Calling all the Visual Basic snitches: Keep quiet about it and so will he...

If it's Monday, then it must be time for another jaunt to the hallowed confessional of Who, Me? where Register readers confess their, or their co-workers', deepest darkest sins. Today's story concerns the acquaintance of a reader. Having stuck a hand in The Register's big bag 'o pseudonyms, we shall call the miscreant "Ron". …

  1. Simple Simon

    Sounds Awful

    Sounds awful - but isn't that pretty much how the whole software-as-a-service thing, and indeed the automatic-update thing of today works? You will be updated, whether you like it or not...

    1. Steve Cooper

      Re: Sounds Awful

      Yeah. The likes of Azure run on a 36 hour release cycle. Something that you're using might simply not work tomorrow. That's "cloud" and "progress" for you :)

      1. sabroni Silver badge

        Re: Something that you're using might simply not work tomorrow.

        Wouldn't want to spoil the bitching but the corollary of your point is that something that is broken today might simply be fixed tomorrow. That's also "cloud" and "progress" for you.

        1. Stevie

          Re: something that is broken today might simply be fixed tomorrow.

          But why would anyone sell me software that is broken or can't do what it says on the side of the box it came in?

          And why would anyone update software they sold me that was working properly?

          I begin to suspect that the entire post-internet software business model is fundamentally flawed.

          Tsk! Late binding, dynamic linking and silent downloading, eh?

          1. John Brown (no body) Silver badge

            Re: something that is broken today might simply be fixed tomorrow.

            I begin to suspect that the entire post-internet software business model is fundamentally flawed.

            FTFY

            The difference pre-internet was that you might never actually get patches for the broken stuff you bought until you bought the newly released version.

            1. Stevie

              Re: something that is broken today might simply be fixed tomorrow.

              Only if you insisted on running your enterprise on toy computers.

              When I took my first look at a DEC Alpha after being spoiled by years working on 1100/2200 series Unisys machines I was appalled that the man pages listed known bugs in commonly used utilities - that were 20 years old by that point. Even ICL (bless their oft-darned cotton socks) could do better than that.

              It was the push to internet-enabled updating that fueled the "ship any old crap and fix it in 1.1" attitude that is the standard operating procedure of all software companies, it seems.

              It was dynamic linking that enabled and continues to enable the malware merchants who can change the fundamental way one's legacy software works overnight with no warning they have done so.

              It is late binding that makes all this easier when using the hated Javascript, which can so easily become the slim-jim that cracks open the doors of your computer so the evil doers can have a good root around before crapping all over the seats.

          2. veti Silver badge

            Re: something that is broken today might simply be fixed tomorrow.

            Hello. Welcome to IT. I see you're new here.

            It's theoretically possible that at some time, someone, somewhere has sold someone a piece of software that wasn't broken, but I've never heard of such a thing and frankly I doubt if it's ever really happened.

            1. Vincent Ballard

              Re: something that is broken today might simply be fixed tomorrow.

              I do proudly claim that I never had a single bug report on the software I developed in a three month project for a client who went on to use it for about 10 years.

      2. paddy carroll 1

        Re: Sounds Awful

        Check out Darklang 50ms release cycle... :-)

    2. Velv

      Re: Sounds Awful

      Integrity

      Fail fast, fail often. Except when you're dealing with transactions that must not fail and must have integrity.

      People have gone to prison for "working around the technology" in the regulated industry, if you change the software when you're not permitted, go straight to jail, do not pass go, do not collect £200.

      1. veti Silver badge

        Re: Sounds Awful

        What is this "must" you speak of? Where does this compulsion come from?

        If it's anything other than "the laws of physics/mathematics", then it's "just another requirement", no less negotiable than every other requirement in the spec.

        1. Myvekk

          Re: Sounds Awful

          "What is this "must" you speak of? Where does this compulsion come from?"

          Oh that's easy! It's in the software requirements, (written by someone who doesn't understand reality...)

