Sounds Awful
Sounds awful - but isn't that pretty much how the whole software-as-a-service thing, and indeed the automatic-update thing of today works? You will be updated, whether you like it or not...
If it's Monday, then it must be time for another jaunt to the hallowed confessional of Who, Me? where Register readers confess their, or their co-workers', deepest darkest sins. Today's story concerns the acquaintance of a reader. Having stuck a hand in The Register's big bag 'o pseudonyms, we shall call the miscreant "Ron". …
But why would anyone sell me software that is broken or can't do what it says on the side of the box it came in?
And why would anyone update software they sold me that was working properly?
I begin to suspect that the entire post-internet software business model is fundamentally flawed.
Tsk! Late binding, dynamic linking and silent downloading, eh?
I begin to suspect that the entire post-internet software business model is fundamentally flawed.
FTFY
The difference pre-internet was that you might never actually get patches for the broken stuff you bought until you bought the newly released version.
Only if you insisted on running your enterprise on toy computers.
When I took my first look at a DEC Alpha after being spoiled by years working on 1100/2200 series Unisys machines I was appalled that the man pages listed known bugs in commonly used utilities - that were 20 years old by that point. Even ICL (bless their oft-darned cotton socks) could do better than that.
It was the push to internet-enabled updating that fueled the "ship any old crap and fix it in 1.1" attitude that is the standard operating procedure of all software companies, it seems.
It was dynamic linking that enabled and continues to enable the malware merchants who can change the fundamental way one's legacy software works overnight with no warning they have done so.
It is late binding that makes all this easier when using the hated Javascript, which can so easily become the slim-jim that cracks open the doors of your computer so the evil doers can have a good root around before crapping all over the seats.
Hello. Welcome to IT. I see you're new here.
It's theoretically possible that at some time, someone, somewhere has sold someone a piece of software that wasn't broken, but I've never heard of such a thing and frankly I doubt if it's ever really happened.
Integrity
Fail fast, fail often. Except when you're dealing with transactions that must not fail and must have integrity.
People have gone to prison for "working around the technology" in the regulated industry, if you change the software when you're not permitted, go straight to jail, do not pass go, do not collect £200.
"What is this "must" you speak of?"
Not really a "must".... but.... "'just another requirement', no less negotiable than every other requirement in the spec" is bollocks. There's always requirements that are more important than others. For example in a banking system, the requirement for transactions to 'never fail' is clearly (to anyone in IT) impossible. However the requirement for a success rate in the very high 9s and a logging/flagging procedure for failures would probably be a non-negotiable requirement, while the colour of the screen terminal is certainly negotiable.
My wife needed Windows 10 only to run a single sign on security application so we find an unused Genuine Windows HDD and install it on an old laptop. We had forgotten the Windows Experience:
Which is One of:
Fire up the thing from sleep, for a quick check before going to work, then some 45 minute update kicks in because Windows-Internal stuff is always more important than our work.
Fire up the thing, for a quick check before going to work, then some upgrader process flatlines the CPU and HDD for about 25 minutes because, Obviously, there are priorities and then there is you.
Good thing that most people working with Windows still get paid while the OS is generating internal heat or the economy would suffer.
Let us not forget the "initiate Windows shutdown because I have to leave to catch a flight, and Windows decides to start installing updates, and You Must Not Turn Off The Computer for the next half hour while it does that idiocy".
Thank the gods there's an option buried somewhere (Group Policy, maybe?) to disable the astoundingly stupid bit of code that changes the Shut Down menu option to "Install Updates and Shut Down".
Ron was gainfully employed performing IT functions for the equities business of an investment bank back in the early noughties. "It was," said our reader, "when Risk was still just a board game."
I can remember playing Risk on a Mac SE in about 1990 or 1991. The computer player wasn't very good.
(OK, I probably haven't interpreted that the way it was meant.)
It seemed to me that that remark, from someone working in investment banking of all industries, suggested a great obliviousness to the big picture.
If investment bankers, even in the noughties, didn't think all the time about risk, then they deserved everything bad that happened to them and so much more.
The 90's
I remember chatting to my neighbour about his job. He was basically doing IT for a financial institution, and could be called 24/7. If shit happened at the weekend, he logged in from home, some 100 miles away from the office.
I had also, coincidentally, been to a presentation by the same company the previous week. Part of which was about their IT security, and "there are no external lines with access to the system".
I'm fairly sure that the authors of the presentation thought they were telling the truth :-)
Probably were, and they had the official version. The reality of IT is that any rule is only a generality, a guideline, rather than hard fact. That is because it is IT's job to make sure everyone else can work, and nobody is interested in hearing IT say that they can't because rules.
When a manager wants something, he doesn't care about the rules, he just wants the result. So IT bends the rules because, in the end, it's always IT's fault when something doesn't work.
4 letters? Luxury! Wait, make that Security!
Worked for a multi billion US$ corporation where a mid level manager had a 2 letter user name and password. Both the same. With read access to everything and write access to almost everything.
But at least the two letters were not his initials. No, they were his department's.
A few years back, our team of engineers had separate accounts for logging onto customer systems and openly shared them amongst themselves. Took me months to highlight the practice with project teams and management turning a blind eye but eventually they were forced to stop. The result was that engineers stopped sharing user accounts but now all use the same passwords on every account. Glad I am out of there now... AC cos I'm over paranoid....
Or when IT wants something...
Many years ago, I was in a project to consolidate a number of systems onto a much smaller number of servers and deploy them to production.
