this post was submitted on 26 Jul 2025
878 points (99.0% liked)

Programmer Humor

25425 readers
1301 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
878
I wonder if this was made by AI or a shit programmer (infosec.pub)
submitted 1 week ago by lena@gregtech.eu to c/programmer_humor@programming.dev
178 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] JackbyDev@programming.dev 34 points 6 days ago* (last edited 6 days ago) (2 children)

Hack has at least two definitions in a computing context.

  1. A nifty trick or shortcut that is useful. "Check out this hack to increase your productivity."
  2. Accessing something you shouldn't. "They hacked into the database."

A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn't is still a valid usage of the phrase.

That said I definitely wanna see the company face charges for this, this is insane.

[–] SpaceCowboy@lemmy.ca 18 points 6 days ago (3 children)

Yeah, if I leave my house door wide open for a few weeks and I get robbed, it's still burglary.

[–] Rivalarrival@lemmy.today 9 points 5 days ago

Terrible analogy. A webserver is not at all like a door. It doesn't block or allow traffic to and from your file system.

A web server is more like a receptionist. It handles requests. "Can I have your basic catalog?" "Certainly, here you go."

"Can I get this item from your basic catalog?" "Certainly."

"I don't see it in your catalog, but my buddy said he got this other item from you. Can I have this other item too?" "Absolutely."

"Can I borrow your stapler?" Sure. "How about a pad of paper?" "Of Course". "Can I just have the contents of your supply closet?" "Here you go." "How about your accounting files, can I get those?" "No problem!" "How about your entire customer list?" "Consider it done!"

When you hire a receptionist and specifically tell them to give customers anything they request, that's entirely on you. You have to at least make a token effort to restrict access to only authorized users before you can even claim that a particular user was unauthorized.

This wasn't burglary. This was putting up signs that say "come in" and labeling everything in your house with "free" stickers.

[–] grendel84@tiny.tilde.website 11 points 6 days ago (5 children)

@SpaceCowboy @JackbyDev

In a legal context there's also the concept of a "reasonable expectation of privacy". The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.

A better analogy is putting your journal in a public library and getting mad when somone reads it.

I'm not saying what these ass holes did was right, I'm saying that the company weakened their legal position by not protecting the data.

[–] SpaceCowboy@lemmy.ca 7 points 6 days ago (3 children)

Terrible analogy. You have permission to read books in a library.

Forgetting to lock your door isn't granting permission to people enter your house, and it doesn't grant people permission to take your valuables. It may be neglectful to leave your door unlocked, but it doesn't imply granting permission to enter your house.

Same goes with computer security. Leaving your computer insecure may be neglectful, but it does not imply someone has permission to take your data.

load more comments (3 replies)
load more comments (4 replies)
[–] JackbyDev@programming.dev 7 points 6 days ago

Thank you! I feel like I'm taking crazy pills reading people's reactions to this. And if it was a business instead of your house and it was customer data you weren't protecting you should still be in trouble too. It's like people think only one side can be in the wrong in this or that because the data wasn't secured and in the public that gives them free reign to post it everywhere. I wonder how those people would feel if their addresses were leaked. Afterall, if you're a homeowner your name is attached to the property and is publicly accessible.

[–] spicehoarder@lemmy.zip 13 points 6 days ago (4 children)

No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.

[–] JackbyDev@programming.dev 6 points 6 days ago (1 children)

It can be both. The company can be at fault for not keeping something secure while the people who steal the data are at fault for stealing data. Data leaks and hacks are not mutually exclusive.

load more comments (1 replies)
load more comments (3 replies)
[–] fmstrat@lemmy.nowsci.com 70 points 6 days ago (1 children)

Peak Vibe Coding results.

[–] funkless_eck@sh.itjust.works 19 points 6 days ago (3 children)

while True:

Jesus Christ

[–] FooBarrington@lemmy.world 24 points 6 days ago (2 children)

You know that's not the Tea code, but the downloader, right?

[–] fmstrat@lemmy.nowsci.com 19 points 6 days ago (1 children)
[–] FooBarrington@lemmy.world 22 points 6 days ago* (last edited 6 days ago)

Sure, it might be, I'm not saying it isn't. All I'm saying is: the screenshot shows the code someone wrote to download the images. It's not part of the Tea codebase.

load more comments (1 replies)
[–] mobotsar@sh.itjust.works 9 points 6 days ago (2 children)

There's nothing wrong with manually breaking a loop.

[–] funkless_eck@sh.itjust.works 7 points 6 days ago (2 children)

There's nothing wrong with eating a banana with a knife and fork, either.

Except living with the shame.

load more comments (2 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] EmilyIsTrans@lemmy.blahaj.zone 44 points 6 days ago (4 children)

I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.

A Firestore database facing the client directly on any serious project is a code smell in my opinion.

[–] tiramichu@sh.itjust.works 24 points 6 days ago* (last edited 6 days ago)

It's like people learn how to make a phone app in React Native or whatever, but then come to the shocking and unpleasant realisation that a data-driven service isn't just a shiny user interface - it needs a backend too.

But they don't know anything about backend, and don't want to, because as far as they are concerned all those pesky considerations like data architecture, availability, security, integrity etc are all just unwanted roadblocks on the path to launching their shiny app.

