Payroll System!



  • The previous system was made around the late 90s and it while bad, was the predictable bad for the time. Wouldn't print to anything other than a LPT printer, directly access "database" files over CIFS resulting in repeated corruption when it crash and it crashed weekly.

    The new system is just a complete fail and doesn't have the excuse of been old. This is not an in house system, we pay money for this. It's bad enough I'm beginning to think the old system with the paper payslips might actually be better

    Logging In

    • Welcome page is weird, instead of been a login page it's a pre-login page. We have to select if we want $payroll-system-admin or $payroll-system-self-service and to use either we have to enter a Client ID. Wouldn't mind this if we could bookmark the page it takes you to but then you get a invalid session ID error.
    • If you accessed the welcome page by going to http://$productname.com instead of http://www.$productname.com, you get a blank page instead of the login page after hitting OK. I checked the returned html, the server doesn't return a 5xx error, the body element is there but empty
    • The Login page asks for Username, Password and Client ID. It doesn't prefill with the Client ID you just entered on the last page. No biggie but just feels slack.
    • There is a Forgotten Password link, the resulting page again asked for Username and Client ID, second page asks for Surname and D.O.B. and I can't tell you about the third as I've never seen it. It always errors saying either Surname or D.O.B. is incorrect. I know it is correct as I copied and pasted it from their account information page!
    • Just to top off the Forgotten Password page, 3 tries and you account is locked until the Payroll Officer unlocks it. So it locks your account because you're trying to use a broken system. I have had their developers defending that the Forgotten Password page doesn't work as the Payroll Officer can reset your password. Why have it there if it doesn't work and you don't care! I'm betting for a feature tickbox exercise.

    The Self Service UI

    • Viewing a payslip is bugged differently depending on if you use FF or Chrome.
    • In Chrome it will open the first payslip you select, when you try to open a different payslip it always opens the first one you open for that session. The only way to view a different payslip is to logout, delete the cookies for the site and log back in.
    • In Firefox you get a 404 page. Chrome use to do this as well until I got very loud about it. The URL is the same for IE, FF and Chrome but the behavior is different. What the !#$@
    • The leave module is barebones at best
    • The leave log only shows transactions that use up leave but not when you accrue leave, meaning you can't verify you leave entitlements have been allocated correctly. I'm told this is OK as the Payroll Officer is well trained and doesn't make mistakes.
    • There is no online leave application, in an app only 5 years old!

    The Admin interface

    • It only works in IE and requires and ActiveX that must have local admin privileges, I assume this is because it writes the data files for crystal reports to C:$productname. Devs says this is so it's consistent on all computers!
    • It is unable to calculate either leave loading or backpay due to a backdated payrise (Common in this sector). Their answer is that is OK as they provide a Excel Sheet overloaded with Macros, which doesn't handle situations with variable working hours (over half of the staff). I rewrote it using a government supplied formula in Google Sheets in a day, turns out their sheet was wrong, confirmed by auditors.
    • Requires winword and excel to be in the path, that was their fix to the issue of using hard coded paths valid only for Office 2003.
    • Name fields are only 20 long, while not common there have been staff affected by this.
    • The UI always shows that a save is successful, even if it's not. The data will still be there for that session but next time you login it will be gone. Thankfully not common, maybe a dozen times a year I get that call.

    I'm not sure what pisses me off more, that a company can sell something this crap or that we purchased it and now because of the money invested they don't want to change.

    At least my hours are static so my pay consistently works, I pity the ones that aren't.



  • It sounds like you have impressionable upper management and they have a good salesperson.

    Do they dismiss all major deficiencies in the software as "teething problems", too?



  • Yep, combined that with too much pride in decisions and avoiding conflict/confrontation. There is someone over his head I could do to but I don't want to use that as it's a bridge burning exercise and this decision maker is my line manager's boss. My line manager agreed with me and has tried talking to the decision maker but no joy. As bad as the system is, I get paid on time, if that stops I'll make far more noise.

