Search - "order fulfillment"
-
So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)
Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% Indian devs and not being able to hear now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.
Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer Mongolia who is, we can only hope, now enjoying his new life as an Instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.
Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.
It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.
I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.
So I set to work seeing if we'd pwned ourselves as an org. I spent a few hours poring over logs from the log service and Dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.
I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.
Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.
An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:
"please reenter card number to validate."
Bupkiss. Dead end.
OR SO YOU WOULD THINK.
One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:
"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"
One submit click later and the user's credit card number drops into lnav like a gacha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:
With an authenticated user of any privilege, you could place any order, as anyone, using anyone's payment methods and have it sent anywhere.
So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discreetly." Straight up Hitler's bunker meme rage.
-
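The two defects in the rant above, an impersonation cookie the UI trusts without any forgery check and failed-payment log lines carrying the full card number, as an added example that is not code from the original post or from the system it describes. The reporting chain, the cookie layout, the HMAC key and the log line are all constructed for illustration. The hardened path has the server mint the cookie, sign it with HMAC-SHA256, bind it to the authenticated session user, expire it, and re-check the reporting chain at use time; the log scrubber masks Luhn-valid digit runs before a line reaches the log service.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
import time

# Assumption: an HMAC key held only on the server, never sent to the browser.
SECRET = b"rotate-me-server-side-only"

# Constructed reporting chain: user id -> manager id. 4004 belongs to another org.
MANAGER_OF = {1001: None, 2002: 1001, 3003: 1001, 4004: 9999}


def is_descendant(manager_id, user_id):
    """True if user_id sits somewhere below manager_id in the reporting chain."""
    cur = MANAGER_OF.get(user_id)
    while cur is not None:
        if cur == manager_id:
            return True
        cur = MANAGER_OF.get(cur)
    return False


def forge_cookie(target_user):
    """What an attacker sends when the cookie is just unsigned base64 JSON."""
    return base64.urlsafe_b64encode(json.dumps({"impersonate": target_user}).encode()).decode()


def vulnerable_acting_user(cookie_value, authenticated_user):
    """The flaw as described: whatever the cookie says is the user the order runs as.
    authenticated_user is never consulted, so a bottom-rung employee can name a director."""
    return json.loads(base64.urlsafe_b64decode(cookie_value))["impersonate"]


def issue_impersonation_cookie(authenticated_user, target_user, ttl=900, now=None):
    """Hardened: only the server mints the cookie, only for a descendant report, and it
    carries the issuing session user, an expiry and an HMAC-SHA256 tag over the payload."""
    if not is_descendant(authenticated_user, target_user):
        raise PermissionError("target is not in the caller's reporting chain")
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sub": authenticated_user, "impersonate": target_user, "exp": now + ttl},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def hardened_acting_user(cookie_value, authenticated_user, now=None):
    """Returns the user to act as, or None if the cookie is forged, tampered, presented
    by a different session user, expired, or no longer authorized by the org chart."""
    try:
        p_b64, t_b64 = cookie_value.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        tag = base64.urlsafe_b64decode(t_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: the tag does not verify
        data = json.loads(payload)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None  # not even well-formed; the unsigned forgery lands here
    now = int(time.time()) if now is None else now
    if data.get("sub") != authenticated_user or data.get("exp", 0) < now:
        return None  # replayed by another session, or expired
    if not is_descendant(authenticated_user, data.get("impersonate")):
        return None  # re-check at use time; the org chart may have changed
    return data["impersonate"]


# Candidate PAN: 14 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(line):
    """Mask every Luhn-valid digit run down to its last four before the line is logged.
    Order ids and other long numbers that fail Luhn are left untouched."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, line)
```

Usage: `vulnerable_acting_user(forge_cookie(1001), 2002)` returns the director's id for a rep's session, while `hardened_acting_user` returns `None` for the same cookie, for a legitimately issued cookie replayed by a third user, for an expired one, and for one whose tag has been altered. `redact_pans` applied to a line like the rant's "Failed to submit order ... number 4111 1111 1111 1111" (constructed test card) emits `************1111`. The HMAC here protects integrity and origin only; if the payload must also be hidden from the browser, encrypt it as well.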
Fulfillment company: the order you put in our system is wrong, the hours we needed to correct this will be charged to you (Read: or rather my employer)
Me: *Checks logs and our server - finds out the order was made in their own webform/webapp*
Me: hey how come I can put in values in your webform that should not pass sanity checks, that's weird (in this case it was a product w/ a quantity of 0)
Fulfillment company: we don't do sanity checks or validation, we just find out when shit crashes and burns, nothing weird about that
Me: WTF
-
From a dev and eCommerce management perspective, Groupon is THE WORST. They just launched a brand new marketplace site but STILL don’t have an API I can connect with to do fulfillment. Their CSV format is useless for our shipping company. Their data inputs are not sanitized and standardized enough to be predictable for purposes of transformation via scripting. The exceptions and edge cases are infinite. So I’m STILL stuck having to take time out of my day to manually copy and paste and correct order data into the proper format to FTP to the fulfillment company. Oh, and I don’t yet know if the new marketplace does this, but the old one used to suspend vendor accounts for...get this...selling TOO MUCH! How is Groupon still in business?
-
Note to self:
Close off ALL ways things could go wrong..
Long story short: I released a new feature, to be able to better follow up on any stock moves, their amounts, locations and even expiry dates. An older tool just bypassed that very verification and nothing was logged or taken out of stock.
~
Taking out an amount for a certain orderline has a shortcut in place to mitigate some of the mandatory steps that pickers need to take in order to verify what's being taken. This little tool only available, visible and possible for a very few select users.
I assigned some orders to one of these people, which made him think it was an urgent batch. It's only one product, for multiple orders, so he went to the location, took out the amount needed and then used the tool to quickly be able to prepare them for shipping.
This bypassed the new methods to check if the location actually had stock to take, which I had just enabled for 1 account.
Luckily I caught the mishap as I was monitoring that product first-hand and noticed the batch of orders was collected but the stock amount didn't update.
It was 5min before I was leaving work, so I investigated and then ran to the person in question to ask what he did; which was "I used that tool"
I facepalmed myself internally while blaming myself, as he couldn't know that it wasn't ready to use for that purpose.
The tools to fix this up are there already.. so I used that to fix some missing stock-takes manually.. Though I'll need to close that little tool for these kind of orders for sure, asap, probably when I get home, at least until I bring over its new logic to it.
Happy Tuesday? (:
-
Hey guys. I am in a situation where I need to decide whether to take on a new project or not. And if not, how to turn down that client so that I would not burn any bridges. So I need your opinions on this matter in order to make the final decision.
To make things clear, here's some background info. 10 months ago I quit my fulltime position in another EU country and went back to my own home country. 10 months forward till today and I have my own ltd company which currently has 5 projects. It's doing pretty well money wise. All projects combined, I already earn more than I ever did and I need to work max 10 hours a week since all projects are remote projects so I don't waste time on useless meetings and etc. However I don't feel fulfilled or challenged anymore because surprise surprise doing well paid projects doesn't guarantee your sense of fulfillment.
So I noticed that I have lots of spare time which I spend diving into rabbitholes with hobby projects. I decided that it's time to scale my company and take on more projects and maybe even hire more people.
So I started searching for other projects I could work on (preferably remote projects or flexible ones where I could come in 2-3 days a week in office and work remotely rest of the week). Reason being that I am already out of sync with fulltime position lifestyle and I am totally result oriented, not punch in my hours and go home oriented.
For example, if I get my weekly tasks I prefer to do them in 1-2 days (even if it requires doing double shifts which rarely but happens) but then I want to have rest of the week off. That's how my brain works and that's how I'm wired. I can't stand fulltime positions especially in enterprise bigger companies where I come in and do maybe 2 hours of actual work everyday because of all useless meetings and blockers from backend/etc. It's soul crushing to me.
So I posted linkedin ads and started searching for new clients/projects. One month ago I went to an interview for an android project in a startup.
The project looked interesting enough. Main task was to rewrite their android app from java to kotlin. Apparently their current app was built by a backend developer who wants to focus solely on backend.
So during the interview they showed me their app which was quite simple frontend wise but not so simple backend wise from what I was able to figure out.
Their project lead (also a backend guy) asked me my estimation of price and completion of task. I told them maybe 2-3 months to do everything properly.
Project lead was basically shocked because all other candidates told him they can rewrite the app from java to kotlin in 2-3 weeks. I told him that everything is possible but his app quality will suffer and for a better estimation we would need to sign an NDA so I could evaluate the costs. So we ended the interview.
After that we kept in touch for one month (it took them one month to google a generic NDA and sign it digitally with me).
So heres the redflags I noticed:
1. They don't respect my time. Wasted 1 month of my time and after signing NDA gave me 2 days to estimate their project and go to a meeting and give them detailed info about what I can offer. If that's not a brain rape then I don't know what it is
2. They are changing initial conditions we talked about. We agreed on rewriting the codebase and be done with it. Now they prefer a fulltime worker who would be responsible for android app as his own product. So basically project lead was not able to find a fulltime dev so now he's trying to convert me (a company owner) to his fulltime worker.
3. Lack of respect. During the interview he started speaking in his own native language to me with some expression (he seemed pissed off at that moment when he switched languages).
4. Bad culture fit. As I said I'm used to relaxed clients and projects where I don't need to be chained to a desk and monitored and be micromanaged. I mean let's sign a contract, give me access to your codebase and tell me what to do, I will produce results and let's be done with it.
5. Project lead is a backend guy who doesn't understand how complicated android apps can be. No architecture and no unit tests are in his frontend app. He doesn't care about writing proper app since he ships it in his own device so he doesn't need to worry about supporting custom devices or different api levels of android and etc. But not having any architecture? C'mon.
So basically I am confused. Project lead needs a fulltime dev but he's in contact with me in hopes that I would sign a fulltime contract. But how can I work fulltime if all I can see are redflags?
Basically I think this was a misunderstanding. I'm searching for fulltime remote projects and he's offering fulltime inhouse projects. Project lead never outsourced so he's confused as well.
As you can see the decision is already basically made to turn him down, I just need to know how to tell him to fck off in the most polite manner and that's it.