Data Security. We all need to deal with it. There are many tried and true ways of doing things. Many of the problems you'll encounter have been solved. Some of them will require creative thinking. All require a basic understanding of the difference between big thing and little thing. Not everyone possesses the ability to differentiate between the two.

R.J. works for a health insurance company. These folks have access to some of our most private information, and take HIPAA regulations to secure and protect it quite seriously. Any breach of security requires notifying customers of potential exposure, as well as reporting to government imps bureaucrats better not dealt with. Naturally, the bean counters from the board on down all repeat the mantra of protecting the customer data at all costs.

The team that employs R.J. developed the phone menu system. You're familiar with these beasts; they're designed to teach you Zen levels of patience while you try to do something, anything, while preventing you from having contact with a human. To that end, they allow you to perform all manner of tasks, provided you can stumble through the maze to the right sub-menu, and enter the magic code(s).

One day, while snoozing on his bus ride home, R.J. got an emergency email entitled Potential Personal Health Information Exposure. As he grudgingly opened the email, the familiar Star Trek red-alert security-whoop sounded. The mail details stated that every enterprise level team (e.g.: all of them) had to be on an emergency call immediately! Wanting to be a good Red Shirt, R.J. jumped onto the call.

Unfortunately, along with 9 levels of management, all in full panic mode, there was only one other person on the call; a DBA.

After 15 minutes of managers pouring gas on the fire and assuring each other that there was plenty to panic about, the DBA got a moment to talk. There wasn't an actual data breach and no information had been affected or viewed. As part of a routine audit, the DBAs had discovered that a determined individual could find out that member id nnnnnnnnn had a birthday of yyyy-mm-dd. The DBAs already had a fix and just wanted to let the consumers of the data (e.g.: R.J., and all the other teams that hadn't joined the call) know that the affected data would be unavailable for a few hours while they applied their change.

This set the managers off on a rant that could only be had if you were a manager:

  Mgr: What if someone gets the data before the fix can be applied?
  DBA: That's why we've already taken it off line (until we can apply the patch)
  Mgr: But what if they get to it anyway?
  DBA: It's off line - it's inaccessible to anyone
  Mgr: But you can access it, so other people can too!
  DBA: No, off line means OFF LINE; I work here and have privilege, others don't
  Mgr: Someone get Legal on this call!
  ...

...and downhill it went from there.

After 15 more minutes of this, R.J. had reached his stop, and disembarked both call and bus, secure in the knowledge he could sleep in peace.

The next day is when the fun really started. The DBAs had fixed the potential problem and all was well. In Techno-Land. But managers, especially the C** variety, don't live there....

The memos flew fast and furious about data security being of paramount importance. Everyone, with no exceptions (except the high level managers, of course) was required to take the HIPAA and internal data security training courses - again. Committees (of managers) were formed to assess what needed to be done, and spec out the work and cost.

All for a problem that had been identified and fixed before it was even noticed by anyone.

[Advertisement] BuildMaster is more than just an automation tool: it brings together the people, process, and practices that allow teams to deliver software rapidly, reliably, and responsibly. And it's incredibly easy to get started; download now and use the built-in tutorials and wizards to get your builds and/or deploys automated!

http://thedailywtf.com/articles/reactions

"No! Never! Absolutely not!...Well, OK, back in college. Just once," writes Jack R..

"I think Outlook has spent a little too long reading Facebook," wrote Ryan.

Paul C. wrote, "It's a little hard to believe there is a big overlap in Meat Loaf and Sound of Music fans."

Joey writes, "Noticed this when I bought a ticket in Italy with Trenitalia. Seems like someone had trouble with adding a newline."

"I pulled into the local community college and went to pay the parking meter," John S. wrote, "I was pleasantly surprised to see that the Grim Reaper was on my side."

"Fortunately for me, Dell thought of everything when they package a printer." Scott M. wrote.

"Got this one while trying to fill out a survey on telecommunications service providers," Quentin G. "I better not pick 'other' else the consequences might be a bit harsh!"

"Spirit Airlines is letting me know what my account status is," Ian writes.

[Advertisement] Use NuGet or npm? Check out ProGet, the easy-to-use package repository that lets you host and manage your own personal or enterprise-wide NuGet feeds and npm repositories. It's got an impressively-featured free edition, too!

http://thedailywtf.com/articles/are-you-using

As tends to happen with people who do good work, Robert got pulled away from his XMPP system to save another project from sinking. It would continue to work well enough on its own without much hand-holding. When new nodes needed to be added to the system, that duty fell to Robert's coworker Jens. He kept complaining that it was too much work to pair the new nodes with the XMPP server, but Robert brushed it off because for someone like Jens, tying his shoes was too much work.

Jens had been mysteriously quiet about the XMPP setup duties for a while, before he randomly shouted "I just showed you up, Bobby!" one day. Robert assumed he accomplished something meaningless like topping the office high score in Tetris. "Since your XMPP system is so hard to maintain, I took the opportunity to make some improvements! No more painful setup!"

Robert immediately began to feel a sense of dread. Anything Jens touched turned to crap and now he had been messing with Robert's pet project. "What exactly did you do, Jens? Everything was set up the way it needed to be for security's sake."

"First, I got rid of that EJabberwocky setup, or whatever it was. That was pointless- there are much more lightweight Jabber servers out there!. Then I created a single account group for all the nodes so now whenever we add a new one, BAM! It can automatically talk to the XMPP server. This is way more manageable than the junk you had set up."

Every client site was now buddied with *every other* client site. "Dammit, Jens! Why couldn't you just leave it alone?" Robert said, fuming. "Do you realize that now every node can talk to every other node and get information from it?"

"Yeah, well so what?" Jens retorted, taking up a defensive posture. "What are they going to do, have a big chat party? Chill out, man."

"No, this means that anyone out there who has access to our remote nodes can simply log in and get information from every other node on the network, including the ones at customer sites."

"HA! What are the odds of that happening?" Jens scoffed. "Let's take it to Jim and see what he thinks!"

Robert and Jens raced to Jim's office to see who could prove their point first. Robert won but didn't get the answer he was hoping for. "You see, Robert," Jim began to explain, "we can do things the hard way here, or we can do them the efficient way. What Jens has done here will save him countless hours of setup over the course of a year, freeing him up to do even more important things!"

