I’ll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button and it reaches out to a database and pulls all the data following that matches those parameters. The horrors of this were 1. The queries were hard coded.

  1. They were stored in a configuration file, in xml format.

  2. The queries were not 1 entry. It was 4, a start, the part between start date and end date, the part between end date and system and then the end part. All of these were then concatenated in the program intermixed with variables.

  3. This was then sent to the server as pure sql, no orm.

  4. Here’s my favorite part. You obviously don’t want anyone modifying the configuration file so they encrypted it. Now I know what you’re thinking at some point you probably will need to modify or add to the configuration so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt but there were no visible buttons to access those functions. The program was written in winforms. You had to open the program in visual studio, manually expand the size of the window(locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.

  • FigMcLargeHuge@sh.itjust.worksEnglish
    70·
    20 days ago

    Long time ago, but by far the worst for me was when I inherited some code that a previous programmer had done. Every variable was a breakfast item. So if biscuit>bacon then scrambledeggs=10. Shit like that. It was a nightmare and luckily I only had to deal with it infrequently.

    • CaptDust@sh.itjust.works
      38·
      20 days ago

      Why do people do stuff like this, is the logic not difficult enough to follow on it’s own without a secondary definition table to consult!? Fucking hell.

    • vrek@programming.devOPEnglish
      27·
      20 days ago

      I don’t know what’s worse… That program or that you put biscuits greater than bacon…

      Actually I think the greater crime is biscuits being greater than bacon

    • hddsx@lemmy.ca
      17·
      20 days ago

      I don’t know how old you are but when I was in school, this was just going out of style. They saw this as job security. If you’re the only one who can work on the code, then they won’t fire you

  • Ephera@lemmy.mlEnglish
    47·
    20 days ago

    One time, I had to request firewall access for a machine we were deploying to, and they had an Excel sheet to fill in your request. Not great, I figured, but whatever.

    Then I asked who to send the Excel file to and they told me to open a pull request against a Git repo.
    And then, with full pride, the guy tells me that they have an Ansible script, which reads the Excel files during deployment and rolls out the firewall rules as specified.

    In effect, this meant:

    1. Of course, I had specified the values in the wrong format. It was just plaintext fields in that Excel, with no hint as to how to format them.
    2. We did have to go back and forth a few times, because their deployment would fail from the wrong format.
    3. Every time I changed something, they had to check that I’m not giving myself overly broad access. And because it’s an Excel, they can’t really look at the diff. Every time, they have to open it and then maybe use the Excel version history to know what changed? I have no idea how they actually made that workable.

    Yeah, the whole time I was thinking, please just let me edit an Ansible inventory file instead. I get that they have non-technical users, but believe it or not, it does not actually make it simpler, if you expose the same technical fields in a spreadsheet and then still use a pull request workflow and everything…

    • vrek@programming.devOPEnglish
      18·
      20 days ago

      The corporate world runs on excel, never the best option, but everyone knows it so…

        • inzen@lemmy.world
          16·
          20 days ago

          Try a few Gigabytes. I worked on site IT support for a year, we had to max out memory on a workstation because the company database was a, about 3GB, Excel file. It took minutes to open and barely worked, crashing frequently.

  • CaptDust@sh.itjust.works
    42·
    20 days ago

    I’ve had legacy systems that would encrypt user passwords, but also save the password confirmation field in plain text. There was a multitenent application that would allow front end clients to query across any table for any tenant, if you knew how to change a header. Oh and an API I discovered that would validate using “contains” for a pre-shared secret key. Basically if the secret key was “azh+37ukg”, you could send any single individual character like “z” and it would accept the request.

    Shits focked out here, mate.

    • vrek@programming.devOPEnglish
      4·
      20 days ago

      I have to ask, if it’s only contains wouldn’t you get a ton of collisions?

      Expecting an apartment manager to know what a api header was nevermind how to change it is probably not likely. Security hole to be sure though.

