A minor but important correction. Krebs wrote that the Gov claimed that “fixing the flaw could cost the state $50 million.” That’s not quite right. In the press conference linked in Krebs' post, the Governor actually claims that the “incident alone may cost Missouri taxpayers up to $50 million.” I’d guess this number includes an estimate for the legal cost of dealing with the data breach plus any statutory penalties the state might incur (plus a grossly inflated price for fixing the bug).
It's a disgrace that the agency that produced this website is not liable for this substandard quality.
How crazy is it that code like this is deployed to production and then the customer has to pay 50 million to get it up to standards? The senator should be ashamed they are being scammed like this.
> fixing the flaw could cost the state $50 million
It's hard to imagine the kind of contorted bureaucracy that could turn such a fix into a $50 million change request, and yet, I wouldn't be surprised at all if it did cost that much.
I would absolutely love to know who provided that estimate and how they arrived at that number. I understand that issues are often far more complex than they appear but this just seems ridiculous.
Turns out a bunch of other systems rely on this bug to fetch information, and no-one's entirely sure where they are, who's responsible for them, or what they do. Also the page is auto-generated through some arcane CMS such that it's really hard to figure out how to get the data off that page while keeping it in the other places where it needs to be, without restructuring the whole thing. Also deployment is manual and you'll need to go back and forth with some unrelated department for months to make it happen. Also there's no testing environment, no information about how to get it running—let alone any useful scripts or config/deployment management—is in the repo or otherwise available at all, and there are no tests. And it's all written in an unholy combination of ASP.NET and Java server pages. And the "database" is a standards-nonconforming CSV.
a785236|4 years ago
tinco|4 years ago
christophilus|4 years ago
miohtama|4 years ago
newsbinator|4 years ago
But 50 million is a high estimate.
nerdawson|4 years ago
Knowing where sed output is generated: $49.9999M
willcipriano|4 years ago
Invoice Fee - 1 million
Not bad for -1 lines of code.
cure|4 years ago
_3u10|4 years ago
vjust|4 years ago
elliekelly|4 years ago
handrous|4 years ago
(pure speculation)
kizer|4 years ago
comeonseriously|4 years ago