
How not to check the validity of an email address - morgante
http://www.dellsystem.me/posts/dont-do-drugs-kids/
======
joshfraser
In college I was hired to build an auction site. I was billing my client $20 /
hour and subcontracting out the work to some of my fellow classmates at $10 /
hour. I was swamped with other work and didn't have much time to review the
code. I just made sure it satisfied the specifications and shipped it. We
launched the site and did a few hundred thousand dollars' worth of
transactions in the first 24 hours. Then something strange happened... all of
the bids mysteriously disappeared from our admin panel and users started
emailing in asking why their bids weren't showing up anymore. I got a panicked
call asking what had happened. I had no clue, but promised to look into it. I
started digging through the server logs and noticed that all the bids had been
deleted around the time that Google had discovered and crawled the site. Sure
enough, my friend had added links to delete bids via the admin panel that were
executed via GET requests. It wouldn't have been that big of a deal except the
poor guy had used JavaScript for authentication! Google's crawlers had
carefully hit every single Delete link and wiped out the site. I fixed the
authentication system, refunded everyone's credit cards and relaunched the
site with a huge apology for the issues. Needless to say, from that day on I
became far more diligent about doing code audits.
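
The failure described above (destructive links reachable by GET, with the access check done in browser JavaScript) and its server-side fix, as an added example that is not code from the site in the story. The route `/admin/bids/<id>/delete`, the cookie name `session` and the sample data are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed sample state: two bids and one admin session issued at login
# (the login flow itself is out of scope here).
BIDS = {1: "alice: $120", 2: "bob: $135"}
ADMIN_SESSIONS = {secrets.token_urlsafe(32)}


def is_admin(environ):
    """Decide on the server, from the session cookie, whether the caller is an admin."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookie["session"].value if "session" in cookie else ""
    return any(
        hmac.compare_digest(token.encode(), known.encode())
        for known in ADMIN_SESSIONS
    )


def respond(start_response, status, body, extra_headers=()):
    start_response(status, [("Content-Type", "text/plain"), *extra_headers])
    return [body]


def app(environ, start_response):
    """WSGI app exposing one hypothetical route: /admin/bids/<id>/delete."""
    parts = environ.get("PATH_INFO", "").strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["admin", "bids"] or parts[3] != "delete":
        return respond(start_response, "404 Not Found", b"not found")
    # GET and HEAD must be safe: crawlers, prefetchers and link scanners follow
    # every href they find, so a destructive action never hangs off a plain link.
    if environ["REQUEST_METHOD"] != "POST":
        return respond(start_response, "405 Method Not Allowed", b"use POST",
                       [("Allow", "POST")])
    # The check runs here, before any state changes. Hiding the link with
    # JavaScript only changes what a browser draws, not what the server accepts.
    # (A cookie-authenticated POST also needs CSRF protection in a real deployment.)
    if not is_admin(environ):
        return respond(start_response, "403 Forbidden", b"forbidden")
    bid = parts[2]
    if not (bid.isascii() and bid.isdigit()) or BIDS.pop(int(bid), None) is None:
        return respond(start_response, "404 Not Found", b"no such bid")
    return respond(start_response, "200 OK", b"deleted")


def call(method, path, cookie=None):
    """Drive the app in-process and return the HTTP status line it produced."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path)
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```
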

~~~
m_mueller
This story almost had me in tears (a mix of schadenfreude and shame for my
profession). I hope they learned something _not_ to give business critical
work to college students. Makes me think that IT Risk management should be
right at the top of what MBAs have to learn.

~~~
aestra
Wow. Just because someone is a college student doesn't mean they are
incompetent! Plenty of people do business critical work as college students,
haven't you ever heard of co-op before? A degree doesn't make you competent
either, I've worked with enough people who have degrees who are completely
incompetent. College students might need some extra supervision to make sure
they are doing the right thing, but so do jr engineers.

Anyways, those are the things that a code review would catch.

~~~
m_mueller
I think you got me wrong, sorry for not having made myself clearer. I worked
through college as an IT consultant as well, however as you noted _under
supervision_ of a consulting company with seniors. Hiring a college student
directly, without a company attached that can be made liable, is just a bad
idea, both for the customer and the student. Just imagine the customer had
sued parent. I wasn't talking about technical competence - it's all about
liability as well as having proper processes for design, implementation,
review, testing and rollout in place - a thing that can easily be seen even
before signing a contract.

------
Glyptodon
Every single legacy application I've ever worked on has had analogous code
buried in it somewhere.

An application I've just been "repairing" recently has a spot where it uses
two separate queries to pull two full table sized lists of values, then
manually joins them with a loop, and then manually re-orders the joined values
into groups selectively ignoring some rows, and then embeds the whole
reordered list in a web page. The page takes around 20 seconds to load.
Switching it to use a single properly formatted SQL reduced load times to
under a second.

Another legacy app I'm employed to "repair" has one single 'template' for
every page on the whole site. Its first ~500 lines conveniently consist of a
giant and highly nested if/else clause to set the page variables and inline
javascript.

Such things are the result of "IT experts," "Software Managers," and "Product
Administrators" who've never done real software/web development in their lives
hiring random "programmers" who have history or psychology degrees and think
they can program because they made a form in PHP.

It only gets lovelier when eventually somebody realizes it's a huge security
risk and hires an outside development firm to "secure" it. (Giant eye roll. If
they couldn't vet a programmer, you can bet they're great at vetting security
consultants and contract developer shops.) Did you know that randomly moving
code into folders named "private" and "public" for a few thousand dollars can
solve giant architectural and security issues like ridiculously easy XSS and
SQL injection?

I don't know what the deal is, but a huge proportion of people writing code
are plain incompetent.

At my last company we fired someone who created huge amounts of work for
everyone (he thought he could secure page content and alert messages by using
base 64 encoding as a stand in for hashing and encryption, for example) and a
few months later he was hired as lead developer by a pretty reputable
educational business.

... sigh

~~~
jbaiter
> hiring random "programmers" who have history or psychology degrees and think
> they can program because they made a form in PHP.

That's pretty unfair to people coming from history or psychology who actually
_can_ write good code. Just because you don't have a degree in CS doesn't mean
your code is shit. This is purely anecdotal, but my predecessor at my current
job was a CS graduate and wrote code like in the OP.

~~~
einhverfr
As a history major, I would agree with you.

One of the real issues has to do with the mentality of coding. There are
people regardless of background who approach coding as a job, and those who
approach it as a craft. You want the latter, not the former.

Here's my rule:

If you don't look back at code you wrote a decade ago with some degree of
horror, you are either an extraordinarily good coder, or you aren't a good
coder at all.

~~~
dpcx
A decade is a long time at a single job... Try six months for a good start :)

~~~
krisgee
Six months? I come in after the weekend and constantly want to rewrite the
whole goddamn thing.

~~~
vxNsr
This^ and I'm only a student; I'll write a program in the evening and by the
following morning I'm all, no, no, no!

~~~
einhverfr
I tend to spend a lot of time planning (almost as much as coding). I do tend
to notice big changes over a period of 2-3 years but areas where I can notice
improvements in say six months.

~~~
krisgee
I think I spend too much time planning and not enough time just getting shit
done. It's one of the things that I feel like I have to work on this year.

~~~
einhverfr
I don't think it is necessarily a bad thing. I spend a lot of time planning
because I find my coding productivity is higher. Often it's better to let
problems sit for a bit than to code them first, or if one does a mock-up it is
an exploration that is part of the planning, to be discarded and done right a
second time.

But what this means is I rarely come in the next week and wonder what I was
thinking (it does happen, but rarely). More often I look at things, over a few
months figure out better solutions to coding problems and my style changes
accordingly.

------
rachelbythebay
Gradebusters / Making the Grade, or something with names like that, used to
use a Java applet to "secure" the web site with student grades. You could just
download the applet and decompile it to figure out their trivial encoding of
the IDs and PINs (which were just params in the HTML).

Or you could figure out just an ID (typically a student ID number, although
more than a few were social security numbers, apparently), and use "1066"
since they had a backdoor PIN in quite a few releases. Battle of Hastings, eh?

Want to know how users did web security instead of asking their admins for a
proper .htaccess/server-level config setup? That's how.

~~~
girvo
Education software is literally the worst.

Moodle was pretty ick to begin with, but you should've seen the state of one
install I had to work on by the time I got to it.

I still have nightmares.

~~~
fnordfnordfnord
Needs disrupting

~~~
krisgee
It's extremely hard to break into because like healthcare these gigantic
institutions where nobody can get fired made choices ten to twenty years ago
that have now become "the way it's done" and they won't accept a better
solution.

~~~
fnordfnordfnord
I know. I am at one of those institutions. We practically have a social
sciences lab for the Dunning-Kruger effect in place of IT decision makers.

------
Zikes
Clearly they should have optimized this by stripping the @mail.mcgill.ca on
the server side before serving the list.

~~~
mmariani
Clearly you must be joking. They should've kept the emails on the server-side
the entire time. Then it would be a matter of validating the request by searching
the email in let's say SQLite. Would it be done? Probably not. But at least
it'd be a lot stronger than sending sensitive data to clients every damn
request.

~~~
banachtarski
You're missing the sarcasm :P

~~~
mmariani
Unless it's clearly stated sarcasm gets garbled over the wire. So in the hope
of helping those who don't get it I decided to do the right thing just to be
on the safe side. ;)

~~~
biot
From now on, when you see a post taking the form "Clearly [obviously bad
idea]", please read it out loud in The Simpsons' Comic Book Guy voice and
place extra emphasis on the irony. This ensures you will get the correct
intent 99% of the time.

~~~
mmariani
Clearly, acting like a dumbfuck in order to become enlightened is obviously
the right thing to do.

~~~
ZoF
'eh; keep trying, you'll catch on someday.

------
MichaelApproved
I've had something similar delivered to me on a project I hired out. The most
frustrating part was not the code but the developer's reaction to why it was so
bad. He had no idea what the big deal was and thought I was being nitpicky.

Worse yet, was an initial claim that it was more efficient to do it that way.
That was followed up with a claim that doing it differently wasn't possible.

Needless to say, I stopped working with that team of "developers".

~~~
meowface
> The most frustrating part was not the code but the developer's reaction to why
> it was so bad. He had no idea what the big deal was and thought I was being
> nitpicky.

This is always the worst. I've had experiences like that on many an occasion,
where the person is simply like "huh? what's wrong?"

You can't really fix that level of sheer incompetence, ignorance, and
arrogance all wrapped into one.

~~~
ketralnis
> You can't really fix that level of sheer incompetence, ignorance, and
> arrogance all wrapped into one.

Sure you can. You can tell them why it's wrong and point them at reading
material to fix it. Fixes incompetence and ignorance, and if you're lucky,
arrogance. All wrapped into one.

Everyone had to start somewhere.

~~~
meowface
True, but it depends how arrogant and stubborn they are. If they're just
simply arrogant and don't understand, you can do something, but in many cases
they'll insist "this is fine. what's your problem?"

------
pmiller2
Man. Reading posts like these has several effects on me. One is utter shock
that anyone could be so stupid. Another is to remind me of how little I know
(because I'm sure in the eyes of someone who actually knows anything about
security, I'd probably provoke the same reaction). I'm also amazed that some
of the people responsible for these things can still find work.

Here's my own personal story. The other day, I had a brain fart regarding my
password for my online banking account. So, I got lazy and just clicked the
"forgot password" link, answered the security questions, and within seconds, I
got an email. It had my old password in it. Yes, my bank stores passwords in
clear text. _sigh_.

BTW, I'm also looking for a new job right now, so if you're after someone with
2 brain cells to rub together who also happens to be a decent Python
programmer, shoot me an email. (It's in my profile.)

~~~
dclowd9901
Not necessarily. They may be using a reversible hash. Not much more secure,
but it beats plaintext.

~~~
mason240
Yeah, maybe they just look up the MD5 hash on
[http://md5.gromweb.com/](http://md5.gromweb.com/) and sent him the result.

I used that site to show my boss his plaintext password to explain why MD5
alone is barely more than security through obscurity when trying to convince
him that we needed to salt them as well - he agreed with me on the spot.
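
The point about unsalted MD5 made in this subthread, as an added example that is not code from any system mentioned here: identical passwords give identical unsalted digests, which is what makes lookup sites work, while a salted, iterated KDF does not, and legacy rows can be upgraded at the next successful login. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware and current guidance
PREFIX = "pbkdf2_sha256"


def legacy_md5(password: str) -> str:
    """The weak scheme from the thread: unsalted MD5 stored as hex.

    Every user with the same password gets the same digest, so one
    precomputed table answers for all of them at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str) -> str:
    """Salted, iterated replacement: a fresh random salt per stored password."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"{PREFIX}${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt against a stored record.

    Returns (ok, record_to_store). A legacy MD5 row that verifies is
    replaced by a salted record, so the table migrates as users log in
    and nobody ever has to "reverse" a hash to reset an account.
    """
    if stored.startswith(PREFIX + "$"):
        _, iterations, salt_hex, hash_hex = stored.split("$")
        derived = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(derived.hex(), hash_hex), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (make_record(password) if ok else stored)
```
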

~~~
moron4hire
I actually did that for a system. I had grown a major case of the ass about my
job. I hated working there and I hated spending effort on the work they made
me do. They hired me to fix the legacy systems the previous .NET developer had
made (and they were all OS X people who didn't have the courage to even look
at a Windows machine), but every time something went wrong, they wouldn't let
me fix the issue, they would only approve me time to fiddle the data in the
database. "Just brute force it" was some kind of mantra from our CEO.
Somewhere in the last 5 years, it seems non-technical people overheard the
"brute force" meme and display the notion that they believe it's the always-
practical, never-difficult solution to a problem when the programmer would
prefer an overly engineered solution of negligible or negative gain.

So I had gotten tired of people forgetting their single-english-word passwords
and making me overwrite their MD5 hashed password to a known-value that mapped
to something like "password123" (yes, no salting for the hashes). So instead
of manually resetting the password in the database all the time, I banged out
a small web app that ran on my machine for printing every user and reversing
all of their MD5 hash'd passwords. It didn't work for the ones who had chosen
actual, random strings for their passwords, but that was maybe 1% of cases.

And then I shared the IP address to my machine as a link for every other
engineer in the company (all 3 of them). One of the other engineers freaked
out that I had "exposed" the passwords, but as far as I was concerned, the
passwords were already exposed. He shut up when I pointed out that the work
was done and that I had other things to do, things that were his
responsibility but he couldn't do because he had a habit of taking on too much
work.

From that point on, any time I had more than 2 repetitions to do something,
I'd write the most basic of web app to do it, and I'd shove it onto that
little server on my machine. The future repetitions would invariably come in
and I'd save tons of time not doing it the manual way.

Seriously, this was easy stuff. Don't take this to mean I'm bragging about it.
I'm mentioning it because it _is_ so simple and so obvious of work to do in
these cases, and it eventually got me fired. I made the mistake of trying to
get credit for the work I did, for saving the company time, freeing myself up
to do other work, and all the CEO could see was that I was no longer able to
charge 3 hours to create new accounts in the system now that it took less than
a minute through my admin app. "Wasn't bringing enough value to the company."
One of my reports found a quarter million dollars in lost licensing revenue.
Wasn't bringing enough value to the company.

So it's not just programmers who can be grossly incompetent. Oh, they
certainly can be, I've had to clean up my fair share of systems. But I've
found far more often that systems are bad because the programmer's manager was
an asshole idiot who made unreasonable demands and forced the programmer to
make compromises. Maybe that programmer wasn't the best programmer, but nobody
can do as good of work as they are capable in that situation.

------
mherdeg
Gosh. For some reason, the "right answer" I expected to see was "do not try to
validate the address; just send the e-mail and handle the bounce if it fails".

There is a whole other layer which is very good at handling incorrect or
undeliverable addresses.

~~~
retube
Not sure you read the article - there is an additional constraint in that only
email addresses pertaining to the institution in question are allowed.

~~~
mherdeg
Yes, I decided to ignore that constraint because it doesn't make sense :).

The article suggests performing "server-side membership testing, which is
O(1)", but I think this is a bit too much — you can do even easier server-side
validation without the list of all valid e-mail addresses, just the
information that "@[anything but these two domains] is not an OK target".

~~~
zamalek
> Yes, I decided to ignore that constraint because it doesn't make sense :).

Then the customer won't pay you because you ignored their requirements. They
might even sue you because you breached contract.

If the customer asks you for a mound of poo you write them a mountain of poo;
you try your damned hardest to make sure that the room smells like poo when
they are using the app. If they go home and tell their wife and kids about the
giant mound of steaming poo they have been using all day then you have
succeeded because they will go back to the one developer who knows how to
stick to their senseless requirements.

At the end of the day all the other developers are giving them apps built on
principles that only make sense to developers - principles that only really
make sense for millions of users and not the few thousand that they have.
Principles don't put a house over your head and food on the table - money
does.

~~~
mherdeg
Heh, yes, the smiley face there encodes something like ", although of
course I know that in the 'real world' people can't just ignore product
requirements that don't make sense, and hopefully people will challenge at the
design phase insane requirements like 'client-side validation of all possible
e-mail addresses' rather than implementing them."

~~~
pdonis
As I understand it, it wasn't the customer who requested client-side email
validation; the customer just requested validation against a list of known
good addresses (instead of just against a list of known good domains), which
is a perfectly reasonable requirement (for reasons given in other posts in
this thread). It was the programmer who (insanely) decided to do the email
validation client side instead of server side.

------
willvarfar
A timely reminder to everyone:

[http://thedailywtf.com/](http://thedailywtf.com/) is still going strong! Be
there or be ... competent?

~~~
danielweber
I quit them when Alex tried to take over Programming Praxis by force when
negotiations didn't seem to be moving fast enough for him.

~~~
_sh
This was news to me.

[http://programmingpraxis.com/2009/08/13/the-daily-wtf-malici...](http://programmingpraxis.com/2009/08/13/the-daily-wtf-maliciously-infringes-programming-praxis-trademark/)

------
jb17
Am I the only one who thinks that the repeated attacks on drugs and drug usage
are really unnecessary (and not well informed on the topic)?

~~~
adamdavis
Nope, blog post was loaded with snark - her attitude offended me more than the
poor code D:

~~~
tcfunk
Glad to hear that I wasn't the only one.

------
auctiontheory
You know what would be awesome?! If the developer in question happens to
frequent HN and responds to this thread, eh?

~~~
slig
Developers like these don't even know HN exists.

------
Sami_Lehtinen
One coder used a framework he didn't completely understand. Originally there
wasn't a password requirement for users. But when the site got more confidential
data, a password feature had to be added. Well, how was it done? When the user
gave a login and clicked OK, a page came up asking for the password. But if you
changed the URL at this point, everything worked. When I checked the actual
code, the user form logged the user in and the password form logged the user out
if the password was incorrect. Oh boy, I did praise that guy. The same guy used
base64 encryption, so URLs would be unguessable. Guess if there's real
authentication at all if you modify the URL content correctly. Well, of course
there isn't. Btw, why aren't there negative recommendations on LinkedIn?

------
jrochkind1
It's good to be reminded how many employed programmers don't actually know how
to program.

Actually, I'm not quite sure why or whether it's good to be reminded of this.
Maybe it's better to try and forget it.

------
itengelhardt
I love how she gives away the name of the actual software (desire2learn) in
the tag. :-)

~~~
morgante
she

------
cdcarter
McGill seems to use a LMS branded as "myCourses", apparently the newest label
Blackboard is using for its "Learn" line.

~~~
ssalenik
McGill switched to 'Desire2Learn' last summer as Blackboard no longer supports
'webCT', I think (access to old courses hosted on webCT is now very limited).
'myCourses' was the branding chosen by McGill... I think now they just call it
'myCourses2', after the switch.

~~~
ivan_ah
Hm... how come Desire2Learn hasn't been sued by Blackboard yet? Usually, as
soon as a uni switches away to use a competing course management
software, the competitor gets sued based on the LMS patent:
[http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=H...](http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6988138.PN.&OS=PN/6988138&RS=PN/6988138)

UPDATE: they //did// get sued, but won, and the above patent is invalid now.
Way to go!
[http://en.wikipedia.org/wiki/Blackboard_Inc.#Legal_matters](http://en.wikipedia.org/wiki/Blackboard_Inc.#Legal_matters)

------
AYBABTME
I've once come across:

    
    
       if (!Boolean.FALSE.equals(aBoolean)) { 
          // ...
       }
    

I was pretty baffled.

~~~
arethuza
I've seen a surprising amount of code that does:

    
    
        if (aBoolean == true) {
           ....
        }

~~~
jlgreco
Typically that isn't done from ignorance, just some (imho misguided) idea
about readability.

~~~
arethuza
Probably the same kind of place that bans use of the ternary conditional
operator because it's "too complicated" <sigh>

~~~
jlgreco
Eh, I can't say that I have any love for the ternary if operator. It is an
ugly construct made necessary by the other flow control constructs being
statements. Scala lets you just use if/else like that, the result is much
clearer at the cost of 4 or so characters.

------
asdfs
Somewhat unrelated, but out of curiosity, does anyone know of a site that
lists — for all popular languages — various libraries/code snippets/routines
which one can use to correctly (according to the RFCs) check the validity of
e-mail addresses?

If not I may be compelled to create one.

~~~
mason240
@"^[^@]{1,}[@]{1}[^@]{1,}\.{1}[^@]{1,}$"

I check it with this RegEx to make sure it's in the right format of
[string]@[string].[string] to make sure that user at least tries to enter an
email address, but beyond that sending an email and getting a response is the
only way.

~~~
drdaeman
> @"^[^@]{1,}[@]{1}[^@]{1,}\.{1}[^@]{1,}$"

Is not

> [string]@[string].[string]

It's mere ^.+@.+\..+ (in both POSIX extended and PCRE dialects) that properly
represents the latter.

And even such regexp filters out many technically-valid but obscure cases of
RFC-compliant email addresses (for example ai, io, kh and ws TLDs have MX
records, and supposedly hostmaster@io should be a valid email address).

------
eksith
People who write similar code are what I like to call _low-hanging fruit
factories_. I'm counting on them to make things as rubbish as possible, as
long as they're not involved in any service I use, so anyone tempted to find
vulnerabilities will go there first.

------
babuskov
I'm sad to see so many smart people wasting their time discussing what some
stupid person did. :(

I'm also disappointed I lost a couple of minutes of my life reading about this
stupidity as well... just because it got 233 points.

So, I'm looking at YOU 233 who upvoted this. WHY DID YOU DO IT?

~~~
babuskov
As expected. :)

Just click the downvote button on my comment. Don't bother to explain
anything.

Oh, I know, you disapprove I called you smart. Sorry about that.

~~~
Nicholas_C
I've been on HN for a while (lurking), never seen a downvote button but hear
people referencing them on occasion. Why do I not see downvote buttons? Or is
this some inside joke?

~~~
Domenic_S
You need 500 karma to get a downvote button.

"Why don't I see down arrows?"

[http://ycombinator.com/newsfaq.html](http://ycombinator.com/newsfaq.html)

------
lstamour
Hate to burst people's bubble here on the privacy of email addresses, but it's
routine at universities to have open, relatively unprotected LDAP directories
or even web listings. That said, under Canadian PIPEDA (privacy laws), email
addresses are considered personal information, so this would be a severe
breach... As are all the times I get CC'd a bulk email rather than BCC'd.

------
hawkharris
"I stumbled upon this snippet while doing research for my thesis, 'Prolonged
drug use and its effect on code quality.'" Lol.

~~~
Sami_Lehtinen
Old slogan, booze bottle a day, keeps good code away.

------
apinstein
This made my day. After spending the last 6 months turning down developers
based on horrible code reviews, I finally feel vindicated for sticking to my
instincts and hoping to eventually find someone that doesn't think code like
that from TFA is "programming" and subsequently destroying my codebase and
crushing my soul.

------
weichi
In order to truly understand the madness at play here, we really need to know
how the list of email addresses was generated.

------
samirhurshal
This would have been so simple to just make right in the beginning. They
should have just hashed each of those user names and put the hash into a
dictionary. Whenever someone entered an email check if it is in the
dictionary. O(1) time and it wouldn't be a "data leak vulnerability". So
close...

------
powertower
> I would really like to know the combination and quantities of drugs consumed
> that resulted in this code. Do you know? Can you hook me up?

Meth. Two week binge. SilkRoad.

I can't imagine opiates did that.

And the only thing you'd do on coke is more coke in combination with hating
yourself; not coding shit like this up.

------
hussfelt
Check out our Eduware startup Coursio
[http://coursio.com/](http://coursio.com/) for hassle-free education!

I vouch for the code, wrote it myself with some really good advisors around!
;-)

Get in touch with me personally, I'll give you a brief introduction!

------
AMcQuarrie
Unrelated fact: Desire2Learn likes to employ large quantities of first year CS
student interns.

------
slig
Gee, what a newb. Here's how to do it in O(1):

    
    
        return userNamesStr.indexOf(curForwardUserName) >= 0
    

;)

(I'd love to not have to explain sarcasm, but people have an incredibly
difficult time understanding it here.)

~~~
lstamour
lol, I was thinking that too -- "but indexOf is faster..."

------
kirab
Am I the only one who thinks that the amount of flaming is kind of
unproductive?

~~~
adamdavis
It's a common thing I see with programmers. I know I've been guilty of it
before. I see some poorly coded module and I'm just disgusted by how bad it is
and then proceed to say some of the nastiest things about the developer who
wrote it, sometimes just aloud to myself, other times to my peers.

These days I do my best to try to remember we all make mistakes, and that
instead of flaming whoever is responsible for a mistake when it rears its ugly
head, it's probably best to take it as an opportunity to discuss what I saw as
shortcomings in the code with them and turn it into a learning experience if
possible. Sometimes of course this isn't possible when you inherit code from
devs who are long gone. Either way, I'm not sure any good is done throwing all
that negative energy into the air.

------
Uchikoma
For me it depends on what "validity" means.

1.) Prevent typos etc. Regex or Mailgun or Kicksend is enough.

2.) Prevent bounces, prevent wrong signups one needs to do double opt in.

~~~
anjc
The article has nothing to do with this aspect of address validation

~~~
Uchikoma
1.) Yes, the article was about choosing the right approach for validation

2.) I urge developers to step back and think about the requirements they get.
Concerning those I would have thought what validity in this situation means,
e.g. light validation in JS, send validation / validation list on the server
etc.

------
plg
there is a huge market (education and higher education) where institutions
(sometimes governments) will pay huge money for these sorts of apps, and for
whatever reason, the only real players are often of this quality

at my university we use a similar system called OWL, which replaced a system
called Web-CT. Both are horrendously slow, with fantastically poorly thought
out interfaces.

There is a ton of money to be made here. Low hanging fruit.

~~~
chenglou
How ironic that you mention WebCT, because that's what McGill in the article
used until very recently.

------
kaeruct
this should be submitted to thedailywtf.com...

~~~
emiliobumachar
It's #1 on HN, it has plenty of exposure already.

------
w-ll

    if input_email in valid_emails_set:
        send_email(input_email, another_param, etc)
    

Their solution, while it isn't wrong, could still be improved. With a somewhat
modified 2822 regex with a more strict domain rule. But I would also assume
you could just query the db.

~~~
tantalor
You assume "in valid_emails_set" doesn't make a query.

It's fairly trivial to define your own __contains__ in python.

~~~
masklinn
Indeed, since this is an internal system validating the uni's own emails it
could easily query the uni's MSA for valid addresses.

Although for a set of 80k items and long-running processes (fcgi or wsgi) you
could also load the whole thing in memory directly and not bother with a
custom `__contains__`.
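
The server-side membership test suggested in this subthread and earlier (the SQLite lookup, the custom `__contains__`, and the load-it-all-into-memory variant), as an added example that is not the LMS vendor's or any commenter's code. The table layout, class names, handler shape and sample addresses are assumptions; only the domain `mail.mcgill.ca` comes from the thread, and lowercasing the local part is an assumed policy.

```python
import sqlite3

ALLOWED_DOMAINS = {"mail.mcgill.ca"}  # domain named in the thread


def normalize(address):
    """Return a canonical lowercase local@domain string, or None if malformed."""
    if not isinstance(address, str):
        return None
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    if any(ch.isspace() for ch in address):
        return None
    return f"{local}@{domain}".lower()


class DirectoryAddresses:
    """Set-like view over a server-side table: `addr in directory` runs a query."""

    def __init__(self, conn):
        self._conn = conn

    def __contains__(self, address):
        canonical = normalize(address)
        if canonical is None or canonical.rpartition("@")[2] not in ALLOWED_DOMAINS:
            return False
        # Bound parameter: user input never becomes part of the SQL text.
        row = self._conn.execute(
            "SELECT 1 FROM addresses WHERE email = ? LIMIT 1", (canonical,)
        ).fetchone()
        return row is not None


class SnapshotAddresses:
    """Same interface, but the whole list is loaded once into process memory."""

    def __init__(self, conn):
        self._emails = frozenset(
            row[0] for row in conn.execute("SELECT email FROM addresses")
        )

    def __contains__(self, address):
        return normalize(address) in self._emails


def build_sample_directory():
    """Constructed sample data standing in for the institution's directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (email TEXT PRIMARY KEY)")
    conn.executemany(
        "INSERT INTO addresses VALUES (?)",
        [("jane.doe@mail.mcgill.ca",), ("sam.lee@mail.mcgill.ca",)],
    )
    return conn


def handle_forward_request(directory, address):
    """Hypothetical endpoint body: one address in, a yes/no out.

    The list itself never leaves the server, so a page view cannot be used
    to download every valid address.
    """
    if address in directory:
        return {"status": 200, "ok": True}
    return {"status": 422, "ok": False, "error": "address not accepted"}
```

Because the endpoint still answers yes or no per address, it should sit behind authentication and rate limiting so it cannot be used to enumerate the directory one guess at a time.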

------
drderidder
Dang, that programmer sure gets around! They did a stint on my team, too.

------
hadem
Sadly, this looks like something my boss might try to pull off...

------
jheriko
i wouldn't blame drugs... this is just stupidity, or perhaps even naivete. :)

------
nkg
lol

------
Buzaga
I was waiting for the part of the story where she would describe how the developer
had an actual drug habit or something, so much she talked about it. I wonder
if she's ever really met someone who 'uses drugs', this mockery seems
incredibly infantile.

