What do you say to the boss who has been robbed blind by the outsourcers?

gremlinz273

<Bronze Donator>
684
785
So I'm at a new contract job to write a mobile app for this large corporation. They have a pre-existing API that was written for an in-house app. The developer that wrote the API is no longer with the company and has gone home to India. So I'm digging through the API to figure out what is going on and if it is even suitable for what I need. I find a section of the code that looks strange, almost deliberately obfuscated, or less carefully written than other parts of the code. I dig further into it and find that it is accessible without going through any login process and allows total access to the database without any auditing.

What should I do? Brave members of Rerolled screenshots, help me decide how I should handle this dilemma.

I'm tempted to go tell the idiot boss what an idiot he is for blindly trusting outsourcers.
But who knows, for this company, it could be placed there for the NSA.

What do you boys think?

Just ignore it, collect phat paycheck?
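Editor's note: for readers who have not seen this pattern, the following is an added illustration (not the OP's code, not the corporation's API) of what a "debug" endpoint with no login check, no restriction on what it runs and no audit trail looks like next to a hardened version of the same handler. The `Request` class, the `SESSIONS` store, the `/v1/dbg/q` path and the sample `users` table are all constructed for the example; the three properties a reviewer checks are the ones the OP lists: does the handler establish who is calling, does it limit what they can do, and does it record that they did it.

```python
"""Added example: an unauthenticated 'debug query' handler versus a hardened one.
Everything here is constructed for illustration; nothing is from the thread's API."""
import sqlite3
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    """Hypothetical stand-in for an HTTP request."""
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


class AuthError(Exception):
    pass


# Constructed session store (token -> principal). A real app would consult a
# session service; the shape here is an assumption for the example.
SESSIONS = {
    "tok-alice-123": {"user": "alice", "role": "admin"},
    "tok-bob-456": {"user": "bob", "role": "user"},
}

AUDIT_LOG: list = []


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the corporate database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES(?, ?, ?)",
        [(1, "alice@example.com", "admin"), (2, "bob@example.com", "user")],
    )
    return db


# --- The shape of what the OP describes: no session check, caller-supplied
# --- SQL, nothing written anywhere when it runs.
def debug_query_vulnerable(db: sqlite3.Connection, req: Request):
    return db.execute(req.params["q"]).fetchall()


# --- Hardened form of the same handler.
def current_principal(req: Request) -> dict:
    """Resolve the bearer token to a session; refuse anything else."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise AuthError("missing bearer token")
    principal = SESSIONS.get(auth[len("Bearer "):].strip())
    if principal is None:
        raise AuthError("unknown or expired session")
    return principal


# Named, parameterised queries: the caller picks a name, never sends SQL text.
ALLOWED_QUERIES = {
    "user_by_id": "SELECT id, email, role FROM users WHERE id = ?",
}


def audit(user, req: Request, outcome: str, rows: int = 0) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user, "path": req.path,
                      "query": req.params.get("name"), "outcome": outcome, "rows": rows})


def debug_query_hardened(db: sqlite3.Connection, req: Request):
    try:
        who = current_principal(req)
    except AuthError as exc:
        audit(None, req, "denied: " + str(exc))   # failed attempts are logged too
        raise
    if who["role"] != "admin":
        audit(who["user"], req, "denied: admin role required")
        raise AuthError("admin role required")
    sql = ALLOWED_QUERIES.get(req.params.get("name"))
    if sql is None:
        audit(who["user"], req, "denied: unknown query")
        raise ValueError("unknown query name")
    rows = db.execute(sql, (req.params.get("id"),)).fetchall()
    audit(who["user"], req, "ok", len(rows))
    return rows


def demo() -> dict:
    """Run both handlers against the constructed data and summarise the results."""
    db = build_db()
    AUDIT_LOG.clear()
    anon_dump = Request("/v1/dbg/q", {"q": "SELECT email FROM users"})
    leaked = debug_query_vulnerable(db, anon_dump)        # works with no credentials
    out = {"anon_vulnerable_rows": len(leaked), "hardened": {}}
    callers = [("anon", {}),
               ("bob", {"Authorization": "Bearer tok-bob-456"}),
               ("alice", {"Authorization": "Bearer tok-alice-123"})]
    for label, headers in callers:
        req = Request("/v1/dbg/q", {"name": "user_by_id", "id": 2}, headers)
        try:
            out["hardened"][label] = debug_query_hardened(db, req)
        except AuthError as exc:
            out["hardened"][label] = str(exc)
    out["audit_entries"] = len(AUDIT_LOG)
    return out


if __name__ == "__main__":
    print(demo())
```

Usage note: `demo()` shows the anonymous caller pulling every row through the vulnerable handler, while the hardened handler turns the same caller away, turns a non-admin session away, serves the admin a single parameterised query, and leaves one audit record per attempt, including the refused ones. When you write this up for the boss, those three checks (who, what, recorded where) are the concrete things to put in the email.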
 

Agraza

Registered Hutt
6,890
521
Why wouldn't you tell them? Even if it is for the NSA, why wouldn't you tell them? I don't see how it matters who put it there. Sounds like BS to me because I would immediately tell them.
 

Breakdown

Gunnar Durden
5,812
8,023
Then that's his fucking problem, you are a contractor.

What's the dilemma here? Sounds like some mad pussy shit, yo.

Also, point it out now before you foot the blame
 

Agraza

Registered Hutt
6,890
521
What he does with the information is up to him. You don't have to put any emphasis on it. You don't have to spin the story. Yo man, there is a significant backdoor in your API. Anyone can just walk in and take your data. If they want you to ignore it, you ignore it.
 

gremlinz273

<Bronze Donator>
684
785
This is a true story. I'll let you guys know how I handled it once I'm sure I'm no longer legally liable. Just thought I'd give some of you guys a chance to ponder how you'd handle it.
 

Angelwatch

Trakanon Raider
3,053
133
I'd tell him about it. He can then act on it or not based on his judgement.

Alternatively, since it's a large corporation, if you have access to their internal auditors, talk to them about it. If a regular auditor found the loophole you're describing, they would likely determine it is a control deficiency which would prevent them from receiving an unmodified opinion (extremely bad news).

Regardless, I wouldn't just sit on it. If you do that, it might come back to bite you in the ass.
 

RobXIII

Urinal Cake Consumption King
<Gold Donor>
3,680
1,824
Don't you be closing my back door! Nosy sombitches....
 

Rais

Trakanon Raider
1,281
637
Ya, report it. 'Cause if there is a major issue down the line where they know you were inside the code and pretty much knew it was there and didn't tell anyone, well I sure in the fuck wouldn't want to be left hanging out holding my nuts in that situation.
 

Aaron

Goonsquad Officer
<Bronze Donator>
8,124
17,974
Maybe that Indian was trying some Office Space hack? If so, ask if you can join so you can do this:

 

moonarchia

The Scientific Shitlord
21,562
39,252
Ya, report it. 'Cause if there is a major issue down the line where they know you were inside the code and pretty much knew it was there and didn't tell anyone, well I sure in the fuck wouldn't want to be left hanging out holding my nuts in that situation.
This. Always CYA by being above board and well documented in email/writing when you are working for someone else.
 

Lejina

(╯°□°)╯︵ ┻━┻
<Bronze Donator>
4,501
11,541
Write the boss an email about it. That's your legal paper trail.
Then tell the boss about it because he didn't read the email.
 

Jilariz_sl

shitlord
231
-3
You are pretty much obligated to report this to the company and maybe even the FBI considering this most likely goes across state and country lines. By not reporting it you could easily be nailed for accessory.
 

Djay

Trakanon Raider
2,279
319
Write the boss an email about it. That's your legal paper trail.
Then tell the boss about it because he didn't read the email.
This. And then, if the boss tells you to do nothing about it, get that in writing, too. I keep paperwork anytime someone wants to praise my work...and anytime something could potentially bite me in the ass.
 

iannis

Musty Nester
31,351
17,656
Seeing as something like this could easily bite you in the ass, you need to tell him. In writing and verbally.

99% that nothing will ever come of it. 1% that Sanjay activates his sleeper stuxnet and you'll never get that week and two fingers back that you left in Gitmo.
 

iannis

Musty Nester
31,351
17,656
See, the mistake you made was actually looking. Now that you're aware there is a problem that problem is YOUR problem.

Ignorance remains the best policy.
 

LachiusTZ

Rogue Deathwalker Box
<Silver Donator>
14,472
27,162
Not sure that's right about the audit... Maybe for WebTrust/SysTrust junk.

And that's not a control deficiency, it's indicative of a possible control deficiency. At least I think, I don't work audits tho, leave that to the plebs.

Either way, quit being a shitty human and do your job. Tell the client, and move on.
 

Chukzombi

Millie's Staff Member
71,729
213,050
As has been said, document everything first. Then verbally tell the boss. It's too easy to blame shit on the tech guys. Big companies always do whenever their shit goes down in flames.