    At least we finally are getting rid of the old pabx that went out of extended service life 14 years ago, it's amazing how system failure gets people to finally move. Telephony is finally been given to IT instead of Facilities so we'll at least get something sane 😄



  • @Squiggle said:

    It sounds like you have impressionable upper management and they have a good salesperson.

    This is how I ended up being the liaison between our extremely tolerant Nigerian client and a vendor for a piece of software which I call ProblemMaker. The vendor's written English, despite being native, was inferior to that of the client. The result was that I would spend long periods of time reading AND writing messages from/to the vendor, presumably by comparison to said vendor, whose responses seemed wordy, vague and poorly formatted (I wasn't looking for anything fancy, just some carriage returns).

    On a technical level, our company had the resource to write a better (working and actually customisable) version of ProblemMaker, but ended up supporting, fixing and negotiating improvements with a guy who ultimately wouldn't send us all the files when we wanted to support the system ourselves, rather than wait days for a reply.

    On a social level I had conversations such as:

    **Me**: "Where is X?" **Vendor**: "We don't use X, we use Y." **Me**: "Where is Y?" **Vendor**: "Again, we don't use X, we use Y."

    And:

    **Me**: "I can't find the button for doing stuff." **Vendor**: "The button for doing stuff is very easy to find in the same place it has always been. I have more things to say on this, and eventually I will even give you directions to the button within this message." **Me**: "I followed those directions. It's not there. I have attached a screenshot." (The screenshot is where he directed me, and where I was expecting to find it in the first place, showing no button) **Vendor**: "Sure it is. You just need to follow these instructions, which turn out to be identical to the previous set of instructions. I'm obviously assuming your intellect or the machinery are non-deterministic, otherwise I would have shown some indication of looking at your screenshot or reading your message(s)." **Me**: *Continues to spend time looking for ways to communicate with the alien native Brit who somehow speaks a more foreign English than the extremely patient Nigerian client* (The next day): **Vendor**: "I found the issue: Your permissions were not set up, so you couldn't see the button." **Me**: *Regrets not burning down his house*

    Finally:

    **Boss**: "We won't be renewing their contract." **Me:** "Probably for the best."


  • @TheFrustrated said:

    It only works in IE and requires and ActiveX that must have local admin privileges

    For some reason, this is the item that makes me want to stab the developers in the eye. A webapp that requires admin rights...



  • Remember that ActiveX was added to IE specifically to check the "web app" box while still technically being a Windows app. Anything that anyone happened to do with it that might have been productive is merely coincidental.



  • @Shoreline said:

    Me: Regrets not burning down his house

    Found the problem!



  • @TheFrustrated said:

    The Login page asks for Username, Password and Client ID. It doesn't prefill with the Client ID you just entered on the last page. No biggie but just feels slack.

    This is my #1 beef with "Forgot Password" links. If I just entered a valid username/email, what is the reason that can't be used?

    @TheFrustrated said:

    Just to top off the Forgotten Password page, 3 tries and you account is locked until the Payroll Officer unlocks it. So it locks your account because you're trying to use a broken system. I have had their developers defending that the Forgotten Password page doesn't work as the Payroll Officer can reset your password. Why have it there if it doesn't work and you don't care! I'm betting for a feature tickbox exercise.

    This is especially fun when they also truncate your password without mentioning it, but inconsistently, so that you're allowed to enter your 64-character password (of which only 20--WHY FUCKING 20?!!?--characters are actually saved, probably in plaintext) when setting a password, but when you try to log in, you're SOL.

    I remember when I noticed AOL didn't bother with anything after the first n characters (at first 8, later 20)... I was gobsmacked. If anything was well worth the extra transfer even at sub kilobaud speeds, you'd think it'd be a password.



