
Trusting coders

Discussion in 'General Board' started by stender, Jun 25, 2011.

Thread Status:
Not open for further replies.
  1. stender United Kingdom

    I've just won the EuroMillions for about the fourth week in a row. I do it online, get an email, "news about your ticket", log in to see if my account balance says £105m, only to find a grand total of £7.60.

    This got me thinking: how do companies police the code for their sites?
    Example for the lotto: the coder adds a bit of extra code:
    if winning ticket = lucky dip and ticket has not been viewed, swap it with Auntie Maureen's.

    How do you know a coder hasn't put a backdoor in your site?
     
     
  3. fish United Kingdom

    Get a third party to validate the code / look for the back door?
     
  4. denchomsky United Kingdom

    In my experience working for a very big media company, they wouldn't have a clue; they don't even do in-house code reviews on third-party agency code, let alone get a third party to do code reviews.
     
  5. fish United Kingdom

    So where's the rub?
     
  6. davedevelopment

    With regard to gambling sites, there's a fair amount of governance that goes on, though I'm not sure of the details.
     
  7. Retired_member41

    Is that not why coders put notes everywhere, so as to show clients and as a redundancy should they die, etc.?
     
  8. denchomsky United Kingdom

    Well, I can't talk for gambling sites, but for media it's all about advertising and sponsorship, so everything is time-sensitive, and the quality of code is not important for the bosses: as long as the site goes up, they get paid.
     
  10. stender United Kingdom

    ##nothing to see here. this is just a test.

    Permanent 50% discount code=$myfiftyoff

    I think they might note that part differently :D
     
  11. aZooZa

    It's easy to work an expiry code. Simply AND EOR XOR <pass> with expiry date, and then every day translate back.

    That code is however easy to spot.
     
  12. philipp United Kingdom

    AFAIK EOR and XOR are different names for the same thing.

    P.
     
  13. philipp United Kingdom

    Interesting story - it's funny how completely convinced officials can be about the randomness built into their systems only to find they have more holes than a Swiss cheese.

    Oh that's funny, Nominet's drop algorithm from a few years back comes to mind. I wonder why ;)

    P.
     
  14. aZooZa

    You're a sharp kipper. The *AND* with the same constant messes it. Is my truth table messed? Maybe semantics mean the same.
     
  15. Aegean Greece

    To get back to the OP, in my own experience working for AT&T, B&Q and Global Santa Fe, there would be two main reasons you couldn't just slip an extra piece of code into the site.

    The first is there is no one person doing the coding. At B&Q for example we had over 50 people just coding and the code was very carefully planned and checked and double checked by others before deployment.

    The second is the risk. No large company in their right mind would assign approval of any online code to any individual, but even if they did, the risk is massive. In most of the large companies I have experience with, there are so many people seeing what's being done that it would be nigh-on impossible to 'slip something in'. If you were caught, you're talking about grave consequences.

    Most people are divided into group levels, then these groups are assigned particular responsibilities, then individuals in that group are assigned particular parts of those responsibilities, and these parts are double-checked by others, so we know exactly who has done what and when. Plus we (at my current job and previous jobs) use a project management system that follows, coordinates and tracks all the pending, current and completed jobs along with any issues.

    To the OP, I do know what you mean and perhaps with some smaller companies it could be done, but generally (and especially with someone like Camelot) I would say it's unlikely.
     
  16. Ashton Canada

    Aegean hit the nail on the head. From my own experience as part of an agile team, there is no coding done that is private; the code is only compressed at the end of the process, so any compressed code would look very dubious. I don't think people would risk their careers to that extent anyway.
     
  17. denchomsky United Kingdom

    Well, it's nice to know there are companies out there that seem to take their coding seriously. The global media company I worked for (not a small company) had no code review process at all, nothing; another developer and I had to initiate a process off our own backs when we started noticing the poor standard of code from third parties and the consultancy company.

    This soon got stopped because we were spotting so many errors and so much poor code from the consultancy and agencies that it was threatening release schedules, so we were told to stop doing it.
     
  18. monaghan United Kingdom

    In a previous employment, I had to try and explain to my boss that there was something wrong when I had to write the requirement spec, produce the code, test the code and implement it into the live customer-facing systems; it took a long time before he could see the issue :)
     
  19. disruptive

    There are some pitfalls, especially, as people have outlined, with random numbers, which, created by a computer without a hardware add-on, are only pseudo-random numbers. Whether these can be exploited is highly dependent on the scenario, but let's put it this way: the casinos are very keen to ensure they, when desired, get as random as possible without any bias.
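The pseudo-random pitfall disruptive mentions, as an added example that is not from the thread or any lottery operator: a "lucky dip" drawn from a seeded general-purpose generator replays identically for anyone who knows the seed, while a draw from the OS CSPRNG cannot be rewound. The pool sizes and the crude bias check are assumptions made for illustration.

```python
import random
import secrets
from collections import Counter

# EuroMillions-style draw as run in 2011: 5 main numbers from 1-50 and
# 2 Lucky Stars from 1-11 (constructed constants for this example).
MAIN_POOL, MAIN_PICKS = 50, 5
STAR_POOL, STAR_PICKS = 11, 2


def _draw_with(rng):
    """Pick the main numbers and stars without replacement using whichever
    Random-compatible generator is supplied; rng.sample is unbiased."""
    mains = sorted(rng.sample(range(1, MAIN_POOL + 1), MAIN_PICKS))
    stars = sorted(rng.sample(range(1, STAR_POOL + 1), STAR_PICKS))
    return mains, stars


def pseudo_random_draw(seed):
    """The pitfall: a seeded Mersenne Twister. Anyone who knows or can guess
    the seed (a timestamp, a ticket id) replays the 'lucky dip' exactly."""
    return _draw_with(random.Random(seed))


def secure_draw():
    """The fix: secrets.SystemRandom reads the OS entropy pool, which
    application code cannot seed or rewind."""
    return _draw_with(secrets.SystemRandom())


def is_valid_draw(draw):
    """Structural check a reviewer can run on any draw: right counts, all
    distinct, all within the pools."""
    mains, stars = draw
    return (len(set(mains)) == MAIN_PICKS
            and all(1 <= n <= MAIN_POOL for n in mains)
            and len(set(stars)) == STAR_PICKS
            and all(1 <= n <= STAR_POOL for n in stars))


def frequency_spread(draw_fn, trials):
    """Crude bias test: ratio of the most to the least frequently drawn main
    number over many draws. Close to 1.0 is what an unbiased generator gives;
    a large ratio means some numbers are being favoured."""
    counts = Counter()
    for _ in range(trials):
        counts.update(draw_fn()[0])
    return max(counts.values()) / min(counts.values())
```

Note that frequency_spread only catches skew in which numbers come up; it says nothing about predictability, which is the real problem with the seeded draw.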
     
  20. stender United Kingdom

    Thanks Aegean/all. I will now enter and win tomorrow's EuroMillions and put a tenner behind the bar at the next Acorn do!

    Things are a lot better run at the companies you have worked for than at mine.
    My company has wasted millions on regulations in IT, with auditors, QA departments, controls, security, and yet they still haven't a clue what they are doing. For all their controls it is still full of holes.
    We have developers coding in whatever looks good on their CV, and we even have a change control system where the people approving changes have no idea what they are approving.
    I've been tempted to prove the point by entering a change saying the dilithium crystals in the server need replacing. I'm sure it would be approved.
     
  21. Aegean Greece

    That made me laugh. I've done similar things myself when the CEO tries to pretend he knows what he's talking about. I'd say "the traffic on the server was causing combobulation within our system" or "we need to increase the flux capacity". He politely nods and says "yes, yes, I see". Probably best he just sticks to counting his money lol.
     