Last year I built the platform 'Tindex'. It was an index of Tinder profiles so people could search by name, gender and age.

We scraped the Tinder profiles through a Tinder API which was discontinued not long ago, but weird enough it was still intact and one of my friends who was also working on it found out how to get api keys (somewhere in network tab at Tinder Online).

Except name, gender and age we also got 3 distances so we could calculate each users' location, then save the location each 15 minutes and put the coordinates on a map so users of Tindex could easily see the current location of a specific Tinder user.

Fun note: we also got the Spotify data of each Tinder user, so we could actually know on which time and which location a user listened to a specific Spotify track.

Later on we started building it out: A chatbot which connected to Tinder so Tindex users could automatically send a pick up line to their new matches (Was kinda buggy, sometimes it sent 3 pick up lines at ones).

Right when we started building a revenue model we stopped the entire project because a friend of ours had found out that we basically violated almost all terms.

Was a great project, learned a lot from it and actually had me thinking twice or more about online dating platforms.

Below an image of the user overview design I prototyped. The data is mock-data.

A super creepy webcrawler I built with a friend in Haskell. It uses social media, various reverse image searches from images and strategically picked video/gif frames, image EXIF data, user names, location data, etc to cross reference everything there is to know about someone. It builds weighted graphs in a database over time, trying to verify information through multiple pathways — although most searches are completed in seconds.

I originally built it for two reasons: Manager walks into the office for a meeting, and during the meeting I could ask him how his ski holiday with his wife and kids was, or casually mention how much I would like to learn his favorite hobby.

The other reason was porn of course.

I put further development in the freezer because it's already too creepy. I'd run it on some porn gif, and after a long search it had built a graph pointing to a residence in rural Russia with pictures of a local volleyball club.

To imagine that intelligence agencies probably have much better gathering tools is so insane to think about.

In a meeting after I explained that the user passwords will be encrypted before we save them in the database

Them: "Please don't do that, we don't want to change our clients data"

Me: " so we should save the clear text?"

Them: "Yes"

😒

User: *Clicks on staging environment*

Giant Warning Dialog: YOU ARE CURRENTLY ENTERING THE STAGING ENVIRONMENT

Users: Ok

App: *Completely different colour, I’m talking bright unsightly yellow*

User: Ok

Giant Yellow and Red Flashing Banner at the Top of the Screen: WARNING YOU ARE CURRENTLY USING STAGING, THIS AREA IS FOR TESTING ONLY

User: The production environment sure is acting strange today. It’s a weird colour and I don’t recognize any of the data, it’s all just dummy filler data. I better create a ticket for the dev team to check o—….. no wait I’ll send an email CC everyone including the CEO and sound the alarm production is currently down and filled with giant warning messages.

Manager: OH MY GOD PRODUCTION IS DOWN DID YOU HEAR ABOUT THIS??? WHAT THE FUCK COULD THESE WARNING MESSAGES BE THAT’S ONLY SUPPOSED TO HAPPEN ON STAGING! THE CEO IS BREATHING DOWN MY NECK YOU NEED TO GET THIS FIXED IMMEDIATELY!!!!!!!

Dev: …

In a user-interface design meeting over a regulatory compliance implementation:
User: “We’ll need to input a city.”
Dev: “Should we validate that city against the state, zip code, and country?”
User: “You are going to make me enter all that data? Ugh…then make it a drop-down. I select the city and the state, zip code auto-fill. I don’t want to make a mistake typing any of that data in.”
Me: “I don’t think a drop-down of every city in the US is feasible.”
Manage: “Why? There cannot be that many. Drop-down is fine. What about the button? We have a few icons to choose from…”
Me: “Uh..yea…there are thousands of cities in the US. Way too much data to for anyone to realistically scroll through”
Dev: “They won’t have to scroll, I’ll filter the list when they start typing.”
Me: “That’s not really the issue and if they are typing the city anyway, just let them type it in.”
User: “What if I mistype Ch1cago? We could inadvertently be out of compliance. The system should never open the company up for federal lawsuits”
Me: “If we’re hiring individuals responsible for legal compliance who can’t spell Chicago, we should be sued by the federal government. We should validate the data the best we can, but it is ultimately your department’s responsibility for data accuracy.”
Manager: “Now now…it’s all our responsibility. What is wrong with a few thousand item drop-down?”
Me: “Um, memory, network bandwidth, database storage, who maintains this list of cities? A lot of time and resources could be saved by simply paying attention.”
Manager: “Memory? Well, memory is cheap. If the workstation needs more memory, we’ll add more”
Dev: “Creating a drop-down is easy and selecting thousands of rows from the database should be fast enough. If the selection is slow, I’ll put it in a thread.”
DBA: “Table won’t be that big and won’t take up much disk space. We’ll need to setup stored procedures, and data import jobs from somewhere to maintain the data. New cities, name changes, ect. ”
Manager: “And if the network starts becoming too slow, we’ll have the Networking dept. open up the valves.”
Me: “Am I the only one seeing all the moving parts we’re introducing just to keep someone from misspelling ‘Chicago’? I’ll admit I’m wrong or maybe I’m not looking at the problem correctly. The point of redesigning the compliance system is to make it simpler, not more complex.”
Manager: “I’m missing the point to why we’re still talking about this. Decision has been made. Drop-down of all cities in the US. Moving on to the button’s icon ..”
Me: “Where is the list of cities going to come from?”
<few seconds of silence>
Dev: “Post office I guess.”
Me: “You guess?…OK…Who is going to manage this list of cities? The manager responsible for regulations?”
User: “Thousands of cities? Oh no …no one is our area has time for that. The system should do it”
Me: “OK, the system. That falls on the DBA. Are you going to be responsible for keeping the data accurate? What is going to audit the cities to make sure the names are properly named and associated with the correct state?”
DBA: “Uh..I don’t know…um…I can set up a job to run every night”
Me: “A job to do what? Validate the data against what?”
Manager: “Do you have a point? No one said it would be easy and all of those details can be answered later.”
Me: “Almost done, and this should be easy. How many cities do we currently have to maintain compliance?”
User: “Maybe 4 or 5. Not many. Regulations are mostly on a state level.”
Me: “When was the last time we created a new city compliance?”
User: “Maybe, 8 years ago. It was before I started.”
Me: “So we’re creating all this complexity for data that, realistically, probably won’t ever change?”
User: “Oh crap, you’re right. What the hell was I thinking…Scratch the drop-down idea. I doubt we’re have a new city regulation anytime soon and how hard is it to type in a city?”
Manager: “OK, are we done wasting everyone’s time on this? No drop-down of cities...next …Let’s get back to the button’s icon …”

Simplicity 1, complexity 0.

USER: I can't see any data in the page...!
ME: ok, I'll do a check
ME: API calls get no data back. Boss, did you change anything and put it in production?
BOSS: Absolutely not, I just modified the name of what was the "Family" parameter in "Type".
ME: Seems legit. Totally agree. I'm going to lunch. Can you check in the meanwhile why calling the API with "Family" does return nothing? Thanks.

Interviewer: So are you familiar with our company and what we do?

Dev: I looked at your website, looks like you build tools for managing restaurants.

Interviewer: No. That’s not even close.

Dev: ?

Interviewer: What we do is create an ecosystem of integrated data centres all orchestrated for immediate stakeholder utilization.

Dev: But the product itself…. it’s a user interface for tracking inventory. Of like…. burgers…. and bottles of wine.

Interviewer: It’s not a product! It’s a data……habitat!!

Dev: …

Dev: So does that make your users animals?

Interviewer: 😡. Unfortunately it looks like you do not see our vision and would not be a good fit for this role.

Dev: Agreed.

I just got a text from T-Mobile telling me about their updated privacy policy and that I can “opt out.” So, naturally I do exactly this.

After a little bit, I land on their “Do not sell my data” page and discover that, not only does it have 175+ trackers,
it doesn’t even fucking work. Also, on the desktop version of the site, the very control allowing the user to opt out of having their data shared/sold doesn’t even render.

These are all absolutely inexcusable.

Devs: We need access to PROD DB in order to provide support you're asking us for.

Mgmt: No, we cannot trust you with PROD DB accesses. That DB contains live data and is too sensitive for you to fuck things up

Mgmt: We'll only grant PROD DB access to DBAs and app support guys

Mgmt: <hire newbies to app support>

App_supp: `update USER set invoice_directory = 54376; commit;`

----------------
I have nothing left to say....

I still miss my college days. Our crappy IT Dept restricted internet usage on campus. Each student used to get 10 GB of internet data and they used Cyberoam for login (without HTTPS). 10 GB was so less (at least for me).

Now, thanks to CS50, I learned that HTTP was not secure and somehow you can access login credentials. I spent a night figuring things out and then bam!! Wireshark!!!!

I went to the Central Library and connected using Wireshark. Within a matter of minutes, I got more than 30 user ids and passwords. One of them belonged to a Professor. And guess what, it had unlimited data usage with multiple logins. I felt like I was a millionaire. On my farewell, I calculated how much data I used. It was in TBs.

Lesson: Always secure your URLs.

The worst thing I’ve seen a dev do is create a social sharing platform that sells its user data to the highest bidder and then asks for forgiveness after the privacy horse is out of the barn.

Long story short, I'm unofficially the hacker at our office... Story time!

So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)

So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.

Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.

As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.

So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.

It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

expect([
row[‘blah’][0][1],
row[‘blah’][1][1],
row[’blah’][2][1],
row[‘blah’][3][1],
row[‘blah’][4][1],
]).to contain_exactly(
a.name(user), # “John doe”
c.name(user), # “John doe”
e.name(user), # “John doe”
b.name(user), # “John doe”
d.name(user), # “John doe”
)

(Note: The comments are mine.)

See the problem? No, not the ugly code (which is actually worse than what i posted here).

It’s using the same ridiculous getter (if you can call it that) that pulls a name out of the passed user object, and then expecting each row to have that name, in order. Not that order matters when they’re all the same.

Upon inspection, all objects created by the spec have the exact same name, so the above test passes (as long as there are 5 rows). It passes, but totally not because it should: those aren’t the objects that are actually in the table. All of the specs — all 22 of them — only check for that shared name on various rows, and no other data. And it’s not like this is the only issue, either.

Fuck me these are bad.

And this guy is a senior dev earning significantly more than me. Jesus what the fuck Christ.

What kind of cum gargling gerbil shelfer stores and transmits user passwords in plain text, as well as displays them in the clear, Everywhere!

