Coding Horror

programming and human factors

The Bathroom Wall of Code

In Why Isn't My Encryption.. Encrypting?, many were up in arms about the flawed function I posted. And rightfully so, as there was a huge mistake in that code that just about invalidates any so-called "encryption" it performs. But there's one small problem: I didn't write that function.

Now, I am certainly responsible for that function, in the sense that it magically appeared in our codebase one day -- and the the entire project is the sum of all the code contributed by every programmer working on it. I invoke the First Rule of Programming: It's Always Your Fault. And by "your", I don't mean the particular programmer who contributed this code, who shall remain blissfully nameless. I mean us -- the entire team. The onus is on us, as a team, to vet every line of code at the time it is contributed, and constantly peer review each other's code. It's a responsibility we shoulder together. Nobody owns the code, because everybody owns the code.

Yes, I failed. Because the team failed.

Geoff Weinhold left this prophetic comment on the post:

The irony in this is that someone will inevitably end up here for sample encryption code and blindly copy/paste your flawed code.

Indeed. Heaven forbid someone copy and paste flawed code from the internet into their project! In fact, a quick search on some of the unique strings in that original Encrypt() function turns up a few ... interesting ... search results.

01/2006C# Shiznit - Library Encrypt and Decrypt Methods using TripleDES and MD5
05/2006Code Project - Encrypt and Decrypt Data with C#
04/2007Bytes - String Encryption Help
06/2008Egghead Cafe - invalid length while decrypting TripleDESCryptoServiceProvider
09/2008ASP.NET Forums - Need help on password-encrypted key used for signing
11/2008code:keep Encryption
12/2008Encrypt/Decrypt the password in C# .net
05/2009My Own Stupid Blog Post

That's just a sampling of the 131 web hits I got. To paraphrase Austin Powers, this Encrypt() function is like the village bicycle: everybody's had a ride. It's a shame this particular bicycle happens to have a crippling lack of brakes that makes it dangerous to ride, but what can you do.

Scott Hanselman coined a nice phrase for this: the internet as the bathroom wall of code.

bathroom wall graffiti

It's true. People, being people, have gone and scrawled a bunch of random code graffiti all over the damn internet. Some of it is vanity tagging. Some of it is borderline vandalism. And some of it is art. How do we tell the difference?

That's the very reason I put forth a modest proposal for the copy and paste school of code reuse. Not that it would have helped in this case, but it sure would be nice if someone could perform a grep replace ... 

s/Mode = CipherMode.ECB/Mode = CipherMode.CBC/g

... on, like, the entire internet. So other projects don't absorb this critically flawed code sample.

In the meantime, until that tool is developed, I recommend that you apply extra-strength peer review to any code snippets you absorb into your project from the bathroom wall of code. That internet code snippet you're looking at, the one that appears to be just what you're looking for, could also be random graffiti scrawled on a bathroom wall.

It's true that some bathrooms are nicer than others. But as we've learned, it pays to be especially careful when cribbing code from the internet.

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Overflow and Discourse. Disclaimer: I have no idea what I'm talking about. Find me here: https://infosec.exchange/@codinghorror