Access To Live: Length

I needed to check the live databases in order to investigate a bug. I had to request access by filling in a form.

There was a field to specify how long you need access for.

Sometimes, you will know you just need 1 day, but other times, you might not know how long it is going to take to complete your investigation. As the saying goes, “How long is a piece of string?”

It said on the form you can leave the date blank, and they will give 2 weeks by default. I was incredibly surprised by this.

  • A) You would think they would be really restrictive
  • B) It’s like they actually understand how you work!

I thought that would be the best option for me, so I left it blank and submitted it.

I then received an email, stating my request was incomplete and she needed to know how long I need access for before she can approve my request. 

Annoyed at Autonomy

To illustrate how awkward it is these days to do something simple… we needed to disable a button, but it’s not clear to the user why the button is disabled. I quickly put a tooltip on the control.

I knew we needed approval from the UX team who are responsible for the “User Experience”, so I emailed them.

When our Product Owner was told, she was really annoyed and started moaning that I made a decision behind her back.

A decision hadn’t really been made, I was just exploring one simple option and trying to get things done. There was always the chance that UX wouldn’t agree with it, but it’s given them context and a possible solution.

The Product Owner didn’t like the tooltip at all. I did point out that other areas of the system disable the button but don’t show a tooltip. So my button is an improvement in that we show a tooltip – at least the users know why the button is disabled.

I suppose showing a tooltip for this disabled button is inconsistent UX, but that’s why I emailed the UX team. I know the UX team tends to hate “dynamic” UIs, so they don’t like things appearing/disappearing. This isn’t something we are removing, just disabling/enabling.

After the Product Owner contacted UX, they wanted me to basically redo the dialog because other aspects don’t conform to their standards, but all that functionality has been around for years.

The bug/enhancement wasn’t actually reported by our users. It was just a Developer who decided it would be beneficial to change.

Conclusion

When there are many people in charge of deciding what work needs to get done, and many people in charge of how things get implemented, making any change is a slow process. Most things end up getting thrown on the backlog because the effort of implementing anything increases.

OpenJDK

Recently we had this slightly humorous exchange. It’s a good example of how something minor can cause confusion. Java was apparently added to the list of software we could no longer install, but it wasn’t communicated well across the department, including what the alternate plan was. So people had different beliefs of what could be done.

Apache changed the Java licence to be paid for commercial organisations. We didn’t want to pay, so we were prevented from using it.

  1. Manimozhi needs Java to run JMeter.
  2. Nandha tells him to install Java.
  3. Manimozhi says he did that previously but got told off by the DevOps team because it was unlicensed.
  4. Nandha says to use OpenJDK then since that is free
  5. Manimozhi claims it doesn’t work
  6. Nandha thinks he must be confused and tells him again to use OpenJDK
  7. Manimozhi is sceptical
  8. Matt says if it doesn’t work, then don’t use JMeter
  9. Mukesh then chimes in saying that we actually do have a licence to use Java

I don’t know if we did have a licence to use Java, but I believe OpenJDK did work.

Full conversation below:

Manimozhi
We need Java in our environment to run the J meter - to get it we have raised the ticket to IT but that seems they don't have access to the machine, so could someone guide us what we have to do to get install Java in our environment.
Thanks!

Nandha
you can install latest and compatible Java version yourself in the machine it's pretty straightforward

Manimozhi
yea , have already installed but when we did this last time we got email from devops team asking about java license and reason for installation . as Java v8 involved cost and J meter is compatible only after from V8.

Nandha
It can't work with openjdk ?

Manimozhi
no
I suspect being a Apache foundation open source project it must not have any paid dependency.
It was free before Nandha, later they have changed it for paid

Nandha
No I'm saying about jmeter
https://stackoverflow.com/questions/59269365/does-jmeter-works-on-openjdk-13
I suggest you to try openjdk first it's free

Manimozhi
ok Nandha, will check this, Thanks!
I am worried will I get error while launching, but lemme try that.

Matt
If OpenJDK doesn't work, I suggest you find an alternative to JMeter.

Manimozhi
Sure Matt

Mukesh
Java JDK was licensed now recently,

Retention Policy

After we got taken over, we were notified that our parent company has a “Retention Policy”. This sets the time after which information is permanently deleted.

This affected emails, Teams messages, OneDrive files, and SharePoint data.

Emails                  90 days
Archived emails         3 years
Shared emails           3 years
Teams personal chats    90 days
Team Channel posts      3 years
OneDrive                5 years since modified
SharePoint              1-5 years (decided via approval process)

When we were told this, we thought it was ridiculous. How many times has someone needed to dig up an old email to determine why code was written the way it was? How many times have we dug up an old Team chat to know how to fix a random configuration error that suddenly happened?

If they are deleted after 90 days, then we will lose a lot of information.

After raising concerns, we initially got pushback along the lines of “if it’s important, then it should be in a Team Channel or on SharePoint”.

But even then it can still be deleted after a length of time. 3 years might sound a lot but it soon passes by.

It sounded like there was no warning when information was about to be deleted either. It just disappears silently and there’s nothing you can do about it if you didn’t copy it elsewhere.

There was more pushback when some long-standing employees said they would have to go through 10 years of emails to decide what could potentially be useful and what isn’t. After a lot of pushback, we got the email policy increased to 3 years.

Secrets in code

Recently, we received the following message sent to the entire Software Development department from a manager:

Over the last couple of days, we have witnessed multiple instances of sensitive credentials committed into GitHub. This has been noticed by chance whilst supporting teams / reviewing PRs. Instances have included an individual’s GitHub PAT & test user account password. 

The security team are likely to enable a secret scanning tool in GitHub to help identify instances of this in future. However, this isn’t guaranteed to spot all issues and by the time it does; we are already potentially at risk. 

Please ensure that you are vigilant in reviewing your own / others’ code before committing / merging code. If a sensitive credential is identified, please ensure that this is removed and revoked immediately to prevent misuse of the secret.

I’m really surprised if multiple people have done this, because we keep talking about improving security and improving processes. Adding private keys/credentials etc. to your repository is a common cliché and is like Security Lesson 1. From the very start of the project, we have talked about having security scanners on our code.

I thought GitHub automatically scanned for credentials but it might just be for public repositories, and ours are private.

Security keys/tokens can often easily be regenerated, so the secret itself is easily fixed. However, your mistake of committing them stays in the history of the file. There are technically ways to rewrite the history, but at a massive inconvenience.
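As an added illustration of the manager’s point about catching credentials before they are committed (this is example code written for this post, not the company’s tooling or GitHub’s own scanner), here is a small pre-commit check in Python. It reads a staged diff, looks only at added lines, and flags anything shaped like a classic GitHub personal access token (the “ghp_” plus 36 alphanumeric characters format) or a quoted password/secret assignment. The diff it scans when no input is piped in is a constructed sample; the keyword regex and the redaction rule are assumptions to tune for your own code base.

```python
"""Minimal secret scanner for a staged diff, intended as a pre-commit check.

Usage:  git diff --cached | python scan_secrets.py
Exits non-zero when an added line looks like a credential.
"""
import re
import sys
from typing import Iterator, List, Tuple

# Detection rules, applied in order; the first rule that matches an added line wins.
# The PAT rule follows the classic GitHub "ghp_" + 36 alphanumeric format; the
# assignment rule is a generic heuristic (an assumption, adjust it for your code).
RULES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

Finding = Tuple[str, int, str, str]  # (path, line number in new file, rule, redacted line)


def added_lines(diff_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, line_no, content) for every line a unified diff adds."""
    path = ""
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # start line of the hunk in the new file
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith(("-", "diff ", "index ", "\\")):
            continue  # removed lines and headers do not advance new-file numbering
        else:
            line_no += 1  # unchanged context line


def redact(line: str) -> str:
    """Keep the first four characters of any quoted value so the report is
    useful without reproducing the secret itself in hook output or CI logs."""
    return re.sub(r"(['\"])([^'\"]{4})[^'\"]*(['\"])", r"\1\2***\3", line)


def scan_diff(diff_text: str) -> List[Finding]:
    """Return one finding per added line that matches a rule."""
    findings: List[Finding] = []
    for path, line_no, content in added_lines(diff_text):
        for rule, pattern in RULES.items():
            if pattern.search(content):
                findings.append((path, line_no, rule, redact(content)))
                break
    return findings


# Constructed fake tokens (not real credentials) with the correct PAT length.
FAKE_PAT_NEW = "ghp_" + "A" * 36
FAKE_PAT_OLD = "ghp_" + "B" * 36

# Constructed sample, standing in for `git diff --cached` output on a settings file.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
+GITHUB_TOKEN = "{new}"
+TEST_USER_PASSWORD = "hunter2"
 DEBUG = False
-OLD = "{old}"
+OLD = os.environ.get("OLD")
""".format(new=FAKE_PAT_NEW, old=FAKE_PAT_OLD)


def main() -> int:
    diff_text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_diff(diff_text)
    for path, line_no, rule, snippet in findings:
        print(f"{path}:{line_no}: {rule}: {snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it up as `git diff --cached | python scan_secrets.py` in a pre-commit hook and make a non-zero exit block the commit. It deliberately inspects only added lines: the removed `-OLD` line in the sample is the case the post is making, because a value that has already been committed is still in the history, so the scanner saying nothing about its removal changes nothing and that token has to be revoked regardless.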

Suspicious Parent Company Emails

When we got taken over, we started receiving emails from our parent company. However, we were not told what to expect in future emails and many look rather suspicious. 

Some emails just go straight to Junk so they obviously haven’t communicated well with our IT department either.

As part of our security training, you are told to be wary of unexpected emails, then look for suspicious links, text calling for urgent action. These emails tick all the boxes.

One example of an email was titled “Secure: Your Security Access Request was completed”, then looked like an invoice with my name, the date and a Request Id link, with a header containing the word SECURE in upper case. It had no information detailing what request was completed, so the only way to find out was to click the link. I didn’t make a request, but it did say it was on my behalf.

The email address looked like our parent company’s main domain name. It was received in the same week as we got told about our new credentials to access some of their systems. So was this related or not? 

When we don’t understand the new systems, don’t know what we should be able to access, and don’t know who we need to communicate with, it is the ideal time for a malicious hacking group to try to socially engineer our credentials. This seems hypocritical when they made a big fuss after being hit with a cyber-attack in recent times.

Project Gatekeeper

A few years ago, the company I work for was taken over. This was by a larger group of companies. One of the smallest companies they own was a company dealing with financial payments so was much more important than their size suggests.

My understanding is that someone working for that company was socially engineered and their password was obtained. The cyber-crime group that acquired the password then used it to install ransomware across the entire system. Sensitive information was believed to be stolen, and the systems were unusable, preventing millions of transactions from being processed.

It was a massive hit to the reputation of the parent company, and cost millions paying out loans to those hindered, and compensation over the incident.

Even though it had nothing to do with our company, it caused instant fear that we could be next, therefore any security policy that could be changed was.

The stolen account didn’t have 2 factor authentication, but even if it did, the code could have also been socially engineered. I think it’s a bit naïve to assume that was the only reason it happened.

Even though we used 2FA on our accounts, products like Microsoft Teams ask you to log in once and then keep you permanently logged in. So they changed the policy so it asked you every day. As we found out, Microsoft Office doesn’t handle this well, sometimes struggling to log in to Teams and Outlook at the start of our days. I’m not sure what that was even trying to achieve, but it was a massive annoyance to everyone. It then got reverted after a week or so.

Other changes followed as part of what we called “The Gatekeeper Programme”.

Gatekeeper Programme Scope

  • Risk assess all practices, tools and techniques.
  • Prioritise security based projects
  • Create new practices, policies, process and control measures.
  • Improve security monitoring
  • Remove use of out-of-support products
  • Training to protect against social engineering

What it really meant is we ended up switching to products used by the parent company, and we lost access to do certain activities. So our VPN software was changed, we had different Remote Desktop software and only certain people were allowed to use it.

In some ways this does make sense as it reduces the number of products that could have a vulnerability. Restricting privileges to only necessary staff members also reduces the number of people malicious groups can target.

Many of the changes seemed an over-reaction and the urgency we had to remove products was a massive hindrance on certain departments, mainly Group IT.

Remember when people used to know what they were doing?

Remember when people used to know what they were doing? Those were the days.

“what concerns me the most is that there was a time where everything almost worked like clockwork and now it seems like more ruins every day”

Software Architect

“I am more surprised when something works”

Me

We used to be a company full of smart people, working effectively. Now we work slowly and people just cut corners and do incredibly dumb things. In more recent times, people now don’t think for themselves because they ask AI what code to write. Sometimes it’s absolute rubbish but they never reviewed it themselves; so it really is zero thought. You point it out to them that it’s not going to work, and they respond back with an overly polite message, clearly written by ChatGPT; which just adds insult to injury.

So it’s like developers don’t even develop because AI does it. Then they don’t do any dev-testing. Then the Testers don’t know what they are doing either.

Recently Testers have been installing our software on the application servers.

Even though one of the Lead Testers has been posting angry rants about it, it keeps on happening. The Lead Tester’s points were that it’s not representative of live, and that it takes up RAM/processing time and lags out the app server for everyone else.

I don’t get why people got the idea to install the client on the app server, and remote on. You can’t think that is official. The servers were always configured to only allow 2 people on at once, so it’s not like the entire department can log on to test if it was the official process.

I just hate what this company has become. I feel like it’s just gonna keep getting worse with managers constantly encouraging people to use AI.

Let’s read the words, the words, the words, of the developer

Introduction

When working with Indian developers, their English skills can vary. You also need to be aware of certain words exclusive to Indian English; some of which I actually like. For example they have the word “prepone” which is the opposite of “postpone”, but in UK English, we don’t seem to have a single word for that.

Some phrases seem more like poor grammar. An example of that is “Can able” or “Can’t able” when we would say “I’m able/unable”.

  • “i think you can able to see the second image is it?”
  • “I can’t able to find any relationship between those two codes” 
  • “still we can’t able to recreate the issue”

“For the same” is an interesting phrase because it just refers to something earlier in the sentence without having much meaning. It’s similar to when they say “do the needful” which just means “do whatever is required” but often doesn’t really add anything to the instruction; if they have requested something from you, then surely you will do it if you can.

There are a few strange greetings, like saying “good noon”, which I’d assume is just a shortened version of “good afternoon” rather than being appropriate for a very specific time period. There are a few people who have a strange greeting of “Ho!”

“Ho!! Is it please can you share those knowledge with me…”

To take time off, they like to “avail”. As a bonus, here’s a strange request:

Morning Team,
I have picked up fever and heavy cold. Availing AL today.
Please conduct stand up and end call.
Available over mobile for any urgent issues.
Thanks and Regards,
Jeeva

I’m glad you told me to end the call Jeeva, because I’d have stayed on it all day otherwise.

Indian Pull Requests

When it comes to the Code Review process aka Pull Requests (PRs), it can be hard to ask them why they are making certain changes. Sometimes asking questions can just lead to further confusion. Also, sometimes I’m sure some developers try to blag and hope you move on.

I was discussing this with a Lead Developer and he agreed that asking questions can either result in

  • Blagging
  • Revert the code and hope it works
  • Or you actually get a good answer. But then if it’s not clear why the code was written like that, then maybe it does need a code comment or some documentation so others don’t get confused in future.

Even though I often got frustrated with their comments, in recent times, a lot of them use AI like ChatGPT to rewrite their responses, or sometimes I get the impression they just put your question into the AI and hope it comes out with a good response. So instead of poorly written English, it’s all robotic and a blag of jargon. So you can’t win really.

Row

“Refresh on special while saving special note, row background, Radio button alignment based on include exclude” 

Blagging with Words on PRs

I questioned their pointless try/catch blocks which were catching an exception then rethrowing the exact same type of exception.

“Yes, as I couldnt use the dll in the resourcepicker project, so we can thrown the exception and catched it in resourcepicker class”

And

“The resources can be used due to filecahe, but no changes can be saved, when service is down. The above message is already used in Picker solution.”

Then when their project was being merged into the main branch, another developer questioned the same code. This time they said:

“To restrict that, have drilled up the ux tree and displayed the error message.”

Observation

“Found an observation while testing 12602 in 9.3.6 branch”

What does that even mean? I assume “observation” means “bug” or “potential problem”.

Bad Refactoring

He refactored some existing code but also changed the return type of the method, which meant the caller’s logic had to be changed too, causing cascading changes which weren’t really relevant to his main change. Also, the logic didn’t look equivalent, so I wouldn’t call it refactoring, more like introducing a bug. He then claimed he hadn’t changed it…

Me: "is this equivalent? It was checking >1 not >=1"
Them: "Actually, I haven't attempted to modify that as the logic written working as per acceptance criteria, and it already tested"
Me: "I don't understand, this method has been changed in this PR"
Them: "Just used expression for methods as commented by Andy. Apart from that i haven't changed any logic around that."

Down Merge

Vignesh
Here after no comments fixed against assurance branch?
Just need information about down merge

Andy
sorry I'm not sure what you mean?

Vignesh
Two comments pending for our side... if any one raise PR I will raise PR also. Because of down merge... Incase only I will raise PR again do down merge that's why I am asking

IsMobileEnabled 

IsMobileEnabled needs to return boolean value, so removed exception caused by null and also the GetResources during Trigger prompting needs to include Template also along with Protocols.

Didn’t Launch The Portal

me: “where is this used?”

developer: “This is used at TryLaunchPortal()…. At this point of time we never know the portal type to compare and verify the condition because the user didn’t launch any portal”

walkie talkie comms going on here

This reminds me of walkie-talkies, stating “over” so you know it’s the end of the message.

Roshni 
give line break after method over

Shoban
Ok Roshni, Updated the changes

Shoban
Completed with the Changes

Roshni
give line break after method over not before the method over

Shoban
Thanks Roshni, Got your point. Made Changes

Roshni
and again please remove the empty line no 267

Shoban
Code changes completed as mentioned

Welsh 

PR: Updated the Walsh text

Description: Updated the resource file with Walesh text

Do you think the text is gonna be accurate if he can’t get the title correct in English? It should say “Welsh text” as in “the Welsh language”.

Customer

Merge from Curomer first branch to main

Accelerator Keys

To define an accelerator key (which lets you press Alt plus that letter to activate the control), you place an & character before the letter. So Export has E defined. Edit can’t use E because Export has taken it, so they have chosen D. For Cancel, N seemed an odd choice.

btnBackup.Text = "&Export";
btnContinue.Text = "E&dit";
btnCancel.Text = "Ca&ncel";
btnBackup.DialogResult = DialogResult.None;

Me
can't C be used as an accelerator key?

Kalyanaraman
C for Continue

Me
what is the continue button? Isn't this it? btnContinue.Text = "E&dit"; that is using D

SQL is up to 10 times better

yes i have tried with mocked 10 lacks data in local
and while this query the data was well optimized.
For data, I ran sp thrice

I bet you can’t tell if this is from some old children’s folk tale or an Indian’s PR

Always Run SQL Code Analysis

Roshni has worked here several years, and when she started, I’m sure she made the same mistake several times. When making a database patch, we have a Patching Tool that not only applies the patch but runs some code analysis to make sure it conforms to coding standards.

Many times when developers have reviewed her code, Roshni has been told her patch would have been flagged by the tool if she had run it as part of her Developer Testing.

When I was a junior, once the seniors had told me, I never forgot to run it again. It’s like the embarrassment/shame makes you remember. Also, I cared about quality, and this was a simple process that ensured the quality and standardisation of our SQL code.

Recently, she had merged her fix ready for release, and a tester, Mick, pointed out there were patching errors, so her SQL patch cannot have been run through the Patching Tool, or even tested.

She claimed it had been tested, and that it was a problem between SQL versions. So her claim was that both her local machine and the test server it was run on (by another tester in her team) were a different version to what was on the main test environment we use before releasing the software.

So Mick looked at the SQL patch and saw the error was about a missing namespace. The patch was inserting XML, and XML has a namespace attribute on the first line. So then he looked at what data is currently in the table, and saw that all the existing entries had a namespace declared, and this was missing from Roshni’s patch.

So Mick embarrassingly pointed this out. So she had lied about testing the patch locally, she must have lied about it being tested in her team, and lied that it was an SQL version issue.

She then submitted a brand new patch which conditionally checked whether the previous patch had created the entries. If it hadn’t, the new patch would insert them; if it had, the new patch would run an update statement instead.

Mick then points out that this is nonsense because the original patch had failed so would have just rolled back and stopped patching. What she needed to do was just to fix the original patch so it would run. So then she quickly deletes her new patch, and updates the original one.

Although it’s what we wanted, the speed that she did it makes me think she hadn’t run the Patching Tool because it can be very slow to run. So yet again, we have told her it is important to run it through the Patching Tool, and she hasn’t bothered.

Although I think nothing was actually wrong with her new change, another tester had pointed out that her changes were across two repositories and her changes in the other repository were also flagging errors in the Patching Tool. So it’s not like she just forgot to run it once, it’s just that no matter how many times in the past we have told her YOU MUST RUN PATCHING TOOL; she never does.

It’s just infuriating that we keep employing people like that, who don’t listen or care about the work they are doing.