      • CaptDust@sh.itjust.works
        8·
        20 days ago

        The secrets themselves were basically guids, they had quite a lot of characters. If sent MORE than 1 character, pretty low chance they would clash. But those long guids also covered a lot of letters and number - it wasn’t terribly difficult to find one single character that cleared authorization reliably.

        And maybe you’re joking lol, but multitenant meaning multiple businesses/customers using the same application stored in the same database. If Bob’s construction wanted to spy on Jim’s contracting, they’d just need to know the right header to send and could get whatever they wanted from the other customer partitions. User access should of course be limited to their own assigned partitions.

        • vrek@programming.devOPEnglish
          3·
          20 days ago

          Oh, ok I interpreted multitenant wrong. I was thinking it was like a apartment complex so you have like a manager and a sales person with access and that’s it. Still a valid security risk but not as severe as what you are saying now.

          Sorry for confusion

    • Hasherm0n@lemmy.world
      3·
      19 days ago

      I once saw an application that would encrypt (not hash, encrypt) passwords but then when a user was logging in, they’d encrypt the password candidate and then compare the cipher texts to see if they were the same. This was using 3des, so no IV.

  • i_stole_ur_taco@lemmy.ca
    41·
    20 days ago

    I found code that calculated a single column in an HTML table. It was “last record created on”.

    The algorithm was basically:

    foreach account group
  foreach account in each account group
    foreach record in account.records
      if record.date > maxdate
        max = maxdate

    It basically loaded every database record (the basic unit of record in this DATA COLLECTION SYSTEM) to find the newest one.

    Customers couldn’t understand why the page took a minute to load.

    It was easily replaced with a SQL query to get the max and it dropped down to a few ms.

    The code was so hilariously stupid I left it commented out in the code so future developers could understand who built what they are maintaining.

  • deadbeef79000@lemmy.nz
    35·
    20 days ago

    A registration form and backend that would return the error “please choose more unique password” if you choose a password that was already stored (in plain text) in the database against another username.

    I shit you not.

  • TootSweet@lemmy.worldEnglish
    28·
    20 days ago

    Java webapp. Customer facing. E-commerce application, so in PCI scope and dealt with credit card info and such.

    There was one specific cookie that stored some site-wide preference for the customer. (Why not just put that preference in the database associated with the user? Because that would make too much sense is why.)

    But the way they encoded the data to go into the cookie? Take the data, use the Java serialization framework (which is like Python’s “Pickle” or Go’s “Gob”) to turn that into a string. But that string has binary data in it and raw binary data is kindof weird to put in a cookie, so you base64 encode the result. (The base64 encoding was the only sane step in the whole process.) Then you do the reverse when you receive the cookie back from the browser. (And no, there was no signature check or anything.)

    The thing about the Java serialization framework, though is that decoding back into Java objects runs arbitrary object constructors and such. As in, arbitrary code execution. And there’s no checking in the deserialization part of the Java serialization framework until your code tries to cast the object to whatever type you’re expecting. And by that point, the arbitrary code execution has already happened. In short, this left a gaping vulnerability that could easily have been used to extremely ill effect, like a payment information breach or some such.

    So all a malicious user had to do to run arbitrary code on our application server was serialize something, base64 encode it, and then send it to our servers as a cookie value. (Insert nail biting here.)

    When we found out that there was a severe vulnerability, I got the task of closing the hole. But the existing cookies had to continue to be honored. The boss wasn’t ok with just not honoring the old cookies and developing a new cookie format that didn’t involve the Java serialization framework.

    So I went and learned enough about the internal workings of how the Java serialization framework turned a Java value into a binary blob to write custom code that worked for only the subset of the Java serialization format that we absolutely needed for this use case and no more. And my custom code did not allow for arbitrary code execution. It was weird and gross and I made sure to leave a great big comment talking about why we’d do such a thing. But it closed the vulnerability while still honoring all the existing cookies, making it so that customers didn’t lose the preference they’d set. I was proud of it, even though it was weird and gross.

