Incompetent Boobs Part 2

Stupid user stories are a tradition in I.T., and there’s a whole subgenre of clueless manager/boss/executive stories. However for once this is a story where the manager was absolutely right, and the I.T. staff (or at least the incompetent boobs who built this system, if not for the poor schmucks who had to maintain it) were colossally wrong, with devastating consequences. And to make matters worse they still don’t realize what they did wrong or how to fix it.

Here’s the story from Andrew Brandt at InfoWorld:

Being part of an online community can reap rich rewards. Allowing the tools that fuel those communities to wreak havoc on your company Web site — well, that’s probably not what you had in mind.

Of course, when it’s your boss who is insisting on tapping those tools, sometimes you have to buck hierarchy and sneak behind his back to help him toe the prudent IT line, as the administrator of a business-to-business Web site quickly found out.

The tool in question was a toolbar called Alexa, which tracks the surfing habits of its users and spiders Web sites to build a ranking system for comparing the popularity of Web sites. The admin debated the value of the toolbar with his boss often, though perhaps “debate” is too delicate a term.

“I told him time and again to uninstall it, and even did so myself a number of times, but he’d put it back every time,” the admin says.

“Then, one day, all dynamic content on the main page [of the b-to-b’s Web site] just vanished. I brought it back from backup and chalked it up to a bug. Then it happened again a little while later. I started snooping around our logs,” he says.

As it turns out, Alexa’s spiders had been ignoring the robots.txt file — and were instead capturing usernames and passwords.

“It logged into the administrative area and followed the ‘delete’ link for every entry,” the admin says. “My dumb-ass boss still didn’t want to uninstall Alexa — could have strangled the man.”

Fallout: The data was restored, with some difficulty, and Alexa’s spider was prevented, through other means, from accessing the administrative side of the Web site.

Moral: When confronted with the classic pointy-haired boss, Machiavellian subterfuge sometimes becomes necessary. Try using the Image File Execution Options registry key to prevent Alexa — or whatever undesirable, dangerous, or obnoxious program he or she keeps using to make your life miserable — from running.

Unfortunately Brandt draws the wrong moral from this story, or at least not the most important one.

The problem, yet again, was that the Content Management System was designed by INCOMPETENT BOOBS, who didn’t know the difference between HTTP GET and HTTP DELETE. They had no business building a CMS for their church choir, much less a real business.

One more time: any operation that deletes a web page should be done with HTTP DELETE; or, if you must, with HTTP POST. However you should, never, never, never, never design a link to delete a page with HTTP GET. Do not think robots.txt will protect you. It won’t. Do not think usernames and passwords will protect you. They won’t. Do not think nonces or referrer checks or JavaScript or proxy busting query strings will protect you. They won’t. (WordPress still hasn’t learned this lesson and is going to get burned one of these days. They too will then proceed to blame their users and third party developers who followed the relevant specs while denying their own culpability.)

The only reliable way to implement delete is by using HTTP as it was intended to be used. GET for safe operations, and PUT, DELETE, and POST for unsafe ones.

Brandt didn’t name names in the article; but if the perpetrators fess up, I’ll send them a free copy of Refactoring HTML. I especially recommend the first refactoring in Chapter 7: Replace Unsafe GET with POST. The team described in the article may have finally stopped their boss from using a valuable toolbar, but until they fix the root cause of the problem, they’re just one more plug-in away deleting the entire site again.

5 Responses to “Incompetent Boobs Part 2”

  1. John Cowan Says:

    Baboons, is more like it.

  2. Dave Says:

    Go on then…enlighten us?

  3. Curtis Cunningham Says:

    Wow, this is shocking! I’ve been pretty uneasy about having many/any of these types of plugin installed. Been using Safari on Mac for the last few months, so not many toolbars available for that (I don’t have any installed). When I use Firefox usually the only one I tolerate is the google toolbar, and that’s disabled most of the time.

    Thanks for the extremely informative post.

  4. Bennett Says:

    I completely agree about unsafe GET.

    Do not think usernames and passwords will protect you. They won’t. Do not think nonces or referrer checks or JavaScript or proxy busting query strings will protect you. They won’t.

    Just to be accurate, these things will protect you. But they do not offer 100% protection. And neither does POST, though it will protect you from spiders that follow GET links.

  5. lxs Says:

    s/away deleting/away from deleting/

    Thanks for the preview! Very useful.

Leave a Reply