This, alongside other numerous punishable by death, basic data and user handling flaws clearly indicate this fucking simpleton who is "more certified than you" clearly doesn't give a flying fuck about any kind of best practice that if the extra time was taken to implement, might not totally annihilate the company in lawsuits when several big companies gang up to shower rape us with lawsuits over data breaches.

Even better than that is the login fields don't even differentiate between uppercase or lowercase, I mean WHAT THE ACTUAL FUCK DO YOU SELF RIGHTEOUS IGNORANT CUNTS THINK IS GOING TO HAPPEN IN THIS SCENARIO?

Developer vs Tester

(Spoiler alert: developer wins)

My last developent was quite big and is now in our system testing department. So last week i got every 20 minutes a call from the tester, that something did not work as expected. For about 90% of the time i looked at the testing setup or the logs and told him, that the data is wrong or he used the tool wrong. After a couple of days i got mad because of his frequent interruptions. So I decided to make a list. Every time he came to me with an "error" i checked it and made a line for "User Error" or "Programming Error". He did not liked that much, because the User Error collum startet to grow fast:

User Errors: ||||| |||
Programming Errors: |||

Now he checks his testing data and the logs 3 times before he calls me and he hardly finds any "errors" anymore.

Me: *Demoed my search API which supports multiple database implementations at the backend*

My Manager: Great!! Is the API independent of DB? Can you plug this API to any DB?

Me: Yes

My Manager: How can user specific DB at runtime?

Me: Why will user be interested in the DB used at the backend? He will just query the API for data.

My Manager: Let's just assume he wants to select a database at runtime.

Me: While searching a movie on Netflix, do you specific from which DB you wanna stream the movie?

My Manager: *Confused and pissed*

My neighbor(He is 14 I think) pitched this to me and wanted advice since he was going try to participate in the Google science fair.

Him:"A robot that gives you medical advice. You just tell it your symptoms and voila! You've got your diagnosis. No doctor required."

Me: "How are you going to decide what disease the user has?"

Him:" I'm just going to write an if-else ladder statement. I've already got some of the data from this site called WebMD. It's amazing."

Me: "Go with something simple. What you're suggesting won't work out."

He told me I didn't have "Vision".
His ditched his project last week.

The fuck did you think was going to happen?

User: ITs dragging their feet which is why x hasn't gone out yet.

PM: Why hasn't this gone out yet?

Me: They sent me a template then another and then said wait that's wrong too I'll send you the correct one.

I've yet to receive this and no one's provided me the data to check over.

PM: Well that's not what x said.

Me: Well my email chain says so. (Proceed to show them the emails)

PM then walks off and blasts the users. Your #blamegame ended the moment you emailed me knob shits.

Trash, trash, trash.
Who the fuck writes this shit?

Who the fuck lets these trash should-be-junior devs roll their own crypto? and then approves it?

The garbage heap of a feature (signing for all apis) doesn't follow Ruby standards, doesn't follow codebase conventions, has `// this is bridge` style comments (and no documentation), and it requires consumer devs to do unnecessary work to integrate it, and on top of all this: it leaks end-user data. on all apis. in plaintext.

Fucking hell.

I tried to convince my boss that using 3d rendering to display information on webpage is unnecessary luxury.

The web browser would hang if the user is using an average pc and there is too much data to render.

This product is aimed for average joe, but he argues that computers in foreign countries are high end devices ONLY.

Such a bullshit.

I asked what if someone with low spec laptop tries to view the webpage.

He said, we will set a min spec requirements for using the website.

Are you fucking kidding me?! RAM and Graphics requirements for a webpage?!

My instinct says that the thing I'm working on would probably end up as waste of time.

But I'd probably learn cool tricks of threejs.

Boss: We need health data for this iOS app.

Me: Cool, so we'll use apples HealthKit.

Boss: No that requires the user agrees to it.

Me: ... well yeah ... its private data.

Boss: No we need it to work regardless. If the user says no to HealthKit, just give them textfields for all the metrics HealthKit has and they can enter manually.

Me: .... but ... eh ....

Boss: and we'll partner with some companies and support their devices.

Me: ... see, the thing is ...

Boss: We also need to store it locally and then sync it to the cloud app. What do you think?

Me: ... ... ... no

Not only do I write software, but now I help the managers view and understand our analytics, just like in kindergarten.

Now I'm forced to help them essentially fake data so investors are satisfied 🤡🔫

"Delete metrics X, Y, and Z for now, we don't want anyone to see them!"

"Change the label of this metric to 'unique user' views! (not total!)"

"Set all charts to cumulative so it looks like they are all up and to the right!"

Sigh.

This isn't what I signed up for.

Business User [1 PM]: So I know every month you’ve been using your dark magic SQL skills to transform my monthly data into better monthly data.

Well I know it’s the middle of the month, and this is totally random... but... I have some other data formatted totally differently, almost totally different data! You can just run this through your magic SQL Proc right?? Easy! Also, I need this by end of day... thank you for your support.

Me [1:01 PM]: K.

FUCK THE RECRUITERS WHO ASK US TO MAKE AN ENTIRE PROJECT AS A CODE TEST.

Oh you need to scrape this website and then store the data in some DB. Apply sentimental analysis on the data set. On the UI, the user should be able to search the fields that were scraped from the website. Upon clicking it should consume a REST API which you have to create as well. Oh and also deploy it somewhere... Oh I almost forgot, make the UI look good. If you could submit it in one week, we will move towards further rounds if we find you fit enough.

YOU KNOW WHAT, FUCK YOU!

I can apply to 10 others companies in one week and get hired in half the effort than making this whole project for you which you are going to use it on your website YOU SADIST MOTHERFUCK

I CURSE YOUR COMPANY WITH THE ETERNITY OF JS CALLBACK HELL 😡😤😣

Business User: Hey can we get a sample output you plan to send us?

Me: yes heres a mock

BU: This doesn't look right, can you use real values?

Me (said nicely): WELL IF WHEN YOU WROTE THE FCKIN REQUIREMENTS WEREN'T SO VAGUE AND ACTUALLY PROVIDED REAL VALUES FOR THE INPUTS WE WOULD GET AND WHAT WE SHOULD OUTPUT USING THEM MAYBE I COULD GIVE YOU A BETTER SAMPLE... AND DO LESS GUESSING ABOUT WHAT THE FUCK YOU ACTUALLY WANT...

BU: Oh I forwarded some data

Me: *looks at input data*

(thoughts) THIS FUCKING MAKES NO SENSE!! NOWHERE DOES ANYTHING LOOK LIKE WHAT YOU WANTED.... HOW ABOUT I PULL MAGIC VALUES OUT OF MY ASS?

Dev: Can you please tell me why you changed this?
Me: Because we need to handle permissions in the app. The quickest way of doing it, according to the docs, is [insert change log here]
Dev: But we can just check for the user's token.
Me: That's not exactly a permission, because...
Dev: I was only showing the information related to the user according to their token.
Me: I understand. But that means you're filtering data, not authorising users to access it. If a user is logged in, but changes query parameters, they can still access data they shouldn't be able to.
Dev: Whatevs.

Le me then proceeds to try to push my changes (that took the whole day to implement), gets a "you need to pull first" message from git, doesn't understand why, logs onto GitHub and realises dev has implemented their "permissions".

I was the one responsible for making those changes. Le dev was meant to be doing other things.

How do I even begin to explain?

Managements definition of an MVP:

- Integrate our backend and database with a similar-ish, older internal system built on a different tech stack and different rules.
- Merge the functionality and delete the old one.
- Modify our system to accept 2 types of logged in users.
- Have 2 versions of our API that return different values.
- Update our mobile app to render different data based on which user is logged in.
- Onboard the old system users to this new system.

My definition of an MVP:

- Tell the store we are taking over, that they have to print their labels from our tool, and onboard the users to our app.

Fuck Optimizely.

Not because the software/service itself is inherently bad, or because I don't see any value in A/B testing.

It's because every company which starts using quantitative user research, stops using qualitative user research.

Suddenly it's all about being data driven.

Which means you end up with a website with bright red blinking BUY buttons, labels which tell you that you must convert to the brand cult within 30 seconds or someone else will steal away the limited supply, and email campaigns which promise free heroin with every order.

For long term brand loyalty you need a holistic, polished experience, which requires a vision based on aesthetics and gut feelings -- not hard data.

A/B testing, when used as some kind of holy grail, causes product fragmentation. There's a strong bias towards immediate conversions while long term churn is underrepresented.

The result of an A/B test is never "well, our sales increased since we started offering free heroin with every sale, but all of our clients die after 6 months so our yearly revenue is down -- so maybe we should offer free LSD instead"

Me : I should start building user authentication system.
inner self : there are enough free and secure ones out there, just go read the documentation.
Me : fuck I'm not reading 10000 pages of documentation written in alien language.
inner self : well then you better start building
Me : **writes code
Inner self : you better add the data validation and security while coding
Me : I just want it to work !
Me after a few days trying not to suicide : the site is hacked, the code is bugged, hello darkness my friend

Getting ready for GDPR at work. I had to explain to my bosses what it meant, especially regarding one of our project where we store a lot of user data. Then I heard it: "this crap doesn't regard us. we have no sensitive data. we only save out users' name and generalities.". I have no words.

Me:
Totally riffing to my new playlist....
the ideas are just flowing.....
Code flying...
changing in my brain....
I think I've got I might have it.....
...... RING RING ITS THE MOTHERFUCKING BOSS,
Boss:
Why is the whole website down?

Me: WTF, looks fine here, all logs are clear.

Boss: I just got an email saying the whole thing is fucked. Stop everything and fix it now.

Me: but we just agreed dev is taking priority over any support issues within sla and I've checked from everywhere there are no issues, just data issues probably from user error.

Boss: Just get it back and figure it out!!!!! Why are you being difficult?

Me: okay whatever, let's patch each of these shits.

COULDVE SENT THIS ANYWHERE BUT NOW MY IDEA IS GOOOONEEE!!!!!! NULL FUCKING DATA FIELD ON A SINGLE FUCKING EMAIL....FRAAAAACKKK THIS

So... GDPR.
And the deadline.
And I have no idea what to do.

What does it mean for one-man indie projects? Data protection officers? Companies? Controllers? Processors? EU employees? Argh.

Look, please, EU. Not everyone can afford to hire an entire team for this, when their current team is literally one person.

Yes, the GDPR is probably a step in the right direction, but I think I'll just stop collecting the data altogether.

(All data I collect is just user settings stored in a database, nothing more.)

Can someone point me in the right direction?

My code review nightmare?

All of the reviews that consisted of a group of devs+managers in a conference room and a big screen micro-analyzing every line of code.
"Why did you call the variable that? Wouldn't be be more efficient to use XYZ components? You should switch everything to use ServiceBus."
and/or using the 18+ page coding standard document as a weapon.