Robert swallowed his pride as they left Jim's office, Jens sneering behind him. Jens destroyed his perfect system, and gave himself more time to screw other things up in the process. Robert was left to wonder if he should give Jens an unexpected Ejabberd to the throat as payback.

[Advertisement] Use NuGet or npm? Check out ProGet, the easy-to-use package repository that lets you host and manage your own personal or enterprise-wide NuGet feeds and npm repositories. It's got an impressively-featured free edition, too!

http://thedailywtf.com/articles/jibber-jabbered

Last week, we introduced the Lucky Deuce casino contest. This is a series of challenges, brought to you by our pals over at Infragistics, where we call on you to help us build a scoundrels casino.

Last weeks challenge was to build a broken roulette wheel, that instead of being truly random, avoids recently spun numbers to feel more random. Ive rehosted all of the winners code here.

Honorable Mentions

Many of you noticed that, with our rather silly requirements, you didnt need to do anything to make a cheating wheel. By simply betting on the least recently used numbers, your odds were enough to beat the house. This was true, but thats not a terribly fun approach. Still, Ryan gets credit for taking that reality and putting a thumb on the wheel, so to speak. His solution was to be a little sloppy in how he weighted the probabilities, taking a heavy hand:

def random(self):
    r = random.randrange(0, sum(self.weights))
    for i, x in enumerate(self.weights):
        r -= x
        if r < 0:
            result = i
            break
    # adjust weights
    for i, x in enumerate(self.weights):
        if x < SLOTS - 1:
            self.weights[i] += 1
    self.weights[result] -= SLOTS/2
    if result == SLOTS - 1:
        return '00'
    return str(result)

With this approach, recently spun numbers become really unlikely, which makes a smart betting strategy even more profitable. Congrats Ryan, you get the Just Doin My Job award. His solution also comes with a profile.py script, which handily runs a bunch of trials to let you try out his random solution.

Edgar did add a custom cheat, after a fashion. In his solution, instead of checking if a number appears twice in a row, Edgar avoids it if its appeared twice. But thats not what makes his solution entertaining. No, his Python solution, slavishly obeys the PEP8 reccomendations for formatting Python code, to the point of complete unreadability:

    while True:
        # store occurrence of value
        frequency_of_each_roulette_element__list_int[random_position_in_array__int] += __ONE_CONST__INT__
        if frequency_of_each_roulette_element__list_int[random_position_in_array__int] >= __TWO_CONST__INT__:
            # AVOID RUNS, acc. Req #3
            frequency_of_each_roulette_element__list_int[random_position_in_array__int] = __ZERO_CONST__INT__
            random_position_in_array__int =\
                (random_position_in_array__int + __ONE_CONST__INT__) % __size_of_american_roulette_int__

For his work, Edgar gets to take home the Best Use of Variable Names prize.

Another common exploit was to exploit the lack of randomness in pseudo-random number generation. Jonathan took an approach that fed /dev/random through SHA256 to generate his pseudo-random numbers. With that information, he can start making predictions after 64 spins. The real clever part isnt the code itself, but the comments:

    /* this is an excellent source of randomness, bruce says so */
    FILE* fp = fopen("/dev/random", "rb");
    …
    … 
    /* that /dev/random is too slow to use every spin */
    /* cryptographic hash is effectively a random number, bruce says so */
    sha256.add(&state, sizeof(state));
    sha256.getHash(hash);

Edgar gets some stickers as part of the prestigious Bruce Says So award.

The Winner

We had a lot of great submissions- and a lot of them. There were a lot of clever approaches, a lot of Konami codes, and a few that did some sleight of hand with unit tests to cover up their cheats. For sheer energy and thoroughness, I have to give Ben, who sent us a submission that isnt just clever code, but an extremely thorough write-up in a README file. In that write up, he first explains all the work he did to make sure his RNG was secure- and then pulls the rug out to explain exactly why it isnt. Seriously, his README is more of a work of art than any of his code.

That isnt to say that his code doesnt have a fun twist to it. With a perfect combination of extremely thorough comments and a clever use of bitwise operations, Ben hides his sleight of hand right in the open:

    /* Make sure the fourth-least significant bit
     * is different from the last result. All other bits are random,
     * but we know it'll definitely not be identical *again*.
     * Why the fourth? I expect "professional" roulette players to
     * closely observe some properties, including even/odd (lsb),
     * and let's assume they even observe "value mod 4" (second-lsb)
     * and "value mod 8" (third-lsb). */
    const uint mask = 1 << 3; /* Fourth bit, so shift '1' by three. */
    const uint a = avoided & ~mask; /* Take the opposite bit. */
    const uint b = generated & mask; /* Take from randomness. */
    generated = a | b; /* Merge. */

Read through his code, and try and figure out his trick before reading his README.

The Lucky Duece: Getting in the Slot

You had a close call in Bartsow last week. The FBI tried to catch you coming out of a truck stop diner along Route 66, and its only because Gilda, the waitress, tipped you off that you were able to slip out the back. Thats what you get for leaving behind good tips, but youve padded your bankroll nicely with the proceeds of the Roulette job. You had padded it, anyway- apparently while Gilda was showing you out the back door with one hand, she stole your wallet and got a really big tip with the other.

Out of cash, youve been hitchhiking along back roads. Last night, you got picked up by a bunch of hippies on their way back from San Francisco, and they were good enough to drop you off in a little dirt patch called Dogtown. Its then that your cellphone dings- youve got a new set of requirements.

The Requirements

GRT JOB, the message starts, you did good work. We want you to work on our slots machine project now, it is the same more work that you already did.

Slot machine? Great, they want you to generate some more broken numbers? Or is there something else? As you read the requirements, you see some key points. First off, yes- they do want you to generate some random numbers- three of them to be exact. Theyre less concerned with imitating wheels with all of the complexity that entails, and instead, just want a function or program that can output three random numbers- but with constraints.

Firstly, we want suspense. After each number is output, there must be a pause or a wait before the next number is coming. This adds tension and makes our customers more excited. Secondly, the probabailities[sic] that the first and second numbers are the same must be very high! But the probability that all three numbers match must be very low.

You scratch your chin while thinking about the requirements. Thats all pretty easy, but it gets you thinking. With all those pauses in there, theres gotta be some way you can sneak a cheat in between them. You're going to figure out a way to rip off this slot machine, and rebuild your bankroll.