    The value that was serialized to put into the cookie? A single Java int. Not a big POJO of any sort. Just a single solitary integer. They could just as well have “serialized” it using base-10 rather than using the Java serialization framework plus base64.

    • mcmodknower@programming.devEnglish
      11·
      20 days ago

      Some minecraft mods had/have a similar problem. They use javas serialization stuff for sending stuff between client and server. There is mod that partially fixes this by only allowing whitelisted classes to be deserialized.

    • vrek@programming.devOPEnglish
      4·
      20 days ago

      Wow… If you can answer was this like a single company or were you selling the service to other companies?

      If selling to multiple companies did you offer a “new” version and a “security patch” for the old or just made everyone use your implementation?

      • TootSweet@lemmy.worldEnglish
        17·
        20 days ago

        This was a developed-in-house e-commerce web application at a major e-retailer. So fortunately that monstrosity of a cookie-handling mess was only ever used by one company.

        You know what, though? Talking about this reminds me of another story about the same e-commerce application.

        After a customer placed an order on this e-commerce site, the company’s fraud department had to evaluate the order to make sure it wasn’t fraudulently placed. (As in, with a credit card not owned or authorized for use by the purchaser.) Once that was done, the order had to be communicated to a worker at the warehouse so they could pack the right items into a box, put on a shipping label, and set the box aside to be picked up by the UPS truck which would come once a day near the end of the day.

        The application used by the fraud department and the application that displayed new orders to warehouse workers was one and the same application. Whether a user had fraud-evaluating powers or pack-items-in-boxes powers just depended on what permissions their particular user had. (That may have been decided by LDAP groups. I don’t remember for sure.)

        Meanwhile, the e-commerce site offered gift cards for sale online. The gift card would be shipped to the customer. And there was a box where you could write a message associated with the gift card. So, for instance, someone could buy a gift card to be sent to their nephew’s address or whatever and include a little note like “Happy Birthday. Don’t spend it all at once.” or whatever. And the fraud/pick-and-pack application would display all details of the order including any messages associated with the gift cards.

        Well, I found a stored cross-site scripting vulnerability where if you put <script>...</script> tags with some JavaScript in the gift card message box and completed the order, the JavaScript would execute any time someone viewed the details page for the order in the fraud/pick-and-pack application. And of course, the JavaScript could do within that application just about anything the user could do with their given permissions.

        The main danger was that a malicious actor with sufficient knowledge of how our fraud application worked could place an order fraudulently with someone else’s credit card and include in the order a gift card with a malicious JavaScript payload in the message box, and then that malicious JavaScript could automatically mark the order “a-ok, no fraud here” when a fraud department worker loaded the order details page, letting the order be fulfilled without any actual fraud review.

        The fix was pretty simple. Just stick a <c:out>...</c:out> in the appropriate place in the fraud/pick-and-pack application code. But it was an interesting example of a vulnerability in a not-customer-facing application that could none-the-less be exploited by any public customer/user without any particular special access.

        If you’re interested in one more interesting story about the same e-commerce application, see this comment I made a while ago.

        • vrek@programming.devOPEnglish
          4·
          20 days ago

          That is interesting, I dealt with purely internal software so never considered that.

  • Phoenixz@lemmy.ca
    28·
    19 days ago

    A program that HR had built so that all employees could they their payment receipts online

    The username was the companies’ email address, the password was a government personal id code that you can lookup online, a don’t change, and you can’t update the password to something else.

    So I told the director of HR this was a bad idea. She told me I was overreacting until I showed her her own receipt, then she finally understood that this is a really fucking bad idea.

    Okay, so now she out me in charge of debugging that program.

    So I setup a meeting with the director of the company they hired, he came by with the developer: a 21 yo girl who I think hadn’t finished college yet. Great start! Apparently it was her idea to do the authentication like that so that explains a few things.