PHB:"On page 5, paragraph 9, sub-section A-123, the standards dictate to select all the necessary data from the database. Your query is only selecting 5 fields from the 15 field field table. You might need to access more data in the future and this approach reduces the amount of code change."
Me: "Um, if the data requirements change, wouldn't we have change code anyway?"
PHB: "Application requirements are determined by our users, not you. That's why we have standards."
Me: "Um, that's not what I ..."
PHB: "Next file, oh boy, this one is a mess. On page 9, paragraph 2, sub-section Z-987, the standards dictate to only select the absolute minimum amount of the data from the database. Your query is selecting 3 fields, but the application is only using 2."
Me: "Yes, the application not using the field right now, but the user stated they might need the data for additional review."
PHB: "Did they fill out the proper change request form?"
Me: "No, they ...wait...Aren't the standards on page 9 contradictory to the standards on page 5?"
PHB: "NO! You'll never break your cowboy-coding mindset if you continue to violate standards. You see, standards are our promise to customers to ensure quality. You don't want to break our promises...do you?"

User: Hey, we got a big issue with one of your tools. One of your pages isn't loading.
Me: Ok, so when did this happen?
User: We don't know? Its been like that for a long time though, so we thought it was normal 😃
Me: ....ok. So do you know what data is supposed to appear?
User: Uhhh we're not sure as well. Since, you know, its been like that for a while.

Just great 😑

Sad story:
User : Hey , this interface seems quite nice
Me : Yeah, well I’m still working on it ; I still haven’t managed to workaround the data limit of the views so for the time limit I’ve set it to a couple of days

Few moments later

User : Why does it give me that it can’t connect to the data?
Me : what did you do ?
User : I tried viewing the last year of entries and compare it with this one

Few comas later

100476 errors generated
False cert authorization
Port closed
Server down
DDOS on its way

Stakeholder: In user profiles, I want users to be able to renew gift memberships for their giftee.

Me: ???

SH: For example, if I buy a gift membership for you and it expires or is about to expire, then I want to be able to renew it for you.

Me: Typically, gifts aren’t the gifter’s responsibility to manage. There’s no reason for you to be able to manage my membership from your account, even if just to renew. You’re opening up Pandora’s box here. If you let users renew for giftees, you’ll eventually have a user ask if they can cancel the giftee’s membership because they got into a fight and want to stick it to the giftee.

SH: But our users aren’t using the gift membership sales flow correctly. That results in all sorts of data issues for our reporting services and we spend so much time fixing it by hand.

Me: Your sales flow is confusing. The website asks users to verify membership for a giftee in case the giftee has or had a membership. How it the gifter supposed to know that? You’re trying to make things easier for you, but you’re expecting the user to know that and comply. That’s unrealistic.

SH: But there must be a something you can do.

Me: No.

"The aim is to develop highly robust data streams so we have the flexibility to build and evolve the user interface without having to change code in the API"

Oh, is that all you need?

Three months into a new job, as a senior developer (12+ years experience) and updated an import application.

With one small update query that didn't account for a possible NULL value for a parameter, so it updated all 65 million records instead of the 15 that belonged to that user.

Took 3 people and 4 days to put all the data back to it's original state.

Went right back to using the old version of the apllication, still running 2 years later. It's spaghetti code from hell with sql jobs and multiple stored procedures creating dynamic SQL, but I'm never touching it again.

Goddamn, people who rant against the GDPR make me rage...
Making privacy issues more complex for both user and provider is exactly the damn purpose! People who dont care about their private data make me sick! These ignorant fucks get to elect my government? Wtf! GDPR means more work for companies but that also means companies who actually care will implement it and everyone else can gladly fuck off! Keep your stuff in the states where you can build your own manipulative society...

Damn... I should relax a bit...

User: I need you to extract all the invoice data for us.

Me: What invoice data in particular, what are filters you require. This is a massive database with millions of transactions.

User: JUST EXTRACT THE TABLE!

Me: Right.....(this is a database with 3000+ tables and hundreds of joins)

A popular social media website in my country (which my friends and I were working on it's new design) was hacked and everyone on the dev side of the website was invited to the ministry of communications, believing we were going to discuss security of user data. The other guys (working on the back-end) were friends with the CEO (if you want to call it that) and naturally came to the meeting. They started to talk about the girls of their city. Meanwhile about 1.2 million user data encrypted with MD5 was out there.

I managed to accidentally clear everybody's usernames and email addresses from an SQL table once. I only recovered it because a few seconds before, I'd opened a tab with all the user data displayed as an HTML table. I quickly copied it into Excel, then a text editor (saving multiple times!), then managed to write a set of queries to paste it all back in place. If I'd refreshed the tab it would have all gone!

For fucks sake, how many times can you get the same error before giving up?

So, there's this form, and it's used quite frequently without fail, and there's this 1 user receiving an error that some data is incorrect, so... they submit the form again, and again, and again, and 6 more times with the same bloody error all because changing 1 fucking field is obviously to hard to recognise as the problem when the error says "you can not have 'x' in field 'y'"

Fuck it, do I need to replace 'x' with a blank, just because you can't read a fucking error message?

While trying to integrate a third-party service:

Their Android SDK accepts almost anything as a UID, even floats and doubles. Which is odd, who uses those as UIDs? I pass an Integer instead. No errors. Seems like it's working. User shows up on their dashboard.

Next let's move onto using their data import API. Plug in everything just like I did on mobile. Whoa, got an error. "UIDs must be a string". What. Uh, but the SDK accepts everything with no error. Ok fine. Change both the SDK and API to return the UID as a string. No errors returned after changing the UIDs.

Check dashboard for user via UID. Uh, properties haven't been updating. Check search properties. Find out that UIDs can only be looked up as Integers. What? Why do you ask me to send it as a string via the API then? Contact support. Find out it created two distinct records with the UID, one as a string and the other as an Integer.

GFG.

*Working on a project with boss, I am working on a mobile app, he is working on web service app.

Me: this service takes user id as parameter to get all account details (all other web services are like that)

Boss: yes, I use the id to filter the data.

Me: but by this, everyone has the id can do anything ! why we do not use session token?

Boss: this is a detail, it is not important !

Me:...

*7 years of experience my ass

The Hungarian public transport company launched an online shop (created by T-Systems), which was clearly rushed. Within the first days people found out that you could modify the headers and buy tickets for whatever price you set, and you could login as anyone else without knowing their password. And they sent out password reminders in plain text in non-encrypted emails. People reported these to the company which claims to have fixed the problems.

Instead of being ashamed of themselves now they're suing those who pointed out the flaws. Fucking dicks, if anyone they should be sued for treating confidential user data (such as national ID numbers) like idiots.

Thank God the week 233 rants are over - was getting sick of elitist internet losers.

The worst security bug I saw was when I first started work as a dev in Angular almost year ago. Despite the code being a couple of years old, the links to the data on firebase had 0 rules concerning user access, all data basically publicly available, the API keys were uploaded on GitHub, and even the auth guard didn't work. A proper mess that still gives me the night spooks to this day.

A project I'm working on uses Elastic for internal monitoring and logs. The customer asked to access those logs - not something we'd normally do, but it's isolated from other things we use and there's no critical data there, so what the heck, let them have it.

Ever since, we're getting tons of questions like "There are tons of [insert random info message] all the time, do you have any plans to resolve them?" and it gets to the point where I'm just about ready to scream back "NO, SUZAN, BOOKING NOT COMPLETED MANS THE USER F###ING CANCELLED IT, IT'S NOT SOMETHING I CAN FIX IN THE CODE"

Edit: the customer's name isn't actually Suzan

That feeling when the business wants you to allow massive chunks of data to simply be missing or not required for "grandfathered" accounts, but required for all new accounts.

Our company handles tens of thousands of accounts and at some point in the past during a major upgrade, it was decided that everyone prior to the upgrade just didn't need to fill in the new data.

Now we are doing another major upgrade that is somewhat near completion and we are only just now being told that we have to magically allow a large set of our accounts to NOT require all of this new required data. The circumstances are clear as mud. If the user changes something in their grandfathered account or adds something new, from that point on that piece of data is now required.
But everything else that isn't changed or added can still be blank...
But every new account has to have all the data required...

WHY?!

Just got an email with a new really nice douche-bag move from Postman to raise their prices again (this time for almost double) on their paid plans with excuse "it will help us deliver more of what our customers need from us."

Even though I've decided to look other way around for years on their electron-based garbage of bloated app, have not been a fan of their pricing 8$/month/user just for a simple feature such as sharing request schema and environment data.

This simply needs to stop and I'm seriously thinking about doing something about it. 🙄

Spent a month working on a website that relied on crawled data
Got the memory leaks and usage down from 700mb to ~150mb
CPU usage from ~100% to <5%
Shrink-wrapped the DB requirements based on data
Created self-supporting services and what not

When everything FINALLY worked good enough for me to look at it and go "damn, this actually worked"
the whole monitoring sys got dyed in red :v
A quick look up and my crawlers exhausted my godaddy's per-user db limits.

Kill me.
Just fuckin kill me.

Did a code test at an interview, had to aggregate data from a db. They stored cities with population count and users referenced cities.. 6 cities had a higher user count than population 🤔

They were a little taken back and suggested the population data must be outdated 😉.. it got a bit awkward

TLDR: Find a website that requires a subscription but doesn't check their cookies' integrity, now I'm on a website for free.

>be me
>wonder if it's possible to intercept browser data
>download Wireshark
>download Fiddler
>find that none of these really fit me
>go to youtube, search how to intercept POST data
>find something called BurpSuite
>Totally what I was looking for
>start testing BurpSuite on devrant
>neat!
>I can see all the data that's being passed around
>wonder if I can use it on a website where my subscription recently ended.
>try changing my details without actually inputting anything into the website's form
>send the data to the server
>refresh the page
>it worked
>NEAT!
>Huh what's this?
>A uid
>must be a userID
>increment it by 1 and change some more details
>refresh the page
>...
>didn't work 😐
>Hmmm, let's try forwarding the data to the browser after incrementing the uid
>OH SHIT
>can see the details of a different user
>except I see his details are the details I had entered previously
>begin incrementing and decrementing the uid
>IFINITE POWER
>realize that the uid is hooked up to my browsers local cookie
>can see every user's details just by changing my cookie's uid
>Wonder if it's possible to make the uid persistent without having to enter it in every time
>look up cookie manipulator
>plug-in exists
>go back to website
>examine current uid
>it's my uid
>change it to a different number
>refresh the webpage
>IT FUCKING WORKED
>MFW I realize this website doesn't check for cookie integrity
>MFW I wonder if there are other websites that are this fucking lazy!!!
>MFW they won't fix it because it would require extra work.
>MFuckingFW they tell me not to do it again in the future
>realize that since they aren't going to fix it I'll just put myself on another person's subscription.