Entering & Judging

To enter, send an email to byoc15@worsethanfailure.com with a link or attachment of your code. In the body of the email, explain how your cheat works and what we need to do to run your code. You can use any language you like, but we have to be able to run it with minimal setup.

You dont need to build a GUI, but if you do, and you do it using tools from Infragistics, we'll send you a free license (one per entrant, supplies limited). Consider this your Infragistics bonus.

Assume we have access to stock Windows, Linux and OSX instances, if we need to run your software locally. You could target MUMPS running on a mainframe, but we can't run it, and you probably won't win. You must get your submission in before 11:59PM Eastern Time, Sunday the 16th of August to be eligible for judging. We'll announce the winners next Wednesday, along with the next leg of the contest!

The overall winner will be chosen by how interesting and fun we think their solution and cheat is.

Thanks to Infragistics for making this possible.

A worldwide leader in user experience, Infragistics helps developers build amazing applications. More than a million developers trust Infragistics for enterprise-ready user interface toolsets that deliver high-performance applications for Web, Windows and mobile applications. Their Indigo Studio is a design tool for rapid, interactive prototyping.

[Advertisement] Use NuGet or npm? Check out ProGet, the easy-to-use package repository that lets you host and manage your own personal or enterprise-wide NuGet feeds and npm repositories. It's got an impressively-featured free edition, too!

http://thedailywtf.com/articles/the-lucky-deuce-getting-in-the-slot

If there's one thing more exhausting and ridiculously over-complicated than moving house, it's moving legacy apps. Something as simple as a migration to another, identically configured (in theory) server can cause unexplained breakages and weird glitches in bits of the code no current staff member has ever touched.

Mikail's company knew better than to try to extract this particular app and repot it in another server. After all, most of the core functionality was written by interns several years back, and since it wasn't in source control at the time, nobody had been willing to touch it. But with a major merger came a domain name change, leading to a slew of unexpected errors in production (Test environment? What test environment?).

The following was designed to obtain a number from the query string so it could figure out what product to display. Most seasoned .NET professionals would go right for Request.QueryString["number"];, but not this special snowflake:

  protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {            
            //...
            string strUrl = HttpContext.Current.Request.Url.AbsoluteUri;
            string strNumber = "";

            if (strUrl.Contains("?") == true)
            {
                strNumber = strUrl.Substring(58, strUrl.Length - 58);          
            }
            //...
        }
    }

She counted the number of characters in the base URL before the query parameter she wanted, and took a substring from the URL. While that worked for a time, the new domain was longer, leading to errors when bits of the path were converted to an Integer. At least it was easy to find the error. One down, only a dozen left.

[Advertisement] BuildMaster is more than just an automation tool: it brings together the people, process, and practices that allow teams to deliver software rapidly, reliably, and responsibly. And it's incredibly easy to get started; download now and use the built-in tutorials and wizards to get your builds and/or deploys automated!

http://thedailywtf.com/articles/count-on-it

As someone who has spent more than three decades working for all manner of huge financial-conglomerate IT departments, I've seen pretty much every kind of WTF imaginable. At every level. At every scale. For years, I chose to view it as getting paid for being entertained. But over time, it dawned on me that perhaps the reason these companies are so inept at IT is that they're so focused on the job of getting business done that they can't take the time needed to learn to think through a software development project in the way you need to in order to, well, develop software.

This time around, I joined a fairly small financial firm that has a reputation for being fairly laid back. Most of the reviews by current and former employees stated that the management allowed them the time to (reasonably) properly plan out and run a software development project. I spoke with several managers, all of whom assured me that the project was reasonably budgeted for the appropriate folks (developers, QA testers, business analysts, project managers, architects, etc.). Requirements were being mandated by an industry edict. My role was simply to be one of more than 100 Java developers on the project.

After two months on the job, it became clear that it was all a smoke screen.

Apparently, while the industry edict was fairly specific as to what needed to be done, the business analysts and architects could not agree on how to do it. You see, the architects were drawing data flow diagrams showing what data flowed between what systems, and where things would need to change in order to implement the new requirements. However, the business analysts decreed that all of the old systems needed to go away and all new systems would need to be built.

Naturally, the technical folks laughed raucously and pointed out that this would entail about 10,000 man years of effort, whereas simply augmenting all of the existing systems would take about 200 man years of development effort.

The BAs put their collective foot down and refused to allow any architecture documents to be released to any of the teams. No new data structures would be specified. No interfaces between systems would be defined. Nobody would be allowed to start work building any of the components until the BAs were satisfied that what was going to be done would make them happy.

This started about 3 months before I was hired, and went back and forth for about 5 months.

Not a single page of documentation of what the new requirements were intended to accomplish, or how it would be done was distributed to any of the technical folks.

After two months on the job, it was best summed up by this conversation (that took place over three weeks) with my boss:

  Me:   Although we don't know the specifics, we know where the industry is
        going and have a cursory idea of what needs to be done. We've built
        pipes to move generic data structures with key-fields between logical
        black boxes to perform specific chunks of processing. The details can
        be filled in later once they figure out what they want. This way, when
        they finally realize that time is short and they have to make a decision,
        we won't need to worry about the plumbing, and can concentrate on the
        business problem itself!
  Boss: This is a huge, two year project across nine departments, over 100  
        programmers and a few dozen business analysts. You are not ever going 
        to get requirements because the business doesn't know what they want, 
        but you will absolutely be held accountable for building what they need.
        If what you build doesn't solve their (undefined) business problem, it 
        will be your fault and there WILL be consequences!
  Me:   I don't mind a challenge, but I don't read minds. If they want to fly
        without a net, then they need to understand that there are going to be
        countless changes/enhancements
  Boss: They're never going to give you that leeway. If it doesn't work as
        expected on initial delivery, it's going to be a political nightmare
  Me:   I'm just a developer; politics is your department; code is mine
  Boss: You don't understand, people get fired for delivering software with bugs
  Me:   Not according to the employee reviews on glassdoor.com - something is
        fishy in this department
  Boss: HR put those there to stem the tide of folks who were refusing offers
        because of how things work here
  Me:   Wha...?
  Boss: You need to figure out what they need, and build something sufficiently
        flexible so that it does what they want, properly, on the initial delivery
  Me:   WTF?!

