Winning a hackathon, losing my sanity (jero.zone)
253 points by jer0me 6 months ago | 68 comments

Cool project and write up.

An aside - while I love the snark and making fun of these "legacy" systems, it has given me a window into my own maturity as an engineer. I was absolutely this cavalier and cocky about poorly implemented systems I've been a user or admin of in the past. But having now spent nearly a decade and a half getting paid for this work and seeing a lot of stuff and the evolution of best practices, I have much more empathy for the organizations and authors of these systems. There are very very few programs that ever achieve something like elegance and beauty when they collide with the real world.

I partially agree. While there is nothing wrong with boring "legacy" systems, and the world runs on them, practices like sending plain text passwords over email and all other security failures mentioned in the post are inexcusable. Software like Atrium is a perfect example of companies getting large contracts (usually in the public sector) through connections/corruption and outsourcing development for pennies, with no quality control or other oversight. This stuff should not be romanticized.

In fact there is a non-zero chance that the company's response to this blog post will be to file a lawsuit against these students for "hacking" and ruining their lives, as has happened many times in the past in such cases.

While I do not like the 'get out of breach free card' that companies like Equifax seem to get, your tone has that exact sort of arrogance that smacks of immaturity.

You just can't always apply today's sensibilities to code that has lasted longer than your life so far.

I agree that companies need to be held responsible for their decisions not to update security, but that's a different (related) issue than 'legacy'.

I am more concerned with legislation and law enforcement. That's the real way to fix things. Rust rewrites won't change business incentives.

I’m 46 and have been working professionally since the late 90s. There was never a time in the history of the web when storing user passwords in plaintext was OK. Encrypted passwords were already well established in UNIX, although I remember using systems without shadow passwords or salt.

I am similar age, and there is software older than us that is still running.

Yeah, the best thing about hiring people "fresh out of college" (or whatever the equivalent is today) is that they see things with fresh eyes and want to change everything. The worst thing about hiring people fresh out of college is that they see things with fresh eyes and want to change everything. ;-)

This is a really good insight! The key is to say yes to the good ideas and no to the bad ones.

Turning 50 this year, writing code for living, and could not agree more. I used to think all must be re-written and refactored. "Old crap must go". "I can do it better". But then one realizes the rewritten system is "crap" to someone else soon.

Learning an existing system is harder than creating something seemingly equivalent that the author understands well. For some time at least.

My measuring stick is how much the team can understand what is happening. When the team at large cannot move through the codebase and effectively make changes then it is time to make changes.

If the code is on the back burner and only receiving maintenance then no need to mess with it.

But active feature development? Teams need to have a grasp on it and have a way to get a mental model of what is happening.

A team that can’t understand what the code does now is not going to write a functional replacement any time soon.

In a dysfunctional company where "the code is the documentation"? Yeah.

If there are knowledgeable people to lead the process, and the transition is done appropriately, it is 100% possible, and I have done it multiple times in my career.

The burden of rewriting shouldn't lie on developers alone. And before someone quotes Spolsky: not all software is Netscape Navigator.

Corollary: If the change is going to make it harder to effectively make changes (and figure out changes that need to be made, i.e. manual troubleshooting), it's probably a bad change.

(This corollary might be most applicable in robotics? I'm dealing with the fallout of Kubernetes being forced onto robots by cloud-oriented folks.)

Wow, I am sorry for your pain and suffering. I am not anti-k8s, I get it, I get why people like it. But it's just so much complexity for so little payoff in many cases where you don't need the overhead.

As ever, the greatest programmers are fundamentally lazy. I hate writing code. I endeavor to do as little of it as possible.

Solving problems? Sure, love to.

But slogging out LOC for the sake of it? Hard pass. Even as a teen that never really appealed to me.

I never refactor for the purpose of refactoring.

If I can do things better, and I usually can, it's because I have a more performant higher level algorithm or set of low level optimization strategies to apply.

I agree. Those API organizers are just creating future crap for others. However, objective benchmarks showing my changes yield 10 to 100 thousand times quicker execution than the old method mean the legacy code was crap...

Legacy being crap is not always the fault of devs. Back on Z80 and similar, before execution caches were expansive and expensive to invalidate, the short circuiting && and || bool operators made sense. Now that invalidating the CPU instruction cache with a jump is far more expensive than just running the ops these short circuits are trying to avoid, it is better to just use bitwise | or & instead of boolean || or && unless there are needed side-effects (really should make the conditional evaluations into proper branches [if statements] anyway, if only for clarity). Benchmark it and see. C is stuck doing LOTS of old and busted style logic, and coders imagine their compiler is doing a lot of magic voodoo under the hood that simply isn't happening. There's loads of compiler optimization hype.

Sometimes the hardware or platform just shifts underneath Good Code and turns it into Crap Code.
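The distinction the comment above draws, between the short-circuit `&&`/`||` operators and the bitwise `&`/`|` operators, is easy to see in code. The block below is an added example written for this thread, not code from the original post or from any project it mentions; the `buf` struct and the `right_side` helper are constructed for illustration. It shows the one thing to check before swapping one form for the other: with `&` the right-hand operand is always evaluated, so a guard such as `p != NULL && p->len > 0` stops being a guard.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: a buffer whose length may only be read
 * once we know the pointer is non-NULL. */
struct buf {
    size_t len;
    const uint8_t *data;
};

/* Counter recording how many times the right-hand operand ran. */
static int right_calls = 0;

/* Right-hand operand with an observable side effect (the counter). */
static bool right_side(void)
{
    right_calls++;
    return true;
}

/* Logical &&: right_side() runs only when `left` is true.
 * Returns how many times the right operand was evaluated. */
int shortcircuit_evaluations(bool left)
{
    right_calls = 0;
    (void)(left && right_side());
    return right_calls;
}

/* Bitwise &: both operands are always evaluated, whatever `left` is.
 * Returns how many times the right operand was evaluated. */
int bitwise_evaluations(bool left)
{
    right_calls = 0;
    (void)(left & right_side());
    return right_calls;
}

/* NULL guard that relies on short-circuiting: p->len is only read after
 * p != NULL has been established. Safe to call with NULL. */
bool has_data_safe(const struct buf *p)
{
    return p != NULL && p->len > 0;
}

/* The same guard rewritten with bitwise &. It compiles, but p->len is
 * read even when p is NULL, so calling it with NULL is a NULL-pointer
 * dereference (undefined behaviour). Shown for contrast only. */
bool has_data_bitwise(const struct buf *p)
{
    return (p != NULL) & (p->len > 0);
}

int main(void)
{
    uint8_t bytes[4] = {1, 2, 3, 4};
    struct buf b = { sizeof bytes, bytes };

    printf("&& with left=false evaluates right side %d time(s)\n",
           shortcircuit_evaluations(false)); /* 0 */
    printf("&& with left=true  evaluates right side %d time(s)\n",
           shortcircuit_evaluations(true));  /* 1 */
    printf("&  with left=false evaluates right side %d time(s)\n",
           bitwise_evaluations(false));      /* 1: no short-circuit */
    printf("&  with left=true  evaluates right side %d time(s)\n",
           bitwise_evaluations(true));       /* 1 */

    printf("has_data_safe(&b)    = %d\n", has_data_safe(&b));    /* 1 */
    printf("has_data_safe(NULL)  = %d\n", has_data_safe(NULL));  /* 0, no dereference */
    printf("has_data_bitwise(&b) = %d\n", has_data_bitwise(&b)); /* 1; NULL here would crash */
    return 0;
}
```

The two `*_evaluations` functions make the evaluation difference observable through a counter rather than through timing, which is the property that decides whether a swap is legal at all; whether it is faster is a separate question that the benchmark the comment suggests answers. The guard pair is the case that matters for memory safety: the `&&` form is the idiom the bitwise rewrite silently breaks.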

Definitely agree. My first few gigs were in consultancy and after seeing how the sausage is made I don't feel much like calling out these kinds of old systems anymore. The budgets and deadlines are tight, the people working on them are often inexperienced and underpaid and have little time to sit down and think things through, and when they have to work on an old system to add some features they have little time and incentives to improve the overall state of things.

I have a similar length of experience as you, but I'm on the opposite side of the fence and side with the students in this case. If an organization is willfully putting out and maintaining shit products year after year and equivocating about how updating things to be more in-line with modern practices is oh so difficult and oh so expensive, maybe they do deserve to be mocked. If they're making an effort, that's a different story. There's really no excuse to keep insecure and outdated things out in the wild except for organizational laziness. Stand behind and maintain the crap you sell or don't sell it at all.

I think as a profession we need more derision and mockery of poorly made, documented and maintained shit and less reverting to robotic response of "you just don't understand, man".

I don't necessarily disagree. But you get what you pay for. These public institutions typically put out bids for projects and take the lowest one. Incentives matter and these types of organizations are incentivizing the production of cheap and poorly made software.

I totally get what you mean, and I feel kind of the same but in reverse: When I was young, I was totally making systems like this legacy dumpster thermal experience.

A lot of this stuff is hacked together by young aspiring programmers just finding their footing, often grossly underpaid, and with very little experience or formal training. Which is great, respect the hustle! But not so super when personal data is being handled. Luckily, it kind of looks like they maybe dodged that bullet in this case?

Lesson of the day is: Use different passwords for each thing you log in to. :-)

> A lot of this stuff is hacked together by young aspiring programmers just finding their footing, often grossly underpaid, and with very little experience or formal training. Which is great, respect the hustle! But not so super when personal data is being handled. Luckily, it kind of looks like they maybe dodged that bullet in this case?

This is an odd generalization to me - are the massive mainframe COBOL systems handling personal data at banks to this day, "hacked together" by underpaid young programmers? I'm sure they were underpaid... but inexperienced with no formal training?

You went straight to massive Fortune 50. Guess what, there are hundreds of thousands of businesses in the US. Most aren't Fortune 50.

Here are some other kinds of business:

Lawn care
Cabinet making
Law office
Hair styling

These small shops run on bespoke industry specific software with few competitors. They are often buggy and out of date because there is only one game in town a lot of times.

There is more to the world than huge businesses headquartered in NYC or SF.

all of them use QuickBooks!

> but inexperienced with no formal training?

someone doesn't have any experience with offshore programmers, eh?

SAP contractors hurt you too?

yes, unironically

Judging from the JavaScript, they scraped. The system they were scraping would have been cutting-edge in 2004-5. Keeping something running that long, duct tape and all, is no small feat.

Nothing screams junior dev like snark about things they don't understand.

> There are very very few programs that ever achieve something like elegance and beauty when they collide with the real world.

I write embedded systems. Tell me about it!

Mocking bad systems like this is all fun and games but it definitely demonstrates your inexperience. Eventually you realize this is just normal, most stuff is as bad as this in one way or another. Mocking it all would be your full time job. And you just get tired of it.

Within a couple years of working professionally, I went from "who on earth would do X?" to "ah... almost certainly they were forced to do X by ..." some external factors - time/deadline, workaround to another bad system, or management pressure for some weird reason. Sometimes it turned out to be just "really naive dev copy/pasting", but that wasn't a majority of the cases.

What still bugs me though is that when poorly done/hacky/broken systems still 'work', the assumption is that everything is 'fine'. When I'm needing to work with those systems, the assumption by others (management, other devs, whoever) is ... "why is this taking so long? just do XYZ and move on!" not understanding that often I'm discovering all the ways the broken system is broken - very hidden things, bad docs, charset issues, speed, incorrect data coming back that other consumers just 'know' to hack around (without it being documented anywhere, etc). It's not frustration at the devs of the other system as much as the pressure you face when others don't realize how much workaround you're needing to do to do something 'simple'. And yeah, it should be simple, if the broken system wasn't broken in the first place.

100%, I love debugging and digging through legacy systems, personally, yet have only run into co-workers in my career over the years that loathe and fear them!

Being able to jump in and put out fires on a building that's already built has served me very well in my career, but in overall satisfaction as well!

Yeah, once you have gone through a few cycles of your cutting-edge approaches becoming standard and then becoming legacy and outdated, you realize the treadmill never stops.

There's a ton of Dunning-Kruger going on, but I think as college kids riding a high of winning a contest and learning a ton, it can be excused.

Absolutely. I'm not trying to dump on them. It may not have come through with my choice of verbiage, but there's something romantic (in the aesthetic sense) and admirable about what they've done and their attitudes. That kind of unbridled optimism and confidence of youth that can be hard to cultivate as we get older.

Life is full of cringe, and certainly I have had more than my fair share of it, so who am I to judge anyone. Maybe I am even far more cringe than the average person, or maybe I notice my cringe much more. I hope it is the latter, but I can never tell.

haha I had this same exact thought while reading it. "Oh sweet summer child..."

To me it seems like a miracle anyone ever had the budget to create this kind of website to begin with, let alone to "keep up with the times" :)

> Through some clever promotion on Ben’s part, we managed to get hundreds of students to use it in just a couple of days

At the end of the day, marketing is just as important (or more), than the tech we build

I won a hackathon this way too. We were the only ones who brought a printer to the event, we printed maybe 100 posters of our app with a QR code to use it, then we put the posters up all over the venue

By the time the pitch came, we not only had a working proof of concept, we also had the data we collected from all the people who had already used it, so we were able to show traction in barely more than 24 hours.

We also spent at least 4hrs creating and rehearsing the pitch

Cool breakdown.

A few thoughts:

1. I would never be so brazen (brave? have the guts?) as to try all of this. I would expect to be rate limited and throttled or banned or get a nasty letter from a lawyer or something.

2. The HTTPie thing was interesting. I am still not quite sure what that application is, but I am definitely going to stick with curl now.

3. They demonstrated a number of interesting strategies unrelated to tech per se, like registering that new domain, getting people to add them as a guest account, and making those fake posts on what I presume is a university message board type thing. I bet this is how people who are good at stuff like “growth hacking” or developing engagement numbers and such work. Pretty clever. Still makes me feel a bit uncomfortable.

A cool story. I was hoping the demo image would say “you ate $300 of omelets” but I guess it is probably not that fine-grained?

Reminds me of a fun project I did in 2005. I made a course schedule generator that once you picked your courses it showed price comparison of text book prices from local university bookstore and amazon. I made a bit of money before receiving a lawyer call from the university.

Funny part was, they could have used our course scheduler for students but no, they wanted students to still hand pick their classes one by one.

This let you block off times you didn't want class and it would make a schedule around that.

Reason was, "students might think they are registering for their class when they are not". We had an alert stating we didn't actually pick the classes and to log in at __link__ to start. Had the same warning everywhere.

I lost the battle.

I'll be less nice than you and say I'd be pretty mad if I was building something legit but lost out to a project like this. You not being brazen to phish all your fellow students just means you're not an asshole (and I thank you for that).

Playing devil's advocate here... university systems feel like a great place to poke around recklessly like this. Especially when presented publicly. Any holes in the system that enabled such ease of abuse should be patched up.

I don't know the author but would guess these hacks would never be used "in production" or with any system expecting to earn money. They're pretty blunt about how hacky it all is, and they don't sound happy to have done it.

Eh? They invited the other students to add them as guests. Nobody was phished.

> I would expect to be rate limited and throttled or banned or get a nasty letter from a lawyer or something

None of those things should ever prevent you from sating your curiosity.

I clicked through and skimmed for "losing my sanity". I didn't find anything - total clickbait headline - but it was interesting to note the utter lack of reasonable ACLing in the university's campus food-ordering system, as well as the social engineering "attack" of posing as users to post their project and get actual users to try it.

The loss of sanity, I reckon, was when they found out about all the backdoors and lax security the old system had. Incrementing int for IDs, the session key being part of the URL as a parameter, the XML. This may be something you're OK with, but for those of us who care about security, this would drive me mad as well.

State University of New York used to famously use students' Social Security Numbers for their student ids up until around 2005. That student id was printed on your student id card and used for just about every system on campus.

They finally changed that system after lots of scams/fraud perpetrated against students brought the practice to media attention.

This was pretty common. I went to two schools that did this in the late '90s and early '00s. 'Twas just a different time.

Wow... That's definitely worthy of a daily wtf.

I believe it was the same situation at Oregon State, around 2003.

Perhaps it was easier for the ID vendor to key against a registrar DB.

I must've missed the hacking part. All I saw was a phishing expedition that resulted in them being able to log in as other users (and scrape their data)?

Bad title, good article. It's about exploiting security flaws in a university meal accounts website to build a Spotify Wrapped-style summary of students' eating habits.

While they point out some flaws in the guest permission granularity, did they actually exploit any flaws, to make it work? My understanding was no.

It seemed to me like they actually got explicit consent to have guest permissions to view this information, I am honestly pleasantly surprised. Once I saw them looking at the security tokens I got worried, but they pulled it out of a tailspin pretty quick.

> Because we can’t instruct students to copy-and-paste the URL (and thus their session key), we needed another way to access students’ transaction history. We turned our attention to JumboCash’s guest access feature.

I am going to take "can't" as "were not willing to" which is more impressive. It sounds like they could pretty easily have convinced people to give them a lot more access than they realized, and chose not to go that route.

> I am going to take "can't" as "were not willing to"

I disagree. I take "can't" as a reference to this earlier statement:

> Change to another IP address, and it…breaks?

I.e., they would need to not only ask for the key, but also use the same IP address that the key was generated with. Depending on what sort of NAT may or may not exist on campus, that could be difficult or easy.

Great line:

"The portal is really a wrapper around the reanimated corpse of much older software, its rotting flesh visible through nonsensical decisions and the occasional XML response."

Seconding this. A beautiful line.

It seems there is a second story here about their University requiring the purchase of a 'meal plan' and that generally not being good value (costing more than the dishes individually)? Am I reading that between the lines correctly?

Yes and no. It seems you're required to be on a meal plan. First-year students automatically (you might be able to downgrade) get a plan for $4019 which includes 400 meals and $75. Meals vary in price though.

So if you max out on dinners ($14.97), in theory, you can get 405 dinners which would cost a total of $5974. In other words, a meal plan saves you $1955 vs buying individual meals. If you eat all three meals (breakfast, lunch, dinner), the average meal would equal $12.19. In other words, you'd get $4951 worth of food for $4019.

To summarize, it seems the meal plan saves you money by giving you a discount. The problem (I assume) is that some students don't make use of their 400 meal swipes.

My alma mater solved this issue by making the compulsory "meal plan" a credit for the campus wide system so you could eat in the residence dining hall (which was relatively cheap) or spend the credit at various food courts on campus (more expensive, but there is a Subway, McDonalds, etc. etc. as well as various non-franchised options).

The second term, they added the credit on a weekly basis because a bunch of students had run out of credit before the end of the first term ... which, as our psychology department pointed out, was a completely predictable eventuality.

The project calculates if the meal plan is good value FOR YOU based on your eating habits.

The ligature on "www" was making me doubt my sanity. I had to double-check that it's for real, but it comes from the Berkeley Mono font.

What surprised me the most is that the public directory of all students and staff really is completely public. Anyone on the internet can use it to get names and emails of students.

I assume that is the case for almost all public universities in the US, or at least it was back when I was in college a decade ago.

Also, those student emails listed in the directory aren’t personal ones, they are school-assigned ones, so I don’t think it is a major issue tbh. The only times I’ve ever got any emails sent to mine from people that obviously discovered it through the directory were from the recruiters (and those were definitely very welcome at the time).

Hackathons and programming contests can be fun. The world could use more but more importantly, more fun ones. Yeah, we need solutions in healthcare and government but that's so boring and the prizes are usually pathetic.

We need more flashy and fun ones! Especially ones that give the entrants something like a month instead of just a few days to come up with their entries.

It'd also be great if there were more hardware-development hackathons. Give folks three months to make some hardware or a robot that does X.

Make the prizes worthwhile for adult professionals! Spending a month of your free time for the chance to win $5,000 isn't very enticing. Make it $50,000 or more and I bet we'll see some really fantastic entries.

I think you're just getting too close to regular grants for research and development but with more losers. For example, Vinnova is handing out $5m for AI projects this year. Why participate in a contest when I can just get $100k from them by writing an application? In total, Vinnova handed out $300m last year with no follow-ups. That's just one organization.

> Why participate in a contest when I can just get $100k from them by writing an application?

Because that grant comes with obligations and strings attached (which you gotta deal with, after your application gets approved and the grant hits your bank account). The whole idea behind grants like this is that you use it to start up a real company, and the grant-giver gets to be one of the first early investors in it (in case of success). With this in mind, most of the work on your project is also expected to happen after you obtain the grant.

Hackathon winnings are supposed to be the exact opposite[0]. You do the work on your prototype on your own, you present, you win the prize with no strings attached, and that’s it. You aren’t expected to continue working on it after the hackathon as a condition to receive the prize (but you can of course, and you might even get encouragement and support from the sponsors/other entities at the event to do so).

On a related massive side-tangent: I was sorely disappointed in hackathons back in college after going to a few major and local ones. Winners half the time didn’t have any even barely functional prototype and would gather wins off of powerpoints alone, half of them with proposals that wouldn’t even be feasible or possible to implement at all.

A specific example that pissed me off at the time: the 2nd place winner at one of the Atlanta college hackathons I attended around 2014 was a team of 6 people with only a couple of devs. Their opening statement was like this: “none of us had any machine learning experience or knowledge until yesterday, but we learned it all in one day and decided to build an app that will tell you the full nutritional content of any dish you take a photo of, based on the food components in it.” First, I don’t think it is technically feasible to accomplish even in 2024. Second, claiming to have zero knowledge of machine learning and figuring it all out in one single day to the point of building a functional model that was beyond any cutting-edge research at the time was sussy. So naturally, I was excited to see what their prototype was. Turns out, there was no prototype and no code at all (which they easily admitted), just a powerpoint deck. Judges all fawned over it, and they won one of those “we are a startup accelerator and we would like to give you a grant to work on it afterwards to turn it into a real company, the grant is pre-approved and is waiting for you (if you are ready to commit)” sponsor grants.

However, there was one time where I remembered the winners vividly (and the hackathon overall, as it was one of the very few that I would consider “proper”), because I was genuinely impressed by what they built, and felt it was very well deserved. I tried to keep up with what they were up to, as they continued working on that project in the open after the hackathon, and I am so happy I did.

Spoiler: that team was the one that built WorkFlow[1]. Shortly afterwards, they actually released it in the App Store, and it kept growing over the years. It culminated into the team continuing to work on it full-time after graduating and getting acquired by Apple to build the improved native version of that, which is currently known as Apple Shortcuts. Which is an amazing tool I use all the time, and I am a bit surprised by how little discourse there has been about it in tech circles. Especially since it is clearly not abandonware, as Apple eventually expanded Shortcuts from iPhone to iPadOS and macOS, and it keeps being integrated into newer things Apple releases as well (like Home automation and plenty others).

0. Note: I am aware that a lot of hackathons now have a similar type of “prize” from some sponsors, where they give you a tiny (or often non-existent) cash prize and then offer to fast-track/pre-approve your grant application as a component of it.

1. https://www.michigandaily.com/uncategorized/mhacks-winners-p...

Cool article and looks like a well deserved win! I like that the project was something fun and doesn’t take itself too seriously.

And I liked the part about how they did guerrilla marketing too.

Hackathons suck, man. Staying up 36 hours to compete is some sadistic stuff.
