Confessions of a Programmer

#1
If a client is an unbearable asshole during the initial communication, I look for every excuse to pad on the hours for the estimate to get paid more. If a client goes above and beyond in their douchbaggery, I tack on an additional $40/hour.

#2
Sometimes I will present an elaborate solution to a client, but really I'm just reading off the features of a plugin or library I'm going to download or buy after the call. Not because I can't build it myself, but because I'd rather spend more time on other/my own projects.

#3
Clients assume because I know one language, I know them all. Rather than turning down the work, I take a crash course to work in that language, or outsource the work and clean it up afterwards, whichever is more practical at the time.

#4
I use cPanel on a dedicated to manage our client websites. I'm not paid enough to bother with setting up everything manually.

#5
Certain projects I build have a 3-day backdoor built into it. If the client doesn't pay upon completion, a unique hash triggered as a GET variable deletes a core file in my work, rendering the work useless. If it wasn't triggered by the 4th day, the file allowing me to trigger this backdoor is removed. This is only used for clients where the project must be launched on their servers, or if there has been a previous issue collecting payment.

#6
I slip in the initial contract that all preceeding phone calls will be monitored and recorded, and that they acknowledge the recordings are admissable in court. This has saved me from losing money twice now.

#7
I have never used an IDE. (I know, I know, it's really inefficient and dumb, but I'm just more comfortable with Sublime. Plus I often find myself mobile and without my computer, so I have to program from my phone.)

#8
Each day resembles a betting spectacle of which work will be late, which will be rushed out and which will never see the light of day.

#9
I have used "sick" and "family emergency" as an excuse to just sleep in far more than I can count.

#10
When a client from hell crosses over the line in their conduct (such as getting very nasty and personal, or sending threats), I anonymously report them to the BBB and on RipOffReport.

Facebook publicly announced that it won't build a backdoor into its services for the intelligence agencies as for the latest requests to weaken/remove the encryption.

I can only imagine the intelligence agencies going like this now:

NSA director: Alright, as expected they said no so they won't have more damage to their public image, lets go for plan A 2.0!
NSA employee: Aaaand that is?
NSA director: Serve them a FISA court order requiring them to do this shit anyways but also serve a gag order so they can't tell legally.
NSA employee: Ahh, fair enough, I'll get that rolling. By the way, how did we do this with WhatsApp's encryption again?
NSA director: Oh that one was simple. There's a backup function which nearly everyone uses on either Android/iOS which does plaintext backups to Google Drive/iCloud.
NSA employee: Oh, okay. How do we access that data again?
NSA director: PRISM/XKeyScore!
NSA employee: Right, but then still the issue of how we even collect the encrypted messages from Facebo...
NSA director: PRISM/XKeyScore as well, don't worry about that.
NSA employee: But, how'd we justify this....?
NSA director: We probably never have to as these programs operate outside of the public view but otherwise just call terrorism/pedophelia... BAM, done.
NSA employee: Gotya, let's put this into motion!

Today was my last day of work, tomorrow i have officially left that place. It's a weird feeling because i'm not certain about the future.
The job was certainly not bad, and after all i read on devrant i'm beginning to believe it was one of the better ones. A nice boss, always something to eat/drink nearby, a relaxed atmosphere, a tolerance for my occasionally odd behaviour and the chance to suggest frameworks. Why i would leave that place, you ask? Because of the thing not on the list, the code, that is the thing i work with all the time.

Most of the time i only had to make things work, testing/refactoring/etc. was cut because we had other things to do. You could argue that we had more time if we did refactor, and i suggested that, but the decision to do so was delayed because we didn't have enough time.

The first project i had to work on had around 100 files with nearly the same code, everything copy-pasted and changed slightly. Half of the files used format a and the other half used the newer format b. B used a function that concatenated strings to produce html. I made some suggestions on how to change this, but they got denied because they would take up too much time. Aat that point i started to understand the position my boss was in and how i had to word things in order to get my point across. This project never got changed and holds hundreds of sql- and xss-injection-vulnerabilities and misses access control up to today. But at least the new project is better, it's tomcat and hibernate on the backend and react in the frontend, communicating via rest. It took a few years to get there, but we made it.
To get back to code quality, it's not there. Some projects had 1000 LOC files that were only touched to add features, we wrote horrible hacks to work with the reactabular-module and duplicate code everywhere. I already ranted about my boss' use of ctrl-c&v and i think it is the biggest threat to code quality. That and the juniors who worked on a real project for the first time. And the fact that i was the only one who really knew git. At some point i had enough of working on those projects and quit.

I don't have much experience, but i'm certain my next job has a better workflow and i hope i don't have to fix that much bugs anymore.
In the end my experience was mostly positive though. I had nice coworkers, was often free to do things my way, got really into linux, all in all a good workplace if there wasn't work.

Now they dont have their js-expert anymore, with that i'm excited to see how the new project evolves. It's still a weird thing to know you won't go back to a place you've been for several years. But i still have my backdoor, but maybe not. :P

So as quite some people know on here, I am strongly against closed source software and have a very strong distrust in it as well.
So next to some principles (and believes etc etc etc) there is one specifc 'event' which triggered the distrust in CSS (No not Cascading Style sheet, I mean Closed Source Software :P). So hereby the story about what happened.