  • @VaelynPhi said:

    This is especially fun when they also truncate your password without mentioning it, but inconsistently

    Yeah, I've posted before that I have this problem with one particular website. I comply with their stated password requirements, and it accepts my password when I set it, but not when I try to log in, necessitating a reset.


  • Discourse touched me in a no-no place

    @VaelynPhi said:

    This is my #1 beef with "Forgot Password" links. If I just entered a valid username/email, what is the reason that can't be used?

    Because 1) nobody else does and 1) that would require originality of thought.

    @HardwareGeek said:

    Yeah, I've posted before that I have this problem with one particular website. I comply with their stated password requirements, and it accepts my password when I set it, but not when I try to log in, necessitating a reset.

    My bank's website for my car loan was annoying, with lame restrictions on reusing passwords. Eventually I got sick of dealing with it and just started requesting a password reset every month; it was easier than remembering what my password was.



  • @FrostCat said:

    Because 1) nobody else does and 1) that would require originality of thought.

    1and1MyComment.com


  • Discourse touched me in a no-no place

    @chubertdev said:

    1and1MyComment.com

    I guess you didn't notice lately I've been using absurd numbering conventions in defiance of Discurse.



  • @cdosrun1 said:

    A webapp that requires admin rights...

    That reminds me...

    If it's not a WTF, somebody needs to explain to me why giving a mailserver the ability to erase all my phone's data is not throwing caution to the gaping maws and grinding teeth of tentacular mixed metaphors.

    As you might have guessed, I didn't set up this particular mail service on my phone.


  • Discourse touched me in a no-no place

    @Shoreline said:

    If it's not a WTF, somebody needs to explain to me why giving a mailserver the ability to erase all my phone's data is not throwing caution to the gaping maws and grinding teeth of tentacular mixed metaphors.

    It's generally a corporate function/facility:

    http://technet.microsoft.com/en-us/library/aa998614(v=exchg.150).aspx



  • @PJH said:

    It's generally a corporate function/facility.

    Ahhh. Corporate security. I guess that just means no hooking up my personal phone to the company mailserver.


  • Discourse touched me in a no-no place

    That's the usual way round it, yes.



  • I guess it's the default, even.

    I mean, when I tried to connect my Android phone to my university's Exchange server, I got the very same prompt.


  • FoxDev

    @Rhywden said:

    I guess it's the default, even.

    not the default for Exchange, but i've yet to meet an admin of an exchange server that wouldn't turn it on. I think it's even a question that the installer asks.

    and hell for all i know they did make it a default in the latest exchange version (i havent dealt with that one yet)



  • Well, I myself declined to avail myself to that particular service.

    I mean, I knew the IT guys there (we clashed with them from time to time) and I wouldn't trust my personal data to guys who are implementing an id-field in MySQL in a very ... unique way.

    I saw one of the tables they were using to implement a university-wide linking of students to dorm rooms / clients. The table had an id-field and a uid-field. The id-field was UNIQUE and AUTOINCREMENT but wasn't used anywhere, Instead, they used the uid-field, which wasn't UNIQUE and AUTOINCREMENT.

    But how did they ensure that the uid was indeed a unique id (because that's what the "u" stood for, after all)?

    Easy: First a "SELECT biggest_uid FROM Students LIMIT 1 ORDER BY uid DESC;" followed by a quick increment in PHP which then resulted in a "INSERT INTO Students (uid, name) VALUES (biggest_uid+1,student_name);"

    And no, they didn't lock the table or something beforehand. And since the whole thing was based on self-signup, you can guess as to how unique those uids really are. Granted, it didn't happen often... but still.


  • Fake News

    @Shoreline said:

    Ahhh. Corporate security. I guess that just means no hooking up my personal phone to the company mailserver.
    Or get a phone that has a firewall (at the hardware level, no less) between corporate and personal stuff. Who's that? It's that one company that everyone thinks is going bankrupt.


