Coding Horror

programming and human factors

A Question of Programming Ethics

From the ACM Code of Ethics:

As an ACM member I will
  1. Contribute to society and human well-being.
  2. Avoid harm to others.
  3. Be honest and trustworthy.
  4. Be fair and take action not to discriminate.
  5. Honor property rights including copyrights and patent.
  6. Give proper credit for intellectual property.
  7. Respect the privacy of others.
  8. Honor confidentiality.

It's hard to square that with the following hair-raising tale Dustin Brooks sent me via email:

I was looking for a way to back up my Gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, and I figured what the heck, I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his Gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

I opened up a browser and logged in to Gmail using his account information. It still worked.


Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software, and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted Google to erase this account as I didn't see a way to delete it myself.

I generally try to give people the benefit of the doubt, but it's difficult to imagine any scenario where this isn't a completely malicious violation of people's trust. This is every user's greatest fear when giving out their login credentials, and to see it realized hurts the trust relationship between users and every other professional programmer working today. I've inadvertently posted my own login information to this very blog before. Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn't abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

I certainly hope there are more programmers out there like Israel Orange than John Terry. Ethics matter for programmers, too.

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Overflow and Discourse. Disclaimer: I have no idea what I'm talking about. Find me here: https://infosec.exchange/@codinghorror