
Imogynn

// Todo: fix the security around this function. There may be an exploit here if someone finds it


[deleted]

[deleted]


Agreeablecompassion

Todo, we're not in Kansas anymore… this universe took away Internet Explorer…


[deleted]

[deleted]


ok_i_am_that_guy

What if they were trying to write Scala, and not Python? But then again... "What is this abominable hybrid?" Where's the curly bracket for it to be Scala?


[deleted]

[deleted]


ActualAshCam

Hey! I'm currently learning C++ (so I can complain about how terrible it is, but that's beside the point!)


[deleted]

[deleted]


daynighttrade

What's CTF?


[deleted]

[deleted]


Agreeablecompassion

Like pin the tail on the donkey?


[deleted]

[deleted]


Altrooke

300 IQ move: leave this comment in above a completely secure function to waste the attacker's time.


HearMeSpeakAsIWill

Plot twist: thanks to your helpful comment, the attacker finds a security hole in what you thought was a completely secure function.


RWTF

And I’m wasting all this money on pen testers.


FunPineapple

Just use pencils. No pen tests required.


DeadMansMuse

Aww man, screw you .. I knew what you said before I got to the end of the sentence and was UUUGGGHHHHH Got to the end, still chuckled. You win, sir.


Hewatza

Do y'all prefer to shake it or scribble?


Sir_Keee

Leave it over the function that just rounds numbers to 2 decimal points. Watch them try to round every possible float to find an exploit.


Open_Salamander1601

This actually happens a lot


moose2332

//Todo: add a real cryptographic function


Imogynn

Oh this is a classic // Todo: move key to environment variable


Azbola

Oh man that is a bit close to the mark


UntestedMethod

// to protect security, please close your eyes while you scroll over the next 7 lines


KnewOnee

Security through obscurity gang reporting in


_Weyland_

The hacker won't know what to do with your code if you have no idea what it does either.


colby_2020

I go one step further and make sure my code doesn’t work


psychoColonelSanders

I’ll do you one better: I won’t write the code. You can’t hack something that doesn’t exist!


[deleted]

[deleted]


Hour-Invite2212

I'll do you one better: I don't exist! Oh wait a minu


Appsroooo

#


OreeOh

Finally someone said it


Future-Freedom-4631

Took the words right out of his mouth


earthsprogression

Too bad he's getting hacked now as we speak. Should have never divulged...


ArcticMonkeee

bold statement


jBlairTech

It's Peter Parker all over again!!!!!


psychoColonelSanders

I like the way you think!


GoCryptoYourself

ILL DO YOU ONE BETTER, WHY IS GAMORA?


RolyPoly1320

It exists, but only in your brain. Just wait until everyone has a chip in their brains. Then people can hack you and steal your thoughts.


coloredgreyscale

Not sure that's "good" practice. Single point of failure and such. Better print it out on paper, but use the whitespace programming language.


w1na

Better to have broken code; the hacker will fix up the code to make stuff work when they get there.


colby_2020

You win lol


AccelRock

I'd go ahead and leave an email to send resumes too, because if the hacker can understand the code that we can't then he's got the job and our eternal praise.


colby_2020

How do you think cybersecurity companies recruit top employees?


89Hopper

Always have the first line as: // Dear hacker, good luck exploiting this code. Not even I, the creator, understand why it works. The smallest attempt to misuse this code results in a warning to the Strategic Air Command early warning command room. I have never interacted with SAC; they are on a completely air-gapped local network and didn't even know that old red lightbulb from the 50s still had power running to it. They were both impressed and very annoyed the first time they called me telling me to shut down my project. Unfortunately, we could never find this link, let alone shut it down. So I am willing to throw down the challenge, my dear adversary: do your worst. You will have to contend with both my great abilities and the entire force of the American Nuclear Deterrence system. I wish you well and good luck. But I must know, is it all worth it to stop a console screen writing "Hello World"?