I think it was about 5 years ago when a guy joined my programming class (I wasn't in uni although I studied but for the sake of clarity, lets just call it uni for now (also, that makes me feel smarter so why the fuck not!)) in uni. He knew a shitload about programming for his age but he was convinced that he was always right. (that aside)
Anyways, at some point we had to work in groups on this project (groups for specific tasks) and he chose (he loved it, we hated it, he had the final say) Trello for 'project management'. He gave everyone (I was running Windows for a little bit at that moment because the project was in C# and the Snowden leaks had not arrived yet so I was not extremely uncomfortable with using Windows, just a lot) this addon program thingy he created for Trello which would make usage easier. I asked if it was open source, he replied with 'No, because this is my project.' and although I did understand that entirely, I didn't feel comfy using it because of it's closed source nature. Everyone declared me paranoid and he was annoyed as hell but I just kept refusing to use it and just used the web interface.

*skips to 2 years later*

I met that guy again at the train station at a random day! Had the usual 'how are you and what's up after a few years' talk with him and then he told me something that changed my view on closed source software for most probably the rest of my life.

"Hey by the way, do you remember that project of a few years back where you didn't want to use my software because of your 'closed-sourceness paranoia'? I just wanted to say that I actually had some kind of backdooring feature build in which (I am not going to say what) allowed me to (although I didn't use it) look at/do certain things with the 'infected' computers. I really wanted to say that I find it funny how you, the only one who didn't give in to my/the peer pressure, were the only one who wasn't affected by my 'backdoor' at that moment! Also your standards towards the use of closed source software probably played a big part probably. I find that pretty cool actually!"

Although I cannot confirm what he said, he was exactly the type of guy who would do this IMO (and not only IMO I think).

So yeah, that's one of the reasons AND the story behind a big part of why I don't trust closed source software :).

So.. Oneplus "forgot" to strip Qualcomm.EngineerMode from release build...

Wordpress. The only backdoor with a plugin system and CMS included.

I have to clean ANOTHER. Hacked WordPress site. One wrong decision and you have to support it for the life time :'(

Recently I got an E-Mail from PayPal.de with the headline "Your account gets limited". Fun Fact: I don't have a PayPal account.
This Mail got me curious though, as it couldn't be a phishing mail, since I don't have a PayPal account in the first place, so I opened the e-mail just to get greeted by pure emptiness. It was completely empty. I thought to myself "oh no, is this some sort of new trick? Did I get infected by some sort of a weird hacky backdoor trojan already?!"

Name: PayPal.de
Original E-mail Address: NULL (never seen this before)
I then realized, that Thunderbird blocked the only content from this mail: a clickable image.

This is getting even more confusing the longer I examine this unique mail. The image is showing me a domain from a site completely unrelated from PayPal, so it was obviously no phishing, but I didn't trust this clickable image, so I looked up its hidden link to find an even more confusing redirection to not a picture upload site like the image suggests, but to a game key reselling site instead, like wtf? What was the whole point of this whole e-mail? Was this a weird try to make advertisements for more than one website? It wasn't even a ref-link or something like that. It was just weird, iunno.

Customer requested the implementation of a "Master PIN" Code for accessing their appliances, to be used by field technicians when the users forgot their PIN.
Actually they could also read or reset it via USB using the config utility, but then again it's much more convenient not having to carry a laptop all the time...

Our only contact person at that company - the guy we got all the requirements from, let's call him Mr. L - wouldn't talk only positive about the company and managers, but we never worried as the project was making good progress.

In the final phase of the project, Mr. L was often hard to reach, always seemed to be busy even when we just needed a prototype approved to start production.
He always claimed to be waiting for approval from his supervisors and engineers, still discussing minor things with them.

When he left the company about three months later, it turned out he was pretty much the only person knowing about the details of the project, and his successor would start asking us very basic questions about the appliance,
wondering why we had implemented certain things the way they were.
(Well, how about we implemented everything just as requested by a former co-worker of yours?!)

Somewhere in the preliminary specs previously exchanged with Mr. L, there is even a hint of a "Master PIN", but the value is never specified anywhere on paper.

Today, we are not sure if anyone except for him even knew about it.
Maybe we should ask them whether they are now selling a product that has a 4-digit backdoor PIN nobody at the company is aware of?

Obviously, it is the birth year of Mr. L.

1. It's gonna be more and more specialized - to the point where we'll equal or even outdo the medical profession. Even today, you can put 100 techs/devs into a room and not find two doing the same job - that number will rise with the advent of even more new fields, languages and frameworks.

2. As most end users enjoy ignoring all security instructions, software and hardware will be locked down. This will be the disadvantage of developers, makers and hackers equally. The importance of social engineering means the platform development will focus on protecting the users from themselves, locking out legitimate tinkerers in the process.