I was working alongside two fellow greybeards who really knew their stuff, (and to whom I am very grateful for their advice and help on an OS of which I had far less knowledge).
FWIW, the multiple builds in production included some for which we simply had no test/dev systems so we had to build them and get them working in place.
Of course, *much* data had to be transferred between the firewalled test/dev and production networks - and we were given a DAT based system to do it by the client.
So it was tedious and introduced a lot of delay. We were very clear the project deadline (tight as per usual) was unachievable but shrugged our shoulders and just got on with it.
Until greybeard1 found by accident that he could ssh from a single test/dev server to the live system(!)
... and in the twinkling of an eye had installed a software distribution server.
... and had organised the addition of a LOT of disk to the server for the distributions and database backups etc etc
... and then told us.
Needless to say, our portion of the project's deadlines were met...
I wonder if that hole in the network is still there?
What 'IT' often fails to fully appreciate is that, when there is a breach, management will close ranks and be united in the purpose of making sure that only 'IT' will get to walk the plank over it. They will trade favours expended and received over the matter like one does Pokemon cards while the next 'IT' is installed. Readying for the next 'Big Launch', as it were.
The same goes for "Risk Management" B.T.W.
What 'IT' often fails to fully appreciate is that, when there is a breach, management will close ranks and be united in the purpose of making sure that only 'IT' will get to walk the plank over it.
Completely true, until you have several IT-staff, who have experienced that a couple of times. They will know how to cover themselves and document all requests, with double back-up for anything even the slightest irregular. When (not if) management tries to make IT walk the plank, there will be an Auto-da-fé resulting in a lot of terminally terminated careers. Been there, done that and the marshmallows tasted damned good.
That could well be true. Even here, the systems I work with for 95% of my job can only be connected to from our office's wired network. I don't usually bother taking my laptop to meetings because the few things I can usefully do with it over the wifi aren't worth having to reconnect to everything.
So when I have to fix things in the middle of the night from home, I have to remote desktop in to my office computer first, otherwise I can't do anything.
One place, I used to temporarily turn services *on* here and there. That way the auditors would happily produce an automated network report. Only if a box seemed to be too quiet would they manually check. There always used to be a finger service running somewhere in the bunch because it was funny.
I once visited a potential customer around 1990 who had an unusual request, although this didn't become apparent until I was in an enclosed room within the bowels of the organisation. They wanted the accounting program my company was a reseller for - all run of the mill stuff. But then they said that they wanted two copies. I countered that one copy would quite easily cope with the number of seats and transactions they performed each day. It was only then they informed me that they actually did twice as many transactions - half for their tracking and half for the official logs for the Tax man! And before I could blurt out a reason to leave the meeting they started outlining the front end they required to split incoming details to both the company and official (filtered) copies of the accounts.
Needless to say I left the meeting as soon as possible "to discuss the detail with my boss". Whilst I was recounting the meeting to the company owner, he was called by the accounts software authors, who warned us not to go to said customer as they had already reported them to the authorities after they had been in to see them on the previous day!
I used to know someone who wrote POS software for a small distributed industry in the US with about 200 clients. Every year he had a client meeting to discuss features and problems.
One year he was asked if it was possible to modify the software so that every 5th (say) transaction wouldn't be logged.
He then pointed out that were he to do that, there would be 200 points at which it might get picked up by the IRS, and catching one would result in tax inspections for the entire 200, with him going to jail.
They backed off.
Some years ago, in Spain, most locally developed POS software had a special "training mode" where transactions were not recorded. One day the tax authorities did a major sweep and shut down hundreds (if not more) shops until they acquired new, properly certified, software (oh, did I mention the fines... those hurt).
I remember reading of a case in the UK, probably in the 90s, where the directors of a small software house were jailed after selling customers an accounts package that contained two sets of books, the real (hidden) ones, and the ones sent to the Revenue.
The one I'm familiar with was in the '80s (courtesy of a close contact in the Customs & Excise computer investigation branch).
An Apple II accounting package was found to have a backdoor .. log in with the regular password and accounts were clean, but append a value, e.g. password10, and that percentage of transactions would be 'lost'.
IIRC the program was written in BASIC, so once suspicions were aroused it wasn't too difficult to find out what was going on.
In the early 90s, I worked with a girl who ran a husband and wife accounts software house in East London.
None of that '2 sets of books' nonsense for them. A simple electromagnet pair, one disguised as a very heavy and secure lid for their floppy storage case, the other housed in a drive bay in the PC, flicked on by a single desktop switch that could be yanked off the desk, pulling the cables with it, and chucked in the bin when the Excise Men came a callin was quite possibly the reason why she never turned up for work one morning.
I was once pulled into the CEO's office of the biggest privately-owned IFA in Scotland by his PA who wanted me to take a client's signature on one document, scan it, clean it all up and make it sparkle, and then print it onto a Power of Attorney declaration.
"It's all above-board - we've got his permission to do it."
I pointed out that there was no way I was going near that document, and there was no way they could make me go near that document. Then I left the room and got back to proper work that my conscience could cope with.
Back in the 80's, I used to sign my name hundreds of times a day on busy days, now once a month? I was shocked when I checked my old passports against my current one, my sig has changed substantially. I can see I don't really care what my sig looks like anymore.
Especially in Scots law before 1995 where a signature was not what we'd normally call a signature unless accompanied by something else.
It's more than 30 years since I had experience of this, but I vaguely remember something about "holograph", something about a signature is only valid if the document is also in the hand of the signature, so signing a printed document does not have any legal effect unless accompanied by additional words by the signer so there is more than just the signature in the signer's hand.