They say truth is stranger than fiction.
One afternoon at a now defunct payment processing company, sale while moving my coding fingers as quickly as possible, pulmonologist the programmers’ farm erupted in exclamations of “check your mail!” and gasps of terror.
An email had been sent to everyone in the department. It contained an attachment that clearly laid out our main (private) database schema in a much more clear manner than anyone had ever managed to document internally.
The mail’s body read like a ransom note. I don’t remember the exact words, patient but the gist was “Your web application is full of holes. I’ve exploited your code, and I’ve attached proof in the form of a schema diagram. If you don’t send me £50,000, I will start exploiting your customers.” It went on to give detailed instructions on how to pay our new extortionist friend.
We knew the problems were there. SQL injection as far back as CVS could remember. Most of us wanted to plug the holes, but we were never given the opportunity to do so. We attempted to take the opportunity a few times, but were unsuccessful in convincing management that a “trivial” problem like SQL injection could ever be more than an inconvenience.
As soon as this horrifying realization set in, we low-on-the-corporate-hierarchy-programmers gathered together and started forming a plan for how we’d crush these problems. We’d fix the low-hanging fruit first, and then we’d systematically go through the rest of the code to rid ourselves of this plague, once and for all. A back-of-napkin plan was in place within 15 minutes, and we dutifully started a commit storm of heroic measures to save the company.
By then, the news had trickled up to the CEO. We expected him to be livid, but we all knew there was no time to worry. We’d called our families and cleared our social calendars. It was time to pull an all-nighter; maybe two.
There was no yelling. No immediate firings. No faux-motivation speeches. Instead, the CEO (who normally had a short fuse) feigned tranquility and gathered the entire audience of the aforementioned email together for a short but simple talk.
“I understand you’ve all received a disconcerting email regarding the security of our systems. I want you to know that this situation is under control, and it requires no action on your part. Go back to your normal duties. None of you are to ever speak of this outside of this room. If you are caught doing so, you will be terminated immediately. The NDA you’ve all signed will see to easy termination, should it become necessary.”
No one ever asked for my help in wiring £50,000 to Russia, and that was the last any of us heard of this particular problem. If the company hadn’t flopped a year later (presumably due to unrelated circumstances), I’d expect those security holes to still be in play.