbed the boss’s mouse and started clicking around on his computer. After a moment, he started shouldering the boss further away from his computer.

“Aha, See? It’s definitely different identities, but we see the same set of data, which as I’ve said is FROM THE BACKEND. You have to fix the backend, Gary,” Eric said.

Gary watched this, silently. He already knew exactly what was happening, and was just waiting to hang Eric out to dry. “Hey boss, can you try a couple things? Can you disable the browser cache and refresh the page?”

The Boss cleared and disabled the cache and refreshed. The Boss logged back in several more times, under different identities, and everything was correct. They re-enabled the cache, and the buggy behavior came back in. Clearly, the front-end was configured to aggressively cache on the client side, and Gary said as much.

“But it needs to be that way for performance…,” whined Eric. “Because the backend is so slow!”

“Well, it fixes the issue,“ the Big Boss said. ”So, Eric fix that front-end caching issue please."

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Keith H’s boss came by his cube.

“Hey, you know how our insurance quote site has TLS enabled by default?”

“Yes,” Keith said. The insurance quote site was a notoriously kludgy .NET 4.5.1 web app, with no sort of automated deployment and two parallel development streams: one tracked in Git, and one done by editing files and compiling right on the production server.

“Yes, well, we need to turn that off. ‘Compliance reasons’.”

This created a number of problems for Keith. There was no way to know for sure what code was in Git and what was in production and how they didn’t match. Worse, they relied on reCAPTCHA, which required TLS. So Keith couldn’t just turn it off globally, he needed to disable it for inbound client connections but enable it for outbound connections.

Which he did. And everything was fine, until someone used the “Save as PDF” function, which took the page on the screen and saved it as a PDF to the user’s machine.

protected void btnInvoke_Click(object sender, EventArgs e)
        {
            var url = util.getUrl("Quote", "QuoteLetterPDF.aspx");
            url = url + "?QuoteId=" + hdnCurrentQuoteId.Value;
            var pdfBytes = UtilityManager.ConvertURLToPDF(url);
            // send the PDF document as a response to the browser for download
            var response = HttpContext.Current.Response;
            response.Clear();
            response.AddHeader("Content-Type", "application/pdf");
            response.AddHeader("Content-Disposition",
                String.Format("attachment; filename=QuoteLetter.pdf; size={0}", pdfBytes.Length));
            response.BinaryWrite(pdfBytes);
            // Note: it is important to end the response, otherwise the ASP.NET
            // web page will render its content to PDF document stream
            response.End();
        }

public static byte[] ConvertURLToPDF(string url)
        {
            // ...redacted for brevity
            byte[] pdfBytes = null;
            var uri = new Uri(url);
            var encryptedParameters = Encrypt(uri.Query);
            var encryptedUrl = uri.Scheme + "://" + uri.Authority + uri.AbsolutePath + "?pid=" + encryptedParameters;
            var htmlData = GetHtmlStringFromUrl(encryptedUrl);
            pdfBytes = pdfConverter.GetPdfBytesFromHtmlString(htmlData);
            return pdfBytes;
        }

 public static string GetHtmlStringFromUrl(string url)
        {
            string htmlData = string.Empty;
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
            System.Net.ServicePointManager.ServerCertificateValidationCallback =
        ((sender, certificate, chain, sslPolicyErrors) =>
        {
            return true;
        });
            var response = (HttpWebResponse)request.GetResponse();
                if (response.StatusCode == HttpStatusCode.OK)
                {
                    Stream receiveStream = response.GetResponseStream();
                    StreamReader readStream = null;
                    if (response.CharacterSet == null)
                    {
                        readStream = new StreamReader(receiveStream);
                    }
                    else
                    {
                        readStream = new StreamReader(receiveStream, Encoding.GetEncoding(response.CharacterSet));
                    }
                    htmlData = readStream.ReadToEnd();
                    response.Close();
                    readStream.Close();
                }
            return htmlData;
        }

It’s a lot of code here. btnInvoke_Click is the clearly named “save as PDF button” callback handler. What it does, using ConvertURLToPDF and GetHtmlStringFromUrl is… send a request to a different ASPX file in the same application. It downloads the HTML, and then passed the HTML off to a PDF converter which renders the HTML into a PDF.

For reasons which are unclear, it encrypts the parameters which it's passing in the query string. These requests never go across the network, and even if they did, it's generally more reasonable to pass those parameters in the request body, which would be encrypted via TLS.

And it does send this request using TLS! However, as Keith disabled support for incoming TLS requests, this doesn’t work.

Which is funny, because TLS being disabled is pretty much the only way in which this request could fail. An invalid certificate wouldn’t, because of this callback:

            System.Net.ServicePointManager.ServerCertificateValidationCallback =
        ((sender, certificate, chain, sslPolicyErrors) =>
        {
            return true;
        });

Keith re-enabled TLS throughout the application, “compliance” reasons be damned.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!
Read Full Article

Read for later

Articles marked as Favorite are saved for later viewing.
close
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Separate tags by commas
To access this feature, please upgrade your account.
Start your free month
Free Preview