Hey !
A big question:
Assume we got an android app which graphs a sound file .
The point is: the user is able to zoom in/out so the whole data must be read in the begining , but as the file is a little longer , the load time increases.
What can i do to prevent this?

"So Alecx, how did you solve the issues with the data provided to you by hr for <X> application?"

Said the VP of my institution in charge of my department.

"It was complex sir, I could not figure out much of the general ideas of the data schema since it came from a bunch of people not trained in I.T (HR) and as such I had to do some experiments in the data to find the relationships with the data, this brought about 4 different relations in the data, the program determined them for me based on the most common type of data, the model deemed it a "user", from that I just extracted the information that I needed, and generated the tables through Golang's gorm"

VP nodding and listening intently...."how did you make those relationships?" me "I started a simple pattern recognition module through supervised mach..." VP: Machine learning, that sounds like A.I

Me: "Yes sir, it was, but the problem was fairly easy for the schema to determ.." VP: A.I, at our institution, back in my day it was a dream to have such technology, you are the director of web tech, what is it to you to know of this?"

Me: "I just like to experiment with new stuff, it was the easiest rout to determine these things, I just felt that i should use it if I can"

VP: "This is amazing, I'll go by your office later"

Dude speaks wonders of me. The idea was simple, read through the CSV that was provided to me, have the parsing done in a notebook, make it determine the relationships in the data and spout out a bunch of JSON that I could use. Hook it up to a simple gorm golang script and generate the tables for that. Much simpler than the bullshit that we have in php. I used this to create a new database since the previous application had issues. The app will still have a php frontend and backend, but now I don't leave the parsing of the data to php, which quite frankly, php sucks for imho. The Python codebase will then create the json files through the predictive modeling (98% accuaracy) and then the go program will populate the db for me.

There are also some node scripts that help test the data since the data is json.

All in all a good day of work. The VP seems scared since he knows no one on this side of town knows about this kind of tech. Me? I am just happy I get to experiment. Y'all should have seen his face when I showed him a rather large app written in Clojure, the man just went 0.0 when he saw Lisp code.

I think I scare him.

The security on my school computers is a joke.
The standard student accounts have no user rights, but the "guest" account has admin rights???
The teachers private data is not secured, it's just hidden from explorer, so if you manually type in the folder location into the explorer bar, you can access the teacher's data. Not to mention everything is running on Windows 7 machines from 10 years ago.

Imagine

websites didn't use unnecessary cookies,
JavaScript was only used when needed,
no trackers, no ads, no telemetry, no user
data saved when it doesn't benefit the user.

*Wakes up in cold sweat*

when I was a newbie I was given a task to upload a site.
I had done that many times before so I thought it wont be a big deal so I thought I never gave a try uploading through ftp.
Okay I began work on it the server was of godaddy and credentials I got were of delegate access.
right I tried connecting through ftp but it wasn't working thought there's some problem with user settings why shouldn't I create my own user to stay away from mess.
Now I creater my own user and could easily login but there were no files in it saw that by creating user my folder is different and I dont have access to server files I wanted to take backup before I do upload.
now I was thinking to give my user access to all files so I changed the access directory to "/" checked ftp again there was still no file.
don't know what happened to me I thought ahh its waste of time for creating ftp user it does nothing and I deleted my ftp account.
now I went through web browser to download data and earth skids beneath my foots. Holy fuck I lost all the data, all were deleted with that account it scared the shit out of me.
There were two sites running which were now gone.
Tried every bit to bring them back but couldn't do so. i contact support of godaddy they said you haven't enabled auto backup so you can't have them for free however they can provide their service in $150. Which is 15k in my country.
I decided to tell my boss about what happened and he got us away :p I wasn't fired gladly

Dev team: This part of the app has a shitty ux. We want to fix it after we finish this feature.
Business: hey guys we think we lack data so we got some users to check our page with shitty ux and see if they think it is shit
User: yeah it’s shit

Great use of resources you chucklefucks

After 4 years of professional programming the most important thing that I learned is "user is stupid".
Once I modified old code that was summing salaries (I added extra column to the result), nothing else. My result was rejected because all salaries was empty. Period of data was from first day of the month from user selected date to user selected date. It turned out that user was selecting 27th day of the month (it was 27th then). I responded that salaries have full month period, and you'll have to choose end of the month... And then shitstorm began, that I messed up previous functionality. I tried to explain, but it wasn't working. It ends up with user selecting any date and I'm doing end-of-the-month in the background^^
It's my first rant, welcome to you all :)

Corp: you will get a four hour assignment to work out
Me: cool nice.
Corp: here it is, build a dragon with conflicting requirements, stocks but without any form of pricing mixed in. Then slay that dragon and post it to the static backend we created.
Me: cringe much?
Corp: yeah, you can spend more than 4h but be sure to spice things up abit. Since it is frontend, and all we spin up from the backend is flat data. But it must exhale an exciting user experience.
Me: stop the cringe pls!

Facebook:
Privacy: not sharing user data with competitors

Fuck you Intel.
Fucking admit that you're Hardware has a problem!

"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data"

With Meltdown one process can fucking read everything that is in memory. Every password and every other sensible bit. Of course you can't change sensible data directly. You have to use the sensible data you gathered... Big fucking difference you dumb shits.

Meltown occurs because of hardware implemented speculative execution.
The solution is to fucking separate kernel- and user-adress space.
And you're saying that your hardware works how it should.
Shame on you.

I'm not saying that I don't tolerate mistakes like this. Shit happens.
But not having the balls to admit that it is because of the hardware makes me fucking angry.

Putty remote executuon vulnerability(no patch yet)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to unspecified input validation error when processing data, received from SSH server. A remote attacker can trick the victim to connect to a specially crafted SSH server and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

User: This web page form is too hard to use and is prone to have wrong data filled out.

Me: Uh...ok. Here is a redesign. You literally fill out one text field and a date picker.

User: Oh this is great, thanks.

*checks the database and the very first entry they created had the wrong date.*

Fuck me.

A coworker of mine was asked to make a utility C# app to help with our internal testing. The idea was that the app would collect data and display the results.

He decided that it was very important that the app have a command line interface. He's spent far more time building the app from scratch for the command line than he would have if he'd used C#'s built-in GUI utilities.

Today was our demo day and he shows an internal command-line app in 2017 built in C#. I asked about the GUI and he said that the command line functionality was more important. I suggested that it was maybe less user-friendly and he proceeded to explain to me how "non-technical" people might prefer a GUI, but clearly any serious developer would just want a command line app.

I feel like, in one fell swoop, he trivialized my suggestion, didn't address any of the data visualization needs, and suggested I wasn't a "real developer". Am I right to feel a little outraged by this?

Stakeholder: Users are connecting invalid memberships to their web accounts. They shouldn’t be able to do that.

Me: Their memberships were valid when they set up the account. Your team’s record de-duping project is the issue here. You decided to mark those memberships as invalid.

I’m real tired of this stakeholder acting like this is a website issue or user error. Plus, this chaos could have been avoided if they and other involved stakeholders had just cc’d me on this de-duping project. I would have said their approach was not a good idea. But they didn’t because they want to do what’s convenient for them. If they want to be a reliable source of truth for our data, then they need to be responsible with how they’re handling that data.

Fun fact!

Xiaomi has a restriction where you're only allowed a bootloader unlock key one week after you've requested it. No, not a week after you've bought the phone. Not a week after you created an account and generated so much usage data that it would be stupid to doubt you're a genuine user.
No, you have to wait one week after installing their fucking desktop app and getting past some arbitrary point in the process.

Seriously, how much shit can this company pull with a straight face? At this point they're just sabotaging me, it's not even for any reason.

When there’s a glaring user-facing issue in your company’s app that can cause the user to spend mobile data after specifically choosing a setting that’s supposed to prevent that.

And your boss says your fix is “out of scope for the current sprint.” And the product team agrees with him.

I ALREADY DID THE WORK AND HAD IT VERIFIED BY QA.

Sometimes I Hate agile. Then again, I don’t think we’re doing it quite right anyway.

Why the fuck do apps throw tantrums as soon the phone looses internet connectivity?

HBO stops steaming and closes the player as soon as wifi disconnects, discarding the buffered data.

For Quora, it replaces loaded answers with a UI asking you to reload the page. Now, what am I supposed to do in the lift? Stare awkwardly at the lift buttons?

At what point did we decided bad user experience and arbitrarily discarding cached data is the way forward?

"How does HTML store user data?"

Client asked us to build standard dating app. Android version was published without problem but iOS version was rejected because during registration we collect data application does not need to work properly, that data is age and gender of user...

Being Honest,
I never had any problem with Google tracking my activities. I love their services and I feel like they're using my data to really serve me better.

But I do have problems with Amazon and Facebook.
Amazon keeps disturbing me with their annoying ads recommending things I've already purchased.
Using Facebook on the other hand is like standing nude in public.

So I just started a part time job in a hospital research center - because the processing is long I got a temporary user name and password (that belong to the main HR secretary) so I can start work straight away (mainly data analytics)
The kick?
Administrator privileges.
I can access edit create or delete everything in the entire fucking database. On my first God damn day.
In the 2nd largest hospital in the fucking country.
Agh. How do systems survive with so many dumb security breaches?

Hello everyone,
I'm new here. [OK. Let's skip this]
I want to know where to begin on my journey on learning how to create a program that predicts what a user will say next by storing already said things and by making specific characteristics for the users.

I know that I will need to train it with some data first lol.
But how will it do the prediction. I just need this part of understanding.

I'm sorry for my bad English btw.

i want to get my own social network up and running.

so far ive got -
login 100% securely
register (1000% securely)
view someone’s profile (10^7% securely)

to add -
scrypt (maybe bcrypt, however scrypt looks like the better option)
friend a user
track their every move (ill use facebooks and googles apis for that)

to describe my product -
ai
blockchain
iot
big data
machine learning
secure
empower
analysis

call me when im a gazillionaire

but seriously, im making a social network and i hope its done by wk105 tbh

I have quite a few of these so I'm doing a series.
(2 of 3) Flexi Lexi

A backend developer was tired of building data for the templates. So he created a macro/filter for our in house template lexer. This filter allowed the web designers (didn't really call them frond end devs yet back then) could just at an SQL statement in the templates.

