
Trusting coders

I've just won the EuroMillions for about the fourth week in a row. I do it online, get an email, "news about your ticket", log in to see if my account balance says £105m, only to find a grand total of £7.60.

This got me thinking: how do companies police the code for their sites?
Example for the lotto: coder adds a bit of extra code.
If winning ticket = lucky dip and ticket has not been viewed, swap it with Auntie Maureen's.

How do you know a coder hasn't put a backdoor in your site?
 
Get a third party to validate the code / look for the back door?
 
In my experience with working for a very big media company, they wouldn't have a clue, they don't even do in house code reviews on third party agency code, let alone get a third party to do code reviews.
 
In my experience with working for a very big media company, they wouldn't have a clue, they don't even do in house code reviews on third party agency code, let alone get a third party to do code reviews.

so where's the rub?
 
With regard to gambling sites there's a fair amount of governance that goes on, though I'm not sure of the details.
 
Is that not why coders put notes everywhere, so as to show clients and as a redundancy should they die, etc.?
 
so where's the rub?

Well, I can't talk for gambling sites, but for media it's all about advertising and sponsorship, so everything is time sensitive, and the quality of code is not important for the bosses; as long as the site goes up, they get paid.
 
Is that not why coders put notes everywhere, so as to show clients and as a redundancy should they die, etc.?

##nothing to see here. this is just a test.

Permanent 50% discount code=$myfiftyoff

I think they might note that part differently :D
 
It's easy to work an expiry code. Simply AND EOR XOR <pass> with expiry date, and then every day translate back.

That code is however easy to spot.
 
To get back to the OP, in my own experience working for AT&T, B&Q and Global Santa Fe, there would be two main reasons you couldn't just slip an extra piece of code into the site.

The first is there is no one person doing the coding. At B&Q for example we had over 50 people just coding and the code was very carefully planned and checked and double checked by others before deployment.

The second is the risk. No large company in their right mind would assign approval of any online code to any individual, but even if they did the risk is massive. In most of the large companies I have experience with, there are so many people seeing what's being done that it would be nigh-on impossible to 'slip something in'. If you were caught you're talking about grave consequences.

Most people are divided into group levels, then these groups are assigned particular responsibilities, then individuals in that group are assigned particular parts of those responsibilities, and these parts are double checked by others, so we know exactly who has done what and when. Plus we (at my current job and previous jobs) use a project management system that follows, coordinates and tracks all the pending, current and completed jobs along with any issues.

To the OP, I do know what you mean and perhaps with some smaller companies it could be done, but generally (and especially with someone like Camelot) I would say it's unlikely.
 
Aegean hit the nail on the head. From my own experience as part of an agile team, there is no coding done that is private; the code is only compressed at the end of the process, so any compressed code would look very dubious. I don't think people would risk their careers to that extent anyway.
 
Well, it's nice to know there are companies out there that seem to take their coding seriously. The global media company I worked for (not a small company) had no code review process at all, nothing; another developer and I had to initiate a process off our own backs when we started noticing the poor standard of code from third parties and the consultancy company.

This soon got stopped because we were spotting so many errors and poor code from the consultancy and agencies that it was threatening release schedules, so we were told to stop doing it.
 
In a previous employment, I had to try and explain to my boss that there was something wrong when I had to write the requirement spec, produce the code, test the code and implement it into the live customer-facing systems. It took a long time before he could see the issue :)
 
There are some pitfalls, especially as people have outlined with random numbers, which, created by a computer without a hardware add-on, are only pseudo-random numbers. Whether these can be exploited is highly dependent on the scenario, but let's put it this way: the casinos are very keen to ensure they, when desired, get as random as possible without any bias.
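On the random-number point above, an added example (not code from anyone in this thread) of the two things a draw engine has to get right: take its randomness from the operating system's CSPRNG (Python's `secrets`) rather than a seeded PRNG such as `random`, and reduce that randomness to a range without the bias a naive modulo introduces. The "5 balls from 50" draw in the usage is an assumed lottery format, not taken from this thread.

```python
import secrets
from collections import Counter
from typing import Callable

def modulo_distribution(source_size: int, n: int) -> Counter:
    """Exact distribution of (x % n) for x uniform over [0, source_size).
    Demonstrates the bias of naive modulo reduction: when source_size is
    not a multiple of n, the low residues are hit one extra time each."""
    return Counter(x % n for x in range(source_size))

def unbiased_below(n: int, rand_bits: Callable[[int], int] = secrets.randbits) -> int:
    """Uniform integer in [0, n) by rejection sampling.
    Draws the smallest k bits with 2**k >= n and discards any value >= n,
    so every surviving value has exactly the same probability.
    rand_bits defaults to the OS-backed CSPRNG; it is a parameter only so
    the function can be driven deterministically in tests."""
    if n <= 0:
        raise ValueError("n must be positive")
    k = (n - 1).bit_length() or 1
    while True:
        x = rand_bits(k)
        if x < n:
            return x

def draw_without_replacement(count: int, upper: int,
                             rand_bits: Callable[[int], int] = secrets.randbits) -> list:
    """Draw `count` distinct numbers from 1..upper like a physical drum:
    each pick is uniform over the balls still in the drum."""
    if not 0 <= count <= upper:
        raise ValueError("count must be between 0 and upper")
    drum = list(range(1, upper + 1))
    picked = []
    for _ in range(count):
        picked.append(drum.pop(unbiased_below(len(drum), rand_bits)))
    return sorted(picked)

if __name__ == "__main__":
    # One byte reduced mod 50: residues 0..5 occur 6/256 times, 6..49 only 5/256.
    dist = modulo_distribution(256, 50)
    print("modulo bias, residue 0:", dist[0], "residue 49:", dist[49])
    # Assumed 5-from-50 format; rejection sampling keeps every ball equally likely.
    print("draw:", draw_without_replacement(5, 50))
```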
 
Thanks aegean/all. I will now enter and win tomorrow's euromillions and put a tenner behind the bar at the next acorn do!

Things are a lot better run at the companies you have worked for than mine.
My company has wasted millions on regulations in IT.
With auditors, QA departments, controls, security, and yet they still haven't a clue what they are doing. For all their controls it is still full of holes.
We have developers coding in whatever looks good on their CV, and we even have a change control system where the people approving changes have no idea what they are approving.
I've been tempted to prove the point by entering a change saying the dilithium crystals in the server need replacing. I'm sure it would be approved.
 
I've been tempted to prove the point by entering a change saying the dilithium crystals in the server need replacing. I'm sure it would be approved.

That made me laugh. I've done similar things myself when the CEO tries to pretend he knows what he's talking about. I'd say the "traffic on the server was causing combobulation within our system" or "we need to increase the flux capacity". He politely nods and says "yes, yes, I see". Probably best he just sticks to counting his money lol.
 