How do you deal with egotistical developers?

A few days ago, our team inherited an old web application from a company that was acquired by our overlords' parent company. Rather than writing it in an actual programming language, the original developer used one of those "drag and drop windows and buttons and call yourself a web developer" tools that were popular during the dot com bubble.

The vendor that created this tool is nowhere to be found, and our parent company has been paying the original dev ridiculous consulting fees to fix any issue they've had since then. The thing is, he doesn't really know what he's doing.

Before giving us access to the environment, he protested. He assured us that the application was already completely secure, and that he should be the one maintaining it because it was his application. The parent company put their foot down and made him hand it over.

When they handed the servers over to us, the first thing I did was set up monitoring. I noticed the mail queue on one of the webservers was in the hundreds of thousands. It had been compromised and was selling supplements.

It must have been compromised for years. From a security perspective it's a disaster. The thing is sitting on CentOS 4, with no firewall, not even in a private subnet or anything. There are 6 servers like this in the environment for different tasks, all talking to each other over the open internet with weak DSS ssh keys to root. There are also no initscripts. Not even some hacky bullshit in rc.local. Every time a machine went down they called him to start up the app.

We start working on modernizing the thing. We ask the dev about how the app is structured, what services do what, dependencies, etc. He tells us "it's all on one machine", which caught us off guard. There are obviously 6 servers. How does he not know that? He's the one who's been maintaining this environment.

OK, whatever. He tells us, "this app can't be started as root, you need to use the <foo> user". In this case <foo> was his personal username. To make it funnier, a quick 'ps' showed that the app was indeed started as root. He also apparently didn't know 'sudo' was a thing. He'd log in as root and su to his own user (not even the other way around).
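The three findings above (DSA/short root ssh keys, a runaway mail queue, and an app that is "not root" but actually runs as root) are the first things worth checking on any inherited box. The helpers below are an added example, not from the original post; they work on snapshots copied off a server (an authorized_keys file, the output of `ps -eo user=,comm=`, and a mail spool directory) so they can be run offline, and the paths and the 300-character base64 threshold are assumptions.

```shell
# Added triage helpers (example code, not part of the original post).
# Each takes a snapshot file/dir so it can run on a copy taken off the box.

# 1. Flag authorized_keys entries that use ssh-dss, or ssh-rsa keys whose
#    base64 blob is too short to hold a 2048-bit modulus. Heuristic: a
#    2048-bit RSA blob is ~370 chars, a 1024-bit one ~200 (assumed cutoff 300).
#    Prints one line per weak key, then the total count on the last line.
weak_ssh_keys_in() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            t = $1; b = $2; c = $3
            # entries may start with options (from=, command=...) before the type
            if (t !~ /^(ssh-|ecdsa-|sk-)/) { t = $2; b = $3; c = $4 }
            if (t == "ssh-dss")                     { n++; print "DSA key: " c }
            else if (t == "ssh-rsa" && length(b) < 300) { n++; print "short RSA key: " c }
        }
        END { print n + 0 }
    ' "$1"
}

# 2. Given a snapshot of `ps -eo user=,comm=`, list commands running as root
#    whose name matches an awk regex (e.g. the app the dev swore ran as <foo>).
root_procs_in() {
    awk -v pat="$2" '$1 == "root" && $2 ~ pat { print $2 }' "$1" | sort -u
}

# 3. Count queued messages in a spool tree (sendmail mqueue or the postfix
#    queue directory). Hundreds of thousands means the box relays for someone else.
mail_queue_depth() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Typical use on a live box (paths assumed):
#   weak_ssh_keys_in /root/.ssh/authorized_keys
#   ps -eo user=,comm= > /tmp/ps.txt && root_procs_in /tmp/ps.txt '^(httpd|webapp)$'
#   mail_queue_depth /var/spool/mqueue
```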

The whole time he acted like he was the best programmer on the planet and put down pretty much everyone else, but especially our junior sysadmin. Any time she'd make a suggestion, he'd cut her off and say something like "leave the programming to me". I'm 10000% sure she's a better programmer than this asshole.

So we did what we normally do when modernizing legacy apps. We put the services in Docker, spun up a fresh k8s cluster, and hammered out the obvious kinks as we went. We rewrote a couple of the app's services in Go because – contrary to conventional wisdom – it was just easier that way. After scrambling for a few days we have something that seems to be working, but we needed him to test it because he still knows the application better than anyone.

So we send him an email, asking if he can test it. He responds with "I thought you guys were experts. Test it yourself." We haven't been able to get him to respond since.

I forgot to mention previously that he controls the DNS records for this thing from a personal account with his registrar (because of course he does).