  • Discourse touched me in a no-no place

    @Rhywden said:

    Easy: First a "SELECT biggest_uid FROM Students LIMIT 1 ORDER BY uid DESC;" followed by a quick increment in PHP which then resulted in a "INSERT INTO Students (uid, name) VALUES (biggest_uid+1,student_name);"

    Ohh - hello!:

    http://what.thedailywtf.com/t/getting-badges-twice/4108/15?u=pjh



  • @Shoreline said:

    If it's not a WTF, somebody needs to explain to me why giving a mailserver the ability to erase all my phone's data is not throwing caution to the gaping maws and grinding teeth of tentacular mixed metaphors.

    Outlook Web Access gives you the ability to wipe your own phone remotely, so it isn't entirely corporate security. This could come in really handy of it gets stolen.


  • area_deu

    Luckily there are alternatives like MailWise (that app of course has its very own share of WTFs, but still) that can ignore all that remote control shit Exchange wants and just reply "yeah yeah, the user agreed, give me teh mails already".



  • @Jaime said:

    Outlook Web Access gives you the ability to wipe your own phone remotely, so it isn't entirely corporate security. This could come in really handy of it gets stolen.

    That's cool. It looked suspicious from the personal phone -> someone else's mailserver angle.

    I can probably wipe my phone from my samsung account if I find the password (which is hopefully still the same length as the one I put in :O ). Not that I want to, but y'know... if it gets stolen.

    I'd rather fuck with the thief first, but whatever.


  • Discourse touched me in a no-no place

    @Shoreline said:

    Not that I want to, but y'know... if it gets stolen.

    Encryption (inc external SD card) + phone lock with a 16 character password is sufficient for me for that instance.


  • Grade A Premium Asshole

    Seriously? You enter a 16 character password whenever you want to use your phone??


  • Discourse touched me in a no-no place

    Yes.

    Well there's a timeout between the screen going off (confiurable up to 30 minutes) and being required to re-enter the password, But if it's not been used for a while, yes, I have to enter a password.

    Takes about 3-4 seconds, which - from observation - appears to be less time than it takes my less tech-savy peers to enter their pretty patterns:

    http://www.careace.net/wp-content/uploads/2011/11/lock-screen-pattern.png



  • I warned someone off setting up their iphone to wipe if somebody failed the password 10 times.

    They eventually agreed, after I pointed out to them, that if they're drunk (not impossible), and their friends were drunk (also not impossible), and didn't know it was set up to wipe after 10 failed attempts (still not impossible), only one person needs to pick it up when the owner isn't paying attention and patiently try to crack the password.

    Didn't learn the hard way = win, IMO.


  • Grade A Premium Asshole

    You mean the patterns that you can usually guess by the smudges on the screen? Yeah, that has always been psuedo-security to me. Especially so for females as their makeup foundation leaves a nice film on the screen. (Now I have been labeled an MRA...)

    I tend to rely on the fingerprint swipe on my S5, with a backup password that is 12 semi-random characters. I never have to enter the password though, unless I am drunk and cannot even swipe in a straight line.


  • Discourse touched me in a no-no place

    @Intercourse said:

    You mean the patterns that you can usually guess by the smudges on the screen?

    I did say less tech-savvy.

    @Intercourse said:

    I tend to rely on the fingerprint swipe on my S5

    Relevant. Don't use fingerprints as surrogate passwords. Surrogate usernames at best.


  • Grade A Premium Asshole

    @PJH said:

    Relevant. Don't use fingerprints as surrogate passwords. Surrogate usernames at best.

    Honestly, that does not concern me that much. If I were going up against hardcore hackers, then I would. But there is a concept such as "good enough security". Some people take security to the extreme. I just like to remember the old parable about the bear and the campers.

    Two guys are camping when they hear something outside their tent. They look out and see a bear nosing through their food. One of the guys starts to put on his running shoes when his fellow camper says, "You can't outrun a bear!" He replies, "I don't have to outrun the bear. I just have to outrun you."

