The mere act of selecting a buffer size should not be random and, so, should cause the programmer to stop and think about it (using an already defined symbol tucked away in some standard include is no better).

So the spook either dismisses it as incompetence or believes it was deliberate. Depending on the programmer’s history and persuasion skills the incompetence scenario may be hard to swallow by the spook.

The fact that it can be missed when reading the code is another matter altogether. I missed it, sure. But if I was writing the code I wouldn’t make such a bug. It would be my job not to make such a mistake. I’m not being paid just to press keys on the keyboard, my bosses expect me to be using my brain well and keep all my senses on high alert.

And if I did write the bug (perhaps while drunk or under the influence of hallucinogenic drugs) I would blame myself for being stupid, I would never think of it as “oops… there’s no way a fine-and-dandy programmer like me could ever catch that one… moving on to the next application…”.

I always thought that medical doctors, lawyers, psychologists, and possibly others, should all be necessarily good. Maybe even excellent. These professions have no room for the “sufficient”, “not-so-good”, etc., all those have to be weeded out, simply because people can get really hurt if a certain minimum level of quality in their work cannot be guaranteed. Mediocre is not enough, because those, on average, fail a number of times comparable to the number of times they succeed. And that is just not good enough if you happen to be their patient/client on one of the bad days, so all days have to be good days. Good professions have an extremely high ratio of good to bad days.

Back in the 80′s I didn’t think programming would end up being one of those professions. But, in fact, today people can get really hurt from bad code, either because some company goes bankrupt after some security flaw is exploited and all its 150 workers lose their jobs, or because users trusted some application implicitly and lost a lot of money when their credit card number was stolen by some malware or virus. And many other scenarios in between.

So, looking at how things are made today, I think the IT industry is moving in the wrong direction. Well, at least the bulk of it. Hiring cheap novice or unexperienced programmers, or even flat out bad programmers, and then getting them to learn on the job doing final production code can endup being very damaging to third parties (the users of the software, for example). Even worse, keeping bad programmers just because they are cheap makes someone else (probably a third party, like a user) end up paying for the rest of the cost.

In this case, hiring a rookie to do the code of this entry would, of course, be a bad idea (assuming it was supposed to be used in very critically important situations). A rookie could (and probably would) have made such a mistake, but a more seasoned programmer should have not. And if he/she did? Not seasoned enough then, his/her boss should have known that.

We may be reaching a time when programmers should work like medical doctors. While they are rookies (for the first 10 years of their career) they are supervised, and do nothing without close observation by their superiors. They are, in fact, trainees.

For medical doctors this minimizes loss of lives (and other negative consequences), but it is expensive. True. Somewhere along the way people started thinking that programming was easy and started developing all kinds of crappy software.

At any given time I have something crashing on me, or not doing what it was supposed to do, caused by crappy software. My car’s automatic windshield wiper cannot be used in its most sensitive position, otherwise it sometimes enters a loop of max activity even if it is not raining. The programmer forgot IIR filters sometimes do that and didn’t take the appropriate measures. My phone sometimes enters a state where the screen is non-responsive, but calls can still come in (although I’m unable to answer them). This is a known software bug on the phones. My set top box at home sometimes crashes when the right conditions are met (for example, I have a recording, which I keep for fun, that makes the device crash every time I rewinding to the point where the actor was crossing a door).

We are surrounded by software-based crap, done without quality. Many of us are the culprits, we want to by brand new, unproven, flashy, fast, and cheap, and there is still no real culture for demanding quality and assurances from gadget makers as opposed to an already well established culture of selecting refrigerators and dishwashers based on how many decades their manufacturers guarantee their devices to work correctly.

… well, I digress. Very nice post, an excellent example of how to make crappy code if we are not careful.

Kudos!

Thanks!

…

actually nobody uses scanf, even though the PPM line should not be larger than 70 characters because you don’t whether some stupid user uses a misplaced file
-> nobody likes programms with security lacks especially not if they’re obvious to any programmer

on the other side, you could have used fgets and sscanf in combination.

But still, just gread work.
You deserve it!

Sorry – its just bad code!

The penality here for code llike that is a round of drinks!

Very commendable.