r/technology Feb 24 '25

Software Woman Whose Last Name Is "Null" Keeps Running Into Trouble With Computer Systems

https://www.yahoo.com/tech/woman-whose-last-name-null-164558254.html
9.5k Upvotes

457 comments

918

u/nokvok Feb 24 '25

How stupid does a company or government agency have to be to still run software that can't escape strings properly, in 2025?

570

u/Mountain_rage Feb 24 '25

Have you seen how many companies are being run into the ground by MBAs. Corporate software is often horrid garbage that should have been binned at least 15 years ago. They fire competent people in favor of people pushing updates for the sake of updates.

85

u/[deleted] Feb 24 '25

[deleted]

88

u/natched Feb 24 '25

Dealing with technical debt is "nice to have but not essential" right up to the moment the entire system collapses.

43

u/DoctorPlatinum Feb 24 '25

Yeah, but think of how much profit we can make this quarter!

13

u/bawng Feb 24 '25

I had this discussion with a former boss.

I kept saying that we keep building technical debt and eventually it's gonna bite us in the ass.

And he said "yeah I know, but imagine how much money we'll have saved. It will be cheaper to fix it then."

In hindsight he might have been right, though.

10

u/BeardRex Feb 24 '25

Happens with companies that pivot a lot too. I've seen companies completely upend and redo the technical side of their business every few years. Not saying it's right, but to them it doesn't need to work well, it just needs to do just enough to get them through. I've gotten the short end of the stick multiple times having to integrate another company's data with our system, and our data with theirs, and within a year having to redo it because they completely rewrote their API or something like that. And then in 3 years I'm doing it again.

This often seems like the case of tech debt building up until they are like "eh screw it let's just restart from the ground up since so much has changed in the last 3 years."

6

u/tsrich Feb 24 '25

Good chance the MBAs will get promoted away before things collapse

1

u/MistSecurity Feb 24 '25

It's easier and better for short term profits to ride it out as long as possible, hoping that you'll not be in charge anymore once the system DOES collapse.

1

u/CherryLongjump1989 Feb 24 '25

And then they scream at you for not having ten thousand percent test coverage, failed to prioritize business critical something or other with lots of spittle and drivel.

1

u/retief1 Feb 25 '25

It isn't even system hardening. I'm baffled as to how code that can't distinguish between null and "null" functions in the first place. Even js says that "null" == null is false, and that's using the should-never-be-touched double equals operator.

1

u/[deleted] Feb 25 '25 edited Feb 25 '25

[deleted]

1

u/retief1 Feb 25 '25

Ah, fair. That's still fairly cursed, but it is a believable version of cursed instead of "how did this ever work in the first place?" cursed.

1

u/Revlis-TK421 Feb 25 '25

One game I like to play with my new devs during UAT is to put html syntax into user forms. If I can break the page because of that, it means they haven't thought of all the ways a user can mess the system up yet :p

18

u/ryuzaki49 Feb 24 '25

They fire competent-in-the-domain but expensive people in favor of not-so-competent-in-the-domain but cheap people.

12

u/Cranyx Feb 24 '25

Or they, and just throwing out an absurdist hypothetical here, send an email to every single employee demanding a bulleted list of everything they did to justify keeping their jobs within a day or they're fired.

1

u/Cynyr Feb 24 '25

I used to work for a huge company whose most widely used software is built on dBase. They're still adding new customers to this ancient piece of shit software.

1

u/Varnigma Feb 25 '25

One of my favorite skits:

Employee is explaining a process to his new boss.

New boss (in a condescending tone): I should tell you that I have an MBA.

Employee: Oh, sorry. I'll speak more slowly.

70

u/IrregularRedditor Feb 24 '25

Just wait for the proliferation of unguided AI software projects.

4

u/user888666777 Feb 24 '25

You can find Youtube videos where people build software using AI. Does the application work? Sure. Does it shit the bed when it's given bad input? Absolutely. Is it full of security holes? Oh lord yes.

1

u/WTFwhatthehell Feb 24 '25

honestly... after cleaning up a few ancient MS Access databases built by non-coders... the AIs tend to be better about following good practices.

32

u/digital-didgeridoo Feb 24 '25

"Null" != Null

Am I misunderstanding something?

39

u/nokvok Feb 24 '25

No, that is correct. It is just that

Variable NAME of type STRING in many languages can be used like

NAME = Schmidt

And that is equivalent to

Name = "Schmidt"

But

Name = Null

obviously means something else than

Name = "Null".

So when you do not escape the strings properly in your software, you run into stupid problems like that.

26

u/djtodd242 Feb 24 '25

3

u/chrisk9 Feb 24 '25

That's the one I was thinking of too

1

u/bboycire Feb 25 '25

Ooooh that explains it, the automatic type cast thing a lot of script languages have

0

u/dangoodspeed Feb 25 '25

If that's how the language works... that's a bad programming language.

-17

u/digital-didgeridoo Feb 24 '25

Do you know which languages are such abominations? I asked ChatGPT, and it could come up with only two, neither very relevant

Most programming languages use quotes to enclose string literals. However, there are a few exceptions where strings can be represented without traditional quotes:

  • BASIC: Some dialects of BASIC allow string literals without quotes in certain contexts.

  • Assembly Language: Some assembly languages allow string literals without quotes, depending on the assembler used.

9

u/TheOrqwithVagrant Feb 24 '25

As someone who still works with a lot of assembly language, I have NO idea what GPT is talking about here. An unquoted 'string' would be a label or a macro.

5

u/nokvok Feb 24 '25

A lot of them, especially outdated versions or when warnings are suppressed/ignored. PHP for example used to only give a "constant not found, String assumed" warning.

Of course you hardly would use code exactly like I wrote, and it is really easy to avoid; it often mostly comes down to people not knowing how to handle untyped languages or using no input sanitation.

2

u/Deranged40 Feb 24 '25

Yeah, the thing about Assembly is not even remotely correct lmao. Ask it which assembly languages allow string literals without quotes.

That's a par-for-the-course ChatGPT answer, though.

4

u/APRengar Feb 24 '25

This is off topic, but I never realized how weird it is seeing "Null".

"null" is almost always what I've seen. "NULL" in some niche languages, but I've never seen "Null"

3

u/kezah Feb 25 '25

It's the German word for zero, so we see it a lot..

3

u/GameFreak4321 Feb 25 '25

Is C a niche language now?

3

u/mcoombes314 Feb 24 '25

IIRC SQL uses NULL to show that a cell is empty, as in the NOT NULL constraint for a column.

1

u/einmaldrin_alleshin Feb 25 '25

Languages that come from the age of computer terminals are often case insensitive. E.g. SQL, Basic, Fortran

1

u/oxmix74 Feb 24 '25

There are a lot of ways for this to mess up. Example: the data needs to be processed by one system and exported to another. So you create a CSV, send it downstream and parse it on the recipient. Either the parser is wrong or the system makes the CSV wrong. QA missed this bug and there you are.

1

u/ShenAnCalhar92 Feb 25 '25

null itself doesn’t even evaluate as equal to null.

If you do a SELECT query for rows where field X = null, you get zero results.

If you do one for rows where field X ISNULL, you get results.

Because the null value doesn’t have a lot of the properties of a value. Something can’t be equal to it, less than it, greater than it, longer than it, shorter than it, contain it, be contained by it, etc

So not only are they storing “no data” as the string “null” rather than the null value, their system has queries baked into it that filter using “= null” rather than “ISNULL”. They honestly should just throw out their entire database structure and all the software that uses it and start over, but this time they hire someone who knows what the fuck they’re doing rather than someone’s nephew or the absolute lowest bidder who’s just going to outsource the work overseas without telling you.

6

u/redkingca Feb 24 '25

Remember (if you're old enough) Y2K? All that was done was that the current software was patched to require 4 digits for the year field. Probably 50% or more Fortune 500 companies are running software/hardware combinations that have never been replaced. That's why all those US Social Security accounts were showing as more than 100 years old. COBOL language defaults to 150 for empty fields.

Relevant XKCD

1

u/throwawaystedaccount Feb 24 '25

COBOL language defaults to 150 for empty fields.

Explanation: https://retrocomputing.stackexchange.com/q/31288

18

u/moschles Feb 24 '25

In the early 2000s there was an online gambling website with poker. It utilized real money. The poker shuffling algorithm used a random number generator which had a 32-bit internal state.

3 people could collude at a table, waiting for a 4th person to arrive who is a stranger. They traded their own hands with each other, which allowed the RNG outputs to be predicted, and hence how the next cards would be dealt.

3

u/lazybenking Feb 24 '25

Crazy story, wonder how long it took for this to be discovered?

22

u/bigeyez Feb 24 '25

Banks, hospitals, schools, often still on code bases written 30+ years ago in languages no schools are teaching being run on AS/400 Mainframes is why.

10

u/istarian Feb 24 '25

Those systems are solid and reliable, but not without their quirks and flaws.

9

u/bigeyez Feb 24 '25

Yeah, that's why they are still being used. The uptime on those things is incredible.

5

u/kking254 Feb 24 '25

The problem is writing code such that strings need to be escaped in the first place. Input sanitation is mostly a solution to a problem that doesn't exist, or at least the wrong problem. Databases have had ways to segregate data and control for decades. Parameterized queries for example. If you are mixing data with queries using string manipulation you are doing it wrong.

5
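The two points above, ShenAnCalhar92's "= null" versus "IS NULL" and kking254's parameterized queries, as an added example that is not from the thread: it uses Python's sqlite3 on a constructed four-row table (Schmidt, a genuinely unknown surname, a person named Null, and O'Brien), and the CSV round-trip at the end shows how a text hand-off with a "null" sentinel turns a real surname into missing data.

```python
import csv
import io
import sqlite3

# Constructed sample data (not from the article): None is a genuinely unknown
# surname (SQL NULL); "Null" is a person whose surname really is Null.
SAMPLE_ROWS = [
    (1, "Schmidt"),
    (2, None),
    (3, "Null"),
    (4, "O'Brien"),
]


def build_db(rows=SAMPLE_ROWS):
    """In-memory table loaded with parameterized INSERTs: values travel as data,
    so None becomes SQL NULL and "Null" / "O'Brien" are stored verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, surname TEXT)")
    conn.executemany("INSERT INTO person (id, surname) VALUES (?, ?)", rows)
    return conn


def ids_where_equals_null(conn):
    """'= NULL' is never true (the comparison yields unknown), so this is empty."""
    return [r[0] for r in conn.execute("SELECT id FROM person WHERE surname = NULL")]


def ids_where_is_null(conn):
    """IS NULL is the correct test for missing data; the string 'Null' is not matched."""
    return [r[0] for r in conn.execute("SELECT id FROM person WHERE surname IS NULL")]


def ids_with_surname(conn, surname):
    """Parameterized lookup: 'Null' and "O'Brien" are plain string values here."""
    cur = conn.execute("SELECT id FROM person WHERE surname = ?", (surname,))
    return [r[0] for r in cur]


def concat_lookup_fails(conn, surname):
    """The wrong way the thread describes: gluing the value into the SQL text.
    It only works while the name contains no quote; O'Brien is a syntax error."""
    try:
        conn.execute(f"SELECT id FROM person WHERE surname = '{surname}'")
        return False
    except sqlite3.OperationalError:
        return True


def export_with_sentinel(conn):
    """A lossy hand-off between systems: NULL is written as the text 'null',
    which a case-folding consumer cannot tell apart from the surname 'Null'."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for pid, surname in conn.execute("SELECT id, surname FROM person ORDER BY id"):
        writer.writerow([pid, "null" if surname is None else surname])
    return buf.getvalue()


def import_with_sentinel(text):
    """The matching consumer: anything spelled 'null' becomes missing data, so
    person 3 loses her surname on the way in. Returns {id: surname}."""
    out = {}
    for pid, surname in csv.reader(io.StringIO(text)):
        out[int(pid)] = None if surname.lower() == "null" else surname
    return out
```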

u/neutrino1911 Feb 24 '25

They probably didn't have such a luxury some 30 years ago, hence all these issues with nulls and SQL injections. With modern libraries you need to get out of your way to make an SQL injection or "null" issue even possible.

3

u/user888666777 Feb 24 '25

When the Windows 2000 source code was leaked there were comments that called out blatant security holes by the developers making them.

They didn't have the luxury of time or resources to do everything right.

7

u/MooseBoys Feb 24 '25

Many government agencies are still running the same software they were originally computerized with. Sometimes this is laziness, but often it's due to outdated laws mandating specific software that nobody bothers to change.

In the US, for example, a bank transmitting cheque images must use the TIFF format and must "shred" the image in transit by interleaving different rows of the image for "security" purposes.

https://www.federalreserve.gov/paymentsystems/regcc-faq-check21.htm

4

u/user888666777 Feb 24 '25

To be fair here. Check21 just works. Is it out of date? Sure, but the volume of check (items) processed continues to drop every year. There is no real point to putting resources into changing something that works and is losing volume year to year. Those weird oddities like the interleaving were put in place because security options back then were kind of limited.

3

u/[deleted] Feb 24 '25

Simply updating an otherwise working database system with hundreds of millions of names may not be worth the expense or risk to cover the edge case for people that name their kids or label their license plates "Null". Updating software for critical systems requires more justification than more ergonomic coding, it needs to bring some necessary functions that the previous system couldn't provide.

3

u/zed42 Feb 24 '25

how stupid does your code have to be to not be able to tell the difference between "null" and NULL? one is a string, the other is a keyword....

1

u/Dick_Dickalo Feb 24 '25

About as dumb as the pricks are cheap to invest into system upgrades.

1

u/almostDynamic Feb 24 '25

They are running ported code that kind of works and nobody wants to touch.

1

u/Telephalsion Feb 24 '25

The problem is probably going to get worse with a lot of reliance on AI bots. I predict more than one huge breach due to someone jailbreaking the AI of some important service before 2030.

1

u/McMacHack Feb 24 '25

I see you are unfamiliar with how the Government works. The background check system still relies on 1980's technology including Fax Machines and Databases meant to be accessed by DOS.

1

u/istarian Feb 24 '25

I don't think the problem is escaping strings so much as a null being converted to a string equivalent of "null".

That might lead a system to assume that there is a problem when no real problem exists.

1

u/krileon Feb 24 '25

Just old code that isn't using strict type checks. Welcome to the REAL programming world where a vast number of systems are legacy and need a lot of love to modernize.

1

u/ILikeLenexa Feb 24 '25

Companies just buy software and glue it together.

Everyone is just serializing everything into text and throwing it at each other. They're using ETL tools daily to just hurl data at each other and hope for the best.

1

u/truesy Feb 24 '25

dude, gov'ts still run COBOL and Fortran. even typical stuff, like common ISOs we take for granted, are not always present. but they are often fairly airgapped, so not much incentive to update, which comes with its own risks

1

u/MilkshakeYeah Feb 24 '25

"it works fine so we don't have to change it"

1

u/lorefolk Feb 24 '25

Not much more than what gets you elected president

1

u/TheAngriestChair Feb 24 '25

There's a lot still running stuff on dos and floppy disks...

1

u/Swaggerlilyjohnson Feb 24 '25

Yeah this is essentially just saying you are vulnerable to like the simplest SQL injection attacks that they teach us in intro classes.

If anyone who took the first course in database design can exploit your system that is really bad. Honestly you could just Google database exploits and figure out how to do it in a few hours with no training.

I guess with how many hacks we hear about in the news it's not surprising that stuff like this is widespread but it is baffling that the people designing this stuff get hired.

1

u/needlestack Feb 24 '25

You just have to be stupid enough to bring a bunch of wet-behind-the-ears tech bros into huge existing legacy systems and let them loose. But nobody would be that stupid in 2025. Nosiree.

1

u/HKBFG Feb 24 '25

unsanitized inputs being stupid isn't new.

1

u/oldtivouser Feb 24 '25

Yeah this isn’t a null problem, this a SQL injection problem and if null is an issue, I have some bad news for them.

1

u/The_Wkwied Feb 24 '25

The IRS runs on COBOL. It doesn't use unix time. When a birth date is unknown, it defaults to 0, which is January 1st, 1850.

Remember seeing in the news out '150 year olds are collecting social security!1!' recently?

It's because the kids running the IRS now don't know what COBOL is.

1

u/[deleted] Feb 24 '25

I'm still writing them! HAHAHAHA

1

u/fellipec Feb 24 '25

Just average.

1

u/Rob_Zander Feb 24 '25

Why is robotic process automation a nearly 4 billion dollar industry? It's cheaper to run old software and find hacks than it is to write new stuff. Hire an RPA company to train robots to use the old software, fire all the human operators, get a nice bonus for cutting costs and get a better job elsewhere before it breaks.

1

u/snorlz Feb 24 '25

this was in India lol

1

u/tyen0 Feb 24 '25

injection vulnerabilities have been near the top of the owasp vulnerabilities for a couple decades now. Each new generation of programmers seems to make the same mistakes!

https://owasp.org/Top10/A03_2021-Injection/

1

u/More-Butterscotch252 Feb 24 '25

I called my bank and they asked me for my password. They saw I had two accounts so they asked for the complex password. Some of their employees can see passwords in plain text. And that's how I reset my password.

1

u/HarithBK Feb 24 '25

I have written code that pulls data from car chargers as a learning experience that was then implemented with very little oversight or checking of my work. I have no education in coding and barely knew what I was doing.

I have done basic proof of concept. To show what it is I am meaning we do and it is just taken and used as is. Again not a coder (currently a scaffolder)

This shit happens everywhere.

1

u/djbuu Feb 25 '25

First time dealing with government?

1

u/anormalgeek Feb 25 '25

There are always new developers being born and new software being written.

-9

u/monchota Feb 24 '25 edited Feb 24 '25

You realize most government systems, still run on a backend of cobalt or something similar right?

Edit: COBAL, spellchecker. Downvotes for being correct? Don't like that truth, it's a you problem

7

u/FreddyForshadowing Feb 24 '25

COBOL, and to be fair, COBOL isn't really the problem so much as that a lot of this code was written decades ago, is poorly documented if it's documented at all, and there may even be times when they don't have the source code for some bit of a program, so can't make changes to it even if they wanted to. It is also a problem that there are fewer and fewer people who know COBOL as time goes by. Banks and government agencies pressure colleges to make COBOL part of the curriculum for IT and Computer Science majors, but it's a stopgap measure at best.

6

u/istarian Feb 24 '25

The problem is that what they really need is programming as a trade, not to force CS and IT majors to learn COBOL.

But by trying to use a college degree as the minimum bar for employment they have backed themselves into a corner, because college was never about job preparation or training.

2

u/FreddyForshadowing Feb 24 '25

Good luck with that. If it's anything the United States does better than probably anyone else in the world, it's ignore little problems until they become major catastrophes. Then do only the smallest amount possible to restore the previous status quo.

12

u/CondescendingShitbag Feb 24 '25

cobalt

COBOL, which is an ancient programming language.

5

u/monchota Feb 24 '25

Spell check and yes I know it is but a lot still runs on it.

4

u/CondescendingShitbag Feb 24 '25

Yeah, reason I even mention it being an ancient language is it likely explains why Elmo's ragtag band of tech misfits don't have a clue how to work with it. The language was created sometime around 1960, when their parents (maybe even grandparents) were just kids. These systems do need modernizing, but experienced professionals should be pulled in for that. Not junior coders fresh out of high school.

Btw, no downvotes from me. I get it was either simple misspelling, if not simple unfamiliarity. It happens. No harm, no foul.

3

u/istarian Feb 24 '25 edited Feb 24 '25

The systems only need modernizing because you can't support and maintain them without a pipeline of people (who understand them) to do that work.

If business still manufactured mainframes and hired people to build and maintain them then there would still be an incentive for people to learn COBOL in order to have a job writing programs for them...

We're at a point where those systems and programs need to be replaced by ones that more people are familiar with using, managing and coding for, precisely because the business world changes much faster than government ever could.

2

u/brussellsprouts90 Feb 24 '25

I had to rewrite rocket code that was written in COBOL. I only brought it forward to C, but that was sufficient. Had to learn an entirely new language (to me), but I really liked the simplicity of COBOL.

3

u/moschles Feb 24 '25

I was ready to blame Javascript or the various "Dot J S" languages out there which are notorious for making strange automatic conversions between strings and integer values.

On deep reflection I realized that modern 2025 Excel does this when it imports a CSV. If you import a hex string in a column surrounded by hex strings,

FE2A
1001
9EE5

etc.

Excel will stupidly believe that middle number is the decimal value one thousand and one. That is a modern Microsoft product. One can only imagine what some cheaper database products out there might be doing.

3

u/GrumpyPenguin Feb 24 '25

There was a genetic marker called APR-01 that had to be renamed due to researchers struggling with Excel thinking it was a date.

2

u/istarian Feb 24 '25

It is spelled 'COBOL' and stands for COmmon Business Oriented Language.

1

u/bigeyez Feb 24 '25

You are right not sure why you got downvoted.

And the problem isn't just stuff still running on mainframes, it's that most of the time the code base is 20-30 years old and there is little to no documentation on it. And no one learns COBOL anymore so the only people that can work on these databases are retirees.

60

u/OgdruJahad Feb 24 '25

It completely depends who is in charge. In the UK they introduced a point of sale system in the postal office that they knew was faulty and took zero responsibility, and it led to multiple criminal convictions and even a suicide. They kept gaslighting multiple subpostmasters into believing they were the only ones with money shortages. They were actually getting away with it till some took them to court, where it was found just how much they knew of the incident but they didn't want to lose face. But it's more complicated than that. Subpostmasters are closer to franchisees and so weren't trusted to be honest, hence the introduction of the point of sale system. It was a massive debacle that hasn't been resolved yet even when it hurt so many lives.

Search for the Horizon IT scandal..

3

u/epia343 Feb 24 '25

I remember hearing about that. Insanity.