        2. jmch Silver badge

          Re: Sounds Awful

          "What is this "must" you speak of? "

          Not really a "must".... but.... " "just another requirement", no less negotiable than every other requirement in the spec " is bollocks. There's always requirements that are more important than others. For example in a banking system, the requirement for transactions to 'never fail' is clearly (to anyone in IT) impossible. However the requirement for a success rate in the very high 9s and a logging/flagging procedure for failures would probably be a non-negotiable requirement, while the colour of the screen terminal is certainly negotiable

    3. Anonymous Coward

      Re: Sounds Awful

      My wife needed Windows 10 only to run a single sign on security application so we find an unused Genuine Windows HDD and install it on an old laptop. We had forgotten the Windows Experience:

      Which is One of:

      Fire up the thing from sleep, for a quick check before going to work, then some 45 minute update kicks in because Windows-Internal stuff is always more important than our work.

      Fire up the thing, for a quick check before going to work, then some upgrader process flatlines the CPU and HDD for about 25 minutes because, Obviously, there are priorities and then there is you.

      Good thing that most people working with Windows still get paid while the OS is generating internal heat or the economy would suffer.

      1. Michael Wojcik Silver badge

        Re: Sounds Awful

        Let us not forget the "initiate Windows shutdown because I have to leave to catch a flight, and Windows decides to start installing updates, and You Must Not Turn Off The Computer for the next half hour while it does that idiocy".

        Thank the gods there's an option buried somewhere (Group Policy, maybe?) to disable the astoundingly stupid bit of code that changes the Shut Down menu option to "Install Updates and Shut Down".

  2. Rich 11

    Risky business

    Ron was gainfully employed performing IT functions for the equities business of an investment bank back in the early noughties. "It was," said our reader, "when Risk was still just a board game."

    I can remember playing Risk on a Mac SE in about 1990 or 1991. The computer player wasn't very good.

    (OK, I probably haven't interpreted that the way it was meant.)

    1. veti Silver badge

      Re: Risky business

      It seemed to me that that remark, from someone working in investment banking of all industries, suggested a great obliviousness to the big picture.

      If investment bankers, even in the noughties, didn't think all the time about risk, then they deserved everything bad that happened to them and so much more.

      1. fajensen

        Re: Risky business

        Except nothing bad happened to them and they got so much more money to play with. That being the outcome, why would anyone do anything different than sticking with the proven system that works?

    2. My Alter Ego

      Re: Risky business

      I got booted out of computer club (3rd rule* no games) in school in 91 when I was caught playing Risk on one of those.

      * The first two rules obviously being "you do not talk about computer club"

  3. quattroprorocked

    The 90's

    I remember chatting to my neighbour about his job. He was basically doing IT for a financial institution, and could be called 24/7. If shit happened at the weekend, he logged in from home, some 100 miles away from the office.

    I had also, coincidentally, been to a presentation by the same company the previous week. Part of which was about their IT security, and "there are no external lines with access to the system".

    I'm fairly sure that the authors of the presentation thought they were telling the truth :-)

    1. Pascal Monett Silver badge

      Probably were, and they had the official version. The reality of IT is that any rule is only a generality, a guideline, rather than hard fact. That is because it is IT's job to make sure everyone else can work, and nobody is interested in hearing IT say that they can't because rules.

      When a manager wants something, he doesn't care about the rules, he just wants the result. So IT bends the rules because, in the end, it's always IT's fault when something doesn't work.

      1. Prst. V.Jeltz Silver badge

        You mean like when there's a breach because I.T let the top boss have a four letter password that never needs changing?

        that really is I.T's fault

        1. Pascal Monett Silver badge

          Tell me, if you're the top boss and you want a 4-letter password that never changes, do you really think you're going to accept one of your employees telling you NO?

          1. whitepines

            4 letter password like ... "cash"? Or to be really secure "Ca$h"?

            Yes, I'm going...

          2. nobody1111

            4 letters? Luxury! Wait, make that Security!

            Worked for a multi billion US$ corporation where a mid level manager had a 2 letter user name and password. Both the same. With read access to everything and write access to almost everything.

            But at least the two letters were not his initials. No, they were his department's.

        2. Black Betty

          4 letter password. Luxury.

          I had a boss that used his 3 initials and mandated the same policy for everyone else so he could log into their accounts. Oh yeah, usernames were the same three initials.