    So we dive in to the code.

    First of all, the “passwords” were stored in blank, no hashing, no encryption, nothing. That wasn’t the worst.

    For the authentication she made a single query to check if the user email existed. Of that was true, then step two was a second query to see if the password existed. If that were true, the email had been authenticated.

    So let’s say, hypothetically, that they had actual passwords that people could change… I could still login with the email from anyone, and then use MY OWN password to authenticate.

    This just blew my mind so hard that I don’t think I ever fully recovered, I still need treatment. The stupidity hurts

    • groet@feddit.org
      15·
      19 days ago

      I wouldnt blame that on stupidity as much as on ignorance and naivety. Many people simply don’t think about anybody deliberately misusing their design. The idea that somebody could even want to access somebody elses receipts didn’t occur to them. And if they were still doing their studies they might not have known that you can “combine” SQL queries and ask for two things at once.

      I don’t blame the girl, but whoever chose her to design a system with sensitive information.

      • Phoenixz@lemmy.ca
        2·
        18 days ago

        I don’t blame a girl for doing a job that lands her food on the table. I blame the guy employing her because she’s the cheapest option

        Having said that, this design was so bad that she should not have been doing any of this. If you don’t know that SQL allows you to select multiple columns then by all means, do a tutorial, it’s not that hard.

        If you don’t even know what encryption is, that passwords need hashing and what not, then you should really question what you’re doing

        OPs question was about the worst code I’ve seen, that was the worst I’ve seen

        • RobertoOberto@sh.itjust.works
          1·
          17 days ago

          If you don’t even know what encryption is, that passwords need hashing and what not, then you should really question what you’re doing

          I agree with your point, but I would phrase it more generally: when we’re assigned a task in a problem space we are unfamiliar with, we should always take some time to research that space before designing our solution.

          After all, if we don’t know what encryption or password hashing are, how could we know that we need to learn about them first? But spending just a couple hours one morning reading about password and authentication management would have given the developer a good sense of best practices.

          So she either, A) didn’t think to familiarize herself with a new topic prior to working on it, or B) did read about it and ignored general industry guidance. Both of those options are more problematic to me than simply not knowing specific things. Those are process problems that need to be addressed to build her skills as a developer.

          But ultimately, in my opinion, this is really all the fault of the cheapass director who didn’t want to pay any experienced professionals to handle the task.

  • i_dont_want_to@lemmy.blahaj.zone
    22·
    20 days ago

    I was told about a bug in a specific tool. It was being used in production. Apparently we’ve gotten a lot of complaints about it over the years, and they would complain if the site was actively used it always failed.

    I couldn’t find it in the development branch in source control.

    I asked if this tool was purchased from a third party. My boss, who was not a developer, said no. And he was very sure of that. But he didn’t know where the code was.

    I was the developer with the most seniority, and I was there for less than a year at this point.

    I looked again. I finally found it… In an unapproved pull request from a few years prior.

    The meat of this tool basically took information to make an order and create an order in the system.

    Any time we needed to insert a record, it would find the highest Id in the table, increment 1, and insert the new record, id and all. It did this for every entity that needed to be inserted. Address, customer… Everything.

    Worse, very little validation was done. Want to order something but it’s out of stock? No problem, this tool just pushed it right through.

    Want to ship something using a shipping method that doesn’t exist? You got it.

    Want to ship something to an address that doesn’t exist? Sounds like the warehouse’s problem.

    Knowing about the level of knowledge here, you know that there were no transactions. All sorts of unused records were left in the database when there was an error. The users would get a generic error and try again several times, too.

    The worst part was, we have an already existing function that would take order information and try to make an order. And it would give you actionable errors!