The macro had no safe argument parsing and the designers knew basic SQL but did not know about SQL Injection and used string concatination to insert all kinds of user and request data in the queries.
Two months after this novel feature was introduced we had SQL injections all over the place when some piece of input was missing but worse the whole product was riddled with SQLi vulnerabilities.

Fuck everything about Microsoft Dynamics. I'm supposed to use the REST API to make a web front-end. I notice all of the data comes back codified.

null == 0.
boolean true == 100000000
boolean false == 100000001

except sometimes when

boolean false == 100000000
boolean true == 100000001

or other times

string "Yes" == 100000000
string "No" == 100000001
string "Maybe" == 100000003

Hang on. Is the system representing a 1 bit value with base 10 numbers? Did the client set this up like this? Holy crap every number corresponds to a unique record in a table somewhere. That means it only returns numeric values instead of strings and I have to figure out what the number means in the context of the table.

A "key" is user typed? So every time someone starts to make a new record it saves a new "key" without a record? So I can pull a bunch of "0" records if I pull sequentially? So basically I need to see all of the data in Dynamics to have any context at all for what is returned from the Dynamics API? Fuuuuuuuuuu

Carmack: "Hi, I am Carmack, your AI artist today. I create high definition 3D interactive world by listening to your verbal request or brain-computer interface."

User: "Hey Carmack, create me an ideal cyberpunk world."

Carmack: "World created. Here are the main resources used to synthesize your defintion of 'Cyberpunk'. Done. Is that what you want?"

User: "Hey Carmack, can you make it less similar to Coruscant, but more vintage, and more like Blade runner more like Africa, mixing super Mario galaxy. Also add a mansion similar to this link and the hot girl in this link. Make her ideal. Make the world ten times bigger than GTA V"

Carmack: "Alright, bro. The definition of "ideal" has been data driven by the norm on internet.
Done. Is this what you want?"

user: "Yes, test it in VR"

Carmack: "Enjoy."

If you need 10TB of User data to make a marketing strategy, you might be in the wrong business. When I was young we used our imagination to make good marketing ;-P

About to punch Android studio in the face! My SYNTAX IS CORRECT!!!! 😡😡😡😡

So, I was able to hack into a local business (legally) in under two minutes today... great and scary right? Get this, it was from my iPhone. All switches were still the default username and password... after seeing that they didn't think anything was wrong and didn't sign the contract... imagine what I could have done with my laptop and my PWNtools...

Fuck it, more (l)user data for me to log.😏

Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...

...and then feature creep happened. Now I have implemented support for multiple users with different access levels; user profiles; encrypted login system (and encrypted cookies that contain no sensitive data lol) and session handling according to (perceived) best practices; secure password recovery; user-management interface for admins; public, private and group-based sections with multiple categories and posts in each category that can be sorted by sort order value or drag and drop; custom user-created groups where they can give other users access to their sections; notifications; context menus for everything; post & user flagging system, moderation queue and support system; post revisions with comparison between different revisions; support for mobile devices and touch/swipe gestures to open/close menus or navigate between posts; easily extendible css themes with two different dark themes and one ugly as heck light theme; lazy loading of images in posts that won't load until you actually open them; auto-saving of posts in case of browser crash or accidental navigation away from page; plus various other small stuff like syntax highlighting for code, internal post linking, favouriting of posts, free-text filter, no-javascript mode, invitation system, secure (yeah right) image uploading, post-locking...

On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...

It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.

help

Okay, so I have to write a script that will get user data from an AD, additional information from an XML, combine those two to get boss user relationship and output that mess into an excel sheet.
Oh, and both sources are ofc completely inconsistent. So I need full error handling on everything.
Aaaaaaand I have to write it in VB script... Using np++... Without plugins...
I hate my life!

Oh, you're encrypting user data
Your boss: write the encryption key on notepad or paper

management logic.

dev : calling api on every product scroll is a stupid idea. we shouldn't do it. what if user has 100s of products bought?
mgmt : it isn't a practical scenario. in prod, we checked the data and we rarely have customers with more than 20 products
dev : 😮🤷‍♂️

dev : this is a rare issue that only happens for very old devices from this specific manufacturer. even manufacturers have acknowledged this.
mgmt : we don't care. fix it, as per data this error has been logged for more than 12 times (from 1 user only)
dev : 😮😢

Possibly the start of a very bad adventure: I'm helping my brother-in-law set up a website for a business he'd beginning with his wife. I'll be needing to provide him a simple cms & shopping cart that he can manage. No payments as we want to just use PayPal so as to avoid having to actually manage user data & credit card information.

Wish me well....

Also advices appreciated cause otherwise, I'm gonna use a simple Drupal or WordPress site with like 1 theme and 0 plug ins.

"Using MD5" !? What year are we in again?

NOTICE OF DATA BREACH

Dear Yahoo User,
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.
...
What Information Was Involved?

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5)

Data Disinformation: the Next Big Problem

Automatic code generation LLMs like ChatGPT are capable of producing SQL snippets. Regardless of quality, those are capable of retrieving data (from prepared datasets) based on user prompts.
That data may, however, be garbage. This will lead to garbage decisions by lowly literate stakeholders.
Like with network neutrality and pii/psi ownership, we must act now to avoid yet another calamity.

Imagine a scenario where a middle-manager level illiterate barks some prompts to the corporate AI and it writes and runs an SQL query in company databases.
The AI outputs some interactive charts that show that the average worker spends 92.4 minutes on lunch daily.
The middle manager gets furious and enacts an Orwellian policy of facial recognition punch clock in the office.
Two months and millions of dollars in contractors later, and the middle manager checks the same prompt again... and the average lunch time is now 107.2 minutes!
Finally the middle manager gets a literate person to check the data... and the piece of shit SQL behind the number is sourcing from the "off-site scheduled meetings" database.
Why? because the dataset that does have the data for lunch breaks is labeled "labour board compliance 3", and the LLM thought that the metadata for the wrong dataset better matched the user's prompt.

This, given the very real world scenario of mislabeled data and LLMs' inability to understand what they are saying or accessing, and the average manager's complete data illiteracy, we might have to wrangle some actions to prepare for this type of tomfoolery.

I don't think that access restriction will save our souls here, decision-flumberers usually have the authority to overrule RACI/ACL restrictions anyway.
Making "data analysis" an AI-GMO-Free zone is laughable, that is simply not how the tech market works. Auto tools are coming to make our jobs harder and less productive, tech people!
I thought about detecting new automation-enhanced data access and visualization, and enacting awareness policies. But it would be of poor help, after a shithead middle manager gets hooked on a surreal indicator value it is nigh impossible to yank them out of it.

Gotta get this snowball rolling, we must have some idea of future AI housetraining best practices if we are to avoid a complete social-media style meltdown of data-driven processes.
Someone cares to pitch in?

So yeah XML is still not solved in year 2018. Or so did I realize the last days.
I use jackson to serialize generic data to JSON.

Now I also want to provide serialization to XML. Easy right? Jackson also provides XML serialization facitlity similar to JAXB.

Works out of the box (more or less). Wait what? *rubbing eyes*

<User>
<pk>234235</pk>
<groups typeCode="usergroup">
<pk>6356679041773291286</pk>
</groups>
<groups typeCode="usergroup">
<pk>1095682275514732543</pk>
</groups>
</User>

Why is my groups property (java.util.Set) rendered as two separate elements? Who the fuck every though this is the way to go?

So OK *reading the docs* there is a way to create a collection wrapper. That must be it, I thought ...

<User typeCode="user">
<pk>2540591810712846915</pk>
<groups>
<groups typeCode="usergroup">
<pk>6356679041773291286</pk>
</groups>
<groups typeCode="usergroup">
<pk>1095682275514732543</pk>
</groups>
</groups>
</User>

What the fuck is this now? This is still not right!!!

I know XML offers a lot of flexibility on how to represent your data. But this is just wrong ...

The only logical way to display that data is:
<User typeCode="user">
<pk>2540591810712846915</pk>
<groups>
<groupsEntry typeCode="usergroup">
<pk>6356679041773291286</pk>
</groupsEntry>
<groupsEntry typeCode="usergroup">
<pk>1095682275514732543</pk>
</groupsEntry>
</groups>
</User>

It would be better if the individual entries would be just called "group" but I guess implementing such a logic would be pretty hard (finding a singular of an arbitrary word?).

So yeah theres a way for that * implementing a custom collection serializer* ... wait is that really the way to go? I mean common, am I the only one who just whants this fucking shit just work as expected, with the least amount of suprise?
Why do I have to customize that ...

So ok it renders fine now ... *writes test for it+
FUCK FUCK FUCK. why can't jackson not deserialize it properly anymore? The two groups are just not being picked up anymore ...

SO WHY, WHY WHY are you guys over at jackson, JAXB and the like not able to implement that in the right manner. AND NOT THERE IS ONLY ONE RIGHT WAY TO DO IT!

*looks at an apple PLIST file* *scratches head* OK, gues I'll stick to the jackson defaults, at least it's not as broken as the fucking apple XML:

<plist version="1.0">
<dict>
<key>PayloadOrganization</key>
<string>Example Inc.</string>
<key>PayloadDisplayName</key>
<string>Profile Service</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist

I really wonder who at apple has this briliant idea ...

A couple of years ago, we decide to migrate our customer's data from one data center to another, this is the story of how it goes well.

The product was a Facebook canvas and mobile game with 200M users, that represent approximately 500Gibi of data to move stored in MySQL and Redis. The source was stored in Dallas, and the target was New York.

Because downtime is responsible for preventing users to spend their money on our "free" game, we decide to avoid it as much as possible.

In our MySQL main table (manually sharded 100 tables) , we had a modification TIMESTAMP column. We decide to use it to check if a user needs to be copied on the new database. The rest of the data consist of a savegame stored as gzipped JSON in a LONGBLOB column.

A program in Go has been developed to continuously track if a user's data needs to be copied again everytime progress has been made on its savegame. The process goes like this: First the JSON was unzipped to detect bot users with no progress that we simply drop, then data was exported in a custom binary file with fast compressed data to reduce the size of the file. Next, the exported file was copied using rsync to the new servers, and a second Go program do the import on the new MySQL instances.

The 1st loop takes 1 week to copy; the 2nd takes 1 day; a couple of hours for the 3rd, and so on. At the end, copying the latest versions of all the savegame takes roughly a couple of minutes.

On the Redis side, some data were cache that we knew can be dropped without impacting the user's experience. Others were big bunch of data and we simply SCAN each Redis instances and produces the same kind of custom binary files. The process was fast enough to launch it once during migration. It takes 15 minutes because we were able to parallelise across the 22 instances.

