
Things to commit just before leaving your job - diegolo
https://gist.github.com/aras-p/6224951
======
onion2k
Something I wrote to amuse the junior front end developers here:

    
    
        document.write('Error: Script not found.');
        var node = document.currentScript;
        if (node.parentNode) { node.parentNode.removeChild(node); }
    

Pop that in a JS file called something like jQuery.min.js and add it to an
HTML page with the usual <script src="/js/jQuery.min.js"></script>. It'll run
when the page loads, add the line of text to the page, and then it'll remove
its own <script> tag so there's no reference to it in the DOM (in relatively
modern browsers) if you view the source. It's easy to debug by watching the
network traffic, but it caused a few scratched heads for a little while.

~~~
thegreatpeter
Why wouldn't you search for 'Script not found' in the source code..?

~~~
onion2k
The point wasn't to leave people puzzling over it for hours. It was a bit of
fun. But ... It'd be quite trivial to hide the string.

    
    
        var msg = ['E','r','r','o','r',':','S','c','r','i','p','t',' ','n','o','t',' ','f','o','u','n','d'];
        document.write(msg.join(''));

~~~
billyhoffman
I gave a talk at BlackHat many years ago about JS malware, and proposed
obfuscating malicious JS like this:

- Treat JS code like 7-bit ASCII
- For each character, convert the bits into white space. 1 = space, 0 = tab
- A = "1000001" = space tab tab tab tab tab space
- concat it all together, \n shows you are done

So you can represent JS code as just whitespace. Which means this is malicious
code:

        <script> //st4rt

        //3nd

        var html = document.body.innerHTML;
        var start = html.indexOf("//st" + "4rt");
        var end = html.indexOf("3" + "nd");
        var code = html.substring(start+12, end);
        eval(hydrate(code));
        </script>

~~~
onion2k
I like that a lot. I wonder if it might be possible to use Unicode zero width
space and zero width non-joiner characters.. Then there wouldn't even be any
white space to see.
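
For anyone reviewing pages or commits for the whitespace and zero-width encodings discussed above, this is an added example (not code from the thread) of a detector that flags such runs without decoding them. The function names, thresholds and the extra zero-width code points are assumptions.

```python
import re

# Runs made only of spaces and tabs, long enough to hold three 7-bit characters.
SPACE_TAB_RUN = re.compile(r"[ \t]{21,}")
# Zero-width space and zero-width non-joiner (named in the thread), plus
# zero-width joiner and U+FEFF, which are added here as an assumption.
ZERO_WIDTH_RUN = re.compile("[\u200b\u200c\u200d\ufeff]{8,}")


def count_flips(run):
    """Count how often adjacent characters in the run differ."""
    return sum(1 for a, b in zip(run, run[1:]) if a != b)


def find_hidden_runs(text, min_flips=4):
    """Return (line_number, kind, length) for whitespace that looks like data.

    Indentation and alignment use one kind of character, or switch between
    tab and space once or twice. A bit-per-character encoding flips often.
    """
    findings = []
    for match in SPACE_TAB_RUN.finditer(text):
        if count_flips(match.group()) >= min_flips:
            line = text.count("\n", 0, match.start()) + 1
            findings.append((line, "space/tab", len(match.group())))
    for match in ZERO_WIDTH_RUN.finditer(text):
        line = text.count("\n", 0, match.start()) + 1
        findings.append((line, "zero-width", len(match.group())))
    return sorted(findings)


# Constructed samples. 'A' is written the way the post spells it out:
# space, five tabs, space.
ENCODED_A = " \t\t\t\t\t "
SAMPLE_PAGE = "<script> //st4rt\n" + ENCODED_A * 4 + "\n//3nd\n</script>\n"
SAMPLE_ZERO_WIDTH = "var a = 1;\nvar b" + "\u200b\u200c" * 8 + " = 2;\n"
SAMPLE_CLEAN = "function f() {\n\t    return 1;" + " " * 30 + "// aligned\n}\n"

if __name__ == "__main__":
    for name, sample in [("page", SAMPLE_PAGE),
                         ("zero-width", SAMPLE_ZERO_WIDTH),
                         ("clean", SAMPLE_CLEAN)]:
        print(name, find_hidden_runs(sample))
```

A hit is a reason to look at the file in a hex viewer and at any nearby `eval` call, not proof of a payload.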

------
verelo
I would suggest before you leave your job, you say "it was nice working with
you" to the people you liked working with, and absolutely nothing to those who
you did not enjoy working with.

The tech world is big in some ways, but also equally small in others. A select
few might find this funny, but others will not appreciate their day (or
longer) spent debugging your practical joke...and on the chance you actually
get something like this onto production, well now it won't just be your
developer buddies you got off side.

~~~
tormeh
And if you do a code change, make sure it is really funny, is easy to fix and
discover and is invisible to customers. Like, inject a hilarious joke into the
log files or something.

~~~
MatthewMcDonald
A coworker at a previous job altered the company's internal web application so
that when one specific user was logged in, about 1/20 of the time it would
load a hidden iframe that played Rebecca Black's Friday. This stayed in place
for a long time because the user couldn't figure out what was going on and was
too embarrassed to ask anyone else about it. Instead, they turned off the
computer's sound and started listening to music on their phone.

------
happywolf
The horror story that I heard was a disgruntled engineer silently replaced the
source codes (C++ based) in the project with compiled binary object files and
he kept the source codes on his local computer, not checking those in. He did
this over an extended period of time to make sure this crept into the backup
tapes as well. No one found out because each engineer owned a code module of
their own. Then he resigned.

When his successor tried to debug and enhance the code base, the core files
were basically all stripped binary object files...

~~~
Cshelton
this is why we have code. reviews. haha. Yeah...I'd file a criminal lawsuit on
his ass though.

~~~
late2part
In the US, only the "State" can file a criminal lawsuit. Imagine trying to
explain this crime to a county prosecutor!

~~~
johan_larson
It's called "private prosecution". And there are still a few parts of the US
where it is possible.

[https://en.wikipedia.org/wiki/Private_prosecution#United_Sta...](https://en.wikipedia.org/wiki/Private_prosecution#United_States)

------
cjslep
From "How to write unmaintainable code" [0], here is a function declaration
that changes signature based on how many times the header is #included:

    
    
        #ifndef DONE
        #ifdef TWICE
        void g(char* str);
        #define DONE
        #else // TWICE
        #ifdef ONCE
        void g(void* str);
        #define TWICE
        #else // ONCE
        void g(std::string str);
        #define ONCE
        #endif // ONCE
        #endif // TWICE
        #endif // DONE
    

Granted, it isn't one line long.

[0]
[https://www.thc.org/root/phun/unmaintain.html](https://www.thc.org/root/phun/unmaintain.html)
(Cert issue shows up on FF unfortunately)

~~~
eljimmy
I honestly believe that one of the CTOs at my previous employer has followed
that guide to ensure the security of his job.

He wrote an entire custom framework for their SaaS platform. I couldn't
believe my eyes when I started work on it. I think I lasted 4 weeks before I
gave them my 2 weeks notice.

------
monkeyshelli
Someone will lose some hair over this

    
    
      /* create memory leaks if compiled on April, 1st */
      #define free(x) if(strncmp(__DATE__, "Apr  1", 6) != 0) free(x)
    

The random ones are just pure evil.

~~~
tajen
I believe random ones based on compilation date can be evil, since git bisect
can't find them. What about an error that only happens depending on character
encoding?

------
josephmosby
PCI-compliant networks often contain checks for credit card numbers being sent
in plaintext over the network. Problem with that is that credit card numbers
are computed according to a formula, and it's really easy to generate a bunch
of fake 16-digit numbers that will pass the check. So if you want to troll
your security team, generate a CSV with a stack of credit card numbers and
drop it in a few places on a server. Even better, set up a script to send it
over the network somewhere. Then wait for the scan.

Piece on check digits, for reference:
[http://www.datagenetics.com/blog/july42013/index.html](http://www.datagenetics.com/blog/july42013/index.html)
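
The kind of check the comment above describes, as an added example that is not from the thread: a scanner that finds card-number candidates in text, applies the Luhn check, and returns masked findings with triage context, since a number that passes the formula is a lead and not proof of a real card. The sample log lines are constructed, and the function names and simplified issuer ranges are assumptions.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Widely published processor test numbers; they pass the check by design.
KNOWN_TEST_PANS = {"4111111111111111", "5555555555554444"}


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits):
    """Coarse issuer guess from the leading digits (simplified ranges)."""
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55:
        return "mastercard"
    if digits[:2] in ("34", "37") and len(digits) == 15:
        return "amex"
    return "unknown"


def scan(text):
    """Return one dict per Luhn-valid candidate, with the number masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_ok(digits):
                continue  # 16 digits that fail the formula: an ID, not a PAN
            findings.append({
                "line": line_no,
                "masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
                "brand": brand(digits),
                "known_test_number": digits in KNOWN_TEST_PANS,
            })
    return findings


# Constructed log lines: an order ID, two published test numbers, one other
# Luhn-valid value, and a 20-digit tracking code that is too long to match.
SAMPLE = """\
2015-04-01 order_id=1234567812345678 status=shipped
2015-04-01 payment card=4111-1111-1111-1111 amount=10.00
2015-04-01 retry card=5555 5555 5555 4444
2015-04-01 note ref 4000000000000002
2015-04-01 tracking=00000000000000000000
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```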

------
DeusExMachina
It is always a funny joke to say "commit this when you leave a job". But I
always wondered if there are people that actually do this.

Although it could be funny and give a sense of revenge for some wrong
(perceived or real) that the person leaving might have suffered, I don't think
this would be a good idea. Contracts usually include liability for gross
negligence or wilful misconduct.

Does anybody have a record of this actually happening at any company?

~~~
kaolinite
The problem with doing this, besides being incredibly unprofessional, is that
it won't really affect the company much - besides reducing productivity for a
little while - however it will annoy the hell out of your previous colleagues.
Unless you're leaving because you fell out with your colleagues, I doubt it
would have the desired effect.

~~~
bobbyadamson
Yeah everyone would notice it around the same time, look at recent commits,
see some silly file got committed and revert. You'd have to have a team of
pretty sub-par devs to not undo this fairly quickly. Although it would be sort
of annoying for a couple of hours. In fact if you left on really good terms
and were still great friends with the team, something like this might be more
of a silly prank than anything truly malicious.

------
jasonkester
I left a file called xmas.js included in an internal tool one time when I left
for a 9 month trip in between contracts (in November).

Basically it would check whether it was the last few weeks of December, and
whether rand()%20 was zero. If so, it would wait about a minute then slowly
fly a little gif of Santa & his sleigh across the background, behind all the
controls on whatever form it happened to land on.

They had a team of data entry guys using this tool, and it would take on
average a few minutes to enter each record. So it made its way through QA and
eventually to the desk of a friend. Got an email on the beach about it. Fun
times.

------
codeshaman
I love this. Evil in its purest form.

But also a great war story for the person who discovers it later.

"So it was my 5th sleepless night. The thing would work 99% of the time. I
triple checked every single line of code and it was still formatting the hard
drive from time to time. Then I discovered:

#define if(x) if ((x) && (rand() < RAND_MAX * 0.99))

"

------
leni536
From the comments my favorite:

    
    
       #define i j

~~~
BraveKenny
It gets debugged in a flash though.

~~~
shoo
yep. e.g. gcc 4.8.4 happily complains about redeclaration errors and points
out that it is a result of the offending macro expansion.

------
tilt
My favorite (JS)
[https://twitter.com/benbjohnson/status/533848879423578112](https://twitter.com/benbjohnson/status/533848879423578112)

------
Loque
I watched my friend swap the 'm' and 'n' keys around on the two tech directors'
keyboards the evening he left after goodbye drinks, the next day they both had
to contact the IT support department as it turns out they still look at their
keyboard whilst tapping in their passwords... amazing!

~~~
knodi123
I heard about a bug report once, where a guy contacted IT to say "I can't log
in when standing up, only when sitting down."

IT guy is like "well that's the stupidest thing I ever heard", but he tromps
up to the reporter's cubicle, and sure enough, same thing happens to him.

Eventually he discovers you can only log in if you're touch-typing, because a
few letters got swapped, and nobody touch-types when they're standing up.

------
kelukelugames
I joked about starting a salary spreadsheet during my last week. Management
wouldn't even make eye contact with me on the last day. :P

~~~
trashymctrash
I don't get this one. Could you elaborate?

~~~
irl_zebra
I think everyone knowing everyone else's salary would cause major problems, at
least here in the US. It would be a major source of headache for management as
they try to triage complaints from employees who are getting paid less than
their colleagues with the same title or similar experience (or even less
experience).

------
corysama
Back in the bad old days of Visual SourceSafe I believe it was possible to
perform a "commit time bomb" by rolling your computer's clock forward a couple
months before committing. The VSS backend would not enact the commit until the
server's clock caught up to the commit's timestamp. D:

------
yarper
We've got a guy in the office that merges the past over the present all the
time. He's not quitting but I imagine if you were to try to break things this
would be a good way to do it.

~~~
wil421
Got an offshore guy just like that. Constantly committing his whole project
where most files are out of date and only the few he worked on are not.

There's no reason for him to commit javascript files; he doesn't even work on
the front end. It took me forever to figure out he wrote over my files the
other day.

~~~
cjrp
He must be using push --force in that case.. which seems like a bad practise.

~~~
yarper
What they're doing is something like branching off a very old version of
master, making changes to file A then trying to merge into the latest version
of master, which already has a load of changes to file A. They then resolve
the conflict by picking "ours", thus ignoring all changes on origin/master in
favour of their own old version of master. This doesn't require a --force.

~~~
cjrp
Oh, that seems even worse!

------
codeshaman
Wouldn't it be wise if the compiler (or preprocessor) issued at least a
warning if you redefine language keywords ? :)

So I just pasted this into a C++ file I was working on and it compiled without
a single warning:

        #define struct union
        #define if while
        #define else
        #define break
        #define double float
        #define volatile // this one is cool

I mean, redefining language keywords is not a thing I do every day and I guess
most of you don't do it either and I can't see a valid reason why you'd want
to do it in a normal project. For people who really want to do it, they'd just
disable the warning.

Am I missing something here ?

~~~
jamie_ca
No warnings is the whole point.

My c++ isn't so good that I understand that first one, but if->while and
break->"" can introduce infinite loops, else->"" will break logic (and
possibly hit null pointers), double->float will cause subtle rounding errors
in numeric computation, and volatile->"" will break multi-threaded apps
unpredictably.

It's evil, subtle code breakage that because of the macro (in an included
header far far away) leaves the code looking perfectly ordinary.
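
A check a code review or CI job could run for the macros discussed in this thread, as an added example that is not from the thread or the gist: it lists every `#define` whose name is a C or C++ keyword, a guarded standard-library name, or a single-letter identifier. The function names and the guarded list are assumptions; the sample header is constructed from macros quoted on this page.

```python
import re

# C and C++ keywords that a project never needs to redefine.
KEYWORDS = set("""
auto bool break case catch char class const continue default delete do double
else enum explicit extern false float for friend goto if inline int long
mutable namespace new operator private protected public register return short
signed sizeof static struct switch template this throw true try typedef
typename union unsigned using virtual void volatile while
""".split())
# Standard-library names worth guarding; extend per code base (assumed list).
GUARDED = set("""
free malloc calloc realloc memset memcpy memmove strcpy strncpy rand
htonl htons ntohl ntohs FLT_MIN FLT_MAX
""".split())
DEFINE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)")


def logical_lines(source):
    """Yield (first_line_number, text) with backslash continuations joined."""
    start, buf = 1, ""
    for number, line in enumerate(source.splitlines(), 1):
        if not buf:
            start = number
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf


def find_suspicious_defines(source):
    """Return (line, macro_name, reason) for each #define that needs review."""
    findings = []
    for number, text in logical_lines(source):
        match = DEFINE.match(text)
        if not match:
            continue
        name = match.group(1)
        if name in KEYWORDS:
            findings.append((number, name, "keyword"))
        elif name in GUARDED:
            findings.append((number, name, "standard library name"))
        elif len(name) == 1:
            findings.append((number, name, "single-letter identifier"))
    return findings


# Constructed header using macros quoted in this thread.
SAMPLE_HEADER = r"""#pragma once
#define BUFFER_SIZE 4096
#define volatile // this one is cool
#define if(x) if ((x) && (rand() < RAND_MAX * 0.99))
  #  define \
     else
#define free(x) if((rand() &15)!=15) free(x)
#define i j
// #define break
"""

if __name__ == "__main__":
    print(find_suspicious_defines(SAMPLE_HEADER))
```

The scan reads source text only, so it does not see macros passed on the compiler command line, and a `#define` inside a block comment is reported as if it were live.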

------
jheriko
"#undef FLT_MIN #define FLT_MIN (-FLT_MAX)"

i've seen FLT_MIN used as if it is -FLT_MAX enough times that i'm skeptical
this would cause bugs rather than fix them. XD

------
noir_lord
#define if(x) if ((x) && (rand() < RAND_MAX * 0.99))

That one is pure and absolute genius...er evil.

------
maxaf
Those who make liberal use of 'git bisect' can not be so easily trolled.

~~~
StavrosK
Unless you use one of the random ones.

------
to3m
Perhaps we now finally know the story behind this:
https://code.google.com/p/android-source-browsing/source/diff?spec=svn.platform--bootable--bootloader--legacy.734756ca3968b54e32acab867a05b10fc5e13d07&repo=platform--bootable--bootloader--legacy&r=734756ca3968b54e32acab867a05b10fc5e13d07&format=side&path=/libc/memset.c

"probably can live undetected quite long" indeed...

~~~
MikeTV
So memset was crippled from Android 1.5-2.1? How did this not bring everything
to a grinding halt? (Not familiar with Android's inner workings specifically,
but from a C standpoint this sounds major.)

~~~
to3m
How often is memset used to set the data to something other than zero?
Probably even less often than strncpy copies a string that is exactly the
length of the destination, I'd wager :)

That is the evil genius of this bug.

------
tmaly
I had a professor back in the university that changed all the variable names
to beer names while at a job. It ended up not being a problem for the company
as he was consistent with the names.

~~~
tonyblundell
I once started a job where whoever wrote the codebase I inherited had used
variable names like MrString, MrsInteger, SirArrayOfArrays etc.

Was hilarious :-|

------
mechazawa

      #define continue break

------
kevindeasis
If only we can get a rosettacode version of this in all languages. I bet
trolls will be coming out left and right. It would be pure evil.

~~~
masklinn
Most languages don't have a purely textual and completely unsafe preprocessor
running during the compilation process, so it would be quite hard.

~~~
chedabob
You could do some real evil stuff with reflection though, such as messing with
Java's IntegerCache:
[http://codegolf.stackexchange.com/a/28818](http://codegolf.stackexchange.com/a/28818)

~~~
vidarh
Ruby:

    
    
        irb(main):009:0> class Fixnum; def + other; 42; end; end
        => nil
        irb(main):010:0> 4 + 5
        => 42

------
IgorPartola

        #define i++ i--
    

Or even better

    
    
        #define i++ ++i

~~~
tomtomtom777
I don't think '+' is valid in a C preprocessor macro name.

------
roelvanhintum
If you wan't to give your boss a laxative, through the coffee machine and lock
the restroom doors in advance, just do.

~~~
BillTheCat
I am having a har'd time working out that contraction.

------
forgettableuser
Ooh. I recognize one of the contributor names, @cmuratori, from another HN
post: Handmade Hero: C game from scratch
[https://news.ycombinator.com/item?id=8604489](https://news.ycombinator.com/item?id=8604489)

~~~
forgettableuser
And another, @mike_acton, from CppCon 2014: Mike Acton “Data-Oriented Design
and C++”
[https://news.ycombinator.com/item?id=8391464](https://news.ycombinator.com/item?id=8391464)

~~~
aras_p
Yeah there was some crowdsourcing via twitter back when I wrote the (initially
short) gist.

------
hellofunk
Perhaps the most enlightening (and actually useful) purpose of this file is to
dramatize the glaring weakness in the c/c++ macro system. A proper macro
system would not make it so easy to do this, shall we say, "evil", stuff :)

~~~
gberger
Ruby too:

    
    
        class Fixnum
          def +(other)
            self - other
          end
        end
    
        10 + 3 
        >>> 7

------
cyphunk
> (only pixel snapping + vertical-align left)

If vertical-align is the last thing, rather than one of the first, that one
resolves... then we are in for 7 more years of hell.

------
TeMPOraL
Oh I so desperately need a PHP equivalent right now.

~~~
TazeTSchnitzel
PHP actually allows much less mischief here than C or, say, Python does. It
doesn't let you redefine or delete functions, classes or constants, unlike C
where macros can be abused for this, and Python where you can delete anything.

But you could hide all errors if you want to screw with people:

    
    
      error_reporting(0);
      ini_set('display_errors', '0');
      set_error_handler(function () { return TRUE; }, E_ALL | E_STRICT);
      set_exception_handler(function ($ex) { });

~~~
arcatek
Well yes of course you can, we're talking about PHP here.

[http://php.net/runkit_function_rename](http://php.net/runkit_function_rename)

~~~
wvenable
Most, if not all, installations of PHP won't have runkit installed. It's an
extension.

------
xzcvczx
and i read it just in time to have

"So basically just #include <windows.h>"

as the last comment, i think it was an interesting summary

------
bbatha
I like #define const

------
chinathrow
#define ntoh hton

------
Kenji
_#define volatile // this one is cool_

Oh wow. This literally sent a shiver down my spine. Imagine debugging that.

Also love the randomness based ones!

~~~
lfam
Will you explain what this would do?

~~~
Kenji
Of course :)

Basically this removes the volatile keyword from your code and replaces it
with... nothing.

If a variable is declared volatile, it disables compiler optimizations and
signals the compiler that this variable can be modified at any time (e.g. by
hardware or other threads). Omitting volatile can lead to nasty concurrency
bugs (e.g. if the optimizer optimizes spin locks away). In the worst case,
such bugs are extremely hard to reproduce (and thus debug) but lead to
deadlocks and/or crashes in case they do occur.

~~~
masklinn
> Omitting volatile can lead to nasty concurrency bugs (e.g. if the optimizer
> optimizes spin locks away). In the worst case, such bugs are extremely hard
> to reproduce (and thus debug) but lead to deadlocks and/or crashes in case
> they do occur.

In C and C++, volatile is not intended and must not be used for
synchronisation primitives, it is not a memory fence (so it does not force
cache coherency and does not prevent operations reordering) and operations on
volatile variables are not atomic. Its primary use case is memory-mapped IO
(with a sub-use case of preventing eliding memory operations affected by
inline assembly). If a lock is broken because `volatile` is disabled, it's
probably incorrect in the first place.

All `volatile` does[0] is forbid elision of loads and stores.

[0] again in C or C++, Java and C# have completely different semantics

~~~
hydrogen18
While you are absolutely correct, you will find no shortage of experienced
employees at large companies that will disagree. In fact, they will insist
that the only purpose of volatile is a primitive for synchronization. I
actually had a conversation where a developer insisted that by declaring a
variable volatile all operations on it were atomic.

Of course at this same company a developer insisted that if you use the
mongoDB client libraries in your software, your software can never have data
consistency problems.

~~~
codeflo
If those developers target Visual Studio exclusively, they are actually
correct:
[https://msdn.microsoft.com/en-us/library/12a04hfd.aspx](https://msdn.microsoft.com/en-us/library/12a04hfd.aspx)

~~~
hydrogen18
That is pretty entertaining. It is also a good reason to never use microsoft
development tools.

------
Kenji
How about

 _#define free(x) if((rand() &15)!=15) free(x)_

------
f00644
This is when the scriptkiddies start getting involved..

~~~
simoncion
Skript kiddiez -by definition- don't program; they run canned scripts to do
their l33t hax.