    • JackbyDev@programming.devEnglish
      6·
      20 days ago

      This reminds me of a time at work when we got sued. The company was allegedly using (or had copies) of some tool we couldn’t have anymore. Annoying, but fine. However, to check this, they scanned all of our computers for the name of that company. They told us all to delete our entire local Maven repository. Someone who worked there was on the commiter list for a couple of open source projects. I just manually deleted those files because I knew for a fact that our central Maven repository didn’t have some of the versions of our own code on it and I wasn’t confident we wouldn’t need them again. Turns out I was right and needed to grab one later on to upload. Because I manually deleted the files with the company’s name instead of just deleting everything, the scanner thing they were running didn’t detect offending files. (Not that a file listing someone’s email address as a commiter to an open source project should be offending, but still.)

  • halloween_spookster@lemmy.worldEnglish
    21·
    20 days ago

    Our CFO’s social security number, contact info, and just about everything you’d need to impersonate them inside a random shell script that was being passed around like drugs at a party for anyone to use. Oh and it had an API key to our payments processor hard coded into it.

    That was the tip of the iceberg of how bad the systems were at the company. All of these are from the same company:

    • A fintech based company with no billing team
    • An event system that didn’t event
    • A permissions system that didn’t administer permissions
    • A local cache for authentication sessions. Which means that requests would intermittently fail auth because the session was only on one replica. If you hit any of the other ones, you’d get an unauthenticated error
    • A metrics collection system that silently lost 90% of it’s data
    • Constant outages due to poorly designed and implemented systems (and lack of metrics… hmmm)
    • Everything when I joined was a single gigantic monolith that was so poorly implemented they had to run at least 3 different versions of it in different modes to serve different use cases (why the fuck did you make it a monolith then?!)
    • The subscriptions system was something like 20 or 30 database tables. And they were polymorphic. No one could touch the system without it breaking or that person declaring failure, which leads me to …
    • A database schema with over 350 tables, many of which were join tables that should have been on the original table (fuck you scala/java for the limitations to the number of fields you can have in a case class). Yes you read that right. Table A joined to table B just to fill in some extra data that was 1:1 with table A. Repeat that a few dozen times
    • History tables. Not separate from the original table, but a table that contained the entire history of a given piece of data. The worst example was with those extraneous join tables I just mentioned. If you went and changed a toggle from true to false to true to false, you’d have 4 records in the same table. One for each of those small changes. You’d have to constantly try to figure out what the ‘latest’ version of the data was. Now try joining 5 tables together, all of them in this pattern.
    • Scala… I could go on a tirade about how bad scala is but needless to say, how many different error handling mechanisms are there? Scala decided to mix all of them together in a blender and use them all together. Scala is just two white paper languages in a trenchcoat. Never use it in a production system
    • A dashboard for “specialists” that was so easy to overwhelm that you could do it by breathing on it due to the LACK of events that it needed
    • Passwords stored in plain text (admittedly this was in the systems of the company we acquired while I was there). Doesn’t matter if they were actually <insert algorithm here>, they were visible in a dashboard accessible by employees. Might as well have been plain text
    • A payments system that leaked it’s state into a huge part of the rest of the system. The system ended up being bifurcated across two systems, I was brought in to try to clean up some of the mess after only a couple of months. I desperately tried to get some help because I couldn’t do it solo. They ended up giving me the worst engineer I’ve ever worked with in my 15 year career, and I’ve seen some bad engineers. Looking back, I’m reasonably confident he was shoving our codebase into an AI system (before it was approved/secured, so who knows who had access) and not capable of making changes himself. I could make several posts about this system on its own
    • I could go on but I’ll cut it off there
  • softkitteh@lemmy.blahaj.zoneEnglish
    21·
    19 days ago

    Oh boy, this one was a doozy…

    Was working at a very big company named after a rainforest on smart home products with integrations for a certain home assistant…

    New feature was being built that integrates the aforementioned home assistant with customer’s printers so they can ask the assistant to print stuff for them.

    The initial design lands from our partner team with a Java backend service fairly nicely integrated with some CUPS libraries for generating the final document to be sent to the customer’s printer. All good.