It takes 6 months of meticulous preparation. The D day, the process goes smoothly, but we shutdowns our service for one long hour because of a typo on a domain name.

Pulled into an 'emergency' meeting with a group of web designers deeply concerned a particular service wasn't going to meet all their requirements.
DevA: "For each page, Its going to be A LOT of work to retrieve all the data and store it's state. Every page load will require a round trip to the service."
DevB: "Yes, we aren't sure how the service should be changed to do what we need."
Mgr: "What is it not doing now? Doesn't the service already returns all the necessary data?"
DevA: "Well...um...its all the boolean fields. Some may be defaulted from the database or false because the user unchecked the box. We have to know which is which"
Me: "Why? Are you doing anything different in the UI? Checkbox will be true or false. What or who set that value is irrelevant"
DevC: "Well, it matters if the user didn't fill out all other other values."
Me: "How so?"
DevA: "Its matters because the values in the other fields. Its going to be A TON of work to figure out."
<mgr goes to the white board>
Mgr: "Lets map this out...what fields are you needing to trigger the state on?"
DevA: "Um...uh...the 'Approved' field...and um...'OK to Contact' field"
Mgr: "Just those two?"
DevA: "Yea..um...there are other fields, but whether or not to show the edit box depends on those two."
Me: "The service already returns data, you only have two fields to check? I don't see a need to change the service at all."
DevA: "Returning all that data, we are going have a serious scaling problem. We'll be hitting the service A LOT. All that javascript could cause performance problems too"
Me: "How much data are we talking about? Name, address, couple of booleans?"
DevA: "I have to serialize the data. All that logic is going to be reeeaaallly complicated. It might be better if the service returned only the data I need."
Me: "$64,000 question, how often is this feature going to be used on the web site? Maybe once? Few hundred a week?"
Mgr: "We have no idea. A lot of the data will be pre-populated and we're only sending out a few thousand invitations. More around the holidays...but honestly, not very many."
Me: "Changing that service only for this particular area of the web site isn't going to happen. Changing the UI is the only course of action."
DevA: "Oh frack I can't wait until this project is over."

DevA...how the funck do still have a job here? You wasted about half-hour of my time with your cry-baby crap. Where is my hammer...no...no..don't go there...ahhh...thanks devrant. Prison sentence diverted.

A lot of people give Google, Facebook, Microsoft, etc. shit for "selling" user data although in my opinion acting as a matchmaker between advertisers and users does not really constitute selling data.

In contrast there seem to be a lot of companies that actually do sell user data that I never hear anyone here talking about.

When the user complains that our web tool is corrupting and losing data when converting results into excel while he is the one putting more that 40,000 characters into one text box which is way more than what Excel's cell can handle

Once i worked on an application which has very long form and submit to a soap endpoint (post). I felt my life was so pointless when testing after i made changes. So I automated the testing by generating post request so i can just run it.

I filled the user name with Brandon Boyd, Alan Turing or Ryan Gosling. And it increments like Boyd1, Boyd2.

Once my colleague found a bug, the data never get saved but all the boyds persists. He knew it was me, who uses that kind of name

My barbaric manager (was involved) kind of pointed his finger at me. I sweat a bit though i couldn't find logical explanation why Boyds stay. but turned out someone changed the sqlscript.

"Apple and Google will ban the use of location tracking in covid19 contact tracing apps on their stores to ensure user privacy and to prevent governments from using the syatem to compile data on citizens"

AHAHAHAHAHAHA

its been there since many years, but:

When did we turned the wrong way and made it acceptable that Windows can blantly say in my face that i cannot deactivate the transmission of data unless i have the "Business" Variant of their Software. Its called Windows 10 PROFESSIONAL. Why are there no international Laws against that? Where was the molotov throwing mob when this became the norm?

Additonally. that cute telemetry service consumes a considerable amount of cpu and disk power from time to time.

and no, Linux is not an alternative. It never was. There is proprietary software and driver sets used for lab equipment and machines that cannot run under linux, noone will ever have the time to tool something for it and the user base is too specific to hope for any community solution.

sidenote: even Level 0 STILL transmits data. I want mode -1

I just found a vulnerability in my companies software.
Anyone who can edit a specific config file could implant some SQL there, which would later be executed by another (unknowing) user from within the software.

The software in question is B2B and has a server-client model, but with the client directly connecting to the database for most operations - but what you can do should be regulated by the software. With this cute little exploit I managed to drop a table from my test environment - or worse: I could manipulate data, so when you realize it it's too late to simply restore a DB backup because there might have been small changes for who knows how long. If someone was to use this maliciously the damages could be easily several million Euros for some of our customers (think about a few hundred thousand orders per day being deleted/changed).

It could also potentially be used for data exfiltration by changing protection flags, though if we're talking industry espionage they would probably find other ways and exploit the OS or DB directly, given that this attack requires specific knowledge of the software. Also we don't promise to safely store your crabby patty recipe (or other super secret secrets).

The good thing is that an attack would only possible for someone with both write access to that file and insider knowledge (though that can be gained by user of the software fairly easily with some knowledge of SQL).

Well, so much for logging off early on Friday.

Contex: Working on a c++ frankenstein code (mixture of legacy and new stuff whith things depending on the client using it)

User Story: Migration from oracle to SQLite for half of the DB data

Summoner: One client wants to keep using legacy for now, therefore we need an strategy chooser templated singleton...

Satan 666 = Singletons + Static methods + Different compilation units

Result: 3/4 of the files of the full backend being modified for the migration.

Conclusion: When will be loaded on production company will probably lose many clients due to unspected bugs everywhere.

Insert potato here

Have you ever had the moment when you were left speechless because a software system was so fucked up and you just sat there and didn't know how to grasp it? I've seen some pretty bad code, products and services but yesterday I got to the next level.

A little background: I live in Europe and we have GDPR so we are required by law to protect our customer data. We need quite a bit to fulfill our services and it is stored in our ERP system which is developed by another company.

My job is to develop services that interact with that system and they provided me with a REST service to achieve that. Since I know how sensitive that data is, I took extra good care of how I processed the data, stored secrets and so on.

Yesterday, when I was developing a new feature, my first WTF moment happened: I was able to see the passwords of every user - in CLEAR TEXT!!

I sat there and was just shocked: We trust you with our most valuable data and you can't even hash our fuckn passwords?

But that was not the end: After I grabbed a coffee and digested what I just saw, I continued to think: OK, I'm logged in with my user and I have pretty massive rights to the system. Since I now knew all the passwords of my colleagues, I could just try it with a different account and see if that works out too.

I found a nice user "test" (guess the password), logged on to the service and tried the same query again. With the same result. You can guess how mad I was - I immediately changed my password to a pretty hard.

And it didn't even end there because obviously user "test" also had full write access to the system and was probably very happy when I made him admin before deleting him on his own credentials.

It never happened to me - I just sat there and didn't know if I should laugh or cry, I even had a small existential crisis because why the fuck do I put any effort in it when the people who are supposed to put a lot of effort in it don't give a shit?

It took them half a day to fix the security issues but now I have 0 trust in the company and the people working for it.
So why - if it only takes you half a day to do the job you are supposed (and requires by law) to do - would you just not do it? Because I was already mildly annoyed of your 2+ months delay at the initial setup (and had to break my own promises to my boss)?

By sharing this story, I want to encourage everyone to have a little thought on the consequences that bad software can have on your company, your customers and your fellow devs who have to use your services.
I'm not a security guy but I guess every developer should have a basic understanding of security, especially in a GDPR area.

One of our customers wants our mobile app to log out the user after 15 minutes of inactivity because of SeCuRiTy…

Why? The phones protect the apps with their hardware encryption from any malicious access.
And we are not dealing with super sensitive data here like some banking app or so.

Why do some people want to have bad UX for no reason?

Looking for a second opinion/validation.

*Me: “Perhaps this simple and concise way to ensure the user doesn’t lose their data before they leave the page that requires non-zero yet minimal input from the user. (Read: ya gotta push a save/submit button)”

*Everyone else: Let’s pretend to read the user’s mind and perform relatively complicated functions behind the scenes, of which the user will most likely be unaware, that will add an undetermined amount of complexity to the development because we think it’s “where things are going,” by saving the value of a certain HTML element as it loses focus.

Edit: this is an exclusively-internally used app.

User A: We need to do some check on our data. So you need to add in a new function for this, we can't use your system otherwise.
Me: Ok then.
Spends 2 days or so to get it working
Me: So this is the function we'll add. Can you confirm that its ok?
User A: Ohh...but now I'm not too sure about this. Let me confirm with my team lead on this.
User A: I just checked. Good news,we don't really need that function now. I think we can use it with the current one anyway haha. And I just confirmed this so no worries.
So I just wasted my time then. Great.

I just set up SSHFS so I can play my media library on my TV without moving all my data!

Basically my setup is something like this:

*Gaming PC (with a total of 10TiB - 6TiB being used for my /home) located in my office

*Home Media PC (with total of 150GB) located in my living room

Everything I have is on my 6TB HDD, and just my Videos folder is larger than the hard drive in the Home Media PC, so I decided to set up SSHFS. After about 15 minutes of reading man pages and trying different configurations, I ended up just needing "sshfs -o nonempty -o allow_other [user]@[location]:/home/$USER/Videos /home/server/Videos/"

This is so great guys; I love Linux so much!

Reporting is not fun..

Scenario 1:
* A user says they need to export certain data from our system..
* Developer W makes report called "Foo detail report"

Scenario 2:
* A user says they need this report to also show some extra fields
* Developer X makes a new report called "Foo detail report (extra fields)"

Scenario 3:
* A user says they need this report to be run with a different search criteria
* Developer Y makes a new report called "Foo detail report (extra fields) by bar"

Scenario 4:
* A user says they need this report show data grouped in a different way
* Developer Z makes a new report called "Foo detail report (extra fields) by bar- new grouping"

The above scenarios happened over and over for several years in no particular order...