A very short time after that, they realized that they were going to miss the industry deadline because, as much as they didn't believe it, not all developers know all languages or how to use every tool. They had assigned front end web developers to do code to do batch processing because Java == JavaScript (they both say "Java" so it must be the same thing). They had assigned C# developers to do C++ because they're the same thing (variants of "C").

The biggest WTF was when they had financial Quant's implement a library to perform extremely complex calculations that were the crux of the changes. They wrote it in C++. Then they wrote a wrapper in WXL so that the C++ functions would be callable from Excel. Then they called the macros from the Excel spreadsheet. Then they distributed the Excel spreadsheet to the teams that needed to use the calculations. The underlying C++ was distributed only as a DLL built without debug info. When developers said that they needed to know the underlying C++ interfaces, they were told to just call the spreadsheet functions. From their server-side code.

Let's see how we might do that. I suppose they could programmatically open the spreadsheet with the embedded macros, use some library to populate a few cells representing input data, execute the macros and read the result-cells, and then close the spreadsheet without saving changes.

OBTW: this has to happen in under 1 ms because there will be many calls to this - in parallel (so I'm thinking one copy of the spreadsheet file per worker thread) - and anything slower than that will just back things up.

The more experienced folks in the department all left, leaving the entire project staffed with junior developers who don't yet see the sh*tstorm headed their way.

[Advertisement] BuildMaster is more than just an automation tool: it brings together the people, process, and practices that allow teams to deliver software rapidly, reliably, and responsibly. And it's incredibly easy to get started; download now and use the built-in tutorials and wizards to get your builds and/or deploys automated!

http://thedailywtf.com/articles/the-coming-storm

"I'm not sure if the WTF is that I have to find 0000FF]2 piles of dirty clothes," Simon H. writes, "or the fact that the ']' makes it look like they entered the information in something resembling BBCODE."

"SSMS would like to firmly remind me that it is not just some floozy, and I should treat it with respect," writes Matthew F..

"I wanted to get my no longer new laptop back on it's feet, but not literally," wrote David, "I only right-clicked in the body of an email."

"I think I'll pass on continuing my 214748 mile journey. That would take 5 months at 60 mph," Jakob W. wrote, "but I suspect that the number is actually 2147483647 miles, in which case this is a ride of nearly 4100 years."

Adam F. writes, "Thanks Lenovo! I never thought I'd get to have a say in the matter."

"What's that? Suppressing warnings will give me better performance? Well then...SIGN ME UP!," Sam W. wrote.

"Why yes...I do drive in my city and my region? How could they know?!" Nikolei Z. wrote.

"Even though I am a prince, I am not totally convinced that spending an extra lb15 of my princely fortune for a 0Mb superfast fibre connection is good value for money," Ian writes.

[Advertisement] Use NuGet or npm? Check out ProGet, the easy-to-use package repository that lets you host and manage your own personal or enterprise-wide NuGet feeds and npm repositories. It's got an impressively-featured free edition, too!

http://thedailywtf.com/articles/piles-of-unsanitized-clothes

The Top 10 Ways to See if an Item Is in a List, Only 90s Kids Will Get this

Pardon the clickbait headline. Were only going to look at one method to tell if an item is in a list. A bad one.

Andrew M. inherited some software that tracks metrics. There are three general categories of metrics- MS, FN, and CM. Each of these categories contains a number of specific metrics, each assigned its own ID.

So, the previous developer needed to write a function that answered this simple question: given a metrics ID, is it an MS, FN, or CM metric?

public static string GetModel(int metricId)
{
    string caMSMetricIdList = "29477|29478|29479|29480|29481|29482|29483|29484|29485|29486|29487|29488|29489|29490|29491|29492|29493|30157|30732|30735|30738";
    string caFNMetricIdList = "29411|29412|29413|29414|29415|29416|29417|29418|29419|29420|29421|29422|29423|29424|29425|29426|29427|29428|29429|29430|29431|29432|29433|29434|29435|29436|29437|29438|29439|29440|29459|29460|29461|29462|29463|29464|29465|29466|29467|30181|30183|30185|30187|30189|30436|30607|30608|30609|30610|30611|30612|30615|30616|30731|30734|30737";
    string caCMMetricIdList = "29005|29364|29365|29366|29367|29368|29369|29370|29371|29372|29373|29374|29375|29376|29377|29378|29379|29380|29381|29382|29383|29384|29385|29386|29387|29388|29389|29390|29391|30435|30553|30554|30555|30556|30557|30558|30730|30733|30736";

    if (caMSMetricIdList.Contains(metricId.ToString()))
    {
        return "MS";
    }

    if (caFNMetricIdList.Contains(metricId.ToString()))
    {
        return "FN";
    }

    if (caCMMetricIdList.Contains(metricId.ToString()))
    {
        return "CM";
    }
    return "";
}

On the bright side, these arent technically magic numbers, and since the fields are delimited by pipes, there wont be any lurking run-over bugs, where the substring of two IDs mashed together is a valid ID.

On the dark side, Andrew wasnt the first person to inherit this. A long line of developers preceded them, and each of them simply appended each new set of metric IDs to the ever growing lists. Andrew replaced this with a simple lookup using a dictionary .

[Advertisement] Manage IT infrastructure as code across all environments with Puppet. Puppet Enterprise now offers more control and insight, with role-based access control, activity logging and all-new Puppet Apps. Start your free trial today!

http://thedailywtf.com/articles/listicle

The life of a developer is about being cunning. When presented a problem that could be solved with strenuous, character-building labor, our first instinct is to automate it and cheat our way around it, if at all possible.

Or maybe Im just projecting. Still, if theres one thing Ive noticed, TDWTF readers are a shifty lot of scoundrels. Its time for us to put that cunning to work.

Thanks to our sponsor Infragistics, for the next five weeks, were going to call upon you to build us a Scoundrels Casino. Each week, were going to introduce a simple programming challenge, and give you a few days to solve it. Each weeks challenge is independent of the last, and each week is going to be a little bit harder than the week before.

And prizes? Prizes! The best entry each week, judged by completely subjective criteria, gets a spanking new TDWTF mug, a single-developer license for Infragistics controls, and some super-sweet stickers. There will be some additional prizes (more piles of stickers) for submissions that seem cool and fun. And most important, every entrant gets the best prize of all: bragging rights.

