In college I was hired to build an auction site. I was billing my client $20 / hour and subcontracting out the work to some of my fellow classmates at $10 / hour. I was swamped with other work and didn't have much time to review the code. I just made sure it satisfied the specifications and shipped it. We launched the site and did a few hundred thousand dollars' worth of transactions in the first 24 hours. Then something strange happened... all of the bids mysteriously disappeared from our admin panel and users started emailing in asking why their bids weren't showing up anymore. I got a panicked call asking what had happened. I had no clue, but promised to look into it. I started digging through the server logs and noticed that all the bids had been deleted around the time that Google had discovered and crawled the site. Sure enough, my friend had added links to delete bids via the admin panel that were executed via GET requests. It wouldn't have been that big of a deal except the poor guy had used JavaScript for authentication! Google's crawlers had carefully hit every single Delete link and wiped out the site. I fixed the authentication system, refunded everyone's credit cards and relaunched the site with a huge apology for the issues. Needless to say, from that day on I became far more diligent about doing code audits.
The first time someone wanted to hire me was even before I started college.
"So how much will you bill me?"
"Well right now I get 7€ (9.2$ at current rate) for unloading trucks ..." He interrupted me before I could finish the sentence and demand 8€.
"I cannot pay you 7€! That is just too much!"
Sooooo I declined but someone took the job ... for under 8$ an hour.
This sadly still happens. I remember looking through Craigslist jobs and legit companies wanting someone with html/css/javascript/php experience for $8/hr, kid you not.
Part of the problem is, it's difficult to convince companies that (html/css/js/php) coding work is worth something, unless the company you're working for is actually a startup. Especially when they say "Can't you just do it in Wordpress, or Wix or something?"
Another part of the problem is, developers take that work. I probably would myself. I'd hate myself for it but if I have to take shit pay to make ends meet I'd rather do it coding than not.
Do they really allow hourly billing - I wonder if they realise it can cost less to get an experienced person at a higher hourly rate who'll do the job in less hours.
This seems analogous to "The Market for Lemons". The proprietor of a small business has a very hard time judging the competence of a designer/developer even for simple jobs.
This story almost had me in tears (a mix of schadenfreude and shame for my profession). I hope they learned something not to give business critical work to college students. Makes me think that IT Risk management should be right at the top of what MBAs have to learn.
>I hope they learned something not to give business critical work to college students.
I've had the same kind of experience hiring 'real' consulting firms. We were sent a PhD, who banged out a pretty standard looking interface for us that worked terribly. Ostensibly we could've sued, but that just takes more time, and doesn't really fix things.
Wow. Just because someone is a college student doesn't mean they are incompetent! Plenty of people do business critical work as college students, haven't you ever heard of co-op before? A degree doesn't make you competent either, I've worked with enough people who have degrees who are completely incompetent. College students might need some extra supervision to make sure they are doing the right thing, but so do jr engineers.
Anyways, those are the things that a code review would catch.
I think you got me wrong, sorry for not having made myself clearer. I worked through college as an IT consultant as well, however as you noted under supervision of a consulting company with seniors. Hiring a college student directly, without a company attached that can be made liable, is just a bad idea, both for the customer and the student. Just imagine the customer had sued parent. I wasn't talking about technical competence - it's all about liability as well as having proper processes for design, implementation, review, testing and rollout in place - a thing that can easily be seen even before signing a contract.
I agree with the sentiment, but in this particular case, do you really think an MBA'd IT manager was in charge of a project that paid $20 per hour? (As opposed to Accenture rates.)
No, I don't think so. On the other hand I do know a case with an MBA-type manager who gave away the job of doing their website to a complete amateur, just because he knew him. So it wouldn't surprise me either to be honest.
How did GoogleBot get access to the (presumably) private admin panel to crawl the links in the first place? Also, these sort of things require server-side authentication, not just JS. Just because GoogleBot won't crawl your PUT requests doesn't mean others won't -- including users (malicious or otherwise)! Just sayin'.
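The failure discussed in this thread (delete links that fire on GET, gated only by JavaScript in the browser) next to a server-side fix, as an added example that is not from the thread or from the auction site's code. The route, `makeApp`, `crawl` and the sample bids are hypothetical; requests are modeled as plain objects so it runs without a network.

```javascript
const crypto = require('crypto');

const DELETE_ROUTE = /^\/admin\/bids\/(\d+)\/delete$/; // hypothetical admin route

function makeApp() {
  const bids = new Map([[1, 40], [2, 120], [3, 75]]); // constructed sample bids
  const sessions = new Map(); // server-side session store: id -> { user, isAdmin }

  function login(user, isAdmin) {
    const sessionId = crypto.randomBytes(16).toString('hex');
    sessions.set(sessionId, { user, isAdmin });
    return sessionId;
  }

  // Before: any request to the URL deletes. The only "auth" was JavaScript
  // in the browser, which a crawler or script never runs.
  function vulnerable(req) {
    const m = DELETE_ROUTE.exec(req.path);
    if (!m) return 404;
    bids.delete(Number(m[1]));
    return 200;
  }

  // After: GET is never state-changing, and the server itself checks the
  // session and the admin role before touching data.
  function hardened(req) {
    const m = DELETE_ROUTE.exec(req.path);
    if (!m) return 404;
    if (req.method !== 'POST') return 405;
    const session = sessions.get(req.sessionId);
    if (!session) return 401;
    if (!session.isAdmin) return 403;
    bids.delete(Number(m[1]));
    return 200;
  }

  return { bids, login, vulnerable, hardened };
}

// Models a crawler: a plain GET to every delete link, no cookies, no JS.
// Returns how many bids survive the crawl.
function crawl(handler, app) {
  for (const id of [...app.bids.keys()]) {
    handler({ method: 'GET', path: `/admin/bids/${id}/delete` });
  }
  return app.bids.size;
}
```

The method check alone stops a link-following crawler; the session and role checks are what stop a deliberate request from a non-admin.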
When you think about it it's actually pretty elegant -- if your purpose is to write something that appears to work but will do the worst possible thing when crawled.