Current Day:
* Some users have certain reports they use and rely on but we don't know which ones
* Nobody really knows what all of the reports do or what is the difference between them without looking at the sql
* If we want to change data structures we have many reports to update
* I have a request from a user to add an extra column to one of the reports

example of my commenting on bugs to fix later

Before I found devrant:

//1-3-18
//when user goes to send mailing for first time
//we need to remove the message from admin
//which only displays on first time login, but
//may block the data we are looking for
// then return to parent

After DevRant:

//9-8-18
//when user goes to send mailing for first time
//there's a fucking stupid message that they
//have to read once which blocks the data we need
//so, goutte click that shit, then return to parent

A user calls me an hour after I'm supposed to have logged off.
"Hey, ahh, like, something is not good with, like, some thing"
Oh, snap! What happened?
"There is, like, this report, and it's, like, not right?"
Oh, the report is showing wrong data? Let me try to get a fresh version and...
"No, like,the data is right, but, like, there is many reports and , like, should be only one?"
Oh, you mean the report consolidation feature? It should only happen if the reports are fully compatible, and since it's automatic if the reports are not already grouped it means that they cannot be grouped. Probably due to this shopping season, we've seen a high uptick in demand.
"But, like, it should be, like, one! If not I will have to type in each report, like, by hand! I usually talk to this guy XYZ and he, like, does something that I, like, have no idea what it is. Can you call him up?"
(The dude the user mentioned logged off hours ago, and is in a different timezone. It's now about 11PM for him.)
It might not be possible. The system should add observations to each report it cannot consolidate. What do those say?
(the user takes two seconds to respond. I don't think they checked anything)
"It doesn't say anything. Can you cal XYZ, please?"
...

Shit, why do people wait until the last few hours of the last day of the month to do something that should have been done days ago and then demand that everybody everywhere just adjust to their late-ass schedule?
And then to demand I wake up a hardworking dev because someone is to lazy to use the system as it was custom designed for them? Because it had no problems but just wasn't making all things easy?

That's why users have to pay - they don't pay us to code, they pay us to put up with their bullshit.

Just another day, building some hearty data structures in C.
I need to make a program that can multiplex user IO to different child processes from the command line.

Forgot to do server side verification.

As the service (an injectable game) was expanding and the old system relied on server side calculation without anything returned from the user, the expansion was done a little too fast.
The result could have been anyone passing wrong data and receiving the grand price like a holiday worth $10k. Quick fix ...

Today we start working on a app that learns biometric data from the user for extra security, so if some one else uses my account... The system would know and shuts the bad user out. Although we use an api for the biometric data collection, it's still epic! 😀😀😀

Only bad thing is that the deadline is next week

I'm ashamed of it, but I want to share my tifu-story:
My colleague asked me if I could rename his windows user name because he married and changed his last name. I changed it in the Active Directory, but he got some problems when he wants to log on. On every startup his old name appears. Simpliest task. Let me google that.
Easy going, let me just change this registry entry. Reboot. Old behaviour. Okay, I changed some of the other entries. Reboot. Yeah, his new name appears. But wait a moment. Windows just nulled his entire user profile and deleted all the data. "oh, haha you have a backup, right?" - "no, I saved everything on the desktop, all my work is gone!"
But at the end, the boss was mad at HIM, because he doesn't used the file server or any backup system.

i am not a smart man

Customer: the user summary report does not show all the transaction data I want to see

Me: there is a report called "transaction log report" that will show all the transactions

Customer: is that the user summary report?

This was originally a reply to a rant about the excessive complexity of webdev.

The complexity in webdev is mostly necessary to deal with Javascript and the browser APIs, coupled with the general difficulty of the task at hand, namely to let the user interact with amounts of data far beyond network capacity. The solution isn't to reject progress but to pick your libraries wisely and manage your complexity with tools like type safe languages, unit tests and good architecture.

When webdev was simple, it was normal to have the user redownload the whole page everytime you wanted to change something. It was also normal to have the server query the database everytime a new user requested the same page even though nothing could have changed. It was an inefficient sloppy mess that only passed because we had nothing better and because most webpages were built by amateurs.

Today webpages are built like actual programs, with executables downloaded from a static file server and variable data obtained through an API that's preferably stateless by design and has a clever stateful cache. Client side caches are programmable and invalidations can be delivered through any of three widely supported server-client message protocols. It's not to look smart, it's engineering. Although 5G gets a lot of media coverage, most mobile traffic still flows through slow and expensive connections to devices with tiny batteries, and the only reason our ever increasing traffic doesn't break everything is the insanely sophisticated infrastructure we designed to make things as efficient as humanly possible.

While on topic of google collecting too much data, is there an chromium like android os, that doesnt spy on its user? Adroidium?

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

Haven't ranted for awhile but here it goes...
In a meeting with a front end user yesterday. They don't like the entry screens on our Oracle ERP system. They want us to provide them with a tool so they can create new entry screens to replace those they dont like. They want full autonomy over that tool and no interference from IT. Oh, and they want unfettered database access to the production data, including full ability to execute DML. I so wanted to say 'Are you high?'.

Today a client opened a ticket saying that all the content for a customer returns 404. Turns out it's kinda important to end a prefix on a separator if you plan to recursively delete all data /user/<user_id> or you might end up deleting a bit of extra data

Salespeople telling clients "Your site doesn't need a privacy policy/cookie policy since you don't actually sell anything on your site."

Wrong wrong wrong WRONGITY WRONG WROOONNGGGG!!!!!

Client to PM to me: "Well Jim said we don't need those on this site."

Me: "Well Jim is misinformed, since we use Google analytics, Facebook Pixel, and contact forms, you need to have both a privacy and cookie policy."

PM to client: "We'll find you a template you can use to get started, it'll cover most of what you need."

Me to PM: "we will do no such thing, we can send them a few links explaining why they need these, but they should consult a legal professional and cover their asses for their own business practices. I can provide any technical details they may need like what data the cookies collect if necessary."

PM to me: "well I'll just find something for them then."

*In my head* please just go crawl in a hole and die.

User: If we use Oauth2, can we audit exactly where this data is going and who sends it there, and in addition cam we audit who grabs that data from the Authenticating app and make sure it doesn't violate our requirements?

Me: No

User: Why not?

Me: Because thats like asking us to audit whether or not a user accessed files and then uploaded them to their personal drive instead of corporate. We don't mandate that application owners take responsibility for their data outside of their application, why would we require that in this case???

User: Uhhhhh

FFS the lack of understanding of application accounts here boggles my mind. I understand that the security concerns are real but throwing out all permissible contexts based on a mandate that we dont even apply to extremely permissive accounts (i.e. users compared to apps) is folly

// Stupid JSON
// Tale of back-end ember api from hell
// Background: I'm an android dev attempting to integrate // with an emberjs / rails back-end

slack conversation:
me 3:51pm: @backend-dev: Is there something of in the documentation for the update call on model x? I formed the payload per the docs like so
{
"valueA": true,
"valueB": false
}
and the call returns success 200 but the data isn't being updated when fetching again.
----------------------------------------------------------------------------------------
backend-dev 4:00pm: the model doesn't look updated for the user are you sure you made the call?
----------------------------------------------------------------------------------------
me 4:01pm: Pretty sure here's my payload and a screen grab of the successful request in postman <screenshot attached>
----------------------------------------------------------------------------------------
backend-dev 4:05pm: well i just created a new user on the website and it worked perfectly your code must be wrong
----------------------------------------------------------------------------------------
me 4:07pm: i can test some more to see if i get any different responses
----------------------------------------------------------------------------------------
backend-dev 4:15pm: ahhhhhh... I think it's expecting the string "true", not true
----------------------------------------------------------------------------------------
me 4:16: but the fetch call returns the json value as a boolean true/false
----------------------------------------------------------------------------------------
backend-dev 4:18pm: thats a feature, the flexible type system allows us to handle all sorts of data transformations. android must be limited and wonky.
----------------------------------------------------------------------------------------
me 4:19pm: java is a statically typed language....
// crickets for ten minutes
me 4:30pm: i'll just write a transform on the model when i send an update call to perform toString() on the boolean values
----------------------------------------------------------------------------------------
backend-dev 4:35: great! told you it wasn't my documentation!

// face palm forever

PouchDB.

It promised full-blown CRDT functionality. So I decided to adopt it.

Disappointment number one: you have to use CouchDB, so your data model is under strict regulations now. Okay.

Disappointment number two: absolutely messed up hack required to restrict users from accessing other users’ data, otherwise you have to store all the user data in single collection. Not the most performant solution.

Disappointment number three: pagination is utter mess. Server-side timestamps are utter mess. ANY server-side logic is utter mess.

Just to set it to work, you need PouchDB itself, websocket adapter (otherwise only three simultaneous syncs), auth adapter (doesn’t work via sockets), which came out fucking large pile of bullshit at the frontend.

Disappointment number four, the final one: auth somehow works but it doesn’t set cookie. I don’t know how to get access.

GitHub user named Wohali, number one CouchDB specialist over there, doesn’t know that either.

It also doesn’t work at Incognito mode, doesn’t work at Firefox at all.

So, if you want to use PouchDB, bear that in mind:
1. CouchDB only
2. No server-side logic
3. Authorization is a mess
4. Error logs are mess too: “ERROR 83929629 broken pipe” means “out of disk space” in Erlang, the CouchDB language.
5. No hosting solutions. No backup solutions, no infrastructure around that at all. You are tied to bare metal VPS and Ansible.
6. Huge pile of bullshit at frontend. Doesn’t work at Incognito mode, doesn’t work at Firefox.

Boss: so we've got to call an app to verify data in this project. But I've got no more info and I'm on holiday next week. Please contact GuyA next week.
Me: ok I guess?
*writes email to GuyA*
GuyB: GuyA is on holiday please hold the line
*1 week later*
GuyA: we need more time it's not ready yet
*2 weeks later?
Me: so?
GuyA: yeah it's ready here's the wsdl etc your client already has the password
*1 week later*
Me: yeah so I got the data but the api says my auth isn't working
GuyB: yeah your user isn't activated on the test system. I'm gonna forward that and come back at you
*1 week later*
GuyA: so we're going live in about 2 weeks hows testing going?
Me: well I'm still waiting for the response and activation
*suddenly it works*
Me: yeah so auth is working but i can't find any data. Is there any special test data?
GuyA: oh no there is NO test data on the test system. You need to wait for GuyB but he us not here today...
Me: are you fking kidding Me?????

... no response since then and it's been days....

Legit questions!
How does facebook secures itself, we never heard news like facebook hacked, user data stolen, recently with ddos, twitter and other websites were affected but not Facebook?
Are they superhumans?

Stakeholder: Can you investigate the problem with this user profile? We made updates to system A, but user is saying it’s the wrong info on the website.

Me: Looks fine to me. Looks like your updates just needed time to trickle down. Though, you will need to clean up this user’s data because it can cause X problems. There’s not much I can do since the site just displays info from system A.

SH: Can you delete the user’s website account and we can ask user to create a new one?

Me: …Ok, let’s try this again. It’s not necessary to delete the account and make the user create a new one. It’s not going to resolve the X problems that I mentioned. The website really needs clean data from system A.

