A Question of Programming Ethics

I’m no fan of professional soccer, but a quick search or two on some of the (non-victim) names from the screenshot appear to be related to it (John Terry of Chelsea, Pawel, and Lesnikowski). Maybe the dickwad responsible for this douchebaggery (thanks Jeff for expanding my vocabulary) is a fan.

Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn’t abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

Is this why you chose the word “orange” for the post security word? Interesting choice. :)

Nice post Jeff.

Rule: wherever you give your passwords you should/must be cautious.

The ACM also has a similar document called Software Engineering Code of Ethics and Professional Practice which has more practical and tangible aspirations. These aren’t just rules for ACM members, they prescribe a code of conduct for all software engineers.

http://www.acm.org/about/se-code#full

Of these, John Terry has violated these:

3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

And that, my friends, truly is coding horror.

Hi Jeff,

I don’t normally post but I thought I should make an exception for this topic.

I completely agree that this is a horrible betrayal of trust. I find this offensive to the honest programmers out there for whom this has negative effects. It’s scumbags like this guy that make people question every file, live in fear of scams, and contribute to fear of technology.

I really enjoy your blog, thanks for sharing this.

To give John Terry the benefit of the doubt, there is always the possibility that this was some kind of development (debugging) version that had somehow become publicly available.

http://www.matemediasoft.com/

These guys are also selling programs for MySpace and YouTube (FriendTools and TubeAdder) that require your login/password.

And here’s the kicker: they’re both spamming tools.

“Add thousands of new friends to your network quickly. Great tool for those who want to market to myspace users.”
“This easy to use software also automates the process of adding comments on YouTube. If you plan on marketing on YouTube, you need this tool.”

That russmate.com/matemedia.com site rang a bell - I knew I’d seen it somewhere before. Recently. Amid many LOLs.

And yes indeed - MateMedia turned out to be the company hosting a scammy “Federal suppliers directory” site which gave Alex Papadimoulis of The Daily WTF a chance to run a most excellent story all his own:
http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx
(Do NOT miss the spectacular flameout by company staff in the comments!)

Man, 2008’s really shaping up to be their year, isn’t it?

This is really a big threat for open source or freeware developers. Users won’t trust developers anymore who are working hard to provide something useful.

Why didn’t Mr. Brooks just use an old-fashioned Perl script for archiving?

Terrible!
And Ryan, the info is still there; it is in the Mail class in the SM.dll file, not in the main exe.

I don’t normally post, but I wanted to comment on those who are saying that programming in some way for the military violates 1 and 2 of the code above. As Oogie Pringle said, there are people in the world who are malicious, and it is important to defend against them.

Maybe this could be seen as an unfortunate prisoner’s dilemma, but in no way does it reflect poorly on the ethical or moral sense of the people doing the programming.

Please elaborate more on Reflector, please.

Author/website perhaps? Thanks.

Phil

@Phil:

Lutz Roeder’s .NET Reflector: http://www.aisto.com/roeder/dotnet/

Excellent tool.

We use Lutz as a verb. “Let’s lutz it and find out”

Dave asked, “Were his [Dustin Brooks] actions /really/ any more “ethical” than John Terry’s?”

To which the answer is a resounding “yes.”

@stewie

Go on and live in your little world where everything would be just fine if there were no guns or missiles. I’m sure that before that everyone lived in peace and harmony, right? Of course, all you have to do is look at North America BEFORE 1492 and that goes right out the door.

And don’t worry. People like me will continue to defend people like you so you can live in your safe little world.

Oogie

Domenic,
you would like to use an encrypted appSettings element in your app.config then.
http://msdn2.microsoft.com/en-us/library/ms998280.aspx

Domenic, security by obscurity has never been a solution. You don’t embed sensitive credentials in code. Period.

Encrypting the data means you have a key somewhere. Writing your own cryptographic algorithm means it’s broken (see Schneier) and anyway, all that’s needed to break your clever encrypted-password-in-executable scheme is to set up a software HTTP/HTTPS proxy (Fiddler, Wireshark, etc.) and read the plain text credentials passed by the program.

Never rely on native code obfuscation for security.

HAH! I was not expecting my name to pop up when I started reading this post :) BTW, Jeff sent me some awesome Coding Horror stickers for my trouble.

Patrick - I can’t take credit for Jeff’s choice of CAPTCHA - it was around a long time before I ever spoke to him.