        3. Anonymous Coward

          Our team beats four letters

          A few years back, our team of engineers had separate accounts for logging onto customer systems and openly shared them amongst themselves. Took me months to highlight the practice with project teams and management turning a blind eye but eventually they were forced to stop. The result was that engineers stopped sharing user accounts but now all use the same passwords on every account. Glad I am out of there now... AC cos I'm over paranoid....

          1. A.P. Veening Silver badge

            Re: Our team beats four letters

            AC cos I'm over paranoid....

            O? I'd say you show just about the right amount of paranoia and if not, you are a tad short.

      2. Anonymous Coward

        Break IT for the managers

        Yikes! Most of the banking standards have been violated by all major banks at some point. Anti money laundering is a prime example of "Rule for thee and not for me"... Anon becos it is dangerous out there!

      3. Baroda

        When a manager wants something, he doesn't care about the rules, he just wants the result.

        Or when IT wants something...

        Many years ago, I was in a project to consolidate a number of systems onto a much smaller number of servers and deploy them to production.

        I was working alongside two fellow greybeards who really knew their stuff, (and to whom I am very grateful for their advice and help on an OS of which I had far less knowledge).

        FWIW, the multiple builds in production included some for which we simply had no test/dev systems so we had to build them and get them working in place.

        Of course, *much* data had to be transferred between the firewalled test/dev and production networks - and we were given a DAT based system to do it by the client.

        So it was tedious and introduced a lot of delay. We were very clear the project deadline (tight as per usual) was unachievable but shrugged our shoulders and just got on with it.

        Until greybeard1 found by accident that he could ssh from a single test/dev server to the live system(!)

        ... and in the twinkling of an eye had installed a software distribution server.

        ... and had organised the addition of a LOT of disk to the server for the distributions and database backups etc etc

        ... and then told us.

        Needless to say, our portion of the project's deadlines were met...

        I wonder if that hole in the network is still there?

      4. fajensen

        What 'IT' often fails to fully appreciate is that, when there is a breach, management will close ranks and be united in the purpose of making sure that only 'IT' will get to walk the plank over it. They will trade favours expended and received over the matter like one does Pokemon cards while the next 'IT' is installed. Readying for the next 'Big Launch', as it were.

        The same goes for "Risk Management" B.T.W.

        1. A.P. Veening Silver badge

          What 'IT' often fails to fully appreciate is that, when there is a breach, management will close ranks and be united in the purpose of making sure that only 'IT' will get to walk the plank over it.

          Completely true, until you have several IT-staff, who have experienced that a couple of times. They will know how to cover themselves and document all requests, with double back-up for anything even the slightest irregular. When (not if) management tries to make IT walk the plank, there will be an Auto-da-fé resulting in a lot of terminally terminated careers. Been there, done that and the marshmallows tasted damned good.

    2. TSM

      That could well be true. Even here, the systems I work with for 95% of my job can only be connected to from our office's wired network. I don't usually bother taking my laptop to meetings because the few things I can usefully do with it over the wifi aren't worth having to reconnect to everything.

      So when I have to fix things in the middle of the night from home, I have to remote desktop in to my office computer first, otherwise I can't do anything.

    3. Velv

      Yup, probably a Bastion host "bridging" between the external lines and the internal lines with "access to the system". So, technically correct that the external lines do not have access to the system.

  4. swampdog

    Dumb auditors

    One place, I used to temporarily turn services *on* here and there. That way the auditors would happily produce an automated network report. Only if a box seemed to be too quiet would they manually check. There always used to be a finger service running somewhere in the bunch because it was funny.

  5. Caver_Dave Silver badge

    Do the right thing?

    I once visited a potential customer around 1990 who had an unusual request, although this didn't become apparent until I was in an enclosed room within the bowels of the organisation. They wanted the accounting program my company was a reseller for - all run of the mill stuff. But then they said that they wanted two copies. I countered that one copy would quite easily cope with the number of seats and transactions they performed each day. It was only then they informed me that they actually did twice as many transactions - half for their tracking and half for the official logs for the Tax man! And before I could blurt out a reason to leave the meeting they started outlining the front end they required to split incoming details to both the company and official (filtered) copies of the accounts.

    Needless to say I left the meeting as soon as possible "to discuss the detail with my boss". Whilst I was recounting the meeting to the company owner, he was called by the accounts software authors, who warned us not to go to said customer as they had already reported them to the authorities after they had been in to see them on the previous day!