The Lucky Deuce Casino

You are a developer for an online casino, and thus a wanted criminal in the United States. While you hide from the FBI, your managers keep sending you requirement after requirement, with absurd deadline after absurd deadline. You havent even met the other developers on your team- you write one tiny module for the casino, and it gets taken away from you and bundled with modules written by programmers youve never met, and the end product is almost certainly a bug-ridden mess.

Youre sitting inside a seedy motel on the outskirts of town. Youve got the blinds closed, but that doesnt stop the neon sign for the diner across the street from keeping you up all night. You havent gotten a decent nights sleep in days. Youre wondering what youre doing with your life, and how you can get out before you end up in jail, or worse. And then- DING! An email comes in, bearing the latest requirements for a new module. Youve had enough of this. Youll implement it, alright, but youre not going to settle for the pittance of a salary theyre paying you. Youre gonna get whats coming to you.

The Requirements

The first requirement is pretty normal. Youre supposed to write a module that generates random numbers like a double-zero roulette wheel. They dont specify how the random numbers are generated, but thats basically a single line of code. Super easy.

Its the second requirement that makes you groan with frustration. They dont want the numbers to be really random. In a true random sequence, the write, the same number may appear many times in a row, just do[sic] to random chance. While that is actually random, it doesnt feel random to our players. They want you to track a history of the random numbers generated, and make something that feels random: numbers that have appeared recently are less like to appear. Runs, where the same number appears 3 times in a row, should never happen.

Alright, you say to yourself, I can do that. But you can do one better. In addition to implementing their requirements, you decide to add in your own. Youre going to write in a cheat function- something that lets you either enter in some sort of cheat code, or in some other fashion makes the output of the roulette wheel predictable. Be careful, though, you dont want to get caught! You'll need to get creative to make sure nobody stumbles on your secret- millions of people are going to gamble with this program.

Entering & Judging

To enter, send an email to byoc15@worsethanfailure.com with a link or attachment of your code. In the body of the email, explain how your cheat works and what we need to do to run your code. You can use any language you like, but we have to be able to run it with minimal setup.

You dont need to build a GUI, but if you do, and you do it using tools from Infragistics, we'll send you a free license (one per entrant, supplies limited). Consider this your Infragistics bonus.

Assume we have access to stock Windows, Linux and OSX instances, if we need to run your software locally. You could target MUMPS running on a mainframe, but we can't run it, and you probably won't win. You must get your submission in before 11:59PM Eastern Time, Sunday the 9th of August to be eligible for judging. We'll announce the winners next Wednesday, along with the next leg of the contest!

The overall winner will be chosen by how interesting and fun we think their solution and cheat is.

Thanks to Infragistics for making this possible.

A worldwide leader in user experience, Infragistics helps developers build amazing applications. More than a million developers trust Infragistics for enterprise-ready user interface toolsets that deliver high-performance applications for Web, Windows and mobile applications. Their Indigo Studio is a design tool for rapid, interactive prototyping.

[Advertisement] Scout is the best way to monitor your critical server infrastructure. With over 90 open source plugins, robust alerting, beautiful dashboards and a 5 minute install - Scout saves youvaluable engineering time. Try the server monitoring you'll M today.Your first 30 days are free on us. Learn more at Scout.

http://thedailywtf.com/articles/introducing-the-lucky-deuce

IT jobs are few and far between in the rural United States. Calvin considered it pure luck that he got a new job as a developer in his home town, a small Southern town of only 5,000 people. After a few short interviews, he gladly accepted the job, eager to give up his long commute to another city and stay close to home.

His new company, ITWerks, was actually the former IT department of a local-but-large tractor company that had gone defunct twenty years earlier. ITWerks had managed to get spun off and survive on its own, handling general IT and development tasks for many other businesses in the area. The market was tiny, but competition was scarce, and since ITWerks was the sole vendor in its little corner of the state, it had little reason to change. Without any incentive to learn new processes and technologies, ITWerks became an isolated island of 1995 which was inexplicably transported to 2015.

Calvins first task was to fix a few bugs in their web API. The API tied several different products together. He scheduled some time with Hank, the original developer, to get an overview of the product. Hank had been with the company for thirty years now, and hadnt learned anything new in at least twenty. His overview was brief and uninformative.

Im sure this API will look modern enough to you young whippersnappers, Hank said. Now, I originally done this in Visual Basic 5, but when C# came out, I decided to take a looksee and I rewrote this whole thing with C#. Its been purrin like a kitten ever since. Anyway, all the source code is in a shared folder. Go ahead on and grab that, and let me know ifn youve got any questions.

No source control? Calvin thought to himself as he settled in at his desk. In 2015? Source code in shared folders? He shook his head and wondered what he had gotten himself into.

He found the source easily enough… and was horrified at what he found. The API only had one class, called WebService.asmx, which was a hundred-thousand line monstrosity, all contained in a single source file. And though it was nominally written in C#, much of the underlying functionality was provided by old VB5 and VB6 DLLs, which the C# assembly called into using runtime-callable-wrappers.

Calvin spent the next few weeks engaged in intense archeology. Despite the massive, convoluted, and uncontrolled codebase, he was able to find and fix the bugs assigned to him without too much difficulty. Late one morning, he met with Hank again to see what the deployment process was.

Deployment? We dont really do no deployment, Hank replied.

How do you put code into production? Calvin asked, clearly confused.

Oh, that? You just need to build it, is all.

What do you mean?

Hank laughed. Bless your heart. I mean, in Visual Studio, go on up to the Build menu, open it, and click Build Solution.

Calvin paused for a couple seconds to see if any sudden understanding would strike him. It didnt. Sure, he said, that compiles the code. But how do I deploy that to the web server?

Hank started to look annoyed. Listen, you just build the solution, and that deploys it to the web server.

Calvin feared that he was starting to understand Hank, but hoped he was wrong. Hank excused himself to go to lunch, and Calvin headed back to his desk to check something.

His suspicions were horribly, horribly correct. The network share Calvin had been using to work was mapped to a virtual directory in IIS. Calvin had unknowingly been releasing changes to production every time he pushed the build button- releasing code for an API that was used by several applications and a few dozen customers.

Despite ITWerks being a WTF-filled cesspool of mid1990s development practices that were horrible even in the 90s, Calvin decided to stay. He has enough leeway to slowly drag ITWerks into the modern era. Theyre now using Git and Continuous Integration on some of their projects, the deployment process now involves actually choosing to publish your code, and now theres a test environment. Calvin especially enjoys his new commute. Instead of driving an hour each way to the big city for work, he gets home in about ten minutes to find his muddy kids running up from the creek in the pasture to greet him. Thats a fair trade in his mind.