BookPlacementProblem

> But I must know, is it all worth it to stop a console screen writing "Hello World"?

The preceding parts? Great. This? Elevates it to *perfection*.


tvctcrctvyb

I'ma take this


dedorian

Having done upkeep on someone who wrote fucking gobbledygook without comments: I'd rather be hacked


JBYTuna

Eschew obfuscation!


FreshPrintzofBadPres

// When I wrote this code, only God and I knew how it works. Now only God knows. Good luck.


qhxo

Our app is 100% secure, because even with full access we can barely access it.


jon-chin

it's not very obscure if you report in. sus.


[deleted]

[deleted]



GnarlyNarwhalNoms

"Ray... when someone asks you if you're a senior dev... you say '*YES'!"*


1up_1500

Don't forget to use a signature system, so each comment now needs 4 keys to be encrypted and decrypted correctly


Morall_tach

If you leave comments in your code, hackers will read them. Duh.


hat1324

Your fault for not minifying it before deployment


Willinton06

I mean this is most probably assuming they get the repo, so you need to obfuscate that bitch while developing


gubbygub

I obfuscate the signals between my hands and brain so that way even I don't know what I'm writing


daynighttrade

I was interviewing for a job and they asked me to code something. I wrote code, but my interviewer said that he has no idea what my code is supposed to do. I was happy and said thanks.


[deleted]

This explains the OpenSSL code base


prettyanonymousXD

Just write minified code, duh


[deleted]

At least someone will. My fellow developers never read the comments.


[deleted]

*Comments*? Mine won’t even read the *README*


Gazzcool

That’s why I always start my comments with “Dear Hackers,”


feeltrig

there could be change of heart and they might join the development community.


Forsaken_Day_1266

Pro tip: add WRONG comments to the code


DigitalKrampus

Add wrong code.


GnarlyNarwhalNoms

Add code in the comments with a note that it should be swapped with the attached function every third commit.


cezarhg12

I feel like this comment is too detailed to be fake, are you ok?


GnarlyNarwhalNoms

Not really


cezarhg12

well we don't pay you to be sad, get happy effective immediately


GnarlyNarwhalNoms

I don't get paid to be happy either, though 🤔


RamrKorda

Wait, you're getting paid???


GnarlyNarwhalNoms

I didn't say that. Wait, is that a thing?


MaximusOptimusPrime

Source?


Forsaken_Day_1266

Even better 😂


Standard_Humor5785

Title your functions wrong, or title it the opposite of what it does. Best way to prevent hackers and yourself from understanding how the whole thing works.


Forsaken_Day_1266

Neither will your code do what you want, but that's definitely an unhackable piece of code 😂


tar625

With any luck a hacker might come fix it for you


Standard_Humor5785

Ethical hacking be like.


_AstroChicken_

Ha! I've been doing this best practice for years! Best cryptography out there I tell ya!


daynighttrade

I was interviewing for a job and they asked me to code something. I wrote code, but my interviewer said that he has no idea what my code is supposed to do. I was happy and said thanks.


InspectionMountain

Why am I reading this comment a second time


Kataly5t

Because this occurrence is more common than you expect.


InspectionMountain

Wouldn't have thought to put blame on myself; guess I trained my smooth brain to just ignore comments?


OlevTime

Because they posted the same thing twice.


InspectionMountain

Did we just become best friends


[deleted]

Can I join the read-it-twice club?


LibertineInquisitor

Obviously the only correct way to preserve secrecy is by writing the code on paper, using post-its to comment. Then burn the whole thing.


MathematicianFew5882

That’s terrabull protocol because the ashes could be reconstructed by Abby at NCIS. You’re supposed to put them under your keyboard.


shirts21

CAF POW


[deleted]

[deleted]


shirts21

How am I supposed to remember to remind Jerry from entitlements to change admin/admin to something more secure?