    1. Anonymous Coward

      Re: Do the right thing?

      I used to know someone who wrote POS software for a small distributed industry in the US with about 200 clients. Every year he had a client meeting to discuss features and problems.

      One year he was asked if it was possible to modify the software so that every 5th (say) transaction wouldn't be logged.

      He then pointed out that were he to do that, there would be 200 points at which it might get picked up by the IRS, and catching one would result in tax inspections for the entire 200, with him going to jail.

      They backed off.

      1. E_Nigma

        Re: Do the right thing?

        In every cafe in Serbia*, the POS software has a secret button or a similar trigger that activates the "unofficial" transaction mode.

        *At least I don't know of any for which I know that they don't do it.

        1. MiguelC Silver badge

          Re: Do the right thing?

          Some years ago, in Spain, most locally developed POS software had a special "training mode" where transactions were not recorded. One day the tax authorities did a major sweep and shut down hundreds (if not more) shops until they acquired new, properly certified, software (oh, did I mention the fines... those hurt)

          1. fajensen

            Re: Do the right thing?

            When fuelling one's car in Andorra as a tourist, one will notice that the low air pressure at this lovely mountainous region will somehow expand the fuel tank volume, allowing a 55 litres tank to absorb 75 litres.

            Good thing that the petrol is cheaper there.

      2. veti Silver badge

        Re: Do the right thing?

        Questions like that aren't necessarily as dishonestly-motivated as they appear.

        Sometimes, they originate from middle management, or even auditors, asking "how can we be sure this isn't happening? How can we prove it to our auditors?"

    2. steviebuk Silver badge

      Re: Do the right thing?

      Tesco?

    3. Sequin

      Re: Do the right thing?

      I remember reading of a case in the UK, probably in the 90s, where the directors of a small software house were jailed after selling customers an accounts package that contained two sets of books, the real (hidden) ones, and the ones sent to the Revenue.

      1. agurney

        Re: Do the right thing?

        I remember reading of a case in the UK, probably in the 90s, where the directors of a small software house were jailed after selling customers an accounts package that contained two sets of books, the real (hidden) ones, and the ones sent to the Revenue.

        The one I'm familiar with was in the '80s (courtesy of a close contact in the Customs & Excise computer investigation branch).

        An Apple II accounting package was found to have a backdoor .. log in with the regular password and accounts were clean, but append a value, e.g. password10, and that percentage of transactions would be 'lost'.

        IIRC the program was written in BASIC, so once suspicions were aroused it wasn't too difficult to find out what was going on.

      2. DiViDeD

        Re: an accounts package that contained two sets of books

        In the early 90s, I worked with a girl who ran a husband and wife accounts software house in East London.

        None of that '2 sets of books' nonsense for them. A simple electromagnet pair, one disguised as a very heavy and secure lid for their floppy storage case, the other housed in a drive bay in the PC, flicked on by a single desktop switch that could be yanked off the desk, pulling the cables with it, and chucked in the bin when the Excise Men came a callin was quite possibly the reason why she never turned up for work one morning.

    4. veti Silver badge

      Re: Do the right thing?

      Sounds like a sting to me. You were probably talking to the Daily Mirror.

  6. defiler

    Bending the rules to breaking point

    I was once pulled into the CEO's office of the biggest privately-owned IFA in Scotland by his PA who wanted me to take a client's signature on one document, scan it, clean it all up and make it sparkle, and then print it onto a Power of Attorney declaration.

    "It's all above-board - we've got his permission to do it."

    I pointed out that there was no way I was going near that document, and there was no way they could make me go near that document. Then I left the room and got back to proper work that my conscience could cope with.

    1. Prst. V.Jeltz Silver badge

      Re: Bending the rules to breaking point

      Don't get me started on how pointless a signature is as an authentication method again ....

      1. chivo243 Silver badge

        Re: Bending the rules to breaking point

        Back in the 80's, I used to sign my name hundreds of times a day on busy days, now once a month? I was shocked when I checked my old passports against my current one, my sig has changed substantially. I can see I don't really care what my sig looks like anymore.