[Advertisement] Manage IT infrastructure as code across all environments with Puppet. Puppet Enterprise now offers more control and insight, with role-based access control, activity logging and all-new Puppet Apps. Start your free trial today!

http://thedailywtf.com/articles/the-galapagos

Scott K was cleaning up a configuration utility used by his team when he dredged up this sanity-threatening artifact:

void Save(string path)
{  
    XmlTextWriter write = null;  
    try
    {  
        write = new XmlTextWriter(path, null);
    }  
    catch (IOException)
    {  
        write.WriteEndDocument();  
        write.Close();  
        try
        {
            write = new XmlTextWriter(path, null);
        }  
        catch (IOException)
        {
            return;
        }
    }  
 // Write stuff to the file
}  

Theres nothing terribly complex or unclear about this C# function that takes a file path and attempts to open the XML file located there for writing. Like any good file-I/O-related code, Save is prepared for I/O-related problems: if, say, the filename is invalid, the catch block is ready to leap into action. The code it runs& is guaranteed to fail in three exciting ways:

1. Since the exception must have been thrown by XMLTextWriters constructor, write is still null. Trying to call a method on it will throw a NullReferenceException
2. Even if write werent null, the first call attempts to write a document end tag to the XML document. Since this code is executing before it ever started writing the XML document, this would throw an ArgumentException
3. Ignoring both of those, the subsequent attempt to close the unopened document using the uninstantiated object reference will throw another NullReferenceException

And just in case none of the above happens the code then re-tries the same call that threw the original exception, oblivious to the well-loved clich'e. When this doesnt work, the method swallows the exception and returns, leaving the caller blissfully unaware that the file was not, in fact, saved.

Thank goodness none of that matters, because of Exciting Failure Case #1! And since the calling code doesnt handle exceptions, the user will be very aware their file wasnt saved when the whole application crashes! Now thats a great save.

Bonus Content!

For additional entertainment, heres the code that calls the Save method. How long til the madness sets in when you contemplate what this is doing?

string temp = sfd.ToString();
string[] tempArr = temp.Split(' ');
Save(tempArr[4]);  

(Note: sfd is an instance of SaveFileDialog)

[Advertisement] Use NuGet or npm? Check out ProGet, the easy-to-use package repository that lets you host and manage your own personal or enterprise-wide NuGet feeds and npm repositories. It's got an impressively-featured free edition, too!

http://thedailywtf.com/articles/save-yourselves

"Samsung's printer technology must really be something," writes Tim, "A black and white printer able to output a full color photo?! Who knew!"

Richard wrote, "Hmmm...at 17 GB, do I really need source control that badly?"

"Finally - a survey I can agree with," Sean L., "One is definitely less than five."

Rafael C. writes, "Undocumented and serious?! I think that I might be in trouble."

"Okay, I need Yellow Toner, sure, but it seems I have bigger, vaguer problems to tackle first," Josh P. wrote.

Brian F. writes, "Alas, AVG AntiVirus Free...I hardly knew you."

"Some websites take their good old time updating their sites," Paolo T. writes, "but considering East Germany (German Democratic Republic) hasn't been around since 1990, KTMB (Malaysian Railways) had better get with the program!"

"The Chase Credit application form I filled out asks that if I'm self employed that I type 'self:' with what I do," Collin wrote, "This isn't a problem, until you go to submit the form and find that special characters like ':' aren't permitted."

[Advertisement] Use NuGet or npm? Check out ProGet, the easy-to-use package repository that lets you host and manage your own personal or enterprise-wide NuGet feeds and npm repositories. It's got an impressively-featured free edition, too!

http://thedailywtf.com/articles/no-color-no-problem

We pick on date handling code a lot here, simply because there are so many ways to mess up date related code (because dates are hard). In a way, its almost like were cheating. Even smart programmers could mess that up. What about basic conditional logic? How hard could that be to mess up?

Well Jan L. came across this solution to a simple boundary check- if telegramType is between 100 and 199, it is a payment type telegram.

boolean isPaymentType = false;
for (int i = 100; i < 199; i++) {
    if (telegramType == i) {
        isPaymentType = true;
    }
}

If it looks stupid but it works its… no, its still stupid.

Well, what about when youre getting a string, and you need to see if its true? You could do a raw string comparison, or even better, convert the string to a boolean type using a built-in function. Or, you could be like **Marcus M.s``` co-worker and do this:

Private Function thisWasARealFunctionFoundInACodeBase() As Boolean
            Return (MyCBPage.MyNeo.GetQSVar("contenton").ToLower() = "true" Or MyCBPage.MyNeo.GetQSVar("contenton").ToLower() = "true" Or MyCBPage.MyNeo.GetQSVar("contenton").ToLower() = "true")
End Function

For those keeping score at home, that is the same expression tested three times. I assume this function started life before the developer learned about ToLower, and they intended to cycle through every possible capitalization of tRuE.

Well, at least none of these are trying to parse a bit mask using a triple-nested ternary expression hidden behind a C++ macro, right?

Chris sends us this:

#define CALCOPT_NOHITS          ( (m_CalcOpt & (CALCOPT_TRACEHITS|CALCOPT_TRACESUBHITS)) == (CALCOPT_TRACEHITS|CALCOPT_TRACESUBHITS) ? m_CalcOpt^(CALCOPT_TRACEHITS|CALCOPT_TRACESUBHITS) : ((m_CalcOpt&CALCOPT_TRACEHITS) ? (m_CalcOpt^CALCOPT_TRACEHITS) : (m_CalcOpt&CALCOPT_TRACESUBHITS)?(m_CalcOpt^CALCOPT_TRACESUBHITS):m_CalcOpt) )

Chris replaced that with a far simpler macro (that doesnt use a ternary): #define CALCOPT_NOHITS (m_CalcOpt & ~(CALCOPT_TRACEHITS | CALCOPT_TRACESUBHITS))

Alright, so maybe conditional logic is hard. But you know what should be easy? Embedding a script in a web page. I mean, theres built-in, simple tags for that. How hard could that be?

Olivier V.s company hired a 3rd party web consultancy that came up with this:

document.write('');

I can only assume that someone in their organization banned the use of the word script inside of a script.