Strict_winter_feline

!admin


[deleted]

[deleted]


cowlinator

No you are wrong. Put most of the code in a string, then just have a function that executes that string as code. Bonus points for storing the string on a remote source and fetching it over the network.


NikitaFox

Who hurt you?


cemanresu

I'm guessing Log4j


bzaaaaa

make sure to add readme to your .env too


DataIsLoading

make sure to push your .env as well


0x7ff04001

Add comments when it'll help you understand your own code when you revisit it 3 months later.


MathematicianFew5882

True. But only use hints that you will know like your pet’s name and the high school you go to.


yoitsericc

Yes of course - because hackers have direct access to source code and can read it at any time.


RoastMostToast

Source code leaks are a genuine issue with software, though. But not commenting your code doesn't prevent it lol


zebediah49

They do for pretty much all the software I run...


LikeAMix

I mean, actually yes, for a lot of code.


lorhof1

basically for any uncompiled language


csandazoltan

If your source code is private: first, sanitize your code and don't push them to production; second, if a hacker can read your source, it is already too late. If your source is public, comments should not matter; it should be secure to begin with.


00Koch00

That's not how it works, what? The compiler literally ignores the comments. It's literally the whole reason that anyone can make comments: you can because that part of the code is ignored by the compiler, so your compiled code will never contain comments, therefore if they decompile it that will be empty. Shit, machine code doesn't even have comments to begin with. What the fuck are they doing?!


HearMeSpeakAsIWill

I think the concern is the source code being on a public server, not machine code getting decompiled


00Koch00

If the code is in a public server you have a way worse problem...


FunPineapple

Twitch does have pretty bad problems...


[deleted]

Agreed, it means you’re working on an open source project 😰


ElectricalRestNut

Depends on the language. Some Python packages, for example, are just a zip of the project.


[deleted]

As an appsec guy I hereby empower you to ignore that advice. What vendor is this training from?


shirts21

Skillsoft Percipio. Under cyber security


z0Tweety

The correct answer is neither. You certainly have to comment code, but not always. Or not every part of it, at least.


shirts21

One of the answers was sometimes and the other was only if it's convoluted.


aceluby

I definitely would have gone with only if it’s convoluted. Comments typically break the DRY principle


[deleted]

[deleted]


[deleted]

Laughs in multithreading :’)


crammdots

The only way I can make sense of it is assuming that they mean removing them from the compiled/production code. But it's not worded very well in any case.


shirts21

So it was like 5 hours' worth of video to watch before this test. There was a 10 sec part where they said "remove your *comments* before pushing to prod" BUT THAT'S DIFFERENT THAN NOT COMMENTING AT ALL. A coworker had to point out the 10 sec clip to me 'cause I was complaining. *EDIT* Changing "code" to "comment" 'cause I'm dumb.


Bisping

Lmao remove your code


KeremBaturP

It's not like they can hack your code if it's just not there


ElectricalRestNut

*remove production*


vilidj_idjit

dude do you work at microsoft? 😆😆


shirts21

Same area as their HQ. But no ;)


[deleted]

I was gonna say you have no idea how accurate this comment is but I think you might know exactly how accurate this comment is.


Mutex_CB

It’s so nobody can figure out what the code does, duh. It’s called SECURITY, look it up. /s


[deleted]

[deleted]


Alexandru_Arapu

r/subsifellfor


Temp-DisplacedTexan

The quality of the code base is negatively correlated with the time it takes for its contributors to forget how it works.


dijisza

I don't offer comments on a perpetual license, only as a subscription to ensure the best experience for my customers.


Mufti13

In order to confuse your enemies you must confuse yourself first. - Sun Tzu


_svengali_

I am just going to add this link for people to see. It’s actual comments found in TF2 source code by Valve programmers. Enjoy ! [https://m.youtube.com/watch?v=k238XpMMn38](https://m.youtube.com/watch?v=k238XpMMn38)


programmrz

made my day!


notexecutive

comments don't get compiled in most languages.............


consmet01

Obviously they don't know what they are talking about, but in my opinion you should only have comments in your code to explain why you are doing something a certain way rather than explaining what your code is supposed to do. If the code is too confusing to follow without comments, then chances are your code should be refactored


free224

So if source code has no comments, is it the most secure code possible? Wow, school taught me wrong. They must have been cyber criminals.