    They are about to launch when… uh oh… the legal team notices an AGPL licensed package in one of the CUPS library’s dependencies that was absolutely required for the document format needed by the project and the launch is cancelled.

    So the team goes off in a panic looking for alternatives to this library and can’t find any replacements. After a month or two they come back with their solution…

    Instead of converting the document directly in the backend service with the linked CUPS library (as AGPL is a “forbidden license” at this company) the backend uploads the initial document to an S3 bucket, then builds a CUPS document conversion bash shell script using some random Java library, the shell script is then sent (raw) to a random blank AWS host that comes prepackaged with CUPS binaries installed (these hosts were not automated with CI/CD / auto updates as was usually mandated by company practice because updating them might remove the CUPS binaries, so they required a ton of manual maintenance over the service’s lifetime…), the bash shell script is then executed on that “clean” host, downloading the document from S3, converting it via the CUPS command line binary, then reuploading it to another S3 bucket where the Java backend picks it up and continues the process of working the document through the whole backend pipeline of various services until it got to the customer’s printer.

    This seemed to satisfy the legal team at the very least, and I have no doubt is probably still in production today…

    The kicker though? After all those months of dev work from a whole team (likely all on 6 figure salaries), and all the time spent by various engineers including myself on maintenance and upkeep on that solution after it was transferred to us?

    An alternative, completely unrestricted corporate license was available for the package in question for about $100 per year so long as you negotiated it with the maintainers.

    But that was a completely unacceptable and avoidable cost according to upper management…

    • vrek@programming.devOPEnglish
      3·
      19 days ago

      Wait 100 per year total or 100 per seat per year? If it’s per seat I can understand, if it’s total wtf…

      • softkitteh@lemmy.blahaj.zoneEnglish
        12·
        19 days ago

        $100 total, per year… as a FOSS enthusiast, it made me very angry that such a rich company was so petty over such a small cost for a product that raked in multiple millions of dollars per year 😾

        • vrek@programming.devOPEnglish
          8·
          19 days ago

          Yeah that’s fucked up. From two perspectives 1. Who ever wrote that library needs money to survive. 2. From the company point of view they wasted WAY more money on the development then the license. Hell if 1 developer spent a day to do it, they paid more than they would for the license

          • NotMyOldRedditName@lemmy.world
            5·
            19 days ago

            The first time something goes wrong with that complicated setup, it probably pays for a decade half a century or more of it’s fee.

  • GottaHaveFaith@fedia.io
    19·
    20 days ago

    I basically fix other people shitty voice for a living (replacing it with my own shitty code), the “best” one was by a guy, I suppose he was a self taught c programmer from how he wrote code, writing a complex python program. I saw:

    • a function called randomNumberGenerator. It was a function which started a webserver. While looking for a python tutorial for something I found out why: he copy pasted the tutorial snippet but then didn’t bother renaming the function
    • a program whose job was to listen to all other services and send them to another service via udp BUT it had a maximum buffer size so messages sometimes got truncated. I just directly put the listener in the target program and deleted it
    • like another guy in this thread he didn’t use git. First day on the job they told me “yes, we need to check which machine has the latest code because he ssh into them and work there”. His version control was basically putting code in different machines
    • lot of copied variables, because of c I suppose? Things like var = self.var
    • camelCase python (ok this is just styling in the end)
    • files with 10k lines of code
    • half the services were in python 2, half in python 3. Don’t ask me why
    • variables name in his original language (not English, not the client language)
    • single letter variables, I fondly remember self.I (upper case i)
    • I remember an if a == a: (I left it there because lol)
    • he added a license check which used the ethernet mac address. Too bad ethernet was removed from the machine, and his code launched an exception which returned 00:00:00:00 as mac address, so all licenses were working on all machines

    And many other things…

    In another project I saw a backend running on the frontend, as in, this guy wrote the logic for a machine on the Javascript running the user interface of the screen

    • felbane@lemmy.world
      4·
      19 days ago

      files with 10k lines of code

      oh my sweet summer child.