[Advertisement] Manage IT infrastructure as code across all environments with Puppet. Puppet Enterprise now offers more control and insight, with role-based access control, activity logging and all-new Puppet Apps. Start your free trial today!

http://thedailywtf.com/articles/if-you-want-to

"So, first day, huh?"

"Yeah." Jake loosened his tie nervously and straightened his suit. Standing in a room full of geeky-looking guys in T-shirts and hoodies, he felt like a time traveller from centuries past.

"Don't worry, a few days and you'll get a grip of how we do things around here." Steve, Jake's superior and tour guide, couldn't suppress a sly smile at the expense of the new guy. "Anyway, that's our office, here's your desk." He pointed to one of the open plan seats, quickly swiping an empty Coke can off of it. "And remind me, you're the back-end guy, aren't you?"

"Well, my strong suit is database work, but I know Ruby and PHP too," Jake said. "Also some basic HTML and CSS, if there's a need."

"Nah, don't worry, we have lots of people doing this. Speaking of people, let's go around and say hi to everybody, then we can grab a coffee and breakfast — there's a nice vegan cafeteria downstairs — and by 11:00 all your accounts should be set up and we can get you some real work to do."

"Sounds good to me," Jake replied as they walked toward the other end of the office. "So, can you tell me what you guys are doing here?"

Two hours later, after making all his acquaintances, discussing the upcoming project, and eating what appeared to be a piece of cardboard coated in sea salt, Jake finally ended up in front of his shiny, triple-monitor workstation.

"Okay, our SVN is at https://svn.initrode.com." Steve took a free seat nearby. "The account should be there already. You know how to connect to it, right?"

"Sure, but I'll need my credentials, right?" Jake asked.

"Oh, that's simple," Steve replied. "See, since we were tired of people going around asking for passwords, we developed this little tool called PassMan. It's sort of a keyring, keeps all your passwords together. Just open the command prompt and type 'passman'."

Hearing that, something in Jake's brain instantly threw a red flag, but he kept his mouth shut. After all, the first day at a new job was not the best time to question the company's processes. For now, he decided to oblige.

C:\Users\jakesmith>passman
USAGE: passman   
Available systems: db financial ftp intranet jira joshua lync mail prodsrv svn testsrv tfs webadmin
C:\Users\jakesmith>

Huh. I guess I'll get the password via e-mail or something when I request it, Jake thought. Here we go…

C:\Users\jakesmith>passman Jake Smith svn
Your login is: jsmith
Your password is: 1qazxsw2
C:\Users\jakesmith>

Jake's jaw dropped.

"See?" Steve seemed much more impressed by the solution. "Simple, efficient, and you no longer need to go through all the paperwork just to get a password! Now get your project, have a look at it, and ping me when you're ready." He got up and walked away, leaving Jake stumped and speechless.

After setting the repository to download, Jake decided to play around with the PassMan...

C:\Users\jakesmith>passman Jake Smith webadmin
Your login is: admin
Your password is: hunter2
C:\Users\jakesmith>passman Jake Smith db
Your login is: dbadmin
Your password is: dbadmin
C:\Users\jakesmith>passman Jake Smith joshua
SHALL WE PLAY A GAME?
^C^C^X^C^CC:\Users\jakesmith>

A thought struck him like a bolt of lightning. Oh God. They do verify the user names, right? With throbbing heart, he typed in Steve's name:

C:\Users\jakesmith>passman Steve Williams svn
Your login is: swilliams
Your password is: i<3tswift

Jake had to pinch himself before closing the command prompt to make sure he wasn't having a bad dream. Keyring? More like a master key up for grabs! Who thought this was a good idea?

Jake leaned his head against the office window to his side. Looking down from his seat, he could see all 14 stories of his building — a building that hosted of one of the largest ISPs in the country...

[Advertisement] BuildMaster is more than just an automation tool: it brings together the people, process, and practices that allow teams to deliver software rapidly, reliably, and responsibly. And it's incredibly easy to get started; download now and use the built-in tutorials and wizards to get your builds and/or deploys automated!

http://thedailywtf.com/articles/what-s-the-password

Today's snippet needs very little introduction. In the words of the submitter:

[My predecessor] is what I would consider, among the worst programmers in the world. While his programs actually do work and do what they should, his techniques and programming decisions are very questionable. The [below] code snippet is from a program he wrote after he spend about a year at this company.

The function had one goal: validate a pair of textboxes to ensure they each contain a date, usually in a format like "12 2012" for December 2012. It demonstrates the kind of short-sightedness that usually gets ground out of a developer inside of their first year, like the impulse to test only the happy path through the code and not any possible error conditions. It's generally best to assume your users are malicious idiots who will type things like "none" or "99 luftballons" instead of a proper date.

If that were all he did, though, this wouldn't be worthy of TDWTF. Have a look-see:

private void button1_Click(object sender, EventArgs e)
{
	int digitornot = 0; //'Tis a digit or not?

	if ((textBox1.Text.Length == 1) || (textBox1.Text.Length == 2) || (textBox2.Text.Length == 4))
	{ 
		foreach (char x in textBox1.Text + textBox2.Text)
		{
			if (Char.IsDigit(x))
			{
				digitornot = 1;
			}
		}

		if (digitornot == 1)
		{
			Program.Month = Convert.ToInt16(textBox1.Text);
			if ((Program.Month > 0) && (Program.Month < 13))
			{
				Program.Year = Convert.ToInt16(textBox2.Text);
				if ((Program.Year > 2000) && (Program.Year < 2050))
				{
					this.Close();
				}
				else
				{
					MessageBox.Show("Wrong input!\r\nCheck format!");
				}
			}
			else
			{
				MessageBox.Show("Wrong input!\r\nCheck format!");
			}
		}
		else
		{
			MessageBox.Show("Wrong input!\r\nCheck format!");
		}
	}
	else
	{
		MessageBox.Show("Wrong input!\r\nCheck format!");
	}
}

Not only did the author use integers when a boolean would be more appropriate, he also neglected to name any of his input fields, making maintenance a nightmare. The check for digits will allow all kinds of crud through, which will then crash the program when it tries to convert non-integers to Int16. The submitter has no idea why the year is being compared to 2050. Presumably, the Rapture will happen before then, so no future dates need be considered beyond that point.

