How to write bad software and still make money

Written by hargup | Published 2017/04/09
Tech Story Tags: security | software | consulting | programming


After my first year in university, I got an opportunity to work at a startup as an intern; let’s call this company B. B was started by a lady called D who was in the art business: she used to buy and sell art, and she thought, why not take this business online? So, with a bunch of friends, she started the company B to sell art online. She didn’t have much coding experience herself, so she hired a consulting firm called V to create the website for her. V created a website, but it wasn’t as good as she wanted it to be, so she hired me as an intern hoping that I’d fix things for her.

My first task was to compile a list of errors on the website, and boy I found a lot of them. In the next two months I was supposed to fix these and it turned out to be a lesson about how not to write code.

The code base was terrible: every file used to have its imports, then all the code in a try block, then a catch statement that would catch all the errors and just log them. Any small change in the code would bring the whole website down and I didn’t know why. They were not using any kind of version control, and many of their employees didn’t even know that something called git exists. Fortunately the boss knew about it, and I asked him why they didn’t use version control; he said it is too complicated, we don’t need it.

They were terrible at security. After you register on the website they would send you an email with your login ID and password, all in plaintext, and the default password was “Password”! The admin page was accessible without logging in through a special link, using which you could do all kinds of bad stuff like deleting art works and modifying page descriptions. There were also comparatively minor issues like a bad captcha, an unsalted password database, and the use of TripleDES instead of AES.

I did a few things: fixed the login system, stopped sending passwords in plaintext, implemented login via OpenID, and added an email verification system.
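As an added example (not the author’s code, nor anything from B or V), here is the registration flow the post describes done the safer way, assuming an in-memory dict stands in for the user table: a random per-user initial credential instead of the default “Password”, a salted PBKDF2 hash instead of an unsalted table, and an email verification token that is stored hashed and compared in constant time.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 600_000  # work factor for PBKDF2-HMAC-SHA256
USERS = {}  # email -> record; in-memory stand-in for the user table (assumption)

def hash_password(password, salt=b""):
    """Salted PBKDF2 hash. A fresh 16-byte salt per user means two users
    with the same password get different hashes (unlike an unsalted table)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def register(email):
    """Create an account; returns (one-time password, email verification token)
    to send to the user. No fixed default like "Password", nothing stored in clear."""
    temp_password = secrets.token_urlsafe(12)  # random per user
    verify_token = secrets.token_urlsafe(32)   # unguessable, single use
    salt, digest = hash_password(temp_password)
    USERS[email] = {
        "salt": salt,
        "hash": digest,
        "verify_hash": hashlib.sha256(verify_token.encode()).digest(),  # hash, not token
        "verified": False,
        "must_change_password": True,  # force a user-chosen password at first login
    }
    return temp_password, verify_token

def verify_email(email, token):
    """Mark the account verified if the presented token matches (constant-time)."""
    rec = USERS.get(email)
    if rec is None or rec["verified"]:
        return False  # unknown account, or token already used
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["verify_hash"]):
        return False
    rec["verified"] = True
    return True

def check_password(email, password):
    """Login: recompute the salted hash and compare in constant time."""
    rec = USERS.get(email)
    if rec is None or not rec["verified"]:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])
```

The one-time password and token are returned only so the caller can email them; the record itself never holds either in the clear.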

The employee responsible for the website wasn’t cooperative at all; whenever I went to her with questions, she would shoo me away or give me an answer that really didn’t help me in any way. No one actually read a single line of my code because everyone was too busy, and guess what, to get my code merged I had to email a person a copy of my code and he would manually paste it on the live server. Overall it didn’t look like V gave a shit about B’s website, and even if they did, they were too incompetent to do a good job. The surprising part wasn’t that someone can be so incompetent, but that they can be so incompetent and still make a profit. Four years on, B is dead, and a subsidiary of V, providing Visitor Management Solutions to Corporates, boasts clients like ICICI bank, DHL and Monsanto. My guess is that companies like V are the norm rather than the exception.

Now the question is why a terrible company like V is able to make a profit. I think the main reason is information asymmetry: it is very hard for a client without technical know-how to distinguish bad work from good work. Two websites can look good enough on the surface, but one can be heavily broken inside and the other can be rock solid. In such scenarios the client has to take everything the consultant says at face value. Then there is also a mismatch of incentives: because contracting firms are usually paid by the hour, they are incentivized to prolong the project as long as possible while doing a bare minimum quality of job, and things get worse when the client cannot distinguish between actual work and the pretence of doing work.

Possible solutions involve making the consultant pay for their bad job. I once interviewed with a (different) software consulting firm; they also take contracts where they are paid by the hour, so I asked them, aren’t they incentivized to unnecessarily prolong their projects? They get most of their contracts through referrals by previous clients. They said that if they did so, their clients would know, which would hurt their business in the long term. They also have a policy of not working with non-technical clients, i.e. they work only with clients who can recognize good work from bad work, which in turn helps them maintain their reputation.

Extending this, there can be a national registry of security leaks which shames contractors responsible for security holes.