      2. J.G.Harston Silver badge

        Re: Bending the rules to breaking point

        Especially in Scots law before 1995 where a signature was not what we'd normally call a signature unless accompanied by something else.

        It's more than 30 years since I had experience of this, but I vaguely remember something about "holograph", something about a signature is only valid if the document is also in the hand of the signature, so signing a printed document does not have any legal effect unless accompanied by additional words by the signer so there is more than just the signature in the signer's hand.

        1. Anonymous Coward

          It’s like real stuff Re: Bending the rules to breaking point

          Yes, as in a holographic will is valid (at least in US) - handwritten (I assume legibly is a requirement) in one document

    2. steviebuk Silver badge

      Re: Bending the rules to breaking point

      And what happened next? Did you e-mail them saying exactly the same? So then you'd have a record of refusing to commit their fraud as people like that normally try to fuck you over later.

      1. defiler

        Re: Bending the rules to breaking point

        Nope. I was much less paranoid then.

        Funnily enough, I was fucked over by that company. Much later, in a completely different way, and I was collateral damage to the large number of other people who got shafted. :-/

        Edit - and that CEO and his PA were both gone by then.

        1. Loyal Commenter Silver badge

          Re: Bending the rules to breaking point

          As a general rule, if a company allows any of this sort of thing to go on, whether it is strictly legal or not, it is a good indicator of the corporate culture as a whole. If you ever find yourself in such a situation, then you should be trying to find a new job as quickly as is practical. You can even cite the lack of corporate responsibility in your current place of work as your reason for looking for a new job in the interviews - a good prospective employer should take it as a positive thing on your part that you won't be party to that sort of thing, as a demonstration of integrity. A positive side-effect is that if the interviewer thinks your reasoning is bad, then you've identified another company you should be avoiding.

          1. defiler

            Re: Bending the rules to breaking point

            Yeah - you're right. In truth that place was a toxic environment, but I never really realised until I was out of it. Spoke to others who felt the same way after "The Event".

            That said, the pool of toxicity just went along the road and started again.

            One of life's little lessons that cost me a significant amount of mental anguish and money. If I knew then etc etc...

    3. ICPurvis47

      Re: Bending the rules to breaking point

      When I was working for a large electrical engineering company, part of my job included buying tools, parts, and materials for use in our development activities. As I was writing and signing several tens of Purchase Orders per day, I scanned my own signature and added it as a bitmap to my own copy of the official Purchase Order file. Thus I could print hardcopies for filing in the department, but could email the order to the supplier without having to print it out, sign it, and then scan it back in again.

  7. Ian Johnston Silver badge

    I used to know someone who wrote POS software...

    That seems a little harsh. Could you not have written "mediocre software"?

  8. Fred Flintstone Gold badge

    "Not a single problem ever occurred, and the business and IT never twigged."

    Of course, there was that whole financial crisis in the last decade, but we're sure Ron's antics were entirely unconnected.

    Nice one :)

  9. Solarflare

    Risk was still just a board game? Au contraire!

    "Risk: The Game of World Domination" was a PC game released in '96 and enjoyed thoroughly by yours truly!

    1. Prst. V.Jeltz Silver badge

      I'm not sure 96 counts as "back in the early noughties".

      1. Loyal Commenter Silver badge

        I'm not sure that the millennium bug was so serious (if untreated) that it made whole bits of software cease to exist on the 1st January 2000 either.

      2. Swarthy

        A computerized board game is still a board game. The story took place when financial ~~traitors~~ traders didn't have any concept of risk, as it applied to them. IE before the collective noun for bankers became "a wunch".

        1. Anonymous Coward

          I find it hard to believe that after the flash crash of 87, and other computerized fat finger, evil intent (Enron anyone) and just plain incompetence demonstrated since the dawn of model and computer driven trading, that "risk" could be so unobvious. In fact, the Tulip Bulb thingee back in the olden days, and the loss of heads in more than one kingdom over "poor" decisions more than demonstrated the risk involved in dealing in currency and market manipulation and transactions.

  10. ColinPa

    Caught by the auditors

    I was visiting an institution the day after someone got caught with their fingers in the till - so to speak, so I got to hear all of the gory details.