I begin with the optimism and the joy that I am creating something new that will improve people's lives.

I listen to the user and analyze the current process in depth.

I try to suggest additional value to the system for the users consideration. Sometimes they do not realize we can improve 10x rather than 2x.

I learn what the users goals are and what they want out of the system. We think about reports and downstream value. Sort of working from the end to the beginning (data ingests and upstream processes that will feed the system).

After the user signs off on the requirements and deliverables and I have a realistic project plan I begin to code.

It works and has worked for me every time for a long long time.

So a team at on-site sent a OOM(Out of Memory) issue in our morning.
Everyone analysed the issue as being code issue since we were bringing too much data into the runtime process. The analysis was done on the heap dumps. The number of records reported by user were 1k. At the end of the day it turns the number of records were actually 100k+.
Why do people jump.to conclusions without thinking about the obvious. :-(

I am working on a multi user, high security, private data analytics Web app.

I keep a Ganondorf ammibo on my desk to remind me that; one wrong link could ruin everything.

So, we (I'm the backend guy and work with a UI dev) are building this product portfolio management tool for our client and they have a set of 250 users. The team has two point of contacts for the 250 users who maintain the master data, help users with data quality, tool guidance, reporting and other stuff. So one day one of these two support users come to me and say : Hey I'm not able to add new transactions coz a customer is missing.

We have the provision to create / maintain customers.

I check the production DB, application code, try creating the customer and then the transaction, everything works perfectly fine.

I ask the user for a screen sharing session, the user starts reproducing the error like this :

We have a 3 system landscape - Dev / Test and Prod

U : Logs into the test system url, creates the customer.

U : Points out the toast saying customer creation is successful.

U : opens a new tab, opens the production system, tries creating the transaction, searches for the customer and says " see !! cant find the customer here ! the master data management apps never work !! "

FML?.

A few minutes ago, I was going crazy over a bug caused due to data mutation in Rails.

Basically, user1 was creating a post record and it's stored in the database normally however, on page reload for a second user, user2, the post (that user1 created) was update to belong to user2. This is because, on page reloads, I was using `<<` method call to append user2 and user1 posts together! Apparently, `<<` not only mutates the array, it also performs a database update.

Kill me please!!

Also, data immutability seems a more reasonable feature in languages now.

According to the report of Reuters : Brazil's Ministry of Justice said on Monday it has fined U.S. tech giant Facebook 6.6 million reais ($1.6 million) for improperly sharing user data. The ministry's department of consumer protection said it had found that data from 443,000 Facebook users was made improperly available to developers of an App called 'thisisyourdigitallife.' The data was being shared for "questionable" purposes, the ministry said in a statement.

Fuck Google analytics .. seriously .. fuck it .. I understand it's a free tool that doesn't mean you mask your incompetency behind that banner.

Im pretty sure minecraft mods have better documentation than this POS.

I really like the user demographics data it gives , but with the asterisk on literally every other metric it gets harder to believe the ones that are functional.

I cant express exactly how many times I end up with hordes of articles that point out small caveats with this shit.

FUCK IT

What the hell is WRONG with Windows 10. Why does it need so much storage space? I get to only use 219+38.6+13.8 GiB and Windows gets to use 564 GiB of data to piggyback on data and storage space to push nonsense updates to user who do not want them. Use your own fucking servers, MS. I wish this fucking OS burns in hell.

the api endpoint for retrieving user-data in an alexa skill might as well be api.eu.amazonalexa.com WITH .EU
this is not as good documented as it should be and did cost me several hours until i saw it by accident analyzing the request-data another time...
you´re welcome.

User :
i've just done testing the system, based from one of the testing data i inserted, the procedure still isn't correct

Me :
- Desperately looking for whats wrong in the procedure -

User :
Oh, nevermind, the testing data itself is not correct

Also ME :
ASDJAHSGDUqa QY(^E*Q^w^EQV%&ABDYDTA^R6b ^#E%&W QE& !!!!!!!!!!!!!

I need advice.

So let's say, hypothetically, I found a site with a user data leak.

Would it be illegal if I only told them where the leak was for a bounty?

I am NOT going to distribute the user data. I just don't want to work for free, you know?

Again: NOT DISTRIBUTING USERDATA. No blackmail. Just information that their QA should have caught.

Me: You decided some records in system A should be obsolete, but the records are tied to active user accounts on the website. Now, I have users emailing and asking why their profile’s last name field says “shell record - do not use.”

Stakeholder: Oh…can’t you stop those profiles from loading? Or redirect the users to the right record in system A? In system A, we set up a relationship between the shell record and the active one.

Me: 😵 Um, no and no. If I stop a user’s profile from on the website, that’s just going to cause more confusion. And the only way to identify those shell record is to look at the last name field, a text field, for that shell record wording. Also, the website uses an API to query data from system A by user id. Whatever record relationship you established isn’t reflected in the vendor’s API. The website can’t get the right record from system A if it doesn’t have the right user id.

in my previous company , we used to create 4 custom ui states for just 1 screen in android app, and we would have task to create 3-4 new feature screens in 1 sprint (of 14 days) the states would be :

empty state : a state where data is not available. usually consisted of message, a graphic and some action button

data state : the usual state where data is filled on various elements

loading : a shimmer ui showing loading. it was supposed to be pixel perfect to that of the data state. it was basically a different xml, but with grey colored views instead of colorful. the tricky part would usually he to create the dynamic views

error/no connection state : as most of the screens couldbget api error or no internet error, this would be the screen for asking user to retry connection

all of these screens combined with their ui in xmls + kotlin code with barely any stuff being reusable , made the life incredibly difficult. however a lot of our customers would appreciate the interactivity of our app

doing these stuff again nd again , i had become trained to do all those 3-4 (x4) screens and the whole ui stuff in first 4 days of the sprint. but now i am in a company where i am getting passed on to managers after managers and getting tasks to change documentation in 1 week, i find those coding stuff incredibly tough.

gotta get back to shape

Just found the most embarrassing security hole. Basically a skelleton key to millions of user data. Names, email addresses, zip codes, orders. If the email indicates a birthdate, even more shit if you chain another vector. Basically an order id / hash pair that should allow users to enter data AND SHOULD ONLY AUTHORIZE THEM TO THE SITE FOR ENTRING DATA. Well, what happend was that a non mathing hash/id pair will not provide an aith token bit it will create a session linked to that order.

Long story short, call url 1 enter the foreign ID, get an error, access order overview site, profit. Obviously a big fucking problem and I still had to run directly to our CEO to get it prioritized because product management thought a style update would be more important.

Oh, and of course the IDs are counted upwards. Making them random would be too unfair towards the poor black hats out there.

Nitrux OS
I feel that this piece of wonder isn't getting the recognition it deserves.
One of the most beautiful UIs out there, revolutionary tech like znx(booting from the main iso ALWAYS and keeping user data across reboots, in a nutshell) and it has weird ass virtualization stuff that allowed them to run windows with very little virtualization overhead(tech details yet to announce).

Imma stop here before getting labelled another fanboy, just check it out and see for yourself
Thanks for reading, i use arch btw

So I am broke and can't buy a vds, I installed Termux on my android phone instead. Now I have a portable server that is capable to recieve calls and transmit sms for logs.

BUT, then I had to go to customer support due to case makes the phone get short circuited şn random times. Obviously they deleted all info and Samsung Cloud doesn't backup other users' data. (Termux emulates a terminal running on another user, which is not root by default)

Can anyone teach this teenager how to use tar properly? :D

So we have this administration page in the clients app that has tables of data.

The user can click on a row to edit or click "Add' to create a new one, doing so pops up a modal with a form full of inputs and a save button at the bottom.

The other day our client told me he was concerned that users would not understand how to edit data and that I should add some text below the first input field of each modal that says "Type in a new value and click 'SAVE' to change the [field name]"

As I implimented this crap, I took a few minutes to come up with a nice way of saying that his idea made no sense, added unnecessary clutter to the UI, and proposed some alternatives.

He essentially said, "Thanks for your much better ideas, for now let's just stick with what we've got and we can revisit this later."

Everytime I open that UI, I physically feel pain and get a little sick.

Sending email to client (the following is a short version of it)

"
Dear Data Evaluation Team,

Here is a link with the password to the data export for the questionaire.

You will find in there 4 sections:

1. Utilization Report
2. Question List
3. User Responses to questionnaire
4. Summary of responses
"

Email from client
"
Thank you data team.
I see that the user responses have some ids for the questions. Can you please give me the full question text, where is it?
"
My response
"Section 2, Question List"

Like really? Did you just not f*ing read the email and just jumped into the data export blindly. I wrote some fucking docs for a reason.

Not a rant, just the completion of a very demanding and interesting task for this week.

Wrote a whole data scheme for this enterprise app my company is developing. Very proud of it, since it has a very restricted size, multiple layers of encryption and data verification, several user types with different requirements, and it all has to be rock solid in an offline environment.

The punchile is...I enjoyed writing the documentation for the whole package more than I should, I guess...spent the whole day being very thorough and documenting every member, function, constructor and exception.

Feelin fabulous.

Made a website and 4K final for university in 10 days with Angular, FastAPI, ArangoDB and docker. No prior experience with Typescript whatsoever. Sessions, User Management, data manipulation and a d3-force graph which doesn’t dance around like a fucking clown. I feel like a fucking god right now

Hey there people, I have a few questions regarding neo4j. Your experience could also be very useful to me here @dfox.

1. Is neo4j good for storing user data, like password hashes, etc.. In addition to the regular relationships with other components of the ecosystem

2. Is neo4j good enough to accommodate a really large number of users..

3. Does DevRant use a dual database, like user info in Mongo and relationships like comments and ++ on neo4j or is it like everything on neo4j

For q.3, if you're not @dfox then just provide an idea of how you would handle the situation.

I've just spent the last hour or so banging my head against a brick wall trying to figure out why I'm unable to retrieve some data via AJAX even though I know data is being returned as I can see it in my error log.

Turns out the permission system I wrote a few days ago actually works and because I didn't specify a permission it automatically denied my user from retrieving the data. One thing I forgot to add was an error message to tell me when I don't have sufficient permission to do something. Adding a message could have just saved me a lot of time :/

Working from home. Most of the team is off. Client has an official half day. Most of them are off. Instead of being online at 7 am, gonna get online around 850 just before daily standup. Laying in bed, enjoying the cool sheets and the fact that there's no rush. ~0730 team lead calls, user shit himself and I need to fix it. Server issue? Nope. Data issue? Nope. Portal bug? Nope.

Client input conflicting data and can't progress with tool.