      I was once charged with maintaining an application with a median line count of 40k. The largest file was 87kLOC with 2nd place going to a 69kLOC (nice) file filled with interwoven C and inline assembly. My favorite was a 51kLOC file with a 32,621 line function.

      Miracle I didn’t develop alcoholism during that job.

      • NotMyOldRedditName@lemmy.world
        4·
        19 days ago

        Pretty sure there was one over 100k file at one of my old workplaces. It kept growing and growing and was the most critical file in the business. Like if that file suddenly vanished, the business would be done or shut down for at least a year, maybe two kinda thing. Re-certifying the output of that file would probably take 6 months alone.

        It had a partner file, also very important, but not as, which was much smaller around 20k-25k

    • ThirdConsul@lemmy.ml
      2·
      19 days ago

      I remember an if a == a: (I left it there because lol)

      I once worked on a codebase in js where

      a == a // true
a == a // false
a == a // true

      (Same variable compar to itself is true at first, then false, then true…)

      And when I cried ‘per que’ the explanation made some evil, sadistic sense.

  • quinkin@lemmy.world
    18·
    19 days ago

    XML-DOM page templates stored in a database, line by line.

    So rendering a page started with:

    select * from pages

    where page_id = ‘index’

    order by line_number asc;

    Each line of XML from each record was appended into a single string. This string was then XSLT transformed to HTML, for every page load.

    • dejected_warp_core@lemmy.world
      8·
      19 days ago

      This has to be one of the worst ways to reinvent a filesystem that I’ve ever heard. At the very least, storing static data in an relational database at this scale should be a slappable offense.

      • quinkin@lemmy.world
        7·
        19 days ago

        The session data, that would have been fantastic to have in a relational, queryable, reliable and trustable format was stored as a single giant string of PHP pickled data structure in a session file associated with the users cookie id.

  • A_norny_mousse@feddit.org
    18·
    20 days ago

    Disclaimer: this is not really about code, but about using IT in my non-IT workplace and I realized this just yesterday. A rant.

    I work in the social sector. Our boss seems to have slipped into position sideways (they did not do our work for a significant amount of time before).

    I got zero onboarding when I started working there; everything I know about the organisational ins and outs I learned by asking my colleagues.

    The boss seems to actively want to not inform me of things, i.e. even if I ask about something they reply in the most cursory manner or immediately refer me to somebody else. I have no idea why they do it, my guess is that they sense that they’re woefully inadequate for the job, plus me being much older triggers insecurities?

    For example, when I could not log into an app to see my future shifts, I asked the boss about it first but they immediately refered me to tech support. Calling them, after a while we found out that the boss had mistyped my name. Then I could log in.

    Last week I was sick and waited til Sunday noon to check this week’s shifts - but again I couldn’t log in. The boss answered neither phone nor email. Fair enough I guess, on a sunday. Thankfully tech support was working and after a long while we found out that the app for checking my shifts only allows log-ins from within the workplace network, not the open web.

    I almost missed my monday shift because of that. Boss calls me, enraged. I explained the situation. They clearly did not know that the app only allows log-ins from within the workplace network.

    All my coleagues tentatively/silently agree that this boss is useless. How do we keep the workplace running, and why is it me who is left in the dark? Turns out they have a Whatsapp group. I don’t use Whatsapp. They asked me repeatedly and urgently to join.

    tl;dr: this workplace would fall apart if people wouldn’t communicate through Whatsapp instead of official channels

  • Valmond@lemmy.world
    16·
    19 days ago

    The architect sending a pointer over an API, in hexadecimal string format. char *c = “71E4F33B” just cast it on the right structure bro.

    Just to add, we only did C/C++, on windows mfc, in a monolithic software.

    I spent quite some time assuring myself that I was not the insane person before bringing it up with him.