3. With the EU getting into the backdoor game with eTLS (only 20 years after everyone else realized it's shit), informational security will reach an all-time low as criminals exploit the vulnerabilities that the standard will certainly have.

4. While good old-fashioned police work still applies to the internet, people will accept more and more mass surveillance as the voices of reason will be silenced. Devs will probably hear more and more about implementing these or joining the resistance.

5. We'll see major leaks, both as a consequence of mass-surveillance (done incompetently and thus, insecurely) and as activist retaliation.

6. As the political correctness morons continue invading our communities and projects, productivity will drop. A small group of more assertive devs will form - not pretty or presentable, but they - we - get shit done for the rest.

7. With IT becoming more and more public, pseudo-knowledge, FUD and sales bullshit will take over and, much like we're already seeing it in the financial sector, drown out any attempt of useful education. There will be a new silver-bullet, it will be useless. Like the rest. Stick to brass (as in IDS/IPS, Firewall, AV, Education), less expensive and more effective.

8. With the internet becoming a part of the real life without most people realizing it and/or acting accordingly, security issues will have more financial damages and potentially lethal consequences. We've already seen insulin pumps being hacked remotely and pacemakers' firmware being replaced without proper authentication. This will reach other areas.

9. After marijuana is legalized, dev productivity will either plummet or skyrocket. Or be entirely unaffected. Who cares, I'll roll the next one.

10. There will be new JS frameworks. The world will turn, it will rain.

Brave Browser.

There’s a reason why brave is generally advised against on privacy subreddits, and even brave wanted it to be removed from privacytools.io to hide negativity.

Brave rewards: There’s many reasons why this is terrible for privacy, a lot dont care since it can be “disabled“ but in reality it isn’t actually disabled:

Despite explicitly opting out of telemetry, every few secs a request to: “variations.brave.com”, “laptop-updates.brave.com” which despite its name isn’t just for updates and fetches affiliates for brave rewards, with pings such as grammarly, softonic, uphold e.g. Despite again explicitly opting out of brave rewards. There’s also “static1.brave.com”

If you’re on Linux curl the static1 link. curl --head
static1.brave.com,
if you want proof of even further telemetry: it lists cloudfare and google, two unnecessary domains, but most importantly telemetry domains.

But say you were to enable it, which most brave users do since it’s the marketing scheme of the browser, it uses uphold:

“To verify your identity, we collect your name, address, phone, email, and other similar information. We may also require you to provide additional Personal Data for verification purposes, including your date of birth, taxpayer or government identification number, or a copy of your government-issued identification
Uphold uses Veriff to verify your identity by determining whether a selfie you take matches the photo in your government-issued identification. Veriff’s facial recognition technology collects information from your photos that may include biometric data, and when you provide your selfie, you will be asked to agree that Veriff may process biometric data and other data (including special categories of data) from the photos you submit and share it with Uphold. Automated processes may be used to make a verification decision.”

Oh sweet telemetry, now I can get rich, by earning a single pound every 2 months, with brave taking a 30 percent cut of all profits, all whilst selling my own data, what a deal.

In addition this request: “brave-core-ext.s3.brave.com” seems to either be some sort of shilling or suspicious behaviour since it fetches 5 extensions and installs them. For all we know this could be a backdoor.

Previously in their privacy policy they shilled for Facebook, they shared data with Facebook, and afterwards they whitelisted Facebook, Twitter, and large company trackers for money in their adblock: Source. Which is quite ironic, since the whole purpose of its adblock is to block.. tracking.

I’d consider the final grain of salt to be its crappy tor implementation imo. Who makes tor but doesn’t change the dns? source It was literally snake oil, all traffic was leaked to your isp, but you were using “tor”. They only realised after backlash as well, which shows how inexperienced some staff were. If they don’t understand something, why implement it as a feature? It causes more harm than good. In fact they still haven’t fixed the extremely unique fingerprint.

There’s many other reasons why a lot of people dislike brave that arent strictly telemetry related. It injecting its own referral links when users purchased cryptocurrency source. Brave promoting what I’d consider a scam on its sponsored backgrounds: etoro where 62% of users lose all their crypto potentially leading to bankruptcy, hence why brave is paid 200 dollars per sign up, because sweet profit. Not only that but it was accused of theft on its bat platform source, but I can’t fully verify this.

In fact there was a fork of brave (without telemetry) a while back, called braver but it was given countless lawsuits by brave, forced to rename, and eventually they gave up out of plain fear. It’s a shame really since open source was designed to encourage the community to participate, not a marketing feature.

Tl;dr: Brave‘s taken the fake privacy approach similar to a lot of other companies (e.g edge), use “privacy“ for marketing but in reality providing a hypocritical service which “blocks tracking” but instead tracks you.

I'm in a react/vue/angular/polymer-debate. Lets continue this here, but only with the worst arguments you heard about these 4.

I start:
React: "I dont like it, facebook might have a backdoor in the code so they can see what we're developing"
Angular: "We use Google Cloud, angular is developed by google too. There is a synergy between the two"

(If you really need this to be a question, then it's "what are the worst arguments you heard about javascript-frameworks?")