Should I apply for job with a company ...



  • That I know stores plaintext passwords in the database? It's just asking for heartbreak, isn't it?


  • kills Dumbledore

    Is the job security consultant or pentester?



  • The one a recently left and my current one do it. It certainly is a major point against them, but one fault shouldn't be enough to rule them out.



  • The point of "wtf" is to point out less than desirable ideas.

    As far as finding companies that have less than desirable ideas, welcome to the real world.

    You need to ask yourself what motivates you and what keeps you happy.

    For me, it's being with co-workers that support me. So, I chose a job that's less desirable in the :wtf: department, but full of good people. This came after I left a company that was fixing every :wtf: they could find, but didn't understand how to motivate people, and threw me under the bus.


  • FoxDev

    that's a red flag, yes. but is it the only red flag? is it something that they know about and are planning on fixing or is it a "whatever, code this now" sort of thing?



  • @accalia said:

    "whatever, code this now"

    Even good companies will have these.

    Is everything like that? is a better question.



  • Hell, where I work we don't even do that for our local test accounts (normally our sites are accessed from a Single Signon server).



  • @powerlord said:

    Hell, where I work we don't even do that for our local test accounts (normally our sites are accessed from a Singleton Signon server).

    I read this....


  • FoxDev

    @xaade said:

    Even good companies will have these.

    true, but when they do that when confronted with security issues it's a bit of a red flag.

    that being said i did get to sit through a "WE GO HAXXED AND IT'S YOUR FAULT ACCALIA" meeting last week and come out of it without any egg on my face. (I had warned the company about the security risk about six months ago, and was told not to waste my time on that. I asked for those instructions in writing and saved them)



  • QA has its own single signon server, so its not a Singleton. 😛



  • Again, it sounds like the experience was about working with bad people.

    Honestly, I can boil it down to bad people everytime.

    But which would you rather, bad people that make bad programming mistakes (which you can fix), or bad people that throw you under the bus (which you will never fix).

    Again, this is my priority and my take on it.

    Someone may be more happier being able to code correctly, and people be damned. (Throw me under a bus, fire me, who cares, just don't make me store passwords in plain text).



  • So...

    The Single Sign-on servers could be provided by a

    Singleton Single-Sign-On Server Factory.


  • FoxDev

    @xaade said:

    Again, it sounds like the experience was about working with bad people.

    not so much. more i got caught in a power struggle between WEB and IT.

    i just played my cards and pointed out that WEB had explicitly said in writing that i was not to perform any more security work on "their" servers. IT responded by telling WEB that their servers were 100% under WEB's control and IT would be doing no more maintenance on them.....

    then when it hit the fan WEB tried to blame IT.

    it did not end well for WEB. my boss bought me a drink at the bar later though.



  • @accalia said:

    power struggle

    bad

    @accalia said:

    WEB and IT

    people

    😄

    @accalia said:

    my boss bought me a drink at the bar later though.

    Seems like you work with good people though.


    Again, all perspective.

    My point to the OP, is can you find something at the company that matters more to you. If not, then don't take the job.


  • :belt_onion:

    My boss told me just last week "We don't have time to be paranoid about this. I'll update [openssl] the next time we need to do a server reboot. We can't spend this much time worrying about this kind of stuff"

    Aside from this, it's a very good place to work - small business, I like everyone on the team, and we're pretty obscure so I'm OK with this. Just make sure you've got your bases covered and that you've done everything you can to prevent a hack


  • FoxDev

    @xaade said:

    bad

    yeah, politics are never fun. Forunately i know how to deflect most of the shit upwards without actually looking like that's what i'm doing. it's a good skill.

    @xaade said:

    Seems like you work with good people though.

    this we can agree on without question!



  • @accalia said:

    it's a good skill.

    So is the skill to get 3rd parties to do what you want them to do, by painting them as stupid in front of the client, without actually looking like that's what you're doing.

    That's my skill, and it saved the company $$$.


  • FoxDev

    @xaade said:

    So is the skill to get 3rd parties to do what you want them to do, by painting them as stupid in front of the client, without actually looking like that's what you're doing.

    the real trick is to get the client to understand you're painting the 3rd party as idiots while making the third party think you are praising them as heros.

    hard to do, but worth it if you can master it. ;-)



  • That's what I pulled off.

    I've spent a lot of time trying to reconstruct how I did it, so I can write a book on it and make money.


  • FoxDev

    @xaade said:

    I've spent a lot of time trying to reconstruct how I did it, so I can write a book on it and make money.

    I've found a lot of it is vocal tone, and staying on the call after the 3rd party has rung off to talk to the client afterwards helps. generally is better not to talk to the client ahead of time. they're not always good poker players.



  • If I remember correctly

    1. Mention what they did in positive tone.
    2. Mention what they could do to make it more awesome in a positive tone.
    3. Mention what work would be like if they didn't be the hero and do the really awesome thing.
    4. Mention what the cost of doing it on your side (without all the relevant information they have access to).
    5. Mention what really awesome thing you'll do next.
    6. Repeat what they did in a positive tone.

    Then let them talk and make themselves look really stupid.

    My poker face is acting like I don't have a fucking clue what I'm doing.

    Works for the first X rounds. But that's usually enough rounds to get me through a project.


  • FoxDev

    hmm... that's a good plan as well. and the key part in poth plans is basically the same. make them put the egg on their own face. ;-P


  • Winner of the 2016 Presidential Election

    I had to pull off something similar recently. My company had recommended another developer to a loyal client for a certain project, as we didn't want that particular project for reasons. The other developer did ok, but produced a shitty UI. And since the project was an Android app intended for the masses, that was pretty bad.

    So an emergency meeting was held. My job was to convince both the outside developer and the client that he should let us do the UI while continuing to develop the rest of the project on his own. So I basically had to tell him his UI was crap and that we'd do a much better job than him without making him look bad in front of the client. Bonus: The other developer had a lot more experience and was about 20 years older than me, which made it even harder to do so without insulting him.

    Judging from how much I sweated during that meeting, I must have lost about five pounds in two hours that day. But I managed to convince both parties to let us do the UI and only the UI. Me and my boss got pretty drunk that night.



  • On the condition that you are allowed to fix it within 1 month of hire date.



  • Bah! There are WTF's everywhere. If you're not responsible for this, don't worry about it. If you'll be responsible for it, then do as Blakey says.



  • Wow, I wasn't really expecting serious answers ... but thanks for the input, everyone. It looks like the job would be on an entirely different product (which no doubt has its own WTFs); so yeah, I guess I'll keep it on the list.


Log in to reply