[Advertisement] Manage IT infrastructure as code across all environments with Puppet. Puppet Enterprise now offers more control and insight, with role-based access control, activity logging and all-new Puppet Apps. Start your free trial today!

http://thedailywtf.com/articles/you-ve-got-my-number

Will, his boss Rita, and Nick from HR huddled around a conference room speakerphone, listening to their new marching orders from the giant company that’d just bought out their small 100-person shop. Big changes would be avalanching down from Corporate over the next several months. For the moment, they were going over the modifications required to be complaint with their new overlords’ IT policies.

Twenty minutes into the call, nothing major had come up. Will dashed down notes, thinking this wouldn’t be so bad after all…

Then the voice on the other side intoned, “Local admin rights for all users.”

Will and Rita glanced up from their laptops with a start, sharing the same wide-eyed look of alarm.

Nick glanced between them, picking up on their consternation, but unsure what it meant. “Uh, guys? Is that doable?” he prompted.

“Hang on a sec.” Will reached out to swat the Mute button on the speakerphone. Then, he couldn’t help himself. His glimmer of amusement turned into a snort, then a giggle, then full-on loud laughter—laughter that Rita joined him in.

“What is it?” Nick asked, more confused than ever.

“Local…? Sorry. Local admin rights for everyone?” Will sat back in his chair, pressing his palms against his eyes as he recovered his breath.

“It basically means we’d be giving everyone here carte blanche to install and run and change whatever they want, whenever they want, on their computers,” Rita explained. “That doesn’t sound so bad, but in reality, it makes us vulnerable to malware, viruses, security attacks, you name it.”

“Some people do need admin rights to perform their jobs, but not everyone,” Will chimed back in. “It’s gonna open up huge cans of worms.”

“Well, shoot,” Nick said, concerned. “I don’t know if we have much wiggle room. Let’s see what we can do.” His finger hovered over the Mute button. “You’re willing to explain to them why it’s a bad idea?”

“In depth!” Will said.

“OK.” Nick un-muted the speakerphone. “We’re back now, thanks. Um, so, about the local admin thing—”

“We know you have objections,” one of the disembodied overlords replied casually.

Will, Rita, and Nick traded surprised looks.

“Most of you small fries do when you come aboard,” the voice continued. “Sorry, but that’s our policy. Non-negotiable.”

This marked the first time Will had a pronounced sinking feeling about their acquisition. It wouldn’t be the last.

“I really don’t want to do this,” he told Rita a few days later, poised to make the ordered changes.

Rita gave an apologetic shake of her head. “I appealed it as high as I could, kid. We don’t have a choice. Do me a favor: keep track of the extra tickets and problems we get as a result of this, OK? Maybe then I’ll have the metrics I need to get someone to listen.”

“It’s the metrics that matter.” With a distasteful shake of his head, Will got to work. “Can’t wait to see what comes in first.”

To their surprise, a full week of peace and quiet ensued, but this was merely the calm before the excrement-storm. Early on a Monday, emails flooded the support box.

Oh no where are my database icons?

Did you guys do something to my machine over the weekend? I’m missing a bunch of shortcuts…

Mysteriously, each user was missing the exact same set of desktop icons: 5 shortcuts leading to the databases located on the network.

His unfamiliarity with the problem, and horror at the sheer number of emails, sent Will careening to Rita’s cube. “Ever see anything like this before?”

“No,” she replied. “Does this have anything to do with enabling local admin rights?”

Will frowned. “I don’t really see how. I’m not sure what it is. I’m just gonna write up a quick batch file to re-add the shortcuts and push it out to everyone.”

So he did. The shortcuts reappeared, and worked perfectly. Everyone was happy. It was tedious, but Will made sure to log and close out a separate support ticket for each email he'd received, just in case he needed those blessed “metrics” later.

More like ammo, Will thought. Oh well, he doubted he’d ever run into this again.

Exactly one week later, the universe told him what he could do with his doubts.

“Those same icons are all missing again!” Will told Rita.

“OK, it really does seem like this has something to do with the admin change,” Rita said.

“How?!”

She shrugged and sighed. “Let’s find out.”

They pored through event logs, antivirus logs, GPO lists, and logon scripts. Nothing pointed to anything.

“Maybe Google is our friend?” Will proposed.

A few searches later, he had the answer: the infamous Windows 7 Computer Maintenance. If there were more than 4 broken shortcuts on the desktop, it deleted them completely. No Recycle Bin, no Unused Icons folder, just obliterated. It ran its maintenance tasks once a week on startup, after the desktop icons loaded, but before the network drives finished mapping. That meant the database links were "broken,” and were therefore deleted.

Windows Computer Maintenance required local administrator access to automatically delete icons off the desktop.

The icons could be retrieved via system restore, but Will wasn’t about to walk dozens of people of varying degrees of computer literacy through mounting a restore point and browsing to where the shortcuts lived. He ended up writing a startup script to manually recreate the shortcuts after all the other bizarre startup processes had finished doing their thing.

Again, he logged and closed support tickets for each email received. Two weeks after making everyone an admin, Rita had metrics-ammo spilling out of both pockets, but after a round of emails and conference calls, their overlords did not care.

[Advertisement] BuildMaster is more than just an automation tool: it brings together the people, process, and practices that allow teams to deliver software rapidly, reliably, and responsibly. And it's incredibly easy to get started; download now and use the built-in tutorials and wizards to get your builds and/or deploys automated!

http://thedailywtf.com/articles/we-re-all-admins-here

"What makes this worse is that this wasn't an edge case," wrote Roger, "I only right-clicked in the body of an email."

"Luckily, I'm independently wealthy, and can afford to take a position like this. I'll get right back to you, Joe!" writes Scott.

Mike wrote, "How can client software live in a world where a server's answers are meaningless?"

Daniel Z. writes, "I never use XDebug, but when I do, I do it in Production."

"I guess that it makes sense that, this time of year, even Pluto doesn't have any hotel vacancies," David A. wrote.

"Now THIS is what I call proactive support!" Paolo T. writes.

Piotr wrote, "If you'll excuse me, I need to create a YouTube channel."

"Estimated delivery...NEVER!" Erik C. writes.

[Advertisement] Manage IT infrastructure as code across all environments with Puppet. Puppet Enterprise now offers more control and insight, with role-based access control, activity logging and all-new Puppet Apps. Start your free trial today!

http://thedailywtf.com/articles/what-is-this-right-click-you-speak-of