    In the time that a petty thief is not taking to find a high resolution 3D printer to produce a negative mold to make a surrogate fingerprint, I can easily change my GMail and Google Apps passwords and have my phone wiped. Makes more sense to me than having to enter a long, random password every few minutes. In your case, if someone swipes your phone within 30 minutes of you putting it down, all they have to do is keep it from sleeping and they have full access.

    To each their own though.



  • @Shoreline said:

    Ahhh. Corporate security.

    Just found a bit of that on one of the school laptops this evening. Was trying to track down a completely unrelated problem by using Wireshark, and found this thing hammering our proxy server with thousands of unsuccessful POST requests, each of which failed with a 407 error (it's an authenticating proxy). This is a laptop that I prepared the Windows image for myself, starting from known clean plain vanilla MS installation media.

    Couldn't find any malware with my usual kit of scanners. Interesting, I says to myself, looks like one of those experimental things I've been playing with installing today has gifted me with a little rootkit.

    But no! A bit of whois and googling later, I find that Acer has sold me a crop of laptops with corporate "security" malware baked into the BIOS. Nice.

    Fortunately, being very enterprisey malware, it's ridiculously fucking easy to nobble in the startup script even though they don't actually provide an official way to turn it off (no doubt for security reasons).



  • That's disturbing. Fortunately, AFAICT my Lenovo work laptop doesn't have this.

    I would like your post, but Dicsores says I can't do that for another 4 Discohours, so have a + 🍌.


  • BINNED

    @Intercourse said:

    psuedo-security to me.

    You can use it to keep your wife and the kids out ... for some time


  • Grade A Premium Asshole

    My boy is almost 3. If he figures it out, I better watch out.

    As for the wife, she is more likely to break it than to break in to it. She has a way with electronics...


  • Discourse touched me in a no-no place

    @Shoreline said:

    I guess that just means no hooking up my personal phone to the company mailserver.

    That would be a good idea. If you need your work email on your phone--why, God, why?--then use OWA instead.

    If the company insists you should be able to read your work email, they should either provide you with a phone or pay for part or all of your phone bill.


  • Discourse touched me in a no-no place

    @PJH said:

    Takes about 3-4 seconds, which - from observation - appears to be less time than it takes my less tech-savy peers to enter their pretty patterns:

    They're probably doing it wrong, then. I can swipe my pattern pretty fast.

    At some point I'll probably get rid of it anyway in favor of a passcode, because supposedly Google can reset/bypass a pattern lock for the cops but not a passcode.


  • Discourse touched me in a no-no place

    @Intercourse said:

    You mean the patterns that you can usually guess by the smudges on the screen?

    I deliberately make extra random patterns on the phone after unlocking it.

    @Intercourse said:

    I am drunk and cannot even swipe in a straight line.

    There's an obvious alternative here.



  • @FrostCat said:

    If the company insists you should be able to read your work email, they should either provide you with a phone or pay for part or all of your phone bill.

    That sounds great... But, some of us sell ourselves as people who will do the responsible thing for the benefit of the company. I don't mean that I jump every time my phone beeps, but if I need to be involved, I'm almost always there. It's worked out for me, I had one job where the company went from 127 technical staff down to 7 before closing the doors. I was the second highest paid, but they kept me on until the end because they thought I was worth the extra money.

    Some jobs paid my phone bill, some didn't. Either way, it was only a rounding error in my yearly pay. No need to stand on principal over something so small.


  • Discourse touched me in a no-no place

    @Jaime said:

    No need to stand on principal over something so small.

    That's easy to say before someone accidentally wipes your personal phone.



  • Buy TouchDown and it can't happen. They will only wipe the container with the corporate email in it.


  • Discourse touched me in a no-no place

    @Jaime said:

    Buy TouchDown and it can't happen. They will only wipe the container with the corporate email in it.