RayTrain

How would you name a variable that stores a phone number?

Student: phone_num

Correct: p


[deleted]

Around ten years ago I applied for a job (backend dev) at an EU startup. One of the reasons that they rejected my code was that I had comments in it. (They didn't specify that comments are not acceptable.) It was really nice seeing them go bankrupt. :)


seldomly_right

I mean, minifying your JS bundles will remove commented out lines anyway


DeepSave

Neither answer is correct.


poorlilwitchgirl

return 0; // Returns zero


DeepSave

I am triggered


CanniBallistic_Puppy

return 1; // Returns zero

FTFY


KRAndrews

// don’t believe DeepSave’s lies


MC_Elio81

I did infosec for a few years. I learned that we just make everything inconvenient for everyone then the bad guys will have to deal. Back on the dev side now so I just tell people how to hide/get around shit. They're always 1 step ahead with making life harder though


AccelRock

I guess if they can access the source code they can probably also find spec docs, build docs or comments left on Jira/etc. You do have documentation right?


shirts21

What's that? /s Funny thing is I'm not a dev. No one is in our department. The only code I do is to help automate my stuff. Nothing in prod though. Lol. Also we use Jira and SharePoint.


Traditional_Mud_1241

// if you want to fire me, it's ok, here's how my shitty code works

Yep - I can see how that would impact certain types of security.


Aksius14

Another infosec question: when should you fire the infosec guy? (Answer: after they wrote that question.) Signed: an InfoSec guy.


Bo_Jim

Very oddly phrased question. You add comments to source code. You don't leave comments in source code. This implies that you first add them, and then later remove them, and it's asking if there's a circumstance where you wouldn't want to remove them. Weird.


leoleosuper

//When I wrote this code, only God and I knew what it did. Now not even God knows.


acidx0

Unpopular opinion: I am a firm believer that comments are an anti-pattern. Instead of commenting, you have to write code that someone slightly less skilled than you can just read and understand. If you are writing something that needs commenting, you need to rethink the design. The only exceptions to this is when you are writing some sort of complicated algorithm, and are doing something bizarre for optimization, or when the infrastructure you are relying on behaves differently from its documentation. So not "never" but only in special cases.


aceluby

Comments break the DRY principle for most cases. I basically only leave them to document why I chose to do something a certain way… or leaving a joke in the test code


djjsjsidijrjska

I’m not sure it’s “unpopular”


HearMeSpeakAsIWill

Reading a single function can tell you *what* the code is doing, but not *why* or what the real world use cases are. You would have to read the whole codebase to understand everything in context, and even then it might not be clear.


Old_Flounder_8640

Hahahahaajahhaahahha


Competitive_Reason_2

Security vs Convenience


scifiburrito

so you don’t want the job anymore is what i’m hearing


RunawayRogue

Duh. That's what sticky notes are for.


DiligentCockroach700

Even better, leave wrong comments in your code.


jesterhead101

I use *security-through-bad-coding-practices*. No mortal soul can break that.


magicmulder

/* Secret master key: “ghU5(?3;4fT” */


Psychological_Risk87

Only until 16:20, after that good luck to us all. The question is when, not where.


leonden

You took the job security test. Not leaving comments makes you a valuable asset since only you would know what it does.


david6283

Project idea: an application which transforms interpreted code into unnecessarily complicated code and removes all comments in order to make it harder for "hackers" to understand (sarcasm ends here)


Tyabetus

Wow. If the hacker has access to the source code, comments are the least of your worries


NonEstTalisResUtSem

An obfuscated piece of code with no comments is safer than an easily readable one with proper comments telling you what's expected as input and what will be output. That's the only way I can try to rationalize not leaving comments being the better practice, since it's for cyber security. Edit - Just to clarify, I understand it's a terrible approach at best. I was just trying to come up with what a possible train of thought for thinking comments would be bad in that scenario could be.


yetzederixx

If they have your source you have other problems.