    The institution had security auditors in, to review the security set up of their systems. People were told, just do your normal work, help them when asked (do not offer information unprompted), do not try to be clever.

    This "clever" sysprog then invisibly installed a keystroke logging program for the userid allocated to the auditors, to see what they did, and learn from it.

    20 minutes after the auditors arrived the sysprog was called into the senior managers office for an explanation. Another 20 minutes later he was out, his belongings in a black bin liner.

    It turns out the auditors were much smarter than the sysprog. Although the program was invisible to the casual user, if you dumped the thread stack you could see it in the call back trace. There was also a hidden low level trace that had the sysprog's finger prints in it.

    1. steviebuk Silver badge

      Re: Caught by the auditors

      Nice. If in the days of Process Monitor or File Mon and Reg Mon, I think it would of appeared in those traces as well.

      1. H.Winter

        Re: Caught by the auditors

        would *have*

    2. Loyal Commenter Silver badge

      Re: Caught by the auditors

      Ironically, the auditors would probably have been receptive to someone approaching them openly with an interest in how they do their job, what they are looking for, etc., with a view to improving things. After all, it's likely to all end up in their report anyway, and if the programmers know what to do to prevent the things they are looking for, then they'll have less work to do, and less to write up in their report next time (for the same amount of money).

    3. Stevie

      Re: Caught by the auditors

      Rules of thumb for anyone contemplating shenanigans in our line of business:

      1) You are nowhere near as clever as you think.

      2) Everyone else is nowhere near as stupid as you think.

      Of course, not believing these rules is what makes people undertake unethical shenanigans in the first place.

      1. Anonymous Coward

        Re: Caught by the auditors

        Two of the characteristics of psychopaths are that they overestimate their own intelligence, and that as they don't believe that other people are really real, they assume they are easily fooled.

        1. Mark 85

          Re: Caught by the auditors

          Don't they usually end up in politics?

          1. A.P. Veening Silver badge

            Re: Caught by the auditors

            Only the less clever ones, the really clever ones make a fortune in business and retire early to live in leisure. And of course there is also the intermediate set, who first assemble a fortune and subsequently waste it in politics.

            1. Anonymous Coward

              Re: Caught by the auditors

              And people like [] and [] (insert names of choice) who inherit Daddy's fortune, don't succeed in business, and go into politics because of their sense of entitlement. These are the worst, followed by the ones who make a fortune in business and then still feel they want more, more. Bill Gates is no saint, unless you compare him to Rupert Murdoch or Zuckerberg.

  11. FuzzyWuzzys

    We IT bods hate dealing with users so anything to put them at arms length!

    It was a fairly common trick, I think most of us have done this at some point in the past. I remember doing this around 1994. Trying to get people out of the way during the business day so you could issue updates was a major PITA, so you simply put new editions on network shares; when they started it up it would update itself in the background and then reset. I put "kill switches" in some apps, the app would check once an hour if a flagfile was on the network, if so then it would wait until 11pm, quietly save everything and shut down. Then when the user started it up again it would update itself.

    1. Killfalcon Silver badge

      Re: We IT bods hate dealing with users so anything to put them at arms length!

      I think "if errors are seen, automatically rollback to the previous version" is a step further than I've seen anyone do before.

      I have to admit, if it wasn't explicitly about dodging a change freeze I'd be pretty impressed at that little innovation.

  12. amanfromMars 1 Silver badge

    Another Vehicle for Hush Slush Funding/Alternative Market Investment

    He worked in a small team of five people, responsible for developing and supporting a business-critical liquidity and capital allocation platform that had to be running whenever trading was occurring.

    Sounds like a money laundering operation.

  13. LeahroyNake

    Best excuse ever

    I managed to, in the cashiers words 'crash their pc' because I inserted my card into the reader too early.

    It was my local RBS subsidiary that goes by another name but the lovely person was nice enough to tilt the screen so that I could see the Windows XP loading logo, this was 6 months ago just before the bank closed. I wasn't paying peanuts for various services but got monkeys anyway lol. Apparently it took 30 minutes to load up and it was near closing time, please come back tomorrow...

  14. TheMeerkat

    Why would anyone do it?

    If things go wrong it will be your head on the block, but as things went OK, nobody thanked you for breaking the rules.
