Article 200G7 No Account for You

by Remy Porter, from The Daily WTF (#200G7)

Ed wasn't excited about his job. He worked for a large automotive manufacturer. This is the kind of industry that might invest heavily into robots and research and development, but when it comes to managing their supply chain and accounts receivable, their IT infrastructure was frozen in amber circa 1974.

The pay was fine, but the work was frustrating. Things like "Code reviews" and "refactoring" were viewed as "wastes of time" or "developers playing with toys". Unit tests were a luxury for "lazy" developers- good developers should just be writing code that works. If the work you're doing isn't directly involved in getting cars built and shipped, you shouldn't be doing it.

Ed was looking to get out of the company, and while he kept sending out resumes, he found more excuses to get away from his desk by taking smoke breaks with Mitchell. Mitchell was a lifer- he joined the company back when pensions were a thing, and was close enough to retirement that he just needed to keep his head down and stay the course to check out with a nice nest-egg. "But you," he'd tell Ed, "you've gotta get out of here. You're young. You shouldn't be wasting your time here."

After one of those smoke breaks, Ed returned to his desk to see Pilar waiting for him. Pilar was their summer intern, a junior in college. She mostly handled "manual reporting", which was a euphemism for "we don't actually have a reporting system for this data set, so we have an intern run SQL queries against production and then copy/paste the results into a spreadsheet." Yes, there were still manual reports because none of the SBUs wanted to pay to automate them.

"I've got a new report," she said, "and it's on something called SCORDBE? You wouldn't know how I get access, would you?"

Ed didn't know. At best, he might have seen the acronym someplace on a PowerPoint during a quarterly meeting once. "No, but has anyone shown you the Internal Apps Sheet?" He was referencing a spreadsheet used to track support contacts for different applications. He CTRL+F-ed to the entry for SCORDBE. "Oh, no..."

The SCORDBE database was administered by Yev "Ticket-Nazi" Kassem. He automatically closed any tickets for changing the database- even for production releases. Any ticket requesting access to the database, for any reason, received a simple reply: "NO ACCOUNT FOR YOU." He used IP whitelists to prevent connections from unapproved devices. While it probably was good for security, that was an afterthought. Yev had a small bit of power, and he wanted to make sure that he held onto it.

Still, that was just the database side. There was an application on top of that database. He scrolled across the spreadsheet, past the columns for "Approving Manager", "SBU Contact", "SBU Backup Contact", "SBU Backup Backup Contact" and found "IT Development Contact". It was Mitchell.

"I don't think you'll get very far with the database," Ed said. "But maybe Mitchell can help?"

Pilar went off to visit Mitchell, and Ed got back to his regular work. A half hour later, Mitchell CCed him on an email to Pilar. "I've got a solution. Just visit this URL and it'll run your query. And you can change the 'id=' part at the end to do it for other part numbers."

Ed didn't think much about it until his next smoke break. "So," he said, "how'd you get past the Ticket-Nazi?"

Mitchell laughed. "I didn't." He paused and lit his cigarette, taking a few drags before explaining. "SCORDBE is about 35,000 lines of Perl written back in the 90s. Nobody ever wants to touch this code, and nobody really understands what it does. I figured there had to be some poorly escaped queries, so I just grepped until I found one. Now we can run ad-hoc queries as needed."

Ed left the company a short time later. Mitchell, and his injection-based reporting solution, however, are still there.