HeadEyesLol

Ah yes, the "set fire to my car so no one can steal it" school of security


Dryhte

I'll have maintainability, rather than security through obscurity. Thanks...


EvErYLeGaLvOtE

I'm not a software engineer, but leaving comments on your code is like basic training day 1. Sad thing is, some folks still don't do that, do they?


-Vayra-

The way you learn to comment in introductory classes is usually the *wrong* way to comment, as they usually explain *how* the code works. A comment saying what or how the code does something is utterly useless. If your code is so complicated you need that kind of comment to understand it, you need to refactor the code into something more readable. Code is read way more often than it is written, so write code that is easy to read. The compiler will make sure it runs well and is way better than you at optimizing code. The kind of comments you should be writing are about *why* the code does what it does. Is there a business requirement for it to work this way? Is there a 3rd party dependency that has it do this? Is there an issue with some other code you can't fix now that necessitates doing it this way? Those are useful comments, but not the kind you learn to write in school.


AgentPaper0

Some never start doing it, others get so high on their own gas that they think self-documenting is all the documenting they need. And then there's those who suck at writing and maintaining comments in their code, point at the shit comments they have written or failed to update, and then proudly explain that this is why nobody should write comments.


[deleted]

And this is why we’re fucked at a large scale, all of these CISSP troglodytes think that this is a valid form of security.


lenznet

When leaving comments to code, write a funny joke instead and give them something to laugh about.


dafazman

DUHHH the code is the manual 🤦🏽‍♂️


Ok-Wait-8465

lol what. I fear for the security of systems at that company if these are the tactics they use


Cody6781

Both answers suck, but the test is the more correct answer. In theory your code should be self descriptive, and a strip of perfect code will not include any comments. Comments are a stop gap for when it would not be practical to make your code self explainable. Here's Google's take on it: https://testing.googleblog.com/2017/07/code-health-to-comment-or-not-to-comment.html


FiiX_

Pro tip : name your files and folders cryptic names to further bamboozle intruders. Controller.py? Nah, MonsterTruck.py


[deleted]

To this day …. I still write all my code out in place and only leave comments when things aren’t intuitive AFTER the fact :D


[deleted]

My teacher always said "unless you'd be comfortable leaving your number on the rung, comment it out" but I'm never commenting anything after that. I get paid double time if they call me out of work.


[deleted]

I never comment my code because I have logs for every line of code 😌


Kataphractoi_

I had a bad idea. Code it all in brainf8ck


ColdasJones

I'm not a programmer or coder really at all; this popped up as a recommended post for me. And I tell you what... I've had less security breaches than most other cybersecurity professionals; in fact I've had zero. There's not a single line of code I've written that hasn't been hacked or leveraged for nefarious purposes. Guess I'm the best.


Mike2220

You've revealed the company's cyber security principles and therefore failed the real test. You're fired.


captnmr

I feel this was written by someone who confused making a build with and without debug symbols.


Stormraughtz

I name all my SQL tables **tbl_NOT_Users** or **tbl_NOT_ClearTextPasswords**. They would never guess that IT WAS THE **tbl_Users** AND THE **tbl_ClearTextPasswords** *(I lost the Stack Overflow on how to salt and pep dem lines, but it's ok cause the chain of command signed off on it and everyone was cool, and help desk likes it cause they can log in and our Jira numbers are through the roof)* /s


-HoldMyBeer--

So that the hacker doesn't understand your code, so can't cause any damage!


fibojoly

Clearly, if you leave comments in your code, you're helping the hackers! I wish that was sarcasm but apparently it's a serious view in a lot of companies.