    Well, that's certainly a solution. I think I'd rather insist the company buy me a phone.

    Fortunately it's never come up--the one time it might have when I was doing on call, and there was a company-supplied Blackberry, which I didn't use at all except for taking support calls.



  • @FrostCat said:

    supposedly Google can reset/bypass a pattern lock for the cops but not a passcode.

    Unless that passcode is used to encrypt the contents of the phone I don't see how that's possible.


  • Discourse touched me in a no-no place

    @another_sam said:

    Unless that passcode is used to encrypt the contents of the phone I don't see how that's possible.

    My understanding is that when cops snoop your phone, they don't actually bypass the encryption. If you don't have a pin on obviously the entire phone is open to inspection. So if Google can remotely reset a pattern lock, obviously a pattern lock isn't actually a lock.

    I'm just going on a comment or article I read somewhere; I have no idea if it's true and am too lazy to research it.



  • @FrostCat said:

    My understanding is that when cops snoop your phone, they don't actually bypass the encryption

    If they want your phone calls and text messages they don't even involve your phone, just the phone company. If they want the data and it's encrypted, they have to break the encryption.

    @FrostCat said:

    So if Google can remotely reset a pattern lock, obviously a pattern lock isn't actually a lock.

    Yes, now replace "pattern lock" with "passcode". I don't see how a passcode is different.


  • Discourse touched me in a no-no place

    @another_sam said:

    If they want your phone calls and text messages they don't even involve your phone, just the phone company. If they want the data and it's encrypted, they have to break the encryption.

    True, but many stories suggest they just open your phone if you get arrested and troll through the whole thing. A lock they can't bypass is an obvious barrier; if you cared at all about keeping people--not just cops--out of your phone, you don't want something that can be broken.

    @another_sam said:

    FrostCat:
    So if Google can remotely reset a pattern lock, obviously a pattern lock isn't actually a lock.

    Yes, now replace "pattern lock" with "passcode". I don't see how a passcode is different.

    Neither do I, unless they just didn't do it.

    FWIW: https://support.google.com/nexus/answer/3388218?hl=en

    for pattern locks only, you can reset the pattern lock by signing in to your google account again; other methods require a factory reset.



  • @FrostCat said:

    True, but many stories suggest they just open your phone if you get arrested and troll through the whole thing

    That would be part of the same search of your pockets, bag, car, etc that is performed on arrest. The swipe lock will stop that just as well as the passcode.

    @FrostCat said:

    for pattern locks only, you can reset the pattern lock by signing in to your google account again

    The cops don't have your Google password and can't (legally) force you to unlock the phone in any case.


  • Discourse touched me in a no-no place

    @another_sam said:

    The cops don't have your Google password and can't (legally) force you to unlock the phone in any case.

    No, but reports from places like Ars Technica are that if you get arrested they will attempt to unlock your phone and troll through everything without bothering with the niceties of a warrant.

    A lock they can't easily undo is a deterrent to that and should be used on general principles.



  • @FrostCat said:

    No, but reports from places like Ars Technica are that if you get arrested they will attempt to unlock your phone and troll through everything without bothering with the niceties of a warrant.

    If you are arrested they don't need a warrant to search you and whatever you have on you.

    The only thing I don't understand here is: Why is a passcode better than a swipe lock? Cops can't (legally) break either.


  • Discourse touched me in a no-no place

    @another_sam said:

    If you are arrested they don't need a warrant to search you and whatever you have on you.

    This is not settled law. Cops are doing it because modern-day cops assume they can do whatever they want. Courts are beginning to say "wait a minute."

    When phones were dumb there wasn't much on them. Now, they can have all sorts of things. It's closer to rummaging through your house than looking at the post-it notes in your pocket.

    @another_sam said:

    Why is a passcode better than a swipe lock?

    Because apparently it's possible to turn off a swipe lock but not a passcode.


Log in to reply