And so, when a service seemingly provides a way to build an app without needing to care about any of those things, of course they take it.

And I get it, I really do. The backend usually is the genuine hard part in any project, because it's the part with all the risk. The part with all the problems. The place where everything can come crashing down or leak all your data if you make bad decisions. That's the bothersome nature of data-driven services.

But that's exactly why the backend is important, and especially the part you can't build anything decent without thinking about.

[–] sylver_dragon@lemmy.world 19 points 6 days ago (1 children)

I think it's less about the tech picked and more about developers with no sense of security and a poor understanding of networking. I've seen far too many web applications where the developer needed some sort of database behind it (MySQL, PostGres, MSSQL) and so they stood up either a container or entire VM with a public IP and whatever the networking layer set to allow any IP to hit the database port. The excuse is almost always something like, "we needed the web front end to be able to reach the database, so we gave the database server/container a public IP and allowed access". Which is wonderful, right up until half of the IP addresses in Russia start trying to brute force the database.

[–] EmilyIsTrans@lemmy.blahaj.zone 13 points 6 days ago

I agree that this is ultimately a problem with developers lacking security knowledge and general understanding, but my issue with Firestore specifically is that it is a powerful tool that, while it can be adopted as part of a carefully considered tech stack, lends itself most naturally towards being a blunt force instrument used by these kinds of developers.

My main criticism of Firestore is that it offers a powerful feature set that is both extremely attractive to amateur or constrained developers while simultaneously doing a poor job of guiding said amateurs towards creating a secure and well designed backend. In particular, the seemingly expected use case of the technology as something directly interfaced with by apps and other clients, as evidenced by the substantial support and feature set for this use case, is the main issue. This no-code no-management client driven interaction model makes it especially attractive to these developers.

This lack of indirection through an API Gateway or service, however, imposes additional design considerations largely delegated to the security rules which can easily be missed by a beginner. For example:

  1. Many examples of amateurs take an open-by-default approach, only applying access and write restrictions where necessary and miss data that should be restricted
  2. Some amateurs deploy databases with no access or write restrictions at all
  3. There is no way to only allow a "view" of a document to a request, instead a separate document and security rules containing the private fields needs to be created. This can be fairly simple to design around but seems to be a bit of a "gotcha", plus if you have similar but non identical sets of data that needs to be accessible by different groups it must be duplicated and manually synchronized.
  4. Since there is no way to version data models, incompatible changes require complicated workarounds or an increasingly complicated deserialization process on the client side (especially as existing clients continue to write outdated models).
  5. Schema validation of data written by clients to the database is handled by security rules, which is seemingly unintuitive or missed by many developers because I've seen plenty of projects miss it
  6. If clients are writing data directly, it can become fairly complex to handle and subsequently maintain their contributions, especially if the aforementioned private data documents are required or the data model changes.

All of these pitfalls can be worked around (although I would still argue for some layer of indirection at least for writes), but at this point I've been contracted to 2 or 3 projects worked on by "professionals" (derogatory) that failed to account for any of these issues and I absolutely sick to death of it. I think a measure of a tools quality is whether it guides a developer towards good practices by design and I have found Firestore to completely fail in that regard. I think it can be used well, and it is perfectly appropriate for small inconsequential (as in data leaks would be inconsequential) single developer projects, but it almost never is.

[–] meme_historian@lemmy.dbzer0.com 10 points 6 days ago

Ah yes, Firebase. The Google version of leaking all your company data through a public S3 bucket

I remember when they launched and started pushing it in the Android dev community. Actually won a Google Pixel at a Firebase sponsored hackathon in my town...after that I never touched Firestore again. Using that ACL language to restrict access, you could see the massive foot gun from a mile away

load more comments (1 replies)
[–] Diplomjodler3@lemmy.world 25 points 6 days ago (8 children)

I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?

[–] Gonzako@lemmy.world 11 points 6 days ago (1 children)

Make a PR

[–] axEl7fB5@lemmy.cafe 7 points 6 days ago

Be the change you want to see in the world.

load more comments (7 replies)
[–] zarkanian@sh.itjust.works 13 points 5 days ago (1 children)

These people should serve jail time. I'm not kidding.

[–] percent 8 points 5 days ago* (last edited 5 days ago)

I'm no lawyer, but this seems like at least grounds for a class action lawsuit, I would think. Like, it seems like privacy and security is implied (however ironic for an app like this) when requiring users to upload their PII.

Also, I assume their privacy policy didn't mention that they were just gonna publish their users' PII.

[–] NigelFrobisher@aussie.zone 7 points 5 days ago

You could say they “spilled the tea”.

[–] grrgyle@slrpnk.net 14 points 6 days ago (1 children)

What is the Tea hack?

[–] finitebanjo@lemmy.world 14 points 6 days ago (6 children)

An app called Tea™ was marketed as a safespace for women and used government issued IDs as a way to verify users.

4Chan users leaked all of the IDs onto the larger internet.

[–] grrgyle@slrpnk.net 10 points 6 days ago

Wow what a fuckin shitshow. I have so many follow-up questions

load more comments (5 replies)
[–] angstylittlecatboy@reddthat.com 12 points 6 days ago

At this point I think the women using it got psyopped

[–] gonf@lemmy.world 5 points 5 days ago

Almost definitely both were involved.

load more comments
view more: next ›